mostlylucid.botdetection 3.6.6

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher. 
dotnet add package mostlylucid.botdetection --version 3.6.6
                    


                    

                
NuGet\Install-Package mostlylucid.botdetection -Version 3.6.6
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="mostlylucid.botdetection" Version="3.6.6" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="mostlylucid.botdetection" Version="3.6.6" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="mostlylucid.botdetection" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add mostlylucid.botdetection --version 3.6.6
                    


                    

                
#r "nuget: mostlylucid.botdetection, 3.6.6"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package mostlylucid.botdetection@3.6.6
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=mostlylucid.botdetection&version=3.6.6
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=mostlylucid.botdetection&version=3.6.6
                    


                            Install as a Cake Tool

StyloBot: Mostlylucid.BotDetection

DESTROY ALL ROBOTS! (politely, with HTTP 403s)

Built on StyloFlow, the ephemeral workflow engine.

Bot detection middleware for ASP.NET Core with multi-signal detection, AI-powered classification with continuous learning, auto-updated blocklists, YARP integration, and full observability.

NuGet

Key Features

  • 28 detectors in 4 waves: User-Agent, headers, IP, behavioral, protocol fingerprinting, AI classification, cluster detection, and more
  • Protocol-deep fingerprinting: JA3/JA4 TLS, p0f TCP/IP, AKAMAI HTTP/2, QUIC HTTP/3 — catch bots even when they spoof everything
  • AI-powered classification: Heuristic model (<1ms, ~50 features) with optional LLM escalation for complex cases
  • Continuous learning: Heuristic weights adapt over time based on detection feedback
  • Bot network discovery: Leiden clustering finds coordinated campaigns across thousands of signatures
  • Geo intelligence: Country reputation, geographic drift detection, VPN/proxy/Tor/datacenter identification
  • Composable policies: Separate detection (WHAT) from action (HOW) for maximum flexibility
  • Stealth responses: Throttle, challenge, or honeypot bots without revealing detection
  • Real-time dashboard: World map, country stats, cluster visualization, user agent breakdown, live signature feed
  • Zero PII: All persistence uses HMAC-SHA256 hashed signatures — no raw IPs or user agents stored
  • Auto-updated threat intel: Pulls isbot patterns and cloud IP ranges automatically
  • First-class YARP support: Bot-aware routing and header injection for any-language backends
  • Full observability: OpenTelemetry traces and metrics baked in

Why Use This?

When commercial WAF isn't an option:

  • Self-hosted apps without Cloudflare/AWS/Azure
  • Compliance requirements prohibiting third-party request inspection
  • Cost-sensitive projects where $3K+/month WAF isn't justified

When you need more than User-Agent matching:

  • Bots spoofing browser User-Agents
  • Scripts missing Accept-Language, cookies, or timing signals
  • API abuse from datacenter IPs

When you want adaptive protection:

  • Detection that improves over time with learning
  • Different policies per endpoint (strict for checkout, relaxed for static content)
  • Stealth throttling that bots can't detect

Note: For enterprise applications with stringent security requirements, consider commercial services like Cloudflare Bot Management or AWS WAF Bot Control.

Quick Start

1. Install

dotnet add package Mostlylucid.BotDetection

2. Configure Services

using Mostlylucid.BotDetection.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddBotDetection();

var app = builder.Build();

app.UseBotDetection();
app.Run();

{
  "BotDetection": {
    "BotThreshold": 0.7,
    "BlockDetectedBots": true,
    "DefaultActionPolicyName": "throttle-stealth",

    "EnableAiDetection": true,
    "AiDetection": {
      "Provider": "Heuristic",
      "Heuristic": {
        "Enabled": true,
        "EnableWeightLearning": true
      }
    },

    "Learning": {
      "Enabled": true,
      "EnableDriftDetection": true
    },

    "PathPolicies": {
      "/api/login": "strict",
      "/api/checkout/*": "strict",
      "/sitemap.xml": "allowVerifiedBots"
    }
  }
}

This enables:

  • AI detection with Heuristic model (sub-millisecond, learns from feedback)
  • Learning system that improves detection over time
  • Stealth throttling (bots don't know they're being slowed)
  • Path-based policies (strict for sensitive endpoints)

