StreamPay-Frontend/detector.ts at main · Windowlight/StreamPay-Frontend · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import { AnomalyAlert, AnomalyThresholds, MetricSnapshot } from "./types";
import { getConfig } from "./app/lib/config";

/**
 * Default thresholds tunable via environment variables.
 * Now sourced from centralized config for validation.
 */
const DEFAULT_THRESHOLDS: AnomalyThresholds = {
  creationBurstLimit: getConfig().anomalyThresholds.creationBurstLimit,
  settleRateLimit: getConfig().anomalyThresholds.settleRateLimit,
};

/**
 * In-memory whitelist for snoozing alerts per tenant during incidents.
 * In production, this should be backed by a distributed cache or DB.
 */
const whitelist = new Set<string>();

/**
 * Rule-based anomaly detection for early fraud/bug mitigation.
 * SECURITY NOTE: These alerts are for observation and manual review.
 * Do not use for unilateral fund freezing without a compliance policy.
 */
export const AnomalyDetector = {
  evaluate(snapshot: MetricSnapshot, config: AnomalyThresholds = DEFAULT_THRESHOLDS): AnomalyAlert[] {
    if (whitelist.has(snapshot.tenantId)) {
      return [];
    }

    const alerts: AnomalyAlert[] = [];

    // Rule 1: High frequency of new stream creation
    if (snapshot.streamCreations > config.creationBurstLimit) {
      alerts.push({
        tenantId: snapshot.tenantId,
        ruleName: "STREAM_CREATION_BURST",
        observedValue: snapshot.streamCreations,
        threshold: config.creationBurstLimit,
        severity: "high",
        detectedAt: new Date().toISOString(),
      });
    }

    // Rule 2: Abnormal settlement activity
    if (snapshot.settleAttempts > config.settleRateLimit) {
      alerts.push({
        tenantId: snapshot.tenantId,
        ruleName: "SETTLE_RATE_SPIKE",
        observedValue: snapshot.settleAttempts,
        threshold: config.settleRateLimit,
        severity: "medium",
        detectedAt: new Date().toISOString(),
      });
    }

    // Rule 3: High submission failure rate
    const submissionsTotal = snapshot.stellarSubmissionsTotal || 0;
    const submissionsFailed = snapshot.stellarSubmissionsFailed || 0;
    const failureRate = submissionsTotal > 0
      ? submissionsFailed / submissionsTotal
      : 0;
    if (failureRate > (config.submissionFailureThreshold ?? 0.05)) {
      alerts.push({
        tenantId: snapshot.tenantId,
        ruleName: "HIGH_SUBMISSION_FAILURE_RATE" as any,
        observedValue: failureRate,
        threshold: config.submissionFailureThreshold ?? 0.05,
        severity: "high",
        detectedAt: new Date().toISOString(),
      });
    }

    // Rule 4: DLQ Growth
    const dlqDepth = snapshot.dlqDepth || 0;
    if (dlqDepth > (config.maxDlqDepth ?? 10)) {
      alerts.push({
        tenantId: snapshot.tenantId,
        ruleName: "DLQ_DEPTH_EXCEEDED" as any,
        observedValue: dlqDepth,
        threshold: config.maxDlqDepth ?? 10,
        severity: "high",
        detectedAt: new Date().toISOString(),
      });
    }

    return alerts;
  },

  setWhitelist(tenantId: string, active: boolean) {
    active ? whitelist.add(tenantId) : whitelist.delete(tenantId);
  }
};