aiwaf-js 0.0.1

package/.github/workflows/node.js.yml

@@ -0,0 +1,31 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+ # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+ 
+ name: Node.js CI
+ 
+ on:
+   push:
+     branches: [ "main" ]
+   pull_request:
+     branches: [ "main" ]
+ 
+ jobs:
+   build:
+ 
+     runs-on: ubuntu-latest
+ 
+     strategy:
+       matrix:
+         node-version: [18.x, 20.x, 22.x]
+         # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+ 
+     steps:
+     - uses: actions/checkout@v4
+     - name: Use Node.js ${{ matrix.node-version }}
+       uses: actions/setup-node@v4
+       with:
+         node-version: ${{ matrix.node-version }}
+         cache: 'npm'
+     - run: npm ci
+     - run: npm run build --if-present
+     - run: npm test

package/.github/workflows/npm-publish.yml

@@ -0,0 +1,22 @@
+on:
+  release:
+    types: [created]
+  push:
+    branches: [ "main" ]
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org/
+
+      - run: npm install
+      - run: npm run test
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Aayush Gauba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,88 @@
+# aiwaf‑js
+
+> **Adaptive Web Application Firewall** middleware for Node.js & Express  
+> Self‑learning, plug‑and‑play WAF with rate‑limiting, static & dynamic keyword blocking, honeypot traps, UUID‑tamper protection and IsolationForest anomaly detection—fully configurable and trainable on your own access logs.
+
+[![npm version](https://img.shields.io/npm/v/aiwaf-js.svg)](https://www.npmjs.com/package/aiwaf-js)  
+[![Build Status](https://img.shields.io/github/actions/workflow/status/your‑user/aiwaf-js/ci.yml)](https://github.com/your‑user/aiwaf-js/actions)  
+[![License](https://img.shields.io/npm/l/aiwaf-js.svg)](LICENSE)
+
+## Features
+
+- Rate Limiting
+- Static Keyword Blocking
+- Dynamic Keyword Learning
+- Honeypot Field Detection
+- UUID‑Tamper Protection
+- Anomaly Detection (Isolation Forest)
+- Offline Retraining
+
+## Installation
+
+```bash
+npm install aiwaf-js --save
+```
+
+## Quick Start
+
+```js
+const express = require('express')
+const aiwaf   = require('aiwaf-js')
+
+const app = express()
+app.use(express.json())
+app.use(aiwaf())
+app.get('/', (req, res) => res.send('Protected'))
+app.listen(3000)
+```
+
+## Training
+
+```bash
+NODE_LOG_PATH=/path/to/access.log npm run train
+```
+
+
+## Usage Example
+
+Here’s a simple Express app that uses `aiwaf-js` with custom settings:
+
+```js
+const express = require('express');
+const aiwaf = require('aiwaf-js');
+
+const app = express();
+app.use(express.json());
+
+app.use(aiwaf({
+  staticKeywords: ['.php', '.env', '.git'],  // ← add .php here
+  dynamicTopN: 10,
+  WINDOW_SEC: 10,
+  MAX_REQ: 20,
+  FLOOD_REQ: 10,
+  HONEYPOT_FIELD: 'hp_field',
+}));
+
+app.get('/', (req, res) => res.send('Protected by AIWAF-JS'));
+app.listen(3000, () => console.log('Server running on http://localhost:3000'));
+```
+
+## License
+
+MIT License © 2025 Aayush Gauba
+
+## Configuration Options
+
+You can pass an options object to `aiwaf(opts)` or use environment variables.
+
+| Option             | Env Var             | Default                               | Description                                                             |
+|--------------------|---------------------|---------------------------------------|-------------------------------------------------------------------------|
+| `staticKeywords`   | —                   | [".php",".xmlrpc","wp-",…]            | Substrings to block immediately.                                       |
+| `dynamicTopN`      | `DYNAMIC_TOP_N`     | 10                                    | Number of top “learned” keywords to match per request.                 |
+| `windowSec`        | `WINDOW_SEC`        | 10                                    | Time window (in seconds) for rate limiting and burst calculation.      |
+| `maxReq`           | `MAX_REQ`           | 20                                    | Maximum requests allowed in `windowSec`.                               |
+| `floodReq`         | `FLOOD_REQ`         | 10                                    | If requests exceed this in `windowSec`, IP is blacklisted outright.    |
+| `honeypotField`    | `HONEYPOT_FIELD`    | "hp_field"                            | Name of the hidden form field to detect bots.                          |
+| `anomalyThreshold` | `ANOMALY_THRESHOLD` | 0.5                                   | IsolationForest score threshold above which requests are anomalous.    |
+| `logPath`          | `NODE_LOG_PATH`     | "/var/log/nginx/access.log"           | Path to your main access log (used by `train.js`).                     |
+| `logGlob`          | `NODE_LOG_GLOB`     | `${logPath}.*`                        | Glob pattern to include rotated/gzipped logs.                          |