Basic Usage

HttpContext Extensions

if (context.IsBot())
    return Results.StatusCode(403);

var confidence = context.GetBotConfidence();
var botType = context.GetBotType();

Endpoint Filters

app.MapGet("/api/data", () => "sensitive")
   .BlockBots();

app.MapPost("/api/submit", () => "ok")
   .RequireHuman();

MVC Attributes

[BlockBots(AllowVerifiedBots = true)]
public IActionResult Index() => View();

Detection Methods (28 Detectors)

All detectors execute in a wave-based pipeline. Fast-path detectors run in parallel in <1ms. Advanced detectors fire only when triggered by upstream signals.

Wave 0 — Fast Path (<1ms)

Detector Description
UserAgent Pattern matching against 1000+ known bot signatures with category classification
Header Suspicious/missing header detection (Accept-Language, encoding, connection patterns)
IP Datacenter, cloud provider, and known botnet IP range identification
SecurityTool Penetration testing tool detection (Nikto, sqlmap, Burp Suite, Metasploit)
CacheBehavior HTTP cache header interaction analysis (ETag, If-Modified-Since, gzip)
VersionAge Browser/OS version staleness detection (outdated clients = suspicious)
AiScraper AI training bot detection (GPTBot, ClaudeBot, PerplexityBot, Google-Extended)
FastPathReputation Ultra-fast cached reputation from previous detections (ConfirmedGood/Bad)
ReputationBias Signature-based reputation tracking from historical patterns
VerifiedBot DNS-verified identification of Googlebot, Bingbot, and 30+ legitimate crawlers

Wave 1 — Behavioral (1-5ms)

Detector Description
Behavioral Rate limiting, request pattern analysis, timing anomalies
AdvancedBehavioral Deep statistical analysis — entropy, Markov chains, anomaly detection
BehavioralWaveform FFT-based spectral fingerprinting of request timing patterns
ClientSide Headless browser detection via JavaScript fingerprinting signals
GeoChange Geographic drift detection, country reputation, origin verification
ResponseBehavior Honeypot path detection, response-side behavioral patterns

Wave 2 — Protocol Fingerprinting (<1ms)

Detector Description
TLS Fingerprint JA3/JA4 TLS fingerprint analysis — identifies client libraries
TCP/IP Fingerprint p0f-style passive OS fingerprinting via TCP stack behavior
HTTP/2 Fingerprint AKAMAI-style HTTP/2 frame analysis (settings, priorities, pseudo-headers)
HTTP/3 Fingerprint QUIC transport parameter fingerprinting and version negotiation analysis
MultiLayerCorrelation Cross-layer consistency analysis (does TLS match TCP match HTTP match UA?)

Wave 3 — AI + Learning (1-500ms)

Detector Description
Heuristic Feature-weighted classification extracting ~50 features with online learning
HeuristicLate Post-AI refinement with full evidence from all prior waves
Similarity Fuzzy signature matching via HNSW/Qdrant vector search
Cluster Bot network detection with Leiden community discovery
TimescaleReputation Time-series IP/signature reputation aggregation
LLM Full reasoning via Ollama (escalation only, e.g., qwen3:0.6b) — 50-500ms

Slow Path

Detector Description
ProjectHoneypot HTTP:BL IP reputation via DNS lookup (~100ms)

AI Detection & Learning (Key Differentiator)

The AI detection and learning system is what sets this library apart:

Request → Fast Detectors → Heuristic Model → Decision → Learning Bus
                ↓                                ↓            ↓
           Quick signals                   Risk score    Pattern Reputation
                                                ↓            ↓
                                         Action Policy   Weight Updates

Enable with:

{
  "BotDetection": {
    "EnableAiDetection": true,
    "AiDetection": {
      "Provider": "Heuristic",
      "Heuristic": { "Enabled": true, "EnableWeightLearning": true }
    },
    "Learning": { "Enabled": true }
  }
}

See ai-detection.md and learning-and-reputation.md for details.

