Forem: Francisco López The latest articles on Forem by Francisco López (@franciscuo). https://forem.com/franciscuo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3749376%2F8fedd4bd-2017-403f-8059-36f615f1d4a6.PNG Forem: Francisco López https://forem.com/franciscuo en Clean Architecture in NestJS — Enforcing the Controller-Service-Repository Pattern with Static Analysis Francisco López Wed, 08 Apr 2026 01:29:04 +0000 https://forem.com/franciscuo/clean-architecture-in-nestjs-enforcing-the-controller-service-repository-pattern-with-static-4ejc https://forem.com/franciscuo/clean-architecture-in-nestjs-enforcing-the-controller-service-repository-pattern-with-static-4ejc <p><em>A beginner-friendly guide to layered architecture and how to make sure your team actually follows it</em></p> <p>When I started working with NestJS, one of the things that attracted me the most was how opinionated the framework felt. Modules, controllers, services, dependency injection — it gives you a clear structure from day one. But after working on a few projects, I slowly realized something: NestJS gives you the <em>tools</em> for clean architecture, but it won't stop you from breaking it.</p> <p>I remember one project where a junior dev on my team was tasked with adding a "deactivate user" feature. Simple enough. But instead of going through the service layer, they injected <code>PrismaService</code> directly into the controller, wrote a database query, added an <code>if/else</code> to check permissions, and sent an email — all inside a <code>@Patch()</code> handler. It worked. The tests passed. The PR got merged because the reviewer was in a rush.</p> <p>That's when I started thinking about <strong>enforcing</strong> architecture, not just documenting it.</p> <p><strong>[TL;DR]</strong> <em>If you already know what layered architecture is and just want to enforce it, you can</em> <strong>jump right to "Enforcing It"</strong> <em>section.</em></p> <p>Before we move forward, I wanted to set some expectations. This article won't be an academic deep dive into hexagonal architecture or clean architecture as defined by Uncle Bob. I will be focusing this writing on a practical pattern that works well for most NestJS projects — the <strong>Controller-Service-Repository</strong> pattern — and how to enforce it automatically using <a href="https://github.com/RoloBits/nestjs-doctor" rel="noopener noreferrer">nestjs-doctor</a>. Having said that, let's jump right into it.</p> <h2> The Three Layers </h2> <p>A useful way to think of this is like a restaurant.</p> <ul> <li><p><strong>The Controller</strong> is the <strong>waiter</strong>. It takes your order (HTTP request), brings it to the kitchen, and delivers the food back (HTTP response). The waiter doesn't cook. The waiter doesn't go to the market to buy ingredients. The waiter just communicates.</p></li> <li><p><strong>The Service</strong> is the <strong>chef</strong>. It receives the order, decides what to do, applies the recipe (business logic), and prepares the dish. The chef doesn't talk to customers directly. The chef doesn't go to the warehouse to grab ingredients — they ask someone else.</p></li> <li><p><strong>The Repository</strong> is the <strong>warehouse manager</strong>. It knows where everything is stored, how to fetch ingredients (data), and how to put them back. It deals with storage (the database) so nobody else has to.</p></li> </ul> <p>In code, it looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request → Controller → Service → Repository → Database Response ← Controller ← Service ← Repository ← Database </code></pre> </div> <p>Each layer only talks to the one directly below it. The controller calls the service. The service calls the repository. The repository talks to the database. <strong>Never the other way around, never skipping layers.</strong></p> <p>Let's see what each one looks like in NestJS.</p> <h3> The Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UsersController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">usersService</span><span class="p">:</span> <span class="nx">UsersService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">findAll</span><span class="p">();</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Post</span><span class="p">()</span> <span class="nf">create</span><span class="p">(@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateUserDto</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">dto</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notice how thin this is. No database queries. No <code>if/else</code> logic. No email sending. The controller receives the request, delegates to the service, and returns the response. That's it.</p> <h3> The Service — Business Logic </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UsersService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">usersRepository</span><span class="p">:</span> <span class="nx">UsersRepository</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(</span><span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateUserDto</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">findByEmail</span><span class="p">(</span><span class="nx">dto</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ConflictException</span><span class="p">(</span><span class="dl">'</span><span class="s1">Email already in use</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">dto</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The service contains the <strong>business rules</strong> "if the email already exists, throw an error." It doesn't know about HTTP status codes (that's <code>ConflictException</code>'s job). It doesn't know about SQL or Prisma or Mongo — it calls the repository.