package/index.js

@@ -0,0 +1,3 @@
+// aiwaf‑js/index.js
+// Export the middleware factory from lib/wafMiddleware.js
+module.exports = require('./lib/wafMiddleware');  // :contentReference[oaicite:0]{index=0}​:contentReference[oaicite:1]{index=1}

package/knexfile.js

@@ -0,0 +1,9 @@
+module.exports = {
+    development: {
+      client: 'sqlite3',
+      connection: {
+        filename: './data/aiwaf.sqlite'
+      },
+      useNullAsDefault: true
+    }
+  };

package/lib/anomalyDetector.js

@@ -0,0 +1,47 @@
+// lib/anomalyDetector.js
+
+const { IsolationForest } = require('./isolationForest');
+let model;
+let trained = false;
+
+module.exports = {
+  /**
+   * Initialize a fresh forest instance.
+   * @param {Object} opts
+   * @param {number} opts.nTrees      Number of trees to build (default 100)
+   * @param {number} opts.sampleSize  Subsample size per tree (default 256)
+   */
+  init({ nTrees = 100, sampleSize = 256 } = {}) {
+    model = new IsolationForest({ nTrees, sampleSize });
+    trained = false;
+  },
+
+  /**
+   * Train the isolation forest on feature vectors.
+   * @param {Array<Array<number>>} data  Array of feature vectors.
+   */
+  train(data) {
+    if (!model) this.init();      // ensure model initialized
+    model.fit(data);
+    trained = true;
+  },
+
+  /**
+   * Check if a request is anomalous.
+   * @param {Object} req  Express request object
+   * @returns {boolean}   true if anomalous, false otherwise
+   */
+  isAnomalous(req) {
+    if (!trained) return false;
+    // build your feature vector here; add more features as needed
+    const feat = [
+      req.path.length,  // path length
+      0,                // placeholder: keyword hits
+      0,                // placeholder: status code index
+      0,                // placeholder: response time
+      0,                // placeholder: burst count
+      0                 // placeholder: total 404s
+    ];
+    return model.isAnomaly(feat);
+  }
+};

package/lib/blacklistManager.js

@@ -0,0 +1,10 @@
+const db = require('../utils/db');
+module.exports = {
+  async isBlocked(ip) {
+    const row = await db('blocked_ips').where('ip_address', ip).first();
+    return !!row;
+  },
+  async block(ip, reason) {
+    await db('blocked_ips').insert({ ip_address: ip, reason }).onConflict('ip_address').ignore();
+  }
+};