Action Policies

Control HOW to respond to detected bots:

Policy Description
block Return 403 Forbidden
throttle-stealth Delay response (bots don't notice)
challenge Present CAPTCHA or proof-of-work
redirect-honeypot Silent redirect to trap
logonly Shadow mode (log but allow)

See action-policies.md for full details.

Architecture: StyloFlow & Entity Types

BotDetection is built on StyloFlow, a YAML-driven orchestration framework. Each detector is configured via a manifest file that defines its inputs, outputs, and behavior.

Entity Types

Entity types define the data contracts between detectors:

Entity Type Description Persistence
botdetection.request HTTP request with all detection signals Ephemeral
botdetection.signature Aggregated signals for classification Ephemeral
botdetection.contribution Single detector contribution Ephemeral
botdetection.ledger Accumulated detection evidence Ephemeral
botdetection.result Final classification result JSON
botdetection.learning_record Training data for learning system Database
botdetection.embedding Vector embedding for similarity search Embedded
botdetection.multivector_embedding Multi-vector ColBERT-style embedding Embedded

Detector Manifests

Each detector has a YAML manifest defining its input/output contracts:

# useragent.detector.yaml
name: UserAgentContributor
priority: 10
enabled: true

input:
  accepts:
    - type: botdetection.request
      required: true
      signal_pattern: request.headers.*
  required_signals:
    - request.headers.user-agent

output:
  produces:
    - type: botdetection.contribution
    - type: botdetection.ua_signal
  signals:
    - key: detection.useragent.confidence
      entity_type: number
      salience: 0.8

defaults:
  weights:
    bot_signal: 1.5
    verified: 2.0
  confidence:
    bot_detected: 0.3
    strong_signal: 0.85
  parameters:
    min_ua_length: 10
    verify_known_bots: true

Overriding Configuration

Override detector defaults via appsettings.json:

{
  "BotDetection": {
    "Detectors": {
      "UserAgentContributor": {
        "Weights": {
          "BotSignal": 2.0
        },
        "Parameters": {
          "min_ua_length": 20
        }
      }
    }
  }
}

Multi-Vector Embeddings

For advanced similarity-based detection, embeddings support named vectors:

# In botdetection.entity.yaml
- type: botdetection.multivector_embedding
  persistence: embedded
  schema:
    properties:
      vectors:
        items:
          properties:
            name:
              description: Vector identifier (e.g., "ua", "ip", "tls")
            vector:
              type: array
            weight:
              description: Relative importance for MaxSim scoring
      aggregation:
        enum: [maxsim, avgpool, concat]

Documentation

Feature Description Docs
Quick Start Two-line setup, all 28 detectors quickstart.md
Configuration Full options reference configuration.md
AI Detection Heuristic model, LLM escalation, learning ai-detection.md
AI Scraper Detection GPTBot, ClaudeBot, PerplexityBot ai-scraper-detection.md
Learning & Reputation Pattern learning, drift detection learning-and-reputation.md
Action Policies Block, throttle, challenge, redirect action-policies.md
Detection Policies Path-based detection configuration policies.md
Extensibility Custom detectors and policies extensibility.md
User-Agent Detection Pattern matching with reputation user-agent-detection.md
Header Detection HTTP header anomaly analysis header-detection.md
IP Detection Datacenter and cloud IP identification ip-detection.md
Version Age Detection Browser/OS version staleness detection version-age-detection.md
Security Tools Detection Penetration testing tool detection security-tools-detection.md
Project Honeypot HTTP:BL IP reputation checking project-honeypot.md
Behavioral Analysis Rate limiting and anomaly detection behavioral-analysis.md
Advanced Behavioral Entropy, Markov chains, anomalies advanced-behavioral-detection.md
Behavioral Waveform FFT spectral request timing analysis behavioral-waveform.md
Client-Side Fingerprinting Headless browser detection client-side-fingerprinting.md
Cache Behavior HTTP cache header analysis cache-behavior-detection.md
Response Behavior Honeypot and response-side patterns response-behavior.md
TLS/TCP/HTTP2 Fingerprinting JA3/JA4, p0f, AKAMAI fingerprints AdvancedFingerprintingDetectors.md
HTTP/3 Fingerprinting QUIC transport parameter analysis http3-fingerprinting.md
Multi-Layer Correlation Cross-layer consistency analysis multi-layer-correlation.md
Cluster Detection Leiden clustering for bot networks cluster-detection.md
TCP/IP Fingerprint Passive OS fingerprinting (p0f) tcp-ip-fingerprint.md
Timescale Reputation Time-series reputation aggregation timescale-reputation.md
YARP Integration Bot-aware reverse proxy yarp-integration.md
Telemetry OpenTelemetry traces and metrics telemetry-and-metrics.md
Stylobot Gateway Companion Docker gateway yarp-gateway.md

