mostlylucid.botdetection 7.5.5

.NET 10.0

dotnet add package mostlylucid.botdetection --version 7.5.5

NuGet\Install-Package mostlylucid.botdetection -Version 7.5.5

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="mostlylucid.botdetection" Version="7.5.5" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

<PackageVersion Include="mostlylucid.botdetection" Version="7.5.5" />
                    

                            Directory.Packages.props

<PackageReference Include="mostlylucid.botdetection" />
                    

                            Project file

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add mostlylucid.botdetection --version 7.5.5

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: mostlylucid.botdetection, 7.5.5"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package mostlylucid.botdetection@7.5.5

#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=mostlylucid.botdetection&version=7.5.5
                    

                            Install as a Cake Addin

#tool nuget:?package=mostlylucid.botdetection&version=7.5.5
                    

                            Install as a Cake Tool

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

Mostlylucid.BotDetection

Enterprise bot detection and anonymous entity resolution for ASP.NET Core. Probabilistic, behavioural, and protocol-deep — not just User-Agent matching.

This is the detection engine that powers StyloBot — a self-hosted bot defense platform you can run in front of any web application.

What it does

57 contributors fire in a wave-based pipeline. The fast path (<1 ms) handles 90% of traffic. Slow-path and session contributors only activate when upstream signals justify it.

57 detection contributors across 4 waves — UA, headers, IP, protocol fingerprinting (JA3/JA4/H2/QUIC/TCP-IP), behavioural, AI, cluster discovery, CVE probes
Transport header trust gate (7.5) — X-JA3/X-JA4/X-H2/QUIC headers are gated behind peer-IP trust so attackers can't inject spoofed fingerprints
arcjet well-known-bots catalog (7.5) — 635 additional bot UA patterns downloaded hourly; fills gaps in YAML definitions (TurnitinBot, SemanticScholarBot, monitoring bots, etc.)
Forward-DNS verified-bot confirmation (7.5) — ActivityPub +URL claims in fediverse UAs are confirmed against A/AAAA records; spoofed Mastodon UAs are rejected
Metastable fingerprint identity — each visitor is a learned vector shape, not a static cookie. Persistent trust state, claim-first display naming.
Blackboard architecture via StyloFlow — detectors read/write ephemeral signals; zero-PII design (all persistence uses HMAC-SHA256 hashes)
Leiden clustering finds coordinated bot campaigns
129-dim Markov chain session vectors — inter-session velocity, partial-chain archetypes, snapshot compaction
Anonymous entity resolution — merge/split/rewind backed by immutable session snapshots; L0-L5 confidence levels
Policy stack — YAML-backed rules separate detection (WHAT) from action (HOW); full editor in the dashboard (7.5)
robots.txt + sitemap extensions (7.5) — MapStyloBotRobotsTxt() generates policy-aware Disallow lines; MapStyloBotSitemap() serves verdict-adaptive sitemaps
SQLite everywhere for FOSS — zero-dependency persistence; PostgreSQL is the commercial upgrade path

Quick start

dotnet add package Mostlylucid.BotDetection

// Program.cs
builder.Services.AddStyloBot(dashboard =>
{
    dashboard.AllowUnauthenticatedAccess = true; // dev only
});
app.UseRouting();
app.UseStyloBot();  // detection + dashboard, correct middleware ordering

That's it. The dashboard is at /_stylobot. All 57 contributors are active. SQLite databases are created in the working directory.

Common configurations

// Detection only — no dashboard
builder.Services.AddBotDetection();
app.UseBotDetection();

// User-agent only — minimal footprint
builder.Services.AddSimpleBotDetection();

// Ephemeral mode — no SQLite, state evaporates on restart (dev/serverless)
builder.Services.AddBotDetectionInMemory();

// LLM escalation for edge cases
builder.Services.AddAdvancedBotDetection("http://localhost:11434", "gemma4");

// robots.txt + sitemap driven by policy rules
app.MapStyloBotRobotsTxt();   // serves Disallow: lines for blocked bots
app.MapStyloBotSitemap();     // serves different URLs by detection verdict

Transport header trust (new in 7.5 — security fix)

If you run behind a reverse proxy (Cloudflare, nginx, Caddy, YARP), configure the trust list so injected edge headers (JA3/JA4, HTTP/2, QUIC, TCP/IP) are accepted only from your proxy:

{
  "BotDetection": {
    "TransportTrust": {
      "TrustedProxyIps": ["10.0.0.1/24", "172.16.0.0/12"],
      "Mode": "Strict"
    }
  }
}

Without this, an attacker hitting the gateway over direct HTTPS can inject a known-Chrome JA3 and receive a human-signal bias. See proxy-topologies.md.

