@anomira/node-sdk 0.2.0 → 0.2.3

package/dist/index.cjs

@@ -3,6 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var async_hooks = require('async_hooks');
+var crypto = require('crypto');
 
 // src/client.ts
 
@@ -406,7 +407,741 @@ var EventName = {
   FIREWALL_FLAG: "http.firewall.flag"
 };
 
-// src/client.ts
+// src/agent-detection.ts
+var CONFIRMED_UA_PATTERNS = [
+  // OpenAI — https://developers.openai.com/api/docs/bots
+  [/GPTBot\//i, "openai", "GPTBot"],
+  [/ChatGPT-User\//i, "openai", "ChatGPT-User"],
+  [/OAI-SearchBot\//i, "openai", "OAI-SearchBot"],
+  [/OAI-AdsBot\//i, "openai", "OAI-AdsBot"],
+  // Anthropic — https://support.claude.com/en/articles/8896518
+  [/ClaudeBot\//i, "anthropic", "ClaudeBot"],
+  [/Claude-User\//i, "anthropic", "Claude-User"],
+  [/Claude-SearchBot\//i, "anthropic", "Claude-SearchBot"],
+  // Perplexity — https://docs.perplexity.ai/guides/bots
+  [/PerplexityBot\//i, "perplexity", "PerplexityBot"],
+  [/Perplexity-User\//i, "perplexity", "Perplexity-User"]
+];
+var MCP_SESSION_HEADER = "mcp-session-id";
+var RFC9421_SIG_HEADER = "signature-agent";
+var MCP_ACCEPT_EXACT = "application/json, text/event-stream";
+function detectAgent(headers) {
+  const signals = [];
+  let agentType = null;
+  let agentName = null;
+  let sessionId = null;
+  let isMcp = false;
+  let confidence = null;
+  const sigAgent = headerStr(headers[RFC9421_SIG_HEADER]);
+  if (sigAgent) {
+    signals.push("rfc9421_signature_agent");
+    confidence = "high";
+    agentType = sigAgent.includes("chatgpt.com") ? "openai" : "rfc9421_agent";
+    agentName = `rfc9421:${sigAgent.slice(0, 60)}`;
+  }
+  const mcpSession = headerStr(headers[MCP_SESSION_HEADER]);
+  if (mcpSession) {
+    signals.push("mcp_session_id");
+    isMcp = true;
+    sessionId = mcpSession;
+    confidence = "high";
+    if (!agentType) agentType = "mcp_client";
+  }
+  const accept = headerStr(headers["accept"]);
+  if (accept === MCP_ACCEPT_EXACT) {
+    signals.push("mcp_accept_header");
+    isMcp = true;
+    if (!confidence) confidence = "high";
+    if (!agentType) agentType = "mcp_client";
+  }
+  const ua = headerStr(headers["user-agent"]) ?? "";
+  for (const [pattern, type, name] of CONFIRMED_UA_PATTERNS) {
+    const match = ua.match(pattern);
+    if (match) {
+      signals.push(`ua_${name.toLowerCase().replace(/[^a-z0-9]/g, "_")}`);
+      confidence = "high";
+      const tokenStart = ua.indexOf(match[0]);
+      const tokenEnd = ua.indexOf(" ", tokenStart);
+      agentName = tokenEnd > -1 ? ua.slice(tokenStart, tokenEnd) : match[0];
+      agentType = type;
+      break;
+    }
+  }
+  if (!agentType && /^python-httpx\//i.test(ua) && isMcp) {
+    signals.push("ua_python_httpx_with_mcp");
+    confidence = "medium";
+    agentType = "mcp_client";
+    agentName = ua.split(" ")[0] ?? "python-httpx";
+  }
+  const isAgent = confidence !== null;
+  return {
+    isAgent,
+    confidence: confidence ?? "medium",
+    agentType: isAgent ? agentType ?? "unknown_agent" : null,
+    agentName: isAgent ? agentName : null,
+    sessionId,
+    isMcp,
+    signals
+  };
+}
+function headerStr(v) {
+  if (v === void 0) return void 0;
+  return Array.isArray(v) ? v[0] : v;
+}
+
+// src/behavioral-fingerprint.ts
+var KNOWN_BOT_UA = [
+  // Confirmed: psf/requests utils.py (default_headers)
+  [/^python-requests\//i, "python-requests"],
+  // Confirmed: encode/httpx tests/client/test_headers.py
+  [/^python-httpx\//i, "python-httpx"],
+  // Confirmed: aiohttp docs (format: "Python/3.x aiohttp/3.x.x")
+  [/\baiohttp\//i, "aiohttp"],
+  // Confirmed: nodejs/undici issue #1305
+  [/^undici$/i, "undici"],
+  // Confirmed: everything.curl.dev
+  [/^curl\//i, "curl"],
+  // Confirmed: GNU wget docs
+  [/^Wget\//i, "wget"],
+  // Confirmed: Go net/http DefaultClient (golang.org/pkg/net/http)
+  [/^Go-http-client\//i, "Go-http-client"],
+  // Confirmed: Java HttpURLConnection default
+  [/^Java\//i, "Java"],
+  // Confirmed: Scrapy docs (scrapy.org)
+  [/^Scrapy\//i, "Scrapy"],
+  // Confirmed: OkHttp (square.github.io/okhttp)
+  [/\bokhttp\//i, "okhttp"],
+  // Confirmed: libwww-perl (metacpan.org/pod/LWP)
+  [/^libwww-perl\//i, "libwww-perl"],
+  // Confirmed: node-fetch (github.com/node-fetch/node-fetch README)
+  [/^node-fetch\//i, "node-fetch"],
+  // Confirmed: axios docs (axios-http.com/docs/config_defaults)
+  [/^axios\//i, "axios"],
+  // Confirmed: Ruby net/http default (ruby-doc.org)
+  [/^Ruby$/i, "Ruby"]
+];
+var AXIOS_ACCEPT = "application/json, text/plain, */*";
+function computeBrowserFingerprint(headers, ua) {
+  const signals = [];
+  let score = 0;
+  let isDefiniteBot = false;
+  let knownClient = null;
+  for (const [pattern, name] of KNOWN_BOT_UA) {
+    if (pattern.test(ua)) {
+      isDefiniteBot = true;
+      knownClient = name;
+      score = 100;
+      signals.push(`known_ua:${name}`);
+      break;
+    }
+  }
+  const accept = str(headers["accept"]);
+  if (!isDefiniteBot && accept === AXIOS_ACCEPT) {
+    isDefiniteBot = true;
+    knownClient = "axios";
+    score = 100;
+    signals.push("known_accept:axios");
+  }
+  if (isDefiniteBot) return { score, signals, isDefiniteBot, knownClient };
+  const hasSecFetchSite = "sec-fetch-site" in headers;
+  const hasSecFetchMode = "sec-fetch-mode" in headers;
+  if (!hasSecFetchSite && !hasSecFetchMode) {
+    score += 30;
+    signals.push("missing_sec_fetch");
+  }
+  const acceptLang = str(headers["accept-language"]);
+  if (!acceptLang) {
+    score += 25;
+    signals.push("missing_accept_language");
+  }
+  const acceptEnc = str(headers["accept-encoding"]);
+  if (!acceptEnc) {
+    score += 10;
+    signals.push("missing_accept_encoding");
+  }
+  if (hasSecFetchMode && !hasSecFetchSite) {
+    score += 20;
+    signals.push("undici_pattern:sec_fetch_mode_without_site");
+    knownClient = "undici (Node.js fetch)";
+  }
+  if (acceptLang === "*") {
+    score += 15;
+    signals.push("undici_pattern:accept_language_wildcard");
+  }
+  const claimsChrome = /Chrome\//i.test(ua) && !/Chromium/i.test(ua);
+  const hasSecChUa = "sec-ch-ua" in headers;
+  if (claimsChrome && !hasSecChUa) {
+    score += 10;
+    signals.push("chrome_ua_without_sec_ch_ua");
+  }
+  score = Math.min(100, score);
+  return { score, signals, isDefiniteBot, knownClient };
+}
+function extractHttp2Settings(req) {
+  const stream = req["stream"] ?? req["raw"]?.["stream"];
+  if (!stream) return null;
+  const session = stream["session"];
+  if (!session) return null;
+  const remote = session["remoteSettings"];
+  if (!remote) return null;
+  const initialWindowSize = remote.initialWindowSize ?? 65535;
+  const headerTableSize = remote.headerTableSize ?? 4096;
+  const enablePush = remote.enablePush ?? true;
+  const signals = [];
+  let score = 0;
+  if (initialWindowSize <= 131072) {
+    score += 20;
+    signals.push(`h2_window_${initialWindowSize}`);
+  }
+  if (headerTableSize <= 4096 && initialWindowSize <= 131072) {
+    score += 5;
+    signals.push("h2_header_table_default");
+  }
+  return { initialWindowSize, headerTableSize, enablePush, score, signals };
