cdp-edge 2.0.3 → 2.0.5

package/server-edge-tracker/modules/ml/fraud.js

@@ -0,0 +1,301 @@
+/**
+ * CDP Edge — Fraud Detection (Fase 4)
+ * checkFraudGate, logFraudSignal, handlers das rotas /api/fraud/*
+ */
+
+import { sha256, tryParseJson } from '../utils.js';
+
+// ── Listas de detecção ────────────────────────────────────────────────────────
+export const DISPOSABLE_EMAIL_DOMAINS = new Set([
+  'mailinator.com','guerrillamail.com','tempmail.com','throwaway.email',
+  'yopmail.com','sharklasers.com','guerrillamailblock.com','spam4.me',
+  '10minutemail.com','trashmail.com','maildrop.cc','fakeinbox.com',
+  'dispostable.com','getairmail.com','mailnull.com',
+]);
+
+export const DATACENTER_PATTERNS = /amazon|google|microsoft|digitalocean|linode|ovh|vultr|hetzner|contabo|cloudflare|packet|rackspace|leaseweb/i;
+
+// ── checkFraudGate — roda ANTES de qualquer processamento de evento ────────────
+// Retorna { allowed, score, reasons, action }
+// Falhas no gate = fail-safe (deixa passar)
+export async function checkFraudGate(env, request, payload) {
+  const result = { allowed: true, score: 0, reasons: [], action: 'allowed' };
+
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const email       = payload.email                             || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '').toLowerCase();
+    const country     = (request.cf?.country || '').toUpperCase();
+    const acceptLang  = request.headers.get('Accept-Language');
+
+    // 1. KV blocklist check — instantâneo (~0ms)
+    if (env.GEO_CACHE && ip) {
+      const ipBlocked = await env.GEO_CACHE.get(`fraud_block:ip:${ip}`);
+      if (ipBlocked) {
+        return { allowed: false, score: 100, reasons: ['ip_blocklisted'], action: 'dropped' };
+      }
+    }
+    if (env.GEO_CACHE && fingerprint) {
+      const fpBlocked = await env.GEO_CACHE.get(`fraud_block:fp:${fingerprint}`);
+      if (fpBlocked) {
+        return { allowed: false, score: 100, reasons: ['fingerprint_blocklisted'], action: 'dropped' };
+      }
+    }
+
+    // 2. Bot score
+    if (botScore >= 3) { result.score += 60; result.reasons.push('bot_score_high'); }
+    else if (botScore === 2) { result.score += 30; result.reasons.push('bot_score_medium'); }
+
+    // 3. User-Agent suspeito
+    if (/headless|phantomjs|selenium|webdriver|curl|python|scrapy|bot|crawler|spider/i.test(ua)) {
+      result.score += 40; result.reasons.push('suspicious_user_agent');
+    }
+
+    // 4. Datacenter IP
+    if (ip && DATACENTER_PATTERNS.test(asn)) {
+      result.score += 35; result.reasons.push('datacenter_ip');
+    }
+
+    // 5. Sem Accept-Language
+    if (!acceptLang) {
+      result.score += 20; result.reasons.push('no_accept_language');
+    }
+
+    // 6. Email descartável
+    if (email) {
+      const domain = email.split('@')[1]?.toLowerCase();
+      if (domain && DISPOSABLE_EMAIL_DOMAINS.has(domain)) {
+        result.score += 25; result.reasons.push('disposable_email');
+      }
+    }
+
+    // 7. Velocity check via KV
+    if (env.GEO_CACHE && ip) {
+      const velKey1h = `fraud_velocity:${ip}:h`;
+      const velStr   = await env.GEO_CACHE.get(velKey1h);
+      const vel1h    = parseInt(velStr || '0') + 1;
+
+      await env.GEO_CACHE.put(velKey1h, String(vel1h), { expirationTtl: 3600 });
+
+      if (vel1h > 20) { result.score += 50; result.reasons.push('ip_velocity_very_high'); }
+      else if (vel1h > 10) { result.score += 25; result.reasons.push('ip_velocity_high'); }
+    }
+
+    result.score = Math.min(100, result.score);
+
+    // 8. Decisão final
+    if (result.score >= 80) {
+      result.allowed = false;
+      result.action  = 'dropped';
+    } else if (result.score >= 40) {
+      result.action = 'flagged';
+    }
+
+    return result;
+
+  } catch (err) {
+    console.error('[Fraud] checkFraudGate error:', err.message);
+    return { allowed: true, score: 0, reasons: ['gate_error_fallback'], action: 'allowed' };
+  }
+}
+
+// ── logFraudSignal — persiste no D1 em background ────────────────────────────
+export async function logFraudSignal(env, request, payload, fraudResult) {
+  if (!env.DB || fraudResult.action === 'allowed') return;
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '');
+    const country     = (request.cf?.country              || '');
+    const velKey1h    = `fraud_velocity:${ip}:h`;
+    const vel1h       = env.GEO_CACHE ? parseInt(await env.GEO_CACHE.get(velKey1h) || '0') : 0;
+
+    let emailHash = null;
+    if (payload.email) {
+      try { emailHash = await sha256(payload.email.trim().toLowerCase()); } catch {}
+    }
+
+    await env.DB.prepare(`
+      INSERT INTO fraud_signals (
+        ip_address, fingerprint, user_id, email_hash, event_name, event_id,
+        fraud_score, action_taken, reasons,
+        ip_country, ip_asn, user_agent, bot_score, velocity_1h, detected_at
+      ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now'))
+    `).bind(
+      ip, fingerprint || null, payload.userId || null, emailHash,
+      payload.eventName || null, payload.eventId || null,
+      fraudResult.score, fraudResult.action, JSON.stringify(fraudResult.reasons),
+      country, asn, ua.substring(0, 255), botScore, vel1h,
+    ).run();
+
+    if (fraudResult.action === 'dropped' && ip) {
+      await env.DB.prepare(`
+        INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, top_reasons)
+        VALUES ('ip_attack', 'ip', ?, 1, 1, ?, datetime('now'), datetime('now'), ?)
