@anomira/node-sdk 0.2.2 → 0.2.4

package/README.md

@@ -168,41 +168,70 @@ Once registered, the middleware records **every request** with zero additional c
 
 Use these when the middleware can't infer the event on its own — e.g., application-level failures.
 
+### Getting the real client IP
+
+> **Important — do not use `req.ip` for the `ip` field.**
+>
+> Behind a reverse proxy (Nginx, AWS ALB, Cloudflare — which every production app uses), `req.ip` in Express without `trust proxy` configured returns `127.0.0.1` — the proxy's address, not the user's. This breaks geo-detection, IP blocking, and attack correlation.
+>
+> Always use `anomira.getClientIp(req)` instead. It reads `X-Forwarded-For`, `CF-Connecting-IP`, `X-Real-IP`, and other forwarded headers in the correct priority order automatically.
+
+```ts
+// ✅ Correct — works behind Nginx, Cloudflare, AWS ALB, any reverse proxy
+const ip = anomira.getClientIp(req);
+
+// ❌ Wrong behind a proxy — returns 127.0.0.1 unless trust proxy is configured
+const ip = req.ip;
+```
+
+If you use `anomira.express()` or `anomira.fastify()` middleware and call `track()` **inside a request handler**, you can omit the `ip` field entirely — the SDK reads it from the active request context automatically.
+
+```ts
+// ✅ Also correct — IP is resolved from middleware context, no need to pass it
+anomira.track("auth.otp.failed", { userId: req.body.phone });
+```
+
+### Examples
+
 ```ts
 // Credential stuffing / failed login attempt
 await anomira.trackLogin({
-  ip:      req.ip,
+  ip:      anomira.getClientIp(req),
   userId:  req.body.email,     // email or user ID
   success: false,              // false = failed attempt
 });
 
 // Successful login (enables geo-velocity tracking)
 await anomira.trackLogin({
-  ip:     req.ip,
-  userId: user.id,
+  ip:      anomira.getClientIp(req),
+  userId:  user.id,
   success: true,
 });
 
 // Failed OTP — otp_flood detection
 anomira.track("auth.otp.failed", {
-  ip:     req.ip,
+  ip:     anomira.getClientIp(req),
   userId: req.body.phone,
   meta:   { endpoint: "/api/verify-otp" },
 });
 
 // SIM swap detection — call after any phone-based auth
-anomira.trackPhoneAuth({ ip: req.ip, userId: user.id, phone: user.phone });
+anomira.trackPhoneAuth({
+  ip:     anomira.getClientIp(req),
+  userId: user.id,
+  phone:  user.phone,
+});
 
 // Account takeover signal — e.g., password changed from new IP
 anomira.track("auth.account.takeover", {
-  ip:     req.ip,
+  ip:     anomira.getClientIp(req),
   userId: user.id,
   meta:   { reason: "password_changed_new_ip" },
 });
 
 // Webhook replay — call when you detect a replayed webhook signature
 anomira.track("webhook.replay.detected", {
-  ip:   req.ip,
+  ip:   anomira.getClientIp(req),
   meta: { webhookId: req.headers["x-webhook-id"] },
 });
 ```
@@ -230,8 +259,10 @@ The SDK syncs your dashboard's blocked IPs and firewall rules every 60 seconds.
 
 ```ts
 app.use((req, res, next) => {
+  const ip = anomira.getClientIp(req);  // always use this, not req.ip
+
   // Check if IP is manually blocked in the dashboard
-  if (anomira.isBlocked(req.ip)) {
+  if (anomira.isBlocked(ip)) {
     return res.status(403).json({ error: "Forbidden" });
   }
 
@@ -241,7 +272,7 @@ app.use((req, res, next) => {
     method:  req.method,
     body:    req.body,
     headers: req.headers,
-    ip:      req.ip,
+    ip,
   });
 
   if (match) {
@@ -379,8 +410,8 @@ app.addHook("onClose", async () => {
 3. Confirm the middleware is registered **before** your routes and **after** body parsers.
 4. Make sure you're not blocking outbound HTTPS traffic to `api.anomira.io`.
 
-**TypeScript errors on `req.ip`?**
-Express types sometimes don't include `ip` directly. Use `(req as express.Request).ip ?? req.socket.remoteAddress ?? "0.0.0.0"`.