+}
+function extractUpstreamTls(headers) {
+  const ja3 = str(headers["x-ja3-hash"]) || str(headers["x-ja3"]) || null;
+  const ja4 = str(headers["x-ja4"]) || null;
+  return { ja3: ja3 || null, ja4: ja4 || null };
+}
+function str(v) {
+  if (v === void 0) return "";
+  return Array.isArray(v) ? v[0] ?? "" : v;
+}
+function detectHoneypotType(path) {
+  const p = path.toLowerCase().split("?")[0] ?? path.toLowerCase();
+  if (/\/\.env(\.[\w]+)?$/.test(p) || p.endsWith("/.env")) return "env_file";
+  if (p.includes(".aws/credentials") || p.includes("aws/credentials")) return "aws_credentials";
+  if (p.includes(".git/config") || p.endsWith("/git/config")) return "git_config";
+  if (p.includes("/graphql") || p.includes("/graphiql")) return "graphql";
+  if (p.includes("/actuator/env") || p.includes("/actuator/")) return "spring_actuator";
+  if (/\/(config|settings|secrets?)(\.json)?$/.test(p)) return "json_config";
+  if (p.endsWith("/.htpasswd") || p.endsWith("/.htaccess")) return "htpasswd";
+  if (p.includes("/.s3cfg") || p.endsWith("/s3") || p.includes("s3cfg")) return "s3_bucket";
+  if (/\/(admin|wp-admin|administrator|panel|cpanel|dashboard|manage|backend)(\/|$)/.test(p)) return "admin_portal";
+  return "generic";
+}
+function generateHoneypotResponse(type, canaryToken, callbackBase, orgId) {
+  switch (type) {
+    case "env_file":
+      return makeEnvFile(canaryToken);
+    case "aws_credentials":
+      return makeAwsCredentials(canaryToken);
+    case "git_config":
+      return makeGitConfig(canaryToken, callbackBase, orgId);
+    case "graphql":
+      return makeGraphQL();
+    case "spring_actuator":
+      return makeSpringActuator(canaryToken);
+    case "json_config":
+      return makeJsonConfig(canaryToken, callbackBase, orgId);
+    case "htpasswd":
+      return makeHtpasswd(canaryToken);
+    case "s3_bucket":
+      return makeS3Bucket(canaryToken);
+    case "admin_portal":
+      return makeAdminPortal(canaryToken);
+    default:
+      return makeGeneric(canaryToken);
+  }
+}
+function makeEnvFile(canaryToken, _callbackBase, _orgId) {
+  const jwtSecret = genHex(32);
+  const dbPassword = genAlphanumeric(20);
+  const redisPassword = genAlphanumeric(16);
+  const apiKey = genHex(32);
+  const dnsDb = `db.${canaryToken}.srv.anomira.io`;
+  const dnsCache = `cache.${canaryToken}.srv.anomira.io`;
+  const dnsMonitoring = `hooks.monitoring.${canaryToken}.srv.anomira.io`;
+  const dnsAlerts = `hooks.alerts.${canaryToken}.srv.anomira.io`;
+  const dnsDeploy = `deploy.internal.${canaryToken}.srv.anomira.io`;
+  const fakeJwt = generateCanaryJwt(canaryToken, jwtSecret);
+  const body = `# Production Environment Configuration
+# Last updated: ${new Date(Date.now() - 7 * 864e5).toISOString().split("T")[0]}
+
+NODE_ENV=production
+PORT=3000
+
+# \u2500\u2500 Database \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+DATABASE_URL=postgresql://db_prod:${dbPassword}@${dnsDb}:5432/app_production
+DATABASE_REPLICA_URL=postgresql://db_prod:${dbPassword}@${dnsDb}:5433/app_production
+DATABASE_POOL_MIN=2
+DATABASE_POOL_MAX=10
+
+# \u2500\u2500 Cache \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+REDIS_URL=redis://:${redisPassword}@${dnsCache}:6379/0
+
+# \u2500\u2500 Authentication \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+JWT_SECRET=${jwtSecret}
+JWT_EXPIRES_IN=15m
+REFRESH_TOKEN_SECRET=${genHex(32)}
+SESSION_SECRET=${genHex(32)}
+
+# \u2500\u2500 Sample authenticated token (service account) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+SERVICE_ACCOUNT_TOKEN=${fakeJwt}
+
+# \u2500\u2500 AWS \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+AWS_REGION=eu-west-1
+AWS_S3_BUCKET=app-production-${genHex(4)}
+
+# \u2500\u2500 Monitoring / Webhooks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+MONITORING_WEBHOOK=https://${dnsMonitoring}/v1/events/ingest
+ALERT_WEBHOOK=https://${dnsAlerts}/services/${genHex(7).toUpperCase()}/notify
+DEPLOY_HOOK=https://${dnsDeploy}/hooks/deploy/${genHex(6)}
+
+# \u2500\u2500 External APIs \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+INTERNAL_API_KEY=${apiKey}
+`;
+  return {
+    statusCode: 200,
+    contentType: "text/plain; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "Last-Modified": new Date(Date.now() - 7 * 864e5).toUTCString(),
+      "ETag": `"${genHex(8)}-${genHex(4)}"`,
+      // Apache-style headers — most exposed .env files are on PHP/Apache stacks
+      "Server": "Apache/2.4.41 (Ubuntu)",
+      "X-Content-Type-Options": "nosniff"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeAwsCredentials(canaryToken) {
+  const fakeKeyId = makeAwsKeyId();
+  const fakeSecret = makeAwsSecret();
+  const stsPrefixKey = "ASIA" + makeAwsKeyId().slice(4);
+  const stsSecret = makeAwsSecret();
+  const stsToken = genBase64(300);
+  const body = `[default]
+aws_access_key_id=${fakeKeyId}
+aws_secret_access_key=${fakeSecret}
+region=eu-west-1
+
+[production]
+aws_access_key_id=${fakeKeyId}
+aws_secret_access_key=${fakeSecret}
+region=eu-west-1
+
+[staging]
+aws_access_key_id=${stsPrefixKey}
+aws_secret_access_key=${stsSecret}
+aws_session_token=${stsToken}
+region=eu-west-1
+`;
+  return {
+    statusCode: 200,
+    contentType: "text/plain; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "Last-Modified": new Date(Date.now() - 14 * 864e5).toUTCString(),
+      // Match the Server header an AWS EC2 instance metadata endpoint might have
+      "Server": "EC2ws",
+      "X-Content-Type-Options": "nosniff"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeGitConfig(canaryToken, callbackBase, orgId) {
+  const ghpToken = `ghp_${genAlphanumeric(36)}`;
+  const glpatToken = `glpat-${genAlphanumeric(20)}`;
+  const webhookUrl = `${callbackBase}/v1/canary/${orgId}/${canaryToken}`;
+  const dnsGit = `git.${canaryToken}.srv.anomira.io`;
+  const body = `[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = false
+	logallrefupdates = true
+
+[remote "origin"]
+	url = https://oauth2:${ghpToken}@github.com/company/app.git
+	fetch = +refs/heads/*:refs/remotes/origin/*
+
+[remote "deploy"]
+	url = https://deploy-token:${glpatToken}@${dnsGit}/backend/app.git
+	fetch = +refs/heads/*:refs/remotes/deploy/*
+
+[remote "notify"]
+	url = ${webhookUrl}
+
+[branch "main"]
+	remote = origin
+	merge = refs/heads/main
+
+[branch "production"]
+	remote = deploy
+	merge = refs/heads/production
+
+[credential "https://github.com"]
+	username = deploy-bot
+`;
+  return {
+    statusCode: 200,
+    contentType: "text/plain; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "Last-Modified": new Date(Date.now() - 30 * 864e5).toUTCString(),
+      "Server": "Apache/2.4.41 (Ubuntu)"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeGraphQL() {
+  const body = JSON.stringify({
+    data: {
+      __schema: {
+        queryType: { name: "Query" },
+        mutationType: { name: "Mutation" },
+        types: [
+          { kind: "OBJECT", name: "Query", fields: [{ name: "user" }, { name: "users" }, { name: "posts" }] },
