Realtime settings updates #285

Open

marksmith wants to merge 22 commits into main from realtime-settings-updates

Realtime settings updates#285
marksmith wants to merge 22 commits into
mainfrom
realtime-settings-updates

Conversation

marksmith (Collaborator) commented May 27, 2026

This change adds realtime settings updates from server-side events. The Aikido::Zen::Agent attempts to connect to the realtime endpoint at startup and warns the user that realtime settings updates will not be available because the startup connection attempt failed.

Realtime settings updates are implemented on Aikido::Zen::APIStream. The API stream implements a simple server-side events client, which connects to the realtime endpoint and reads events. The API stream executes concurrently using a Concurrent::SingleThreadExecutor, and calls all registered event handlers for each event received. Currently, the agent registers a single event handler for the config-updated event.

Event handlers are executed by the single thread executor, and access to the runtime settings object must be synchronized; because of this change, the runtime settings object is now accessed from multiple threads. Synchronization is localized in the agent using the update_settings_from_runtime_config! and update_settings_from_runtime_firewall_lists! methods, defined using updater.

The change includes a number of important tangential fixes. Notable is the fix to outbound connection blocking with multiple processes, where the default Aikido::Zen::RuntimeSettings::DomainSettings.none object identity check fails because each process instantiates its own process-local default after forking. The globally unique sentinel nil is now used as the default, and the implementation and tests for outbound connection blocking have been modified.

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 9 Resolved Issues: 0

🚀 New Features

  • Introduced APIStream SSE client and connected it to Agent

⚡ Enhancements

  • Integrated realtime config-updated events into Agent startup and shutdown
  • Made RuntimeSettings firewall update method return Boolean on success
  • Fixed runtime timestamp parsing to use seconds instead of milliseconds
  • Adjusted APIClient should_fetch_settings timestamp handling for realtime probe

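As an added example (not code from this PR or from the firewall-ruby project), here is a stand-in for the two pieces the description covers: a server-sent events parser that turns the raw stream into events, and a dispatcher that runs the registered handlers on one worker thread while a Mutex serialises updates to the settings object shared with the request threads. The names SSEExample, Stream, RuntimeSettings and update_from_config!, and the configUpdatedAt field in the constructed sample payload, are assumptions; a Thread plus Queue stands in for Concurrent::SingleThreadExecutor so the block runs on the standard library alone.

```ruby
require "json"
require "stringio"

# Hypothetical stand-in for the Aikido::Zen::APIStream described in the PR;
# written for this page, not taken from the firewall-ruby code base.
module SSEExample
  Event = Struct.new(:type, :data, :id)

  # Parses an SSE byte stream (any IO) into Event objects: fields are
  # "name: value" lines, multi-line "data" fields are joined with "\n",
  # an empty line dispatches the accumulated event, and lines starting
  # with ":" are comments (keepalives) and are ignored.
  def self.each_event(io)
    return enum_for(:each_event, io) unless block_given?
    type, data, id = nil, [], nil
    io.each_line do |raw|
      line = raw.chomp
      if line.empty?
        yield Event.new(type || "message", data.join("\n"), id) unless data.empty?
        type, data, id = nil, [], nil
        next
      end
      next if line.start_with?(":")
      name, value = line.split(":", 2)
      value = value.to_s.sub(/\A /, "")   # a single leading space is not part of the value
      case name
      when "event" then type = value
      when "data" then data << value
      when "id" then id = value
      end
    end
  end

  # Runs handlers on a single worker thread (stdlib stand-in for
  # Concurrent::SingleThreadExecutor), so no two handlers ever run concurrently.
  class Stream
    def initialize
      @handlers = Hash.new { |h, k| h[k] = [] }
      @queue = Queue.new
      @worker = Thread.new { while (job = @queue.pop) != :stop; job.call; end }
    end

    def on(type, &handler)
      @handlers[type] << handler
    end

    # Reads the stream on the calling thread and hands each event to the worker.
    def consume(io)
      SSEExample.each_event(io) do |event|
        @handlers[event.type].each { |h| @queue << -> { h.call(event) } }
      end
    end

    def shutdown
      @queue << :stop
      @worker.join
    end
  end

  # Settings read by request threads and written by the worker thread; every
  # access is serialised with a Mutex, mirroring the updater methods in the PR.
  class RuntimeSettings
    attr_reader :updated_at

    def initialize
      @lock = Mutex.new
      @config = {}
      @updated_at = 0
    end

    # Applies a config payload only if it is newer than the current one;
    # returns true on success, false when the payload is stale.
    def update_from_config!(config)
      @lock.synchronize do
        return false if config["configUpdatedAt"].to_i <= @updated_at
        @config = config
        @updated_at = config["configUpdatedAt"].to_i
        true
      end
    end

    def snapshot
      @lock.synchronize { @config.dup }
    end
  end

  # Constructed sample stream: a keepalive comment, a config-updated event with a
  # JSON payload split over two data lines, an unrelated event, and a stale
  # config-updated event that must be ignored.
  SAMPLE = <<~SSE
    : keepalive
    event: config-updated
    id: 1
    data: {"configUpdatedAt": 2000,
    data:  "blockedUserIds": ["u1"]}

    event: heartbeat
    data: ping

    event: config-updated
    data: {"configUpdatedAt": 1000, "blockedUserIds": []}

  SSE

  # Returns [results of each update attempt, final settings snapshot].
  def self.run(sse_text = SAMPLE)
    settings = RuntimeSettings.new
    stream = Stream.new
    applied = []
    stream.on("config-updated") do |event|
      applied << settings.update_from_config!(JSON.parse(event.data))
    end
    stream.consume(StringIO.new(sse_text))
    stream.shutdown
    [applied, settings.snapshot]
  end
end

puts SSEExample.run.inspect if $PROGRAM_NAME == __FILE__
```

The timestamp comparison in update_from_config! is what makes out-of-order or replayed events harmless: the second config-updated event in the sample carries an older configUpdatedAt and is rejected, so a reconnect that replays history cannot roll settings backwards.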

marksmith requested review from hansott and tomaisthorpe May 27, 2026 14:58
marksmith force-pushed the realtime-settings-updates branch from 4b0495c to 06c4790 May 28, 2026 07:33
codecov bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 90.79755% with 15 lines in your changes missing coverage. Please review.

Files with missing lines        Patch %   Lines
lib/aikido/zen/agent.rb         73.33%    8 Missing and 4 partials ⚠️
lib/aikido/zen/api_stream.rb    97.29%    2 Missing and 1 partial ⚠️

marksmith force-pushed the realtime-settings-updates branch 2 times, most recently from 6bce945 to d83199f May 29, 2026 11:21
marksmith force-pushed the realtime-settings-updates branch from 4c7ddfc to 6616f75 June 12, 2026 10:47
marksmith force-pushed the realtime-settings-updates branch 2 times, most recently from 105009c to ddef592 June 12, 2026 11:23
marksmith force-pushed the realtime-settings-updates branch from ddef592 to d83199f June 12, 2026 11:38
marksmith force-pushed the realtime-settings-updates branch from d83199f to b7534cc June 12, 2026 11:56
marksmith force-pushed the realtime-settings-updates branch from 03a8743 to b7534cc June 12, 2026 13:22
In case the server-side event stream ever contains sensitive data.
To emphasize the mutual exclusion property of defined updater methods.

tomaisthorpe left a comment

I think not covered in this PR is the change of URL for zen realtime. We're moving to https://zen.aikido.dev, but as part of that, we need to ensure we can still fall back to the old URL in case there's network-level blocking.

You can see how node is handling it here:
https://github.com/AikidoSec/firewall-node/blob/16a288a5880380ad540017397d56e3597b6d4a71/library/agent/realtime/probeRealtimeURL.ts

3 participants