beskar 0.0.2 → 0.1.0

data/lib/beskar/configuration.rb

@@ -1,10 +1,15 @@
 module Beskar
   class Configuration
-    attr_accessor :rate_limiting, :security_tracking, :risk_based_locking, :geolocation, :ip_whitelist, :waf, :authentication_models, :emergency_password_reset
+    attr_accessor :rate_limiting, :security_tracking, :risk_based_locking, :geolocation, :ip_whitelist, :waf, :authentication_models, :emergency_password_reset, :monitor_only, :authenticate_admin
 
     def initialize
+      @monitor_only = false # Global monitor-only mode - logs everything but doesn't block
       @ip_whitelist = [] # Array of IP addresses or CIDR ranges
 
+      # Dashboard authentication - configure this to restrict access to the dashboard
+      # Example: config.authenticate_admin = proc { authenticate_admin! }
+      @authenticate_admin = nil
+
       # Authentication models configuration
       # Auto-detect by default, or can be explicitly configured
       @authentication_models = {
@@ -16,12 +21,20 @@ module Beskar
       @waf = {
         enabled: false,                  # Master switch for WAF
         auto_block: true,                # Automatically block IPs after threshold
-        block_threshold: 3,              # Number of violations before blocking
-        violation_window: 1.hour,        # Time window to count violations
-        block_durations: [ 1.hour, 6.hours, 24.hours, 7.days ], # Escalating block durations
-        permanent_block_after: 5,        # Permanent block after N violations (nil = never)
+        score_threshold: 150,            # Cumulative risk score before blocking (replaces block_threshold)
+        violation_window: 6.hours,       # Maximum time window to track violations
+        block_durations: [1.hour, 6.hours, 24.hours, 7.days], # Escalating block durations
+        permanent_block_after: 500,      # Permanent block after cumulative score reaches this (nil = never)
         create_security_events: true,    # Create SecurityEvent records
-        monitor_only: false              # If true, log but don't block (even if auto_block is true)
+        record_not_found_exclusions: [], # Regex patterns to exclude from RecordNotFound detection
+        decay_enabled: true,             # Enable exponential decay of violation scores over time
+        decay_rates: {                   # Decay rates by severity (half-life in minutes)
+          critical: 360,                 # Critical violations: 6 hour half-life
+          high: 120,                     # High violations: 2 hour half-life
+          medium: 45,                    # Medium violations: 45 minute half-life
+          low: 15                        # Low violations: 15 minute half-life
+        },
+        max_violations_tracked: 50       # Maximum number of violations to track per IP (oldest pruned)
       }
       @security_tracking = {
         enabled: true,
@@ -135,11 +148,12 @@ module Beskar
     end
 
     def waf_auto_block?
-      waf_enabled? && @waf[:auto_block] && !@waf[:monitor_only]
+      waf_enabled? && @waf[:auto_block] && !@monitor_only
     end
 
-    def waf_monitor_only?
-      @waf[:monitor_only] == true
+    # General monitor-only mode check (affects all blocking)
+    def monitor_only?
+      @monitor_only == true
     end
 
     # IP Whitelist configuration helpers
@@ -179,7 +193,7 @@ module Beskar
           end
         rescue => e
           # Ignore errors during detection
-          Rails.logger.debug "[Beskar] Error detecting Rails auth model #{model.name}: #{e.message}"
+          Beskar::Logger.debug("Error detecting Rails auth model #{model.name}: #{e.message}")
         end
       end
 

data/lib/beskar/engine.rb

@@ -11,9 +11,9 @@ module Beskar
       if defined?(Beskar::BannedIp)
         Rails.application.executor.wrap do
           Beskar::BannedIp.preload_cache!
-          Rails.logger.info "[Beskar] Preloaded banned IPs into cache"
+          Beskar::Logger.info("Preloaded banned IPs into cache")
         rescue => e
-          Rails.logger.warn "[Beskar] Failed to preload banned IPs: #{e.message}"
+          Beskar::Logger.warn("Failed to preload banned IPs: #{e.message}")
         end
       end
     end
@@ -35,7 +35,7 @@ module Beskar
                security_event &&
                user_was_just_locked?(user, security_event) &&
                user.respond_to?(:access_locked?) && user.access_locked?
-              Rails.logger.warn "[Beskar] Signing out user #{user.id} due to high-risk lock"
+              Beskar::Logger.warn("Signing out user #{user.id} due to high-risk lock")
               auth.logout
               throw :warden, scope: opts[:scope], message: :account_locked_due_to_high_risk
             end
@@ -61,7 +61,7 @@ module Beskar
             if model_class && model_class.respond_to?(:track_failed_authentication)
               model_class.track_failed_authentication(request, scope)
             else
-              Rails.logger.debug "[Beskar] No trackable model found for scope: #{scope}"
+              Beskar::Logger.debug("No trackable model found for scope: #{scope}")
             end
           end
         end