+          { kind: "OBJECT", name: "Mutation", fields: [{ name: "login" }, { name: "createUser" }, { name: "adminReset" }, { name: "exportData" }] },
+          { kind: "OBJECT", name: "User", fields: [{ name: "id" }, { name: "email" }, { name: "role" }, { name: "createdAt" }] },
+          { kind: "OBJECT", name: "AuthPayload", fields: [{ name: "token" }, { name: "user" }] },
+          { kind: "SCALAR", name: "String", fields: null },
+          { kind: "SCALAR", name: "Boolean", fields: null },
+          { kind: "SCALAR", name: "Int", fields: null },
+          { kind: "SCALAR", name: "ID", fields: null }
+        ]
+      }
+    }
+  });
+  return {
+    statusCode: 200,
+    contentType: "application/json; charset=utf-8",
+    headers: {
+      "X-Powered-By": "Express",
+      "X-Request-Id": `req_${genHex(16)}`
+    },
+    body,
+    canaryToken: ""
+  };
+}
+function makeSpringActuator(canaryToken) {
+  const dbPassword = genAlphanumeric(20);
+  const secretKey = genHex(32);
+  const body = JSON.stringify({
+    activeProfiles: ["production"],
+    defaultProfiles: ["default"],
+    propertySources: [
+      {
+        name: "systemProperties",
+        properties: {
+          "java.runtime.version": { value: "17.0.9+9" },
+          "server.port": { value: "8080" },
+          "user.home": { value: "/home/appuser" }
+        }
+      },
+      {
+        name: "applicationConfig: [classpath:/application-production.properties]",
+        properties: {
+          "spring.datasource.url": { origin: "class path resource [application-production.properties] - 3:1", value: "jdbc:postgresql://db.internal:5432/myapp" },
+          "spring.datasource.username": { origin: "class path resource [application-production.properties] - 4:1", value: "dbadmin" },
+          "spring.datasource.password": { origin: "class path resource [application-production.properties] - 5:1", value: dbPassword },
+          "app.jwt.secret": { origin: "class path resource [application-production.properties] - 8:1", value: secretKey },
+          "app.canary.token": { value: canaryToken },
+          "management.endpoints.web.exposure.include": { value: "health,info,env,metrics,loggers" }
+        }
+      }
+    ]
+  }, null, 2);
+  return {
+    statusCode: 200,
+    contentType: "application/vnd.spring-boot.actuator.v3+json",
+    headers: {
+      "X-Application-Context": "myapp:production:8080",
+      "X-Content-Type-Options": "nosniff",
+      "X-XSS-Protection": "1; mode=block"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeJsonConfig(canaryToken, callbackBase, orgId) {
+  const webhookUrl = `${callbackBase}/v1/canary/${orgId}/${canaryToken}`;
+  const body = JSON.stringify({
+    environment: "production",
+    version: "2.4.1",
+    database: {
+      host: "db.internal.company.com",
+      port: 5432,
+      name: "app_production",
+      user: "db_prod",
+      password: genAlphanumeric(20)
+    },
+    jwt: {
+      secret: genHex(32),
+      expiresIn: "15m"
+    },
+    webhooks: {
+      events: webhookUrl,
+      alerts: `${callbackBase}/v1/canary/${orgId}/${canaryToken}`
+    },
+    internalApiKey: genHex(32)
+  }, null, 2);
+  return {
+    statusCode: 200,
+    contentType: "application/json; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "ETag": `"${genHex(8)}"`,
+      "X-Powered-By": "Express"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeHtpasswd(canaryToken) {
+  const apr1Salt = genAlphanumeric(8).toLowerCase();
+  const apr1Hash = genBase64(22).replace(
+    /[+=/]/g,
+    (c) => ({ "+": ".", "=": "/", "/": "X" })[c] ?? c
+  );
+  const bcryptHash = genBase64(53).replace(
+    /[+=]/g,
+    (c) => ({ "+": ".", "=": "/" })[c] ?? c
+  );
+  const canaryApr1 = `$apr1$${canaryToken.slice(0, 8)}$${genBase64(22).slice(0, 22)}`;
+  const body = `# Apache HTTP Server password file
+admin:$apr1$${apr1Salt}$${apr1Hash}
+deploy:$2y$10$${bcryptHash}
+root:${canaryApr1}
+backup-user:$apr1$${genAlphanumeric(8).toLowerCase()}$${genBase64(22).slice(0, 22)}
+`;
+  return {
+    statusCode: 200,
+    contentType: "text/plain; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "Last-Modified": new Date(Date.now() - 45 * 864e5).toUTCString(),
+      "Server": "Apache/2.4.41 (Ubuntu)",
+      "Content-Disposition": "inline"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeS3Bucket(canaryToken) {
+  const ownerId = genHex(32) + genHex(32);
+  const now = /* @__PURE__ */ new Date();
+  const dateStr = (offset) => new Date(now.getTime() - offset).toISOString().replace(/\.\d{3}Z/, ".000Z");
+  const body = `<?xml version="1.0" encoding="UTF-8"?>
+<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+  <Owner>
+    <ID>${ownerId}</ID>
+    <DisplayName>company-admin</DisplayName>
+  </Owner>
+  <Buckets>
+    <Bucket>
+      <Name>company-production-data</Name>
+      <CreationDate>${dateStr(120 * 864e5)}</CreationDate>
+    </Bucket>
+    <Bucket>
+      <Name>company-assets-${genHex(4)}</Name>
+      <CreationDate>${dateStr(90 * 864e5)}</CreationDate>
+    </Bucket>
+    <Bucket>
+      <Name>company-backups-${canaryToken.slice(0, 12)}</Name>
+      <CreationDate>${dateStr(30 * 864e5)}</CreationDate>
+    </Bucket>
+    <Bucket>
+      <Name>company-logs-archive</Name>
+      <CreationDate>${dateStr(180 * 864e5)}</CreationDate>
+    </Bucket>
+  </Buckets>
+</ListAllMyBucketsResult>`;
+  return {
+    statusCode: 200,
+    contentType: "application/xml",
+    headers: {
+      "x-amz-request-id": genHex(8).toUpperCase() + genHex(8).toUpperCase(),
+      "x-amz-id-2": genBase64(60),
+      "Server": "AmazonS3"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeAdminPortal(canaryToken) {
+  const body = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Administration \u2014 Login</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      background: #0f1117;
+      color: #c9d1d9;
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif;
+      display: flex; align-items: center; justify-content: center;
+      min-height: 100vh;
+    }
+    .card {
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 32px;
+      width: 100%;
+      max-width: 360px;
+    }
+    h1 { font-size: 1.1rem; font-weight: 600; color: #e6edf3; margin-bottom: 4px; }
+    .subtitle { font-size: 0.8rem; color: #7d8590; margin-bottom: 24px; }
+    label { display: block; font-size: 0.8rem; font-weight: 600; color: #c9d1d9; margin-bottom: 6px; }
+    input[type=text], input[type=password] {
+      width: 100%; padding: 8px 12px; border: 1px solid #30363d;
+      border-radius: 6px; background: #0d1117; color: #c9d1d9;
+      font-size: 0.875rem; outline: none; margin-bottom: 16px;
+    }
+    input:focus { border-color: #388bfd; box-shadow: 0 0 0 3px rgba(56,139,253,.1); }
+    .row { display: flex; align-items: center; justify-content: space-between; margin-bottom: 16px; }
+    .row label { margin-bottom: 0; font-weight: normal; display: flex; align-items: center; gap: 6px; cursor: pointer; }
+    button {
+      width: 100%; padding: 8px 16px; background: #238636; color: #fff;
+      border: none; border-radius: 6px; font-size: 0.875rem; font-weight: 600;
