@riavzon/bot-detector 1.0.0

package/dist/main.mjs

@@ -0,0 +1,3210 @@
+import { createConfigManager } from "@riavzon/utils";
+import z from "zod";
+import maxmind from "maxmind";
+import { open } from "lmdb";
+import fs, { existsSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { pino } from "pino";
+import { existsSync as existsSync$1, mkdirSync } from "fs";
+import path$1 from "path";
+import { createStorage } from "unstorage";
+import memoryDriver from "unstorage/drivers/memory";
+import { createDatabase } from "db0";
+import consola from "consola";
+import { randomBytes, randomUUID } from "crypto";
+import { UAParser } from "ua-parser-js";
+import { isAIBot, isBot } from "ua-parser-js/helpers";
+import { CLIs, Crawlers, Fetchers, Libraries } from "ua-parser-js/extensions";
+import { isIP } from "node:net";
+import dns from "node:dns/promises";
+import { anyOf, createRegExp, digit, exactly, letter, maybe } from "magic-regexp";
+import { URL as URL$1 } from "url";
+import { spawn } from "child_process";
+import { performance } from "perf_hooks";
+import { Router } from "express";
+import { compiler } from "@riavzon/shield-base";
+
+//#region src/botDetector/types/configSchema.ts
+const dbConfigStorage = z.custom((val) => {
+	if (typeof val !== "object" || val === null) return false;
+	return typeof val.driver === "string";
+}, { message: "Database config must be an object with a valid \"driver\" string" });
+const store = z.object({ main: dbConfigStorage }).required().strict();
+const cache = z.custom((val) => {
+	if (typeof val !== "object" || val === null) return false;
+	return typeof val.driver === "string";
+}, { message: "Storage must be an object with a valid \"driver\" string" });
+const configSchema = z.object({
+	store,
+	banScore: z.number().max(100).min(0).default(100),
+	maxScore: z.number().max(100).min(0).default(100),
+	restoredReputationPoints: z.number().default(10),
+	setNewComputedScore: z.boolean().default(false),
+	whiteList: z.array(z.union([
+		z.ipv4(),
+		z.ipv6(),
+		z.string()
+	])).optional().default([]),
+	checksTimeRateControl: z.object({
+		checkEveryRequest: z.boolean().default(true),
+		checkEvery: z.number().default(1e3 * 60 * 5)
+	}).prefault({}),
+	batchQueue: z.object({
+		flushIntervalMs: z.number().default(5e3),
+		maxBufferSize: z.number().default(100),
+		maxRetries: z.number().default(3)
+	}).prefault({}),
+	storage: cache.optional(),
+	checkers: z.object({
+		localeMapsCheck: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				ipAndHeaderMismatch: z.number().default(20),
+				missingHeader: z.number().default(20),
+				missingGeoData: z.number().default(20),
+				malformedHeader: z.number().default(30)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		knownBadUserAgents: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				criticalSeverity: z.number().default(100),
+				highSeverity: z.number().default(80),
+				mediumSeverity: z.number().default(30),
+				lowSeverity: z.number().default(10)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableIpChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.number().default(10)
+		})]).prefault({ enable: true }),
+		enableGoodBotsChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			banUnlistedBots: z.boolean().default(true),
+			penalties: z.number().default(100)
+		})]).prefault({ enable: true }),
+		enableBehaviorRateCheck: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			behavioral_window: z.number().default(6e4),
+			behavioral_threshold: z.number().default(30),
+			penalties: z.number().default(60)
+		})]).prefault({ enable: true }),
+		enableProxyIspCookiesChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				cookieMissing: z.number().default(80),
+				proxyDetected: z.number().default(40),
+				multiSourceBonus2to3: z.number().default(10),
+				multiSourceBonus4plus: z.number().default(20),
+				hostingDetected: z.number().default(50),
+				ispUnknown: z.number().default(10),
+				orgUnknown: z.number().default(10)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableUaAndHeaderChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				headlessBrowser: z.number().default(100),
+				shortUserAgent: z.number().default(80),
+				tlsCheckFailed: z.number().default(60),
+				badUaChecker: z.boolean().default(true)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableBrowserAndDeviceChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				cliOrLibrary: z.number().default(100),
+				internetExplorer: z.number().default(100),
+				linuxOs: z.number().default(10),
+				impossibleBrowserCombinations: z.number().default(30),
+				browserTypeUnknown: z.number().default(10),
+				browserNameUnknown: z.number().default(10),
+				desktopWithoutOS: z.number().default(10),
+				deviceVendorUnknown: z.number().default(10),
+				browserVersionUnknown: z.number().default(10),
+				deviceModelUnknown: z.number().default(5)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableGeoChecks: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			bannedCountries: z.array(z.string()).optional().default([]),
+			penalties: z.object({
+				countryUnknown: z.number().default(10),
+				regionUnknown: z.number().default(10),
+				latLonUnknown: z.number().default(10),
+				districtUnknown: z.number().default(10),
+				cityUnknown: z.number().default(10),
+				timezoneUnknown: z.number().default(10),
+				subregionUnknown: z.number().default(10),
+				phoneUnknown: z.number().default(10),
+				continentUnknown: z.number().default(10)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableKnownThreatsDetections: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				anonymiseNetwork: z.number().default(20),
+				threatLevels: z.object({
+					criticalLevel1: z.number().default(40),
+					currentAttacksLevel2: z.number().default(30),
+					threatLevel3: z.number().default(20),
+					threatLevel4: z.number().default(10)
+				}).prefault({})
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableAsnClassification: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				contentClassification: z.number().default(20),
+				unknownClassification: z.number().default(10),
+				lowVisibilityPenalty: z.number().default(10),
+				lowVisibilityThreshold: z.number().default(15),
+				comboHostingLowVisibility: z.number().default(20)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableTorAnalysis: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				runningNode: z.number().default(15),
+				exitNode: z.number().default(20),
+				webExitCapable: z.number().default(15),
+				guardNode: z.number().default(10),
+				badExit: z.number().default(40),
+				obsoleteVersion: z.number().default(10)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableTimezoneConsistency: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.number().default(20)
+		})]).prefault({ enable: true }),
+		honeypot: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			paths: z.array(z.string()).default([])
+		})]).prefault({ enable: true }),
+		enableSessionCoherence: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			penalties: z.object({
+				pathMismatch: z.number().default(10),
+				missingReferer: z.number().default(20),
+				domainMismatch: z.number().default(30)
+			}).prefault({})
+		})]).prefault({ enable: true }),
+		enableVelocityFingerprint: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			cvThreshold: z.number().default(.1),
+			penalties: z.number().default(40)
+		})]).prefault({ enable: true }),
+		enableKnownBadIpsCheck: z.discriminatedUnion("enable", [z.object({ enable: z.literal(false) }), z.object({
+			enable: z.literal(true),
+			highRiskPenalty: z.number().default(30)
+		})]).prefault({ enable: true })
+	}),
+	generator: z.object({
+		scoreThreshold: z.number().default(70),
+		generateTypes: z.boolean().default(false),
+		deleteAfterBuild: z.boolean().default(false),
+		mmdbctlPath: z.string().default("mmdbctl")
+	}).prefault({}),
+	headerOptions: z.object({
+		weightPerMustHeader: z.number().default(20),
+		missingBrowserEngine: z.number().default(30),
+		postManOrInsomiaHeaders: z.number().default(50),
+		AJAXHeaderExists: z.number().default(30),
+		connectionHeaderIsClose: z.number().default(20),
+		originHeaderIsNULL: z.number().default(10),
+		originHeaderMismatch: z.number().default(30),
+		omittedAcceptHeader: z.number().default(30),
+		clientHintsMissingForBlink: z.number().default(30),
+		teHeaderUnexpectedForBlink: z.number().default(10),
+		clientHintsUnexpectedForGecko: z.number().default(30),
+		teHeaderMissingForGecko: z.number().default(20),
+		aggressiveCacheControlOnGet: z.number().default(15),
+		crossSiteRequestMissingReferer: z.number().default(10),
+		inconsistentSecFetchMode: z.number().default(20),
+		hostMismatchWeight: z.number().default(40)
+	}).prefault({}),
+	pathTraveler: z.object({
+		maxIterations: z.number().default(3),
+		maxPathLength: z.number().default(1500),
+		pathLengthToLong: z.number().default(100),
+		longDecoding: z.number().default(100),
+		traversalDetected: z.number().default(60)
+	}).prefault({}),
+	punishmentType: z.object({ enableFireWallBan: z.boolean().default(false) }).prefault({}),
+	logLevel: z.enum([
+		"debug",
+		"info",
+		"warn",
+		"error",
+		"fatal"
+	]).default("info")
+});
+
+//#endregion
+//#region src/botDetector/db/findDataPath.ts
+const __moduleDir = path.dirname(fileURLToPath(import.meta.url));
+function getLibraryRoot(currentDir = __moduleDir) {
+	if (fs.existsSync(path.join(currentDir, "package.json"))) return currentDir;
+	const parentDir = path.resolve(currentDir, "..");
+	if (parentDir === currentDir) throw new Error("Could not find library root");
+	return getLibraryRoot(parentDir);
+}
+function resolveDataPath(fileName) {
+	const root = getLibraryRoot();
+	const possiblePaths = [path.resolve(root, "_data-sources", fileName), path.resolve(root, "dist", "_data-sources", fileName)];
+	for (const path of possiblePaths) if (fs.existsSync(path)) return path;
+	if (fileName !== "banned.mmdb" && fileName !== "highRisk.mmdb") throw new Error(`[Bot Detector] Data file "${fileName}" not found. Run 'bot-detector init' to download required data files.`);
+	return "";
+}
+
+//#endregion
+//#region src/botDetector/helpers/mmdbDataReaders.ts
+var DataSources = class DataSources {
+	constructor(readers) {
+		this.readers = readers;
+	}
+	static async initialize() {
+		const options = { watchForUpdates: process.env.NODE_ENV !== "test" };
+		const [asn, city, country, goodBots, tor, proxy, fireholAnon, fireholLvl1, fireholLvl2, fireholLvl3, fireholLvl4] = await Promise.all([
+			maxmind.open(resolveDataPath("asn.mmdb"), options),
+			maxmind.open(resolveDataPath("city.mmdb"), options),
+			maxmind.open(resolveDataPath("country.mmdb"), options),
+			maxmind.open(resolveDataPath("goodBots.mmdb"), options),
+			maxmind.open(resolveDataPath("tor.mmdb"), options),
+			maxmind.open(resolveDataPath("proxy.mmdb"), options),
+			maxmind.open(resolveDataPath("firehol_anonymous.mmdb"), options),
+			maxmind.open(resolveDataPath("firehol_l1.mmdb"), options),
+			maxmind.open(resolveDataPath("firehol_l2.mmdb"), options),
+			maxmind.open(resolveDataPath("firehol_l3.mmdb"), options),
+			maxmind.open(resolveDataPath("firehol_l4.mmdb"), options)
+		]);
+		const bannedPath = resolveDataPath("banned.mmdb");
+		const highRiskPath = resolveDataPath("highRisk.mmdb");
+		const [banned, highRisk] = await Promise.all([existsSync(bannedPath) ? maxmind.open(bannedPath, options) : Promise.resolve(void 0), existsSync(highRiskPath) ? maxmind.open(highRiskPath, options) : Promise.resolve(void 0)]);
+		return new DataSources({
+			asn,
+			city,
+			country,
+			goodBots,
+			tor,
+			proxy,
+			fireholAnon,
+			fireholLvl1,
+			fireholLvl2,
+			fireholLvl3,
+			fireholLvl4,
+			banned,
+			highRisk,
+			userAgentLmdb: open({
+				path: resolveDataPath("useragent-db/useragent.mdb"),
+				name: "useragent",
+				compression: true,
+				readOnly: true,
+				useVersions: true,
+				sharedStructuresKey: Symbol.for("structures"),
+				pageSize: 4096,
+				cache: { validated: true },
+				noReadAhead: true,
+				maxReaders: 2024
+			}),
+			ja4Lmdb: open({
+				path: resolveDataPath("ja4-db/ja4.mdb"),
+				name: "ja4",
+				compression: true,
+				readOnly: true,
+				useVersions: true,
+				sharedStructuresKey: Symbol.for("structures"),
+				pageSize: 4096,
+				cache: { validated: true },
+				noReadAhead: true,
+				maxReaders: 2024
+			})
+		});
+	}
+	asnDataBase(ip) {
+		return this.readers.asn.get(ip);
+	}
+	cityDataBase(ip) {
+		return this.readers.city.get(ip);
+	}
+	countryDataBase(ip) {
+		return this.readers.country.get(ip);
+	}
+	goodBotsDataBase(ip) {
+		return this.readers.goodBots.get(ip);
+	}
+	torDataBase(ip) {
+		return this.readers.tor.get(ip);
+	}
+	proxyDataBase(ip) {
+		return this.readers.proxy.get(ip);
+	}
+	fireholAnonDataBase(ip) {
+		return this.readers.fireholAnon.get(ip);
+	}
+	fireholLvl1DataBase(ip) {
+		return this.readers.fireholLvl1.get(ip);
+	}
+	fireholLvl2DataBase(ip) {
+		return this.readers.fireholLvl2.get(ip);
+	}
+	fireholLvl3DataBase(ip) {
+		return this.readers.fireholLvl3.get(ip);
+	}
+	fireholLvl4DataBase(ip) {
+		return this.readers.fireholLvl4.get(ip);
+	}
+	bannedDataBase(ip) {
+		return this.readers.banned?.get(ip) ?? null;
+	}
+	highRiskDataBase(ip) {
+		return this.readers.highRisk?.get(ip) ?? null;
+	}
+	getUserAgentLmdb() {
+		return this.readers.userAgentLmdb;
+	}
+	getJa4Lmdb() {
+		return this.readers.ja4Lmdb;
+	}
+};
+
+//#endregion
+//#region src/botDetector/utils/logger.ts
+const LOG_DIR = path$1.resolve(process.cwd(), process.env.LOG_DIR || "bot-detector-logs");
+if (!existsSync$1(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true });
+const transport = pino.transport({ targets: [
+	{
+		target: "pino/file",
+		level: "info",
+		options: {
+			destination: `${LOG_DIR}/info.log`,
+			mkdir: true
+		}
+	},
+	{
+		target: "pino/file",
+		level: "warn",
+		options: {
+			destination: `${LOG_DIR}/warn.log`,
+			mkdir: true
+		}
+	},
+	{
+		target: "pino/file",
+		level: "error",
+		options: {
+			destination: `${LOG_DIR}/errors.log`,
+			mkdir: true
+		}
+	}
+] });
+let logger;
+function getLogger() {
+	if (logger) return logger;
+	const { logLevel } = getConfiguration();
+	logger = pino({
+		level: logLevel,
+		timestamp: pino.stdTimeFunctions.isoTime,
+		mixin() {
+			return { uptime: process.uptime() };
+		},
+		redact: {
+			paths: [
+				"*.password",
+				"*.email",
+				"name",
+				"Name",
+				"*.cookies",
+				"*.cookie",
+				"cookies",
+				"cookie",
+				"*.accessToken",
+				"*.refresh_token",
+				"*.secret"
+			],
+			censor: "[SECRET]"
+		}
+	}, transport);
+	return logger;
+}
+
+//#endregion
+//#region src/botDetector/db/dialectUtils.ts
+function isMySQL(db) {
+	return db.dialect === "mysql";
+}
+function isSQLite(db) {
+	return db.dialect === "sqlite";
+}
+/** Convert ? placeholders to $1, $2, for PostgreSQL. */
+function prep(db, sql) {
+	if (db.dialect !== "postgresql") return db.prepare(sql);
+	let i = 0;
+	return db.prepare(sql.replace(/\?/g, () => `$${String(++i)}`));
+}
+/** Generate positional placeholders for a dynamic list of values. */
+function placeholders(db, count, offset = 0) {
+	return Array.from({ length: count }, (_, i) => db.dialect === "postgresql" ? `$${String(offset + i + 1)}` : "?").join(", ");
+}
+/** NOW() equivalent per dialect. */
+function now(db) {
+	return isSQLite(db) ? "datetime('now')" : "NOW()";
+}
+/**
+* Upsert conflict clause.
