- `dotnet add package mostlylucid.botdetection --version 7.5.2`
- `NuGet\Install-Package mostlylucid.botdetection -Version 7.5.2`
- `<PackageReference Include="mostlylucid.botdetection" Version="7.5.2" />`
- `<PackageVersion Include="mostlylucid.botdetection" Version="7.5.2" />` (Directory.Packages.props)
- `<PackageReference Include="mostlylucid.botdetection" />` (Project file)
- `paket add mostlylucid.botdetection --version 7.5.2`
- `#r "nuget: mostlylucid.botdetection, 7.5.2"`
- `#:package mostlylucid.botdetection@7.5.2`
- `#addin nuget:?package=mostlylucid.botdetection&version=7.5.2` (Install as a Cake Addin)
- `#tool nuget:?package=mostlylucid.botdetection&version=7.5.2` (Install as a Cake Tool)
Package rename notice: On June 1, 2025, this package (`mostlylucid.botdetection`) will be renamed to `stylobot`. The new package ships with the same API under a new namespace (`Stylobot.*`). Version 7.0 will be published under the new name; this package will be deprecated on NuGet at that point. See the migration guide for full details.
DESTROY ALL ROBOTS! (politely, with HTTP 403s)
Built on StyloFlow, the ephemeral workflow engine.
Bot detection middleware for ASP.NET Core with multi-signal detection, AI-powered classification with continuous learning, auto-updated blocklists, YARP integration, and full observability.
mask-pii/strip-pii stream-mask response payloads for risky traffic

When commercial WAF isn't an option:
When you need more than User-Agent matching:
When you want adaptive protection:
Note: For enterprise applications with stringent security requirements, consider commercial services like Cloudflare Bot Management or AWS WAF Bot Control.
```bash
dotnet add package Mostlylucid.BotDetection
```

```csharp
using Mostlylucid.BotDetection.Extensions;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddBotDetection();

var app = builder.Build();
app.UseBotDetection();
app.Run();
```
```json
{
  "BotDetection": {
    "BotThreshold": 0.7,
    "BlockDetectedBots": true,
    "DefaultActionPolicyName": "throttle-stealth",
    "EnableAiDetection": true,
    "AiDetection": {
      "Provider": "Heuristic",
      "Heuristic": {
        "Enabled": true,
        "EnableWeightLearning": true
      }
    },
    "Learning": {
      "Enabled": true,
      "EnableDriftDetection": true
    },
    "PathPolicies": {
      "/api/login": "strict",
      "/api/checkout/*": "strict",
      "/sitemap.xml": "allowVerifiedBots"
    }
  }
}
```
This enables:
```csharp
// HttpContext extension methods: check the verdict inline
if (context.IsBot())
    return Results.StatusCode(403);

var confidence = context.GetBotConfidence();
var botType = context.GetBotType();

// Minimal API endpoint filters
app.MapGet("/api/data", () => "sensitive")
   .BlockBots();

app.MapPost("/api/submit", () => "ok")
   .RequireHuman();

// MVC attribute
[BlockBots(AllowVerifiedBots = true)]
public IActionResult Index() => View();
```
All detectors execute in a wave-based pipeline. Fast-path detectors run in parallel in <1ms. Advanced detectors fire only when triggered by upstream signals.
| Detector | Description |
|---|---|
| UserAgent | Pattern matching against 1000+ known bot signatures with category classification |
| Header | Suspicious/missing header detection (Accept-Language, encoding, connection patterns) |
| IP | Datacenter, cloud provider, and known botnet IP range identification |
| SecurityTool | Penetration testing tool detection (Nikto, sqlmap, Burp Suite, Metasploit) |
| CacheBehavior | HTTP cache header interaction analysis (ETag, If-Modified-Since, gzip) |
| VersionAge | Browser/OS version staleness detection (outdated clients = suspicious) |
| AiScraper | AI training bot detection (GPTBot, ClaudeBot, PerplexityBot, Google-Extended) |
| FastPathReputation | Ultra-fast cached reputation from previous detections (ConfirmedGood/Bad) |
| ReputationBias | Signature-based reputation tracking from historical patterns |
| Haxxor | SQL injection, XSS, path traversal, command injection detection |
| TransportProtocol | WebSocket, gRPC, GraphQL, SSE protocol violation detection |
| Inconsistency | UA/header mismatch and cross-signal inconsistency detection |
| VerifiedBot | DNS-verified identification of Googlebot, Bingbot, and 30+ legitimate crawlers |

| Detector | Description |
|---|---|
| Behavioral | Rate limiting, request pattern analysis, timing anomalies |
| AdvancedBehavioral | Deep statistical analysis - entropy, Markov chains, anomaly detection |
| BehavioralWaveform | FFT-based spectral fingerprinting of request timing patterns |
| ClientSide | Headless browser detection via JavaScript fingerprinting signals |
| GeoChange | Geographic drift detection, country reputation, origin verification |
| AccountTakeover | Credential stuffing, brute force, and account takeover detection |
| ResponseBehavior | Honeypot path detection, response-side behavioral patterns |

| Detector | Description |
|---|---|
| TLS Fingerprint | JA3/JA4 TLS fingerprint analysis - identifies client libraries |
| TCP/IP Fingerprint | p0f-style passive OS fingerprinting via TCP stack behavior |
| HTTP/2 Fingerprint | AKAMAI-style HTTP/2 frame analysis (settings, priorities, pseudo-headers) |
| HTTP/3 Fingerprint | QUIC transport parameter fingerprinting and version negotiation analysis |
| MultiLayerCorrelation | Cross-layer consistency analysis (does TLS match TCP match HTTP match UA?) |

| Detector | Description |
|---|---|
| Heuristic | Feature-weighted classification extracting ~50 features with online learning |
| HeuristicLate | Post-AI refinement with full evidence from all prior waves |
| Similarity | Fuzzy signature matching via HNSW/Qdrant vector search |
| Cluster | Bot network detection with Leiden community discovery |
| TimescaleReputation | Time-series IP/signature reputation aggregation |
| LLM | Background classification via LLM plugin (LlamaSharp CPU or Ollama HTTP) |

| Detector | Description |
|---|---|
| ProjectHoneypot | HTTP:BL IP reputation via DNS lookup (~100ms) |
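
The VerifiedBot row above relies on DNS rather than the User-Agent string. The following is an added example, not code from the Stylobot project, of the forward-confirmed reverse DNS check that such verification is commonly built on. `CrawlerVerifier`, the injected resolver delegates, the suffix list and every DNS record are assumptions made for the sample; in production the delegates would wrap real PTR and A/AAAA lookups.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Constructed DNS data (RFC 5737 documentation addresses), so the sample runs offline.
var ptrRecords = new Dictionary<string, string>
{
    ["192.0.2.10"] = "crawl-192-0-2-10.googlebot.com.",
    ["192.0.2.20"] = "crawl.googlebot.com.scraper.example.",  // crawler name used as a prefix
    ["192.0.2.30"] = "crawl-192-0-2-30.googlebot.com.",       // PTR chosen by the IP owner
};
var addressRecords = new Dictionary<string, string[]>
{
    ["crawl-192-0-2-10.googlebot.com"] = new[] { "192.0.2.10" },
    ["crawl-192-0-2-30.googlebot.com"] = new[] { "198.51.100.7" },
};

var verifier = new CrawlerVerifier(
    ip => ptrRecords.TryGetValue(ip.ToString(), out var name) ? name : null,
    host => addressRecords.TryGetValue(host, out var ips)
        ? ips.Select(s => IPAddress.Parse(s)).ToArray()
        : Array.Empty<IPAddress>(),
    "googlebot.com", "google.com", "search.msn.com");

foreach (var ip in new[] { "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40" })
    Console.WriteLine($"{ip} -> {verifier.Verify(IPAddress.Parse(ip))}");

public enum CrawlerVerdict { Verified, NoPtrRecord, DomainMismatch, ForwardMismatch }

// Hypothetical helper for this example; DNS access is injected as two delegates.
public sealed class CrawlerVerifier
{
    private readonly Func<IPAddress, string?> _reverse;                 // PTR lookup
    private readonly Func<string, IReadOnlyList<IPAddress>> _forward;   // A/AAAA lookup
    private readonly string[] _allowedSuffixes;

    public CrawlerVerifier(Func<IPAddress, string?> reverse,
                           Func<string, IReadOnlyList<IPAddress>> forward,
                           params string[] allowedSuffixes)
    {
        _reverse = reverse;
        _forward = forward;
        _allowedSuffixes = allowedSuffixes;
    }

    public CrawlerVerdict Verify(IPAddress client)
    {
        var host = _reverse(client)?.TrimEnd('.').ToLowerInvariant();
        if (string.IsNullOrEmpty(host)) return CrawlerVerdict.NoPtrRecord;

        // Match on a label boundary, so "googlebot.com.scraper.example" and
        // "fakegooglebot.com" both fail.
        bool domainOk = _allowedSuffixes.Any(
            s => host.EndsWith("." + s, StringComparison.Ordinal));
        if (!domainOk) return CrawlerVerdict.DomainMismatch;

        // A PTR record is set by whoever controls the address block, so it proves
        // nothing alone; the name must resolve back to the connecting address.
        return _forward(host).Contains(client)
            ? CrawlerVerdict.Verified
            : CrawlerVerdict.ForwardMismatch;
    }
}
```

The third address is the case that a reverse-lookup-only check gets wrong: its PTR name looks legitimate, but the forward lookup does not return the connecting address.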
The AI detection and learning system is what sets this library apart:
```
Request → Fast Detectors → Heuristic Model → Decision → Learning Bus
               ↓                 ↓                           ↓
         Quick signals       Risk score              Pattern Reputation
                                 ↓                           ↓
                           Action Policy               Weight Updates
```
```json
{
  "BotDetection": {
    "EnableAiDetection": true,
    "AiDetection": {
      "Provider": "Heuristic",
      "Heuristic": { "Enabled": true, "EnableWeightLearning": true }
    },
    "Learning": { "Enabled": true }
  }
}
```
See and for details.
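
The learning loop above feeds a pattern reputation, which the 0.5.0-preview1 release notes describe as BotScore, Support and State tracking with time decay, online EMA updates and a Neutral → Suspect → ConfirmedBad state machine. The following is an added sketch of that idea, not the library's implementation: `PatternReputation`, the EMA weight, half-life, thresholds and the reading of "manual overrides never auto-downgrade" as a floor on the state are all assumptions, and the observation stream is constructed.

```csharp
#nullable enable
using System;

// Constructed observations for one signature: a burst of bot-like requests,
// two days of silence, one human-like request, then an operator pin.
var rep = new PatternReputation();
var t = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);

for (int i = 1; i <= 8; i++)
{
    t = t.AddMinutes(1);
    rep.Observe(0.95, t);
    Console.WriteLine($"burst #{i}: score={rep.BotScore:F3} support={rep.Support:F2} state={rep.State}");
}

t = t.AddHours(48);
rep.Observe(0.10, t);
Console.WriteLine($"after 48h idle: score={rep.BotScore:F3} state={rep.State}");

rep.Pin(ReputationState.ConfirmedBad);
rep.Observe(0.10, t.AddMinutes(1));
Console.WriteLine($"pinned: score={rep.BotScore:F3} state={rep.State}");

public enum ReputationState { Neutral, Suspect, ConfirmedBad }

// Hypothetical type for this example.
public sealed class PatternReputation
{
    // Assumed tuning values for this sketch; not the library's defaults.
    private const double Alpha = 0.3;        // EMA weight of the newest observation
    private const double SuspectAt = 0.60;
    private const double ConfirmAt = 0.85;
    private const double MinSupport = 5;     // evidence required before ConfirmedBad
    private static readonly TimeSpan HalfLife = TimeSpan.FromHours(6);

    private DateTimeOffset? _lastSeen;
    private ReputationState? _pinned;

    public double BotScore { get; private set; } = 0.5;   // 0 = human, 1 = bot
    public double Support { get; private set; }           // decayed observation count
    public ReputationState State { get; private set; } = ReputationState.Neutral;

    public void Observe(double botProbability, DateTimeOffset at)
    {
        Decay(at);
        BotScore = Alpha * Math.Clamp(botProbability, 0.0, 1.0) + (1 - Alpha) * BotScore;
        Support += 1;
        Reclassify();
    }

    // Operator override: automatic updates may raise the state but never lower it.
    public void Pin(ReputationState state)
    {
        _pinned = state;
        Reclassify();
    }

    private void Decay(DateTimeOffset at)
    {
        if (_lastSeen is DateTimeOffset last)
        {
            if (at <= last) return;   // out-of-order event: no decay, keep newest timestamp
            double keep = Math.Pow(0.5, (at - last).TotalHours / HalfLife.TotalHours);
            BotScore = 0.5 + (BotScore - 0.5) * keep;   // old evidence fades toward neutral
            Support *= keep;
        }
        _lastSeen = at;
    }

    private void Reclassify()
    {
        var computed = BotScore >= ConfirmAt && Support >= MinSupport ? ReputationState.ConfirmedBad
                     : BotScore >= SuspectAt ? ReputationState.Suspect
                     : ReputationState.Neutral;
        State = _pinned is ReputationState floor && floor > computed ? floor : computed;
    }
}
```

The Support requirement keeps a single high-confidence hit from promoting a signature straight to ConfirmedBad, and the decay lets a recycled IP or shared signature recover once the bad traffic stops.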
Control HOW to respond to detected bots:
| Policy | Description |
|---|---|
| `block` | Return 403 Forbidden |
| `throttle-stealth` | Delay response (bots don't notice) |
| `challenge` | Present CAPTCHA or proof-of-work |
| `redirect-honeypot` | Silent redirect to trap |
| `logonly` | Shadow mode (log but allow) |
| `mask-pii` | Stream-mask PII in response payload |
See for full details. See for rollout and configuration.
BotDetection is built on StyloFlow, a YAML-driven orchestration framework. Each detector is configured via a manifest file that defines its inputs, outputs, and behavior.
Entity types define the data contracts between detectors:
| Entity Type | Description | Persistence |
|---|---|---|
| `botdetection.request` | HTTP request with all detection signals | Ephemeral |
| `botdetection.signature` | Aggregated signals for classification | Ephemeral |
| `botdetection.contribution` | Single detector contribution | Ephemeral |
| `botdetection.ledger` | Accumulated detection evidence | Ephemeral |
| `botdetection.result` | Final classification result | JSON |
| `botdetection.learning_record` | Training data for learning system | Database |
| `botdetection.embedding` | Vector embedding for similarity search | Embedded |
| `botdetection.multivector_embedding` | Multi-vector ColBERT-style embedding | Embedded |
Each detector has a YAML manifest defining its input/output contracts:
```yaml
# useragent.detector.yaml
name: UserAgentContributor
priority: 10
enabled: true

input:
  accepts:
    - type: botdetection.request
      required: true
      signal_pattern: request.headers.*
  required_signals:
    - request.headers.user-agent

output:
  produces:
    - type: botdetection.contribution
    - type: botdetection.ua_signal
  signals:
    - key: detection.useragent.confidence
      entity_type: number
      salience: 0.8

defaults:
  weights:
    bot_signal: 1.5
    verified: 2.0
  confidence:
    bot_detected: 0.3
    strong_signal: 0.85
  parameters:
    min_ua_length: 10
    verify_known_bots: true
```
Override detector defaults via appsettings.json:
```json
{
  "BotDetection": {
    "Detectors": {
      "UserAgentContributor": {
        "Weights": {
          "BotSignal": 2.0
        },
        "Parameters": {
          "min_ua_length": 20
        }
      }
    }
  }
}
```
For advanced similarity-based detection, embeddings support named vectors:
```yaml
# In botdetection.entity.yaml
- type: botdetection.multivector_embedding
  persistence: embedded
  schema:
    properties:
      vectors:
        items:
          properties:
            name:
              description: Vector identifier (e.g., "ua", "ip", "tls")
            vector:
              type: array
            weight:
              description: Relative importance for MaxSim scoring
      aggregation:
        enum: [maxsim, avgpool, concat]
```
| Feature | Description | Docs |
|---|---|---|
| Quick Start | Two-line setup, all 30 detectors | |
| Configuration | Full options reference | |
| AI Detection | Heuristic model, LLM escalation, learning | |
| AI Scraper Detection | GPTBot, ClaudeBot, PerplexityBot | |
| Learning & Reputation | Pattern learning, drift detection | |
| Action Policies | Block, throttle, challenge, redirect | |
| Detection Policies | Path-based detection configuration | |
| Extensibility | Custom detectors and policies | |
| User-Agent Detection | Pattern matching with reputation | |
| Header Detection | HTTP header anomaly analysis | |
| IP Detection | Datacenter and cloud IP identification | |
| Version Age Detection | Browser/OS version staleness detection | |
| Security Tools Detection | Penetration testing tool detection | |
| Project Honeypot | HTTP:BL IP reputation checking | |
| Behavioral Analysis | Rate limiting and anomaly detection | |
| Advanced Behavioral | Entropy, Markov chains, anomalies | |
| Behavioral Waveform | FFT spectral request timing analysis | |
| Client-Side Fingerprinting | Headless browser detection | |
| Cache Behavior | HTTP cache header analysis | |
| Response Behavior | Honeypot and response-side patterns | |
| TLS/TCP/HTTP2 Fingerprinting | JA3/JA4, p0f, AKAMAI fingerprints | |
| HTTP/3 Fingerprinting | QUIC transport parameter analysis | |
| Multi-Layer Correlation | Cross-layer consistency analysis | |
| Cluster Detection | Leiden clustering for bot networks | |
| TCP/IP Fingerprint | Passive OS fingerprinting (p0f) | |
| Timescale Reputation | Time-series reputation aggregation | |
| Haxxor Detection | SQL injection, XSS, attack payload detection | |
| Account Takeover | Credential stuffing, brute force detection | |
| Transport Protocol | WebSocket, gRPC, GraphQL violation detection | |
| Geo Change Detection | Geographic drift, country reputation | |
| Verified Bot Detection | DNS-verified crawler identification | |
| Inconsistency Detection | UA/header mismatch detection | |
| YARP Integration | Bot-aware reverse proxy | |
| Telemetry | OpenTelemetry traces and metrics | |
| Stylobot Gateway | Companion Docker gateway | |
For edge deployments, use - a lightweight Docker-first reverse proxy:
```bash
# Zero-config reverse proxy in seconds
docker run -p 80:8080 -e DEFAULT_UPSTREAM=http://your-app:3000 scottgal/stylobot-gateway
```
Why use it with BotDetection?
See for integration patterns.
```csharp
app.MapBotDetectionEndpoints("/bot-detection");
// GET /bot-detection/check  - Current request analysis
// GET /bot-detection/stats  - Detection statistics
// GET /bot-detection/health - Health check
```

```csharp
// Default: all detectors + Heuristic AI with learning (no LLM)
builder.Services.AddBotDetection();

// Add in-process CPU LLM provider (LlamaSharp, zero external deps)
builder.Services.AddStylobotLlamaSharp();

// OR: Add external Ollama HTTP provider (GPU capable)
builder.Services.AddStylobotOllama("http://localhost:11434", "gemma4");

// User-agent only (fastest, minimal)
builder.Services.AddSimpleBotDetection();
```
| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net10.0 is compatible. net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos and net10.0-windows were computed. |
Showing the top 5 NuGet packages that depend on mostlylucid.botdetection:
| Package | Description |
|---|---|
| Mostlylucid.BotDetection.UI | DEPRECATION NOTICE: This package will be renamed to 'stylobot.ui' on June 1 2025. See https://github.com/scottgal/stylobot/blob/main/docs/migration-v7.md -- Real-time bot detection dashboard with SignalR and DaisyUI. Includes sb-badge, sb-confidence, sb-gate, sb-honeypot, sb-human, sb-risk, sb-signal, and sb-summary Tag Helpers plus View Components for embedding detection results in ASP.NET Core views. |
| Mostlylucid.BotDetection.UI.PostgreSQL | PostgreSQL storage provider for Stylobot Dashboard with GIN-indexed signature search, TimescaleDB time-series optimizations, and pgvector ML-based similarity search using Dapper |
| Mostlylucid.BotDetection.Llm | Package Description |
| Mostlylucid.GeoDetection.Contributor | GeoDetection contributor for BotDetection - provides geographic location analysis and geo-based bot detection signals including country/region validation and geo-inconsistency detection. |
| Mostlylucid.BotDetection.ApiHolodeck | API Holodeck extension for Mostlylucid.BotDetection - honeypot API simulation using LLM-powered mock responses. Includes: HolodeckActionPolicy (redirect bots to fake APIs), HoneypotContributor (detect honeypot link followers), and Project Honeypot data submission. |
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 7.5.5 | 190 | 6/16/2026 |
| 7.5.3 | 55 | 6/16/2026 |
| 7.5.2 | 70 | 6/16/2026 |
| 7.5.1 | 60 | 6/16/2026 |
| 7.5.0 | 61 | 6/16/2026 |
| 7.0.1-alpha0 | 97 | 6/4/2026 |
| 7.0.0 | 347 | 6/1/2026 |
| 7.0.0-rc0 | 100 | 5/31/2026 |
| 7.0.0-alpha2 | 90 | 5/31/2026 |
| 7.0.0-alpha1 | 99 | 5/31/2026 |
| 7.0.0-alpha0 | 99 | 5/31/2026 |
| 6.9.0-alpha0 | 96 | 5/28/2026 |
| 6.8.9 | 238 | 5/26/2026 |
| 6.8.8 | 125 | 5/26/2026 |
| 6.8.6 | 103 | 5/26/2026 |
| 6.8.5 | 104 | 5/25/2026 |
| 6.8.4 | 112 | 5/25/2026 |
| 6.8.3 | 97 | 5/25/2026 |
| 6.8.2 | 107 | 5/25/2026 |
| 6.7.7 | 174 | 5/24/2026 |
6.5.0
Remote-mode dashboard + new binaries:
- stylobot-ui (Stylobot.Ui): dashboard host that reads everything from a remote
stylobot gateway's /api/v1/* over HTTP. Designed to be hosted inside a network
as a viewer with local-only access. Configurable via StyloBot:Source:Pull:Type
(rest|local) and StyloBot:Source:Live:Type (signalr|none).
- stylobot-all (Stylobot.All): YARP gateway + detection + dashboard in one
process. One container, simplest deployment.
- stylobot (Console gateway) --enable-api flag: opts into the /api/v1/* REST
surface + SignalR invalidation hub at /api/v1/hub. Off by default to preserve
the small-surface posture. Fails fast at startup if no StyloBot:ApiKeys are
configured.
- 10 new /api/v1/* endpoints: clusters, labels, approvals, endpoint-pins,
sessions, useragents/search, investigate (+ shape-search + presets), bdf
export, config manifests, fingerprints (+ unabsorbed counts).
- IConfigEditorService, IFingerprintReader, IBotClusterReader interfaces
extracted from concrete classes so remote HTTP-backed adapters can substitute.
- SignalR live-feed relay: stylobot-ui opens a HubConnection to the gateway's
/api/v1/hub and forwards invalidation beacons into the local hub so browsers
refresh on detection events end-to-end.
- CLI: -d / --daemon shorthand for the start subcommand;
--output-config <file> dumps the effective BotDetectionOptions to disk in
appsettings.json shape for editing.
- Naming: ResolveDisplayName falls through to FingerprintNameComposer so
humans always get a derived display name ("Chrome on Windows (US:abcd)")
even when the metastable identity layer is off.
- AOT: sidecar publishes at 37MB (down from 131MB self-contained-single-file)
after the VYaml + TypedResults + RequestDelegateGenerator work; Console
gateway with --enable-api publishes at 59MB AOT.
See CHANGELOG.md for the full 6.5.0 entry.
---
3.5.0
UI Components, Dashboard Enhancements & Hardening:
New Sb* Tag Helpers (Mostlylucid.BotDetection.UI):
- <sb-badge>: Inline bot/human badge with risk colouring
- <sb-confidence>: Confidence score bar or text display
- <sb-gate>: Conditional rendering based on bot detection result
- <sb-honeypot>: Honeypot form field insertion
- <sb-human>: Show content only for verified humans
- <sb-risk>: Risk level display
- <sb-risk-pill>: Compact risk pill/badge
- <sb-signal>: Individual signal display
- <sb-summary>: Full detection summary (inline or card variant)
New View Components:
- SbBadgeViewComponent, SbConfidenceViewComponent, SbSummaryViewComponent
- Card and Default views for SbSummary
- Standalone CSS: sb-components.css
SignatureOnlyPaths:
- New BotDetectionOptions.SignatureOnlyPaths property
- Paths compute visitor HMAC signature without running the 27-detector pipeline
- Dashboard automatically registers its BasePath as signature-only
- Enables "Your Detection" panel to look up cached results from real page visits
Dashboard Improvements:
- Embed mode: pass ?embed=1 to hide the brand header (for iframe embedding)
- /api/me sentinel endpoint: returns current visitor's cached detection
- Client-side retry: fetchMeWithRetry polls api/me when initial data is null
- General API rate limiting (60 req/min per IP) on all dashboard endpoints
- Authorization failure logging
Security & Hardening:
- SignalR hub auth: OnConnectedAsync enforces same auth as dashboard middleware
- Dashboard auth warning: logs when no AuthorizationFilter/RequireAuthorizationPolicy configured
- SafeJson: all @Html.Raw() JSON blocks escape </ to prevent script-tag breakout (XSS defence-in-depth)
- Removed Html.Raw for emoji rendering in ViewComponents (defence-in-depth)
- Thread-safe mutation of SignatureOnlyPaths via lock
- Rate limiting expanded from diagnostics-only to all API endpoints (60 req/min per IP)
- Rate limiter cleanup threshold lowered from 1000 to 500 entries
- Rate limiter hard cap (10,000 entries) prevents memory exhaustion under distributed attacks
- User-Agent sanitization: email addresses stripped from UA strings before SignalR broadcast
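
The SafeJson item above concerns JSON written into a page through `@Html.Raw()`. The following is an added example, not the project's SafeJson code, showing why escaping `</` matters and that the escaped text is still the same JSON value. `ScriptBlockJson` is a hypothetical helper and the detection record is constructed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;
using System.Text.Json;

// Constructed detection record: the User-Agent is client-controlled text.
var detection = new Dictionary<string, string>
{
    ["verdict"] = "bot",
    ["userAgent"] = "scanner/1.0 </script><b>injected</b>",
};

// A relaxed encoder leaves '<' and '/' as they are, so the serialized string can
// close the surrounding <script> element when it is emitted through Html.Raw().
var relaxed = new JsonSerializerOptions { Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping };

string raw = JsonSerializer.Serialize(detection, relaxed);
string safe = ScriptBlockJson.Serialize(detection, relaxed);
string byDefault = JsonSerializer.Serialize(detection);   // default encoder: '<' becomes \u003C

Console.WriteLine($"relaxed : {raw}");
Console.WriteLine($"escaped : {safe}");
Console.WriteLine($"default : {byDefault}");
Console.WriteLine($"relaxed output can end the script block: {ScriptBlockJson.CanCloseScript(raw)}");
Console.WriteLine($"escaped output can end the script block: {ScriptBlockJson.CanCloseScript(safe)}");

// "\/" is a legal JSON escape for "/", so the escaped text parses to the same value.
var roundTrip = JsonSerializer.Deserialize<Dictionary<string, string>>(safe)!;
Console.WriteLine($"round-trips unchanged: {roundTrip["userAgent"] == detection["userAgent"]}");

// Hypothetical helper for this example (not the project's SafeJson type).
public static class ScriptBlockJson
{
    // Serialize, then break every "</" sequence so no closing tag survives.
    public static string Serialize<T>(T value, JsonSerializerOptions? options = null) =>
        JsonSerializer.Serialize(value, options).Replace("</", "<\\/", StringComparison.Ordinal);

    // The HTML parser ends a script element at the first "</script",
    // regardless of JavaScript string quoting.
    public static bool CanCloseScript(string json) =>
        json.Contains("</script", StringComparison.OrdinalIgnoreCase);
}
```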
Demo Application:
- ComponentsController with Gating, Honeypot, and Index views
- ComponentDemo Razor Page for interactive component testing
- New _Layout, _ViewImports, _ViewStart for Demo views
Documentation:
- New ui-components.md: full reference for all 11 Sb* tag helpers with usage examples
- Path Configuration section in configuration.md (ExcludedPaths, SignatureOnlyPaths, PathOverrides)
- Dashboard API: /api/me endpoint, embed mode (?embed=1), rate limiting details
- Security: SignalR hub auth, dashboard auth warning, SafeJson escaping
---
1.2.0
Enhanced Detection Pipeline & Security Layer:
Security Detection:
- SecurityToolContributor: Detects penetration testing tools (SQLMap, Nikto, Nmap, Burp Suite, etc.)
- ProjectHoneypotContributor: HTTP:BL IP reputation lookups via DNS with test mode simulation
- Pattern fetching from digininja/scanner_user_agents and OWASP CoreRuleSet
- Honeypot test mode: Use <test-honeypot:harvester|spammer|suspicious> markers for testing
AI Detection Improvements:
- HeuristicLateContributor: Post-AI refinement layer that runs after LLM for final classification
- Improved LLM prompt for better accuracy with smaller models
- Fixed localhost IP detection - no longer incorrectly flagged as datacenter IP
- Default LLM model upgraded to gemma3:4b for better reasoning
Demo Enhancements:
- Interactive bot simulator with 20+ preconfigured bot types
- Custom User-Agent input field for testing arbitrary UA strings
- UA Only policy for fast User-Agent-only detection testing
- Honeypot simulator buttons for testing Project Honeypot integration
- Security scanner buttons (Nikto, Nessus, Nmap, Burp Suite, Acunetix)
Production Security Defaults:
- ResponseHeaders.Enabled defaults to false (never leak detection details)
- EnableTestMode defaults to false
- Detection results flow downstream only via HttpContext.Items
New Documentation:
- security-tools-detection.md - Comprehensive security tool detection guide
- project-honeypot.md - HTTP:BL integration and testing guide
- Updated ai-detection.md with HeuristicLate contributor details
Integration Tests:
- Production security defaults verification
- Honeypot test mode simulation tests
- Contributor registration tests
New SignalKeys:
- SecurityToolDetected, SecurityToolName, SecurityToolCategory
- HoneypotChecked, HoneypotListed, HoneypotThreatScore, HoneypotVisitorType
- HoneypotTestMode (for test mode simulation)
---
1.0.0
🎉 First Stable Release!
Bot detection middleware for ASP.NET Core with multi-signal detection,
AI-powered classification with continuous learning, and full observability.
Key Features:
- Multi-signal detection: User-Agent, headers, IP ranges, behavioral analysis, client-side fingerprinting
- AI-powered classification: Heuristic model (<1ms) with optional LLM escalation
- Continuous learning: Heuristic weights adapt over time based on detection feedback
- Composable policies: Separate detection (WHAT) from action (HOW)
- Stealth responses: Throttle, challenge, or honeypot bots without revealing detection
- Auto-updated threat intel: isbot patterns and cloud IP ranges
- Full observability: OpenTelemetry traces and metrics
Breaking Changes from Preview:
- Default LLM model changed from gemma3:1b to gemma3:4b (better reasoning)
- Default LLM timeout increased from 2000ms to 5000ms
- ONNX provider removed in favor of Heuristic provider (faster, no external dependencies)
Migration Guide:
- Replace "Provider": "Onnx" with "Provider": "Heuristic" in config
- Update Ollama model if using LLM escalation: gemma3:4b recommended
---
0.5.0-preview2
Composable Action Policy System:
- Named action policies separate from detection policies
- Built-in: block, throttle, challenge, redirect, logonly
- BlockActionPolicy: Configurable status codes, messages, headers
- ThrottleActionPolicy: Jitter, risk-scaling, exponential backoff, stealth mode
- ChallengeActionPolicy: CAPTCHA, JavaScript, proof-of-work challenges
- RedirectActionPolicy: Honeypot, tarpit, error page with templates
- LogOnlyActionPolicy: Shadow mode, debug headers, metrics
- IActionPolicyFactory for configuration-based creation
- IActionPolicyRegistry for runtime policy lookup
- Custom action policies via IActionPolicy interface
- [BotAction("policy-name")] attribute for endpoint overrides
- ActionPolicyName property on detection policies and transitions
---
0.5.0-preview1
Policy-Based Detection:
- Named policies with configurable detectors per endpoint
- Path-based resolution with glob patterns (/api/*, /admin/**)
- Built-in: default, strict, relaxed, allowVerifiedBots
- Transitions based on risk thresholds and signals
- Per-policy weight overrides
- Actions: Allow, Block, Challenge, Throttle, EscalateToAi
Management Endpoints & Attributes:
- MapBotPolicyEndpoints() for CRUD and testing
- [BotPolicy("strict")] attribute for controllers/actions
- [BotDetector("UserAgent,Header")] for inline ad-hoc detection
- [SkipBotDetection] to bypass detection
- Policy simulation endpoint for testing transitions
Response Headers & TagHelpers:
- Configurable response headers (X-Bot-Risk-Score, X-Bot-Policy)
- <bot-detection-result /> TagHelper for client-side JS integration
- Full JSON result via Base64-encoded header option
Throttling with Jitter:
- Configurable base delay, max delay, jitter percent
- ScaleByRisk option for risk-proportional delays
- DelayResponse to slow bots at TCP level
- Custom throttle messages and challenge types
Blackboard Architecture:
- Event-driven detection with evidence aggregation
- Wave-based parallel execution
- Trigger conditions (WhenSignalExists, WhenRiskExceeds)
- Circuit breakers per detector
- Early exit for high-confidence detections
Pattern Reputation System:
- BotScore, Support, State tracking with time decay
- Online EMA updates, state machine (Neutral → Suspect → ConfirmedBad)
- Manual overrides never auto-downgrade
- Drift detection for bot/human ratio changes
Fast/Slow Path:
- Fast path: sync detectors (<100ms)
- Slow path: async AI/learning via LearningEventBus
New Interfaces:
- IContributingDetector, ILearningEventHandler, IPatternReputationCache
- IPolicyRegistry, IPolicyEvaluator
SQLite Pattern Store, comprehensive documentation
---
0.0.5-preview1
Client-Side Fingerprinting:
- BotDetectionTagHelper for fingerprint collection JS
- Signed token system prevents spoofing
- Detects headless browsers, automation markers
Inconsistency Detection:
- Catches UA/header mismatches
- Cross-signal contradiction detection
Risk Assessment:
- RiskBand enum (Low, Elevated, Medium, High)
- GetRiskBand(), ShouldChallengeRequest(), GetRecommendedAction()
Session-Level Behavioral Analysis:
- Multi-identity tracking (IP, fingerprint, API key, user)
- Anomaly detection (spikes, new paths, timing)
---
0.0.4-preview1
- ONNX-based detection (1-10ms latency)
- Source-generated regex for performance
- OpenTelemetry metrics integration
- YARP reverse proxy integration
---
0.0.3-preview2: Security fixes (ReDoS, CIDR validation)
0.0.3-preview1: Documentation improvements
0.0.2-preview1: Background updates, SQLite storage
0.0.1-preview1: Initial release