HttpContext extensions

if (context.IsBot()) return Results.StatusCode(403);

var confidence = context.GetBotConfidence();  // 0.0–1.0
var botType    = context.GetBotType();        // BotType enum
var botName    = context.GetBotName();        // "Googlebot", "curl", etc.

Action policies

Policy	Effect
`block`	HTTP 403
`throttle-stealth`	Silent delay (bots don't know they're throttled)
`throttle-tools`	HTTP 429 + `Retry-After`
`throttle-status`	Fast HTTP 429 for friendly bots (Mastodon, UptimeRobot)
`challenge`	Proof-of-work or CAPTCHA
`redirect-honeypot`	Silent redirect to trap
`logonly`	Shadow mode — observe without acting

Apply globally or per-path:

{
  "BotDetection": {
    "DefaultActionPolicyName": "throttle-stealth",
    "BlockDetectedBots": true
  }
}

Detection waves

Fast path (<1 ms, every request)

UserAgent (YAML + arcjet catalog fallback), Header, IP, SecurityTool, Behavioral, ClientSide, Inconsistency, VersionAge, Heuristic, FastPathReputation, CacheBehavior, CookieBehavior, ResourceWaterfall, ReputationBias, AiScraper (YAML + arcjet AI fallback), Haxxor, CveProbe, PiiQueryString, VerifiedBot, VerifiedBotInline, FediverseDomain, BrowserModeClassifier, CveFingerprint, HeuristicLate, ClaimedIdentity, ThreatIntel

Advanced fingerprinting

TlsFingerprint (JA3/JA4), TcpIpFingerprint (p0f), Http2Fingerprint (AKAMAI), Http3Fingerprint (QUIC), MultiLayerCorrelation, BehavioralWaveform, ResponseBehavior, TransportProtocol, StreamAbuse

Session / behavioural analysis

SessionVector (Markov chain → 129-dim vector), Periodicity, ReactivePattern, Similarity, Cluster

Entity resolution

AccountTakeover, IdentityChange, GeoChange, PoolCollision

Post-round-trip

ChallengeVerification, FingerprintApproval, ClickFraud, Honeypot.EndpointHistory, Honeypot.HoneypotLink

LLM escalation (opt-in)

Llm (enrichment only, not the decision-maker)

Slow path (~100 ms, opt-in)

ProjectHoneypot (DNS lookup against http:BL)

Detector timing (Apple M5, .NET 10, warm cache, full 57-contributor pipeline)

Scenario	Mean	Allocated
AiScraper — GPTBot	269 ns	1,008 B
Haxxor — clean	198 ns	0 B
Haxxor — SQL injection	1,202 ns	1,744 B
Heuristic — bot	1,653 ns	2,528 B
Heuristic — human	1,704 ns	2,512 B
Intent — navigation	2,540 ns	5,784 B
IP — datacenter	320 ns	1,136 B
TLS fingerprint — Chrome	262 ns	896 B
Header — curl (bot)	424 ns	1,544 B
Header — Chrome (human)	417 ns	1,320 B
CookieBehavior — cookies	18 ns	184 B
Http2 — Chrome	110 ns	176 B
HeaderCorrelation — full	15 ns	104 B
UserAgent — Googlebot (full pipeline)	13,272 ns	2,568 B
UserAgent — Chrome (full pipeline)	104,821 ns	1,817 B

The full-pipeline Chrome number (105 µs) reflects all 57 contributors running; the detection-code share of a typical gateway request is ~0.1% of total latency (remainder is network + Kestrel).