+        ON CONFLICT(entity_type, entity_value) DO UPDATE SET
+          events_total   = events_total + 1,
+          events_dropped = events_dropped + 1,
+          peak_score     = MAX(peak_score, excluded.peak_score),
+          last_seen      = datetime('now'),
+          updated_at     = datetime('now')
+      `).bind(ip, fraudResult.score, JSON.stringify(fraudResult.reasons)).run().catch(() => {});
+    }
+  } catch (err) {
+    console.error('[Fraud] logFraudSignal error:', err.message);
+  }
+}
+
+// ── GET /api/fraud/alerts ─────────────────────────────────────────────────────
+export async function handleFraudAlerts(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const action = url.searchParams.get('action') || null;
+  const hours  = parseInt(url.searchParams.get('hours') || '24');
+  const limit  = Math.min(parseInt(url.searchParams.get('limit') || '50'), 200);
+
+  try {
+    const cond     = action ? 'AND action_taken = ?' : '';
+    const bindings = action ? [hours, action, limit] : [hours, limit];
+
+    const result = await env.DB.prepare(`
+      SELECT ip_address, fingerprint, event_name, fraud_score, action_taken,
+             reasons, ip_country, ip_asn, bot_score, velocity_1h, detected_at
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-' || ? || ' hours')
+        ${cond}
+      ORDER BY fraud_score DESC, detected_at DESC
+      LIMIT ?
+    `).bind(...bindings).all();
+
+    const signals = (result.results || []).map(s => ({ ...s, reasons: tryParseJson(s.reasons, []) }));
+    const stats = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first().catch(() => null);
+
+    return new Response(JSON.stringify({ success: true, period_hours: hours, total: signals.length, stats, alerts: signals }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] alerts error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/fraud/blocklist ──────────────────────────────────────────────────
+export async function handleFraudBlocklist(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const result = await env.DB.prepare(`
+      SELECT entity_type, entity_value, events_total, events_dropped,
+             peak_score, first_seen, last_seen, blocked_at, block_expires, top_reasons
+      FROM fraud_alerts WHERE is_blocked = 1 ORDER BY events_dropped DESC LIMIT 100
+    `).all();
+
+    const blocklist = (result.results || []).map(r => ({ ...r, top_reasons: tryParseJson(r.top_reasons, []) }));
+    return new Response(JSON.stringify({ success: true, total: blocklist.length, blocklist }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── POST /api/fraud/blocklist/add ─────────────────────────────────────────────
+export async function handleFraudBlocklistAdd(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value, ttl_hours = 24, reason = 'manual_block' } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type (ip|fingerprint) e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+  if (!['ip', 'fingerprint'].includes(entity_type)) {
+    return new Response(JSON.stringify({ error: 'entity_type deve ser: ip ou fingerprint' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey    = `fraud_block:${entity_type}:${entity_value}`;
+    const ttlSec   = Math.min(ttl_hours * 3600, 7 * 24 * 3600);
+    const expiresAt = new Date(Date.now() + ttlSec * 1000).toISOString();
+
+    if (env.GEO_CACHE) {
+      await env.GEO_CACHE.put(kvKey, JSON.stringify({ reason, blocked_at: new Date().toISOString() }), { expirationTtl: ttlSec });
+    }
+
+    await env.DB.prepare(`
+      INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, is_blocked, blocked_at, block_expires, top_reasons)
+      VALUES ('manual', ?, ?, 0, 0, 100, datetime('now'), datetime('now'), 1, datetime('now'), ?, ?)