</p> <h3> The Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UsersRepository</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">prisma</span><span class="p">:</span> <span class="nx">PrismaService</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">findMany</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">findByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">CreateUserDto</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">data</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The repository is the <strong>only layer that knows about the database</strong>. If you switch from Prisma to TypeORM tomorrow, you only change this file. The service and controller don't care.</p> <h2> What Goes Wrong When You Break the Layers </h2> <p>Let me show you the common mistakes I see, especially from devs who are new to NestJS.</p> <h3> Mistake 1: ORM in the Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// BAD — The waiter is cooking!</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UsersController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">prisma</span><span class="p">:</span> <span class="nx">PrismaService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Why is this bad? Because now your controller knows about Prisma, about your database schema, about how data is stored. If you need that same query in a background job or a WebSocket handler, you can't reuse it it's trapped in an HTTP endpoint.</p> <h3> Mistake 2: Business Logic in the Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// BAD — The waiter is deciding the recipe!</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">orders</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OrdersController</span> <span class="p">{</span> <span class="p">@</span><span class="nd">Post</span><span class="p">()</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateOrderDto</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">product</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="p">{</span> <span class="na">in</span><span class="p">:</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">productIds</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">let</span> <span class="nx">total</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">item</span> <span class="k">of</span> <span class="nx">items</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">stock</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">item</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> is out of stock`</span><span class="p">);</span> <span class="p">}</span> <span class="nx">total</span> <span class="o">+=</span> <span class="nx">item</span><span class="p">.</span><span class="nx">price</span> <span class="o">*</span> <span class="nx">dto</span><span class="p">.</span><span class="nx">quantities</span><span class="p">[</span><span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">];</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">total</span> <span class="o">&gt;</span> <span class="mi">10000</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// send approval email</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">mailer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">dto</span><span class="p">.</span><span class="nx">managerEmail</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Approval needed</span><span class="dl">'</span><span class="p">,</span> <span class="p">...);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">order</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">total</span><span class="p">,</span> <span class="na">items</span><span class="p">:</span> <span class="p">...</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This handler is doing <em>everything</em> — fetching products, checking stock, calculating totals, sending emails, creating the order. Long story short, it's a mess. You can't test the business logic without making HTTP requests. You can't reuse the stock check from another part of your app.</p> <h3> Mistake 3: Repository in the Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// BAD — The waiter is going to the warehouse!</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">UsersController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">usersRepository</span><span class="p">:</span> <span class="nx">UsersRepository</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">:id</span><span class="dl">'</span><span class="p">)</span> <span class="nf">findOne</span><span class="p">(@</span><span class="nd">Param</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">)</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This one is more subtle. You have a proper repository, which is good! But the controller is calling it directly, skipping the service layer. Today it's a simple <code>find-by-id</code>, but tomorrow someone adds authorization logic directly in the controller because "there's no service to put it in."</p> <h2> Enforcing It </h2> <p>Knowing the pattern is one thing. Making sure your entire team follows it — especially under deadline pressure — is another. This is where <strong>nestjs-doctor</strong> comes in.