signalk-edge-link 2.7.0 → 2.8.0

package/lib/config-watcher.js

@@ -53,7 +53,14 @@ const constants_1 = require("./constants");
 const { readFile, writeFile, mkdir } = fs_1.promises;
 function createDebouncedConfigHandler(opts) {
     const { name, getFilePath, processConfig, state, instanceId, app, readFallback } = opts;
-    async function runLoad() {
+    // Serialize concurrent runLoad calls: while one is in flight, a follow-up
+    // call awaits its completion and only then evaluates its own work. The
+    // previous hash-claim trick had a window between "claim hash" and
+    // "processConfig await" in which a second runLoad could observe the new
+    // hash, skip, and silently drop a legitimate event if the first one then
+    // threw. A simple promise-chain serialization is strictly more correct.
+    let runInFlight = null;
+    async function runLoadInner() {
         if (state.stopped)
             return;
         let content;
@@ -72,48 +79,73 @@ function createDebouncedConfigHandler(opts) {
             app.debug(`[${instanceId}] ${name} file unchanged, skipping`);
             return;
         }
-        // Claim the hash BEFORE awaiting processConfig so a concurrent runLoad
-        // (e.g. the initial flush() racing an fs.watch event triggered during
-        // startup) sees the hash and skips instead of running processConfig
-        // twice. Without this, two processConfigs can both observe the same
-        // pre-claim hash and both call subscribe(), leaving leaked listeners
-        // for any path whose bus is created between the new subscribe() and
-        // the old previousUnsubscribes.forEach() in the second call.
-        const previousHash = state.configContentHashes[name];
-        function revertHashClaim() {
-            if (state.configContentHashes[name] !== contentHash)
-                return;
-            if (previousHash === undefined) {
-                delete state.configContentHashes[name];
-            }
-            else {
-                state.configContentHashes[name] = previousHash;
-            }
-        }
-        state.configContentHashes[name] = contentHash;
         let parsed;
         try {
             parsed = content ? JSON.parse(content) : readFallback;
         }
         catch (parseErr) {
-            // Parse failure leaves nothing valid to process. Revert the claim so
-            // a subsequent file event (presumably with corrected content) is not
-            // silently skipped on the unchanged-hash check.
-            revertHashClaim();
+            // Parse failure: do not advance the hash so a subsequent file event
+            // (presumably with corrected content) is not silently skipped.
             throw parseErr;
         }
         try {
             await processConfig(parsed);
         }
         catch (err) {
-            revertHashClaim();
+            // Processing failed: leave the previous hash intact so a retry can
+            // re-detect the same content as still-pending.
             throw err;
         }
-        // If stop() ran between claim and the processConfig microtask, treat
-        // the hash as unclaimed so a fresh start() will reload from disk
-        // instead of inheriting our claim (the in-memory state is gone).
-        if (state.stopped) {
-            revertHashClaim();
+        // Only after processConfig completes successfully do we mark this
+        // content as the last-known-good. Holding the hash update to the
+        // success path means a failed apply does not silently swallow the next
+        // identical event.
+        if (!state.stopped) {
+            state.configContentHashes[name] = contentHash;
+        }
+    }
+    let rerunRequested = false;
+    async function runLoad() {
+        // Single-producer serialization: only the first caller spawns the
+        // runLoadInner loop; later callers set rerunRequested and return,
+        // so the producer drains them before clearing runInFlight. A naive
+        // "attach + recreate" pattern would let two callers both spawn a
+        // fresh runLoadInner and reintroduce overlap.
+        if (runInFlight) {
+            rerunRequested = true;
+            await runInFlight.catch(() => {
+                /* errors surface through the caller's .catch */
+            });
+            return;
+        }
+        runInFlight = (async () => {
+            // Drain queued reruns even if an earlier pass threw — a parse or
+            // apply failure must not strand the queued follow-up that
+            // arrived between the failure and now. The latest error is
+            // reported once draining is complete.
+            let lastError;
+            while (!state.stopped) {
+                rerunRequested = false;
+                try {
+                    await runLoadInner();
+                    lastError = undefined;
+                }
+                catch (err) {
+                    lastError = err;
+                }
+                if (!rerunRequested) {
+                    break;
+                }
+            }
+            if (lastError !== undefined) {
+                throw lastError;
+            }
+        })();
+        try {
+            await runInFlight;
+        }
+        finally {
+            runInFlight = null;
         }
     }
     const handleChange = function () {

