@prosopo/provider 4.7.1 → 4.8.0

package/.turbo/turbo-build$colon$cjs.log

@@ -1,5 +1,5 @@
 
-> @prosopo/provider@4.7.1 build:cjs
+> @prosopo/provider@4.8.0 build:cjs
 > NODE_ENV=${NODE_ENV:-development}; vite build --config vite.cjs.config.ts --mode $NODE_ENV
 
 ViteCommonJSConfig: .
@@ -84,7 +84,7 @@ rendering chunks...
 dist/cjs/api/headerCheckMiddleware.cjs                                         1.07 kB
 dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/sessionDedup.cjs          1.09 kB
 dist/cjs/tasks/powCaptcha/powTasksUtils.cjs                                    1.13 kB
-dist/cjs/tasks/detection/getBotScore.cjs                                       1.13 kB
+dist/cjs/tasks/detection/getBotScore.cjs                                       1.21 kB
 dist/cjs/schedulers/getClientList.cjs                                          1.21 kB
 dist/cjs/schedulers/setClientEntropy.cjs                                       1.24 kB
 dist/cjs/schedulers/captchaScheduler.cjs                                       1.28 kB
@@ -112,8 +112,8 @@ rendering chunks...
 dist/cjs/tasks/frictionless/routingMachine.cjs                                 1.86 kB
 dist/cjs/api/captcha/checkSpamEmail.cjs                                        2.10 kB
 dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/shortCircuit.cjs          2.11 kB
+dist/cjs/api/admin/apiDnsEventEndpoint.cjs                                     2.12 kB
 dist/cjs/tasks/spam/updateSpamEmailDomains.cjs                                 2.13 kB
-dist/cjs/api/admin/apiDnsEventEndpoint.cjs                                     2.31 kB
 dist/cjs/api/captcha.cjs                                                       2.66 kB
 dist/cjs/api/ja4Middleware.cjs                                                 2.74 kB
 dist/cjs/api/captcha/submitPuzzleCaptchaSolution.cjs                           2.85 kB
@@ -123,32 +123,32 @@ rendering chunks...
 dist/cjs/api/admin/apiAdminRoutesProvider.cjs                                  3.56 kB
 dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/accessPolicy.cjs          3.78 kB
 dist/cjs/api/domainMiddleware.cjs                                              3.91 kB
-dist/cjs/index.cjs                                                             3.94 kB
+dist/cjs/index.cjs                                                             4.01 kB
 dist/cjs/services/ipComparison.cjs                                             4.10 kB
 dist/cjs/tasks/spam/checkSpamEmail.cjs                                         4.32 kB
-dist/cjs/api/blacklistRequestInspector.cjs                                     4.78 kB
 dist/cjs/api/captcha/submitPoWCaptchaSolution.cjs                              5.20 kB
 dist/cjs/tasks/tasks.cjs                                                       5.33 kB
 dist/cjs/util/usageCounters.cjs                                                5.40 kB
-dist/cjs/api/captcha/getImageCaptchaChallenge.cjs                              5.41 kB
-dist/cjs/api/captcha/getPoWCaptchaChallenge.cjs                                6.11 kB
-dist/cjs/api/captcha/getPuzzleCaptchaChallenge.cjs                             6.30 kB
+dist/cjs/api/captcha/getImageCaptchaChallenge.cjs                              5.53 kB
+dist/cjs/api/blacklistRequestInspector.cjs                                     6.05 kB
+dist/cjs/api/captcha/getPoWCaptchaChallenge.cjs                                6.23 kB
+dist/cjs/api/captcha/getPuzzleCaptchaChallenge.cjs                             6.42 kB
 dist/cjs/api/startProviderApi.cjs                                              9.53 kB
 dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/decisionMachine.cjs       9.54 kB
-dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/handler.cjs               9.89 kB
+dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/handler.cjs              10.10 kB
 dist/cjs/tasks/decisionMachine/decisionMachineRunner.cjs                      10.19 kB
 dist/cjs/api/verify.cjs                                                       10.85 kB
 dist/cjs/util.cjs                                                             12.22 kB
 dist/cjs/tasks/client/clientTasks.cjs                                         15.63 kB
-dist/cjs/tasks/captchaManager.cjs                                             15.73 kB
-dist/cjs/tasks/frictionless/frictionlessTasks.cjs                             16.01 kB
+dist/cjs/tasks/captchaManager.cjs                                             15.75 kB
+dist/cjs/tasks/frictionless/frictionlessTasks.cjs                             16.20 kB
 dist/cjs/tasks/detection/decodeSimd.cjs                                       18.20 kB
-dist/cjs/tasks/puzzleCaptcha/puzzleTasks.cjs                                  19.00 kB
+dist/cjs/tasks/puzzleCaptcha/puzzleTasks.cjs                                  19.08 kB
 dist/cjs/tasks/detection/decodeBehavior.cjs                                   19.16 kB
-dist/cjs/tasks/powCaptcha/powTasks.cjs                                        20.97 kB
-dist/cjs/tasks/imgCaptcha/imgCaptchaTasks.cjs                                 26.84 kB
+dist/cjs/tasks/powCaptcha/powTasks.cjs                                        21.06 kB
+dist/cjs/tasks/imgCaptcha/imgCaptchaTasks.cjs                                 26.91 kB
 dist/cjs/tasks/detection/decodePayload.cjs                                    44.26 kB
-✓ built in 773ms
+✓ built in 808ms
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodeBehavior.js to /home/runner/work/captcha/captcha/packages/provider/dist/cjs/tasks/detection/decodeBehavior.js
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodePayload.js to /home/runner/work/captcha/captcha/packages/provider/dist/cjs/tasks/detection/decodePayload.js
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodeSimd.js to /home/runner/work/captcha/captcha/packages/provider/dist/cjs/tasks/detection/decodeSimd.js