</p> <h3> Install and Run </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">--save-dev</span> nestjs-doctor npx nestjs-doctor </code></pre> </div> <p>You'll see something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 82 / 100 Good ✗ Controller 'OrdersController' injects ORM service 'PrismaService' directly. (2) Inject a service that wraps the ORM instead of using it in controllers. ✗ Controller 'OrdersController' contains business logic: found loop and 3 branches. (1) Extract branches, loops, and complex calculations into a service method. ⚠ Constructor parameter 'prismaService' should be readonly. (5) Add the 'readonly' modifier to the constructor parameter. </code></pre> </div> <h2> Custom Rules </h2> <p>A custom rule is a <code>.ts</code> file with two parts: <code>meta</code> (what the rule is) and <code>check</code> (what it detects). Let's create one.</p> <h3> Example: Services Must End With "Service" </h3> <p>Maybe your team requires consistent naming — all <code>@Injectable()</code> classes in the service layer should end with <code>Service</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// nestjs-doctor-rules/require-service-suffix.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">requireServiceSuffix</span> <span class="o">=</span> <span class="p">{</span> <span class="na">meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">require-service-suffix</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Injectable classes that are not repositories must end with 'Service'</span><span class="dl">"</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Rename the class to end with 'Service' (e.g., UsersService).</span><span class="dl">"</span><span class="p">,</span> <span class="na">category</span><span class="p">:</span> <span class="dl">"</span><span class="s2">architecture</span><span class="dl">"</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">warning</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="nf">check</span><span class="p">(</span><span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">cls</span> <span class="k">of</span> <span class="nx">context</span><span class="p">.</span><span class="nx">sourceFile</span><span class="p">.</span><span class="nf">getClasses</span><span class="p">())</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">cls</span><span class="p">.</span><span class="nf">getDecorator</span><span class="p">(</span><span class="dl">"</span><span class="s2">Injectable</span><span class="dl">"</span><span class="p">))</span> <span class="k">continue</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">cls</span><span class="p">.</span><span class="nf">getName</span><span class="p">()</span> <span class="o">??</span> <span class="dl">""</span><span class="p">;</span> <span class="c1">// Skip repositories, guards, pipes, filters, interceptors</span> <span class="k">if </span><span class="p">(</span><span class="sr">/Repository|Repo|Guard|Pipe|Filter|Interceptor|Gateway|Resolver/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">name</span><span class="p">))</span> <span class="k">continue</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Service</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">context</span><span class="p">.</span><span class="nf">report</span><span class="p">({</span> <span class="na">filePath</span><span class="p">:</span> <span class="nx">context</span><span class="p">.</span><span class="nx">filePath</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Injectable '</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">' should end with 'Service'.`</span><span class="p">,</span> <span class="na">line</span><span class="p">:</span> <span class="nx">cls</span><span class="p">.</span><span class="nf">getStartLineNumber</span><span class="p">(),</span> <span class="na">column</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h3> Example: Repositories Must Not Import Other Repositories </h3> <p>In a clean architecture, repositories are independent data access objects. They shouldn't depend on each other — that kind of orchestration belongs in the service layer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// nestjs-doctor-rules/no-cross-repository-imports.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">noCrossRepositoryImports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-cross-repository-imports</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Repositories must not inject other repositories</span><span class="dl">"</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Move the cross-repository logic to a service that orchestrates both.</span><span class="dl">"</span><span class="p">,</span> <span class="na">category</span><span class="p">:</span> <span class="dl">"</span><span class="s2">architecture</span><span class="dl">"</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="nf">check</span><span class="p">(</span><span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">cls</span> <span class="k">of</span> <span class="nx">context</span><span class="p">.</span><span class="nx">sourceFile</span><span class="p">.</span><span class="nf">getClasses</span><span class="p">())</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">cls</span><span class="p">.</span><span class="nf">getName</span><span class="p">()</span> <span class="o">??</span> <span class="dl">""</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Repository</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Repo</span><span class="dl">"</span><span class="p">))</span> <span class="k">continue</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ctor</span> <span class="o">=</span> <span class="nx">cls</span><span class="p">.</span><span class="nf">getConstructors</span><span class="p">()[</span><span class="mi">0</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ctor</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">param</span> <span class="k">of</span> <span class="nx">ctor</span><span class="p">.