package/lib/constants.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MONITORING_HEATMAP_BUCKETS = exports.PATH_STATS_MAX_SIZE = exports.BANDWIDTH_HISTORY_MAX = exports.METRICS_PUBLISH_INTERVAL = exports.MAX_PARSE_PAYLOAD_SIZE = exports.MAX_DECOMPRESSED_SIZE = exports.UDP_RATE_LIMIT_MAX_PACKETS = exports.UDP_RATE_LIMIT_WINDOW = exports.MAX_CLIENT_SESSIONS = exports.BONDING_RTT_EMA_ALPHA = exports.BONDING_HEALTH_WINDOW_SIZE = exports.BONDING_FAILBACK_LOSS_HYSTERESIS = exports.BONDING_FAILBACK_RTT_HYSTERESIS = exports.BONDING_HEARTBEAT_TIMEOUT = exports.BONDING_FAILBACK_DELAY = exports.BONDING_LOSS_THRESHOLD = exports.BONDING_RTT_THRESHOLD = exports.BONDING_HEALTH_CHECK_INTERVAL = exports.CONGESTION_DECREASE_FACTOR = exports.CONGESTION_INCREASE_FACTOR = exports.CONGESTION_RTT_MULTIPLIER_HIGH = exports.CONGESTION_LOSS_THRESHOLD_HIGH = exports.CONGESTION_LOSS_THRESHOLD_LOW = exports.CONGESTION_SMOOTHING_FACTOR = exports.CONGESTION_MAX_ADJUSTMENT = exports.CONGESTION_ADJUST_INTERVAL = exports.CONGESTION_TARGET_RTT = exports.CONGESTION_MAX_DELTA_TIMER = exports.CONGESTION_MIN_DELTA_TIMER = exports.RATE_LIMIT_MAX_REQUESTS = exports.RATE_LIMIT_WINDOW = exports.SMART_BATCH_MAX_DELTAS = exports.SMART_BATCH_MIN_DELTAS = exports.SMART_BATCH_INITIAL_ESTIMATE = exports.SMART_BATCH_SMOOTHING = exports.SMART_BATCH_SAFETY_MARGIN = exports.UDP_SEND_TIMEOUT_MS = exports.UDP_RETRY_DELAY = exports.UDP_RETRY_MAX = exports.BROTLI_QUALITY_HIGH = exports.MAX_SAFE_UDP_PAYLOAD = exports.WATCHER_RECOVERY_DELAY = exports.CONTENT_HASH_ALGORITHM = exports.FILE_WATCH_DEBOUNCE_DELAY = exports.MAX_DELTAS_PER_PACKET = exports.DELTA_BUFFER_DROP_RATIO = exports.MAX_DELTAS_BUFFER_SIZE = exports.MILLISECONDS_PER_MINUTE = exports.PING_TIMEOUT_BUFFER = exports.DEFAULT_DELTA_TIMER = void 0;
-exports.PACKET_INSPECTOR_MAX_CLIENTS = exports.PACKET_CAPTURE_MAX_PACKETS = exports.MONITORING_ALERT_COOLDOWN = exports.MONITORING_PATH_LATENCY_WINDOW = exports.MONITORING_RETRANSMIT_HISTORY_SIZE = exports.MONITORING_HEATMAP_BUCKET_DURATION = void 0;
+exports.OUTBOUND_DUPLICATE_SUPPRESS_MS = exports.PATH_STATS_MAX_SIZE = exports.BANDWIDTH_HISTORY_MAX = exports.METRICS_PUBLISH_INTERVAL = exports.MAX_PARSE_PAYLOAD_SIZE = exports.MAX_DECOMPRESSED_SIZE = exports.UDP_RATE_LIMIT_MAX_PACKETS = exports.UDP_RATE_LIMIT_WINDOW = exports.MAX_CLIENT_SESSIONS = exports.BONDING_RTT_EMA_ALPHA = exports.BONDING_HEALTH_WINDOW_SIZE = exports.BONDING_FAILBACK_LOSS_HYSTERESIS = exports.BONDING_FAILBACK_RTT_HYSTERESIS = exports.BONDING_HEARTBEAT_TIMEOUT = exports.BONDING_FAILBACK_DELAY = exports.BONDING_LOSS_THRESHOLD = exports.BONDING_RTT_THRESHOLD = exports.BONDING_HEALTH_CHECK_INTERVAL = exports.CONGESTION_DECREASE_FACTOR = exports.CONGESTION_INCREASE_FACTOR = exports.CONGESTION_RTT_MULTIPLIER_HIGH = exports.CONGESTION_LOSS_THRESHOLD_HIGH = exports.CONGESTION_LOSS_THRESHOLD_LOW = exports.CONGESTION_SMOOTHING_FACTOR = exports.CONGESTION_MAX_ADJUSTMENT = exports.CONGESTION_ADJUST_INTERVAL = exports.CONGESTION_TARGET_RTT = exports.CONGESTION_MAX_DELTA_TIMER = exports.CONGESTION_MIN_DELTA_TIMER = exports.RATE_LIMIT_MAX_REQUESTS = exports.RATE_LIMIT_WINDOW = exports.SMART_BATCH_MAX_DELTAS = exports.SMART_BATCH_MIN_DELTAS = exports.SMART_BATCH_INITIAL_ESTIMATE = exports.SMART_BATCH_SMOOTHING = exports.SMART_BATCH_SAFETY_MARGIN = exports.UDP_SEND_TIMEOUT_MS = exports.UDP_RETRY_DELAY = exports.UDP_RETRY_MAX = exports.BROTLI_QUALITY_HIGH = exports.MAX_SAFE_UDP_PAYLOAD = exports.WATCHER_RECOVERY_DELAY = exports.CONTENT_HASH_ALGORITHM = exports.FILE_WATCH_DEBOUNCE_DELAY = exports.MAX_DELTAS_PER_PACKET = exports.DELTA_BUFFER_DROP_RATIO = exports.MAX_DELTAS_BUFFER_SIZE = exports.MILLISECONDS_PER_MINUTE = exports.PING_TIMEOUT_BUFFER = exports.DEFAULT_DELTA_TIMER = void 0;