package/.turbo/turbo-build$colon$tsc.log

@@ -1,8 +1,8 @@
 
-> @prosopo/provider@4.7.1 build:tsc
+> @prosopo/provider@4.8.0 build:tsc
 > tsc --build --verbose
 
-8:15:26 AM - Projects in this build: 
+12:30:35 PM - Projects in this build: 
     * ../../dev/config/tsconfig.json
     * ../util/tsconfig.json
     * ../logger/tsconfig.json
@@ -25,47 +25,47 @@
     * ../load-balancer/tsconfig.json
     * tsconfig.json
 
-8:15:26 AM - Project '../../dev/config/tsconfig.json' is up to date because newest input '../../dev/config/src/webpack/webpack.config.ts' is older than output '../../dev/config/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../../dev/config/tsconfig.json' is up to date because newest input '../../dev/config/src/webpack/webpack.config.ts' is older than output '../../dev/config/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../util/tsconfig.json' is up to date because newest input '../util/src/url.ts' is older than output '../util/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../util/tsconfig.json' is up to date because newest input '../util/src/url.ts' is older than output '../util/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../logger/tsconfig.json' is up to date because newest input '../logger/src/index.ts' is older than output '../logger/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../logger/tsconfig.json' is up to date because newest input '../logger/src/index.ts' is older than output '../logger/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../api-route/tsconfig.json' is up to date because newest input '../api-route/src/apiRoutes.ts' is older than output '../api-route/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../api-route/tsconfig.json' is up to date because newest input '../api-route/src/index.ts' is older than output '../api-route/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../locale/tsconfig.json' is up to date because newest input '../locale/src/translationKey.ts' is older than output '../locale/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../locale/tsconfig.json' is up to date because newest input '../locale/src/translationKey.ts' is older than output '../locale/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../util-crypto/tsconfig.json' is up to date because newest input '../util-crypto/src/types.ts' is older than output '../util-crypto/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../util-crypto/tsconfig.json' is up to date because newest input '../util-crypto/src/types.ts' is older than output '../util-crypto/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../types/tsconfig.json' is up to date because newest input '../types/src/procaptcha/api.ts' is older than output '../types/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../types/tsconfig.json' is up to date because newest input '../types/src/procaptcha/behavioral.ts' is older than output '../types/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../common/tsconfig.json' is up to date because newest input '../common/src/error.ts' is older than output '../common/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../common/tsconfig.json' is up to date because newest input '../common/src/tests/utils/batches.unit.test.ts' is older than output '../common/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../ipinfo/tsconfig.json' is up to date because newest input '../ipinfo/src/IpInfoService.ts' is older than output '../ipinfo/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../ipinfo/tsconfig.json' is up to date because newest input '../ipinfo/src/IpInfoService.ts' is older than output '../ipinfo/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../redis-client/tsconfig.json' is up to date because newest input '../redis-client/src/index.ts' is older than output '../redis-client/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../redis-client/tsconfig.json' is up to date because newest input '../redis-client/src/redisClient.ts' is older than output '../redis-client/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../api/tsconfig.json' is up to date because newest input '../api/src/index.ts' is older than output '../api/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../api/tsconfig.json' is up to date because newest input '../api/src/index.ts' is older than output '../api/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../user-access-policy/tsconfig.json' is up to date because newest input '../user-access-policy/src/transformRule.ts' is older than output '../user-access-policy/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../user-access-policy/tsconfig.json' is up to date because newest input '../user-access-policy/src/rule.ts' is older than output '../user-access-policy/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../types-database/tsconfig.json' is up to date because newest input '../types-database/src/types/bannedDomain.ts' is older than output '../types-database/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../types-database/tsconfig.json' is up to date because newest input '../types-database/src/index.ts' is older than output '../types-database/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../database/tsconfig.json' is up to date because newest input '../database/src/tests/integration/ipInfoPersistence.integration.test.ts' is older than output '../database/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../database/tsconfig.json' is up to date because newest input '../database/src/tests/unit/databases/centralDbStreamer.unit.test.ts' is older than output '../database/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../keyring/tsconfig.json' is up to date because newest input '../keyring/src/index.ts' is older than output '../keyring/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../keyring/tsconfig.json' is up to date because newest input '../keyring/src/keyring/keyring.ts' is older than output '../keyring/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../types-env/tsconfig.json' is up to date because newest input '../types-env/src/index.ts' is older than output '../types-env/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../types-env/tsconfig.json' is up to date because newest input '../types-env/src/env.ts' is older than output '../types-env/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../env/tsconfig.json' is up to date because newest input '../env/src/env.ts' is older than output '../env/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../env/tsconfig.json' is up to date because newest input '../env/src/env.ts' is older than output '../env/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../api-express-router/tsconfig.json' is up to date because newest input '../api-express-router/src/tests/unit/errorHandler.unit.test.ts' is older than output '../api-express-router/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../api-express-router/tsconfig.json' is up to date because newest input '../api-express-router/src/middlewares/requestLoggerMiddleware.ts' is older than output '../api-express-router/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../datasets/tsconfig.json' is up to date because newest input '../datasets/src/tests/mocks/data/captchas.ts' is older than output '../datasets/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../datasets/tsconfig.json' is up to date because newest input '../datasets/src/index.ts' is older than output '../datasets/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project '../load-balancer/tsconfig.json' is up to date because newest input '../load-balancer/src/balancer.ts' is older than output '../load-balancer/tsconfig.tsbuildinfo'
+12:30:35 PM - Project '../load-balancer/tsconfig.json' is up to date because newest input '../load-balancer/src/index.ts' is older than output '../load-balancer/tsconfig.tsbuildinfo'
 