+      cursor: pointer; transition: background .15s;
+    }
+    button:hover { background: #2ea043; }
+    .footer { text-align: center; font-size: 0.72rem; color: #7d8590; margin-top: 20px; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Administration Panel</h1>
+    <p class="subtitle">Sign in to continue</p>
+    <form method="POST" action="./login" autocomplete="off">
+      <input type="hidden" name="_token" value="${canaryToken}" />
+      <div>
+        <label for="username">Username</label>
+        <input id="username" name="username" type="text" placeholder="admin" autocomplete="off" />
+      </div>
+      <div>
+        <label for="password">Password</label>
+        <input id="password" name="password" type="password" placeholder="\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" autocomplete="off" />
+      </div>
+      <div class="row">
+        <label><input type="checkbox" name="remember" /> Remember me</label>
+        <a href="#" style="font-size:.8rem;color:#388bfd;text-decoration:none;">Forgot password?</a>
+      </div>
+      <button type="submit">Sign in</button>
+    </form>
+    <p class="footer">v3.2.1 \xB7 Secure Administration Portal</p>
+  </div>
+</body>
+</html>`;
+  return {
+    statusCode: 200,
+    contentType: "text/html; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store, no-cache",
+      "X-Frame-Options": "SAMEORIGIN",
+      "Server": "nginx/1.18.0 (Ubuntu)"
+    },
+    body,
+    canaryToken
+  };
+}
+function makeAdminLoginFailed() {
+  const body = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <title>Administration \u2014 Login</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body { background: #0f1117; color: #c9d1d9; font-family: -apple-system, sans-serif;
+      display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #161b22; border: 1px solid #30363d; border-radius: 8px; padding: 32px; width: 100%; max-width: 360px; }
+    h1 { font-size: 1.1rem; font-weight: 600; color: #e6edf3; margin-bottom: 4px; }
+    .error { background: #3d1010; border: 1px solid #f85149; color: #f85149; border-radius: 6px; padding: 10px 14px; font-size: .8rem; margin-bottom: 16px; }
+    label { display: block; font-size: .8rem; font-weight: 600; color: #c9d1d9; margin-bottom: 6px; }
+    input[type=text], input[type=password] { width: 100%; padding: 8px 12px; border: 1px solid #f85149; border-radius: 6px; background: #0d1117; color: #c9d1d9; font-size: .875rem; outline: none; margin-bottom: 16px; }
+    button { width: 100%; padding: 8px 16px; background: #238636; color: #fff; border: none; border-radius: 6px; font-size: .875rem; font-weight: 600; cursor: pointer; }
+    .footer { text-align: center; font-size: .72rem; color: #7d8590; margin-top: 20px; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Administration Panel</h1>
+    <div class="error">\u26A0 Invalid username or password. Please try again.</div>
+    <form method="POST" action="" autocomplete="off">
+      <div><label for="u">Username</label><input id="u" name="username" type="text" autocomplete="off" /></div>
+      <div><label for="p">Password</label><input id="p" name="password" type="password" autocomplete="off" /></div>
+      <button type="submit">Sign in</button>
+    </form>
+    <p class="footer">v3.2.1 \xB7 Secure Administration Portal</p>
+  </div>
+</body>
+</html>`;
+  return {
+    statusCode: 401,
+    contentType: "text/html; charset=utf-8",
+    headers: {
+      "Cache-Control": "no-store",
+      "Server": "nginx/1.18.0 (Ubuntu)",
+      "WWW-Authenticate": 'Form realm="Administration Panel"'
+    },
+    body,
+    canaryToken: ""
+  };
+}
+function makeGeneric(canaryToken) {
+  return {
+    statusCode: 200,
+    contentType: "text/plain; charset=utf-8",
+    headers: { "Cache-Control": "no-store" },
+    body: `# ${canaryToken}
+`,
+    canaryToken
+  };
+}
+function generateCanaryJwt(canaryToken, secret) {
+  const now = Math.floor(Date.now() / 1e3);
+  const kid = `${canaryToken.slice(0, 8)}-${canaryToken.slice(8, 12)}-4${canaryToken.slice(13, 16)}-${canaryToken.slice(16, 20)}-${canaryToken.slice(20, 32)}`;
+  const header = { alg: "HS256", typ: "JWT", kid };
+  const payload = {
+    sub: "svc_internal_7482",
+    name: "service-account",
+    role: "admin",
+    email: "admin@internal.company.com",
+    iat: now - 172800,
+    // issued 48h ago (realistic stale credential)
+    exp: now - 86400,
+    // expired 24h ago
+    jti: canaryToken
+    // raw hex — no "canary-" prefix to leak purpose
+  };
+  const h = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const p = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const sig = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest("base64url");
+  return `${h}.${p}.${sig}`;
+}
+function makeAwsKeyId() {
+  const base32Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const middle = Array.from(
+    { length: 13 },
+    () => base32Chars[crypto.randomBytes(1)[0] % base32Chars.length]
+  ).join("");
+  return `AKIAI${middle}A`;
+}
+function makeAwsSecret() {
+  return crypto.randomBytes(30).toString("base64").slice(0, 40);
+}
+function genHex(bytes) {
+  return crypto.randomBytes(bytes).toString("hex");
+}
+function genAlphanumeric(len) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  return Array.from(
+    { length: len },
+    () => chars[crypto.randomBytes(1)[0] % chars.length]
+  ).join("");
+}
+function genBase64(approxLen) {
+  return crypto.randomBytes(Math.ceil(approxLen * 3 / 4)).toString("base64").slice(0, approxLen);
+}
 var requestContext = new async_hooks.AsyncLocalStorage();
 var DEFAULT_INGEST_URL = "https://ingest.anomira.io/v1/events";
 var DEFAULT_BATCH_SIZE = 100;
@@ -418,10 +1153,28 @@ var AnomiraClient = class {
     this.logFlushTimer = null;
     this.blocklistTimer = null;
     this.firewallTimer = null;
+    this.communityThreatTimer = null;
     /** True when credentials are missing — all operations become no-ops. */
     this.disabled = false;
-    /** In-process cache of blocked IPs — refreshed every 60 s from the ingest server. */
+    /** In-process cache of manually blocked IPs — refreshed every 60 s. */
     this.blockedIpCache = /* @__PURE__ */ new Set();
+    /** In-process cache of community threat IPs with their confidence scores.
+     *  Populated from Anomira's federated threat network — IPs confirmed malicious
+     *  across multiple customers. Refreshed every 60 s. */
+    this.communityThreatCache = /* @__PURE__ */ new Map();
+    /**
+     * Set of honeypot paths to intercept. When a request matches, the SDK returns
+     * a fake response instead of forwarding to the customer's route handlers.
+     * Synced from ingest every 60 s. Keys are lowercase path strings.
+     */
+    this.honeypotPaths = /* @__PURE__ */ new Set();
+    /**
+     * Set of active canary token strings embedded in previously-served honeypot
+     * responses. When any of these appear in a request's Authorization header or
+     * body, a http.canary.triggered event is fired.
+     * Synced from ingest every 60 s (max 100 tokens, sliding 7-day window).
