securenow 7.7.7 → 7.7.9

package/cli/firewall.js

@@ -36,10 +36,11 @@ async function status(args, flags) {
       ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
-      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
-      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
-      ['Sync TTL', `${data.ttl || 60}s`],
-    ]);
+      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
+      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
+      ['Rate limit rules', String(data.rateLimitCount ?? 0)],
+      ['Sync TTL', `${data.ttl || 60}s`],
+    ]);
     if (data.allowlistCount > 0) {
       console.log('');
       console.log(`  ${ui.c.yellow('!')} Allowlist is active — only ${data.allowlistCount} IP(s) can reach your app`);

package/cli/rateLimits.js

@@ -0,0 +1,245 @@
+'use strict';
+
+const { api, requireAuth } = require('./client');
+const config = require('./config');
+const ui = require('./ui');
+
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags, fallback = null) {
+  return flags.env || flags.environment || fallback;
+}
+
+function parseWindow(value) {
+  if (value == null || value === '') return 60;
+  if (/^\d+$/.test(String(value))) return Number(value);
+  const raw = String(value).trim().toLowerCase();
+  const match = raw.match(/^(\d+)\s*(s|sec|second|seconds|m|min|minute|minutes|h|hr|hour|hours)$/);
+  if (!match) {
+    ui.error('Window must be seconds or look like 30s, 1m, or 1h.');
+    process.exit(1);
+  }
+  const n = Number(match[1]);
+  const unit = match[2][0];
+  return unit === 'h' ? n * 3600 : unit === 'm' ? n * 60 : n;
+}
+
+function buildQuery(flags) {
+  const query = {};
+  if (flags.page) query.page = flags.page;
+  if (flags.limit) query.limit = flags.limit;
+  if (flags.status) query.status = flags.status;
+  if (flags.search) query.search = flags.search;
+  const appKey = resolveApp(flags);
+  if (appKey) query.appKey = appKey;
+  const environment = resolveEnvironment(flags, null);
+  if (environment) query.environment = environment;
+  return query;
+}
+
+function describeTarget(rule) {
+  const parts = [];
+  if (rule.ip) parts.push(rule.ip);
+  if (rule.method && rule.method !== 'ALL') parts.push(rule.method);
+  if (rule.pathPattern) parts.push(`${rule.pathMatchMode || 'prefix'}:${rule.pathPattern}`);
+  return parts.join(' ') || 'all traffic';
+}
+
+async function list(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching rate limits');
+  try {
+    const data = await api.get('/rate-limits', { query: buildQuery(flags) });
+    const rules = data.rateLimits || [];
+    s.stop(`Found ${rules.length} rate-limit rule${rules.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = rules.map((r) => [
+      ui.c.dim(ui.truncate(r.id || r._id, 12)),
+      r.status === 'active' ? ui.statusBadge('active') : ui.statusBadge(r.status || 'unknown'),
+      describeTarget(r),
+      `${r.limit}/${r.windowSeconds}s`,
+      r.applicationKey || ui.c.dim('all apps'),
+      r.environment || ui.c.dim('all envs'),
+      r.expiresAt ? new Date(r.expiresAt).toLocaleString() : ui.c.dim('permanent'),
+      ui.timeAgo(r.createdAt),
+    ]);
+    ui.table(['ID', 'Status', 'Target', 'Limit', 'App', 'Env', 'Expires', 'Created'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch rate limits');
+    throw err;
+  }
+}
+
+async function show(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow ratelimit show <id>');
+    process.exit(1);
+  }
+  const s = ui.spinner('Fetching rate limit');
+  try {
+    const data = await api.get(`/rate-limits/${id}`);
+    const r = data.rateLimit;
+    s.stop('Rate limit loaded');
+    if (flags.json) { ui.json(r); return; }
+    console.log('');
+    ui.heading(r.name || 'Rate limit');
+    console.log('');
+    ui.keyValue([
+      ['ID', r.id || r._id || id],
+      ['Status', r.status || '-'],
+      ['Target', describeTarget(r)],
+      ['Limit', `${r.limit}/${r.windowSeconds}s`],
+      ['Key by', r.keyBy || 'ip'],
+      ['App', r.applicationKey || 'all apps'],
+      ['Environment', r.environment || 'all envs'],
+      ['Reason', r.reason || '-'],
+      ['Expires', r.expiresAt || 'permanent'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch rate limit');
+    throw err;
+  }
+}
+
+async function add(args, flags) {
+  requireAuth();
+  const ip = args[0] || flags.ip || '';