+**TypeScript errors on IP extraction?**
+Use `anomira.getClientIp(req)` — it handles all proxy headers and TypeScript types correctly. Do not use `req.ip` or `req.socket.remoteAddress` directly in production; both return the proxy address behind Nginx.
 
 **`flush()` taking too long on shutdown?**
 The flush waits for in-flight HTTP requests to complete. If your process needs to exit fast, you can add a timeout:

package/dist/index.cjs

@@ -521,6 +521,9 @@ var KNOWN_BOT_UA = [
   [/^Ruby$/i, "Ruby"]
 ];
 var AXIOS_ACCEPT = "application/json, text/plain, */*";
+function isBrowserUa(ua) {
+  return /Mozilla\/5\.0/.test(ua) && /(?:Chrome|Firefox|Safari|OPR|Edg(?:e|HTML)?|Trident)\/[\d.]+/.test(ua);
+}
 function computeBrowserFingerprint(headers, ua) {
   const signals = [];
   let score = 0;
@@ -537,10 +540,15 @@ function computeBrowserFingerprint(headers, ua) {
   }
   const accept = str(headers["accept"]);
   if (!isDefiniteBot && accept === AXIOS_ACCEPT) {
-    isDefiniteBot = true;
-    knownClient = "axios";
-    score = 100;
-    signals.push("known_accept:axios");
+    if (!isBrowserUa(ua)) {
+      isDefiniteBot = true;
+      knownClient = "axios";
+      score = 100;
+      signals.push("known_accept:axios");
+    } else {
+      score += 15;
+      signals.push("browser_axios_accept");
+    }
   }
   if (isDefiniteBot) return { score, signals, isDefiniteBot, knownClient };
   const hasSecFetchSite = "sec-fetch-site" in headers;
@@ -624,7 +632,7 @@ function detectHoneypotType(path) {
 function generateHoneypotResponse(type, canaryToken, callbackBase, orgId) {
   switch (type) {
     case "env_file":
-      return makeEnvFile(canaryToken, callbackBase, orgId);
+      return makeEnvFile(canaryToken);
     case "aws_credentials":
       return makeAwsCredentials(canaryToken);
     case "git_config":
@@ -645,14 +653,16 @@ function generateHoneypotResponse(type, canaryToken, callbackBase, orgId) {
       return makeGeneric(canaryToken);
   }
 }
-function makeEnvFile(canaryToken, callbackBase, orgId) {
+function makeEnvFile(canaryToken, _callbackBase, _orgId) {
   const jwtSecret = genHex(32);
   const dbPassword = genAlphanumeric(20);
   const redisPassword = genAlphanumeric(16);
   const apiKey = genHex(32);
-  const webhookUrl = `${callbackBase}/v1/canary/${orgId}/${canaryToken}`;
   const dnsDb = `db.${canaryToken}.srv.anomira.io`;
   const dnsCache = `cache.${canaryToken}.srv.anomira.io`;
+  const dnsMonitoring = `hooks.monitoring.${canaryToken}.srv.anomira.io`;
+  const dnsAlerts = `hooks.alerts.${canaryToken}.srv.anomira.io`;
+  const dnsDeploy = `deploy.internal.${canaryToken}.srv.anomira.io`;
   const fakeJwt = generateCanaryJwt(canaryToken, jwtSecret);
   const body = `# Production Environment Configuration
 # Last updated: ${new Date(Date.now() - 7 * 864e5).toISOString().split("T")[0]}
@@ -683,9 +693,9 @@ AWS_REGION=eu-west-1
 AWS_S3_BUCKET=app-production-${genHex(4)}
 
 # \u2500\u2500 Monitoring / Webhooks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-MONITORING_WEBHOOK=${webhookUrl}
-ALERT_WEBHOOK=${webhookUrl}
-DEPLOY_HOOK=${callbackBase}/v1/canary/${orgId}/${canaryToken}
+MONITORING_WEBHOOK=https://${dnsMonitoring}/v1/events/ingest
+ALERT_WEBHOOK=https://${dnsAlerts}/services/${genHex(7).toUpperCase()}/notify
+DEPLOY_HOOK=https://${dnsDeploy}/hooks/deploy/${genHex(6)}
 
 # \u2500\u2500 External APIs \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 INTERNAL_API_KEY=${apiKey}
@@ -1097,7 +1107,8 @@ function makeGeneric(canaryToken) {
 }
 function generateCanaryJwt(canaryToken, secret) {
   const now = Math.floor(Date.now() / 1e3);