+     */
+    this.canaryTokenCache = /* @__PURE__ */ new Set();
     /** In-process cache of firewall rules with pre-compiled regex — refreshed every 60 s. */
     this.compiledRules = [];
     // Saved originals — used by SDK internals so patched console doesn't recurse
@@ -445,7 +1198,8 @@ var AnomiraClient = class {
         service: "app",
         getUserId: defaultGetUserId,
         getIp: defaultGetIp,
-        detect: { bruteForce: true, rateAbuse: true, pathTraversal: true, xss: true, scanDetection: true, geoVelocity: true }
+        detect: { bruteForce: true, rateAbuse: true, pathTraversal: true, xss: true, scanDetection: true, geoVelocity: true },
+        autoBlock: { enabled: true, communityThreshold: 85 }
       };
       this.buffer = new EventBuffer({ appId: "", apiKey: "", ingestUrl: DEFAULT_INGEST_URL, maxBatchSize: 0, flushIntervalMs: 999999999, maxRetries: 0, debug: false });
       return;
@@ -470,6 +1224,10 @@ var AnomiraClient = class {
         xss: config.detect?.xss ?? true,
         scanDetection: config.detect?.scanDetection ?? true,
         geoVelocity: config.detect?.geoVelocity ?? true
+      },
+      autoBlock: {
+        enabled: config.autoBlock?.enabled ?? true,
+        communityThreshold: config.autoBlock?.communityThreshold ?? 85
       }
     };
     this.buffer = new EventBuffer({
@@ -492,6 +1250,21 @@ var AnomiraClient = class {
       void this.#refreshFirewallRules();
     }, 6e4);
     if (this.firewallTimer.unref) this.firewallTimer.unref();
+    void this.#refreshHoneypotPaths();
+    const honeypotTimer = setInterval(() => {
+      void this.#refreshHoneypotPaths();
+    }, 6e4);
+    if (honeypotTimer.unref) honeypotTimer.unref();
+    void this.#refreshCanaryTokens();
+    const canaryTimer = setInterval(() => {
+      void this.#refreshCanaryTokens();
+    }, 6e4);
+    if (canaryTimer.unref) canaryTimer.unref();
+    void this.#refreshCommunityThreats();
+    this.communityThreatTimer = setInterval(() => {
+      void this.#refreshCommunityThreats();
+    }, 6e4);
+    if (this.communityThreatTimer.unref) this.communityThreatTimer.unref();
     this.logFlushTimer = setInterval(() => {
       void this.#flushLogs();
     }, 1e4);
@@ -527,7 +1300,7 @@ var AnomiraClient = class {
       const res = await fetch(syncUrl, {
         headers: {
           Authorization: `Bearer ${this.config.apiKey}`,
-          "User-Agent": `@anomira/node-sdk/0.1.0`
+          "User-Agent": `@anomira/node-sdk/0.2.2`
         },
         signal: AbortSignal.timeout(5e3)
       });
@@ -540,6 +1313,58 @@ var AnomiraClient = class {
     } catch {
     }
   }
+  async #refreshCommunityThreats() {
+    const syncUrl = this.config.ingestUrl.replace(/\/v1\/events$/, "/v1/community-threats/sync");
+    try {
+      const res = await fetch(syncUrl, {
+        headers: {
+          Authorization: `Bearer ${this.config.apiKey}`,
+          "User-Agent": `@anomira/node-sdk/0.2.2`
+        },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (!res.ok) return;
+      const data = await res.json();
+      const newCache = /* @__PURE__ */ new Map();
+      for (const t of data.threats ?? []) {
+        newCache.set(t.ip, { score: t.score, topAttack: t.topAttack });
+      }
+      this.communityThreatCache = newCache;
+      if (this.config.debug && newCache.size > 0) {
+        this._origLog(`[Anomira] community threats refreshed \u2014 ${newCache.size} known threat IPs`);
+      }
+    } catch {
+    }
+  }
+  async #refreshHoneypotPaths() {
+    const syncUrl = this.config.ingestUrl.replace(/\/v1\/events$/, "/v1/honeypots/sync");
+    try {
+      const res = await fetch(syncUrl, {
+        headers: { Authorization: `Bearer ${this.config.apiKey}`, "User-Agent": "@anomira/node-sdk/0.2.2" },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (!res.ok) return;
+      const data = await res.json();
+      this.honeypotPaths = new Set((data.paths ?? []).map((p) => p.toLowerCase()));
+      if (this.config.debug && this.honeypotPaths.size > 0) {
+        this._origLog(`[Anomira] honeypot paths refreshed \u2014 ${this.honeypotPaths.size} traps active`);
+      }
+    } catch {
+    }
+  }
+  async #refreshCanaryTokens() {
+    const syncUrl = this.config.ingestUrl.replace(/\/v1\/events$/, "/v1/canary-tokens/sync");
+    try {
+      const res = await fetch(syncUrl, {
+        headers: { Authorization: `Bearer ${this.config.apiKey}`, "User-Agent": "@anomira/node-sdk/0.2.2" },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (!res.ok) return;
+      const data = await res.json();
+      this.canaryTokenCache = new Set(data.tokens ?? []);
+    } catch {
+    }
+  }
   async #refreshFirewallRules() {
     const syncUrl = this.config.ingestUrl.replace(/\/v1\/events$/, "/v1/firewall-rules/sync");
     try {
@@ -666,10 +1491,40 @@ var AnomiraClient = class {
    * });
    * ```
    */
-  /** Returns true if the IP is in the current blocked list. Synchronous — no network call. */
+  /**
+   * Returns true if the IP should be blocked. Synchronous — no network call.
+   *
+   * Checks two independent sources:
+   *   1. Manual blocklist  — IPs explicitly blocked by the customer or via playbooks.
+   *   2. Community threats — IPs from Anomira's federated network whose confidence
+   *                         score meets the autoBlock.communityThreshold (default 85).
+   *                         Only active when autoBlock.enabled is true (the default).
+   *
+   * If a customer sets autoBlock.enabled = false, only the manual blocklist is checked.
+   */
   isBlocked(ip) {
     if (this.disabled) return false;
-    return this.blockedIpCache.has(ip);
+    if (this.blockedIpCache.has(ip)) return true;
+    if (this.config.autoBlock.enabled) {
+      const threat = this.communityThreatCache.get(ip);
+      if (threat && threat.score >= this.config.autoBlock.communityThreshold) return true;
+    }
+    return false;
+  }
+  /**
+   * Returns the block reason for an IP — useful for logging or custom responses.
+   * Returns null if the IP is not blocked.