</span><span class="nf">getParameters</span><span class="p">())</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">typeName</span> <span class="o">=</span> <span class="nx">param</span><span class="p">.</span><span class="nf">getTypeNode</span><span class="p">()?.</span><span class="nf">getText</span><span class="p">()</span> <span class="o">??</span> <span class="dl">""</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">typeName</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Repository</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="nx">typeName</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">Repo</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">context</span><span class="p">.</span><span class="nf">report</span><span class="p">({</span> <span class="na">filePath</span><span class="p">:</span> <span class="nx">context</span><span class="p">.</span><span class="nx">filePath</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Repository '</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">' injects '</span><span class="p">${</span><span class="nx">typeName</span><span class="p">}</span><span class="s2">' — repositories should not depend on each other.`</span><span class="p">,</span> <span class="na">line</span><span class="p">:</span> <span class="nx">param</span><span class="p">.</span><span class="nf">getStartLineNumber</span><span class="p">(),</span> <span class="na">column</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h3> Example: Flag God Services (Too Many Dependencies) </h3> <p>A service with 10 dependencies is probably doing too much. This rule uses <strong>project scope</strong> to access the full provider map:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// nestjs-doctor-rules/no-god-services.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">noGodServices</span> <span class="o">=</span> <span class="p">{</span> <span class="na">meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-god-services</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Services with too many dependencies should be split</span><span class="dl">"</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Extract related dependencies into smaller, focused services.</span><span class="dl">"</span><span class="p">,</span> <span class="na">category</span><span class="p">:</span> <span class="dl">"</span><span class="s2">architecture</span><span class="dl">"</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">warning</span><span class="dl">"</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">project</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="nf">check</span><span class="p">(</span><span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">MAX</span> <span class="o">=</span> <span class="mi">8</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">name</span><span class="p">,</span> <span class="nx">provider</span><span class="p">]</span> <span class="k">of</span> <span class="nx">context</span><span class="p">.</span><span class="nx">providers</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">provider</span><span class="p">.</span><span class="nx">dependencies</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">MAX</span><span class="p">)</span> <span class="p">{</span> <span class="nx">context</span><span class="p">.</span><span class="nf">report</span><span class="p">({</span> <span class="na">filePath</span><span class="p">:</span> <span class="nx">provider</span><span class="p">.</span><span class="nx">filePath</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`'</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">' has </span><span class="p">${</span><span class="nx">provider</span><span class="p">.</span><span class="nx">dependencies</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> dependencies (max </span><span class="p">${</span><span class="nx">MAX</span><span class="p">}</span><span class="s2">).`</span><span class="p">,</span> <span class="na">line</span><span class="p">:</span> <span class="nx">provider</span><span class="p">.</span><span class="nx">classDeclaration</span><span class="p">.</span><span class="nf">getStartLineNumber</span><span class="p">(),</span> <span class="na">column</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h3> Wiring Custom Rules </h3> <p>Tell nestjs-doctor where to find them. In your <code>nestjs-doctor.config.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"customRulesDir"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./nestjs-doctor-rules"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Run again and your rules show up with a <code>custom/</code> prefix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠ Injectable 'UserHelper' should end with 'Service'. (1) ✗ Repository 'OrdersRepository' injects 'UsersRepository'. (1) </code></pre> </div> <h2> The Shortcut — Let AI Write the Rules For You </h2> <p>I know what you might be thinking — "I don't want to learn the ts-morph AST API just to write a linting rule." Fair enough. Here's the thing: you don't have to.</p> <p>If you use an AI coding agent — Claude Code, Cursor, Windsurf, Codex, Gemini CLI, or others — you can install a <strong>skill</strong> that generates custom rules from plain English:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx nestjs-doctor <span class="nt">--init</span> </code></pre> </div> <p>This installs two skills into your agent. The one we care about is <code>/nestjs-doctor-create-rule</code>. Now just describe what you want:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/nestjs-doctor-create-rule repositories must not inject other repositories </code></pre> </div> <p>The agent will assess feasibility, generate the rule file, create the directory, update your config, and verify it loads. All from a single prompt.