data/lib/beskar/logger.rb

@@ -0,0 +1,293 @@
+# frozen_string_literal: true
+
+module Beskar
+  # Centralized logging module for consistent log formatting and flexible output handling
+  module Logger
+    class << self
+      # Available log levels
+      LOG_LEVELS = %i[debug info warn error fatal].freeze
+
+      # Generate logging methods for each level
+      LOG_LEVELS.each do |level|
+        define_method(level) do |message, component: nil|
+          log(level, message, component: component)
+        end
+      end
+
+      # Main logging method that handles formatting and output
+      #
+      # @param level [Symbol] The log level (:debug, :info, :warn, :error, :fatal)
+      # @param message [String] The message to log
+      # @param component [String, Symbol, nil] Optional component name for more specific prefixes
+      #
+      # @example Basic usage
+      #   Beskar::Logger.info("User authenticated successfully")
+      #   # => [Beskar] User authenticated successfully
+      #
+      # @example With component
+      #   Beskar::Logger.warn("Rate limit exceeded", component: :WAF)
+      #   # => [Beskar::WAF] Rate limit exceeded
+      #
+      # @example With class as component
+      #   Beskar::Logger.error("Failed to lock account", component: self.class)
+      #   # => [Beskar::AccountLocker] Failed to lock account
+      def log(level, message, component: nil)
+        return unless should_log?(level)
+
+        formatted_message = format_message(message, component)
+        logger.send(level, formatted_message)
+      rescue StandardError => e
+        # Fallback to stderr if logging fails
+        $stderr.puts "[Beskar::Logger] Failed to log message: #{e.message}"
+        $stderr.puts "[Beskar::Logger] Original message: #{formatted_message}"
+      end
+
+      # Configure the logger instance
+      #
+      # @param logger_instance [Logger, nil] The logger to use, defaults to Rails.logger
+      def logger=(logger_instance)
+        @logger = logger_instance
+      end
+
+      # Get the current logger instance
+      #
+      # @return [Logger] The configured logger or Rails.logger as default
+      def logger
+        @logger ||= default_logger
+      end
+
+      # Configure log level threshold
+      #
+      # @param level [Symbol, String] Minimum log level to output
+      def level=(level)
+        @level = level.to_sym if LOG_LEVELS.include?(level.to_sym)
+      end
+
+      # Get the current log level
+      #
+      # @return [Symbol] Current log level
+      def level
+        @level ||= :debug
+      end
+
+      # Reset logger configuration to defaults
+      def reset!
+        @logger = nil
+        @level = nil
+        @component_aliases = nil
+      end
+
+      # Configure component name aliases for cleaner output
+      #
+      # @param aliases [Hash] Mapping of classes/modules to display names
+      #
+      # @example
+      #   Beskar::Logger.component_aliases = {
+      #     'Beskar::Services::Waf' => 'WAF',
+      #     'Beskar::Services::AccountLocker' => 'AccountLocker'
+      #   }
+      def component_aliases=(aliases)
+        @component_aliases = aliases
+      end
+
+      # Get component aliases
+      #
+      # @return [Hash] Current component aliases
+      def component_aliases
+        @component_aliases ||= default_component_aliases
+      end
+
+      private
+
+      # Format the log message with appropriate prefix
+      #
+      # @param message [String] The message to format
+      # @param component [String, Symbol, Class, nil] Component identifier
+      # @return [String] Formatted message with prefix
+      def format_message(message, component)
+        prefix = build_prefix(component)
+        "#{prefix} #{message}"
+      end
+
+      # Build the log prefix based on component
+      #
+      # @param component [String, Symbol, Class, nil] Component identifier
+      # @return [String] Formatted prefix
+      def build_prefix(component)
+        return "[Beskar]" if component.nil?
+
+        component_name = normalize_component_name(component)
+
+        if component_name.nil? || component_name.empty?
+          "[Beskar]"
+        else
+          "[Beskar::#{component_name}]"
+        end
+      end
+
+      # Normalize component name from various input types
+      #
+      # @param component [String, Symbol, Class] Component identifier
+      # @return [String, nil] Normalized component name
+      def normalize_component_name(component)
+        case component
+        when String
+          apply_component_alias(component)
+        when Symbol
+          component.to_s
+        when Class
+          apply_component_alias(component.name)
+        when Module
+          apply_component_alias(component.name)
+        else
+          component.to_s
+        end
+      end
+
+      # Apply component alias if configured
+      #
+      # @param component_name [String] Original component name
+      # @return [String] Aliased name or original
+      def apply_component_alias(component_name)
+        return nil if component_name.nil?
+
+        # First check exact matches