-8:15:26 AM - Project 'tsconfig.json' is out of date because output file 'tsconfig.tsbuildinfo' does not exist
+12:30:35 PM - Project 'tsconfig.json' is out of date because output file 'tsconfig.tsbuildinfo' does not exist
 
-8:15:26 AM - Building project '/home/runner/work/captcha/captcha/packages/provider/tsconfig.json'...
+12:30:35 PM - Building project '/home/runner/work/captcha/captcha/packages/provider/tsconfig.json'...
 

package/.turbo/turbo-build.log

@@ -1,9 +1,9 @@
 
-> @prosopo/provider@4.7.1 build
+> @prosopo/provider@4.8.0 build
 > npm run build:cross-env -- --mode ${NODE_ENV:-development}
 
 
-> @prosopo/provider@4.7.1 build:cross-env
+> @prosopo/provider@4.8.0 build:cross-env
 > vite build --config vite.esm.config.ts --mode production
 
 ViteEsmConfig: .
@@ -90,7 +90,7 @@ rendering chunks...
 dist/api/admin/apiRemoveSiteKeyEndpoint.js                                1.00 kB
 dist/api/admin/apiRemoveSiteKeysEndpoint.js                               1.00 kB
 dist/api/admin/apiRegisterSiteKeysEndpoint.js                             1.01 kB
-dist/tasks/detection/getBotScore.js                                       1.02 kB
+dist/tasks/detection/getBotScore.js                                       1.09 kB
 dist/api/admin/apiRemoveDetectorKeyEndpoint.js                            1.09 kB
 dist/schedulers/getClientList.js                                          1.10 kB
 dist/schedulers/setClientEntropy.js                                       1.13 kB
@@ -108,18 +108,18 @@ rendering chunks...
 dist/tasks/spam/checkTrafficFilter.js                                     1.56 kB
 dist/utils/honeypot/phraseBank.js                                         1.57 kB
 dist/api/public.js                                                        1.60 kB
+dist/api/admin/apiDnsEventEndpoint.js                                     1.64 kB
 dist/api/admin/apiClearAllCountersEndpoint.js                             1.66 kB
 dist/api/admin/apiUpdateDecisionMachineEndpoint.js                        1.67 kB
 dist/utils/honeypot/encoders.js                                           1.71 kB
 dist/tasks/frictionless/routingMachine.js                                 1.76 kB
-dist/api/admin/apiDnsEventEndpoint.js                                     1.82 kB
 dist/api/captcha/getFrictionlessCaptchaChallenge/shortCircuit.js          1.95 kB
 dist/tasks/spam/updateSpamEmailDomains.js                                 2.03 kB
 dist/api/captcha/checkSpamEmail.js                                        2.08 kB
 dist/api/ja4Middleware.js                                                 2.19 kB
 dist/api/captcha.js                                                       2.49 kB
 dist/utils/dns.js                                                         2.57 kB
-dist/index.js                                                             2.62 kB
+dist/index.js                                                             2.66 kB
 dist/api/captcha/submitPuzzleCaptchaSolution.js                           2.78 kB
 dist/tasks/spam/evaluateEmailSpamRules.js                                 2.84 kB
 dist/api/admin/apiAdminRoutesProvider.js                                  2.93 kB
@@ -128,29 +128,29 @@ rendering chunks...
 dist/api/domainMiddleware.js                                              3.71 kB
 dist/services/ipComparison.js                                             4.00 kB
 dist/tasks/spam/checkSpamEmail.js                                         4.26 kB
-dist/api/blacklistRequestInspector.js                                     4.57 kB
 dist/api/captcha/submitPoWCaptchaSolution.js                              5.09 kB
 dist/tasks/tasks.js                                                       5.13 kB
 dist/util/usageCounters.js                                                5.29 kB
-dist/api/captcha/getImageCaptchaChallenge.js                              5.29 kB
-dist/api/captcha/getPoWCaptchaChallenge.js                                5.88 kB
-dist/api/captcha/getPuzzleCaptchaChallenge.js                             6.05 kB
+dist/api/captcha/getImageCaptchaChallenge.js                              5.41 kB
+dist/api/blacklistRequestInspector.js                                     5.80 kB
+dist/api/captcha/getPoWCaptchaChallenge.js                                6.00 kB
+dist/api/captcha/getPuzzleCaptchaChallenge.js                             6.17 kB
 dist/api/startProviderApi.js                                              7.65 kB
 dist/api/captcha/getFrictionlessCaptchaChallenge/decisionMachine.js       9.17 kB
-dist/api/captcha/getFrictionlessCaptchaChallenge/handler.js               9.56 kB
+dist/api/captcha/getFrictionlessCaptchaChallenge/handler.js               9.76 kB
 dist/tasks/decisionMachine/decisionMachineRunner.js                      10.14 kB
 dist/api/verify.js                                                       10.43 kB
 dist/util.js                                                             11.79 kB
-dist/tasks/captchaManager.js                                             15.08 kB
+dist/tasks/captchaManager.js                                             15.10 kB
 dist/tasks/client/clientTasks.js                                         15.37 kB
-dist/tasks/frictionless/frictionlessTasks.js                             15.70 kB
+dist/tasks/frictionless/frictionlessTasks.js                             15.89 kB
 dist/tasks/detection/decodeSimd.js                                       18.06 kB
-dist/tasks/puzzleCaptcha/puzzleTasks.js                                  18.74 kB
+dist/tasks/puzzleCaptcha/puzzleTasks.js                                  18.83 kB
 dist/tasks/detection/decodeBehavior.js                                   19.03 kB
-dist/tasks/powCaptcha/powTasks.js                                        20.62 kB
-dist/tasks/imgCaptcha/imgCaptchaTasks.js                                 26.44 kB
+dist/tasks/powCaptcha/powTasks.js                                        20.71 kB
+dist/tasks/imgCaptcha/imgCaptchaTasks.js                                 26.52 kB
 dist/tasks/detection/decodePayload.js                                    44.24 kB
-✓ built in 1.35s
+✓ built in 1.40s
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodeBehavior.js to /home/runner/work/captcha/captcha/packages/provider/dist/tasks/detection/decodeBehavior.js
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodePayload.js to /home/runner/work/captcha/captcha/packages/provider/dist/tasks/detection/decodePayload.js
 [copy-plugin] copying /home/runner/work/captcha/captcha/packages/provider/src/tasks/detection/decodeSimd.js to /home/runner/work/captcha/captcha/packages/provider/dist/tasks/detection/decodeSimd.js