+   */
+  blockReason(ip) {
+    if (this.disabled) return null;
+    if (this.blockedIpCache.has(ip)) return { source: "manual" };
+    if (this.config.autoBlock.enabled) {
+      const threat = this.communityThreatCache.get(ip);
+      if (threat && threat.score >= this.config.autoBlock.communityThreshold) {
+        return { source: "community", score: threat.score, topAttack: threat.topAttack };
+      }
+    }
+    return null;
   }
   /**
    * Fire-and-forget: report a blocked-IP attempt to the ingest server so the
@@ -701,12 +1556,15 @@ var AnomiraClient = class {
   }
   track(eventName, data) {
     if (this.disabled) return;
+    const ctx = requestContext.getStore();
+    const resolvedIp = data.ip && data.ip !== "0.0.0.0" && data.ip !== "" ? data.ip : ctx?.ip ?? "0.0.0.0";
+    const resolvedMeta = ctx?.endpoint && !data.meta?.["endpoint"] ? { endpoint: ctx.endpoint, method: ctx.method, ...data.meta } : data.meta;
     const event = {
       name: eventName,
       ts: Date.now(),
-      ip: data.ip,
+      ip: resolvedIp,
       userId: data.userId,
-      meta: data.meta
+      meta: resolvedMeta
     };
     this.buffer.push(event);
   }
@@ -725,13 +1583,15 @@ var AnomiraClient = class {
   async trackLogin(data) {
     if (this.disabled) return;
     const tsMs = Date.now();
-    this.track(EventName.LOGIN_SUCCESS, { ...data, meta: { ...data.meta } });
+    const ctx = requestContext.getStore();
+    const resolvedIp = data.ip && data.ip !== "0.0.0.0" ? data.ip : ctx?.ip ?? "0.0.0.0";
+    this.track(EventName.LOGIN_SUCCESS, { ...data, ip: resolvedIp, meta: { ...data.meta } });
     if (!this.config.detect.geoVelocity) return;
     try {
-      const result = await checkGeoVelocity(data.userId, data.ip, tsMs, this.config.geoLookupUrl || void 0);
+      const result = await checkGeoVelocity(data.userId, resolvedIp, tsMs, this.config.geoLookupUrl || void 0);
       if (!result) return;
       this.track(EventName.GEO_VELOCITY, {
-        ip: data.ip,
+        ip: resolvedIp,
         userId: data.userId,
         meta: {
           distanceKm: result.distanceKm,
@@ -766,6 +1626,7 @@ var AnomiraClient = class {
     if (this.disabled) return;
     this.track(EventName.PHONE_AUTH, {
       ip: data.ip,
+      // track() auto-resolves from context if empty
       userId: data.userId,
       meta: { phone: data.phone, ...data.meta }
     });
@@ -834,6 +1695,22 @@ var AnomiraClient = class {
    */
   async flush() {
     if (this.disabled) return;
+    if (this.blocklistTimer) {
+      clearInterval(this.blocklistTimer);
+      this.blocklistTimer = null;
+    }
+    if (this.firewallTimer) {
+      clearInterval(this.firewallTimer);
+      this.firewallTimer = null;
+    }
+    if (this.communityThreatTimer) {
+      clearInterval(this.communityThreatTimer);
+      this.communityThreatTimer = null;
+    }
+    if (this.logFlushTimer) {
+      clearInterval(this.logFlushTimer);
+      this.logFlushTimer = null;
+    }
     await Promise.all([this.buffer.flush(), this.#flushLogs()]);
   }
   /**
@@ -860,8 +1737,60 @@ var AnomiraClient = class {
 function defaultGetUserId(req) {
   const r = req;
   const user = r["user"];
-  if (!user) return void 0;
-  return user["id"] ?? user["userId"] ?? user["sub"] ?? user["_id"];
+  if (user && typeof user === "object") {
+    const id = pickId(user);
+    if (id) return id;
+  }
+  const auth = r["auth"];
+  if (auth && typeof auth === "object") {
+    const id = pickId(auth);
+    if (id) return id;
+  }
+  const direct = r["userId"] ?? r["user_id"] ?? r["accountId"] ?? r["account_id"] ?? r["customerId"];
+  if (direct && typeof direct === "string") return direct;
+  const session = r["session"];
+  if (session && typeof session === "object") {
+    const sessionDirect = session["userId"] ?? session["user_id"];
+    if (sessionDirect) return sessionDirect;
+    const sessionUser = session["user"];
+    if (sessionUser && typeof sessionUser === "object") {
+      const id = pickId(sessionUser);
+      if (id) return id;
+    }
+  }
+  const headers = r["headers"];
+  const rawAuth = headers?.["authorization"];
+  const authStr = Array.isArray(rawAuth) ? rawAuth[0] : rawAuth;
+  if (authStr?.startsWith("Bearer ")) {
+    const token = authStr.slice(7);
+    try {
+      const parts = token.split(".");
+      if (parts.length === 3) {
+        const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+        const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+        const payload = JSON.parse(
+          Buffer.from(padded, "base64").toString("utf8")
+        );
+        const jwtId = pickId(payload);
+        if (jwtId) return jwtId;
+        for (const val of Object.values(payload)) {
+          if (val && typeof val === "object" && !Array.isArray(val)) {
+            const nested = pickId(val);
+            if (nested) return nested;
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return void 0;
+}
+function pickId(obj) {
+  const id = obj["id"] ?? obj["sub"] ?? // JWT standard claim
+  obj["userId"] ?? obj["user_id"] ?? obj["uid"] ?? // Firebase
+  obj["_id"] ?? // MongoDB
+  obj["accountId"] ?? obj["account_id"] ?? obj["customerId"] ?? obj["customer_id"];
+  return typeof id === "string" && id.length > 0 ? id : void 0;
 }
 function normalizeIp(raw) {
   if (raw === "::1") return "127.0.0.1";
@@ -872,25 +1801,84 @@ function normalizeIp(raw) {
 function defaultGetIp(req) {
   const r = req;
   const fwd = r["headers"];
-  const xff = fwd?.["x-forwarded-for"];
-  if (xff) {
-    const first = Array.isArray(xff) ? xff[0] : xff.split(",")[0];
-    if (first) return normalizeIp(first.trim());
+  function firstHdr(name) {
+    const v = fwd?.[name];
+    if (!v) return void 0;
+    const s = (Array.isArray(v) ? v[0] : v.split(",")[0])?.trim();
+    return s || void 0;
+  }
+  const ip = firstHdr("cf-connecting-ip") ?? // Cloudflare
+  firstHdr("true-client-ip") ?? // Cloudflare Enterprise / Akamai
+  firstHdr("x-forwarded-for") ?? // Nginx, AWS ALB, GCP LB, most proxies
+  firstHdr("x-real-ip") ?? // Nginx (single-IP alternative to XFF)
+  firstHdr("fastly-client-ip") ?? // Fastly CDN
+  firstHdr("x-client-ip") ?? // Generic reverse proxies
+  firstHdr("x-cluster-client-ip") ?? // Cluster / k8s ingress
+  r["socket"]?.remoteAddress ?? "0.0.0.0";
+  return normalizeIp(ip);
+}
+function sendFakeResponse(res, fakeResponse) {
+  const allHeaders = {
+    "Content-Type": fakeResponse.contentType,
+    ...fakeResponse.headers
+  };
+  if (typeof res["set"] === "function") {
+    res["set"](allHeaders);
+  } else if (typeof res["setHeader"] === "function") {
+    for (const [k, v] of Object.entries(allHeaders)) {
+      res["setHeader"](k, v);
+    }
+  }
+  if (typeof res["status"] === "function") {
+    res["status"](fakeResponse.statusCode);
+  } else {
+    res["statusCode"] = fakeResponse.statusCode;
+  }
+  if (typeof res["end"] === "function") {
+    res["end"](fakeResponse.body);
   }
-  const xri = fwd?.["x-real-ip"];
-  if (typeof xri === "string") return normalizeIp(xri.trim());
-  const socket = r["socket"];
-  return normalizeIp(socket?.remoteAddress ?? "0.0.0.0");
+}
+function isLoopbackIp(ip) {
+  return ip === "127.0.0.1" || ip === "0.0.0.0" || ip === "::1";
 }
 function createExpressMiddleware(client) {
+  let ipCheckCount = 0;
+  let ipLoopCount = 0;
+  let ipWarnFired = false;
+  let userIdCheckCount = 0;
+  let userIdMissCount = 0;
+  let userIdWarnFired = false;
   return async function sentinelMiddleware(req, res, next) {
     const startMs = Date.now();
     const ip = client.config.getIp(req);
+    if (!ipWarnFired && ipCheckCount < 20) {
+      ipCheckCount++;
+      if (isLoopbackIp(ip)) ipLoopCount++;
+      if (ipCheckCount === 20 && ipLoopCount >= 16) {
+        ipWarnFired = true;
+        console.warn(
+          "[Anomira] WARNING: client IP not captured on 80%+ of requests.\n  Your app is likely behind a reverse proxy (Nginx, Cloudflare, AWS ALB)\n  that is not forwarding client IP headers. Alerts will have no IP attribution.\n\n  Nginx fix:   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n               proxy_set_header X-Real-IP         $remote_addr;\n  Express fix: app.set('trust proxy', 1);\n  Fastify fix: Fastify({ trustProxy: true })\n  Docs:        https://docs.anomira.io/sdk/ip-capture"