+  const pathPattern = flags.route || flags.path || flags.pattern || '';
+
+  if (!ip && !pathPattern) {
+    ui.error('Provide an IP/CIDR, --route, or both.');
+    ui.info('Example: securenow ratelimit add 203.0.113.10 --limit 30 --window 1m --duration 24h');
+    process.exit(1);
+  }
+  if (!flags.limit) {
+    ui.error('Pass --limit <count>.');
+    process.exit(1);
+  }
+
+  const appKey = resolveApp(flags);
+  const environment = resolveEnvironment(flags, 'production');
+  const body = {
+    ip,
+    pathPattern,
+    pathMatchMode: flags.mode || flags['path-mode'] || (pathPattern ? 'prefix' : 'prefix'),
+    method: flags.method || 'ALL',
+    keyBy: flags['key-by'] || flags.keyBy || 'ip',
+    limit: Number(flags.limit),
+    windowSeconds: parseWindow(flags.window || flags['window-seconds']),
+    reason: flags.reason || '',
+    name: flags.name || '',
+    duration: flags.duration || '',
+    expiresAt: flags.expiresAt || flags.expires || '',
+  };
+  if (appKey) body.appKey = appKey;
+  if (environment) body.environment = environment;
+
+  const s = ui.spinner('Creating rate limit');
+  try {
+    const data = await api.post('/rate-limits', body);
+    s.stop('Rate limit created');
+    if (flags.json) { ui.json(data); return; }
+    const r = data.rateLimit;
+    console.log('');
+    console.log(`  ${ui.c.green('ACTIVE')} ${describeTarget(r)} at ${r.limit}/${r.windowSeconds}s`);
+    console.log(`  ${ui.c.dim('ID:')} ${r.id || r._id}`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to create rate limit');
+    throw err;
+  }
+}
+
+async function setStatus(args, flags, status) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error(`Usage: securenow ratelimit ${status === 'active' ? 'enable' : 'disable'} <id>`);
+    process.exit(1);
+  }
+  const s = ui.spinner(`${status === 'active' ? 'Enabling' : 'Disabling'} rate limit`);
+  try {
+    const data = await api.put(`/rate-limits/${id}`, { status });
+    s.stop(status === 'active' ? 'Rate limit enabled' : 'Rate limit disabled');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to update rate limit');
+    throw err;
+  }
+}
+
+async function enable(args, flags) { return setStatus(args, flags, 'active'); }
+async function disable(args, flags) { return setStatus(args, flags, 'disabled'); }
+
+async function remove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow ratelimit remove <id> [--reason "..."]');
+    process.exit(1);
+  }
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this rate-limit rule?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const s = ui.spinner('Removing rate limit');
+  try {
+    const opts = flags.reason ? { query: { reason: flags.reason } } : undefined;
+    const data = await api.delete(`/rate-limits/${id}`, opts);
+    s.stop('Rate limit removed');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to remove rate limit');
+    throw err;
+  }
+}
+
+async function test(args, flags) {
+  requireAuth();
+  const ip = args[0] || flags.ip;
+  if (!ip) {
+    ui.error('Usage: securenow ratelimit test <ip> --path /api/login [--method POST]');
+    process.exit(1);
+  }
+  const query = {
+    ip,
+    path: flags.path || flags.route || '/',
+    method: flags.method || 'GET',
+  };
+  const appKey = resolveApp(flags);
+  if (appKey) query.appKey = appKey;
+  const environment = resolveEnvironment(flags, 'production');
+  if (environment) query.environment = environment;
+
+  const s = ui.spinner('Testing rate-limit match');
+  try {
+    const data = await api.get('/rate-limits/check', { query });
+    s.stop('Rate-limit check complete');
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    if (data.limited) {
+      console.log(`  ${ui.c.bold(ui.c.yellow('RATE LIMITED'))} - ${data.matches.length} matching rule${data.matches.length !== 1 ? 's' : ''}`);
+      for (const r of data.matches.slice(0, 5)) {
+        console.log(`  ${ui.c.dim(r.id || r._id)}  ${describeTarget(r)}  ${r.limit}/${r.windowSeconds}s`);
+      }
+    } else {
+      console.log(`  ${ui.c.bold(ui.c.green('NOT LIMITED'))} - no matching rate-limit rules`);
+    }
+    console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} - Environment: ${data.environment || environment}`)}`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to test rate limit');
+    throw err;
+  }
+}
+
+module.exports = { list, show, add, enable, disable, remove, test };