package/lib/dynamicKeyword.js

@@ -0,0 +1,26 @@
+// lib/dynamicKeyword.js
+let opts, counts;
+
+module.exports = {
+  init(o = {}) {
+    // normalize option name
+    const topN = o.dynamicTopN ?? o.DYNAMIC_TOP_N ?? 10;
+    opts = { dynamicTopN: topN };
+    counts = {};
+  },
+
+  learn(path) {
+    const segments = path.split('/').filter(s => s.length > 3);
+    segments.forEach(s => {
+      counts[s] = (counts[s] || 0) + 1;
+    });
+  },
+
+  check(path) {
+    // only block segments whose count exceeds the threshold
+    return Object.entries(counts)
+      .find(([seg, cnt]) => cnt > opts.dynamicTopN && path.includes(seg))
+      ?. [0]  // return the segment string
+    || null;
+  }
+};

package/lib/honeypotDetector.js

@@ -0,0 +1,5 @@
+let field;
+module.exports = {
+  init(o) { field = o.HONEYPOT_FIELD; },
+  isTriggered(req) { return req.body && req.body[field]; }
+};

package/lib/isolationForest.js

@@ -0,0 +1,97 @@
+// lib/isolationForest.js
+
+class IsolationTree {
+    constructor(depth = 0, maxDepth = 0) {
+      this.depth = depth;
+      this.maxDepth = maxDepth;
+      this.left = null;
+      this.right = null;
+      this.splitAttr = null;
+      this.splitValue = null;
+      this.size = 0;
+    }
+  
+    fit(data) {
+      this.size = data.length;
+      // stop criteria
+      if (this.depth >= this.maxDepth || data.length <= 1) return;
+      // choose random feature
+      const numFeatures = data[0].length;
+      this.splitAttr = Math.floor(Math.random() * numFeatures);
+      // find min/max on that feature
+      let vals = data.map(row => row[this.splitAttr]);
+      const min = Math.min(...vals), max = Math.max(...vals);
+      if (min === max) return; 
+      // choose random split
+      this.splitValue = min + Math.random() * (max - min);
+      // partition data
+      const leftData = [], rightData = [];
+      for (let row of data) {
+        (row[this.splitAttr] < this.splitValue ? leftData : rightData).push(row);
+      }
+      // build subtrees
+      this.left  = new IsolationTree(this.depth+1, this.maxDepth);
+      this.right = new IsolationTree(this.depth+1, this.maxDepth);
+      this.left.fit(leftData);
+      this.right.fit(rightData);
+    }
+  
+    pathLength(point) {
+      // if leaf or no split, path ends here
+      if (!this.left || !this.right) {
+        // use average c(size) for external nodes
+        return this.depth + c(this.size);
+      }
+      // descend
+      if (point[this.splitAttr] < this.splitValue) {
+        return this.left.pathLength(point);
+      } else {
+        return this.right.pathLength(point);
+      }
+    }
+  }
+  
+  // average path length of unsuccessful search in a BST
+  function c(n) {
+    if (n <= 1) return 1;
+    return 2 * (Math.log(n - 1) + 0.5772156649) - (2*(n-1)/n);
+  }
+  
+  class IsolationForest {
+    constructor({ nTrees = 100, sampleSize = 256 } = {}) {
+      this.nTrees = nTrees;
+      this.sampleSize = sampleSize;
+      this.trees = [];
+    }
+  
+    fit(data) {
+      const heightLimit = Math.ceil(Math.log2(this.sampleSize));
+      for (let i = 0; i < this.nTrees; i++) {
+        // random subsample
+        const sample = [];
+        for (let j = 0; j < this.sampleSize; j++) {
+          sample.push(data[Math.floor(Math.random() * data.length)]);
+        }
+        const tree = new IsolationTree(0, heightLimit);
+        tree.fit(sample);
+        this.trees.push(tree);
+      }
+    }
+  
+    anomalyScore(point) {
+      // average path length
+      const pathLens = this.trees.map(t => t.pathLength(point));
+      const avgPath = pathLens.reduce((a,b) => a+b, 0) / this.nTrees;
+      // score: 2^(-E[h(x)]/c(sampleSize))
+      const cn = c(this.sampleSize);
+      return Math.pow(2, -avgPath / cn);
+    }
+  
+    // simple threshold helper
+    isAnomaly(point, thresh = 0.5) {
+      return this.anomalyScore(point) > thresh;
+    }
+  }
+  
+  module.exports = { IsolationForest };
+  