+        );
+      }
+    }
     if (client.isBlocked(ip)) {
       const method_ = req["method"]?.toUpperCase() ?? "GET";
       const url_ = req["originalUrl"] ?? req["url"] ?? "/";
       const ua_ = req["headers"]?.["user-agent"] ?? "";
+      const reason_ = client.blockReason(ip);
       client.reportBlockedHit(ip, { method: method_, url: url_, userAgent: ua_ });
+      if (reason_?.source === "community") {
+        client.track("http.community_threat_blocked", {
+          ip,
+          meta: {
+            endpoint: url_,
+            method: method_,
+            score: reason_.score,
+            topAttack: reason_.topAttack,
+            source: "anomira_network"
+          }
+        });
+      }
       const res_ = res;
       if (typeof res_["status"] === "function") {
         res_["status"](403);
@@ -904,8 +1892,100 @@ function createExpressMiddleware(client) {
     const method = req["method"]?.toUpperCase() ?? "GET";
     const url = req["originalUrl"] ?? req["url"] ?? "/";
     const headers = req["headers"];
-    const ua = headers?.["user-agent"] ?? "";
-    const fwMatch = client.matchFirewallRule({ url, body: req["body"], headers: headers ?? {}, ip });
+    const headersStr = headers;
+    const ua = (typeof headers?.["user-agent"] === "string" ? headers["user-agent"] : "") ?? "";
+    const agentInfo = detectAgent(headers ?? {});
+    const fingerprint = computeBrowserFingerprint(headers ?? {}, ua);
+    const h2settings = extractHttp2Settings(req);
+    const upstreamTls = extractUpstreamTls(headers ?? {});
+    if (client["canaryTokenCache"] && client["canaryTokenCache"].size > 0) {
+      const authHeader = (typeof headers?.["authorization"] === "string" ? headers["authorization"] : "") ?? "";
+      if (authHeader.startsWith("Bearer ")) {
+        const bearerToken = authHeader.slice(7);
+        if (client["canaryTokenCache"].has(bearerToken)) {
+          client.track("http.canary.triggered", {
+            ip,
+            userId,
+            meta: { endpoint: url, method, token: bearerToken.slice(0, 16), source: "authorization_header" }
+          });
+        }
+        try {
+          const parts = bearerToken.split(".");
+          if (parts.length === 3) {
+            const b64h = (parts[0] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+            const hdr = JSON.parse(Buffer.from(b64h + "==", "base64").toString());
+            const b64p = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
+            const pay = JSON.parse(Buffer.from(b64p + "==", "base64").toString());
+            const jti = pay["jti"] ?? "";
+            const cache = client["canaryTokenCache"];
+            if (jti && cache.has(jti)) {
+              client.track("http.canary.triggered", {
+                ip,
+                userId,
+                meta: { endpoint: url, method, token: jti.slice(0, 16), source: "canary_jwt" }
+              });
+            }
+          }
+        } catch {
+        }
+      }
+    }
+    const urlPath = url.split("?")[0]?.toLowerCase() ?? url.toLowerCase();
+    const isHoneypot = client["honeypotPaths"].size > 0 && [...client["honeypotPaths"]].some(
+      (hp) => urlPath === hp || urlPath.startsWith(hp + "/") || urlPath.startsWith(hp + ".")
+    );
+    if (isHoneypot) {
+      const honeypotType = detectHoneypotType(url);
+      const callbackBase = client.config.ingestUrl.replace(/\/v1\/events$/, "");
+      const orgId = "";
+      if (method === "POST" && honeypotType === "admin_portal") {
+        const body_ = req["body"];
+        const username = String(
+          body_?.["username"] ?? body_?.["email"] ?? body_?.["user"] ?? body_?.["login"] ?? ""
+        );
+        const password = String(
+          body_?.["password"] ?? body_?.["pass"] ?? body_?.["pwd"] ?? body_?.["passwd"] ?? ""
+        );
+        if (username || password) {
+          const passwordHint = password.length > 0 ? `${password.slice(0, 2)}***[${password.length}]` : "(empty)";
+          client.track("http.honeypot.credential_attempt", {
+            ip,
+            userId,
+            meta: {
+              endpoint: url,
+              method,
+              userAgent: ua,
+              honeypotType,
+              username,
+              passwordHint,
+              // Hidden _token field — if this is the canary token we issued
+              // in the GET response, we know this is the same attacker session
+              formToken: String(body_?.["_token"] ?? "")
+            }
+          });
+        }
+        const failed = makeAdminLoginFailed();
+        sendFakeResponse(res, failed);
+        return;
+      }
+      const canaryToken = crypto.randomBytes(16).toString("hex");
+      const fakeResponse = generateHoneypotResponse(honeypotType, canaryToken, callbackBase, orgId);
+      client.track("http.honeypot.hit", {
+        ip,
+        userId,
+        meta: {
+          endpoint: url,
+          method,
+          userAgent: ua,
+          honeypotType,
+          canaryToken,
+          responseType: "enhanced"
+        }
+      });
+      sendFakeResponse(res, fakeResponse);
+      return;
+    }
+    const fwMatch = client.matchFirewallRule({ url, body: req["body"], headers: headersStr ?? {}, ip });
     if (fwMatch) {
       client.track("http.firewall." + fwMatch.rule.action, {
         ip,
@@ -930,27 +2010,83 @@ function createExpressMiddleware(client) {
       }
     }
     const onFinish = () => {
+      const lateUserId = client.config.getUserId(req);
+      if (!userIdWarnFired && userIdCheckCount < 20) {
+        userIdCheckCount++;
+        if (!lateUserId) userIdMissCount++;
+        if (userIdCheckCount === 20 && userIdMissCount >= 18) {
+          userIdWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: userId not captured on 90%+ of requests.\n  EWS Evidence Package, geo-velocity, and account takeover detection\n  silently stop working without it. The SDK tried 5 auto-detection tiers\n  (Passport / express-jwt, req.auth, direct req.userId, session, JWT Bearer)\n  \u2014 none matched your auth setup.\n\n  Fix: pass a getUserId resolver that matches your auth middleware:\n  new Anomira({ ..., getUserId: (req) => req.user?.id })"
+          );
+        }
+      }
       const status = res["statusCode"] ?? 0;
       const latencyMs = Date.now() - startMs;
       const getHeader = res["getHeader"];
       const bytes = typeof getHeader === "function" ? parseInt(getHeader.call(res, "content-length") ?? "0", 10) || 0 : 0;
       client.track(EventName.REQUEST, {
         ip,
-        userId,
-        meta: { method, endpoint: url, status, latencyMs, userAgent: ua, bytes }
+        userId: lateUserId,
+        meta: {
+          method,
+          endpoint: url,
+          status,
+          latencyMs,
+          userAgent: ua,
+          bytes,
+          _fp: fingerprint.score,
+          _fpSig: fingerprint.signals.join(","),
+          ...fingerprint.knownClient ? { _fpClient: fingerprint.knownClient } : {},
+          ...h2settings ? {
+            _h2Window: h2settings.initialWindowSize,
+            _h2HdrTable: h2settings.headerTableSize,
+            _h2Score: h2settings.score,
+            _h2Signals: h2settings.signals.join(",")
+          } : {},
+          ...upstreamTls.ja3 ? { _ja3: upstreamTls.ja3 } : {},
+          ...upstreamTls.ja4 ? { _ja4: upstreamTls.ja4 } : {},
+          ...agentInfo.isAgent ? {
+            agentDetected: true,
+            agentType: agentInfo.agentType,
+            agentName: agentInfo.agentName,
+            agentConfidence: agentInfo.confidence,
+            mcpSessionId: agentInfo.sessionId,
+            isMcp: agentInfo.isMcp,
+            agentSignals: agentInfo.signals.join(",")
+          } : {}
+        }
       });
+      if (agentInfo.isAgent) {
+        client.track("http.agent_detected", {
+          ip,
+          userId: lateUserId,
+          meta: {
+            endpoint: url,
+            method,
+            agentType: agentInfo.agentType,
+            agentName: agentInfo.agentName,
+            agentConfidence: agentInfo.confidence,