+        aliased = component_aliases[component_name]
+        return aliased if aliased
+
+        # Remove Beskar:: prefix if present for lookup
+        clean_name = component_name.sub(/^Beskar::/, '')
+        aliased = component_aliases[clean_name]
+        return aliased if aliased
+
+        # Check if it's already a simple component name (no ::)
+        return clean_name unless clean_name.include?('::')
+
+        # Extract the last component for nested classes
+        # e.g., "Beskar::Services::Waf" -> "Waf"
+        last_component = clean_name.split('::').last
+        component_aliases[clean_name] || last_component
+      end
+
+      # Check if message should be logged based on current level
+      #
+      # @param message_level [Symbol] Level of the message
+      # @return [Boolean] True if message should be logged
+      def should_log?(message_level)
+        level_value(message_level) >= level_value(level)
+      end
+
+      # Convert log level to numeric value for comparison
+      #
+      # @param level_sym [Symbol] Log level
+      # @return [Integer] Numeric value
+      def level_value(level_sym)
+        LOG_LEVELS.index(level_sym) || 0
+      end
+
+      # Get the default logger instance
+      #
+      # @return [Logger] Default logger (Rails.logger or stdlib Logger)
+      def default_logger
+        if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+          Rails.logger
+        else
+          require 'logger'
+          ::Logger.new($stdout)
+        end
+      end
+
+      # Default component name aliases for cleaner output
+      #
+      # @return [Hash] Default aliases
+      def default_component_aliases
+        {
+          'Beskar::Services::Waf' => 'WAF',
+          'Beskar::Services::WAF' => 'WAF',
+          'Services::Waf' => 'WAF',
+          'Services::WAF' => 'WAF',
+          'Beskar::Services::AccountLocker' => 'AccountLocker',
+          'Services::AccountLocker' => 'AccountLocker',
+          'Beskar::Services::RateLimiter' => 'RateLimiter',
+          'Services::RateLimiter' => 'RateLimiter',
+          'Beskar::Services::IpWhitelist' => 'IpWhitelist',
+          'Services::IpWhitelist' => 'IpWhitelist',
+          'Beskar::Services::GeolocationService' => 'GeolocationService',
+          'Services::GeolocationService' => 'GeolocationService',
+          'Beskar::Services::DeviceDetector' => 'DeviceDetector',
+          'Services::DeviceDetector' => 'DeviceDetector',
+          'Beskar::Middleware::RequestAnalyzer' => 'Middleware',
+          'Middleware::RequestAnalyzer' => 'Middleware',
+          'Beskar::Models::SecurityTrackableDevise' => 'SecurityTracking',
+          'Models::SecurityTrackableDevise' => 'SecurityTracking',
+          'Beskar::Models::SecurityTrackableAuthenticable' => 'SecurityTracking',
+          'Models::SecurityTrackableAuthenticable' => 'SecurityTracking',
+          'Beskar::Models::SecurityTrackableGeneric' => 'SecurityTracking',
+          'Models::SecurityTrackableGeneric' => 'SecurityTracking'
+        }
+      end
+    end
+
+    # Module to include in classes for instance-level logging
+    module ClassMethods
+      # Log a debug message with automatic component detection
+      def log_debug(message)
+        Beskar::Logger.debug(message, component: self)
+      end
+
+      # Log an info message with automatic component detection
+      def log_info(message)
+        Beskar::Logger.info(message, component: self)
+      end
+
+      # Log a warning message with automatic component detection
+      def log_warn(message)
+        Beskar::Logger.warn(message, component: self)
+      end
+
+      # Log an error message with automatic component detection
+      def log_error(message)
+        Beskar::Logger.error(message, component: self)
+      end
+
+      # Log a fatal message with automatic component detection
+      def log_fatal(message)
+        Beskar::Logger.fatal(message, component: self)
+      end
+    end
+
+    # Module to include in classes for instance-level logging
+    module InstanceMethods
+      # Log a debug message with automatic component detection
+      def log_debug(message)
+        Beskar::Logger.debug(message, component: self.class)
+      end
+
+      # Log an info message with automatic component detection
+      def log_info(message)
+        Beskar::Logger.info(message, component: self.class)
+      end
+
+      # Log a warning message with automatic component detection
+      def log_warn(message)
+        Beskar::Logger.warn(message, component: self.class)
+      end
+
+      # Log an error message with automatic component detection
+      def log_error(message)
+        Beskar::Logger.error(message, component: self.class)
+      end
+
+      # Log a fatal message with automatic component detection
+      def log_fatal(message)
+        Beskar::Logger.fatal(message, component: self.class)
+      end
+    end
+
+    # Convenience method to include both class and instance methods
+    def self.included(base)
+      base.extend(ClassMethods)
+      base.include(InstanceMethods)
+    end
+  end
+end