+exports.PACKET_INSPECTOR_MAX_CLIENTS = exports.PACKET_CAPTURE_MAX_PACKETS = exports.MONITORING_ALERT_COOLDOWN = exports.MONITORING_PATH_LATENCY_WINDOW = exports.MONITORING_RETRANSMIT_HISTORY_SIZE = exports.MONITORING_HEATMAP_BUCKET_DURATION = exports.MONITORING_HEATMAP_BUCKETS = exports.HELLO_PAYLOAD_MAX_BYTES = exports.SNAPSHOT_REPLAY_CHUNK_SIZE = exports.DELTA_SEND_RETRY_BACKOFF_MS = exports.DELTA_SEND_MAX_RETRIES = exports.SOURCE_SNAPSHOT_MAX_OBJECT_KEYS = exports.SOURCE_SNAPSHOT_MAX_ARRAY_LENGTH = exports.SOURCE_SNAPSHOT_MAX_DEPTH = exports.SOURCE_SNAPSHOT_MAX_STRING_LENGTH = exports.SOURCE_SNAPSHOT_MAX_KEY_LENGTH = exports.SOURCE_SNAPSHOT_MAX_PROVIDERS = exports.SOURCE_SNAPSHOT_INTERVAL_MS = exports.SOURCE_REGISTRY_TTL_MS = exports.SOURCE_REGISTRY_MAX_RECORDS = exports.OUTBOUND_DEDUPE_MAX_ENTRIES = exports.OUTBOUND_DEDUPE_CLEANUP_INTERVAL_MS = exports.SUPPRESSED_DUPLICATE_STATS_MAX_SIZE = void 0;
 exports.calculateMaxDeltasPerBatch = calculateMaxDeltasPerBatch;
 // Delta and timing
 exports.DEFAULT_DELTA_TIMER = 1000; // milliseconds
@@ -66,6 +66,36 @@ exports.MAX_PARSE_PAYLOAD_SIZE = 512 * 1024; // 512 KB
 exports.METRICS_PUBLISH_INTERVAL = 1000; // Interval (ms) for publishing metrics to Signal K
 exports.BANDWIDTH_HISTORY_MAX = 60; // Keep 60 data points (5 minutes at 5s intervals)
 exports.PATH_STATS_MAX_SIZE = 500; // Max tracked paths in pathStats Map (prevent unbounded growth)
+// Outbound delta deduplication. signalk-server's subscriptionmanager can
+// deliver the same cached/live pair about one fixed-policy window apart;
+// 1500 ms catches that without suppressing legitimate periodic resends.
+exports.OUTBOUND_DUPLICATE_SUPPRESS_MS = 1500;
+exports.SUPPRESSED_DUPLICATE_STATS_MAX_SIZE = 50;
+exports.OUTBOUND_DEDUPE_CLEANUP_INTERVAL_MS = 1000;
+exports.OUTBOUND_DEDUPE_MAX_ENTRIES = 5000;
+// Source replication registry. 7-day TTL chosen to retain records across a
+// typical maintenance gap; 5000 records covers the busiest production
+// boats observed with N2K source-address rotation churn.
+exports.SOURCE_REGISTRY_MAX_RECORDS = 5000;
+exports.SOURCE_REGISTRY_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+// Source snapshot replication (per-peer source tree)
+exports.SOURCE_SNAPSHOT_INTERVAL_MS = 60000;
+exports.SOURCE_SNAPSHOT_MAX_PROVIDERS = 256;
+exports.SOURCE_SNAPSHOT_MAX_KEY_LENGTH = 128;
+exports.SOURCE_SNAPSHOT_MAX_STRING_LENGTH = 1024;
+exports.SOURCE_SNAPSHOT_MAX_DEPTH = 8;
+// Per-container limits inside a provider — without these, an authorised
+// peer could stay within depth/string rules and still force large
+// allocations by sending one extremely wide array or object.
+exports.SOURCE_SNAPSHOT_MAX_ARRAY_LENGTH = 256;
+exports.SOURCE_SNAPSHOT_MAX_OBJECT_KEYS = 256;
+// Delta send retry behaviour
+exports.DELTA_SEND_MAX_RETRIES = 1;
+exports.DELTA_SEND_RETRY_BACKOFF_MS = 100;
+// Full-status snapshot replay backpressure
+exports.SNAPSHOT_REPLAY_CHUNK_SIZE = 50; // Yield to event loop every N deltas
+// HELLO payload bound (UDP MTU is already a soft cap; reject anything larger)
+exports.HELLO_PAYLOAD_MAX_BYTES = 4096;
 // Enhanced monitoring
 exports.MONITORING_HEATMAP_BUCKETS = 60; // Number of time buckets for packet loss heatmap
 exports.MONITORING_HEATMAP_BUCKET_DURATION = 5000; // Duration of each bucket (5 seconds)