package/cli.js

@@ -253,6 +253,48 @@ const COMMANDS = {
     },
     defaultSub: 'status',
   },
+  ratelimit: {
+    desc: 'Manage soft rate-limit remediation rules',
+    usage: 'securenow ratelimit <list|add|show|test|enable|disable|remove> [options]',
+    flags: {
+      app: 'Scope to app key (defaults to logged-in app)',
+      env: 'Scope to environment (default for create/test: production)',
+      environment: 'Alias for --env',
+      json: 'Output as JSON',
+      limit: 'Allowed requests per window',
+      window: 'Window size, e.g. 30s, 1m, 1h',
+      duration: 'Expiry, e.g. 24h or 7d',
+      route: 'Path pattern such as /api/login',
+      path: 'Alias for --route',
+      mode: 'Path mode: exact, prefix, or regex',
+      method: 'HTTP method, or ALL',
+      reason: 'Audit reason',
+    },
+    sub: {
+      list: { desc: 'List rate-limit remediation rules', run: (a, f) => require('./cli/rateLimits').list(a, f) },
+      add: { desc: 'Create a rate-limit rule', usage: 'securenow ratelimit add [ip] --route /api/login --limit 5 --window 1m --duration 24h', run: (a, f) => require('./cli/rateLimits').add(a, f) },
+      show: { desc: 'Show one rate-limit rule', usage: 'securenow ratelimit show <id>', run: (a, f) => require('./cli/rateLimits').show(a, f) },
+      test: { desc: 'Check whether a request would match rate-limit rules', usage: 'securenow ratelimit test <ip> --path /api/login --method POST', run: (a, f) => require('./cli/rateLimits').test(a, f) },
+      enable: { desc: 'Enable a rate-limit rule', usage: 'securenow ratelimit enable <id>', run: (a, f) => require('./cli/rateLimits').enable(a, f) },
+      disable: { desc: 'Disable a rate-limit rule', usage: 'securenow ratelimit disable <id>', run: (a, f) => require('./cli/rateLimits').disable(a, f) },
+      remove: { desc: 'Remove a rate-limit rule', usage: 'securenow ratelimit remove <id> [--reason "..."]', run: (a, f) => require('./cli/rateLimits').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  'rate-limit': {
+    desc: 'Alias for ratelimit',
+    usage: 'securenow rate-limit <list|add|show|test|enable|disable|remove> [options]',
+    sub: {
+      list: { desc: 'List rate-limit remediation rules', run: (a, f) => require('./cli/rateLimits').list(a, f) },
+      add: { desc: 'Create a rate-limit rule', usage: 'securenow rate-limit add [ip] --route /api/login --limit 5 --window 1m --duration 24h', run: (a, f) => require('./cli/rateLimits').add(a, f) },
+      show: { desc: 'Show one rate-limit rule', usage: 'securenow rate-limit show <id>', run: (a, f) => require('./cli/rateLimits').show(a, f) },
+      test: { desc: 'Check whether a request would match rate-limit rules', usage: 'securenow rate-limit test <ip> --path /api/login --method POST', run: (a, f) => require('./cli/rateLimits').test(a, f) },
+      enable: { desc: 'Enable a rate-limit rule', usage: 'securenow rate-limit enable <id>', run: (a, f) => require('./cli/rateLimits').enable(a, f) },
+      disable: { desc: 'Disable a rate-limit rule', usage: 'securenow rate-limit disable <id>', run: (a, f) => require('./cli/rateLimits').disable(a, f) },
+      remove: { desc: 'Remove a rate-limit rule', usage: 'securenow rate-limit remove <id> [--reason "..."]', run: (a, f) => require('./cli/rateLimits').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
   automation: {
     desc: 'Manage automation rules for blocklist actions',
     usage: 'securenow automation <list|defaults|show|create|update|dry-run|execute|delete> [rule-id] [options]',
@@ -555,7 +597,7 @@ function showHelp(commandName) {
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
     'Firewall': ['firewall'],
-    'Remediation': ['automation', 'blocklist', 'allowlist', 'trusted'],
+    'Remediation': ['automation', 'ratelimit', 'blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],