package/lib/keywordDetector.js

@@ -0,0 +1,5 @@
+let staticKeywords = [];
+module.exports = {
+  init(o) { staticKeywords = o.staticKeywords || []; },
+  check(path) { return staticKeywords.find(kw => path.includes(kw)); }
+};

package/lib/rateLimiter.js

@@ -0,0 +1,19 @@
+const NodeCache = require('node-cache');
+const blacklistManager = require('./blacklistManager');
+let cache, opts;
+module.exports = {
+  init(o) { opts = o; cache = new NodeCache({ stdTTL: opts.WINDOW_SEC }); },
+  async record(ip) {
+    const recs = cache.get(ip) || [];
+    recs.push(Date.now()); cache.set(ip, recs);
+    if (recs.length > opts.FLOOD_REQ) {
+      await blacklistManager.block(ip, 'flood');
+    }
+  },
+  async isBlocked(ip) {
+    if (await blacklistManager.isBlocked(ip)) return true;
+    const recs = cache.get(ip) || [];
+    const within = recs.filter(t => Date.now() - t < opts.WINDOW_SEC*1000);
+    return within.length > opts.MAX_REQ;
+  }
+};

package/lib/uuidDetector.js

@@ -0,0 +1,17 @@
+const { validate: isUuid } = require('uuid');
+
+module.exports = {
+  init(opts = {}) {
+    this.prefix = opts.uuidRoutePrefix || '/user';
+  },
+  isSuspicious(req) {
+    const { path } = req;
+    const regex = new RegExp(`^${this.prefix}/([^/]+)$`);
+    const match = path.match(regex);
+    if (!match) {
+      return false;
+    }
+    const uid = match[1];
+    return !isUuid(uid);
+  }
+};

package/lib/wafMiddleware.js

@@ -0,0 +1,80 @@
+// lib/wafMiddleware.js
+
+const rateLimiter      = require('./rateLimiter');
+const blacklistManager = require('./blacklistManager');
+const keywordDetector  = require('./keywordDetector');
+const dynamicKeyword   = require('./dynamicKeyword');
+const honeypotDetector = require('./honeypotDetector');
+const uuidDetector     = require('./uuidDetector');
+const anomalyDetector  = require('./anomalyDetector');
+
+module.exports = function aiwaf(opts = {}) {
+  // initialize all sub‑modules
+  rateLimiter.init(opts);
+  keywordDetector.init(opts);
+  dynamicKeyword.init(opts);
+  honeypotDetector.init(opts);
+  uuidDetector.init(opts);
+  anomalyDetector.init(opts);
+
+  return async (req, res, next) => {
+    // honor X‑Forwarded‑For for tests or real proxies
+    const ipHdr = req.headers['x-forwarded-for'];
+    const ip    = ipHdr ? ipHdr.split(',')[0].trim() : req.ip;
+    const path  = req.path.toLowerCase();
+
+    // learn every request for dynamic keywords
+    dynamicKeyword.learn(path);
+
+    // 1) IP blacklist
+    if (await blacklistManager.isBlocked(ip)) {
+      return res.status(403).json({ error: 'blocked' });
+    }
+
+    // 2) Honeypot trap
+    if (honeypotDetector.isTriggered(req)) {
+      await blacklistManager.block(ip, 'honeypot');
+      return res.status(403).json({ error: 'bot_detected' });
+    }
+
+    // 3) Rate limiting
+    await rateLimiter.record(ip);
+
+    // If recs > MAX_REQ but not yet blacklisted (flood), return 429
+    if (await rateLimiter.isBlocked(ip)) {
+      if (await blacklistManager.isBlocked(ip)) {
+        return res.status(403).json({ error: 'blocked' });
+      }
+      return res.status(429).json({ error: 'too_many_requests' });
+    }
+
+    // 4) Static keyword
+    const sk = keywordDetector.check(path);
+    if (sk) {
+      await blacklistManager.block(ip, `static:${sk}`);
+      return res.status(403).json({ error: 'blocked' });
+    }
+
+    // 5) Dynamic keyword
+    const dk = dynamicKeyword.check(path);
+    if (dk) {
+      await blacklistManager.block(ip, `dynamic:${dk}`);
+      return res.status(403).json({ error: 'blocked' });
+    }
+
+    // 6) UUID tamper
+    if (uuidDetector.isSuspicious(req)) {
+      await blacklistManager.block(ip, 'uuid');
+      return res.status(403).json({ error: 'blocked' });
+    }
+
+    // 7) Anomaly detection
+    if (await anomalyDetector.isAnomalous(req)) {
+      await blacklistManager.block(ip, 'anomaly');
+      return res.status(403).json({ error: 'blocked' });
+    }
+
+    // no block, pass through
+    next();
+  };
+};