+      ON CONFLICT DO UPDATE SET is_blocked = 1, blocked_at = datetime('now'), block_expires = excluded.block_expires, updated_at = datetime('now')
+    `).bind(entity_type, entity_value, expiresAt, JSON.stringify([reason])).run().catch(() => {});
+
+    return new Response(JSON.stringify({
+      success: true, entity_type, entity_value, kv_key: kvKey, ttl_hours, expires_at: expiresAt,
+      message: `${entity_type} '${entity_value}' bloqueado por ${ttl_hours}h. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist add error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── DELETE /api/fraud/blocklist/remove ───────────────────────────────────────
+export async function handleFraudBlocklistRemove(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey = `fraud_block:${entity_type}:${entity_value}`;
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(kvKey);
+    await env.DB.prepare(`UPDATE fraud_alerts SET is_blocked = 0, resolved_at = datetime('now'), resolved_by = 'manual' WHERE entity_type = ? AND entity_value = ?`).bind(entity_type, entity_value).run();
+
+    return new Response(JSON.stringify({
+      success: true, entity_type, entity_value,
+      message: `${entity_type} '${entity_value}' removido do blocklist. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist remove error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/fraud/stats ──────────────────────────────────────────────────────
+export async function handleFraudStats(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const dashboard  = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first();
+    const topIps     = await env.DB.prepare(`
+      SELECT ip_address, COUNT(*) as events, MAX(fraud_score) as peak_score
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours') AND action_taken = 'dropped'
+      GROUP BY ip_address ORDER BY events DESC LIMIT 10
+    `).all();
+    const topReasons = await env.DB.prepare(`
+      SELECT action_taken, COUNT(*) as count FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours')
+      GROUP BY action_taken
+    `).all();
+
+    return new Response(JSON.stringify({
+      success: true, period: '24h', dashboard,
+      top_attacking_ips: topIps.results || [],
+      by_action: topReasons.results || [],
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] stats error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}

package/server-edge-tracker/modules/ml/logistic.js

@@ -0,0 +1,195 @@
+/**
+ * CDP Edge — Logistic Regression (pure JS, sem deps externas)
+ * Treina modelo de predição de conversão com dados reais do D1.
+ *
+ * Features usadas (todas normalizadas 0-1):
+ *   utm_source, engagement_score, intention_level, recency,
+ *   has_email, has_phone, is_br, hour_normalized
+ */
+
+// ── Feature Engineering ───────────────────────────────────────────────────────
+
+const UTM_SCORES = {
+  facebook: 0.90, instagram: 0.90, meta: 0.90,
+  google:   0.82, youtube:   0.82,
+  tiktok:   0.75,
+  email:    0.68, sms: 0.68,
+  organic:  0.30,
+  direct:   0.20,
+};
+
+const INTENTION_SCORES = {
+  comprador:   1.00, high_intent: 1.00,
+  interessado: 0.60,
+  nurture:     0.30,
+  curioso:     0.15,
+};
+
+export function extractFeatures(row) {
+  const src       = (row.utm_source || '').toLowerCase().trim();
+  const intention = (row.intention_level || '').toLowerCase().trim();
+  const daysSince = row.days_since_lead || 0;
+
+  return [
+    UTM_SCORES[src] ?? (src ? 0.10 : 0.05),                    // utm_score
+    Math.min((row.engagement_score || 0) / 5, 1),               // engagement (0-5 → 0-1)
+    INTENTION_SCORES[intention] ?? 0,                           // intention
+    Math.max(0, 1 - daysSince / 90),                            // recency (0=90 dias, 1=hoje)
+    row.has_email    ? 1 : 0,                                   // has_email
+    row.has_phone    ? 1 : 0,                                   // has_phone
+    row.is_br        ? 1 : 0,                                   // is_br
+    ((row.hour || 12) / 23),                                    // hour normalized
+  ];
+}
+
+// ── Sigmoid ───────────────────────────────────────────────────────────────────
+
+function sigmoid(z) {
+  if (z > 20)  return 1;
+  if (z < -20) return 0;
+  return 1 / (1 + Math.exp(-z));
+}
+
+function dot(weights, features) {
+  return features.reduce((sum, f, i) => sum + (weights[i] || 0) * f, 0);
+}
+
+// ── Treinamento ───────────────────────────────────────────────────────────────
+
+/**
+ * Treina regressão logística com gradiente descendente.