package/CHANGELOG.md

@@ -1,5 +1,38 @@
 # @prosopo/provider
 
+## 4.8.0
+### Minor Changes
+
+- 2f459ce: Collapse the per-request access-rule lookup from 2 × (2^n − 1) Redis `FT.SEARCH` round trips (126 with n=6 user-scope fields) to a single greedy query, with specificity ranking done in JS. Same external semantics — client-scoped rules still outrank global, and a rule with both `ja4Hash` and `ip` constraints is correctly rejected for requests that only match one of them.
+
+### Patch Changes
+
+- 2f459ce: Add `asn` as a user-scope field for access rules. The captcha provider can now block / restrict by Autonomous System Number, matching what the protect/bumblebee tier already supports. ASN is read from `ipInfo.asnNumber` and threaded through `getRequestUserScope` and `checkForHardBlock` at all challenge entry points. Redis index gains a NUMERIC `asn` field with range-syntax lookups.
+- Updated dependencies [2f459ce]
+  - @prosopo/user-access-policy@3.8.0
+  - @prosopo/database@3.13.9
+  - @prosopo/types-database@4.8.2
+  - @prosopo/env@3.5.9
+  - @prosopo/types-env@2.9.18
+  - @prosopo/api-express-router@3.1.19
+
+## 4.7.2
+### Patch Changes
+
+- b03dad1: Thread `shadowDomPenalty: boolean` from the catcher's encrypted detection payload through `decryptPayload` and persist it on `Session.scoreComponents` so the flag is queryable in Mongo without inferring it from `baseScore=1 ∧ ¬triggeredDetectors`. Field is optional on the wire (position 6); older catcher bundles omit it and `shadowDomPenalty` stays undefined.
+- Updated dependencies [b03dad1]
+  - @prosopo/types@4.3.1
+  - @prosopo/types-database@4.8.1
+  - @prosopo/env@3.5.8
+  - @prosopo/api@3.4.9
+  - @prosopo/api-express-router@3.1.18
+  - @prosopo/database@3.13.8
+  - @prosopo/datasets@3.1.29
+  - @prosopo/keyring@2.9.35
+  - @prosopo/load-balancer@2.9.11
+  - @prosopo/types-env@2.9.17
+  - @prosopo/user-access-policy@3.7.12
+
 ## 4.7.1
 ### Patch Changes
 

package/dist/api/admin/apiDnsEventEndpoint.d.ts

@@ -1,10 +1,14 @@
 import { type ApiEndpoint, type ApiEndpointResponse } from "@prosopo/api-route";
 import { type Logger } from "@prosopo/logger";
-import { type DnsEvent, DnsEventBatchSchema, type Session } from "@prosopo/types";
+import { type DnsEvent, DnsEventBatchSchema } from "@prosopo/types";
 import type { IProviderDatabase } from "@prosopo/types-database";
 import type { z } from "zod";
 type DnsEventBatchSchemaType = typeof DnsEventBatchSchema;
-export declare const dnsEventToPartialSession: (event: DnsEvent, existing: Session["dnsEvent"] | undefined) => Session["dnsEvent"];
+export declare const dnsEventToFields: (event: DnsEvent) => {
+    resolverIp?: string;
+    peerIp?: string;
+    pathValid?: boolean;
+};
 declare class ApiDnsEventEndpoint implements ApiEndpoint<DnsEventBatchSchemaType> {
     private readonly db;
     constructor(db: IProviderDatabase);