package/migrations/001_create_blocked_ips.js

@@ -0,0 +1,11 @@
+exports.up = function(knex) {
+    return knex.schema.createTable('blocked_ips', table => {
+      table.increments('id');
+      table.string('ip_address').notNullable().unique();
+      table.string('reason');
+      table.timestamp('created_at').defaultTo(knex.fn.now());
+    });
+  };
+  exports.down = function(knex) {
+    return knex.schema.dropTable('blocked_ips');
+  };

package/migrations/002_create_dynamic_keywords.js

@@ -0,0 +1,11 @@
+exports.up = function(knex) {
+    return knex.schema.createTable('dynamic_keywords', table => {
+      table.increments('id');
+      table.string('keyword').notNullable().unique();
+      table.integer('count').notNullable().defaultTo(0);
+      table.timestamp('updated_at').defaultTo(knex.fn.now());
+    });
+  };
+  exports.down = function(knex) {
+    return knex.schema.dropTable('dynamic_keywords');
+  };

package/package.json

@@ -0,0 +1,32 @@
+{
+    "name": "aiwaf-js",
+    "version": "0.0.1",
+    "description": "Adaptive Web Application Firewall middleware for Node.js (Express, Fastify, Hapi, Next.js)",
+    "main": "index.js",
+    "scripts": {
+        "retrain": "AIWAF_LOG_PATH=/var/log/nginx/access.log npm run train",
+        "train": "node train.js",
+        "test": "jest --runInBand"
+    },
+    "dependencies": {
+        "express": "^4.18.2",
+        "jest": "^29.7.0",
+        "knex": "^2.4.2",
+        "node-cache": "^5.1.2",
+        "redis": "^4.6.5",
+        "sqlite3": "^5.1.6",
+        "supertest": "^7.1.0",
+        "uuid": "^9.0.0"
+    },
+    "keywords": [
+        "waf",
+        "firewall",
+        "security",
+        "express",
+        "nodejs",
+        "middleware",
+        "ml"
+    ],
+    "author": "Aayush Gauba",
+    "license": "MIT"
+}

