@redsocs/spam-warden 1.1.5 → 1.1.8

package/README.md

@@ -85,18 +85,21 @@ Traditional spam filters (like Akismet or ReCaptcha) often:
 
 **SpamWarden** exists to provide a **local, fast, and Thai-centric** alternative that stops spam at the source: the user's input field.
 
-# Security & "Brutal" Obfuscation
+# Security & Active Defense
 
 > [!WARNING]
-> **Honesty First:** All client-side code is inherently bypassable. If a human can run it, a human can reverse-engineer it.
+> **Honesty First:** All client-side code is inherently bypassable by a sufficiently motivated human. However, we have engineered this library to be an absolute nightmare for automated bots and script kiddies.
 
-We use **JavaScript Obfuscator** with high-entropy settings (Control Flow Flattening, Dead Code Injection, String Array Transformations) for the `min.js` distribution. Here is why we do it "brutally":
+We do not rely solely on "Security through Obscurity." SpamWarden employs a **Hostile Active Defense** architecture:
 
-1. **Anti-Hijacking:** Without obfuscation, a malicious actor can simply type `window.spamwarden.spamcheck = () => ({ isSpam: false })` in the console to bypass your entire defense. Obfuscation hides these entry points and variables, making it significantly harder to find and override the core logic.
-2. **Model Protection:** The Bernoulli Naive Bayes weights and vocabulary are embedded in the file. Obfuscation protects this data from easy scraping and extraction by competitors or spam-bot developers.
-3. **Defense-in-Depth:** While it isn't "encryption," it raises the **Cost of Attack**. It turns a 5-second bypass into a 5-hour reverse-engineering task. For most spammers, this friction is enough to make them move on to an easier target.
+1. **The Ghost Tarpit (Honeypot):** We intentionally deploy a "Poison Pill" decoy. If a bot or attacker attempts to bypass or tamper with the script, they are redirected into this trap, which is designed to actively retaliate by crashing headless browsers (Puppeteer/Playwright) and wasting attacker compute credits.
+2. **Build-Time Randomization (The Moving Target):** The real machine-learning engine is hidden inside an isolated closure and bound to the DOM using a randomized cryptographic key generated during compilation. The internal execution path changes on every release, defeating static bypass scripts.
+3. **Brutal DOM Protection:** By utilizing Document-Level Capturing Phase listeners, Prototype Monkey-Patching, and MutationObservers, SpamWarden intercepts submissions before they reach the form element. This defeats trivial bypasses like form cloning or direct `document.forms[0].submit()` calls.
+4. **Aggressive Obfuscation:** The final distribution is run through high-entropy obfuscation (Control Flow Flattening, String Shifting) to protect the model weights and heavily penalize reverse engineers trying to step through the code.
 
-If you require absolute, unbreakable security, you **must** use our telemetry to double-check results on your backend.
+If you require absolute, mathematically unbroken security, client-side protection will never be enough. You **must** validate payloads on your backend:
+- **For WordPress:** Use our [SpamWarden WP Plugin](https://redsocs.com/spam-warden) to protect your server at the PHP layer (Paid).
+- **For Node.js/Custom Stacks:** Grab this NPM package directly, bundle it internally, and run the `spamcheck()` function on your backend server before hitting your database (Free).
 
 # Local Simulation & Testing
 
@@ -128,7 +131,7 @@ You can spin up a local simulation server to test the DOM auto-blocking behavior
 
 # About
 
-- **Version:** 1.1.5 (Engine v11.06)
+- **Version:** 1.1.8 (Engine v11.06)
 - **Author:** [RedSocs](https://github.com/RedSocs)
 - **License:** MIT
 - **Model Origin:** Trained via [RedSocs/spam-labeler](https://github.com/RedSocs/spam-labeler)