+* MySQL: ON DUPLICATE KEY UPDATE
+* Others: ON CONFLICT(pk) DO UPDATE SET
+*/
+function onUpsert(db, pk) {
+	return isMySQL(db) ? "ON DUPLICATE KEY UPDATE" : `ON CONFLICT(${pk}) DO UPDATE SET`;
+}
+/**
+* Reference to the incoming row value in an upsert SET clause.
+* MySQL: VALUES(col)
+* Others: excluded.col
+*/
+function excluded(db, col) {
+	return isMySQL(db) ? `VALUES(${col})` : `excluded.${col}`;
+}
+
+//#endregion
+//#region src/botDetector/db/updateBanned.ts
+async function updateBannedIP(cookie, ipAddress, country, user_agent, info) {
+	const db = getDb();
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "db",
+		type: "updateBannedIP"
+	});
+	const params = [
+		cookie,
+		ipAddress,
+		country,
+		user_agent,
+		JSON.stringify(info.reasons),
+		info.score
+	];
+	const ex = (col) => excluded(db, col);
+	const upsert = onUpsert(db, "canary_id");
+	try {
+		await prep(db, `INSERT INTO banned (canary_id, ip_address, country, user_agent, reason, score)
+       VALUES (?, ?, ?, ?, ?, ?)
+       ${upsert}
+       ip_address = ${ex("ip_address")},
+       country = ${ex("country")},
+       user_agent = ${ex("user_agent")},
+       score = ${ex("score")},
+       reason = ${ex("reason")}`).run(...params);
+		log.info(`Updated Database TABLE - banned. A user has been banned for IP ${ipAddress} (score ${String(info.score)})`);
+	} catch (err) {
+		log.error({ error: err }, "ERROR UPDATING \"banned\" TABLE");
+		throw err;
+	}
+}
+
+//#endregion
+//#region src/botDetector/db/updateIsBot.ts
+async function updateIsBot(isBot, cookie) {
+	const params = [isBot, cookie];
+	const db = getDb();
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "db",
+		type: "updateIsBot"
+	});
+	try {
+		await prep(db, `UPDATE visitors SET is_bot = ? WHERE canary_id = ?`).run(...params);
+	} catch (err) {
+		log.error({ error: err }, "ERROR UPDATING IS_BOT");
+		throw err;
+	}
+}
+
+//#endregion
+//#region src/botDetector/db/updateVisitors.ts
+async function updateVisitor(u) {
+	const db = getDb();
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "db",
+		type: "updateVisitors"
+	});
+	const { visitorId, cookie, ipAddress, userAgent, country, region, regionName, city, district, lat, lon, timezone, currency, isp, org, as: asOrg, device_type, browser, proxy, hosting, is_bot, first_seen, last_seen, request_count, deviceVendor, deviceModel, browserType, browserVersion, os, activity_score } = u;
+	const params = [
+		visitorId,
+		cookie,
+		ipAddress,
+		userAgent,
+		country,
+		region,
+		regionName,
+		city,
+		district,
+		lat,
+		lon,
+		timezone,
+		currency,
+		isp,
+		org,
+		asOrg,
+		device_type,
+		browser,
+		proxy,
+		hosting,
+		is_bot,
+		first_seen,
+		last_seen,
+		request_count,
+		deviceVendor,
+		deviceModel,
+		browserType,
+		browserVersion,
+		os,
+		Number(activity_score) || 0
+	].map((value) => value === void 0 ? null : value);
+	const ex = (col) => excluded(db, col);
+	const upsert = onUpsert(db, "canary_id");
+	try {
+		await prep(db, `INSERT INTO visitors (
+         visitor_id,
+         canary_id,
+         ip_address,
+         user_agent,
+         country,
+         region,
+         region_name,
+         city,
+         district,
+         lat,
+         lon,
+         timezone,
+         currency,
+         isp,
+         org,
+         as_org,
+         device_type,
+         browser,
+         proxy,
+         hosting,
+         is_bot,
+         first_seen,
+         last_seen,
+         request_count,
+         deviceVendor,
+         deviceModel,
+         browserType,
+         browserVersion,
+         os,
+         suspicious_activity_score
+       ) VALUES (
+         ${params.map(() => "?").join(", ")}
+       )
+       ${upsert}
+         ip_address = ${ex("ip_address")},
+         user_agent = ${ex("user_agent")},
+         country = ${ex("country")},
+         region = ${ex("region")},
+         region_name = ${ex("region_name")},
+         city = ${ex("city")},
+         district = ${ex("district")},
+         lat = ${ex("lat")},
+         lon = ${ex("lon")},
+         timezone = ${ex("timezone")},
+         currency = ${ex("currency")},
+         isp = ${ex("isp")},
+         org = ${ex("org")},
+         as_org = ${ex("as_org")},
+         device_type = ${ex("device_type")},
+         browser = ${ex("browser")},
+         proxy = ${ex("proxy")},
+         hosting = ${ex("hosting")},
+         last_seen = ${now(db)},
+         request_count = request_count + 1,
+         deviceVendor = ${ex("deviceVendor")},
+         deviceModel = ${ex("deviceModel")},
+         browserType = ${ex("browserType")},
+         browserVersion = ${ex("browserVersion")},
+         os = ${ex("os")}`).run(...params);
+		log.info(`Updated visitors table, Visitor row for canary_id=${cookie ?? ""} inserted/updated successfully.`);
+		return;
+	} catch (err) {
+		log.error({ error: err }, `ERROR UPDATING visitors TABLE`);
+	}
+}
+
+//#endregion
+//#region src/botDetector/db/updateVisitorScore.ts
+async function updateScore(score, cookie) {
+	const params = [score, cookie];
+	const db = getDb();
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "db",
+		type: "updateScore"
+	});
+	try {
+		await prep(db, `UPDATE visitors SET suspicious_activity_score = ? WHERE canary_id = ?`).run(...params);
+	} catch (err) {
+		log.error({ error: err }, "ERROR UPDATING SCORE");
+		throw err;
+	}
+}
+
+//#endregion
+//#region src/botDetector/db/batchQueue.ts
+var BatchQueue = class {
+	constructor() {
+		this.jobs = /* @__PURE__ */ new Map();
+		this.timer = null;
+		this.flushPromise = null;
+	}
+	get config() {
+		return getConfiguration().batchQueue;
+	}
+	get log() {
+		return getLogger().child({
+			service: "BOT DETECTOR",
+			branch: "BatchQueue"
+		});
+	}
+	async addQueue(canary, ipAddress, type, params, priority = "deferred") {
+		const key = `${type}:${canary}:${ipAddress}`;
+		this.jobs.set(key, {
+			id: key,
+			type,
+			priority,
+			params
+		});
+		if (priority === "immediate" || this.jobs.size >= this.config.maxBufferSize) await this.flush();
+		else this.timer ??= setTimeout(() => void this.flush(), this.config.flushIntervalMs);
+	}
+	async flush() {
+		while (this.flushPromise || this.jobs.size > 0) {
+			if (this.flushPromise) await this.flushPromise;
+			if (this.jobs.size > 0) {
+				if (this.timer) {
+					clearTimeout(this.timer);
+					this.timer = null;
+				}
+				const currentBatch = Array.from(this.jobs.values());
+				this.jobs.clear();
+				this.flushPromise = this.executeBatch(currentBatch, 0);
+				try {
+					await this.flushPromise;
+				} finally {
+					this.flushPromise = null;
+				}
+			}
+		}
+	}
+	runJob(job) {
+		switch (job.type) {
+			case "visitor_upsert": return updateVisitor(job.params.insert);
+			case "score_update": {
+				const { score, cookie } = job.params;
+				return updateScore(score, cookie);
+			}
+			case "is_bot_update": {
+				const { isBot, cookie } = job.params;
+				return updateIsBot(isBot, cookie);
+			}
+			case "update_banned_ip": {
+				const { cookie, ipAddress, country, user_agent, info } = job.params;
+				return updateBannedIP(cookie, ipAddress, country, user_agent, info);
+			}
+		}
+	}
+	async executeBatch(batch, retryCount) {
+		try {
+			const visitors = batch.filter((j) => j.type === "visitor_upsert");
+			const others = batch.filter((j) => j.type !== "visitor_upsert");
+			if (visitors.length > 0) await Promise.all(visitors.map((j) => this.runJob(j)));
+			await Promise.all(others.map((j) => this.runJob(j)));
+		} catch (err) {
+			this.log.error({ err }, `Batch flush failed (Attempt ${String(retryCount + 1)})`);
+			if (retryCount < this.config.maxRetries) {
+				await new Promise((res) => setTimeout(res, 1e3));
+				return this.executeBatch(batch, retryCount + 1);
+			}
+			this.log.error("Max retries reached. Discarding batch.");
+		}
+	}
+	async shutdown() {
+		this.log.info("Shutting down BatchQueue: Draining remaining jobs...");
+		await this.flush();
+	}
+};
+
+//#endregion
+//#region src/botDetector/config/storageAdapter.ts
+async function initStorage(config) {
+	if (!config) return createStorage({ driver: memoryDriver() });
+	const { driver, ...opts } = config;
+	let mod;
+	switch (driver) {
+		case "redis":
+			mod = await import("unstorage/drivers/redis");
+			break;
+		case "upstash":
+			mod = await import("unstorage/drivers/upstash");
+			break;
+		case "lru":
+			mod = await import("unstorage/drivers/lru-cache");
+			break;
+		case "fs":
+			mod = await import("unstorage/drivers/fs-lite");
+			break;
+		case "cloudflare-kv-binding":
+			mod = await import("unstorage/drivers/cloudflare-kv-binding");
+			break;
+		case "cloudflare-kv-http":
+			mod = await import("unstorage/drivers/cloudflare-kv-http");
+			break;
+		case "cloudflare-r2-binding":
+			mod = await import("unstorage/drivers/cloudflare-r2-binding");
+			break;
+		case "vercel":
+			mod = await import("unstorage/drivers/vercel-runtime-cache");
+			break;
+		default: throw new Error(`Unsupported storage driver: ${driver}`);
+	}
+	return createStorage({ driver: mod.default(opts) });
+}
+
+//#endregion
+//#region src/botDetector/config/dbAdapter.ts
+async function initDb(config) {
+	const { driver, ...opts } = config;
+	let mod;
+	switch (driver) {
+		case "mysql-pool":
+			mod = await import("./mysqlPoolConnector-9PtXF5E7.mjs");
+			break;
+		case "postgresql":
+			mod = await import("db0/connectors/postgresql");
+			break;
+		case "sqlite":
+			mod = await import("db0/connectors/better-sqlite3");
+			break;
+		case "cloudflare-d1":
+			mod = await import("db0/connectors/cloudflare-d1");
+			break;
+		case "planetscale":
+			mod = await import("db0/connectors/planetscale");
+			break;
+		default: throw new Error(`Unsupported database driver: ${driver}`);
+	}
+	return createDatabase(mod.default(opts));
+}
+
+//#endregion
+//#region src/botDetector/checkers/CheckerRegistry.ts
+let registeredCheckers = [];
+const CheckerRegistry = {
+	register(checker) {
+		consola.log(`Loaded plugin: ${checker.name}`);
+		registeredCheckers.push(checker);
+	},
+	getEnabled(phase, config) {
+		return registeredCheckers.filter((checker) => checker.phase === phase && checker.isEnabled(config));
+	},
+	clear() {
+		registeredCheckers = [];
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/badUaChecker.ts
+const SEVERITY_ORDER = [
+	"critical",
+	"high",
+	"medium",
+	"low"
+];
+let patterns = [];
+function loadUaPatterns() {
+	const db = getDataSources().getUserAgentLmdb();
+	const bucketStrings = new Map(SEVERITY_ORDER.map((sev) => [sev, []]));
+	for (const { value } of db.getRange({ limit: 1e4 })) {
+		const sev = value.metadata_severity;
+		bucketStrings.get(sev)?.push(value.useragent_rx);
+	}
+	patterns = SEVERITY_ORDER.map((severity) => {
+		const patterns = bucketStrings.get(severity) ?? [];
+		if (patterns.length === 0) return null;
+		const combined = patterns.map((p) => `(?:${p})`).join("|");
+		return {
+			rx: new RegExp(combined, "i"),
+			severity
+		};
+	}).filter((p) => p !== null);
+}
+var BadUaChecker = class {
+	constructor() {
+		this.name = "Bad User Agent list";
+		this.phase = "heavy";
+	}
+	isEnabled(config) {
+		return config.checkers.knownBadUserAgents.enable;
+	}
+	run(ctx, config) {
+		const { knownBadUserAgents } = config.checkers;
+		const reasons = [];
+		let score = 0;
+		if (!knownBadUserAgents.enable) return {
+			score,
+			reasons
+		};
+		if (patterns.length === 0) loadUaPatterns();
+		const rawUa = ctx.req.get("User-Agent") ?? "";
+		for (const { rx, severity } of patterns) if (rx.test(rawUa)) {
+			reasons.push("BAD_UA_DETECTED");
+			switch (severity) {
+				case "critical":
+					score += knownBadUserAgents.penalties.criticalSeverity;
+					break;
+				case "high":
+					score += knownBadUserAgents.penalties.highSeverity;
+					break;
+				case "medium":
+					score += knownBadUserAgents.penalties.mediumSeverity;
+					break;
+				case "low":
+					score += knownBadUserAgents.penalties.lowSeverity;
+					break;
+			}
+			break;
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new BadUaChecker());
+
+//#endregion
+//#region src/botDetector/config/config.ts
+const { defineConfiguration, getConfiguration } = createConfigManager(configSchema, "Bot Detector");
+let globalDataSources;
+let globalBatchQueue;
+let globalStorage;
+let globalDb;
+/**
+* @description
+* The bot detector library's configuration object.