data/lib/beskar/middleware/request_analyzer.rb

@@ -9,76 +9,116 @@ module Beskar
         request = ActionDispatch::Request.new(env)
         ip_address = request.ip
 
+        Beskar::Logger.debug("[RequestAnalyzer] Processing request from IP: #{ip_address}, Path: #{request.path}", component: :Middleware)
+
         # 1. Check if IP is whitelisted (whitelisted IPs skip blocking but still get logged)
         is_whitelisted = Beskar::Services::IpWhitelist.whitelisted?(ip_address)
 
-        # 2. Check if IP is banned (early exit for blocked IPs, unless whitelisted)
+        # 2. Check if IP is banned (early exit for blocked IPs, unless whitelisted or in monitor-only mode)
         if !is_whitelisted && Beskar::BannedIp.banned?(ip_address)
-          Rails.logger.warn "[Beskar::Middleware] Blocked request from banned IP: #{ip_address}"
-          return blocked_response("Your IP address has been blocked due to suspicious activity.")
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block request from banned IP: #{ip_address}, but monitor_only=true. Request proceeding normally.", component: :Middleware)
+          else
+            Beskar::Logger.warn("Blocked request from banned IP: #{ip_address}", component: :Middleware)
+            return blocked_response("Your IP address has been blocked due to suspicious activity.")
+          end
         end
 
         # 3. Check rate limiting (unless whitelisted)
         if !is_whitelisted && rate_limited?(request)
-          Rails.logger.warn "[Beskar::Middleware] Rate limit exceeded for IP: #{ip_address}"
-          
-          # Auto-block after excessive rate limiting violations
+          # Auto-block after excessive rate limiting violations (even in monitor-only mode - we create the ban record)
           if should_auto_block_rate_limit?(ip_address)
             Beskar::BannedIp.ban!(
               ip_address,
-              reason: 'rate_limit_abuse',
+              reason: "rate_limit_abuse",
               duration: 1.hour,
-              details: 'Excessive rate limit violations'
+              details: "Excessive rate limit violations"
             )
           end
-          
-          return rate_limit_response
+
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block rate limit exceeded for IP: #{ip_address}, but monitor_only=true. Request proceeding normally.", component: :Middleware)
+          else
+            Beskar::Logger.warn("Rate limit exceeded for IP: #{ip_address}", component: :Middleware)
+            return rate_limit_response
+          end
         end
 