-  const header = { alg: "HS256", typ: "JWT", kid: `canary-${canaryToken.slice(0, 12)}` };
+  const kid = `${canaryToken.slice(0, 8)}-${canaryToken.slice(8, 12)}-4${canaryToken.slice(13, 16)}-${canaryToken.slice(16, 20)}-${canaryToken.slice(20, 32)}`;
+  const header = { alg: "HS256", typ: "JWT", kid };
   const payload = {
     sub: "svc_internal_7482",
     name: "service-account",
@@ -1107,7 +1118,8 @@ function generateCanaryJwt(canaryToken, secret) {
     // issued 48h ago (realistic stale credential)
     exp: now - 86400,
     // expired 24h ago
-    jti: `canary-${canaryToken}`
+    jti: canaryToken
+    // raw hex — no "canary-" prefix to leak purpose
   };
   const h = Buffer.from(JSON.stringify(header)).toString("base64url");
   const p = Buffer.from(JSON.stringify(payload)).toString("base64url");
@@ -1143,6 +1155,108 @@ var DEFAULT_INGEST_URL = "https://ingest.anomira.io/v1/events";
 var DEFAULT_BATCH_SIZE = 100;
 var DEFAULT_FLUSH_MS = 5e3;
 var DEFAULT_MAX_RETRIES = 3;
+var SENSITIVE_FIELDS = {
+  identity: [
+    "first_name",
+    "last_name",
+    "full_name",
+    "name",
+    "bvn",
+    "nin",
+    "ssn",
+    "national_id",
+    "tin",
+    "passport",
+    "passport_number",
+    "drivers_license",
+    "license_number",
+    "voter_id",
+    "dob",
+    "date_of_birth",
+    "birth_date",
+    "birthdate",
+    "gender",
+    "marital_status",
+    "nationality"
+  ],
+  contact: [
+    "email",
+    "phone",
+    "phone_number",
+    "mobile",
+    "mobile_number",
+    "address",
+    "street",
+    "city",
+    "state",
+    "postal_code",
+    "zip"
+  ],
+  financial: [
+    "card_number",
+    "credit_card",
+    "debit_card",
+    "cvv",
+    "account_number",
+    "bank_account",
+    "routing_number",
+    "sort_code",
+    "iban",
+    "swift",
+    "wallet_id"
+  ],
+  authentication: [
+    "password",
+    "pin",
+    "otp",
+    "secret",
+    "private_key",
+    "api_key",
+    "access_token",
+    "refresh_token",
+    "jwt",
+    "bearer_token",
+    "security_answer",
+    "mother_maiden_name"
+  ],
+  biometric: [
+    "fingerprint",
+    "face_id",
+    "iris",
+    "voiceprint",
+    "biometric"
+  ],
+  health: [
+    "medical_record",
+    "diagnosis",
+    "blood_group",
+    "insurance_id"
+  ],
+  fintech: [
+    "kyc_id",
+    "customer_id",
+    "beneficiary_account",
+    "transaction_pin",
+    "wallet_balance",
+    "bank_verification_number",
+    "virtual_account",
+    "monnify_account",
+    "paystack_customer",
+    "flutterwave_customer"
+  ]
+};
+var FIELD_CATEGORY_MAP = /* @__PURE__ */ new Map();
+for (const [cat, fields] of Object.entries(SENSITIVE_FIELDS)) {
+  for (const f of fields) FIELD_CATEGORY_MAP.set(f, cat);
+}
+var VALUE_PATTERNS = [
+  { name: "email", category: "contact", re: /^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/ },
+  { name: "bvn_nin", category: "identity", re: /^\d{11}$/ },
+  { name: "card_number", category: "financial", re: /^\d{13,19}$/ },
+  { name: "phone_ng", category: "contact", re: /^(?:\+234|0)[789][01]\d{8}$/ },
+  { name: "jwt", category: "authentication", re: /^eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\./ },
+  { name: "iban", category: "financial", re: /^[A-Z]{2}\d{2}[A-Z0-9]{4,30}$/ }
+];
 var AnomiraClient = class {
   constructor(config) {
     this.logBuffer = [];
@@ -1475,13 +1589,35 @@ var AnomiraClient = class {
     }
   }
   // ─── Public API ────────────────────────────────────────────────────────────
+  /**
+   * Extract the real client IP from a request object, reading forwarded headers
+   * in the correct priority order (Cloudflare → XFF → X-Real-IP → socket).