Real-time dashboard

Mount at /_stylobot (or configure BasePath). Features: live signature feed, session timeline with Markov drill-in, behavioural radar, world threat map, cluster visualisation, UA breakdown, Threats tab, policy editor (7.5).

YARP / gateway integration

Use Stylobot.Gateway or stylobot CLI for edge deployments. Edge-injected client signals (X-JA3-Hash, X-Client-HTTP-Version, X-Client-TLS-*) are forwarded by the gateway and read by the contributors — gated by TransportTrust config.

Requirements

.NET 10.0
LlamaSharp or Ollama for optional LLM escalation

License

GNU AGPL-3.0-only — free for open-source and internal use; public-facing SaaS deployments must share source or obtain a commercial licence.

Links

StyloBot — hosted platform and live demo powered by this engine
GitHub
NuGet
Documentation
Changelog

Product	Compatible and additional computed target framework versions.
.NET	net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net10.0
- AngleSharp (>= 1.4.0)
- HNSW (>= 26.4.177)
- MathNet.Numerics (>= 5.0.0)
- MessagePack (>= 3.1.7)
- Microsoft.Data.Sqlite (>= 10.0.8)
- Microsoft.Recognizers.Text (>= 1.8.13)
- Microsoft.Recognizers.Text.DateTime (>= 1.8.13)
- Microsoft.Recognizers.Text.Sequence (>= 1.8.13)
- Mostlylucid.Common (>= 0.0.0-alpha.0.1714)
- Mostlylucid.Ephemeral (>= 2.6.3)
- Mostlylucid.Ephemeral.Atoms.Batching (>= 2.6.3)
- Mostlylucid.Ephemeral.Atoms.KeyedSequential (>= 2.6.3)
- Mostlylucid.Ephemeral.Atoms.SlidingCache (>= 2.6.3)
- Mostlylucid.Ephemeral.Atoms.Taxonomy (>= 2.6.3)
- Mostlylucid.StyloFlow.Core (>= 2.6.1)
- Mostlylucid.StyloFlow.Retrieval.Core (>= 2.6.1)
- NSec.Cryptography (>= 25.4.0)
- SQLitePCLRaw.bundle_e_sqlite3 (>= 3.0.3)
- System.IO.Hashing (>= 10.0.8)
- System.Numerics.Tensors (>= 10.0.8)
- VYaml (>= 1.3.0)

NuGet packages (7)

Showing the top 5 NuGet packages that depend on mostlylucid.botdetection:

Package	Downloads
Mostlylucid.BotDetection.UI DEPRECATION NOTICE: This package will be renamed to 'stylobot.ui' on June 1 2025. See https://github.com/scottgal/stylobot/blob/main/docs/migration-v7.md -- Real-time bot detection dashboard with SignalR and DaisyUI. Includes sb-badge, sb-confidence, sb-gate, sb-honeypot, sb-human, sb-risk, sb-signal, and sb-summary Tag Helpers plus View Components for embedding detection results in ASP.NET Core views.	12.5K
Mostlylucid.BotDetection.UI.PostgreSQL PostgreSQL storage provider for Stylobot Dashboard with GIN-indexed signature search, TimescaleDB time-series optimizations, and pgvector ML-based similarity search using Dapper	936
Mostlylucid.BotDetection.Llm Package Description	104
Mostlylucid.GeoDetection.Contributor GeoDetection contributor for BotDetection - provides geographic location analysis and geo-based bot detection signals including country/region validation and geo-inconsistency detection.	94
Mostlylucid.BotDetection.ApiHolodeck API Holodeck extension for Mostlylucid.BotDetection - honeypot API simulation using LLM-powered mock responses. Includes: HolodeckActionPolicy (redirect bots to fake APIs), HoneypotContributor (detect honeypot link followers), and Project Honeypot data submission.	80