         # 4. Check WAF patterns (vulnerability scans)
         if Beskar.configuration.waf_enabled?
+          Beskar::Logger.debug("[RequestAnalyzer] WAF enabled, analyzing request", component: :Middleware)
           waf_analysis = Beskar::Services::Waf.analyze_request(request)
-          
+
           if waf_analysis
+            Beskar::Logger.debug("[RequestAnalyzer] WAF detected threat: #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")}", component: :Middleware)
             # Log the violation (and create security event if configured)
             # Pass whitelist status to prevent auto-blocking whitelisted IPs
-            violation_count = Beskar::Services::Waf.record_violation(ip_address, waf_analysis, whitelisted: is_whitelisted)
-            
+            current_score = Beskar::Services::Waf.record_violation(ip_address, waf_analysis, whitelisted: is_whitelisted)
+            Beskar::Logger.debug("[RequestAnalyzer] Current score after recording: #{current_score.round(2)}", component: :Middleware)
+
             # Log even for whitelisted IPs (but don't block)
             if is_whitelisted
-              Rails.logger.info(
-                "[Beskar::Middleware] WAF violation from whitelisted IP #{ip_address} " \
-                "(not blocking): #{waf_analysis[:patterns].map { |p| p[:description] }.join(', ')}"
-              )
+              Beskar::Logger.info("WAF violation from whitelisted IP #{ip_address} " \
+                "(not blocking): #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")}", component: :Middleware)
             else
               # Check if we should block
               should_block = Beskar::Services::Waf.should_block?(ip_address)
-              
-              if Beskar.configuration.waf_monitor_only?
-                # Monitor-only mode: Just log, don't block
+              Beskar::Logger.debug("[RequestAnalyzer] Should block IP #{ip_address}?: #{should_block}", component: :Middleware)
+
+              if Beskar.configuration.monitor_only?
+                # Monitor-only mode: Just log, don't block (but ban record was created by WAF.record_violation)
                 if should_block
-                  Rails.logger.warn(
-                    "[Beskar::Middleware] 🔍 MONITOR-ONLY: Would block IP #{ip_address} " \
-                    "after #{violation_count} WAF violations, but monitor_only=true. " \
-                    "Request proceeding normally."
-                  )
+                  Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block IP #{ip_address} " \
+                    "with score #{current_score.round(2)}, but monitor_only=true. " \
+                    "Request proceeding normally.", component: :Middleware)
                 end
-              elsif should_block
-                # Actually block the request
-                Rails.logger.warn(
-                  "[Beskar::Middleware] 🔒 Blocking IP #{ip_address} " \
-                  "after #{violation_count} WAF violations"
-                )
+              elsif should_block && !Beskar.configuration.monitor_only?
+                # Actually block the request (not in monitor-only mode)
+                Beskar::Logger.warn("🔒 Blocking IP #{ip_address} " \
+                  "with WAF score #{current_score.round(2)}", component: :Middleware)
                 # Block already handled by WAF.record_violation auto-block logic
                 # But we return 403 immediately
                 return blocked_response("Access denied due to suspicious activity.")
               end
             end
+          else
+            Beskar::Logger.debug("[RequestAnalyzer] No WAF threat detected for path: #{request.path}", component: :Middleware)
           end
+        else
+          Beskar::Logger.debug("[RequestAnalyzer] WAF is disabled", component: :Middleware)
         end
 
         # 5. Process the request normally (will raise 404 if route not found)
+        Beskar::Logger.debug("[RequestAnalyzer] Passing request to application", component: :Middleware)
         @app.call(env)
+      rescue ActionController::UnknownFormat => e
+        # Analyze unknown format as potential scanner
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActionDispatch::RemoteIp::IpSpoofAttackError => e
+        # Handle IP spoofing attack
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActiveRecord::RecordNotFound => e
+        # Analyze record not found as potential enumeration scan
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType => e
+        # Analyze invalid MIME type as potential scanner
+        if Beskar.configuration.waf_enabled?
+          handle_rails_exception(request, e, ip_address, is_whitelisted)
+        end
+        # Re-raise to allow normal error handling
+        raise
       rescue ActionController::RoutingError => e
         # If WAF is enabled, log 404s as potential scanning attempts
         if Beskar.configuration.waf_enabled?
@@ -94,7 +134,7 @@ module Beskar
         # Check both IP rate limit and authentication abuse
         ip_check = Beskar::Services::RateLimiter.check_ip_rate_limit(request.ip)
         auth_abused = authentication_brute_force?(request.ip)
-        
+
         !ip_check[:allowed] || auth_abused
       end
 