+   *
+   * Use this instead of `req.ip` when tracking events manually. `req.ip` in
+   * Express without `trust proxy` set returns the proxy's address (127.0.0.1
+   * behind Nginx), which breaks geo-detection and IP blocking.
+   *
+   * ```ts
+   * // ✅ Correct — reads X-Forwarded-For / CF-Connecting-IP automatically
+   * sentinel.track(EventName.OTP_FAILED, {
+   *   ip:     sentinel.getClientIp(req),
+   *   userId: req.body.phone,
+   *   meta:   { endpoint: "/api/verify-otp" },
+   * });
+   *
+   * // ❌ Wrong behind a proxy — req.ip is 127.0.0.1 without trust proxy configured
+   * sentinel.track(EventName.OTP_FAILED, { ip: req.ip, ... });
+   * ```
+   */
+  getClientIp(req) {
+    return this.config.getIp(req);
+  }
   /**
    * Track a custom security event.
    *
    * ```ts
-   * // Track a failed OTP attempt
    * sentinel.track(EventName.OTP_FAILED, {
-   *   ip:     req.ip,
+   *   ip:     sentinel.getClientIp(req),   // use getClientIp, not req.ip
    *   userId: req.body.phone,
    *   meta:   { endpoint: "/api/verify-otp", attempts: 3 },
    * });
@@ -1554,6 +1690,11 @@ var AnomiraClient = class {
     if (this.disabled) return;
     const ctx = requestContext.getStore();
     const resolvedIp = data.ip && data.ip !== "0.0.0.0" && data.ip !== "" ? data.ip : ctx?.ip ?? "0.0.0.0";
+    if (this.config.debug && data.ip && isPrivateIp2(data.ip)) {
+      this._origWarn(
+        `[Anomira] Warning: track() received a private/loopback IP "${data.ip}" for event "${eventName}". Behind a reverse proxy, req.ip is the proxy's address \u2014 use sentinel.getClientIp(req) instead.`
+      );
+    }
     const resolvedMeta = ctx?.endpoint && !data.meta?.["endpoint"] ? { endpoint: ctx.endpoint, method: ctx.method, ...data.meta } : data.meta;
     const event = {
       name: eventName,
@@ -1769,6 +1910,12 @@ function defaultGetUserId(req) {
         );
         const jwtId = pickId(payload);
         if (jwtId) return jwtId;
+        for (const val of Object.values(payload)) {
+          if (val && typeof val === "object" && !Array.isArray(val)) {
+            const nested = pickId(val);
+            if (nested) return nested;
+          }
+        }
       }
     } catch {
     }
@@ -1788,18 +1935,27 @@ function normalizeIp(raw) {
   if (raw.startsWith("::ffff:")) return raw.slice(7);
   return raw;
 }
+function isPrivateIp2(ip) {
+  return ip === "127.0.0.1" || ip === "::1" || ip === "0.0.0.0" || ip.startsWith("10.") || ip.startsWith("192.168.") || /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
+}
 function defaultGetIp(req) {
   const r = req;
   const fwd = r["headers"];
-  const xff = fwd?.["x-forwarded-for"];
-  if (xff) {
-    const first = Array.isArray(xff) ? xff[0] : xff.split(",")[0];
-    if (first) return normalizeIp(first.trim());
+  function firstHdr(name) {
+    const v = fwd?.[name];
+    if (!v) return void 0;
+    const s = (Array.isArray(v) ? v[0] : v.split(",")[0])?.trim();
+    return s || void 0;
   }
-  const xri = fwd?.["x-real-ip"];
-  if (typeof xri === "string") return normalizeIp(xri.trim());
-  const socket = r["socket"];
-  return normalizeIp(socket?.remoteAddress ?? "0.0.0.0");
+  const ip = firstHdr("cf-connecting-ip") ?? // Cloudflare
+  firstHdr("true-client-ip") ?? // Cloudflare Enterprise / Akamai
+  firstHdr("x-forwarded-for") ?? // Nginx, AWS ALB, GCP LB, most proxies
+  firstHdr("x-real-ip") ?? // Nginx (single-IP alternative to XFF)
+  firstHdr("fastly-client-ip") ?? // Fastly CDN
+  firstHdr("x-client-ip") ?? // Generic reverse proxies
+  firstHdr("x-cluster-client-ip") ?? // Cluster / k8s ingress
+  r["socket"]?.remoteAddress ?? "0.0.0.0";
+  return normalizeIp(ip);
 }
 function sendFakeResponse(res, fakeResponse) {