package/test/waf.test.js

@@ -0,0 +1,105 @@
+const request = require('supertest');
+const express = require('express');
+const path = require('path');
+
+process.env.NODE_ENV = 'test';
+jest.setTimeout(15000); // Set global test timeout to 15s
+
+const db = require('../utils/db'); // Adjust path if needed
+const aiwaf = require('../index');
+const dynamicKeyword = require('../lib/dynamicKeyword');
+
+beforeAll(async () => {
+  const hasTable = await db.schema.hasTable('blocked_ips');
+  if (!hasTable) {
+    await db.schema.createTable('blocked_ips', table => {
+      table.increments('id');
+      table.string('ip_address').unique();
+      table.string('reason');
+      table.timestamp('blocked_at').defaultTo(db.fn.now());
+    });
+  }
+});
+
+describe('AIWAF-JS Middleware', () => {
+  let app, ip;
+
+  beforeEach(() => {
+    ip = `192.0.2.${Math.floor(Math.random() * 254) + 1}`;
+    dynamicKeyword.init({ dynamicTopN: 3 });
+
+    app = express();
+    app.use(express.json());
+    app.use(aiwaf({
+      staticKeywords: ['.php', '.env', '.git'],
+      dynamicTopN: 3,
+      WINDOW_SEC: 1,
+      MAX_REQ: 5,
+      FLOOD_REQ: 10,
+      HONEYPOT_FIELD: 'hp_field'
+    }));
+
+    app.get('/', (req, res) => res.send('OK'));
+    app.post('/', (req, res) => res.send('POST OK'));
+    app.get('/user/:uuid', (req, res) => res.send('USER OK'));
+    app.use((req, res) => res.status(404).send('Not Found'));
+  });
+
+  it('blocks static keyword .php', () =>
+    request(app)
+      .get('/wp-config.php')
+      .set('X-Forwarded-For', ip)
+      .expect(403, { error: 'blocked' })
+  );
+
+  it('allows safe paths', () =>
+    request(app)
+      .get('/')
+      .set('X-Forwarded-For', ip)
+      .expect(200, 'OK')
+  );
+
+  it('blocks after exceeding rate limit', async () => {
+    for (let i = 0; i < 7; i++) {
+      const resp = await request(app)
+        .get('/')
+        .set('X-Forwarded-For', ip);
+      if (i < 5) {
+        expect(resp.status).toBe(200);
+      } else {
+        expect([429, 403]).toContain(resp.status);
+      }
+    }
+  });
+
+  it('blocks honeypot field', () =>
+    request(app)
+      .post('/')
+      .set('X-Forwarded-For', ip)
+      .send({ hp_field: 'caught' })
+      .expect(403, { error: 'bot_detected' })
+  );
+
+  it('blocks invalid UUIDs', () =>
+    request(app)
+      .get('/user/not-a-uuid')
+      .set('X-Forwarded-For', ip)
+      .expect(403)
+  );
+
+  it('learns and blocks dynamic keywords', async () => {
+    const segment = '/secretABC';
+    for (let i = 0; i < 3; i++) {
+      await request(app)
+        .get(segment)
+        .set('X-Forwarded-For', ip)
+        .expect(404);
+    }
+    await request(app)
+      .get(segment)
+      .set('X-Forwarded-For', ip)
+      .expect(403, { error: 'blocked' });
+  });
+});
+
+afterAll(() => db.destroy());

