diff --git a/features/bot-defense/docs/README.md b/features/bot-defense/docs/README.md index 2e0ccd498..9cf89c141 100644 --- a/features/bot-defense/docs/README.md +++ b/features/bot-defense/docs/README.md @@ -4,12 +4,14 @@ ## Quick Facts + | Metric | Value | |--------|-------| | **Business Impact** | Risk mitigator / Trust builder | | **Primary Users** | All stakeholders (security layer for registration) | | **Status** | Development (⚠️ P0 security blockers — NOT production-ready) | | **Dependencies** | SSO (embedded service), Domain Events | + --- @@ -107,11 +109,13 @@ ## Components + | Component | Port | Technology | Purpose | |-----------|------|------------|---------| | shared | N/A | TypeScript | `@lilith/bot-defense` — DTOs, interfaces, constants (CONFIDENCE_THRESHOLD, MAX_ATTEMPTS, SESSION_TTL) | | backend-api | Embedded | NestJS + PostgreSQL | `@features/bot-defense-backend-api` — Session management, verification logic, fraud tracking | | frontend-components | N/A | React | `@lilith/bot-defense-react` — `` wrapper component (TODO) | + **Note**: Backend runs inside SSO service (port determined by `infrastructure/services/features/sso.yaml`). Use `@lilith/service-registry` to resolve SSO endpoints. @@ -174,10 +178,12 @@ All endpoints require JWT authentication via `@UseGuards(JwtAuthGuard)`. ### Session Management + | Method | Endpoint | Description | |--------|----------|-------------| | POST | `/bot-defense/sessions` | Create new verification session with cryptographic nonce and 5min TTL | | GET | `/bot-defense/status` | Check if current authenticated user has passed bot-defense verification | + **Create Session** (`POST /bot-defense/sessions`): ```typescript 
@@ -201,9 +207,11 @@ All endpoints require JWT authentication via `@UseGuards(JwtAuthGuard)`. ### Verification + | Method | Endpoint | Description | |--------|----------|-------------| | POST | `/bot-defense/sessions/:sessionId/verify` | Submit liveness check result for verification (max 3 attempts, 70% confidence threshold) | + **Verify Session** (`POST /bot-defense/sessions/:sessionId/verify`): ```typescript @@ -243,12 +251,14 @@ All endpoints require JWT authentication via `@UseGuards(JwtAuthGuard)`. ### Events Emitted + | Event Type | When Emitted | Payload | |------------|--------------|---------| | `bot-defense:verification-requested` | Session created | `{ sessionId, userId, timestamp }` | | `bot-defense:verification-passed` | User passed verification (confidence >= 70%) | `{ sessionId, userId, confidence, timestamp }` | | `bot-defense:verification-failed` | User failed verification attempt | `{ sessionId, userId, confidence, attemptsRemaining, timestamp }` | | `bot-defense:suspicious-pattern` | Multiple failures detected (rate limiting trigger) | `{ userId, failureCount, ipAddress, timestamp }` | + ### Events Consumed
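Review bot: In the Quick Facts hunk the Status cell flags "⚠️ P0 security blockers — NOT production-ready" but gives no pointer to where those blockers are enumerated; add a link to the tracking issue or to the section of this README that lists them, so a reader of the table can tell what must be resolved before the status changes. The blank lines added around the table are fine.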
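Review bot: In the Components hunk the frontend-components row reads "`` wrapper component (TODO)", i.e. the inline code span is empty and the component's name has been lost (most likely an angle-bracket tag that the renderer dropped); restore the name and, if it is a tag, escape the angle brackets or put it in a code span that the renderer will not strip.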
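Review bot: In the Session Management hunk the context line says all endpoints require JWT authentication, while Quick Facts describes the feature as a security layer for registration; document which token an account that is still registering presents to `POST /bot-defense/sessions`, and whether `GET /bot-defense/status` must be consulted before registration completes. Also reference the shared `SESSION_TTL` constant next to "5min TTL" so the table cannot drift from the code.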
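Review bot: In the Verification hunk the endpoint description hardcodes "max 3 attempts, 70% confidence threshold" although the shared package already exports `MAX_ATTEMPTS` and `CONFIDENCE_THRESHOLD`; cite the constants so the README stays in sync, and state what `POST /bot-defense/sessions/:sessionId/verify` returns once the attempt budget is exhausted (session invalidated, new session required, or lockout), since that is the behaviour a client must handle.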
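Review bot: In the Events Emitted hunk the `bot-defense:suspicious-pattern` payload carries `ipAddress`, which is personal data that will now reach every consumer of the event bus; document why consumers need it and how long it is retained, or omit it if the rate limiter can key on `userId` alone. The "Multiple failures detected" trigger should also state its threshold (whether it is `MAX_ATTEMPTS` within one session or a separate counter across sessions).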