   const allHeaders = {
@@ -1822,10 +1978,29 @@ function sendFakeResponse(res, fakeResponse) {
     res["end"](fakeResponse.body);
   }
 }
+function isLoopbackIp(ip) {
+  return ip === "127.0.0.1" || ip === "0.0.0.0" || ip === "::1";
+}
 function createExpressMiddleware(client) {
+  let ipCheckCount = 0;
+  let ipLoopCount = 0;
+  let ipWarnFired = false;
+  let userIdCheckCount = 0;
+  let userIdMissCount = 0;
+  let userIdWarnFired = false;
   return async function sentinelMiddleware(req, res, next) {
     const startMs = Date.now();
     const ip = client.config.getIp(req);
+    if (!ipWarnFired && ipCheckCount < 20) {
+      ipCheckCount++;
+      if (isLoopbackIp(ip)) ipLoopCount++;
+      if (ipCheckCount === 20 && ipLoopCount >= 16) {
+        ipWarnFired = true;
+        console.warn(
+          "[Anomira] WARNING: client IP not captured on 80%+ of requests.\n  Your app is likely behind a reverse proxy (Nginx, Cloudflare, AWS ALB)\n  that is not forwarding client IP headers. Alerts will have no IP attribution.\n\n  Nginx fix:   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n               proxy_set_header X-Real-IP         $remote_addr;\n  Express fix: app.set('trust proxy', 1);\n  Fastify fix: Fastify({ trustProxy: true })\n  Docs:        https://docs.anomira.io/sdk/ip-capture"
+        );
+      }
+    }
     if (client.isBlocked(ip)) {
       const method_ = req["method"]?.toUpperCase() ?? "GET";
       const url_ = req["originalUrl"] ?? req["url"] ?? "/";
@@ -1882,12 +2057,12 @@ function createExpressMiddleware(client) {
             const b64p = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
             const pay = JSON.parse(Buffer.from(b64p + "==", "base64").toString());
             const jti = pay["jti"] ?? "";
-            const kid = hdr["kid"] ?? "";
-            if (jti.startsWith("canary-") && client["canaryTokenCache"].has(jti.slice(7)) || kid.startsWith("canary-") && client["canaryTokenCache"].has(kid.slice(7))) {
+            const cache = client["canaryTokenCache"];
+            if (jti && cache.has(jti)) {
               client.track("http.canary.triggered", {
                 ip,
                 userId,
-                meta: { endpoint: url, method, token: jti.slice(7, 23), source: "canary_jwt" }
+                meta: { endpoint: url, method, token: jti.slice(0, 16), source: "canary_jwt" }
               });
             }
           }
@@ -1975,13 +2150,48 @@ function createExpressMiddleware(client) {
       }
     }
     const onFinish = () => {
+      const lateUserId = client.config.getUserId(req);
+      if (!userIdWarnFired && userIdCheckCount < 20) {
+        userIdCheckCount++;
+        if (!lateUserId) userIdMissCount++;
+        if (userIdCheckCount === 20 && userIdMissCount >= 18) {
+          userIdWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: userId not captured on 90%+ of requests.\n  EWS Evidence Package, geo-velocity, and account takeover detection\n  silently stop working without it. The SDK tried 5 auto-detection tiers\n  (Passport / express-jwt, req.auth, direct req.userId, session, JWT Bearer)\n  \u2014 none matched your auth setup.\n\n  Fix: pass a getUserId resolver that matches your auth middleware:\n  new Anomira({ ..., getUserId: (req) => req.user?.id })"
+          );
+        }
+      }
       const status = res["statusCode"] ?? 0;
       const latencyMs = Date.now() - startMs;
       const getHeader = res["getHeader"];
       const bytes = typeof getHeader === "function" ? parseInt(getHeader.call(res, "content-length") ?? "0", 10) || 0 : 0;
+      const rawBody = req["body"];
+      const piiFields = [];
+      const piiPatterns = [];
+      const piiCatSet = /* @__PURE__ */ new Set();