</p> <p>Here are some more prompts you can try:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/nestjs-doctor-create-rule every controller must have @ApiTags <span class="k">for </span>swagger docs /nestjs-doctor-create-rule services should not have more than 8 constructor dependencies /nestjs-doctor-create-rule ban imports from <span class="s2">"moment"</span> — suggest dayjs instead /nestjs-doctor-create-rule POST and PUT handlers must use @UsePipes<span class="o">(</span>ValidationPipe<span class="o">)</span> /nestjs-doctor-create-rule flag injectable classes that don<span class="s1">'t follow the naming convention </span></code></pre> </div> <p>The skill knows the full custom rule API — what fields <code>meta</code> needs, how <code>context.sourceFile</code> works, when to use <code>scope: "project"</code> for cross-file analysis, and all the validation requirements. It handles the boilerplate so you focus on <em>what</em> to enforce, not <em>how</em> to traverse an AST.</p> <h2> Adding It to CI </h2> <p>Once your rules are in place — both built-in and custom — add nestjs-doctor to your CI pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx nestjs-doctor <span class="nt">--min-score</span> 85 </code></pre> </div> <p>The <code>--min-score</code> flag makes the command exit with a non-zero code if the health score drops below 85. PRs that break the architecture get blocked before they're merged. No more "I'll fix it later."</p> <h2> Sum Up </h2> <p>The <code>Controller-Service-Repository</code> pattern is simple to understand but hard to maintain across a team. Let's recap:</p> <ul> <li> <strong>Controllers</strong> are waiters — they take orders and deliver responses. No cooking (business logic), no warehouse trips (database queries).</li> <li> <strong>Services</strong> are chefs — they apply the recipes (business rules). They don't talk to customers (HTTP) or manage storage (database) directly.</li> <li> <strong>Repositories</strong> are warehouse managers — they handle data storage. They don't depend on each other.</li> <li> <strong>nestjs-doctor</strong> enforces these layers automatically with built-in rules for the common violations.</li> <li> <strong>Custom rules</strong> let you encode your team's specific conventions — naming, dependency limits, import restrictions — in code that runs on every scan.</li> <li> <strong>AI skills</strong> let you generate those custom rules from plain-English prompts, so you don't need to learn the AST API.</li> </ul> <p>There is no silver bullet, but having automated checks that block architectural violations in CI is the closest thing. Architecture decisions that live only in documentation will be violated. Architecture decisions enforced by tooling won't.</p> <h2> Resources </h2> <ul> <li> <strong>[Implementation]</strong> <a href="https://github.com/RoloBits/nestjs-doctor" rel="noopener noreferrer">https://github.com/RoloBits/nestjs-doctor</a> </li> <li> <strong>[Docs]</strong> Custom Rules: <a href="https://nestjs.doctor/docs/custom-rules" rel="noopener noreferrer">https://nestjs.doctor/docs/custom-rules</a> </li> </ul> nestjs backend typescript node Your Phone Already Has the Hardware to Prove a Photo Is Real. Nothing Uses It. Francisco López Mon, 16 Feb 2026 18:22:01 +0000 https://forem.com/franciscuo/your-phone-already-has-the-hardware-to-prove-a-photo-is-real-nothing-uses-it-3ik6 https://forem.com/franciscuo/your-phone-already-has-the-hardware-to-prove-a-photo-is-real-nothing-uses-it-3ik6 <h2> Your Phone Already Has the Hardware to Prove a Photo Is Real. Nothing Uses It. </h2> <p><code>#opensource</code> <code>#mobile</code> <code>#security</code> <code>#reactnative</code></p> <h2> The Problem Is Already Here </h2> <p>In 2025 Adobe's Content Authenticity Initiative reported that <strong>97% of organizations</strong> have encountered AI-generated content being used against them. Deepfakes, synthetic product photos, fabricated evidence.</p> <p>Meanwhile every phone in your pocket has a tamper-resistant cryptographic chip sitting idle. Secure Enclave on iOS. StrongBox or TEE on Android. Hardware designed to sign things in a way that can't be extracted or faked.</p> <p>Nobody is connecting these two facts.</p> <h2> C2PA: The Standard Nobody Talks About </h2> <p>C2PA is an open standard from Adobe, Microsoft, Intel and others. It works like HTTPS but for media files. A cryptographic manifest gets embedded directly into the JPEG containing:</p> <ul> <li>What device captured it</li> <li>When and where</li> <li>Every edit made after capture</li> <li>A signature that breaks if a single pixel changes</li> </ul> <p>Leica, Sony and Nikon already ship C2PA in some cameras. But on mobile, where 90%+ of photos are taken? Almost nothing.</p> <h2> Enter <code>attestation-photo-mobile</code> </h2> <p>I built <strong><a href="https://github.com/RoloBits/attestation-photo-mobile" rel="noopener noreferrer"><code>attestation-photo-mobile</code></a></strong> to close that gap.</p> <p>It's a React Native package. You bring your own camera lib, take a photo, and pass the path. The package does the rest: hashes the image, signs it with hardware-backed keys, and embeds a full C2PA manifest before the file ever touches disk.