+* Contains the core configuration to make the library usable client side.
+* @module jwtAuth/config
+* @see {@link ./jwtAuth/types/configSchema.js}
+*/
+async function configuration(config) {
+	const initDataSourcesTask = async () => {
+		globalDataSources ??= await DataSources.initialize();
+		loadUaPatterns();
+	};
+	const initBatchQueueTask = () => {
+		if (!globalBatchQueue) {
+			globalBatchQueue = new BatchQueue();
+			process.on("SIGTERM", () => {
+				globalBatchQueue?.shutdown();
+			});
+			process.on("SIGINT", () => {
+				globalBatchQueue?.shutdown();
+			});
+		}
+	};
+	const initStorageTask = async () => {
+		globalStorage ??= await initStorage(config.storage);
+	};
+	const initDbTask = async () => {
+		globalDb ??= await initDb(config.store.main);
+	};
+	await defineConfiguration(config, [
+		initDataSourcesTask,
+		initBatchQueueTask,
+		initStorageTask,
+		initDbTask
+	]);
+}
+function getBatchQueue() {
+	if (!globalBatchQueue) {
+		consola.trace("Premature getBatchQueue() call");
+		throw new Error("BatchQueue not ready. Call configuration() first.");
+	}
+	return globalBatchQueue;
+}
+function getStorage() {
+	if (!globalStorage) {
+		consola.trace("Premature getStorage() call");
+		throw new Error("Storage not ready. Call configuration() first.");
+	}
+	return globalStorage;
+}
+function getDb() {
+	if (!globalDb) {
+		consola.trace("Premature getDb() call");
+		throw new Error("DB not ready. Call configuration() first.");
+	}
+	return globalDb;
+}
+function getDataSources() {
+	if (!globalDataSources) {
+		consola.trace("Premature getDataSources() call");
+		throw new Error(`##### Must be initialized globally #####
+      Bot Detector: DataSources not ready. Call configuration() first.`);
+	}
+	return globalDataSources;
+}
+
+//#endregion
+//#region src/botDetector/helpers/getIPInformation.ts
+const norm = (string) => string?.trim().toLowerCase();
+function getData(ip) {
+	const dataSource = getDataSources();
+	const countryLvl = dataSource.countryDataBase(ip);
+	const cityLvl = dataSource.cityDataBase(ip);
+	const asn = dataSource.asnDataBase(ip);
+	const proxy = dataSource.proxyDataBase(ip);
+	const tor = dataSource.torDataBase(ip);
+	return {
+		country: norm(countryLvl?.name ?? cityLvl?.name),
+		countryCode: norm(countryLvl?.country_code ?? cityLvl?.country_code),
+		region: norm(cityLvl?.region ?? countryLvl?.region),
+		regionName: norm(cityLvl?.continent ?? cityLvl?.subregion ?? countryLvl?.subregion),
+		subregion: norm(cityLvl?.subregion ?? countryLvl?.subregion),
+		state: norm(cityLvl?.state),
+		zipCode: norm(cityLvl?.zip_code),
+		city: norm(cityLvl?.city ?? cityLvl?.capital ?? countryLvl?.capital),
+		phone: norm(cityLvl?.phone ?? countryLvl?.phone),
+		numericCode: norm(cityLvl?.numericCode ?? countryLvl?.numericCode),
+		native: norm(cityLvl?.native ?? countryLvl?.native),
+		continent: norm(cityLvl?.continent),
+		capital: norm(cityLvl?.capital ?? countryLvl?.capital),
+		district: norm(cityLvl?.state),
+		lat: norm(cityLvl?.latitude),
+		lon: norm(cityLvl?.longitude),
+		timezone: norm(cityLvl?.timezone ?? countryLvl?.timezone),
+		timeZoneName: norm(cityLvl?.timeZoneName ?? countryLvl?.timeZoneName),
+		utc_offset: norm(cityLvl?.utc_offset ?? countryLvl?.utc_offset),
+		tld: norm(cityLvl?.tld ?? countryLvl?.tld),
+		nationality: norm(cityLvl?.nationality ?? countryLvl?.nationality),
+		currency: norm(cityLvl?.currency ?? countryLvl?.currency),
+		iso639: norm(cityLvl?.iso639 ?? countryLvl?.iso639),
+		languages: norm(cityLvl?.languages ?? countryLvl?.languages),
+		isp: norm(asn?.asn_name),
+		org: norm(asn?.asn_id),
+		as_org: norm(asn?.asn_name),
+		proxy: proxy ? true : false,
+		hosting: asn?.classification === "Content" || Boolean(tor?.exit_addresses)
+	};
+}
+
+//#endregion
+//#region src/botDetector/utils/cookieGenerator.ts
+function makeCookie(res, name, value, options) {
+	if (name.startsWith("__Host-")) {
+		options.secure = true;
+		options.path = "/";
+		delete options.domain;
+	}
+	if (name.startsWith("__Secure-")) options.secure = true;
+	res.cookie(name, value, {
+		httpOnly: options.httpOnly,
+		sameSite: options.sameSite,
+		maxAge: options.maxAge,
+		secure: options.secure,
+		expires: options.expires,
+		domain: options.domain,
+		path: options.path
+	});
+}
+
+//#endregion
+//#region src/botDetector/helpers/UAparser.ts
+function parseUA(userAgent) {
+	const botParser = new UAParser([
+		Crawlers,
+		CLIs,
+		Fetchers,
+		Libraries
+	]);
+	const uaString = typeof userAgent === "string" ? userAgent : String(userAgent);
+	const result = botParser.setUA(uaString).getResult();
+	return {
+		device: result.device.type ?? "desktop",
+		deviceVendor: result.device.vendor,
+		deviceModel: result.device.model,
+		browser: result.browser.name,
+		browserType: result.browser.type,
+		browserVersion: result.browser.version,
+		os: result.os.name,
+		botAI: isAIBot(result),
+		bot: isBot(result),
+		allResults: result
+	};
+}
+
+//#endregion
+//#region src/botDetector/checkers/ipValidation.ts
+var IpChecker = class {
+	constructor() {
+		this.name = "IP Validation";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableIpChecks.enable;
+	}
+	run(ctx, config) {
+		const isValid = isIP(ctx.ipAddress) !== 0;
+		return {
+			score: isValid ? 0 : config.banScore,
+			reasons: isValid ? [] : ["IP_INVALID"]
+		};
+	}
+};
+CheckerRegistry.register(new IpChecker());
+
+//#endregion
+//#region src/botDetector/helpers/cache/dnsLookupCache.ts
+const DNS_TTL_SECONDS = 3600 * 2;
+const PREFIX$5 = "dns:";
+const dnsCache = {
+	async get(ip) {
+		return getStorage().getItem(`${PREFIX$5}${ip}`);
+	},
+	async set(ip, entry) {
+		await getStorage().setItem(`${PREFIX$5}${ip}`, entry, { ttl: DNS_TTL_SECONDS });
+	},
+	async delete(ip) {
+		await getStorage().removeItem(`${PREFIX$5}${ip}`);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/goodBots/base.ts
+var GoodBotsBase = class {
+	getDomains(suffix) {
+		const allDomains = [];
+		for (const key in suffix) {
+			const entrySuffix = suffix[key].suffix;
+			if (Array.isArray(entrySuffix)) allDomains.push(...entrySuffix);
+			else if (typeof entrySuffix === "string") allDomains.push(entrySuffix);
+		}
+		return allDomains;
+	}
+	get logger() {
+		this._logger ??= getLogger().child({
+			service: "botDetector",
+			branch: "checker",
+			type: "GoodBotsBase"
+		});
+		return this._logger;
+	}
+	constructor(suffixes) {
+		this.suffixes = suffixes;
+		this.domains = this.getDomains(this.suffixes).map((d) => `.${d.toLowerCase()}`);
+	}
+	async isBotFromTrustedDomain(ip) {
+		const cached = await dnsCache.get(ip);
+		if (cached) return cached.trustedBot;
+		try {
+			const matchingHosts = (await dns.reverse(ip)).filter((host) => this.domains.some((domain) => host.endsWith(domain)));
+			if (matchingHosts.length === 0) {
+				dnsCache.set(ip, {
+					ip,
+					trustedBot: false
+				}).catch((err) => {
+					this.logger.error({ err }, "Failed to save dnsCache in storage");
+				});
+				return false;
+			}
+			for (const host of matchingHosts) if ((await dns.lookup(host, { all: true })).some((a) => a.address === ip)) {
+				dnsCache.set(ip, {
+					ip,
+					trustedBot: true
+				}).catch((err) => {
+					this.logger.error({ err }, "Failed to save dnsCache in storage");
+				});
+				return true;
+			}
+		} catch (err) {
+			this.logger.error({ err }, "DNS reverse lookup failed");
+		}
+		dnsCache.set(ip, {
+			ip,
+			trustedBot: false
+		}).catch((err) => {
+			this.logger.error({ err }, "Failed to save dnsCache in storage");
+		});
+		return false;
+	}
+	isBotIPTrusted(ipAddress) {
+		return getDataSources().goodBotsDataBase(ipAddress) !== null;
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/goodBots/goodBots.ts
+const suffixPath = resolveDataPath("suffix.json");
+const suffixes = JSON.parse(fs.readFileSync(suffixPath, "utf-8"));
+const userAgents = Object.values(suffixes).flatMap((e) => Array.isArray(e.useragent) ? e.useragent : [e.useragent]).map((u) => u.toLowerCase());
+var GoodBotsChecker = class extends GoodBotsBase {
+	constructor() {
+		super(suffixes);
+		this.name = "Good/Bad Bot Verification";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableGoodBotsChecks.enable;
+	}
+	async run(ctx, config) {
+		const browserType = (ctx.parsedUA.browserType ?? "").toLowerCase();
+		const browserName = (ctx.parsedUA.browser ?? "").toLowerCase();
+		const ipAddress = ctx.ipAddress;
+		const score = 0;
+		const reasons = [];
+		const checkersConfig = config.checkers.enableGoodBotsChecks;
+		if (!checkersConfig.enable) return {
+			score,
+			reasons
+		};
+		if (browserType !== "crawler" && browserType !== "fetcher") return {
+			score: 0,
+			reasons: []
+		};
+		const name = browserName;
+		const botsWithoutSuffix = [
+			"duckduckbot",
+			"gptbot",
+			"oai-searchbot",
+			"chatgpt-user"
+		].includes(name);
+		const botsWithSuffix = userAgents.some((suf) => name.includes(suf));
+		if (checkersConfig.banUnlistedBots && !botsWithoutSuffix && !botsWithSuffix) {
+			reasons.push("BAD_BOT_DETECTED");
+			return {
+				score: 0,
+				reasons
+			};
+		}
+		let trusted;
+		if (botsWithSuffix) trusted = await this.isBotFromTrustedDomain(ipAddress);
+		else trusted = this.isBotIPTrusted(ipAddress);
+		if (!trusted) {
+			reasons.push("BAD_BOT_DETECTED");
+			return {
+				score: checkersConfig.penalties,
+				reasons
+			};
+		}
+		reasons.push("GOOD_BOT_IDENTIFIED");
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new GoodBotsChecker());
+
+//#endregion
+//#region src/botDetector/checkers/browserTypesAneDevicesCalc.ts
+var BrowserDetailsAndDeviceChecker = class {
+	constructor() {
+		this.name = "Browser and Device Verification";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableBrowserAndDeviceChecks.enable;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableBrowserAndDeviceChecks;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const penalties = checkConfig.penalties;
+		const bType = ctx.parsedUA.browserType;
+		const bName = ctx.parsedUA.browser ?? "";
+		const bOS = ctx.parsedUA.os ?? "";
+		const dType = ctx.parsedUA.device ?? "desktop";
+		if (bType === "cli" || bType === "library") {
+			score += penalties.cliOrLibrary;
+			reasons.push("CLI_OR_LIBRARY");
+		}
+		if ([
+			"ie",
+			"iemobile",
+			"internet explorer"
+		].includes(bName.toLowerCase())) {
+			score += penalties.internetExplorer;
+			reasons.push("INTERNET_EXPLORER");
+		}
+		if (bOS.toLowerCase().includes("kali")) {
+			score += penalties.linuxOs;
+			reasons.push("KALI_LINUX_OS");
+		}
+		if (bOS === "Mac OS" && dType === "mobile") {
+			score += penalties.impossibleBrowserCombinations;
+			reasons.push("IMPOSSIBLE_BROWSER_COMBINATION");
+		}
+		if (bName === "Safari" && bOS === "Windows") {
+			score += penalties.impossibleBrowserCombinations;
+			reasons.push("IMPOSSIBLE_BROWSER_COMBINATION");
+		}
+		if (dType === "desktop" && ctx.parsedUA.deviceVendor) {
+			score += penalties.impossibleBrowserCombinations;
+			reasons.push("IMPOSSIBLE_BROWSER_COMBINATION");
+		}
+		if (!bType && (!bName || dType !== "desktop")) {
+			score += penalties.browserTypeUnknown;
+			reasons.push("BROWSER_TYPE_UNKNOWN");
+		}
+		if (!bName) {