package/firewall.js

@@ -17,7 +17,7 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
+let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 let _eventQueue = [];
 let _eventTimer = null;
@@ -30,11 +30,17 @@ let _remoteEnabled = true;
 let _lastRemoteEnabled = null;
 
 // Allowlist state
-let _allowlistMatcher = null;
-let _allowlistRawIps = [];
-let _lastAllowlistModified = null;
-let _lastAllowlistVersion = null;
-let _lastAllowlistSyncEtag = null;
+let _allowlistMatcher = null;
+let _allowlistRawIps = [];
+let _lastAllowlistModified = null;
+let _lastAllowlistVersion = null;
+let _lastAllowlistSyncEtag = null;
+
+// Rate-limit policy state is synced in Phase 1 for forward compatibility.
+// Enforcement is intentionally added in the next SDK phase.
+let _rateLimitRules = [];
+let _lastRateLimitVersion = null;
+let _rateLimitBuckets = new Map();
 
 // Circuit breaker
 const CIRCUIT_OPEN_THRESHOLD = 5;
@@ -295,6 +301,7 @@ function doUnifiedSync(callback) {
   if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
   if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
+  if (_lastRateLimitVersion) headers['X-Rate-Limit-Version'] = _lastRateLimitVersion;
   if (_lastUnifiedEtag) headers['If-None-Match'] = _lastUnifiedEtag;
 
   httpGet(url, headers, 8000, (err, res, data) => {
@@ -364,13 +371,25 @@ function doUnifiedSync(callback) {
         }
       }
 
-      if (body.allowlistIps) {
-        _allowlistRawIps = body.allowlistIps;
-        _allowlistMatcher = createMatcher(body.allowlistIps);
-        alChanged = true;
-      }
-
-      callback(null, { blChanged, alChanged });
+      if (body.allowlistIps) {
+        _allowlistRawIps = body.allowlistIps;
+        _allowlistMatcher = createMatcher(body.allowlistIps);
+        alChanged = true;
+      }
+
+      if (body.rateLimits) {
+        const newVer = body.rateLimits.version;
+        if (newVer !== _lastRateLimitVersion) {
+          _lastRateLimitVersion = newVer;
+        }
+      }
+
+      if (Array.isArray(body.rateLimitRules)) {
+        _rateLimitRules = body.rateLimitRules;
+        pruneRateLimitBuckets(_rateLimitRules);
+      }
+
+      callback(null, { blChanged, alChanged, rlChanged: Array.isArray(body.rateLimitRules) });
     } catch (e) {
       callback(new Error(`Failed to parse sync response: ${e.message}`));
     }
@@ -557,11 +576,14 @@ function pollOnce(callback) {
         const s = _matcher.stats();
         fwLog('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
-      if (result.alChanged && _options.log && _allowlistMatcher) {
-        const s = _allowlistMatcher.stats();
-        fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
-    }
+      if (result.alChanged && _options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (result.rlChanged && _options.log) {
+        fwLog('[securenow] Firewall: re-synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+      }
+    }
     callback(null);
   };
 