package/dist/api/admin/apiDnsEventEndpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"apiDnsEventEndpoint.d.ts","sourceRoot":"","sources":["../../../src/api/admin/apiDnsEventEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,mBAAmB,EAExB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,KAAK,MAAM,EAAa,MAAM,iBAAiB,CAAC;AACzD,OAAO,EACN,KAAK,QAAQ,EACb,mBAAmB,EACnB,KAAK,OAAO,EACZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAE7B,KAAK,uBAAuB,GAAG,OAAO,mBAAmB,CAAC;AAG1D,eAAO,MAAM,wBAAwB,UAC7B,QAAQ,YACL,OAAO,CAAC,UAAU,CAAC,GAAG,SAAS,KACvC,OAAO,CAAC,UAAU,CAYpB,CAAC;AAEF,cAAM,mBAAoB,YAAW,WAAW,CAAC,uBAAuB,CAAC;IACrD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,iBAAiB;IAEnD,cAAc,CACnB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,EACtC,MAAM,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,mBAAmB,CAAC;IA0CxB,oBAAoB,IAAI,uBAAuB;CAGtD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}
+{"version":3,"file":"apiDnsEventEndpoint.d.ts","sourceRoot":"","sources":["../../../src/api/admin/apiDnsEventEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,mBAAmB,EAExB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,KAAK,MAAM,EAAa,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,KAAK,QAAQ,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAE7B,KAAK,uBAAuB,GAAG,OAAO,mBAAmB,CAAC;AAG1D,eAAO,MAAM,gBAAgB,UACrB,QAAQ,KACb;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,OAAO,CAAA;CAW7D,CAAC;AAEF,cAAM,mBAAoB,YAAW,WAAW,CAAC,uBAAuB,CAAC;IACrD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,iBAAiB;IAEnD,cAAc,CACnB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,EACtC,MAAM,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,mBAAmB,CAAC;IA6CxB,oBAAoB,IAAI,uBAAuB;CAGtD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/api/admin/apiDnsEventEndpoint.js

@@ -1,18 +1,17 @@
 import { ApiEndpointResponseStatus } from "@prosopo/api-route";
 import { getLogger } from "@prosopo/logger";
 import { DnsEventBatchSchema } from "@prosopo/types";
-const dnsEventToPartialSession = (event, existing) => {
-  const receivedAt = existing?.receivedAt ?? /* @__PURE__ */ new Date();
-  const merged = { ...existing ?? {}, receivedAt };
+const dnsEventToFields = (event) => {
   if (event.kind === "dns") {
-    merged.resolverIp = event.src_ip;
-  } else {
-    merged.peerIp = event.src_ip;
-    if (typeof event.path_valid === "boolean") {
-      merged.pathValid = event.path_valid;
-    }
+    return { resolverIp: event.src_ip };
+  }
+  const out = {
+    peerIp: event.src_ip
+  };
+  if (typeof event.path_valid === "boolean") {
+    out.pathValid = event.path_valid;
   }
-  return merged;
+  return out;
 };
 class ApiDnsEventEndpoint {
   constructor(db) {
@@ -23,19 +22,22 @@ class ApiDnsEventEndpoint {
     const { events } = args;
     let stored = 0;
     let errors = 0;
+    const now = /* @__PURE__ */ new Date();
     for (const event of events) {
       const sessionId = event.jti;
       if (!sessionId) {
         continue;
       }
       try {
-        const session = await this.db.getSessionRecordBySessionId(sessionId);
-        if (!session) {
-          continue;
+        const fields = dnsEventToFields(event);
+        const matched = await this.db.mergeSessionDnsEvent(
+          sessionId,
+          fields,
+          now
+        );
+        if (matched) {
+          stored += 1;
         }
-        const dnsEvent = dnsEventToPartialSession(event, session.dnsEvent);
-        await this.db.updateSessionRecord(sessionId, { dnsEvent });
-        stored += 1;
       } catch (err) {
         errors += 1;
         logger.warn(() => ({
@@ -60,5 +62,5 @@ class ApiDnsEventEndpoint {
 }
 export {
   ApiDnsEventEndpoint,
-  dnsEventToPartialSession
+  dnsEventToFields
 };