+			score += penalties.browserNameUnknown;
+			reasons.push("BROWSER_NAME_UNKNOWN");
+		}
+		if (dType === "desktop" && !bOS) {
+			score += penalties.desktopWithoutOS;
+			reasons.push("DESKTOP_WITHOUT_OS");
+		}
+		if (dType !== "desktop" && !ctx.parsedUA.deviceVendor) {
+			score += penalties.deviceVendorUnknown;
+			reasons.push("DEVICE_VENDOR_UNKNOWN");
+		}
+		if (!ctx.parsedUA.browserVersion) {
+			score += penalties.browserVersionUnknown;
+			reasons.push("BROWSER_VERSION_UNKNOWN");
+		}
+		if (!ctx.parsedUA.deviceModel) {
+			score += penalties.deviceModelUnknown;
+			reasons.push("NO_MODEL");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new BrowserDetailsAndDeviceChecker());
+
+//#endregion
+//#region src/botDetector/utils/regex/acceptLangRegex.ts
+const space = anyOf(" ", "	").times.any();
+const quality = maybe(anyOf(exactly(space, ";", space, "q", space, "=", space, anyOf(exactly("0", maybe(anyOf(exactly(".", digit.times.between(1, 3))))), exactly("1", maybe(anyOf(exactly(".", exactly("0").times.between(1, 3)))))))));
+const primaryTag = letter.times.between(1, 8);
+const subTag = anyOf(exactly("-", anyOf(letter, digit).times.between(1, 8))).times.any();
+const language = exactly(anyOf(exactly("*"), exactly(primaryTag, subTag)), quality);
+const repeatingLanguages = anyOf(exactly(space, ",", space, language)).times.any();
+const acceptLanguageValidator = createRegExp(exactly(language, repeatingLanguages).at.lineStart().at.lineEnd(), ["i"]);
+
+//#endregion
+//#region src/botDetector/checkers/acceptLangMap.ts
+var LocaleMapChecker = class {
+	constructor() {
+		this.name = "Locale and Country Verification";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.localeMapsCheck.enable;
+	}
+	run(ctx, config) {
+		const settings = config.checkers.localeMapsCheck;
+		const reasons = [];
+		let score = 0;
+		if (!settings.enable) return {
+			score,
+			reasons
+		};
+		const AccHeader = ctx.req.get("Accept-Language") ?? "";
+		if (!AccHeader) {
+			score += settings.penalties.missingHeader;
+			if (score > 0) reasons.push("LOCALE_MISMATCH");
+			return {
+				score,
+				reasons
+			};
+		}
+		if (!acceptLanguageValidator.test(AccHeader.trim().toLowerCase())) {
+			score += settings.penalties.malformedHeader;
+			if (score > 0) reasons.push("LOCALE_MISMATCH");
+			return {
+				score,
+				reasons
+			};
+		}
+		const langs = AccHeader.split(",").map((entry) => {
+			const [tag, q] = entry.trim().split(/\s*;\s*q\s*=\s*/);
+			return {
+				tag: tag.toLowerCase(),
+				weight: q ? parseFloat(q) : 1
+			};
+		}).sort((a, b) => b.weight - a.weight);
+		const country = ctx.geoData.country;
+		const countryCode = ctx.geoData.countryCode;
+		const iso6 = ctx.geoData.iso639;
+		if (!country || !countryCode || !iso6) {
+			score += settings.penalties.missingGeoData;
+			if (score > 0) reasons.push("LOCALE_MISMATCH");
+			return {
+				score,
+				reasons
+			};
+		}
+		const expectedCountryCode = countryCode.toLowerCase();
+		const expectedLang = iso6.toLowerCase();
+		const combined = `${expectedLang}-${expectedCountryCode}`;
+		let localeMatchesGeo = false;
+		for (const { tag, weight } of langs) {
+			if (weight === 0) continue;
+			const parts = tag.split(/[-_]/);
+			const langPart = parts[0];
+			const regionPart = parts.find((p) => p.length === 2 && p === expectedCountryCode);
+			if (regionPart) {
+				localeMatchesGeo = true;
+				break;
+			}
+			if (langPart === expectedLang) {
+				localeMatchesGeo = true;
+				break;
+			}
+			if (langPart && regionPart && tag === combined) {
+				localeMatchesGeo = true;
+				break;
+			}
+		}
+		if (!localeMatchesGeo) {
+			score += settings.penalties.ipAndHeaderMismatch;
+			if (score > 0) reasons.push("LOCALE_MISMATCH");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new LocaleMapChecker());
+
+//#endregion
+//#region src/botDetector/helpers/cache/rateLimitarCache.ts
+const RATE_TTL_SECONDS_FALLBACK = 120;
+const PREFIX$4 = "rate:";
+const rateCache = {
+	async get(cookie) {
+		return getStorage().getItem(`${PREFIX$4}${cookie}`);
+	},
+	async set(cookie, entry, ttlSeconds) {
+		await getStorage().setItem(`${PREFIX$4}${cookie}`, entry, { ttl: ttlSeconds ?? RATE_TTL_SECONDS_FALLBACK });
+	},
+	async delete(cookie) {
+		await getStorage().removeItem(`${PREFIX$4}${cookie}`);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/rateTracker.ts
+var BehavioralDbChecker = class {
+	constructor() {
+		this.name = "Behavior Rate Verification";
+		this.phase = "heavy";
+	}
+	get logger() {
+		this._logger ??= getLogger().child({
+			service: "botDetector",
+			branch: "checker",
+			type: "BehavioralDbChecker"
+		});
+		return this._logger;
+	}
+	isEnabled(config) {
+		return config.checkers.enableBehaviorRateCheck.enable;
+	}
+	async run(ctx, config) {
+		const cookie = ctx.cookie ?? "";
+		const checkConfig = config.checkers.enableBehaviorRateCheck;
+		if (!checkConfig.enable) return {
+			score: 0,
+			reasons: []
+		};
+		const BEHAVIORAL_THRESHOLD = checkConfig.behavioral_threshold;
+		const BEHAVIORAL_WINDOW = checkConfig.behavioral_window;
+		const BEHAVIORAL_PENALTY = checkConfig.penalties;
+		const ttlSeconds = Math.ceil(BEHAVIORAL_WINDOW / 1e3);
+		const cached = await rateCache.get(cookie);
+		if (cached) if (Date.now() - cached.timestamp <= BEHAVIORAL_WINDOW) {
+			const newCount = cached.request_count + 1;
+			const score = newCount > BEHAVIORAL_THRESHOLD ? BEHAVIORAL_PENALTY : 0;
+			rateCache.set(cookie, {
+				...cached,
+				request_count: newCount,
+				score
+			}, ttlSeconds).catch((err) => {
+				this.logger.error({ err }, "Failed to save rateCache in storage");
+			});
+			return {
+				score,
+				reasons: score ? ["BEHAVIOR_TOO_FAST"] : []
+			};
+		} else {
+			rateCache.set(cookie, {
+				request_count: 1,
+				timestamp: Date.now(),
+				score: 0
+			}, ttlSeconds).catch((err) => {
+				this.logger.error({ err }, "Failed to reset rateCache in storage");
+			});
+			return {
+				score: 0,
+				reasons: []
+			};
+		}
+		return {
+			score: 0,
+			reasons: []
+		};
+	}
+};
+CheckerRegistry.register(new BehavioralDbChecker());
+
+//#endregion
+//#region src/botDetector/checkers/proxyISPAndCookieCalc.ts
+var ProxyIspAndCookieChecker = class {
+	constructor() {
+		this.name = "Proxy, ISP and Cookie Verification";
+		this.phase = "heavy";
+	}
+	isEnabled(config) {
+		return config.checkers.enableProxyIspCookiesChecks.enable;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableProxyIspCookiesChecks;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const { penalties } = checkConfig;
+		const cookie = ctx.cookie ?? "";
+		const proxy = ctx.proxy.isProxy;
+		const proxyType = ctx.proxy.proxyType ?? "";
+		const hosting = ctx.geoData.hosting ?? false;
+		const isp = ctx.geoData.isp ?? "";
+		const org = ctx.geoData.org ?? "";
+		if (!cookie) {
+			score += penalties.cookieMissing;
+			reasons.push("COOKIE_MISSING");
+		}
+		if (proxy) {
+			score += penalties.proxyDetected;
+			reasons.push("PROXY_DETECTED");
+			if (proxyType) {
+				const sourceCount = proxyType.split(",").length;
+				if (sourceCount >= 4) score += penalties.multiSourceBonus4plus;
+				else if (sourceCount >= 2) score += penalties.multiSourceBonus2to3;
+			}
+		}
+		if (hosting) {
+			score += penalties.hostingDetected;
+			reasons.push("HOSTING_DETECTED");
+		}
+		if (!isp) {
+			score += penalties.ispUnknown;
+			reasons.push("ISP_UNKNOWN");
+		}
+		if (!org) {
+			score += penalties.orgUnknown;
+			reasons.push("ORG_UNKNOWN");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new ProxyIspAndCookieChecker());
+
+//#endregion
+//#region src/botDetector/checkers/headers/headersBase.ts
+var HeadersBase = class {
+	constructor() {
+		this.config = getConfiguration().headerOptions;
+	}
+	mustHaveHeadersChecker(req) {
+		let score = 0;
+		if (req.httpVersion === "1.0") return score += 40;
+		if (!req.get("User-Agent")) score += this.config.weightPerMustHeader;
+		if (!req.accepts) score += this.config.weightPerMustHeader;
+		if (!req.acceptsEncodings) score += this.config.weightPerMustHeader;
+		if (!req.acceptsLanguages) score += this.config.weightPerMustHeader;
+		if (!req.host) score += this.config.weightPerMustHeader;
+		if (!req.get("Upgrade-Insecure-Requests")) score += this.config.weightPerMustHeader;
+		if (!req.get("x-client-id")) score += this.config.weightPerMustHeader;
+		if (req.httpVersion === "1.1" || req.get("Connection")) {
+			if (!req.get("Connection") || req.get("Connection") !== "keep-alive") score += this.config.connectionHeaderIsClose;
+		}
+		if (!req.get("sec-fetch-mode") || !req.get("sec-fetch-dest") || !req.get("sec-fetch-site")) score += this.config.weightPerMustHeader;
+		return score;
+	}
+	async engineHeaders(req) {
+		let score = 0;
+		const ua = req.get("User-Agent");
+		const hints = req.headers;
+		const { name } = await new UAParser(ua, hints).getEngine().withClientHints();
+		if (!name) return score += this.config.missingBrowserEngine;
+		const headers = Object.keys(hints);
+		const containsCh = headers.some((sec) => sec.toLowerCase().startsWith("sec-ch-ua"));
+		const containsTe = headers.some((te) => te.toLowerCase() === "te");
+		if (name === "Blink") {
+			if (!containsCh) score += this.config.clientHintsMissingForBlink;
+			if (containsTe) score += this.config.teHeaderUnexpectedForBlink;
+		} else if (name === "Gecko") {
+			if (containsCh) score += this.config.clientHintsUnexpectedForGecko;
+			if (!containsTe) score += this.config.teHeaderMissingForGecko;
+		} else if (name === "WebKit") {
+			if (containsCh) score += this.config.clientHintsUnexpectedForGecko;
+			if (containsTe) score += this.config.teHeaderUnexpectedForBlink;
+		}
+		return score;
+	}
+	weirdHeaders(req) {
+		let score = 0;
+		if (req.get("accept") === "*/*") score += this.config.omittedAcceptHeader;
+		if (req.get("x-requested-with") && req.method === "GET") score += this.config.AJAXHeaderExists;
+		if (req.get("postman-token") || req.get("insomnia")) score += this.config.postManOrInsomiaHeaders;
+		const hostHeader = req.get("X-Forwarded-Host");
+		if (hostHeader && req.hostname && hostHeader !== req.hostname) score += this.config.hostMismatchWeight;
+		if (req.method === "GET" && req.get("Cache-Control") === "no-cache" && req.get("Pragma") === "no-cache") score += this.config.aggressiveCacheControlOnGet;
+		if (req.get("sec-fetch-site") === "cross-site" && !req.get("referer")) score += this.config.crossSiteRequestMissingReferer;
+		const isBrowserRequest = !req.get("x-client-id");
+		const isTopNavigation = req.method === "GET" && req.get("sec-fetch-dest") === "document";
+		if (isBrowserRequest && !isTopNavigation && req.method !== "GET") {
+			const origin = req.get("origin");
+			if (!origin) score += this.config.originHeaderIsNULL;
+			else if (origin !== `${req.protocol}://${req.hostname}`) score += this.config.originHeaderMismatch;
+		}
+		const mode = req.get("sec-fetch-mode");
+		if (mode !== "same-origin" && mode !== "navigate") score += this.config.inconsistentSecFetchMode;
+		return score;
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/headers/headers.ts
+var HeaderAnalysis = class extends HeadersBase {
+	constructor(req) {
+		super();