Companion Project: Stylobot Gateway

For edge deployments, use Stylobot.Gateway - a lightweight Docker-first reverse proxy:

Docker Hub

# Zero-config reverse proxy in seconds
docker run -p 80:8080 -e DEFAULT_UPSTREAM=http://your-app:3000 scottgal/stylobot-gateway

Why use it with BotDetection?

  • Edge routing and load balancing
  • Hot-reload YARP configuration
  • Admin API for health/metrics
  • Multi-arch: amd64, arm64, Raspberry Pi (arm/v7)
  • ~90MB Alpine image

See yarp-gateway.md for integration patterns.

Diagnostic Endpoints

app.MapBotDetectionEndpoints("/bot-detection");

// GET /bot-detection/check   - Current request analysis
// GET /bot-detection/stats   - Detection statistics
// GET /bot-detection/health  - Health check

Service Registration Options

// Default: all detectors + Heuristic AI with learning
builder.Services.AddBotDetection();

// User-agent only (fastest, minimal)
builder.Services.AddSimpleBotDetection();

// All detectors + LLM escalation (requires Ollama)
builder.Services.AddAdvancedBotDetection("http://localhost:11434", "qwen3:0.6b");

Requirements

  • .NET 10.0
  • Optional: Ollama for LLM-based detection escalation

License

The Unlicense - Public Domain

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
3.6.6 0 2/17/2026
3.6.5 0 2/17/2026
3.6.3 0 2/17/2026
3.6.2 0 2/17/2026
3.6.1 0 2/17/2026
3.6.0 0 2/17/2026
3.5.5 0 2/17/2026
3.5.4 26 2/17/2026
3.5.3 25 2/17/2026
3.5.2 27 2/17/2026
3.5.1 35 2/16/2026
3.5.0 38 2/16/2026
3.1.8 43 2/16/2026
3.1.7 42 2/15/2026
3.1.6 34 2/15/2026
3.1.5 36 2/15/2026
3.1.3 38 2/15/2026
3.1.2 37 2/15/2026
3.1.1 39 2/15/2026
3.0.0 43 2/15/2026
Loading failed

3.5.0

UI Components, Dashboard Enhancements & Hardening:

New Sb* Tag Helpers (Mostlylucid.BotDetection.UI):
- <sb-badge>: Inline bot/human badge with risk colouring
- <sb-confidence>: Confidence score bar or text display
- <sb-gate>: Conditional rendering based on bot detection result
- <sb-honeypot>: Honeypot form field insertion
- <sb-human>: Show content only for verified humans
- <sb-risk>: Risk level display
- <sb-risk-pill>: Compact risk pill/badge
- <sb-signal>: Individual signal display
- <sb-summary>: Full detection summary (inline or card variant)

New View Components:
- SbBadgeViewComponent, SbConfidenceViewComponent, SbSummaryViewComponent
- Card and Default views for SbSummary
- Standalone CSS: sb-components.css

SignatureOnlyPaths:
- New BotDetectionOptions.SignatureOnlyPaths property
- Paths compute visitor HMAC signature without running the 27-detector pipeline
- Dashboard automatically registers its BasePath as signature-only
- Enables "Your Detection" panel to look up cached results from real page visits

Dashboard Improvements:
- Embed mode: pass ?embed=1 to hide the brand header (for iframe embedding)
- /api/me sentinel endpoint: returns current visitor's cached detection
- Client-side retry: fetchMeWithRetry polls api/me when initial data is null
- General API rate limiting (60 req/min per IP) on all dashboard endpoints
- Authorization failure logging