package/dist/api/admin/apiDnsEventEndpoint.js.map

@@ -1 +1 @@
-{"version":3,"file":"apiDnsEventEndpoint.js","sourceRoot":"","sources":["../../../src/api/admin/apiDnsEventEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EAGN,yBAAyB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAe,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAEN,mBAAmB,GAEnB,MAAM,gBAAgB,CAAC;AAOxB,MAAM,CAAC,MAAM,wBAAwB,GAAG,CACvC,KAAe,EACf,QAAyC,EACnB,EAAE;IACxB,MAAM,UAAU,GAAG,QAAQ,EAAE,UAAU,IAAI,IAAI,IAAI,EAAE,CAAC;IACtD,MAAM,MAAM,GAAwB,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC;IACxE,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,MAAM,CAAC,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;IAClC,CAAC;SAAM,CAAC;QACP,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;QAC7B,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC;QACrC,CAAC;IACF,CAAC;IACD,OAAO,MAAM,CAAC;AACf,CAAC,CAAC;AAEF,MAAM,mBAAmB;IACxB,YAAoC,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAE7D,KAAK,CAAC,cAAc,CACnB,IAAsC,EACtC,MAAe;QAEf,MAAM,GAAG,MAAM,IAAI,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QAExB,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC5B,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC;YAC5B,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,SAAS;YACV,CAAC;YAED,IAAI,CAAC;gBACJ,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,2BAA2B,CAAC,SAAS,CAAC,CAAC;gBACrE,IAAI,CAAC,OAAO,EAAE,CAAC;oBACd,SAAS;gBACV,CAAC;gBACD,MAAM,QAAQ,GAAG,wBAAwB,CAAC,KAAK,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACnE,MAAM,IAAI,CAAC,EAAE,CAAC,mBAAmB,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,CAAC;YACb,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,CAAC;gBACZ,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;oBAClB,GAAG;oBACH,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE;oBACrC,GAAG,EAAE,wCAAwC;iBAC7C,CAAC,CAAC,CAAC;YACL,CAAC;QACF,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAClB,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;YACjD,GAAG,EAAE,2BAA2B;SAChC,CAAC,CAAC,CAAC;QAEJ,OAAO;YACN,MAAM,EAAE,yBAAyB,CAAC,OAAO;YACzC,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;SACxB,CAAC;IACH,CAAC;IAEM,oBAAoB;QAC1B,OAAO,mBAAmB,CAAC;IAC5B,CAAC;CACD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}
+{"version":3,"file":"apiDnsEventEndpoint.js","sourceRoot":"","sources":["../../../src/api/admin/apiDnsEventEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EAGN,yBAAyB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAe,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAiB,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAOpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC/B,KAAe,EACiD,EAAE;IAClE,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;IACrC,CAAC;IACD,MAAM,GAAG,GAA4C;QACpD,MAAM,EAAE,KAAK,CAAC,MAAM;KACpB,CAAC;IACF,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC3C,GAAG,CAAC,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC;IAClC,CAAC;IACD,OAAO,GAAG,CAAC;AACZ,CAAC,CAAC;AAEF,MAAM,mBAAmB;IACxB,YAAoC,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAE7D,KAAK,CAAC,cAAc,CACnB,IAAsC,EACtC,MAAe;QAEf,MAAM,GAAG,MAAM,IAAI,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QAExB,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC5B,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC;YAC5B,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,SAAS;YACV,CAAC;YAED,IAAI,CAAC;gBACJ,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,oBAAoB,CACjD,SAAS,EACT,MAAM,EACN,GAAG,CACH,CAAC;gBACF,IAAI,OAAO,EAAE,CAAC;oBACb,MAAM,IAAI,CAAC,CAAC;gBACb,CAAC;YACF,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,CAAC;gBACZ,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;oBAClB,GAAG;oBACH,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE;oBACrC,GAAG,EAAE,wCAAwC;iBAC7C,CAAC,CAAC,CAAC;YACL,CAAC;QACF,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAClB,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE;YACjD,GAAG,EAAE,2BAA2B;SAChC,CAAC,CAAC,CAAC;QAEJ,OAAO;YACN,MAAM,EAAE,yBAAyB,CAAC,OAAO;YACzC,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;SACxB,CAAC;IACH,CAAC;IAEM,oBAAoB;QAC1B,OAAO,mBAAmB,CAAC;IAC5B,CAAC;CACD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/api/blacklistRequestInspector.d.ts

@@ -1,9 +1,10 @@
 import type { Logger } from "@prosopo/logger";
 import { type IPInfoResponse } from "@prosopo/types";
-import { type AccessRulesStorage, type UserScope, type UserScopeRecord } from "@prosopo/user-access-policy";
+import { type AccessRule, type AccessRulesStorage, type UserScope, type UserScopeRecord } from "@prosopo/user-access-policy";
 import type { NextFunction, Request, Response } from "express";
-export declare const getRequestUserScope: (requestHeaders: Record<string, unknown>, ja4?: string, ip?: string, user?: string, headHash?: string, coords?: string, countryCode?: string) => Pick<UserScopeRecord, "userId" | "ja4Hash" | "userAgent" | "ip" | "headHash" | "coords" | "countryCode">;
-export declare const getPrioritisedAccessRule: (userAccessRulesStorage: AccessRulesStorage, userScope: UserScope | UserScopeRecord, clientId?: string) => Promise<import("@prosopo/user-access-policy").AccessRule[]>;
+export declare const getRequestUserScope: (requestHeaders: Record<string, unknown>, ja4?: string, ip?: string, user?: string, headHash?: string, coords?: string, countryCode?: string, asn?: number) => Pick<UserScopeRecord, "userId" | "ja4Hash" | "userAgent" | "ip" | "headHash" | "coords" | "countryCode" | "asn">;
+export declare const rankCandidateRules: (rules: AccessRule[], request: UserScope, requestClientId: string | undefined) => AccessRule[];
+export declare const getPrioritisedAccessRule: (userAccessRulesStorage: AccessRulesStorage, userScope: UserScope | UserScopeRecord, clientId?: string) => Promise<AccessRule[]>;
 export declare class BlacklistRequestInspector {
     private readonly userAccessRulesStorage;
     private readonly environmentReadinessWaiter;