+            mcpSessionId: agentInfo.sessionId,
+            isMcp: agentInfo.isMcp,
+            agentSignals: agentInfo.signals.join(","),
+            status,
+            userAgent: ua
+          }
+        });
+      }
       if (client.config.detect.rateAbuse && status === 429) {
-        client.track(EventName.RATE_LIMIT, { ip, userId, meta: { url, method, statusCode: status } });
+        client.track(EventName.RATE_LIMIT, { ip, userId: lateUserId, meta: { url, method, statusCode: status } });
       }
       if (client.config.detect.bruteForce && status === 401) {
         if (/\/(login|signin|auth|token|session)/i.test(url)) {
-          client.track(EventName.LOGIN_FAILED, { ip, userId, meta: { url, method, statusCode: status } });
+          client.track(EventName.LOGIN_FAILED, { ip, userId: lateUserId, meta: { url, method, statusCode: status } });
         }
       }
       if (client.config.detect.scanDetection && status === 404) {
         const looksLikeScanner = !ua || /curl|wget|python|go-http|nuclei|sqlmap|nikto/i.test(ua);
         if (looksLikeScanner) {
-          client.track(EventName.SCAN_DETECTED, { ip, userId, meta: { url, method, userAgent: ua } });
+          client.track(EventName.SCAN_DETECTED, { ip, userId: lateUserId, meta: { url, method, userAgent: ua } });
         }
       }
       cleanup();
@@ -963,14 +2099,43 @@ function createExpressMiddleware(client) {
   };
 }
 function createFastifyPlugin(client) {
+  let ipCheckCount = 0;
+  let ipLoopCount = 0;
+  let ipWarnFired = false;
+  let userIdCheckCount = 0;
+  let userIdMissCount = 0;
+  let userIdWarnFired = false;
   return async function sentinelFastifyPlugin(fastify) {
     fastify.addHook("onRequest", (req, reply) => {
       const ip = client.config.getIp(req);
+      if (!ipWarnFired && ipCheckCount < 20) {
+        ipCheckCount++;
+        if (isLoopbackIp(ip)) ipLoopCount++;
+        if (ipCheckCount === 20 && ipLoopCount >= 16) {
+          ipWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: client IP not captured on 80%+ of requests.\n  Your app is likely behind a reverse proxy (Nginx, Cloudflare, AWS ALB)\n  that is not forwarding client IP headers. Alerts will have no IP attribution.\n\n  Nginx fix:   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n               proxy_set_header X-Real-IP         $remote_addr;\n  Fastify fix: Fastify({ trustProxy: true })\n  Docs:        https://docs.anomira.io/sdk/ip-capture"
+          );
+        }
+      }
       const url_ = req["url"] ?? "/";
       const method_ = req["method"]?.toUpperCase() ?? "GET";
       const hdrs_ = req["headers"];
       if (client.isBlocked(ip)) {
+        const reason_ = client.blockReason(ip);
         client.reportBlockedHit(ip, { method: method_, url: url_, userAgent: hdrs_?.["user-agent"] ?? "" });
+        if (reason_?.source === "community") {
+          client.track("http.community_threat_blocked", {
+            ip,
+            meta: {
+              endpoint: url_,
+              method: method_,
+              score: reason_.score,
+              topAttack: reason_.topAttack,
+              source: "anomira_network"
+            }
+          });
+        }
         const rep = reply;
         if (typeof rep["code"] === "function") {
           const chained = rep["code"](403);
@@ -1024,14 +2189,73 @@ function createFastifyPlugin(client) {
       const method = req["method"]?.toUpperCase() ?? "GET";
       const userId = client.config.getUserId(req);
       const status = reply["statusCode"] ?? 0;
+      if (!userIdWarnFired && userIdCheckCount < 20) {
+        userIdCheckCount++;
+        if (!userId) userIdMissCount++;
+        if (userIdCheckCount === 20 && userIdMissCount >= 18) {
+          userIdWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: userId not captured on 90%+ of requests.\n  EWS Evidence Package, geo-velocity, and account takeover detection\n  silently stop working without it. The SDK tried 5 auto-detection tiers\n  (Passport / @fastify/jwt, req.auth, direct req.userId, session, JWT Bearer)\n  \u2014 none matched your auth setup.\n\n  Fix: pass a getUserId resolver that matches your auth middleware:\n  new Anomira({ ..., getUserId: (req) => (req as any).user?.id })"
+          );
+        }
+      }
       const headers = req["headers"];
-      const ua = headers?.["user-agent"] ?? "";
+      const ua = (typeof headers?.["user-agent"] === "string" ? headers["user-agent"] : "") ?? "";
       const latencyMs = reply["elapsedTime"] ?? 0;
+      const agentInfo = detectAgent(headers ?? {});
+      const fingerprint = computeBrowserFingerprint(headers ?? {}, ua);
+      const h2settings = extractHttp2Settings(req);
+      const upstreamTls = extractUpstreamTls(headers ?? {});
       client.track(EventName.REQUEST, {
         ip,
         userId,
-        meta: { method, endpoint: url, status, latencyMs: Math.round(latencyMs), userAgent: ua, bytes: 0 }
+        meta: {
+          method,
+          endpoint: url,
+          status,
+          latencyMs: Math.round(latencyMs),
+          userAgent: ua,
+          bytes: 0,
+          _fp: fingerprint.score,
+          _fpSig: fingerprint.signals.join(","),
+          ...fingerprint.knownClient ? { _fpClient: fingerprint.knownClient } : {},
+          ...h2settings ? {
+            _h2Window: h2settings.initialWindowSize,
+            _h2HdrTable: h2settings.headerTableSize,
+            _h2Score: h2settings.score,
+            _h2Signals: h2settings.signals.join(",")
+          } : {},
+          ...upstreamTls.ja3 ? { _ja3: upstreamTls.ja3 } : {},
+          ...upstreamTls.ja4 ? { _ja4: upstreamTls.ja4 } : {},
+          ...agentInfo.isAgent ? {
+            agentDetected: true,
+            agentType: agentInfo.agentType,
+            agentName: agentInfo.agentName,
+            agentConfidence: agentInfo.confidence,
+            mcpSessionId: agentInfo.sessionId,
+            isMcp: agentInfo.isMcp,
+            agentSignals: agentInfo.signals.join(",")
+          } : {}
+        }
       });
+      if (agentInfo.isAgent) {
+        client.track("http.agent_detected", {
+          ip,
+          userId,
+          meta: {
+            endpoint: url,
+            method,
+            agentType: agentInfo.agentType,
+            agentName: agentInfo.agentName,
+            agentConfidence: agentInfo.confidence,
+            mcpSessionId: agentInfo.sessionId,
+            isMcp: agentInfo.isMcp,
+            agentSignals: agentInfo.signals.join(","),
+            status,
+            userAgent: ua
+          }
+        });
+      }
       if (client.config.detect.rateAbuse && status === 429) {
         client.track(EventName.RATE_LIMIT, { ip, userId, meta: { url, method, statusCode: status } });
       }
@@ -1058,6 +2282,11 @@ function createExpressMiddleware2(client) {
     const ip = client.config.getIp(req);
     const userId = client.config.getUserId(req);
     const { method, originalUrl: url } = req;
+    if (client.isBlocked(ip)) {
+      client.reportBlockedHit(ip, { method, url, userAgent: req.headers["user-agent"] ?? "" });
+      res.status(403).json({ error: "Forbidden" });
+      return;
+    }
     if (client.config.detect.pathTraversal && (url.includes("../") || url.includes("..%2F"))) {
       client.track(EventName.PATH_TRAVERSAL, {
         ip,
@@ -1122,11 +2351,15 @@ function createExpressMiddleware2(client) {
 // src/middleware/fastify.ts
 function createFastifyPlugin2(client) {
   return async function sentinelPlugin(fastify) {
-    fastify.addHook("onRequest", async (req, _reply) => {
+    fastify.addHook("onRequest", async (req, reply) => {
       const ip = client.config.getIp(req);
       const userId = client.config.getUserId(req);
       const url = req.url;
       const method = req.method.toUpperCase();
+      if (client.isBlocked(ip)) {
+        client.reportBlockedHit(ip, { method, url, userAgent: req.headers["user-agent"] ?? "" });
+        return reply.code(403).send({ error: "Forbidden" });
+      }
       if (client.config.detect.pathTraversal && (url.includes("../") || url.includes("..%2F"))) {
         client.track(EventName.PATH_TRAVERSAL, { ip, userId, meta: { url, method } });
       }