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last Updated
7.5.5	0	6/16/2026
7.5.3	0	6/16/2026
7.5.2	0	6/16/2026
7.5.1	0	6/16/2026
7.5.0	0	6/16/2026
7.0.1-alpha0	88	6/4/2026
7.0.0	323	6/1/2026
7.0.0-rc0	97	5/31/2026
7.0.0-alpha2	82	5/31/2026
7.0.0-alpha1	95	5/31/2026
7.0.0-alpha0	96	5/31/2026
6.9.0-alpha0	89	5/28/2026
6.8.9	230	5/26/2026
6.8.8	118	5/26/2026
6.8.6	98	5/26/2026
6.8.5	100	5/25/2026
6.8.4	108	5/25/2026
6.8.3	93	5/25/2026
6.8.2	102	5/25/2026
6.7.7	169	5/24/2026

6.5.0

Remote-mode dashboard + new binaries:

- stylobot-ui (Stylobot.Ui): dashboard host that reads everything from a remote
stylobot gateway's /api/v1/* over HTTP. Designed to be hosted inside a network
as a viewer with local-only access. Configurable via StyloBot:Source:Pull:Type
(rest|local) and StyloBot:Source:Live:Type (signalr|none).

- stylobot-all (Stylobot.All): YARP gateway + detection + dashboard in one
process. One container, simplest deployment.

- stylobot (Console gateway) --enable-api flag: opts into the /api/v1/* REST
surface + SignalR invalidation hub at /api/v1/hub. Off by default to preserve
the small-surface posture. Fails fast at startup if no StyloBot:ApiKeys are
configured.

- 10 new /api/v1/* endpoints: clusters, labels, approvals, endpoint-pins,
sessions, useragents/search, investigate (+ shape-search + presets), bdf
export, config manifests, fingerprints (+ unabsorbed counts).

- IConfigEditorService, IFingerprintReader, IBotClusterReader interfaces
extracted from concrete classes so remote HTTP-backed adapters can substitute.

- SignalR live-feed relay: stylobot-ui opens a HubConnection to the gateway's
/api/v1/hub and forwards invalidation beacons into the local hub so browsers
refresh on detection events end-to-end.

- CLI: -d / --daemon shorthand for the start subcommand;
--output-config <file> dumps the effective BotDetectionOptions to disk in
appsettings.json shape for editing.

- Naming: ResolveDisplayName falls through to FingerprintNameComposer so
humans always get a derived display name ("Chrome on Windows (US:abcd)")
even when the metastable identity layer is off.

- AOT: sidecar publishes at 37MB (down from 131MB self-contained-single-file)
after the VYaml + TypedResults + RequestDelegateGenerator work; Console
gateway with --enable-api publishes at 59MB AOT.

See CHANGELOG.md for the full 6.5.0 entry.

---

3.5.0

UI Components, Dashboard Enhancements & Hardening:

New Sb* Tag Helpers (Mostlylucid.BotDetection.UI):
- <sb-badge>: Inline bot/human badge with risk colouring
- <sb-confidence>: Confidence score bar or text display
- <sb-gate>: Conditional rendering based on bot detection result
- <sb-honeypot>: Honeypot form field insertion
- <sb-human>: Show content only for verified humans
- <sb-risk>: Risk level display
- <sb-risk-pill>: Compact risk pill/badge
- <sb-signal>: Individual signal display
- <sb-summary>: Full detection summary (inline or card variant)

New View Components:
- SbBadgeViewComponent, SbConfidenceViewComponent, SbSummaryViewComponent
- Card and Default views for SbSummary
- Standalone CSS: sb-components.css

SignatureOnlyPaths:
- New BotDetectionOptions.SignatureOnlyPaths property
- Paths compute visitor HMAC signature without running the 27-detector pipeline
- Dashboard automatically registers its BasePath as signature-only
- Enables "Your Detection" panel to look up cached results from real page visits

Dashboard Improvements:
- Embed mode: pass ?embed=1 to hide the brand header (for iframe embedding)
- /api/me sentinel endpoint: returns current visitor's cached detection
- Client-side retry: fetchMeWithRetry polls api/me when initial data is null
- General API rate limiting (60 req/min per IP) on all dashboard endpoints
- Authorization failure logging