package/dist/api/blacklistRequestInspector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"blacklistRequestInspector.d.ts","sourceRoot":"","sources":["../../src/api/blacklistRequestInspector.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAa,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChE,OAAO,EAEN,KAAK,kBAAkB,EAEvB,KAAK,SAAS,EACd,KAAK,eAAe,EAEpB,MAAM,6BAA6B,CAAC;AAErC,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,eAAO,MAAM,mBAAmB,mBACf,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QACjC,MAAM,OACP,MAAM,SACJ,MAAM,aACF,MAAM,WACR,MAAM,gBACD,MAAM,KAClB,IAAI,CACN,eAAe,EACb,QAAQ,GACR,SAAS,GACT,WAAW,GACX,IAAI,GACJ,UAAU,GACV,QAAQ,GACR,aAAa,CAef,CAAC;AAiBF,eAAO,MAAM,wBAAwB,2BACZ,kBAAkB,aAC/B,SAAS,GAAG,eAAe,aAC3B,MAAM,gEA+BjB,CAAC;AAEF,qBAAa,yBAAyB;IAEpC,OAAO,CAAC,QAAQ,CAAC,sBAAsB;IACvC,OAAO,CAAC,QAAQ,CAAC,0BAA0B;gBAD1B,sBAAsB,EAAE,kBAAkB,EAC1C,0BAA0B,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC;IAGpD,2BAA2B,CACvC,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GAChB,OAAO,CAAC,IAAI,CAAC;IAyBH,kBAAkB,CAC9B,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,EACX,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpC,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,cAAc,GACrB,OAAO,CAAC,OAAO,CAAC;IAmEnB,SAAS,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAInD,SAAS,CAAC,qBAAqB,CAC9B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAClC;QACF,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;QAC3B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7B;IAcD,SAAS,CAAC,cAAc,CACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,GAAG,EAAE,MAAM,GACT,OAAO;CAGV"}
+{"version":3,"file":"blacklistRequestInspector.d.ts","sourceRoot":"","sources":["../../src/api/blacklistRequestInspector.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAa,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChE,OAAO,EAEN,KAAK,UAAU,EACf,KAAK,kBAAkB,EAEvB,KAAK,SAAS,EACd,KAAK,eAAe,EAEpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,eAAO,MAAM,mBAAmB,mBACf,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QACjC,MAAM,OACP,MAAM,SACJ,MAAM,aACF,MAAM,WACR,MAAM,gBACD,MAAM,QACd,MAAM,KACV,IAAI,CACN,eAAe,EACb,QAAQ,GACR,SAAS,GACT,WAAW,GACX,IAAI,GACJ,UAAU,GACV,QAAQ,GACR,aAAa,GACb,KAAK,CAgBP,CAAC;AA+FF,eAAO,MAAM,kBAAkB,UACvB,UAAU,EAAE,WACV,SAAS,mBACD,MAAM,GAAG,SAAS,KACjC,UAAU,EAWT,CAAC;AAaL,eAAO,MAAM,wBAAwB,2BACZ,kBAAkB,aAC/B,SAAS,GAAG,eAAe,aAC3B,MAAM,KACf,OAAO,CAAC,UAAU,EAAE,CAqBtB,CAAC;AAEF,qBAAa,yBAAyB;IAEpC,OAAO,CAAC,QAAQ,CAAC,sBAAsB;IACvC,OAAO,CAAC,QAAQ,CAAC,0BAA0B;gBAD1B,sBAAsB,EAAE,kBAAkB,EAC1C,0BAA0B,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC;IAGpD,2BAA2B,CACvC,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GAChB,OAAO,CAAC,IAAI,CAAC;IAyBH,kBAAkB,CAC9B,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,EACX,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpC,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,cAAc,GACrB,OAAO,CAAC,OAAO,CAAC;IAqEnB,SAAS,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAInD,SAAS,CAAC,qBAAqB,CAC9B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAClC;QACF,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;QAC3B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7B;IAcD,SAAS,CAAC,cAAc,CACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,GAAG,EAAE,MAAM,GACT,OAAO;CAGV"}