@@ -639,12 +661,15 @@ function startSyncLoop() {
         const s = _matcher.stats();
         fwLog('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
-      if (_options.log && _allowlistMatcher) {
-        const s = _allowlistMatcher.stats();
-        if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
-    });
-  }
+      if (_options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (_options.log && _rateLimitRules.length > 0) {
+        fwLog('[securenow] Firewall: synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+      }
+    });
+  }
 
   initialSync();
   scheduleNextPoll();
@@ -655,14 +680,17 @@ function startSyncLoop() {
     // Force a full re-fetch by clearing versions so unified endpoint returns full data
     const savedBlVer = _lastVersion;
     const savedAlVer = _lastAllowlistVersion;
+    const savedRlVer = _lastRateLimitVersion;
     const savedUnifiedEtag = _lastUnifiedEtag;
     _lastVersion = null;
     _lastAllowlistVersion = null;
+    _lastRateLimitVersion = null;
     _lastUnifiedEtag = null;
     pollOnce((err) => {
       if (err) {
         _lastVersion = savedBlVer;
         _lastAllowlistVersion = savedAlVer;
+        _lastRateLimitVersion = savedRlVer;
         _lastUnifiedEtag = savedUnifiedEtag;
       }
     });
@@ -726,19 +754,125 @@ function wrapListener(originalListener) {
   };
 }
 
-function sendBlockResponse(req, res, ip) {
-  const code = (_options && _options.statusCode) || 403;
-  const accept = req.headers['accept'] || '';
-  if (accept.includes('text/html')) {
+function sendBlockResponse(req, res, ip) {
+  const code = (_options && _options.statusCode) || 403;
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
     res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
     res.end(blockedHtml(ip));
   } else {
     res.writeHead(code, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ error: 'Forbidden', ip }));
-  }
-}
-
-function firewallRequestHandler(req, res) {
+    res.end(JSON.stringify({ error: 'Forbidden', ip }));
+  }
+}
+
+function sendRateLimitResponse(req, res, ip, decision) {
+  const retryAfter = Math.max(1, decision.retryAfter || 1);
+  const headers = {
+    'Retry-After': String(retryAfter),
+    'X-RateLimit-Limit': String(decision.limit || ''),
+    'X-RateLimit-Window': String(decision.windowSeconds || ''),
+    'X-SecureNow-Rate-Limit-Rule': decision.ruleId || '',
+  };
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
+    res.writeHead(429, { ...headers, 'Content-Type': 'text/html; charset=utf-8' });
+    res.end('<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Too Many Requests</title></head><body><h1>Too Many Requests</h1><p>Please retry later.</p></body></html>');
+  } else {
+    res.writeHead(429, { ...headers, 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({
+      error: 'Too Many Requests',
+      ip,
+      retryAfter,
+    }));
+  }
+}
+
+function requestPath(req) {
+  try {
+    return new URL(req.url || '/', 'http://localhost').pathname || '/';
+  } catch (_) {
+    return req.url || '/';
+  }
+}
+
+function ruleIpMatches(rule, ip) {
+  const target = String(rule.ip || '').trim();
+  if (!target) return true;
+  try {
+    return createMatcher([target]).isBlocked(ip);
+  } catch (_) {
+    return false;
+  }
+}
+
+function rulePathMatches(rule, path) {
+  const pattern = String(rule.pathPattern || '').trim();
+  if (!pattern) return true;
+  const mode = rule.pathMatchMode || 'prefix';
+  if (mode === 'exact') return path === pattern;
+  if (mode === 'regex') {
+    try { return new RegExp(pattern).test(path); } catch (_) { return false; }
+  }
+  return path.startsWith(pattern);
+}
+
+function rateLimitKey(rule, ip) {
+  const id = rule.id || rule._id || `${rule.ip || '*'}:${rule.method || 'ALL'}:${rule.pathPattern || '*'}`;
+  const subject = rule.keyBy === 'global' ? 'global' : ip;
+  return `${id}|${subject}`;
+}
+
+function checkRateLimitRules(req, ip) {
+  if (!_rateLimitRules || _rateLimitRules.length === 0) return null;
+  const method = String(req.method || 'GET').toUpperCase();
+  const path = requestPath(req);
+  const now = Date.now();
+
+  for (const rule of _rateLimitRules) {
+    if (!rule) continue;
+    const ruleMethod = String(rule.method || 'ALL').toUpperCase();
+    if (ruleMethod !== 'ALL' && ruleMethod !== method) continue;
+    if (!ruleIpMatches(rule, ip)) continue;
+    if (!rulePathMatches(rule, path)) continue;
+
+    const limit = Math.max(1, Number(rule.limit || 1) || 1);
+    const windowSeconds = Math.max(1, Number(rule.windowSeconds || 60) || 60);
+    const windowMs = windowSeconds * 1000;
+    const key = rateLimitKey(rule, ip);
+    let bucket = _rateLimitBuckets.get(key);
+    if (!bucket || now - bucket.windowStart >= windowMs) {
+      bucket = { windowStart: now, count: 0 };
+      _rateLimitBuckets.set(key, bucket);
+    }
+
+    if (bucket.count >= limit) {
+      const retryAfter = Math.ceil((bucket.windowStart + windowMs - now) / 1000);
+      return {
+        rule,
+        ruleId: rule.id || rule._id || '',
+        limit,
+        windowSeconds,
+        retryAfter,
+        path,
+      };
+    }
+    bucket.count++;
+  }
+
+  return null;
+}
+
+function pruneRateLimitBuckets(rules) {
+  const ids = new Set((rules || []).map((rule) => String(rule.id || rule._id || `${rule.ip || '*'}:${rule.method || 'ALL'}:${rule.pathPattern || '*'}`)));
+  for (const key of _rateLimitBuckets.keys()) {
+    const idx = key.indexOf('|');
+    const ruleKey = idx === -1 ? key : key.slice(0, idx);
+    if (!ids.has(ruleKey)) _rateLimitBuckets.delete(key);
+  }
+}
+
+function firewallRequestHandler(req, res) {
   // Remote disable wins over everything: when the dashboard / CLI flips the
   // toggle off, requests pass through the SDK as if the firewall weren't
   // installed. The poll loop keeps running so we re-enable within seconds.
@@ -783,9 +917,29 @@ function firewallRequestHandler(req, res) {
     sendBlockResponse(req, res, ip);
     return true;
   }
-
-  return false;
-}
+
+  const rateLimitDecision = checkRateLimitRules(req, ip);
+  if (rateLimitDecision) {
+    _stats.rateLimited++;
+    if (_options && _options.log) {
+      fwLog('[securenow] Firewall: rate-limited %s via HTTP (rule=%s)', ip, rateLimitDecision.ruleId || 'unknown');
+    }
+    reportFirewallEvent({
+      action: 'rate_limited',
+      source: 'rate_limit',
+      statusCode: 429,
+      ip,
+      matchedEntry: rateLimitDecision.ruleId || '',
+      method: req.method || '',
+      path: rateLimitDecision.path || req.url || '',
+      userAgent: req.headers['user-agent'] || '',
+    });
+    sendRateLimitResponse(req, res, ip, rateLimitDecision);
+    return true;
+  }
+
+  return false;
+}
 