+ * @param {Array<{features: number[], label: number}>} dataset
+ * @param {{ iterations?, learningRate?, lambda? }} opts
+ * @returns {{ bias, weights, accuracy, positiveRate }}
+ */
+export function trainLogisticRegression(dataset, opts = {}) {
+  if (!dataset || dataset.length < 50) {
+    return null; // dados insuficientes
+  }
+
+  const iterations   = opts.iterations   || 200;
+  const learningRate = opts.learningRate  || 0.1;
+  const lambda       = opts.lambda        || 0.01; // L2 regularization
+  const nFeatures    = dataset[0].features.length;
+
+  let bias    = 0;
+  let weights = new Array(nFeatures).fill(0);
+
+  const positives = dataset.filter(d => d.label === 1).length;
+  const positiveRate = positives / dataset.length;
+
+  // Se menos de 5% positivos, não treina (dados de compra insuficientes)
+  if (positiveRate < 0.03) return null;
+
+  for (let iter = 0; iter < iterations; iter++) {
+    let dBias    = 0;
+    const dWeights = new Array(nFeatures).fill(0);
+
+    for (const { features, label } of dataset) {
+      const z     = dot(weights, features) + bias;
+      const pred  = sigmoid(z);
+      const error = pred - label;
+
+      dBias += error;
+      for (let j = 0; j < nFeatures; j++) {
+        dWeights[j] += error * features[j];
+      }
+    }
+
+    const n = dataset.length;
+    bias -= learningRate * (dBias / n);
+    for (let j = 0; j < nFeatures; j++) {
+      // L2: penaliza pesos grandes para evitar overfitting
+      weights[j] -= learningRate * ((dWeights[j] / n) + lambda * weights[j]);
+    }
+  }
+
+  // Calcular acurácia no conjunto de treino
+  let correct = 0;
+  const threshold = positiveRate > 0.3 ? 0.5 : Math.max(0.3, positiveRate * 1.5);
+
+  for (const { features, label } of dataset) {
+    const z    = dot(weights, features) + bias;
+    const pred = sigmoid(z) >= threshold ? 1 : 0;
+    if (pred === label) correct++;
+  }
+
+  const accuracy = correct / dataset.length;
+
+  return {
+    bias,
+    weights,
+    accuracy,
+    positiveRate,
+    sampleSize: dataset.length,
+    threshold,
+    featureNames: ['utm_score', 'engagement', 'intention', 'recency', 'has_email', 'has_phone', 'is_br', 'hour'],
+    trainedAt: new Date().toISOString(),
+  };
+}
+
+// ── Inferência ────────────────────────────────────────────────────────────────
+
+/**
+ * Prediz score de conversão (0-100) usando pesos treinados.
+ * @param {{ bias, weights, threshold }} model
+ * @param {number[]} features
+ * @returns {number} score 0-100
+ */
+export function predictWithWeights(model, features) {
+  const z    = dot(model.weights, features) + model.bias;
+  const prob = sigmoid(z);
+  return Math.round(prob * 100);
+}
+
+// ── Helpers de persistência ───────────────────────────────────────────────────
+
+export const LTV_WEIGHTS_KV_KEY = 'ltv_weights_active';
+
+export async function loadActiveWeights(env) {
+  // 1. Tentar KV (cache ~7 dias)
+  if (env.GEO_CACHE) {
+    try {
+      const cached = await env.GEO_CACHE.get(LTV_WEIGHTS_KV_KEY, 'json');
+      if (cached?.weights?.length) return cached;
+    } catch {}
+  }
+
+  // 2. Fallback: D1
+  if (!env.DB) return null;
+  try {
+    const row = await env.DB.prepare(
+      `SELECT weights_json FROM ltv_model_weights WHERE is_active = 1 ORDER BY trained_at DESC LIMIT 1`
+    ).first();
+    if (!row?.weights_json) return null;
+    const model = JSON.parse(row.weights_json);
+
+    // Popular KV para próximas requests
+    if (env.GEO_CACHE && model?.weights?.length) {
+      env.GEO_CACHE.put(LTV_WEIGHTS_KV_KEY, JSON.stringify(model), { expirationTtl: 604800 }).catch(() => {});
+    }
+    return model;
+  } catch {
+    return null;
+  }
+}
+
+export async function saveWeights(DB, model) {
+  if (!DB || !model) return;
+  const now = new Date().toISOString();
+
+  // Desativar modelo anterior
+  await DB.prepare(`UPDATE ltv_model_weights SET is_active = 0 WHERE is_active = 1`).run();
+
+  // Inserir novo como ativo
+  await DB.prepare(`
+    INSERT INTO ltv_model_weights (trained_at, is_active, sample_size, positive_rate, accuracy, weights_json)
+    VALUES (?, 1, ?, ?, ?, ?)
+  `).bind(
+    now,
+    model.sampleSize,
+    model.positiveRate,
+    model.accuracy,
+    JSON.stringify(model),
+  ).run();
+}