package/dist/api/blacklistRequestInspector.js

@@ -1,7 +1,6 @@
 import { ApiPrefix } from "@prosopo/types";
-import { userScopeInput, FilterScopeMatch, AccessPolicyType } from "@prosopo/user-access-policy";
-import { uniqueSubsets } from "@prosopo/util";
-const getRequestUserScope = (requestHeaders, ja4, ip, user, headHash, coords, countryCode) => {
+import { AccessPolicyType, userScopeInput, FilterScopeMatch } from "@prosopo/user-access-policy";
+const getRequestUserScope = (requestHeaders, ja4, ip, user, headHash, coords, countryCode, asn) => {
   const userAgent = requestHeaders["user-agent"] ? requestHeaders["user-agent"].toString() : void 0;
   return {
     ...user && { userId: user },
@@ -10,45 +9,89 @@ const getRequestUserScope = (requestHeaders, ja4, ip, user, headHash, coords, co
     ...ip && { ip },
     ...headHash && { headHash },
     ...coords && { coords },
-    ...countryCode && { countryCode }
+    ...countryCode && { countryCode },
+    ...typeof asn === "number" && { asn }
   };
 };
-const getPrioritisedUserScopes = (userScope) => {
-  const userScopeKeys = Object.keys(userScope);
-  return uniqueSubsets(userScopeKeys).map(
-    (subset) => subset.reduce(
-      (acc, key) => {
-        acc[key] = userScope[key];
-        return acc;
-      },
-      {}
-    )
-  );
+const SCALAR_USER_SCOPE_FIELDS = [
+  "userId",
+  "ja4Hash",
+  "headersHash",
+  "userAgentHash",
+  "headHash",
+  "coords",
+  "countryCode",
+  "asn"
+];
+const ruleHasIpConstraint = (rule) => rule.numericIp !== void 0 || rule.numericIpMaskMin !== void 0 && rule.numericIpMaskMax !== void 0;
+const ruleIpMatchesRequest = (rule, requestIp) => {
+  if (!ruleHasIpConstraint(rule)) {
+    return true;
+  }
+  if (requestIp === void 0) {
+    return false;
+  }
+  if (rule.numericIp !== void 0) {
+    return requestIp === rule.numericIp;
+  }
+  return requestIp >= rule.numericIpMaskMin && requestIp <= rule.numericIpMaskMax;
 };
-const getPrioritisedAccessRule = async (userAccessRulesStorage, userScope, clientId) => {
-  const prioritisedUserScopes = getPrioritisedUserScopes(userScope);
-  const policyPromises = [];
-  const clientLoop = clientId ? [clientId, void 0] : [void 0];
-  for (const clientOrUndefined of clientLoop) {
-    for (const scope of prioritisedUserScopes) {
-      if (Object.values(scope).every((value) => value === void 0)) {
-        continue;
-      }
-      const parsedUserScope = userScopeInput.parse(scope);
-      const filter = {
-        ...clientOrUndefined && {
-          policyScope: {
-            clientId: clientOrUndefined
-          }
-        },
-        policyScopeMatch: FilterScopeMatch.Exact,
-        userScope: parsedUserScope,
-        userScopeMatch: FilterScopeMatch.Exact
-      };
-      policyPromises.push(userAccessRulesStorage.findRules(filter, true, true));
+const ruleApplies = (rule, request, requestClientId) => {
+  if (rule.clientId !== void 0 && rule.clientId !== requestClientId) {
+    return false;
+  }
+  for (const field of SCALAR_USER_SCOPE_FIELDS) {
+    const ruleValue = rule[field];
+    if (ruleValue === void 0) {
+      continue;
+    }
+    if (ruleValue !== request[field]) {
+      return false;
+    }
+  }
+  return ruleIpMatchesRequest(rule, request.numericIp);
+};
+const ruleSpecificity = (rule, requestClientId) => {
+  let score = 0;
+  if (rule.clientId !== void 0 && rule.clientId === requestClientId) {
+    score += 1;
+  }
+  for (const field of SCALAR_USER_SCOPE_FIELDS) {
+    if (rule[field] !== void 0) {
+      score += 1;
     }
   }
-  return (await Promise.all(policyPromises)).flat();
+  if (ruleHasIpConstraint(rule)) {
+    score += 1;
+  }
+  return score;
+};
+const policySeverity = (rule) => rule.type === AccessPolicyType.Block ? 1 : 0;
+const rankCandidateRules = (rules, request, requestClientId) => rules.filter((rule) => ruleApplies(rule, request, requestClientId)).sort((a, b) => {
+  const specDelta = ruleSpecificity(b, requestClientId) - ruleSpecificity(a, requestClientId);
+  if (specDelta !== 0) {
+    return specDelta;
+  }
+  return policySeverity(b) - policySeverity(a);
+});
+const getPrioritisedAccessRule = async (userAccessRulesStorage, userScope, clientId) => {
+  const parsedUserScope = userScopeInput.parse(userScope);
+  const filter = {
+    ...clientId && {
+      policyScope: {
+        clientId
+      }
+    },
+    policyScopeMatch: FilterScopeMatch.Greedy,
+    userScope: parsedUserScope,
+    userScopeMatch: FilterScopeMatch.Greedy
+  };
+  const candidates = await userAccessRulesStorage.findRules(
+    filter,
+    false,
+    true
+  );
+  return rankCandidateRules(candidates, parsedUserScope, clientId);
 };
 class BlacklistRequestInspector {
   constructor(userAccessRulesStorage, environmentReadinessWaiter) {
@@ -97,6 +140,7 @@ class BlacklistRequestInspector {
         requestBody
       );
       const countryCode = ipInfo?.isValid ? ipInfo.countryCode : void 0;
+      const asn = ipInfo?.isValid ? ipInfo.asnNumber : void 0;
       const accessPolicies = await getPrioritisedAccessRule(
         this.userAccessRulesStorage,
         getRequestUserScope(
@@ -108,7 +152,8 @@ class BlacklistRequestInspector {
           // headHash
           void 0,
           // coords
-          countryCode
+          countryCode,
+          asn
         ),
         clientId
       );
@@ -143,5 +188,6 @@ class BlacklistRequestInspector {
 export {
   BlacklistRequestInspector,
   getPrioritisedAccessRule,
-  getRequestUserScope
+  getRequestUserScope,
+  rankCandidateRules
 };