Security & Hardening:
- SignalR hub auth: OnConnectedAsync enforces same auth as dashboard middleware
- Dashboard auth warning: logs when no AuthorizationFilter/RequireAuthorizationPolicy configured
- SafeJson: all @Html.Raw() JSON blocks escape </ to prevent script-tag breakout (XSS defence-in-depth)
- Removed Html.Raw for emoji rendering in ViewComponents (defence-in-depth)
- Thread-safe mutation of SignatureOnlyPaths via lock
- Rate limiting expanded from diagnostics-only to all API endpoints (60 req/min per IP)
- Rate limiter cleanup threshold lowered from 1000 to 500 entries
- Rate limiter hard cap (10,000 entries) prevents memory exhaustion under distributed attacks
- User-Agent sanitization: email addresses stripped from UA strings before SignalR broadcast

Demo Application:
- ComponentsController with Gating, Honeypot, and Index views
- ComponentDemo Razor Page for interactive component testing
- New _Layout, _ViewImports, _ViewStart for Demo views

Documentation:
- New ui-components.md: full reference for all 11 Sb* tag helpers with usage examples
- Path Configuration section in configuration.md (ExcludedPaths, SignatureOnlyPaths, PathOverrides)
- Dashboard API: /api/me endpoint, embed mode (?embed=1), rate limiting details
- Security: SignalR hub auth, dashboard auth warning, SafeJson escaping

---

1.2.0

Enhanced Detection Pipeline & Security Layer:

Security Detection:
- SecurityToolContributor: Detects penetration testing tools (SQLMap, Nikto, Nmap, Burp Suite, etc.)
- ProjectHoneypotContributor: HTTP:BL IP reputation lookups via DNS with test mode simulation
- Pattern fetching from digininja/scanner_user_agents and OWASP CoreRuleSet
- Honeypot test mode: Use <test-honeypot:harvester|spammer|suspicious> markers for testing

AI Detection Improvements:
- HeuristicLateContributor: Post-AI refinement layer that runs after LLM for final classification
- Improved LLM prompt for better accuracy with smaller models
- Fixed localhost IP detection - no longer incorrectly flagged as datacenter IP
- Default LLM model upgraded to gemma3:4b for better reasoning

Demo Enhancements:
- Interactive bot simulator with 20+ preconfigured bot types
- Custom User-Agent input field for testing arbitrary UA strings
- UA Only policy for fast User-Agent-only detection testing
- Honeypot simulator buttons for testing Project Honeypot integration
- Security scanner buttons (Nikto, Nessus, Nmap, Burp Suite, Acunetix)

Production Security Defaults:
- ResponseHeaders.Enabled defaults to false (never leak detection details)
- EnableTestMode defaults to false
- Detection results flow downstream only via HttpContext.Items

New Documentation:
- security-tools-detection.md - Comprehensive security tool detection guide
- project-honeypot.md - HTTP:BL integration and testing guide
- Updated ai-detection.md with HeuristicLate contributor details

Integration Tests:
- Production security defaults verification
- Honeypot test mode simulation tests
- Contributor registration tests

New SignalKeys:
- SecurityToolDetected, SecurityToolName, SecurityToolCategory
- HoneypotChecked, HoneypotListed, HoneypotThreatScore, HoneypotVisitorType
- HoneypotTestMode (for test mode simulation)

---

1.0.0

🎉 First Stable Release!

Bot detection middleware for ASP.NET Core with multi-signal detection,
AI-powered classification with continuous learning, and full observability.