</p> <h3> How It Works </h3> <p>The architecture has three layers:</p> <ol> <li> <strong>Native layer (Swift/Kotlin):</strong> Handles hardware keystore access. Provisions an ECDSA P-256 key inside Secure Enclave or StrongBox. This key never leaves the hardware.</li> <li> <strong>Rust layer (c2pa-rs):</strong> Builds the JUMBF manifest, computes the asset hash, constructs the C2PA claim. I tried doing this in pure JS first. Don't.</li> <li> <strong>React Native bridge:</strong> Exposes a single <code>signPhoto(path)</code> function and a <code>useAttestedCapture</code> hook that handles key provisioning, location prefetch, and error wrapping.</li> </ol> <h3> Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useAttestedCapture</span><span class="p">,</span> <span class="nx">saveToGallery</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@rolobits/attestation-photo-mobile</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">CaptureScreen</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">signPhoto</span><span class="p">,</span> <span class="nx">isReady</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAttestedCapture</span><span class="p">({</span> <span class="na">includeLocation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">appName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">My App</span><span class="dl">"</span><span class="p">,</span> <span class="na">nonce</span><span class="p">:</span> <span class="dl">"</span><span class="s2">server-challenge-token</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">onCapture</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">photoPath</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Sign and embed C2PA manifest</span> <span class="kd">const</span> <span class="nx">signed</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">signPhoto</span><span class="p">(</span><span class="nx">photoPath</span><span class="p">);</span> <span class="c1">// signed.trustLevel -&gt; "secure_enclave" | "strongbox" | "tee"</span> <span class="c1">// signed.embeddedManifest -&gt; true</span> <span class="c1">// signed.signature -&gt; SHA-256 hex of original asset</span> <span class="k">await</span> <span class="nf">saveToGallery</span><span class="p">({</span> <span class="na">filePath</span><span class="p">:</span> <span class="nx">signed</span><span class="p">.</span><span class="nx">path</span> <span class="p">});</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The output JPEG can be verified with any C2PA tool. Upload it to <a href="https://verify.contentauthenticity.org" rel="noopener noreferrer">verify.contentauthenticity.org</a> or run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cargo <span class="nb">install </span>c2patool c2patool verify output.jpg </code></pre> </div> <h3> What Gets Blocked </h3> <p>The SDK runs device integrity checks before signing. Jailbroken or rooted devices get <code>E_COMPROMISED_DEVICE</code>. No Secure Enclave or StrongBox? <code>E_NO_TRUSTED_HARDWARE</code>. You can control this with <code>requireTrustedHardware: true|false</code>.</p> <h2> Where This Actually Matters </h2> <p>This isn't a solution looking for a problem. These are scenarios where someone has a financial incentive to submit fake photos:</p> <ul> <li> <strong>Insurance claims:</strong> Snap damage photos in-app. Each one is hardware-signed with device, location, timestamp. The adjuster's backend verifies the manifest automatically.</li> <li> <strong>Marketplace listings:</strong> Verified photos for cars, real estate, rentals. Buyers know the images aren't AI-generated or recycled from 2019.</li> <li> <strong>Field inspections:</strong> Construction sites, equipment audits. Timestamped proof of conditions for compliance.</li> <li> <strong>KYC:</strong> Selfie-based identity verification where the photo is provably from a real device, not a generated face fed through a virtual camera.</li> </ul> <p>This is a v1. Here's what's missing:</p> <ul> <li> <strong>Self-signed certificates.</strong> The signing key has no CA chain. Verifiers will show a valid signature but "unknown signer." This means tamper detection works today but attribution doesn't. CA integration is the next priority.</li> </ul> <p>👉 <strong><a href="https://github.com/RoloBits/attestation-photo-mobile" rel="noopener noreferrer">GitHub: RoloBits/attestation-photo-mobile</a></strong></p> opensource reactnative mobile security Stop Using CAPTCHA. Start Measuring Entropy. Francisco López Mon, 09 Feb 2026 00:26:05 +0000 https://forem.com/franciscuo/stop-using-captcha-start-measuring-entropy-5hj6 https://forem.com/franciscuo/stop-using-captcha-start-measuring-entropy-5hj6 <h2> Stop Using CAPTCHA. Start Measuring Entropy. </h2> <p>In late 2024, researchers at ETH Zurich quietly published an obituary for the web as we know it. They didn't call it that, of course. They called it <em>"Breaking reCAPTCHAv2."</em></p> <p>Their findings were stark: modern AI models (specifically YOLO-based vision models) can now solve Google's image CAPTCHAs with <strong>100% accuracy</strong>.</p> <p>Read that again. <strong>100%.</strong></p> <p>The Turing Test hasn't just been passed; it’s been automated, containerized, and scaled. The "I am not a robot" checkbox is now effectively a "Welcome" mat for bots.</p> <p>According to the <strong>2025 Imperva Bad Bot Report</strong>, automated traffic has officially surpassed human traffic, accounting for <strong>51% of all internet activity</strong>. We are effectively the minority on our own network.</p> <p>If we want to save the web from becoming a "Dead Internet" of bots talking to bots, we need to stop asking users to identify traffic lights and start listening to their heartbeat.