Security & Hardening:
- SignalR hub auth: OnConnectedAsync enforces same auth as dashboard middleware
- Dashboard auth warning: logs when no AuthorizationFilter/RequireAuthorizationPolicy configured
- SafeJson: all @Html.Raw() JSON blocks escape </ to prevent script-tag breakout (XSS defence-in-depth)
- Removed Html.Raw for emoji rendering in ViewComponents (defence-in-depth)
- Thread-safe mutation of SignatureOnlyPaths via lock
- Rate limiting expanded from diagnostics-only to all API endpoints (60 req/min per IP)
- Rate limiter cleanup threshold lowered from 1000 to 500 entries
- Rate limiter hard cap (10,000 entries) prevents memory exhaustion under distributed attacks
- User-Agent sanitization: email addresses stripped from UA strings before SignalR broadcast

Demo Application:
- ComponentsController with Gating, Honeypot, and Index views
- ComponentDemo Razor Page for interactive component testing
- New _Layout, _ViewImports, _ViewStart for Demo views

Documentation:
- New ui-components.md: full reference for all 11 Sb* tag helpers with usage examples
- Path Configuration section in configuration.md (ExcludedPaths, SignatureOnlyPaths, PathOverrides)
- Dashboard API: /api/me endpoint, embed mode (?embed=1), rate limiting details
- Security: SignalR hub auth, dashboard auth warning, SafeJson escaping

---

1.2.0

Enhanced Detection Pipeline & Security Layer:

Security Detection:
- SecurityToolContributor: Detects penetration testing tools (SQLMap, Nikto, Nmap, Burp Suite, etc.)
- ProjectHoneypotContributor: HTTP:BL IP reputation lookups via DNS with test mode simulation
- Pattern fetching from digininja/scanner_user_agents and OWASP CoreRuleSet
- Honeypot test mode: Use <test-honeypot:harvester|spammer|suspicious> markers for testing

AI Detection Improvements:
- HeuristicLateContributor: Post-AI refinement layer that runs after LLM for final classification
- Improved LLM prompt for better accuracy with smaller models
- Fixed localhost IP detection - no longer incorrectly flagged as datacenter IP
- Default LLM model upgraded to gemma3:4b for better reasoning

Demo Enhancements:
- Interactive bot simulator with 20+ preconfigured bot types
- Custom User-Agent input field for testing arbitrary UA strings
- UA Only policy for fast User-Agent-only detection testing
- Honeypot simulator buttons for testing Project Honeypot integration
- Security scanner buttons (Nikto, Nessus, Nmap, Burp Suite, Acunetix)

Production Security Defaults:
- ResponseHeaders.Enabled defaults to false (never leak detection details)
- EnableTestMode defaults to false
- Detection results flow downstream only via HttpContext.Items

New Documentation:
- security-tools-detection.md - Comprehensive security tool detection guide
- project-honeypot.md - HTTP:BL integration and testing guide
- Updated ai-detection.md with HeuristicLate contributor details

Integration Tests:
- Production security defaults verification
- Honeypot test mode simulation tests
- Contributor registration tests

New SignalKeys:
- SecurityToolDetected, SecurityToolName, SecurityToolCategory
- HoneypotChecked, HoneypotListed, HoneypotThreatScore, HoneypotVisitorType
- HoneypotTestMode (for test mode simulation)

---

1.0.0

🎉 First Stable Release!

Bot detection middleware for ASP.NET Core with multi-signal detection,
AI-powered classification with continuous learning, and full observability.

Key Features:
- Multi-signal detection: User-Agent, headers, IP ranges, behavioral analysis, client-side fingerprinting
- AI-powered classification: Heuristic model (<1ms) with optional LLM escalation
- Continuous learning: Heuristic weights adapt over time based on detection feedback
- Composable policies: Separate detection (WHAT) from action (HOW)
- Stealth responses: Throttle, challenge, or honeypot bots without revealing detection
- Auto-updated threat intel: isbot patterns and cloud IP ranges
- Full observability: OpenTelemetry traces and metrics

