Documentation

    Module @kehto/firewall

    @kehto/firewall — Pure, WASM-ready behavioral firewall engine for the napplet protocol.

    Zero dependencies. Zero side effects. All functions are pure: config + state + observation in, decision + next-state out. Designed for deterministic rate-limiting decisions that could be compiled to WASM without modification (the WASM-ready boundary).

    import { evaluate, defaultConfig, createState } from '@kehto/firewall';

    // Create default config with conservative built-in limits
    const config = defaultConfig();
    // config.defaultRate.action === 'flag' (allow + audit)
    // config.burstGuard.action === 'block' (stop init floods)
    // config.unfocusedMultiplier === 0.25 (tighten background napplets)

    // Create empty ephemeral counter state (reset on reload)
    let state = createState();

    // Build the observation from the protocol envelope (Phase 81 concern)
    const obs = {
      napplet: 'chat',
      opClass: 'relay:write',
      kind: 1,
      focused: true,
      now: 1_000_000, // injected — evaluate() never reads a wall clock
    };

    // Evaluate — pure, no side effects
    const result = evaluate(config, state, obs);
    // result.decision === 'pass' | 'reject' | 'prompt'
    // result.action === 'flag' | 'block' | 'ignore'
    // result.ruleId === 'rate:default' | 'burst' | 'policy:deny' | ...
    // result.reason === human-readable reason string
    // result.newState — updated token-bucket state; advance for next call
    state = result.newState;

    @kehto/firewall

    Pure, WASM-ready behavioral firewall engine for the napplet protocol — zero dependencies, zero side effects.

    Alpha status: Kehto is an early runtime implementation for a draft NIP-5D protocol. The firewall engine API is not yet final; treat this package as current implementation guidance, not as a stable protocol guarantee.

    pnpm add @kehto/firewall
    

    @kehto/firewall is Kehto's behavioral abuse-detection engine. It is the temporal complement to @kehto/acl: where ACL asks "is this napplet statically allowed to perform this operation?", the firewall asks "is this napplet abusing an operation over time?".

    Every function is pure: config + state + observation in, decision + next state out. No I/O, no timers, no globals — the module is trivially compilable to WASM and is the single source of truth for behavioral-firewall decisions.

    The core evaluate(config, state, observation) function implements:

    • Token-bucket rate limiting per (napplet dTag, opClass) pair with O(1) lazy refill.
    • Init-burst guard — catches a napplet flooding ops immediately after initialization.
    • Content matchers — declarative rules matching op class, event kind, payload size, or focus state.
    • Focus multiplier — tightens rate budgets for unfocused napplets without hard-blocking.
    • Rule precedence — per-napplet policy override → op-class rule → global fallback → built-in defaults.

    import {
      evaluate,
      defaultConfig,
      createState,
    } from '@kehto/firewall';

    const config = defaultConfig();
    let state = createState();

    const obs = {
      napplet: 'chat',
      opClass: 'relay:write',
      focused: true,
      now: Date.now(),
    };

    const result = evaluate(config, state, obs);
    // result.decision: 'pass' | 'reject' | 'prompt'
    // result.newState: updated counter state (original unchanged)

    state = result.newState;
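
The token-bucket behaviour listed above (lazy refill, one bucket per napplet:opClass key, a tighter budget when unfocused), sketched as an added example. It is not @kehto/firewall's source: `step`, `replay`, `keyOf`, `LIMIT` and the limit fields are hypothetical names with constructed values, except 0.25, which is the unfocused multiplier the page quotes.

```javascript
// Hypothetical limit shape for this sketch; not the package's RateLimit type.
const LIMIT = Object.freeze({ capacity: 8, windowMs: 1000, unfocusedMultiplier: 0.25 });

// Bucket key in the napplet:opClass form the page gives for toKey.
const keyOf = (obs) => `${obs.napplet}:${obs.opClass}`;

// Pure step: (limit, state, obs) -> { exceeded, newState }.
// It never reads a clock and never mutates its inputs.
function step(limit, state, obs) {
  // Unfocused napplets get a scaled-down budget instead of a hard block.
  const scale = obs.focused ? 1 : limit.unfocusedMultiplier;
  const capacity = limit.capacity * scale;
  const ratePerMs = capacity / limit.windowMs;

  const key = keyOf(obs);
  const prev = state[key] ?? { tokens: capacity, last: obs.now };

  // A timestamp older than the last one seen must not rewind the bucket,
  // otherwise a later call would see extra elapsed time and mint tokens.
  const now = Math.max(obs.now, prev.last);

  // Lazy refill: one multiplication per call, however long the bucket sat idle.
  const tokens = Math.min(capacity, prev.tokens + (now - prev.last) * ratePerMs);

  const exceeded = tokens < 1;
  const next = { tokens: exceeded ? tokens : tokens - 1, last: now };
  return { exceeded, newState: { ...state, [key]: next } };
}

// Replay a list of observations from an empty state and collect the outcomes.
// Freezing each state makes any accidental in-place write visible.
function replay(limit, observations) {
  let state = Object.freeze({});
  const out = [];
  for (const obs of observations) {
    const r = step(limit, state, obs);
    out.push(r.exceeded);
    state = Object.freeze(r.newState);
  }
  return out;
}
```

Because the timestamp is part of the observation, replaying the same list always yields the same outcomes, which is what makes a limiter of this shape testable without mocking a clock.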

    • Observation — normalized engine input (never a raw protocol envelope)
    • FirewallConfig — immutable configuration container (rules + defaults)
    • FirewallState — immutable counter state (token buckets + burst counters)
    • EvaluateResult: { decision, action, ruleId, reason, newState }
    • Decision: 'pass' | 'reject' | 'prompt'
    • Action: 'flag' | 'block' | 'ignore'
    • NappletPolicy: 'allow' | 'deny' | 'ask'
    • RateLimit, BurstGuard, ContentMatcher, NappletRules
    • Bucket, BurstCounter
    • DEFAULT_RATE_LIMIT, DEFAULT_BURST_GUARD
    • DEFAULT_EXCEED_ACTION, DEFAULT_BURST_ACTION
    • DEFAULT_UNFOCUSED_MULTIPLIER
    • evaluate — pure decision function (config + state + observation → result)
    • toKey — derive the napplet:opClass bucket key
    • defaultConfig — built-in conservative config
    • createState — empty counter state
    • setPolicy, setRateLimit, addMatcher — immutable config mutations
    • serialize, deserialize — JSON round-trip for persistence

    MIT

    Interfaces

    Bucket
    BurstCounter
    BurstGuard
    ContentMatcher
    EvaluateResult
    FirewallConfig
    FirewallState
    NappletRules
    Observation
    RateLimit

    Type Aliases

    Action
    Decision
    NappletPolicy

    Variables

    DEFAULT_BURST_ACTION
    DEFAULT_BURST_MAX_OPS
    DEFAULT_BURST_WINDOW_MS
    DEFAULT_EXCEED_ACTION
    DEFAULT_RATE_CAPACITY
    DEFAULT_RATE_WINDOW_MS
    DEFAULT_UNFOCUSED_MULTIPLIER

    Functions

    addMatcher
    createState
    defaultConfig
    deserialize
    evaluate
    serialize
    setGlobalRate
    setPolicy
    setRateLimit
    toKey