package/train.js

@@ -0,0 +1,146 @@
+// train.js
+
+const fs       = require('fs');
+const path     = require('path');
+const glob     = require('glob');
+const zlib     = require('zlib');
+const readline = require('readline');
+const { IsolationForest } = require('./lib/isolationForest');
+
+//
+// Configuration
+//
+
+// Static malicious keywords to count in URLs
+const STATIC_KW  = [
+  '.php', '.xmlrpc', 'wp-', '.env', '.git', '.bak',
+  'conflg', 'shell', 'filemanager'
+];
+
+// Status codes we index
+const STATUS_IDX = ['200','403','404','500'];
+
+// Default log input paths (can be overridden with env vars)
+const LOG_PATH = process.env.NODE_LOG_PATH
+  || '/var/log/nginx/access.log';
+const LOG_GLOB = process.env.NODE_LOG_GLOB
+  || `${LOG_PATH}.*`;
+
+// Regex to parse each access‐log line.
+// Captures: 1) client IP, 2) request URI, 3) status code, 4) response‐time
+const LINE_RX = /(\d+\.\d+\.\d+\.\d+).*"(?:GET|POST) (.*?) HTTP\/.*?" (\d{3}).*?response-time=(\d+\.\d+)/;
+
+//
+// Helpers to read log files
+//
+
+async function* readLines(file) {
+  const stream = file.endsWith('.gz')
+    ? fs.createReadStream(file).pipe(zlib.createGunzip())
+    : fs.createReadStream(file);
+  const rl = readline.createInterface({ input: stream, crlfDelay: Infinity });
+  for await (const line of rl) {
+    yield line;
+  }
+}
+
+async function readAllLogs() {
+  const lines = [];
+
+  // main log
+  if (fs.existsSync(LOG_PATH)) {
+    for await (const l of readLines(LOG_PATH)) {
+      lines.push(l);
+    }
+  }
+
+  // rotated / gzipped files
+  for (const f of glob.sync(LOG_GLOB)) {
+    for await (const l of readLines(f)) {
+      lines.push(l);
+    }
+  }
+
+  return lines;
+}
+
+//
+// Convert a single log line into a 6‑dimensional feature vector:
+// [ pathLength, keywordHits, statusIdx, responseTime, burst=0, total404=0 ]
+//
+
+function parseLineToFeatures(line) {
+  const m = LINE_RX.exec(line);
+  if (!m) return null;
+
+  // m[2] = URI with optional query
+  // m[3] = status code
+  // m[4] = response‐time
+  const uri    = m[2].split('?')[0];
+  const status = m[3];
+  const rt     = parseFloat(m[4]);
+
+  // Feature 1: length of the path
+  const pathLen = uri.length;
+
+  // Feature 2: count of static keywords in the path
+  const kwHits = STATIC_KW.reduce(
+    (sum, kw) => sum + (uri.toLowerCase().includes(kw) ? 1 : 0),
+    0
+  );
+
+  // Feature 3: status code index
+  const statusIdx = STATUS_IDX.indexOf(status) >= 0
+    ? STATUS_IDX.indexOf(status)
+    : -1;
+
+  // Feature 4: response time
+  const respTime = rt;
+
+  // Features 5 & 6 are placeholders (burst count and total 404s)
+  const burst    = 0;
+  const total404 = 0;
+
+  return [pathLen, kwHits, statusIdx, respTime, burst, total404];
+}
+
+//
+// Main training routine
+//
+
+(async () => {
+  try {
+    const raw = await readAllLogs();
+    if (raw.length === 0) {
+      console.warn('No logs found – please set NODE_LOG_PATH to your access log.');
+      return;
+    }
+
+    // Build feature matrix
+    const feats = raw
+      .map(parseLineToFeatures)
+      .filter(f => f !== null);
+
+    if (feats.length === 0) {
+      console.warn('No valid log lines parsed into features.');
+      return;
+    }
+
+    // Train the Isolation Forest
+    const model = new IsolationForest({ nTrees: 100, sampleSize: 256 });
+    model.fit(feats);
+
+    // Persist the trained model
+    const outDir  = path.join(__dirname, 'resources');
+    const outFile = path.join(outDir, 'model.json');
+    fs.mkdirSync(outDir, { recursive: true });
+
+    // Serialize the model; if your IsolationForest supports .serialize(), use that.
+    // Otherwise we simply JSON‐stringify the internal tree structure.
+    fs.writeFileSync(outFile, JSON.stringify(model), 'utf8');
+
+    console.log(`✅ Trained on ${feats.length} samples → ${outFile}`);
+  } catch (err) {
+    console.error('Training failed:', err);
+  }
+})();

package/utils/cache.js

@@ -0,0 +1,3 @@
+const NodeCache = require('node-cache');
+const redis = require('redis');
+module.exports = (useRedis=false) => useRedis ? redis.createClient() : new NodeCache();

package/utils/db.js

@@ -0,0 +1,11 @@
+const knex = require('knex');
+
+const isTest = process.env.NODE_ENV === 'test';
+
+module.exports = knex({
+  client: 'sqlite3',
+  connection: {
+    filename: isTest ? ':memory:' : './aiwaf.sqlite'
+  },
+  useNullAsDefault: true,
+});