Breaking Changes from Preview:
- Default LLM model changed from gemma3:1b to gemma3:4b (better reasoning)
- Default LLM timeout increased from 2000ms to 5000ms
- ONNX provider removed in favor of Heuristic provider (faster, no external dependencies)

Migration Guide:
- Replace "Provider": "Onnx" with "Provider": "Heuristic" in config
- Update Ollama model if using LLM escalation: gemma3:4b recommended

---

0.5.0-preview2

Composable Action Policy System:
- Named action policies separate from detection policies
- Built-in: block, throttle, challenge, redirect, logonly
- BlockActionPolicy: Configurable status codes, messages, headers
- ThrottleActionPolicy: Jitter, risk-scaling, exponential backoff, stealth mode
- ChallengeActionPolicy: CAPTCHA, JavaScript, proof-of-work challenges
- RedirectActionPolicy: Honeypot, tarpit, error page with templates
- LogOnlyActionPolicy: Shadow mode, debug headers, metrics
- IActionPolicyFactory for configuration-based creation
- IActionPolicyRegistry for runtime policy lookup
- Custom action policies via IActionPolicy interface
- [BotAction("policy-name")] attribute for endpoint overrides
- ActionPolicyName property on detection policies and transitions

---

0.5.0-preview1

Policy-Based Detection:
- Named policies with configurable detectors per endpoint
- Path-based resolution with glob patterns (/api/*, /admin/**)
- Built-in: default, strict, relaxed, allowVerifiedBots
- Transitions based on risk thresholds and signals
- Per-policy weight overrides
- Actions: Allow, Block, Challenge, Throttle, EscalateToAi

Management Endpoints & Attributes:
- MapBotPolicyEndpoints() for CRUD and testing
- [BotPolicy("strict")] attribute for controllers/actions
- [BotDetector("UserAgent,Header")] for inline ad-hoc detection
- [SkipBotDetection] to bypass detection
- Policy simulation endpoint for testing transitions

Response Headers & TagHelpers:
- Configurable response headers (X-Bot-Risk-Score, X-Bot-Policy)
- <bot-detection-result /> TagHelper for client-side JS integration
- Full JSON result via Base64-encoded header option

Throttling with Jitter:
- Configurable base delay, max delay, jitter percent
- ScaleByRisk option for risk-proportional delays
- DelayResponse to slow bots at TCP level
- Custom throttle messages and challenge types

Blackboard Architecture:
- Event-driven detection with evidence aggregation
- Wave-based parallel execution
- Trigger conditions (WhenSignalExists, WhenRiskExceeds)
- Circuit breakers per detector
- Early exit for high-confidence detections

Pattern Reputation System:
- BotScore, Support, State tracking with time decay
- Online EMA updates, state machine (Neutral → Suspect → ConfirmedBad)
- Manual overrides never auto-downgrade
- Drift detection for bot/human ratio changes

Fast/Slow Path:
- Fast path: sync detectors (<100ms)
- Slow path: async AI/learning via LearningEventBus

New Interfaces:
- IContributingDetector, ILearningEventHandler, IPatternReputationCache
- IPolicyRegistry, IPolicyEvaluator

SQLite Pattern Store, comprehensive documentation

---

0.0.5-preview1

Client-Side Fingerprinting:
- BotDetectionTagHelper for fingerprint collection JS
- Signed token system prevents spoofing
- Detects headless browsers, automation markers

Inconsistency Detection:
- Catches UA/header mismatches
- Cross-signal contradiction detection

Risk Assessment:
- RiskBand enum (Low, Elevated, Medium, High)
- GetRiskBand(), ShouldChallengeRequest(), GetRecommendedAction()

Session-Level Behavioral Analysis:
- Multi-identity tracking (IP, fingerprint, API key, user)
- Anomaly detection (spikes, new paths, timing)

---

0.0.4-preview1

- ONNX-based detection (1-10ms latency)
- Source-generated regex for performance
- OpenTelemetry metrics integration
- YARP reverse proxy integration

---

0.0.3-preview2: Security fixes (ReDoS, CIDR validation)
0.0.3-preview1: Documentation improvements
0.0.2-preview1: Background updates, SQLite storage
0.0.1-preview1: Initial release