+      if (rawBody != null && typeof rawBody === "object" && !Array.isArray(rawBody)) {
+        const body = rawBody;
+        for (const key of Object.keys(body)) {
+          const cat = FIELD_CATEGORY_MAP.get(key.toLowerCase());
+          if (cat) {
+            piiFields.push(key.toLowerCase());
+            piiCatSet.add(cat);
+          }
+        }
+        for (const val of Object.values(body)) {
+          if (typeof val !== "string" || val.length > 200) continue;
+          for (const { name, category, re } of VALUE_PATTERNS) {
+            if (!piiPatterns.includes(name) && re.test(val)) {
+              piiPatterns.push(name);
+              piiCatSet.add(category);
+            }
+          }
+        }
+      }
+      const piiCategories = piiCatSet.size > 0 ? [...piiCatSet] : void 0;
       client.track(EventName.REQUEST, {
         ip,
-        userId,
+        userId: lateUserId,
         meta: {
           method,
           endpoint: url,
@@ -1989,17 +2199,18 @@ function createExpressMiddleware(client) {
           latencyMs,
           userAgent: ua,
           bytes,
+          ...piiFields.length > 0 ? { piiFields } : {},
+          ...piiPatterns.length > 0 ? { piiPatterns } : {},
+          ...piiCategories ? { piiCategories } : {},
           _fp: fingerprint.score,
           _fpSig: fingerprint.signals.join(","),
           ...fingerprint.knownClient ? { _fpClient: fingerprint.knownClient } : {},
-          // HTTP/2 SETTINGS from client connection preface (when Node.js is TLS endpoint)
           ...h2settings ? {
             _h2Window: h2settings.initialWindowSize,
             _h2HdrTable: h2settings.headerTableSize,
             _h2Score: h2settings.score,
             _h2Signals: h2settings.signals.join(",")
           } : {},
-          // JA3/JA4 from upstream proxy (Nginx with ngx_ssl_fingerprint_module)
           ...upstreamTls.ja3 ? { _ja3: upstreamTls.ja3 } : {},
           ...upstreamTls.ja4 ? { _ja4: upstreamTls.ja4 } : {},
           ...agentInfo.isAgent ? {
@@ -2016,7 +2227,7 @@ function createExpressMiddleware(client) {
       if (agentInfo.isAgent) {
         client.track("http.agent_detected", {
           ip,
-          userId,
+          userId: lateUserId,
           meta: {
             endpoint: url,
             method,
@@ -2032,17 +2243,17 @@ function createExpressMiddleware(client) {
         });
       }
       if (client.config.detect.rateAbuse && status === 429) {
-        client.track(EventName.RATE_LIMIT, { ip, userId, meta: { url, method, statusCode: status } });
+        client.track(EventName.RATE_LIMIT, { ip, userId: lateUserId, meta: { url, method, statusCode: status } });
       }
       if (client.config.detect.bruteForce && status === 401) {
         if (/\/(login|signin|auth|token|session)/i.test(url)) {
-          client.track(EventName.LOGIN_FAILED, { ip, userId, meta: { url, method, statusCode: status } });
+          client.track(EventName.LOGIN_FAILED, { ip, userId: lateUserId, meta: { url, method, statusCode: status } });
         }
       }
       if (client.config.detect.scanDetection && status === 404) {
         const looksLikeScanner = !ua || /curl|wget|python|go-http|nuclei|sqlmap|nikto/i.test(ua);
         if (looksLikeScanner) {
-          client.track(EventName.SCAN_DETECTED, { ip, userId, meta: { url, method, userAgent: ua } });
+          client.track(EventName.SCAN_DETECTED, { ip, userId: lateUserId, meta: { url, method, userAgent: ua } });
         }
       }
       cleanup();
@@ -2055,9 +2266,25 @@ function createExpressMiddleware(client) {
   };
 }
 function createFastifyPlugin(client) {
+  let ipCheckCount = 0;
+  let ipLoopCount = 0;
+  let ipWarnFired = false;