package/lib/crypto.js

@@ -128,7 +128,9 @@ function normalizeKey(secretKey, options = {}) {
 // the raw ASCII key (hex-encoded for Map use) so the plaintext key is not
 // retained in process memory beyond the live derivation. The cache is
 // effectively bounded by the number of distinct configured keys (typically
-// one or two per Signal K instance).
+// one or two per Signal K instance); the LRU cap is a defensive measure
+// against a future caller that passes externally-influenced strings here.
+const ASCII_KEY_CACHE_MAX = 32;
 const asciiKeyCache = new Map();
 function asciiKeyCacheKey(asciiKey) {
     return crypto.createHash("sha256").update(asciiKey, "utf8").digest("hex");
@@ -137,9 +139,18 @@ function getOrDeriveAsciiKey(asciiKey) {
     const cacheKey = asciiKeyCacheKey(asciiKey);
     const cached = asciiKeyCache.get(cacheKey);
     if (cached) {
+        // LRU refresh: move to tail by delete-then-set on insertion order Map.
+        asciiKeyCache.delete(cacheKey);
+        asciiKeyCache.set(cacheKey, cached);
         return cached;
     }
     const derived = deriveKeyFromPassphrase(asciiKey);
+    if (asciiKeyCache.size >= ASCII_KEY_CACHE_MAX) {
+        const oldest = asciiKeyCache.keys().next();
+        if (!oldest.done) {
+            asciiKeyCache.delete(oldest.value);
+        }
+    }
     asciiKeyCache.set(cacheKey, derived);
     return derived;
 }

package/lib/index.js

@@ -165,6 +165,23 @@ module.exports = function createPlugin(app) {
         // ── Start rate limiting ───────────────────────────────────────────────
         routes.startRateLimitCleanup();
         // ── Create and start instances ────────────────────────────────────────
+        // Emit a security warning specifically for v2 connections so operators
+        // running on untrusted networks notice the gap and migrate to v3. v2
+        // control packets (HEARTBEAT/HELLO/META_REQUEST/FULL_STATUS_REQUEST/
+        // ACK/NAK) are CRC-only and forgeable; v3 adds HMAC authentication.
+        // v1 is logged at debug level — it is the documented legacy default and
+        // has a wholly different threat model (no reliable transport at all).
+        for (const cfg of connectionList) {
+            const proto = (cfg.protocolVersion ?? 1);
+            if (proto === 2) {
+                app.error(`[security] Connection "${cfg.name}" uses protocol v2; control frames are NOT authenticated (CRC-only) ` +
+                    `and can be forged by any host that reaches the UDP port. Migrate to protocolVersion: 3 for any link exposed ` +
+                    `to untrusted networks. See docs/protocol-v2-spec.md §5.`);
+            }
+            else if (proto < 2) {
+                app.debug(`[security] Connection "${cfg.name}" uses legacy protocol v${proto}; see docs/protocol-v2-spec.md for v3 migration.`);
+            }
+        }
         const usedIds = new Set();
         for (const cfg of connectionList) {
             const instanceId = generateInstanceId(cfg.name, usedIds);