+		this.req = req;
+	}
+	async scoreHeaders() {
+		const missing = this.mustHaveHeadersChecker(this.req);
+		const engines = await this.engineHeaders(this.req);
+		const weird = this.weirdHeaders(this.req);
+		return missing + engines + weird;
+	}
+};
+
+//#endregion
+//#region src/botDetector/utils/regex/pathTravelersRegex.ts
+const startOrSlash = anyOf(exactly("").at.lineStart(), "/").grouped();
+const slashOrEnd = anyOf("/", exactly("").at.lineEnd());
+const pathRules = [
+	{
+		re: createRegExp(startOrSlash, ".git", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp(startOrSlash, ".git/config", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp(startOrSlash, ".env", maybe(anyOf(".local", ".example")), slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp(startOrSlash, "wp-admin", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("/wp-json/wp/v2", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("/", anyOf("jenkins", "hudson").grouped(), slashOrEnd, ["i"]),
+		weight: 9
+	},
+	{
+		re: createRegExp("/", anyOf("script", "login").grouped(), ".groovy", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("/actuator/", anyOf("env", "health", "metrics"), slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("/web.config", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("/.DS_Store", slashOrEnd, ["i"]),
+		weight: 4
+	},
+	{
+		re: createRegExp("/latest/meta-data/iam", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp(startOrSlash, ".aws/credentials", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp("/Dockerfile", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("/composer.lock", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("/jnlpJars/jenkins-cli.jar", slashOrEnd, ["i"]),
+		weight: 9
+	},
+	{
+		re: createRegExp("/manager/html", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp("/shell", maybe(".php"), slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp("/", anyOf("grafana", "kibana", "prometheus").grouped(), slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("/", anyOf("owa", "ecp").grouped(), slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("wp-login.php", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("/swagger-ui", anyOf("/", ".html"), slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp("/v2/api-docs", slashOrEnd, ["i"]),
+		weight: 5
+	},
+	{
+		re: createRegExp("/api-docs", anyOf("/", ".json"), slashOrEnd, ["i"]),
+		weight: 5
+	},
+	{
+		re: createRegExp("phpmyadmin", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, ".well-known", slashOrEnd, ["i"]),
+		weight: 5
+	},
+	{
+		re: createRegExp(startOrSlash, ".htaccess", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("composer.json", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp("docker-compose.y", maybe("a"), "ml", slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp(".", anyOf("sql", "bak", "old", "save", "log", "ini", "conf", "zip", exactly("tar", maybe(".gz"))), slashOrEnd, ["i"]),
+		weight: 7
+	},
+	{
+		re: createRegExp(anyOf("..", "%2e%2e").grouped(), anyOf("/", "\\"), ["i"]),
+		weight: 5
+	},
+	{
+		re: createRegExp(anyOf("package-lock.json", "yarn.lock", ".gitignore").grouped(), slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp(startOrSlash, "admin", slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp("phpinfo", maybe(".php"), slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, ".ssh", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(exactly("").at.lineStart(), "/xmlrpc.php", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, "wp-config.php", slashOrEnd, ["i"]),
+		weight: 10
+	},
+	{
+		re: createRegExp(startOrSlash, anyOf("install", "setup").grouped(), maybe(".php"), slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, "backup", maybe("s"), anyOf(".zip", ".tar.gz", ".sql"), slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, ".gitlab-ci.yml", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp(startOrSlash, ".svn", slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp(startOrSlash, ".hg", slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp(startOrSlash, "CVS", slashOrEnd, ["i"]),
+		weight: 6
+	},
+	{
+		re: createRegExp(startOrSlash, ".vscode", slashOrEnd, ["i"]),
+		weight: 4
+	},
+	{
+		re: createRegExp(startOrSlash, ".htpasswd", slashOrEnd, ["i"]),
+		weight: 8
+	},
+	{
+		re: createRegExp("phpunit", maybe(".phar"), slashOrEnd, ["i"]),
+		weight: 9
+	},
+	{
+		re: createRegExp(startOrSlash, "config", maybe("uration"), ".", anyOf("php", "yml", "json", "xml", "ini", "conf", "cfg"), slashOrEnd, ["i"]),
+		weight: 7
+	}
+];
+const whiteList = [
+	createRegExp(exactly("").at.lineStart(), maybe("/"), exactly("").at.lineEnd()),
+	createRegExp(exactly("").at.lineStart(), "/", anyOf("css", "js", "images", "assets", "static").grouped(), "/", ["i"]),
+	createRegExp(".", anyOf("html", "css", "js", "png", exactly("jp", maybe("e"), "g"), "svg", "map", exactly("woff", maybe("2")), "ttf", "webp"), exactly("").at.lineEnd(), ["i"]),
+	createRegExp(exactly("").at.lineStart(), "/robots.txt", exactly("").at.lineEnd(), ["i"]),
+	createRegExp(exactly("").at.lineStart(), "/sitemap.xml", exactly("").at.lineEnd(), ["i"])
+];
+
+//#endregion
+//#region src/botDetector/checkers/UaAndHeaderChecker/base.ts
+var UaAndHeaderCheckerBase = class {
+	pathScore(req, config) {
+		const settings = config.pathTraveler;
+		const MAX_DECODE_ITERATIONS = settings.maxIterations;
+		const MAX_PATH_LENGTH = settings.maxPathLength;
+		let score = 0;
+		const hostHeader = req.get("x-forwarded-host");
+		const base = `${req.protocol}://${hostHeader ?? req.get("host") ?? ""}`;
+		const rawPath = req.get("x-original-path") || req.originalUrl;
+		if (/(?:\.\.[\\/]|\.\.%2f|\.\.%5c|%2e%2e[\\/]|%2e%2e%2f|%2e%2e%5c)/i.test(rawPath)) return settings.traversalDetected;
+		let pathname;
+		try {
+			pathname = new URL$1(rawPath, base).pathname;
+		} catch {
+			pathname = rawPath.split("?")[0];
+		}
+		if (pathname.length > MAX_PATH_LENGTH) return settings.pathLengthToLong;
+		if (whiteList.some((rx) => rx.test(pathname))) return 0;
+		let decoded = pathname;
+		let totalDecodedLength = 0;
+		for (let i = 0; i < MAX_DECODE_ITERATIONS; i++) try {
+			const tmp = decodeURIComponent(decoded);
+			if (tmp === decoded) break;
+			totalDecodedLength += tmp.length;
+			if (totalDecodedLength > MAX_PATH_LENGTH * 2) return settings.longDecoding;
+			decoded = tmp;
+		} catch {
+			break;
+		}
+		const normalized = path$1.normalize(decoded);
+		for (const { re, weight } of pathRules) if (re.test(normalized)) {
+			score += weight;
+			if (score >= 30) break;
+		}
+		return score;
+	}
+	tlsBotScore(req, config) {
+		const settings = config.checkers.enableUaAndHeaderChecks;
+		if (!settings.enable) return 0;
+		const { penalties } = settings;
+		let score = 0;
+		const proto = req.httpVersion === "2.0" ? "h2" : req.httpVersion === "1.1" ? "http/1.1" : "";
+		if (!proto || proto !== "h2" && proto !== "http/1.1") score += penalties.tlsCheckFailed;
+		const cipher = req.get("x-client-cipher") ?? "";
+		if (!new Set([
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+			"ECDHE-ECDSA-AES128-GCM-SHA256",
+			"ECDHE-RSA-AES128-GCM-SHA256",
+			"ECDHE-ECDSA-CHACHA20-POLY1305",
+			"ECDHE-RSA-CHACHA20-POLY1305",
+			"ECDHE-ECDSA-AES256-GCM-SHA384",
+			"ECDHE-RSA-AES256-GCM-SHA384",
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+			"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+		]).has(cipher)) score += penalties.tlsCheckFailed;
+		const tlsVersion = (req.get("x-client-tls-version") ?? "").toLowerCase();
+		if (tlsVersion && !tlsVersion.startsWith("tls1.3") && !tlsVersion.startsWith("tls1.2")) score += penalties.tlsCheckFailed;
+		return score;
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/UaAndHeaderChecker/headersAndUACalc.ts
+var UaAndHeaderChecker = class extends UaAndHeaderCheckerBase {
+	constructor(..._args) {
+		super(..._args);
+		this.name = "User agent and Header Verification";
+		this.phase = "heavy";
+	}
+	isEnabled(config) {
+		return config.checkers.enableUaAndHeaderChecks.enable;
+	}
+	async run(ctx, config) {
+		const checkConfig = config.checkers.enableUaAndHeaderChecks;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const { penalties } = checkConfig;
+		const req = ctx.req;
+		const uaString = req.get("User-Agent") ?? "";
+		const uaLower = uaString.toLowerCase();
+		if (createRegExp(anyOf("headless", "puppeteer", "selenium", "playwright", "phantomjs")).test(uaLower)) {
+			score += penalties.headlessBrowser;
+			reasons.push("HEADLESS_BROWSER_DETECTED");
+		}
+		if (!uaString || uaString.length < 10) {
+			score += penalties.shortUserAgent;
+			reasons.push("SHORT_USER_AGENT");
+		}
+		const tlsCheckScore = this.tlsBotScore(req, config);
+		if (tlsCheckScore > 0) {
+			score += tlsCheckScore;
+			reasons.push("TLS_CHECK_FAILED");
+		}
+		const headerChecker = await new HeaderAnalysis(req).scoreHeaders();
+		if (headerChecker > 0) {
+			score += headerChecker;
+			reasons.push("HEADER_SCORE_TOO_HIGH");
+		}
+		const pathChecker = this.pathScore(req, config);
+		if (pathChecker > 0) {
+			score += pathChecker;
+			reasons.push("PATH_TRAVELER_FOUND");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new UaAndHeaderChecker());
+
+//#endregion
+//#region src/botDetector/checkers/geoLocationCalc.ts
+var GeoLocationChecker = class {
+	constructor() {
+		this.name = "Geo-Location Verification";
+		this.phase = "heavy";
+	}
+	isEnabled(config) {
+		return config.checkers.enableGeoChecks.enable;
+	}
+	isAllowedCountry(country, bannedCountries) {
+		return !bannedCountries.includes(country.trim().toLowerCase());
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableGeoChecks;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const penalties = checkConfig.penalties;
+		const banScore = config.banScore;
+		const details = ctx.geoData;
+		const country = details.country;
+		const countryCode = details.countryCode;
+		if (countryCode || country) {
+			const banned = checkConfig.bannedCountries;
+			const codeMatch = !!countryCode && !this.isAllowedCountry(countryCode, banned);
+			const nameMatch = !!country && !this.isAllowedCountry(country, banned);
+			if (codeMatch || nameMatch) {
+				score += banScore;
+				reasons.push("BANNED_COUNTRY");
+			}
+		} else {
+			score += penalties.countryUnknown;
+			reasons.push("COUNTRY_UNKNOWN");
+		}
+		const region = details.region;
+		const regionName = details.regionName;
+		if (!region || !regionName) {
+			score += penalties.regionUnknown;
+			reasons.push("REGION_UNKNOWN");
+		}
+		if (!details.lat || !details.lon) {
+			score += penalties.latLonUnknown;
+			reasons.push("LAT_LON_UNKNOWN");
+		}
+		if (!details.district) {
+			score += penalties.districtUnknown;
+			reasons.push("DISTRICT_UNKNOWN");
+		}
+		if (!details.city) {
+			score += penalties.cityUnknown;
+			reasons.push("CITY_UNKNOWN");
+		}
+		if (!details.timezone) {
+			score += penalties.timezoneUnknown;
+			reasons.push("TIMEZONE_UNKNOWN");
+		}
+		if (!details.subregion) {
+			score += penalties.subregionUnknown;
+			reasons.push("SUBREGION_UNKNOWN");
+		}
+		if (!details.phone) {
+			score += penalties.phoneUnknown;