 const _origEmit = http.Server.prototype.emit;
 let _emitPatched = false;
@@ -887,8 +1041,10 @@ function shutdown() {
   _circuitState = 'closed';
   _circuitOpenedAt = 0;
   _consecutiveErrors = 0;
-  _pollInflight = false;
-  _retryAfterUntil = 0;
+  _pollInflight = false;
+  _retryAfterUntil = 0;
+  _rateLimitRules = [];
+  _rateLimitBuckets = new Map();
 
   _httpAgent.destroy();
   _httpsAgent.destroy();
@@ -912,9 +1068,11 @@ function shutdown() {
 function getStats() {
   return {
     ..._stats,
-    matcher: _matcher ? _matcher.stats() : null,
-    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
-    initialized: _initialized,
+    matcher: _matcher ? _matcher.stats() : null,
+    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
+    rateLimitRules: _rateLimitRules.length,
+    rateLimitBuckets: _rateLimitBuckets.size,
+    initialized: _initialized,
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,
     unifiedSync: _useUnifiedSync,
@@ -927,8 +1085,9 @@ function getStats() {
 // Layers (TCP / iptables / cloud) read the matcher to populate kernel-level
 // rules. When the remote toggle is off, return null so they treat the policy
 // as "no IPs to block" without us mutating the cached matcher.
-function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
-function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
-function isRemoteEnabled() { return _remoteEnabled !== false; }
-
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, isRemoteEnabled };
+function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
+function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function getRateLimitRules() { return _remoteEnabled === false ? [] : _rateLimitRules.slice(); }
+function isRemoteEnabled() { return _remoteEnabled !== false; }
+
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getRateLimitRules, isRemoteEnabled };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.7",
+  "version": "7.7.9",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",