mostlylucid.botdetection 7.5.5

There is a newer prerelease version of this package available.
See the version list below for details.

Mostlylucid.BotDetection

Enterprise bot detection and anonymous entity resolution for ASP.NET Core. Probabilistic, behavioural, and protocol-deep — not just User-Agent matching.

This is the detection engine that powers StyloBot — a self-hosted bot defense platform you can run in front of any web application.



What it does

57 contributors fire in a wave-based pipeline. The fast path (<1 ms) handles 90% of traffic. Slow-path and session contributors only activate when upstream signals justify it.

  • 57 detection contributors across 4 waves — UA, headers, IP, protocol fingerprinting (JA3/JA4/H2/QUIC/TCP-IP), behavioural, AI, cluster discovery, CVE probes
  • Transport header trust gate (7.5) — X-JA3/X-JA4/X-H2/QUIC headers are gated behind peer-IP trust so attackers can't inject spoofed fingerprints
  • arcjet well-known-bots catalog (7.5) — 635 additional bot UA patterns downloaded hourly; fills gaps in YAML definitions (TurnitinBot, SemanticScholarBot, monitoring bots, etc.)
  • Forward-DNS verified-bot confirmation (7.5) — ActivityPub +URL claims in fediverse UAs are confirmed against A/AAAA records; spoofed Mastodon UAs are rejected
  • Metastable fingerprint identity — each visitor is a learned vector shape, not a static cookie. Persistent trust state, claim-first display naming.
  • Blackboard architecture via StyloFlow — detectors read/write ephemeral signals; zero-PII design (all persistence uses HMAC-SHA256 hashes)
  • Leiden clustering finds coordinated bot campaigns
  • 129-dim Markov chain session vectors — inter-session velocity, partial-chain archetypes, snapshot compaction
  • Anonymous entity resolution — merge/split/rewind backed by immutable session snapshots; L0-L5 confidence levels
  • Policy stack — YAML-backed rules separate detection (WHAT) from action (HOW); full editor in the dashboard (7.5)
  • robots.txt + sitemap extensions (7.5) — MapStyloBotRobotsTxt() generates policy-aware Disallow lines; MapStyloBotSitemap() serves verdict-adaptive sitemaps
  • SQLite everywhere for FOSS — zero-dependency persistence; PostgreSQL is the commercial upgrade path

Quick start

dotnet add package Mostlylucid.BotDetection

// Program.cs
builder.Services.AddStyloBot(dashboard =>
{
    dashboard.AllowUnauthenticatedAccess = true; // dev only
});
app.UseRouting();
app.UseStyloBot();  // detection + dashboard, correct middleware ordering

That's it. The dashboard is at /_stylobot. All 57 contributors are active. SQLite databases are created in the working directory.


Common configurations

// Detection only — no dashboard
builder.Services.AddBotDetection();
app.UseBotDetection();

// User-agent only — minimal footprint
builder.Services.AddSimpleBotDetection();

// Ephemeral mode — no SQLite, state evaporates on restart (dev/serverless)
builder.Services.AddBotDetectionInMemory();

// LLM escalation for edge cases
builder.Services.AddAdvancedBotDetection("http://localhost:11434", "gemma4");

// robots.txt + sitemap driven by policy rules
app.MapStyloBotRobotsTxt();   // serves Disallow: lines for blocked bots
app.MapStyloBotSitemap();     // serves different URLs by detection verdict

Transport header trust (new in 7.5 — security fix)

If you run behind a reverse proxy (Cloudflare, nginx, Caddy, YARP), configure the trust list so injected edge headers (JA3/JA4, HTTP/2, QUIC, TCP/IP) are accepted only from your proxy:

{
  "BotDetection": {
    "TransportTrust": {
      "TrustedProxyIps": ["10.0.0.1/24", "172.16.0.0/12"],
      "Mode": "Strict"
    }
  }
}

Without this, an attacker hitting the gateway over direct HTTPS can inject a known-Chrome JA3 and receive a human-signal bias. See proxy-topologies.md.
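
A minimal sketch of the peer-IP gate described above, as an added example rather than the package's own code: edge-injected fingerprint headers are honoured only when the socket peer (not X-Forwarded-For) falls inside a trusted range. The TransportHeaderGate class, the X-Client-TLS-Version header and all sample values are constructed for illustration; the first range is written 10.0.0.0/24 because System.Net.IPNetwork (.NET 8+) rejects a base address with host bits set.

```csharp
// Added illustration of a peer-IP trust gate; not Mostlylucid.BotDetection source code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Constructed sample traffic: identical injected headers, two different socket peers.
var gate = new TransportHeaderGate(new[] { "10.0.0.0/24", "172.16.0.0/12" });

var viaProxy = NewRequest();
var direct = NewRequest();

// The proxy connects over a dual-stack socket, so its address arrives IPv4-mapped.
int strippedViaProxy = gate.Apply(IPAddress.Parse("::ffff:10.0.0.7"), viaProxy);
// A client reaching the gateway directly (documentation range 203.0.113.0/24).
int strippedDirect = gate.Apply(IPAddress.Parse("203.0.113.50"), direct);

Console.WriteLine($"trusted proxy: stripped {strippedViaProxy}, JA3 kept = {viaProxy.ContainsKey("X-JA3-Hash")}");
Console.WriteLine($"direct client: stripped {strippedDirect}, JA3 kept = {direct.ContainsKey("X-JA3-Hash")}");
Console.WriteLine($"direct client: User-Agent kept = {direct.ContainsKey("User-Agent")}");

static Dictionary<string, string> NewRequest() => new(StringComparer.OrdinalIgnoreCase)
{
    ["User-Agent"] = "ExampleClient/1.0",                    // constructed
    ["X-JA3-Hash"] = "00000000000000000000000000000000",     // constructed placeholder
    ["X-Client-HTTP-Version"] = "2",
    ["X-Client-TLS-Version"] = "TLSv1.3",                    // hypothetical X-Client-TLS-* member
};

sealed class TransportHeaderGate
{
    // Header names as listed on the page; the X-Client-TLS-* family is matched by prefix.
    static readonly string[] Exact = { "X-JA3-Hash", "X-Client-HTTP-Version" };
    const string TlsPrefix = "X-Client-TLS-";

    readonly IPNetwork[] _trusted;

    // IPNetwork.Parse throws on malformed CIDRs, so a typo in the trust list
    // fails at startup instead of silently widening or emptying the list.
    public TransportHeaderGate(IEnumerable<string> cidrs) =>
        _trusted = cidrs.Select(c => IPNetwork.Parse(c)).ToArray();

    public bool IsTrusted(IPAddress peer)
    {
        // Normalise ::ffff:a.b.c.d so an IPv4 range still matches on dual-stack listeners.
        if (peer.IsIPv4MappedToIPv6) peer = peer.MapToIPv4();
        return _trusted.Any(n => n.Contains(peer));
    }

    static bool IsTransportHeader(string name) =>
        Exact.Contains(name, StringComparer.OrdinalIgnoreCase) ||
        name.StartsWith(TlsPrefix, StringComparison.OrdinalIgnoreCase);

    // socketPeer must be the TCP peer address (HttpContext.Connection.RemoteIpAddress
    // in ASP.NET Core), never a value taken from a client-supplied header.
    // Returns the number of headers removed from an untrusted request.
    public int Apply(IPAddress socketPeer, IDictionary<string, string> headers)
    {
        if (IsTrusted(socketPeer)) return 0;

        var injected = headers.Keys.Where(IsTransportHeader).ToList();
        foreach (var name in injected) headers.Remove(name);
        return injected.Count;
    }
}
```

Removing the headers, rather than only ignoring them, keeps any later component from reading a client-supplied fingerprint by accident.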


HttpContext extensions

if (context.IsBot()) return Results.StatusCode(403);

var confidence = context.GetBotConfidence();  // 0.0–1.0
var botType    = context.GetBotType();        // BotType enum
var botName    = context.GetBotName();        // "Googlebot", "curl", etc.

Action policies

| Policy | Effect |
|---|---|
| block | HTTP 403 |
| throttle-stealth | Silent delay (bots don't know they're throttled) |
| throttle-tools | HTTP 429 + Retry-After |
| throttle-status | Fast HTTP 429 for friendly bots (Mastodon, UptimeRobot) |
| challenge | Proof-of-work or CAPTCHA |
| redirect-honeypot | Silent redirect to trap |
| logonly | Shadow mode — observe without acting |

Apply globally or per-path:

{
  "BotDetection": {
    "DefaultActionPolicyName": "throttle-stealth",
    "BlockDetectedBots": true
  }
}

Detection waves

Fast path (<1 ms, every request)

UserAgent (YAML + arcjet catalog fallback), Header, IP, SecurityTool, Behavioral, ClientSide, Inconsistency, VersionAge, Heuristic, FastPathReputation, CacheBehavior, CookieBehavior, ResourceWaterfall, ReputationBias, AiScraper (YAML + arcjet AI fallback), Haxxor, CveProbe, PiiQueryString, VerifiedBot, VerifiedBotInline, FediverseDomain, BrowserModeClassifier, CveFingerprint, HeuristicLate, ClaimedIdentity, ThreatIntel

Advanced fingerprinting

TlsFingerprint (JA3/JA4), TcpIpFingerprint (p0f), Http2Fingerprint (AKAMAI), Http3Fingerprint (QUIC), MultiLayerCorrelation, BehavioralWaveform, ResponseBehavior, TransportProtocol, StreamAbuse

Session / behavioural analysis

SessionVector (Markov chain → 129-dim vector), Periodicity, ReactivePattern, Similarity, Cluster

Entity resolution

AccountTakeover, IdentityChange, GeoChange, PoolCollision

Post-round-trip

ChallengeVerification, FingerprintApproval, ClickFraud, Honeypot.EndpointHistory, Honeypot.HoneypotLink

LLM escalation (opt-in)

Llm (enrichment only, not the decision-maker)

Slow path (~100 ms, opt-in)

ProjectHoneypot (DNS lookup against http:BL)


Detector timing (Apple M5, .NET 10, warm cache, full 57-contributor pipeline)

| Scenario | Mean | Allocated |
|---|---|---|
| AiScraper — GPTBot | 269 ns | 1,008 B |
| Haxxor — clean | 198 ns | 0 B |
| Haxxor — SQL injection | 1,202 ns | 1,744 B |
| Heuristic — bot | 1,653 ns | 2,528 B |
| Heuristic — human | 1,704 ns | 2,512 B |
| Intent — navigation | 2,540 ns | 5,784 B |
| IP — datacenter | 320 ns | 1,136 B |
| TLS fingerprint — Chrome | 262 ns | 896 B |
| Header — curl (bot) | 424 ns | 1,544 B |
| Header — Chrome (human) | 417 ns | 1,320 B |
| CookieBehavior — cookies | 18 ns | 184 B |
| Http2 — Chrome | 110 ns | 176 B |
| HeaderCorrelation — full | 15 ns | 104 B |
| UserAgent — Googlebot (full pipeline) | 13,272 ns | 2,568 B |
| UserAgent — Chrome (full pipeline) | 104,821 ns | 1,817 B |

The full-pipeline Chrome number (105 µs) reflects all 57 contributors running; the detection-code share of a typical gateway request is ~0.1% of total latency (remainder is network + Kestrel).


Real-time dashboard

Mount at /_stylobot (or configure BasePath). Features: live signature feed, session timeline with Markov drill-in, behavioural radar, world threat map, cluster visualisation, UA breakdown, Threats tab, policy editor (7.5).


YARP / gateway integration

Use Stylobot.Gateway or stylobot CLI for edge deployments. Edge-injected client signals (X-JA3-Hash, X-Client-HTTP-Version, X-Client-TLS-*) are forwarded by the gateway and read by the contributors — gated by TransportTrust config.


Requirements

  • .NET 10.0
  • LlamaSharp or Ollama for optional LLM escalation

License

GNU AGPL-3.0-only — free for open-source and internal use; public-facing SaaS deployments must share source or obtain a commercial licence.


NuGet packages (8)

Showing the top 5 NuGet packages that depend on mostlylucid.botdetection:

Package Downloads
Mostlylucid.BotDetection.UI

DEPRECATION NOTICE: This package will be renamed to 'stylobot.ui' on June 1 2025. See https://github.com/scottgal/stylobot/blob/main/docs/migration-v7.md -- Real-time bot detection dashboard with SignalR and DaisyUI. Includes sb-badge, sb-confidence, sb-gate, sb-honeypot, sb-human, sb-risk, sb-signal, and sb-summary Tag Helpers plus View Components for embedding detection results in ASP.NET Core views.

Mostlylucid.BotDetection.UI.PostgreSQL

PostgreSQL storage provider for Stylobot Dashboard with GIN-indexed signature search, TimescaleDB time-series optimizations, and pgvector ML-based similarity search using Dapper

Mostlylucid.BotDetection.Llm

Package Description

Mostlylucid.StyloExtract.StyloBot

Bridge between StyloExtract and StyloBot's IActionPolicy registry. Provides extract-markdown / extract-headers / extract-sidecar / extract-passthrough action policies that operators reference by name from EndpointPolicy rules or [BotAction] attributes.

Mostlylucid.GeoDetection.Contributor

GeoDetection contributor for BotDetection - provides geographic location analysis and geo-based bot detection signals including country/region validation and geo-inconsistency detection.

GitHub repositories

This package is not used by any popular GitHub repositories.

| Version | Downloads | Last Updated |
|---|---|---|
| 8.0.0-alpha2 | 0 | 7/3/2026 |
| 8.0.0-alpha1 | 38 | 7/2/2026 |
| 7.5.5 | 257 | 6/16/2026 |
| 7.5.3 | 59 | 6/16/2026 |
| 7.5.2 | 71 | 6/16/2026 |
| 7.5.1 | 69 | 6/16/2026 |
| 7.5.0 | 63 | 6/16/2026 |
| 7.0.1-alpha0 | 97 | 6/4/2026 |
| 7.0.0 | 348 | 6/1/2026 |
| 7.0.0-rc0 | 100 | 5/31/2026 |
| 7.0.0-alpha2 | 90 | 5/31/2026 |
| 7.0.0-alpha1 | 103 | 5/31/2026 |
| 7.0.0-alpha0 | 103 | 5/31/2026 |
| 6.9.0-alpha0 | 99 | 5/28/2026 |
| 6.8.9 | 238 | 5/26/2026 |
| 6.8.8 | 126 | 5/26/2026 |
| 6.8.6 | 104 | 5/26/2026 |
| 6.8.5 | 107 | 5/25/2026 |
| 6.8.4 | 115 | 5/25/2026 |
| 6.8.3 | 99 | 5/25/2026 |

6.5.0

Remote-mode dashboard + new binaries:

- stylobot-ui (Stylobot.Ui): dashboard host that reads everything from a remote
 stylobot gateway's /api/v1/* over HTTP. Designed to be hosted inside a network
 as a viewer with local-only access. Configurable via StyloBot:Source:Pull:Type
 (rest|local) and StyloBot:Source:Live:Type (signalr|none).

- stylobot-all (Stylobot.All): YARP gateway + detection + dashboard in one
 process. One container, simplest deployment.

- stylobot (Console gateway) --enable-api flag: opts into the /api/v1/* REST
 surface + SignalR invalidation hub at /api/v1/hub. Off by default to preserve
 the small-surface posture. Fails fast at startup if no StyloBot:ApiKeys are
 configured.

- 10 new /api/v1/* endpoints: clusters, labels, approvals, endpoint-pins,
 sessions, useragents/search, investigate (+ shape-search + presets), bdf
 export, config manifests, fingerprints (+ unabsorbed counts).

- IConfigEditorService, IFingerprintReader, IBotClusterReader interfaces
 extracted from concrete classes so remote HTTP-backed adapters can substitute.

- SignalR live-feed relay: stylobot-ui opens a HubConnection to the gateway's
 /api/v1/hub and forwards invalidation beacons into the local hub so browsers
 refresh on detection events end-to-end.

- CLI: -d / --daemon shorthand for the start subcommand;
 --output-config <file> dumps the effective BotDetectionOptions to disk in
 appsettings.json shape for editing.

- Naming: ResolveDisplayName falls through to FingerprintNameComposer so
 humans always get a derived display name ("Chrome on Windows (US:abcd)")
 even when the metastable identity layer is off.

- AOT: sidecar publishes at 37MB (down from 131MB self-contained-single-file)
 after the VYaml + TypedResults + RequestDelegateGenerator work; Console
 gateway with --enable-api publishes at 59MB AOT.

See CHANGELOG.md for the full 6.5.0 entry.

---

3.5.0

UI Components, Dashboard Enhancements & Hardening:

New Sb* Tag Helpers (Mostlylucid.BotDetection.UI):
- <sb-badge>: Inline bot/human badge with risk colouring
- <sb-confidence>: Confidence score bar or text display
- <sb-gate>: Conditional rendering based on bot detection result
- <sb-honeypot>: Honeypot form field insertion
- <sb-human>: Show content only for verified humans
- <sb-risk>: Risk level display
- <sb-risk-pill>: Compact risk pill/badge
- <sb-signal>: Individual signal display
- <sb-summary>: Full detection summary (inline or card variant)

New View Components:
- SbBadgeViewComponent, SbConfidenceViewComponent, SbSummaryViewComponent
- Card and Default views for SbSummary
- Standalone CSS: sb-components.css

SignatureOnlyPaths:
- New BotDetectionOptions.SignatureOnlyPaths property
- Paths compute visitor HMAC signature without running the 27-detector pipeline
- Dashboard automatically registers its BasePath as signature-only
- Enables "Your Detection" panel to look up cached results from real page visits

Dashboard Improvements:
- Embed mode: pass ?embed=1 to hide the brand header (for iframe embedding)
- /api/me sentinel endpoint: returns current visitor's cached detection
- Client-side retry: fetchMeWithRetry polls api/me when initial data is null
- General API rate limiting (60 req/min per IP) on all dashboard endpoints
- Authorization failure logging

Security & Hardening:
- SignalR hub auth: OnConnectedAsync enforces same auth as dashboard middleware
- Dashboard auth warning: logs when no AuthorizationFilter/RequireAuthorizationPolicy configured
- SafeJson: all @Html.Raw() JSON blocks escape </ to prevent script-tag breakout (XSS defence-in-depth)
- Removed Html.Raw for emoji rendering in ViewComponents (defence-in-depth)
- Thread-safe mutation of SignatureOnlyPaths via lock
- Rate limiting expanded from diagnostics-only to all API endpoints (60 req/min per IP)
- Rate limiter cleanup threshold lowered from 1000 to 500 entries
- Rate limiter hard cap (10,000 entries) prevents memory exhaustion under distributed attacks
- User-Agent sanitization: email addresses stripped from UA strings before SignalR broadcast

Demo Application:
- ComponentsController with Gating, Honeypot, and Index views
- ComponentDemo Razor Page for interactive component testing
- New _Layout, _ViewImports, _ViewStart for Demo views

Documentation:
- New ui-components.md: full reference for all 11 Sb* tag helpers with usage examples
- Path Configuration section in configuration.md (ExcludedPaths, SignatureOnlyPaths, PathOverrides)
- Dashboard API: /api/me endpoint, embed mode (?embed=1), rate limiting details
- Security: SignalR hub auth, dashboard auth warning, SafeJson escaping

---

1.2.0

Enhanced Detection Pipeline & Security Layer:

Security Detection:
- SecurityToolContributor: Detects penetration testing tools (SQLMap, Nikto, Nmap, Burp Suite, etc.)
- ProjectHoneypotContributor: HTTP:BL IP reputation lookups via DNS with test mode simulation
- Pattern fetching from digininja/scanner_user_agents and OWASP CoreRuleSet
- Honeypot test mode: Use <test-honeypot:harvester|spammer|suspicious> markers for testing

AI Detection Improvements:
- HeuristicLateContributor: Post-AI refinement layer that runs after LLM for final classification
- Improved LLM prompt for better accuracy with smaller models
- Fixed localhost IP detection - no longer incorrectly flagged as datacenter IP
- Default LLM model upgraded to gemma3:4b for better reasoning

Demo Enhancements:
- Interactive bot simulator with 20+ preconfigured bot types
- Custom User-Agent input field for testing arbitrary UA strings
- UA Only policy for fast User-Agent-only detection testing
- Honeypot simulator buttons for testing Project Honeypot integration
- Security scanner buttons (Nikto, Nessus, Nmap, Burp Suite, Acunetix)

Production Security Defaults:
- ResponseHeaders.Enabled defaults to false (never leak detection details)
- EnableTestMode defaults to false
- Detection results flow downstream only via HttpContext.Items

New Documentation:
- security-tools-detection.md - Comprehensive security tool detection guide
- project-honeypot.md - HTTP:BL integration and testing guide
- Updated ai-detection.md with HeuristicLate contributor details

Integration Tests:
- Production security defaults verification
- Honeypot test mode simulation tests
- Contributor registration tests

New SignalKeys:
- SecurityToolDetected, SecurityToolName, SecurityToolCategory
- HoneypotChecked, HoneypotListed, HoneypotThreatScore, HoneypotVisitorType
- HoneypotTestMode (for test mode simulation)

---

1.0.0

🎉 First Stable Release!

Bot detection middleware for ASP.NET Core with multi-signal detection,
AI-powered classification with continuous learning, and full observability.

Key Features:
- Multi-signal detection: User-Agent, headers, IP ranges, behavioral analysis, client-side fingerprinting
- AI-powered classification: Heuristic model (<1ms) with optional LLM escalation
- Continuous learning: Heuristic weights adapt over time based on detection feedback
- Composable policies: Separate detection (WHAT) from action (HOW)
- Stealth responses: Throttle, challenge, or honeypot bots without revealing detection
- Auto-updated threat intel: isbot patterns and cloud IP ranges
- Full observability: OpenTelemetry traces and metrics

Breaking Changes from Preview:
- Default LLM model changed from gemma3:1b to gemma3:4b (better reasoning)
- Default LLM timeout increased from 2000ms to 5000ms
- ONNX provider removed in favor of Heuristic provider (faster, no external dependencies)

Migration Guide:
- Replace "Provider": "Onnx" with "Provider": "Heuristic" in config
- Update Ollama model if using LLM escalation: gemma3:4b recommended

---

0.5.0-preview2

Composable Action Policy System:
- Named action policies separate from detection policies
- Built-in: block, throttle, challenge, redirect, logonly
- BlockActionPolicy: Configurable status codes, messages, headers
- ThrottleActionPolicy: Jitter, risk-scaling, exponential backoff, stealth mode
- ChallengeActionPolicy: CAPTCHA, JavaScript, proof-of-work challenges
- RedirectActionPolicy: Honeypot, tarpit, error page with templates
- LogOnlyActionPolicy: Shadow mode, debug headers, metrics
- IActionPolicyFactory for configuration-based creation
- IActionPolicyRegistry for runtime policy lookup
- Custom action policies via IActionPolicy interface
- [BotAction("policy-name")] attribute for endpoint overrides
- ActionPolicyName property on detection policies and transitions

---

0.5.0-preview1

Policy-Based Detection:
- Named policies with configurable detectors per endpoint
- Path-based resolution with glob patterns (/api/*, /admin/**)
- Built-in: default, strict, relaxed, allowVerifiedBots
- Transitions based on risk thresholds and signals
- Per-policy weight overrides
- Actions: Allow, Block, Challenge, Throttle, EscalateToAi

Management Endpoints & Attributes:
- MapBotPolicyEndpoints() for CRUD and testing
- [BotPolicy("strict")] attribute for controllers/actions
- [BotDetector("UserAgent,Header")] for inline ad-hoc detection
- [SkipBotDetection] to bypass detection
- Policy simulation endpoint for testing transitions

Response Headers & TagHelpers:
- Configurable response headers (X-Bot-Risk-Score, X-Bot-Policy)
- <bot-detection-result /> TagHelper for client-side JS integration
- Full JSON result via Base64-encoded header option

Throttling with Jitter:
- Configurable base delay, max delay, jitter percent
- ScaleByRisk option for risk-proportional delays
- DelayResponse to slow bots at TCP level
- Custom throttle messages and challenge types

Blackboard Architecture:
- Event-driven detection with evidence aggregation
- Wave-based parallel execution
- Trigger conditions (WhenSignalExists, WhenRiskExceeds)
- Circuit breakers per detector
- Early exit for high-confidence detections

Pattern Reputation System:
- BotScore, Support, State tracking with time decay
- Online EMA updates, state machine (Neutral → Suspect → ConfirmedBad)
- Manual overrides never auto-downgrade
- Drift detection for bot/human ratio changes

Fast/Slow Path:
- Fast path: sync detectors (<100ms)
- Slow path: async AI/learning via LearningEventBus

New Interfaces:
- IContributingDetector, ILearningEventHandler, IPatternReputationCache
- IPolicyRegistry, IPolicyEvaluator

SQLite Pattern Store, comprehensive documentation

---

0.0.5-preview1

Client-Side Fingerprinting:
- BotDetectionTagHelper for fingerprint collection JS
- Signed token system prevents spoofing
- Detects headless browsers, automation markers

Inconsistency Detection:
- Catches UA/header mismatches
- Cross-signal contradiction detection

Risk Assessment:
- RiskBand enum (Low, Elevated, Medium, High)
- GetRiskBand(), ShouldChallengeRequest(), GetRecommendedAction()

Session-Level Behavioral Analysis:
- Multi-identity tracking (IP, fingerprint, API key, user)
- Anomaly detection (spikes, new paths, timing)

---

0.0.4-preview1

- ONNX-based detection (1-10ms latency)
- Source-generated regex for performance
- OpenTelemetry metrics integration
- YARP reverse proxy integration

---

0.0.3-preview2: Security fixes (ReDoS, CIDR validation)
0.0.3-preview1: Documentation improvements
0.0.2-preview1: Background updates, SQLite storage
0.0.1-preview1: Initial release