+			reasons.push("PHONE_UNKNOWN");
+		}
+		if (!details.continent) {
+			score += penalties.continentUnknown;
+			reasons.push("CONTINENT_UNKNOWN");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new GeoLocationChecker());
+
+//#endregion
+//#region src/botDetector/checkers/fireholEscalation.ts
+var ThreatLevels = class {
+	constructor() {
+		this.name = "Known ThreatLevels";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableKnownThreatsDetections.enable;
+	}
+	run(ctx, config) {
+		const { enableKnownThreatsDetections } = config.checkers;
+		const reasons = [];
+		let score = 0;
+		if (!enableKnownThreatsDetections.enable) return {
+			score,
+			reasons
+		};
+		const { anonymiseNetwork, threatLevels } = enableKnownThreatsDetections.penalties;
+		if (ctx.anon) {
+			score += anonymiseNetwork;
+			reasons.push("ANONYMITY_NETWORK");
+		}
+		switch (ctx.threatLevel) {
+			case 1:
+				score += threatLevels.criticalLevel1;
+				reasons.push("FIREHOL_L1_THREAT");
+				break;
+			case 2:
+				score += threatLevels.currentAttacksLevel2;
+				reasons.push("FIREHOL_L2_THREAT");
+				break;
+			case 3:
+				score += threatLevels.threatLevel3;
+				reasons.push("FIREHOL_L3_THREAT");
+				break;
+			case 4:
+				score += threatLevels.threatLevel4;
+				reasons.push("FIREHOL_L4_THREAT");
+				break;
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new ThreatLevels());
+
+//#endregion
+//#region src/botDetector/checkers/asnClassification.ts
+var AsnClassificationChecker = class {
+	constructor() {
+		this.name = "ASN Classification";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableAsnClassification.enable;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableAsnClassification;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const { penalties } = checkConfig;
+		const { classification, hits } = ctx.bgp;
+		if (!classification) {
+			score += penalties.unknownClassification;
+			reasons.push("ASN_CLASSIFICATION_UNKNOWN");
+			return {
+				score,
+				reasons
+			};
+		}
+		if (classification === "Content") {
+			score += penalties.contentClassification;
+			reasons.push("ASN_HOSTING_CLASSIFIED");
+		}
+		const hitsNum = parseInt(hits ?? "", 10);
+		const isLowVisibility = Number.isFinite(hitsNum) && hitsNum >= 0 && hitsNum < penalties.lowVisibilityThreshold;
+		if (isLowVisibility) {
+			score += penalties.lowVisibilityPenalty;
+			reasons.push("ASN_LOW_VISIBILITY");
+		}
+		if (classification === "Content" && isLowVisibility) {
+			score += penalties.comboHostingLowVisibility;
+			reasons.push("ASN_HOSTING_LOW_VISIBILITY_COMBO");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new AsnClassificationChecker());
+
+//#endregion
+//#region src/botDetector/checkers/torAnalysis.ts
+var TorAnalysisChecker = class {
+	constructor() {
+		this.name = "Tor Node Analysis";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableTorAnalysis.enable;
+	}
+	parseFlags(flags) {
+		if (!flags) return /* @__PURE__ */ new Set();
+		return new Set(flags.split(",").map((f) => f.trim()));
+	}
+	canExitWebTraffic(summary) {
+		if (!summary) return false;
+		try {
+			const policy = JSON.parse(summary);
+			const coversWebPort = (entry) => {
+				if (entry === "80" || entry === "443") return true;
+				if (entry.includes("-")) {
+					const [lo, hi] = entry.split("-").map(Number);
+					return lo <= 80 && 80 <= hi || lo <= 443 && 443 <= hi;
+				}
+				return false;
+			};
+			if (policy.accept) return policy.accept.some(coversWebPort);
+			if (policy.reject) return !policy.reject.some(coversWebPort);
+		} catch {}
+		return false;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableTorAnalysis;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		if (!ctx.tor || Object.keys(ctx.tor).length === 0) return {
+			score,
+			reasons
+		};
+		const { penalties } = checkConfig;
+		const { running, exit_addresses, flags, recommended_version, version_status, exit_probability, exit_policy_summary, guard_probability } = ctx.tor;
+		const flagSet = this.parseFlags(flags);
+		if (running) {
+			score += penalties.runningNode;
+			reasons.push("TOR_ACTIVE_NODE");
+		}
+		if ((exit_addresses && exit_addresses.length > 0) ?? flagSet.has("Exit")) {
+			score += penalties.exitNode + Math.ceil((exit_probability ?? 0) * 30);
+			reasons.push("TOR_EXIT_NODE");
+			if (this.canExitWebTraffic(exit_policy_summary)) {
+				score += penalties.webExitCapable;
+				reasons.push("TOR_WEB_EXIT_CAPABLE");
+			}
+		}
+		if (flagSet.has("BadExit")) {
+			score += penalties.badExit;
+			reasons.push("TOR_BAD_EXIT");
+		}
+		if (flagSet.has("Guard") || (guard_probability ?? 0) > 0) {
+			score += penalties.guardNode;
+			reasons.push("TOR_GUARD_NODE");
+		}
+		if (recommended_version === false || version_status === "obsolete") {
+			score += penalties.obsoleteVersion;
+			reasons.push("TOR_OBSOLETE_VERSION");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new TorAnalysisChecker());
+
+//#endregion
+//#region src/botDetector/checkers/timezoneConsistency.ts
+var TimezoneConsistencyChecker = class {
+	constructor() {
+		this.name = "Timezone Consistency";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableTimezoneConsistency.enable;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.enableTimezoneConsistency;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		const geoTimezone = ctx.geoData.timezone?.toLowerCase();
+		if (!geoTimezone) return {
+			score,
+			reasons
+		};
+		const tzHeader = ctx.req.get("Sec-CH-UA-Timezone") ?? ctx.req.get("X-Timezone");
+		if (tzHeader && tzHeader.toLowerCase() !== geoTimezone) {
+			score += checkConfig.penalties;
+			reasons.push("TZ_HEADER_GEO_MISMATCH");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new TimezoneConsistencyChecker());
+
+//#endregion
+//#region src/botDetector/checkers/honeypot.ts
+var HoneypotChecker = class {
+	constructor() {
+		this.name = "Honeypot Path";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.honeypot.enable;
+	}
+	run(ctx, config) {
+		const checkConfig = config.checkers.honeypot;
+		const reasons = [];
+		if (!checkConfig.enable || checkConfig.paths.length === 0) return {
+			score: 0,
+			reasons
+		};
+		const requestPath = ctx.req.path.toLowerCase();
+		if (checkConfig.paths.some((p) => requestPath === p.toLowerCase())) {
+			reasons.push("HONEYPOT_PATH_HIT");
+			reasons.push("BAD_BOT_DETECTED");
+		}
+		return {
+			score: 0,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new HoneypotChecker());
+
+//#endregion
+//#region src/botDetector/helpers/cache/sessionCache.ts
+const SESSION_TTL_SECONDS = 600;
+const PREFIX$3 = "session:";
+const sessionCache = {
+	async get(sessionId) {
+		const key = `${PREFIX$3}${sessionId}`;
+		const storage = getStorage();
+		const data = await storage.getItem(key);
+		if (data) storage.setItem(key, data, { ttl: SESSION_TTL_SECONDS }).catch((err) => {
+			consola.warn(`Failed to update session TTL for ${key}`, err);
+		});
+		return data;
+	},
+	async set(sessionId, entry) {
+		const key = `${PREFIX$3}${sessionId}`;
+		await getStorage().setItem(key, entry, { ttl: SESSION_TTL_SECONDS });
+	},
+	async delete(sessionId) {
+		const key = `${PREFIX$3}${sessionId}`;
+		await getStorage().removeItem(key);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/sessionCoherence.ts
+var SessionCoherenceChecker = class {
+	constructor() {
+		this.name = "Session Coherence";
+		this.phase = "heavy";
+	}
+	get logger() {
+		this._logger ??= getLogger().child({
+			service: "botDetector",
+			branch: "checker",
+			type: "SessionCoherenceChecker"
+		});
+		return this._logger;
+	}
+	isEnabled(config) {
+		return config.checkers.enableSessionCoherence.enable;
+	}
+	async run(ctx, config) {
+		const checkConfig = config.checkers.enableSessionCoherence;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable) return {
+			score,
+			reasons
+		};
+		if (!ctx.cookie) return {
+			score,
+			reasons
+		};
+		const currentPath = ctx.req.path;
+		const refererHeader = ctx.req.get("Referer");
+		const secFetchSite = ctx.req.get("Sec-Fetch-Site");
+		const currentHostname = ctx.req.hostname;
+		const cached = await sessionCache.get(ctx.cookie);
+		if (secFetchSite === "same-origin" && !refererHeader || cached && !refererHeader) {
+			score += checkConfig.penalties.missingReferer;
+			reasons.push("SESSION_COHERENCE_MISSING_REFERER");
+		} else if (refererHeader) try {
+			const refererUrl = new URL(refererHeader);
+			if (refererUrl.hostname !== currentHostname) {
+				score += checkConfig.penalties.domainMismatch;
+				reasons.push("SESSION_COHERENCE_DOMAIN_MISMATCH");
+			} else if (cached && refererUrl.pathname !== cached.lastPath) {
+				score += checkConfig.penalties.pathMismatch;
+				reasons.push("SESSION_COHERENCE_PATH_MISMATCH");
+			}
+		} catch {
+			score += checkConfig.penalties.missingReferer;
+			reasons.push("SESSION_COHERENCE_INVALID_REFERER");
+		}
+		sessionCache.set(ctx.cookie, { lastPath: currentPath }).catch((err) => {
+			this.logger.error({ err }, "Failed to save session in storage.");
+		});
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new SessionCoherenceChecker());
+
+//#endregion
+//#region src/botDetector/helpers/cache/timingCache.ts
+const TIMING_TTL_SECONDS = 900;
+const PREFIX$2 = "timing:";
+const timingCache = {
+	async get(visitorId) {
+		const key = `${PREFIX$2}${visitorId}`;
+		return await getStorage().getItem(key);
+	},
+	async set(visitorId, entry) {
+		const key = `${PREFIX$2}${visitorId}`;
+		await getStorage().setItem(key, entry, { ttl: TIMING_TTL_SECONDS });
+	},
+	async delete(visitorId) {
+		const key = `${PREFIX$2}${visitorId}`;
+		await getStorage().removeItem(key);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector/checkers/velocityFingerprint.ts
+const MAX_SAMPLES = 10;
+const MIN_SAMPLES_TO_EVALUATE = 5;
+var VelocityFingerprintChecker = class {
+	constructor() {
+		this.name = "Velocity Fingerprinting";
+		this.phase = "heavy";
+	}
+	get logger() {
+		this._logger ??= getLogger().child({
+			service: "botDetector",
+			branch: "checker",
+			type: "VelocityFingerprintChecker"
+		});
+		return this._logger;
+	}
+	isEnabled(config) {
+		return config.checkers.enableVelocityFingerprint.enable;
+	}
+	async run(ctx, config) {
+		const checkConfig = config.checkers.enableVelocityFingerprint;
+		const reasons = [];
+		let score = 0;
+		if (!checkConfig.enable || !ctx.cookie) return {
+			score,
+			reasons
+		};
+		const now = Date.now();
+		const timestamps = [...await timingCache.get(ctx.cookie) ?? [], now].slice(-MAX_SAMPLES);
+		timingCache.set(ctx.cookie, timestamps).catch((err) => {
+			this.logger.error({ err }, "Failed to save timingCache in storage");
+		});
+		if (timestamps.length < MIN_SAMPLES_TO_EVALUATE) return {
+			score,
+			reasons
+		};
+		const intervals = [];
+		for (let i = 1; i < timestamps.length; i++) intervals.push(timestamps[i] - timestamps[i - 1]);
+		const mean = intervals.reduce((a, b) => a + b, 0) / intervals.length;
+		if (mean === 0) return {
+			score,
+			reasons
+		};
+		const variance = intervals.reduce((a, b) => a + Math.pow(b - mean, 2), 0) / intervals.length;
+		if (Math.sqrt(variance) / mean < checkConfig.cvThreshold) {