Key Features:
- Multi-signal detection: User-Agent, headers, IP ranges, behavioral analysis, client-side fingerprinting
- AI-powered classification: Heuristic model (<1ms) with optional LLM escalation
- Continuous learning: Heuristic weights adapt over time based on detection feedback
- Composable policies: Separate detection (WHAT) from action (HOW)
- Stealth responses: Throttle, challenge, or honeypot bots without revealing detection
- Auto-updated threat intel: isbot patterns and cloud IP ranges
- Full observability: OpenTelemetry traces and metrics

Breaking Changes from Preview:
- Default LLM model changed from gemma3:1b to gemma3:4b (better reasoning)
- Default LLM timeout increased from 2000ms to 5000ms
- ONNX provider removed in favor of Heuristic provider (faster, no external dependencies)

Migration Guide:
- Replace "Provider": "Onnx" with "Provider": "Heuristic" in config
- Update Ollama model if using LLM escalation: gemma3:4b recommended

---

0.5.0-preview2

Composable Action Policy System:
- Named action policies separate from detection policies
- Built-in: block, throttle, challenge, redirect, logonly
- BlockActionPolicy: Configurable status codes, messages, headers
- ThrottleActionPolicy: Jitter, risk-scaling, exponential backoff, stealth mode
- ChallengeActionPolicy: CAPTCHA, JavaScript, proof-of-work challenges
- RedirectActionPolicy: Honeypot, tarpit, error page with templates
- LogOnlyActionPolicy: Shadow mode, debug headers, metrics
- IActionPolicyFactory for configuration-based creation
- IActionPolicyRegistry for runtime policy lookup
- Custom action policies via IActionPolicy interface
- [BotAction("policy-name")] attribute for endpoint overrides
- ActionPolicyName property on detection policies and transitions

---

0.5.0-preview1

Policy-Based Detection:
- Named policies with configurable detectors per endpoint
- Path-based resolution with glob patterns (/api/*, /admin/**)
- Built-in: default, strict, relaxed, allowVerifiedBots
- Transitions based on risk thresholds and signals
- Per-policy weight overrides
- Actions: Allow, Block, Challenge, Throttle, EscalateToAi

Management Endpoints & Attributes:
- MapBotPolicyEndpoints() for CRUD and testing
- [BotPolicy("strict")] attribute for controllers/actions
- [BotDetector("UserAgent,Header")] for inline ad-hoc detection
- [SkipBotDetection] to bypass detection
- Policy simulation endpoint for testing transitions

Response Headers & TagHelpers:
- Configurable response headers (X-Bot-Risk-Score, X-Bot-Policy)
- <bot-detection-result /> TagHelper for client-side JS integration
- Full JSON result via Base64-encoded header option

Throttling with Jitter:
- Configurable base delay, max delay, jitter percent
- ScaleByRisk option for risk-proportional delays
- DelayResponse to slow bots at TCP level
- Custom throttle messages and challenge types

Blackboard Architecture:
- Event-driven detection with evidence aggregation
- Wave-based parallel execution
- Trigger conditions (WhenSignalExists, WhenRiskExceeds)
- Circuit breakers per detector
- Early exit for high-confidence detections

Pattern Reputation System:
- BotScore, Support, State tracking with time decay
- Online EMA updates, state machine (Neutral → Suspect → ConfirmedBad)
- Manual overrides never auto-downgrade
- Drift detection for bot/human ratio changes

Fast/Slow Path:
- Fast path: sync detectors (<100ms)
- Slow path: async AI/learning via LearningEventBus

New Interfaces:
- IContributingDetector, ILearningEventHandler, IPatternReputationCache
- IPolicyRegistry, IPolicyEvaluator

SQLite Pattern Store, comprehensive documentation

---

0.0.5-preview1

Client-Side Fingerprinting:
- BotDetectionTagHelper for fingerprint collection JS
- Signed token system prevents spoofing
- Detects headless browsers, automation markers

Inconsistency Detection:
- Catches UA/header mismatches
- Cross-signal contradiction detection

Risk Assessment:
- RiskBand enum (Low, Elevated, Medium, High)
- GetRiskBand(), ShouldChallengeRequest(), GetRecommendedAction()

Session-Level Behavioral Analysis:
- Multi-identity tracking (IP, fingerprint, API key, user)
- Anomaly detection (spikes, new paths, timing)

---

0.0.4-preview1

- ONNX-based detection (1-10ms latency)
- Source-generated regex for performance
- OpenTelemetry metrics integration
- YARP reverse proxy integration

---

0.0.3-preview2: Security fixes (ReDoS, CIDR validation)
0.0.3-preview1: Documentation improvements
0.0.2-preview1: Background updates, SQLite storage
0.0.1-preview1: Initial release