guardian-risk 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +93 -4
  2. package/dist/index.cjs +459 -18
  3. package/dist/index.d.cts +157 -6
  4. package/dist/index.d.ts +157 -6
  5. package/dist/index.js +450 -19
  6. package/package.json +21 -4
  7. package/dist/index.cjs.map +0 -1
  8. package/dist/index.js.map +0 -1
package/README.md CHANGED
@@ -6,8 +6,6 @@ Configurable risk decision engine for TypeScript. Evaluate signals against rules
6
6
 
7
7
  ```bash
8
8
  npm install guardian-risk
9
- # or
10
- pnpm add guardian-risk
11
9
  ```
12
10
 
13
11
  ## Usage
@@ -36,7 +34,51 @@ console.log(report.score); // 35
36
34
  console.log(report.level); // MEDIUM
37
35
  ```
38
36
 
39
- ## Plugins
37
+ ## Official plugins
38
+
39
+ Install **core first**, then add only the plugins you need:
40
+
41
+ | Package | Install | Purpose |
42
+ |---------|---------|---------|
43
+ | **guardian-risk** (this) | `npm i guardian-risk` | Core engine |
44
+ | guardian-risk-express | `npm i guardian-risk-express` | Express request signals |
45
+ | guardian-risk-browser | `npm i guardian-risk-browser` | Browser behavioral signals |
46
+ | guardian-risk-redis | `npm i guardian-risk-redis` | Redis session counters |
47
+ | guardian-risk-vpn | `npm i guardian-risk-vpn` | VPN / proxy / Tor detection |
48
+ | guardian-risk-logger | `npm i guardian-risk-logger` | Audit logging |
49
+
50
+ ```bash
51
+ # Example: Express + VPN + Logger stack
52
+ npm install guardian-risk guardian-risk-express guardian-risk-vpn guardian-risk-logger
53
+ ```
54
+
55
+ ```typescript
56
+ import express from 'express';
57
+ import { Guardian } from 'guardian-risk';
58
+ import { expressPlugin, guardianMiddleware, type ExpressRequest } from 'guardian-risk-express';
59
+ import { redisPlugin } from 'guardian-risk-redis';
60
+ import { vpnPlugin, StaticIpProvider } from 'guardian-risk-vpn';
61
+ import { loggerPlugin } from 'guardian-risk-logger';
62
+
63
+ const app = express();
64
+
65
+ const riskTemplate = new Guardian()
66
+ .use(expressPlugin({ trustProxy: true }))
67
+ .use(redisPlugin())
68
+ .use(vpnPlugin({ provider: new StaticIpProvider({}) }))
69
+ .use(loggerPlugin())
70
+ .rule({ name: 'Burst', when: (s) => (s.requestsPerMinute as number) > 30, score: 40 });
71
+
72
+ app.use(guardianMiddleware(riskTemplate, { blockAboveScore: 80 }));
73
+
74
+ app.post('/login', (req: ExpressRequest, res) => {
75
+ res.json(req.riskReport);
76
+ });
77
+ ```
78
+
79
+ > Plugin packages are early stubs — APIs may change before `1.0.0`.
80
+
81
+ ## Plugins API
40
82
 
41
83
  ```typescript
42
84
  import type { Plugin } from 'guardian-risk';
@@ -51,6 +93,34 @@ const myPlugin: Plugin = {
51
93
  new Guardian().use(myPlugin);
52
94
  ```
53
95
 
96
+ ## Typed signals & presets (v0.3)
97
+
98
+ ```typescript
99
+ import { defineSignals, applyRules, botDetectionRules } from 'guardian-risk';
100
+
101
+ const bot = defineSignals<{ mouseLinearity: number; headlessUA: boolean }>();
102
+
103
+ const guardian = applyRules(bot.create(), botDetectionRules)
104
+ .signal('mouseLinearity', 0.95)
105
+ .signal('headlessUA', true);
106
+
107
+ const report = await guardian.analyzeAsync();
108
+ ```
109
+
110
+ ## Rule groups (v0.3)
111
+
112
+ ```typescript
113
+ guardian.ruleGroup({
114
+ name: 'login',
115
+ maxScore: 40,
116
+ rules: [
117
+ { name: 'BruteForce', when: (s) => (s.loginAttempts as number) > 5, score: 45 },
118
+ ],
119
+ });
120
+ ```
121
+
122
+ See [MIGRATION.md](../../MIGRATION.md) when upgrading versions.
123
+
54
124
  ## API
55
125
 
56
126
  | Method | Description |
@@ -58,10 +128,29 @@ new Guardian().use(myPlugin);
58
128
  | `guardian.signal(key, value)` | Add a signal |
59
129
  | `guardian.rule({ name, when, score, reason? })` | Register a rule |
60
130
  | `guardian.use(plugin)` | Install a plugin (once per name) |
61
- | `guardian.analyze()` | Run evaluation, returns `RiskReport` |
131
+ | `guardian.beforeAnalyze(hook)` | Run hook before evaluation (async OK) |
132
+ | `guardian.afterAnalyze(hook)` | Run hook after report is built |
133
+ | `guardian.analyze()` | Sync analysis (no hooks registered) |
134
+ | `guardian.analyzeAsync(context?)` | Async analysis with lifecycle hooks |
135
+ | `guardian.fork()` | Clone rules/plugins for per-request use |
62
136
  | `guardian.reset()` | Clear signals (rules + plugins persist) |
63
137
  | `guardian.getInstalledPlugins()` | List installed plugin names |
64
138
 
139
+ ## Security
140
+
141
+ - **Zero runtime dependencies** — minimal supply chain risk
142
+ - **No install scripts** — nothing runs on `npm install`
143
+ - Prototype pollution protection on signal keys
144
+ - Rule `when()` errors isolated — engine stays stable
145
+ - Score bounds: ±10,000 per rule, ±1,000,000 total
146
+ - Plugin `install()` failures throw `PluginInstallError` without registering
147
+ - See [SECURITY.md](SECURITY.md) for vulnerability reporting
148
+
149
+ ## Links
150
+
151
+ - [GitHub monorepo](https://github.com/himanshu6306singh/guardian-risk)
152
+ - [All packages guide](https://github.com/himanshu6306singh/guardian-risk/blob/main/ECOSYSTEM.md)
153
+
65
154
  ## License
66
155
 
67
156
  MIT