@@ -104,7 +144,7 @@ module Beskar
         violations = Rails.cache.read(cache_key) || 0
         violations += 1
         Rails.cache.write(cache_key, violations, expires_in: 1.hour)
-        
+
         # Block after 5 rate limit violations in an hour
         violations >= 5
       end
@@ -112,53 +152,88 @@ module Beskar
       def authentication_brute_force?(ip_address)
         # Check authentication failure count from RateLimiter
         cache_key = "beskar:ip_auth_failures:#{ip_address}"
-        
+
         # Get current failure count and timestamp
         failure_data = Rails.cache.read(cache_key)
         return false unless failure_data.is_a?(Hash)
-        
+
         # Count recent failures (within the configured period)
         config = Beskar.configuration.rate_limiting[:ip_attempts] || {}
         period = config[:period] || 1.hour
         limit = config[:limit] || 10
-        
+
         now = Time.current.to_i
         recent_failures = failure_data.select { |timestamp, _| now - timestamp.to_i < period.to_i }
-        
+
         # If too many auth failures, it's brute force
         if recent_failures.length >= limit
-          # Auto-ban for authentication abuse
+          # Auto-ban for authentication abuse (create ban record even in monitor-only mode)
           Beskar::BannedIp.ban!(
             ip_address,
-            reason: 'authentication_abuse',
+            reason: "authentication_abuse",
             duration: 1.hour,
             details: "#{recent_failures.length} failed authentication attempts in #{period / 60} minutes",
-            metadata: { failure_count: recent_failures.length, detection_time: Time.current }
+            metadata: {failure_count: recent_failures.length, detection_time: Time.current}
           )
-          
-          Rails.logger.warn(
-            "[Beskar::Middleware] 🔒 Auto-blocked IP #{ip_address} " \
-            "for authentication brute force (#{recent_failures.length} failures)"
-          )
-          
+
+          if Beskar.configuration.monitor_only?
+            Beskar::Logger.warn("🔍 MONITOR-ONLY: Would auto-block IP #{ip_address} " \
+              "for authentication brute force (#{recent_failures.length} failures), but monitor_only=true", component: :Middleware)
+          else
+            Beskar::Logger.warn("🔒 Auto-blocked IP #{ip_address} " \
+              "for authentication brute force (#{recent_failures.length} failures)", component: :Middleware)
+          end
+
           return true
         end
-        
+
         false
       end
 
+      def handle_rails_exception(request, exception, ip_address, is_whitelisted)
+        # Analyze the exception using WAF
+        waf_analysis = Beskar::Services::Waf.analyze_exception(exception, request)
+
+        if waf_analysis
+          Beskar::Logger.debug("[RequestAnalyzer] WAF detected threat from exception: #{exception.class.name}", component: :Middleware)
+
+          # Record the violation (similar to regular WAF violations)
+          current_score = Beskar::Services::Waf.record_violation(ip_address, waf_analysis, whitelisted: is_whitelisted)
+
+          # Log for whitelisted IPs
+          if is_whitelisted
+            Beskar::Logger.info("Exception-based WAF violation from whitelisted IP #{ip_address} " \
+              "(not blocking): #{exception.class.name} - #{waf_analysis[:patterns].first[:description]}", component: :Middleware)
+          else
+            # Check if we should block
+            should_block = Beskar::Services::Waf.should_block?(ip_address)
+
+            if Beskar.configuration.monitor_only?
+              if should_block
+                Beskar::Logger.warn("🔍 MONITOR-ONLY: Would block IP #{ip_address} " \
+                  "with score #{current_score.round(2)} (exception: #{exception.class.name}), " \
+                  "but monitor_only=true. Request proceeding normally.", component: :Middleware)
+              end
+            elsif should_block && !Beskar.configuration.monitor_only?
+              Beskar::Logger.warn("🔒 Blocking IP #{ip_address} " \
+                "with score #{current_score.round(2)} (exception: #{exception.class.name})", component: :Middleware)
+              # Note: We don't return blocked response here as exception is already raised
+              # The ban record is created by WAF.record_violation
+            end
+          end
+        end
+      end
+
       def log_404_for_waf(request, error)
         # 404s on suspicious paths might indicate scanning
         path = request.fullpath || request.path
-        
+
         # Only log if it matches WAF patterns (already analyzed in analyze_request)
         waf_analysis = Beskar::Services::Waf.analyze_request(request)
-        
+
         if waf_analysis
-          Rails.logger.info(
-            "[Beskar::Middleware] 404 on suspicious path from #{request.ip}: #{path} " \
-            "(WAF patterns: #{waf_analysis[:patterns].map { |p| p[:description] }.join(', ')})"
-          )
+          Beskar::Logger.info("404 on suspicious path from #{request.ip}: #{path} " \
+            "(WAF patterns: #{waf_analysis[:patterns].map { |p| p[:description] }.join(", ")})", component: :Middleware)
         end
       end