+			score += checkConfig.penalties;
+			reasons.push("TIMING_TOO_REGULAR");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new VelocityFingerprintChecker());
+
+//#endregion
+//#region src/botDetector/checkers/knownBadIps.ts
+var KnownBadIps = class {
+	constructor() {
+		this.name = "KnownBadIps";
+		this.phase = "cheap";
+	}
+	isEnabled(config) {
+		return config.checkers.enableKnownBadIpsCheck.enable;
+	}
+	run(ctx, config) {
+		const { enableKnownBadIpsCheck } = config.checkers;
+		const reasons = [];
+		let score = 0;
+		if (!enableKnownBadIpsCheck.enable) return {
+			score,
+			reasons
+		};
+		const ds = getDataSources();
+		const ip = ctx.ipAddress;
+		if (ds.bannedDataBase(ip)) {
+			reasons.push("PREVIOUSLY_BANNED_IP", "BAD_BOT_DETECTED");
+			return {
+				score,
+				reasons
+			};
+		}
+		const highRisk = ds.highRiskDataBase(ip);
+		if (highRisk) {
+			const ratio = Math.min(highRisk.score / config.banScore, 1);
+			score += Math.round(enableKnownBadIpsCheck.highRiskPenalty * ratio);
+			reasons.push("PREVIOUSLY_HIGH_RISK_IP");
+		}
+		return {
+			score,
+			reasons
+		};
+	}
+};
+CheckerRegistry.register(new KnownBadIps());
+
+//#endregion
+//#region src/botDetector/helpers/exceptions.ts
+var BadBotDetected = class extends Error {
+	constructor(message = "Bad bot detected") {
+		super(message);
+		this.name = "BadBotDetected";
+	}
+};
+var GoodBotDetected = class extends Error {
+	constructor(message = "Good bot detected") {
+		super(message);
+		this.name = "GoodBotDetected";
+	}
+};
+
+//#endregion
+//#region src/botDetector/penalties/banIP.ts
+const UFW = "/usr/sbin/ufw";
+function banIp(ip, info) {
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: `banIp`,
+		ipAddress: ip,
+		details: info
+	});
+	const { punishmentType } = getConfiguration();
+	if (!punishmentType.enableFireWallBan) {
+		log.info(`Firewall punishment ban is disabled, skipping`);
+		return;
+	}
+	log.info("about to ban an IP");
+	return new Promise((resolve, reject) => {
+		const child = spawn("sudo", [
+			"-n",
+			UFW,
+			"insert",
+			"1",
+			"deny",
+			"from",
+			ip
+		], {
+			stdio: [
+				"ignore",
+				"ignore",
+				"pipe"
+			],
+			detached: true
+		});
+		child.unref();
+		let stderr = "";
+		const timer = setTimeout(() => {
+			child.kill("SIGKILL");
+			log.warn(`ufw hang timeout on ${ip}`);
+			reject(/* @__PURE__ */ new Error(`ufw hang timeout on ${ip}`));
+		}, 5e3);
+		child.stderr.on("data", (d) => stderr += String(d));
+		child.on("error", (err) => {
+			clearTimeout(timer);
+			log.fatal({ err }, `- CRITICAL - UFW spawn failed`);
+			reject(err);
+		});
+		child.on("close", (code) => {
+			clearTimeout(timer);
+			if (code !== 0) {
+				log.fatal({ code }, `- CRITICAL - UFW ban failed`);
+				reject(/* @__PURE__ */ new Error(`ufw exited ${String(code)}`));
+				return;
+			}
+			log.info(`Banning Detected Bot/Malicious User. IP ${ip} banned (score ${String(info.score)})\nReasons:\n- ${info.reasons.join("\n- ")}`);
+			resolve();
+		});
+	});
+}
+
+//#endregion
+//#region src/botDetector/helpers/processChecks.ts
+async function processChecks(checkers, ctx, config, botScore, reasons, phaseLabel = "phase") {
+	const { banScore } = getConfiguration();
+	const log = getLogger().child({
+		service: `BOT DETECTOR`,
+		branch: "checks"
+	});
+	const reqId = Date.now();
+	const phaseStart = performance.now();
+	log.info({
+		phase: phaseLabel,
+		reqId,
+		event: "start"
+	});
+	const banLimit = banScore;
+	for (const checker of checkers) {
+		const label = checker.name;
+		const checkStart = performance.now();
+		log.info({
+			reqId,
+			check: label,
+			event: "start"
+		});
+		const { score, reasons: rs } = await checker.run(ctx, config);
+		const checkEnd = performance.now();
+		log.info({
+			reqId,
+			check: label,
+			event: "end",
+			durationMs: +(checkEnd - checkStart).toFixed(3),
+			score,
+			reasons: rs
+		});
+		botScore += score;
+		rs.forEach((r) => reasons.push(r));
+		if (rs.includes("GOOD_BOT_IDENTIFIED")) throw new GoodBotDetected();
+		if (rs.includes("BAD_BOT_DETECTED")) throw new BadBotDetected();
+		if (botScore >= banLimit) {
+			log.warn({
+				reqId,
+				botScore
+			}, "Bot detected — aborting checks");
+			break;
+		}
+	}
+	const phaseEnd = performance.now();
+	log.info({
+		reqId,
+		phase: phaseLabel,
+		event: "end",
+		durationMs: +(phaseEnd - phaseStart).toFixed(3),
+		Score: botScore
+	});
+	return botScore;
+}
+
+//#endregion
+//#region src/botDetector/helpers/cache/reputationCache.ts
+const PREFIX$1 = "reputation:";
+const reputationCache = {
+	async get(cookie) {
+		return getStorage().getItem(`${PREFIX$1}${cookie}`);
+	},
+	async set(cookie, entry) {
+		const { checksTimeRateControl } = getConfiguration();
+		await getStorage().setItem(`${PREFIX$1}${cookie}`, entry, { ttl: Math.floor(checksTimeRateControl.checkEvery / 1e3) });
+	},
+	async delete(cookie) {
+		await getStorage().removeItem(`${PREFIX$1}${cookie}`);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector.ts
+async function uaAndGeoBotDetector(req, ipAddress, userAgent, geo, parsedUA, buildCustomContext) {
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "main"
+	});
+	const { banScore, maxScore, setNewComputedScore } = getConfiguration();
+	const BAN_THRESHOLD = banScore;
+	const MAX_SCORE = maxScore;
+	const reasons = [];
+	let botScore = 0;
+	const cookie = req.cookies.canary_id;
+	const uaString = req.get("User-Agent") ?? "";
+	log.info(`BotDetection called for ${req.method} ${req.get("X-Forwarded-Host") ?? ""}`);
+	const threatsLevels = getDataSources().fireholLvl1DataBase(ipAddress) ? 1 : getDataSources().fireholLvl2DataBase(ipAddress) ? 2 : getDataSources().fireholLvl3DataBase(ipAddress) ? 3 : getDataSources().fireholLvl4DataBase(ipAddress) ? 4 : null;
+	const proxy = () => {
+		const isProxy = getDataSources().proxyDataBase(ipAddress);
+		if (isProxy) return {
+			proxy: true,
+			proxyType: isProxy.comment
+		};
+		return { proxy: false };
+	};
+	const { tor, asn, threatLevel, anon } = {
+		tor: getDataSources().torDataBase(ipAddress),
+		asn: getDataSources().asnDataBase(ipAddress),
+		threatLevel: threatsLevels,
+		anon: getDataSources().fireholAnonDataBase(ipAddress) ? true : false
+	};
+	const proxyResult = proxy();
+	const ctx = {
+		req,
+		ipAddress,
+		parsedUA,
+		geoData: geo,
+		cookie,
+		proxy: {
+			isProxy: proxyResult.proxy,
+			proxyType: proxyResult.proxyType
+		},
+		anon,
+		bgp: asn ?? {},
+		tor: tor ?? {},
+		threatLevel,
+		custom: buildCustomContext ? buildCustomContext(req) : {}
+	};
+	const cheapChecks = CheckerRegistry.getEnabled("cheap", getConfiguration());
+	const checks = CheckerRegistry.getEnabled("heavy", getConfiguration());
+	try {
+		botScore = await processChecks(cheapChecks, ctx, getConfiguration(), botScore, reasons, "cheapPhase");
+		if (botScore < BAN_THRESHOLD) botScore = await processChecks(checks, ctx, getConfiguration(), botScore, reasons, "heavyPhase");
+	} catch (error) {
+		if (error instanceof BadBotDetected) {
+			const bannedInfo = {
+				score: BAN_THRESHOLD,
+				reasons: Array.from(reasons)
+			};
+			banIp(ipAddress, bannedInfo);
+			getBatchQueue().addQueue(cookie ?? "", ipAddress, "update_banned_ip", {
+				cookie: cookie ?? "",
+				ipAddress,
+				country: ctx.geoData.country ?? "",
+				user_agent: uaString,
+				info: bannedInfo
+			}, "deferred");
+			getBatchQueue().addQueue(cookie ?? "", ipAddress, "is_bot_update", {
+				isBot: true,
+				cookie: cookie ?? ""
+			}, "deferred");
+			return true;
+		}
+		if (error instanceof GoodBotDetected) return false;
+		log.error({ error }, "unexpected error");
+	}
+	botScore = Math.min(botScore, MAX_SCORE);
+	if (botScore >= BAN_THRESHOLD) {
+		log.info(`Starting Ban for ${ipAddress} ${userAgent}`);
+		const bannedInfo = {
+			score: botScore,
+			reasons: Array.from(reasons)
+		};
+		banIp(ipAddress, bannedInfo);
+		getBatchQueue().addQueue(cookie ?? "", ipAddress, "update_banned_ip", {
+			cookie: cookie ?? "",
+			ipAddress,
+			country: ctx.geoData.country ?? "",
+			user_agent: uaString,
+			info: bannedInfo
+		}, "deferred");
+		getBatchQueue().addQueue(cookie ?? "", ipAddress, "is_bot_update", {
+			isBot: true,
+			cookie: cookie ?? ""
+		}, "deferred");
+		return true;
+	}
+	if (setNewComputedScore) {
+		getBatchQueue().addQueue(cookie ?? "", ipAddress, "score_update", {
+			score: botScore,
+			cookie: cookie ?? ""
+		}, "deferred");
+		reputationCache.set(cookie ?? "", {
+			isBot: false,
+			score: botScore
+		}).catch((err) => {
+			log.error({ err }, "Failed to set reputationCache in storage");
+		});
+	} else {
+		const cached = await reputationCache.get(cookie ?? "");
+		if (!cached || cached.score === 0) {
+			getBatchQueue().addQueue(cookie ?? "", ipAddress, "score_update", {
+				score: botScore,
+				cookie: cookie ?? ""
+			}, "deferred");
+			reputationCache.set(cookie ?? "", {
+				isBot: false,
+				score: botScore
+			}).catch((err) => {
+				log.error({ err }, "Failed to set reputationCache in storage");
+			});
+		}
+	}
+	return false;
+}
+
+//#endregion
+//#region src/botDetector/helpers/cache/cannaryCache.ts
+const PREFIX = "visitor:";
+const visitorCache = {
+	async get(cookie) {
+		return getStorage().getItem(`${PREFIX}${cookie}`);
+	},
+	async set(cookie, entry) {
+		const { checksTimeRateControl } = getConfiguration();
+		await getStorage().setItem(`${PREFIX}${cookie}`, entry, { ttl: Math.floor(checksTimeRateControl.checkEvery / 1e3) });
+	},
+	async delete(cookie) {
+		await getStorage().removeItem(`${PREFIX}${cookie}`);
+	},
+	async clear() {
+		await getStorage().clear();
+	}
+};
+
+//#endregion
+//#region src/botDetector/helpers/reputation.ts
+async function userReputation(cookie) {
+	const log = getLogger().child({
+		service: `BOT DETECTOR`,
+		branch: `reputation`
+	});
+	const db = getDb();
+	const { banScore, restoredReputationPoints, setNewComputedScore } = getConfiguration();
+	const botScore = banScore;
+	const cached = await reputationCache.get(cookie);
+	if (cached) {
+		log.info(`CACHE HIT cookie=${cookie} score=${String(cached.score)} →  (botScore=${String(botScore)})`);
+		if (cached.isBot) return;
+		if (!cached.isBot && cached.score > 0 && cached.score < botScore) {
+			log.info(`updating cache score cookie=${cookie} score=${String(cached.score)} →  (botScore=${String(botScore)})`);
+			const newReputation = Math.max(0, cached.score - restoredReputationPoints);
+			if (newReputation !== cached.score) {
+				getBatchQueue().addQueue(cookie, "", "score_update", {
+					score: newReputation,
+					cookie
+				}, "deferred");
+				log.info(`updating cache score to DB cookie=${cookie} score=${String(cached.score)} →  (botScore=${String(botScore)})`);
+				reputationCache.set(cookie, {
+					isBot: cached.isBot,
+					score: newReputation
+				}).catch((err) => {
+					log.error({ err }, "Failed to save reputationCache in storage");
+				});
+			}
+			log.info(`finished Updating Score from cache to DB cookie: ${cookie} NEW SCORE: ${String(newReputation)}`);
+		}
+		return;
+	}
+	try {
+		const visitor = await prep(db, `
+        SELECT is_bot,
+        suspicious_activity_score
+        FROM visitors
+          WHERE canary_id = ?