+  let userIdCheckCount = 0;
+  let userIdMissCount = 0;
+  let userIdWarnFired = false;
   return async function sentinelFastifyPlugin(fastify) {
     fastify.addHook("onRequest", (req, reply) => {
       const ip = client.config.getIp(req);
+      if (!ipWarnFired && ipCheckCount < 20) {
+        ipCheckCount++;
+        if (isLoopbackIp(ip)) ipLoopCount++;
+        if (ipCheckCount === 20 && ipLoopCount >= 16) {
+          ipWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: client IP not captured on 80%+ of requests.\n  Your app is likely behind a reverse proxy (Nginx, Cloudflare, AWS ALB)\n  that is not forwarding client IP headers. Alerts will have no IP attribution.\n\n  Nginx fix:   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n               proxy_set_header X-Real-IP         $remote_addr;\n  Fastify fix: Fastify({ trustProxy: true })\n  Docs:        https://docs.anomira.io/sdk/ip-capture"
+          );
+        }
+      }
       const url_ = req["url"] ?? "/";
       const method_ = req["method"]?.toUpperCase() ?? "GET";
       const hdrs_ = req["headers"];
@@ -2129,6 +2356,16 @@ function createFastifyPlugin(client) {
       const method = req["method"]?.toUpperCase() ?? "GET";
       const userId = client.config.getUserId(req);
       const status = reply["statusCode"] ?? 0;
+      if (!userIdWarnFired && userIdCheckCount < 20) {
+        userIdCheckCount++;
+        if (!userId) userIdMissCount++;
+        if (userIdCheckCount === 20 && userIdMissCount >= 18) {
+          userIdWarnFired = true;
+          console.warn(
+            "[Anomira] WARNING: userId not captured on 90%+ of requests.\n  EWS Evidence Package, geo-velocity, and account takeover detection\n  silently stop working without it. The SDK tried 5 auto-detection tiers\n  (Passport / @fastify/jwt, req.auth, direct req.userId, session, JWT Bearer)\n  \u2014 none matched your auth setup.\n\n  Fix: pass a getUserId resolver that matches your auth middleware:\n  new Anomira({ ..., getUserId: (req) => (req as any).user?.id })"
+          );
+        }
+      }
       const headers = req["headers"];
       const ua = (typeof headers?.["user-agent"] === "string" ? headers["user-agent"] : "") ?? "";
       const latencyMs = reply["elapsedTime"] ?? 0;
@@ -2212,6 +2449,11 @@ function createExpressMiddleware2(client) {
     const ip = client.config.getIp(req);
     const userId = client.config.getUserId(req);
     const { method, originalUrl: url } = req;
+    if (client.isBlocked(ip)) {
+      client.reportBlockedHit(ip, { method, url, userAgent: req.headers["user-agent"] ?? "" });
+      res.status(403).json({ error: "Forbidden" });
+      return;
+    }
     if (client.config.detect.pathTraversal && (url.includes("../") || url.includes("..%2F"))) {
       client.track(EventName.PATH_TRAVERSAL, {
         ip,
@@ -2276,11 +2518,15 @@ function createExpressMiddleware2(client) {
 // src/middleware/fastify.ts
 function createFastifyPlugin2(client) {
   return async function sentinelPlugin(fastify) {
-    fastify.addHook("onRequest", async (req, _reply) => {
+    fastify.addHook("onRequest", async (req, reply) => {
       const ip = client.config.getIp(req);
       const userId = client.config.getUserId(req);
       const url = req.url;
       const method = req.method.toUpperCase();
+      if (client.isBlocked(ip)) {
+        client.reportBlockedHit(ip, { method, url, userAgent: req.headers["user-agent"] ?? "" });
+        return reply.code(403).send({ error: "Forbidden" });
+      }
       if (client.config.detect.pathTraversal && (url.includes("../") || url.includes("..%2F"))) {
         client.track(EventName.PATH_TRAVERSAL, { ip, userId, meta: { url, method } });
       }