+          LIMIT 1`).get(cookie);
+		if (!visitor) {
+			log.warn(`no visitor record for canary_id=${cookie}`);
+			return;
+		}
+		const isBot = visitor.is_bot === 0 ? false : true;
+		const reputation = visitor.suspicious_activity_score;
+		if (isBot) return;
+		if (!setNewComputedScore) reputationCache.set(cookie, {
+			isBot,
+			score: reputation
+		}).catch((err) => {
+			log.error({ err }, "Failed to save reputationCache in storage");
+		});
+		log.info({
+			label: "[REP-GATE]",
+			isBot,
+			score: reputation,
+			"score>0": reputation > 0,
+			"score<ban": reputation < botScore,
+			healPts: restoredReputationPoints
+		});
+		if (!isBot && reputation > 0 && reputation < botScore) {
+			log.info(`calculating new score cookie=${cookie} score=${String(reputation)} →  (botScore=${String(botScore)})`);
+			const newReputation = Math.max(0, reputation - restoredReputationPoints);
+			if (newReputation !== reputation) {
+				getBatchQueue().addQueue(cookie, "", "score_update", {
+					score: newReputation,
+					cookie
+				}, "deferred");
+				log.info(`Update Score for cookie', ${cookie}, 'New Score:', ${String(newReputation)}`);
+				reputationCache.set(cookie, {
+					isBot,
+					score: newReputation
+				}).catch((err) => {
+					log.error({ err }, "Failed to save reputationCache in storage");
+				});
+			}
+		}
+	} catch (err) {
+		log.error({ err }, `An error occurred updating visitor reputation`);
+	}
+}
+
+//#endregion
+//#region src/botDetector/utils/whitelist.ts
+function isInWhiteList(ipAddress) {
+	const { whiteList } = getConfiguration();
+	if (whiteList) return whiteList.includes(ipAddress);
+	return false;
+}
+
+//#endregion
+//#region src/botDetector/utils/nowMysql.ts
+const nowMysql = () => (/* @__PURE__ */ new Date()).toISOString().slice(0, 19).replace("T", " ");
+
+//#endregion
+//#region src/botDetector/middlewares/canaryCookieChecker.ts
+function validator(buildCustomContext) {
+	return async (req, res, next) => {
+		const { checksTimeRateControl } = getConfiguration();
+		let canary = req.cookies.canary_id;
+		const ua = req.get("User-Agent") ?? "";
+		const ip = req.ip ?? "";
+		const log = getLogger().child({
+			service: "BOT DETECTOR",
+			branch: `main`,
+			canary
+		});
+		log.info(`Validator entered for ${req.method} ${req.get("X-Forwarded-Host") ?? ""}`);
+		log.info({ cookies: req.cookies }, `Incoming cookies`);
+		const whiteList = isInWhiteList(ip);
+		if (canary) {
+			const cached = await visitorCache.get(canary);
+			if (cached) {
+				if (cached.banned && !whiteList) {
+					res.sendStatus(403);
+					return;
+				}
+				req.newVisitorId = cached.visitor_id;
+				if (!checksTimeRateControl.checkEveryRequest) {
+					next();
+					return;
+				}
+			}
+		}
+		if (!canary) {
+			log.info(`No canary_id cookie found. Generating a new one.`);
+			const cookieValue = randomBytes(32).toString("hex");
+			canary = cookieValue;
+			makeCookie(res, "canary_id", cookieValue, {
+				httpOnly: true,
+				sameSite: "lax",
+				maxAge: 1e3 * 60 * 60 * 24 * 90,
+				secure: true,
+				path: "/"
+			});
+			req.cookies.canary_id = canary;
+			log.info(`New canary_id cookie set:, ${cookieValue}`);
+		}
+		const geo = getData(ip);
+		const parsedUA = parseUA(ua);
+		const visitorId = randomUUID();
+		const userValidation = {
+			visitorId,
+			cookie: canary,
+			userAgent: ua,
+			ipAddress: ip,
+			device_type: parsedUA.device,
+			browser: parsedUA.browser,
+			is_bot: false,
+			first_seen: nowMysql(),
+			last_seen: nowMysql(),
+			request_count: 1,
+			deviceVendor: parsedUA.deviceVendor,
+			deviceModel: parsedUA.deviceModel,
+			browserType: parsedUA.browserType,
+			browserVersion: parsedUA.browserVersion,
+			os: parsedUA.os,
+			activity_score: "0",
+			...geo
+		};
+		getBatchQueue().addQueue(canary, ip, "visitor_upsert", { insert: userValidation }, "deferred");
+		req.newVisitorId = visitorId;
+		if (whiteList) {
+			log.info(`${ip} is in white list skipping botDetection checks.`);
+			visitorCache.set(canary, {
+				banned: false,
+				visitor_id: visitorId
+			}).catch((err) => {
+				log.error({ err }, "Failed to save visitorCache in storage");
+			});
+			req.botDetection = {
+				success: true,
+				banned: false,
+				time: (/* @__PURE__ */ new Date()).toISOString(),
+				ipAddress: ip
+			};
+			next();
+			return;
+		}
+		const brvConfig = getConfiguration().checkers.enableBehaviorRateCheck;
+		if (brvConfig.enable) {
+			if (!await rateCache.get(canary)) {
+				const ttlSeconds = Math.ceil(brvConfig.behavioral_window / 1e3);
+				rateCache.set(canary, {
+					score: 0,
+					timestamp: Date.now(),
+					request_count: 1
+				}, ttlSeconds).catch((err) => {
+					log.error({ err }, "Failed to pre seed rateCache");
+				});
+			}
+		}
+		const isBot = await uaAndGeoBotDetector(req, ip, ua, geo, parsedUA, buildCustomContext);
+		visitorCache.set(canary, {
+			banned: isBot,
+			visitor_id: visitorId
+		}).catch((err) => {
+			log.error({ err }, "Failed to save visitorCache in storage");
+		});
+		if (isBot) {
+			res.sendStatus(403);
+			return;
+		}
+		req.botDetection = {
+			success: true,
+			banned: isBot,
+			time: (/* @__PURE__ */ new Date()).toISOString(),
+			ipAddress: ip
+		};
+		userReputation(canary).catch((err) => {
+			consola.error("[BOT DETECTION - MIDDLEWARE] userReputation failed:", err);
+		});
+		next();
+	};
+}
+
+//#endregion
+//#region src/botDetector/routes/visitorLog.ts
+const router = Router();
+router.use("/check", validator(), (req, res) => {
+	res.json({
+		results: req.botDetection,
+		message: "Fingerprint logged successfully"
+	});
+});
+
+//#endregion
+//#region src/botDetector/db/generator.ts
+const MMDB_DIR = path.resolve(getLibraryRoot(), "_data-sources");
+async function buildBannedMmdb(generateTypes, mmdbctlPath) {
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "generator",
+		db: "banned"
+	});
+	const db = getDb();
+	const rows = await db.prepare(`SELECT ip_address, country, user_agent, reason, score
+         FROM banned
+         WHERE ip_address IS NOT NULL`).all();
+	if (rows.length === 0) {
+		log.info("No banned IPs — skipping banned.mmdb");
+		return;
+	}
+	const data = rows.map((r) => ({
+		range: r.ip_address,
+		score: r.score,
+		country: r.country,
+		userAgent: r.user_agent,
+		reason: r.reason,
+		comment: "Automatically generated by @riavzon/botDetector"
+	}));
+	await compiler({
+		type: "mmdb",
+		input: {
+			data,
+			dataBaseName: "banned",
+			outputPath: MMDB_DIR,
+			mmdbPath: mmdbctlPath,
+			generateTypes
+		}
+	});
+	log.info(`banned.mmdb compiled — ${String(data.length)} entries`);
+	if (getConfiguration().generator.deleteAfterBuild) {
+		const compiled = rows.map((r) => r.ip_address);
+		await prep(db, `DELETE FROM banned WHERE ip_address IN (${placeholders(db, compiled.length)})`).run(...compiled);
+		log.info(`Deleted ${String(compiled.length)} rows from banned after build`);
+	}
+}
+async function buildHighRiskMmdb(scoreThreshold, generateTypes, mmdbctlPath) {
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "generator",
+		db: "highRisk"
+	});
+	const db = getDb();
+	const rows = await prep(db, `SELECT
+           ip_address, visitor_id, suspicious_activity_score,
+           country, region, region_name, city, lat, lon, timezone,
+           isp, org, browser, browserType, browserVersion, os,
+           device_type, deviceVendor, deviceModel,
+           proxy, hosting, request_count, first_seen, last_seen
+         FROM visitors
+         WHERE suspicious_activity_score >= ? AND ip_address IS NOT NULL`).all(scoreThreshold);
+	if (rows.length === 0) {
+		log.info(`No high-risk visitors (score >= ${String(scoreThreshold)}) — skipping highRisk.mmdb`);
+		return;
+	}
+	const data = rows.map((r) => ({
+		range: r.ip_address,
+		visitorId: r.visitor_id,
+		score: r.suspicious_activity_score,
+		country: r.country,
+		region: r.region,
+		regionName: r.region_name,
+		city: r.city,
+		lat: r.lat,
+		lon: r.lon,
+		timezone: r.timezone,
+		isp: r.isp,
+		org: r.org,
+		browser: r.browser,
+		browserType: r.browserType,
+		browserVersion: r.browserVersion,
+		os: r.os,
+		deviceType: r.device_type,
+		deviceVendor: r.deviceVendor,
+		deviceModel: r.deviceModel,
+		proxy: Boolean(r.proxy),
+		hosting: Boolean(r.hosting),
+		requestCount: r.request_count,
+		firstSeen: r.first_seen ? r.first_seen.toISOString() : null,
+		lastSeen: r.last_seen ? r.last_seen.toISOString() : null,
+		comment: "Automatically generated by @riavzon/botDetector"
+	}));
+	await compiler({
+		type: "mmdb",
+		input: {
+			data,
+			dataBaseName: "highRisk",
+			outputPath: MMDB_DIR,
+			mmdbPath: mmdbctlPath,
+			generateTypes
+		}
+	});
+	log.info(`highRisk.mmdb compiled — ${String(data.length)} entries`);
+	if (getConfiguration().generator.deleteAfterBuild) {
+		const compiled = rows.map((r) => r.ip_address);
+		await prep(db, `DELETE FROM visitors WHERE ip_address IN (${placeholders(db, compiled.length)}) AND suspicious_activity_score >= ${placeholders(db, 1, compiled.length)}`).run(...compiled, scoreThreshold);
+		log.info(`Deleted ${String(compiled.length)} rows from visitors after build`);
+	}
+}
+async function runCycle() {
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "generator"
+	});
+	const { generator } = getConfiguration();
+	log.info("MMDB generation cycle started");
+	try {
+		await Promise.all([buildBannedMmdb(generator.generateTypes, generator.mmdbctlPath), buildHighRiskMmdb(generator.scoreThreshold, generator.generateTypes, generator.mmdbctlPath)]);
+		log.info("MMDB generation cycle complete");
+	} catch (err) {
+		log.error({ err }, "MMDB generation cycle failed");
+	}
+}
+async function runGeneration() {
+	return runCycle();
+}
+
+//#endregion
+//#region src/botDetector/db/warmUp.ts
+async function warmUp() {
+	const db = getDb();
+	await Promise.all(Array.from({ length: 10 }, () => db.sql`SELECT 1`));
+	await prep(db, `SELECT last_seen, request_count
+     FROM visitors
+    WHERE canary_id = ?
+    LIMIT 1`).get("00000000‑warm‑up‑row");
+	consola.info("botDetector is ready!");
+}
+
+//#endregion
+//#region src/botDetector/db/customUpdate.ts
+async function updateVisitors(data, cookie, visitor_id) {
+	const db = getDb();
+	const log = getLogger().child({
+		service: "BOT DETECTOR",
+		branch: "customUpdate"
+	});
+	const params = [
+		data.userAgent,
+		data.ipAddress,
+		data.country,
+		data.region,
+		data.regionName,
+		data.city,
+		data.district,
+		data.lat,
+		data.lon,
+		data.timezone,
+		data.currency,
+		data.isp,
+		data.org,
+		data.as,
+		data.device_type,
+		data.browser,
+		data.proxy,
+		data.hosting,
+		data.deviceVendor,
+		data.deviceModel,
+		data.browserType,
+		data.browserVersion,
+		data.os
+	];
+	try {
+		if (!(await prep(db, `
+            UPDATE visitors
+            SET
+                user_agent = ?,
+                ip_address = ?,
+                country = ?,
+                region = ?,
+                region_name = ?,
+                city = ?,
+                district = ?,
+                lat = ?,
+                lon = ?,
+                timezone = ?,
+                currency = ?,
+                isp = ?,
+                org = ?,
+                as_org = ?,
+                device_type = ?,
+                browser = ?,
+                proxy = ?,
+                hosting = ?,
+                deviceVendor = ?,
+                deviceModel = ?,
+                browserType = ?,
+                browserVersion = ?,
+                os = ?
+            WHERE canary_id  = ?
+              AND visitor_id = ?
+        `).run(...params, cookie, visitor_id)).success) {
+			log.warn({
+				cookie,
+				visitor_id
+			}, `updateVisitors: no rows affected`);
+			return {
+				success: false,
+				reason: `No visitor found for canary_id=${cookie} visitor_id=${visitor_id}`
+			};
+		}
+		log.info({ visitor_id }, `updateVisitors: visitor updated`);
+		return { success: true };
+	} catch (err) {
+		log.error({ err }, `updateVisitors: query failed`);
+		return {
+			success: false,
+			reason: "DB error — check logs for details"
+		};
+	}
+}
+
+//#endregion
+export { router as ApiResponse, BadBotDetected, CheckerRegistry, GoodBotDetected, banIp, configuration as defineConfiguration, validator as detectBots, getBatchQueue, getDataSources, getData as getGeoData, getStorage, parseUA, runGeneration, updateBannedIP, updateIsBot, updateVisitors, warmUp };
+//# sourceMappingURL=main.mjs.map