</p> <h2> The Hypothesis: Identity vs. Humanity </h2> <p>The current knee-jerk reaction is "Proof of Personhood" (scanning your ID or face to use the web). I believe this is a dystopian overcorrection.</p> <p>We don't need to know <em>who</em> you are (Identity). We just need to know <em>what</em> you are (Biology).</p> <ul> <li> <strong>Identity</strong> is static data (Names, IDs).</li> <li> <strong>Humanity</strong> is dynamic behavior (Reaction times, hesitation, errors).</li> </ul> <p>Humans are messy. We are beautifully, consistently imperfect. When you type, you don't hit keys at a perfect 150ms interval. You "rollover" keys. You pause to think. You speed up on common bigrams like "th" or "er."</p> <p>This is your <strong>Keystroke Dynamics</strong> signature. It is a behavioral biometric that is incredibly hard for bots to fake convincingly without slowing them down to useless human speeds.</p> <h2> Enter <code>isHumanCadence</code> </h2> <p>I built <strong><a href="https://github.com/RoloBits/isHumanCadence" rel="noopener noreferrer"><code>isHumanCadence</code></a></strong> as a Proof of Concept (PoC) to test this hypothesis.</p> <p>It is a lightweight, privacy-focused library that analyzes the <em>timing</em> of keystrokes—not the content. It runs entirely in the browser, sends no data to a server, and doesn't know <em>what</em> you typed, only <em>how</em> you typed it.</p> <h3> How It Works (The Technical Deep Dive) </h3> <p>Bots are deterministic. Even when programmed with <code>Math.random()</code> delays, they tend to follow a uniform or Gaussian distribution that is statistically "too clean."</p> <p><code>isHumanCadence</code> measures four primary biological constraints:</p> <ol> <li> <strong>Dwell Time:</strong> The duration a key is physically depressed. Humans rarely tap keys for exactly 50ms every time.</li> <li> <strong>Flight Time:</strong> The time between releasing one key and pressing the next.</li> <li> <strong>Rollover Rate:</strong> The overlap where Key B is pressed <em>before</em> Key A is released. This is a high-signal human trait; simple bots often type strictly sequentially (Key A down -&gt; Key A up -&gt; Key B down).</li> <li> <strong>Entropy:</strong> The statistical variance of the timing deltas.</li> </ol> <h3> The "Secret Sauce": Hysteresis </h3> <p>One major challenge with heuristic analysis is "flickering." A user might type one word rhythmically (High Human Score) and then pause abruptly to think (Score drops). You don't want the UI to flash "BOT DETECTED" instantly.</p> <p>I implemented a <strong>Schmitt Trigger</strong> (Hysteresis) to stabilize the classification. We use different thresholds for entering and exiting states:</p> <ul> <li> <strong>To become Human:</strong> Score must exceed <code>0.70</code>.</li> <li> <strong>To drop to Unknown:</strong> Score must fall below <code>0.60</code>.</li> <li> <strong>To become Bot:</strong> Score must fall below <code>0.35</code>.</li> </ul> <p>This creates a "dead zone" where the state remains stable, preventing false positives during natural cognitive pauses.</p> <h2> Implementation </h2> <p>The library attaches non-intrusive listeners to the target input field. It uses <code>performance.now()</code> for sub-millisecond precision.</p> <p><strong>1. Install the package:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @rolobits/is-human-cadence </code></pre> </div> <p><strong>2. Attach it to an input:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createCadence</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@rolobits/is-human-cadence</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Select any textarea or input on your page</span> <span class="c1">// We use a broad selector here to ensure we find *something*</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">textarea, input</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cadence</span> <span class="o">=</span> <span class="nf">createCadence</span><span class="p">(</span><span class="nx">input</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Wait for 20 keystrokes before making a confident judgment</span> <span class="na">minSamples</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">onScore</span><span class="p">:</span> <span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Score: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">score</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// 0.0 (Bot) -&gt; 1.0 (Human)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Status: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">classification</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// 'bot' | 'human' | 'unknown'</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Start listening</span> <span class="nx">cadence</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">isHumanCadence: Listening for keystrokes...</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">"</span><span class="s2">isHumanCadence: No input element found on this page.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> The Reality Check: A Proof of Concept </h2> <p>Right now, this library detects standard scripts and even sophisticated bots using randomized delays. But "Generative Keystrokes" are the next frontier. Eventually, AI agents will be trained on massive datasets of human typing patterns to spoof these very metrics. They will learn to "stumble" on purpose.</p> <p>Furthermore, <strong>client-side security is inherently trustless.</strong> If the browser can measure it, a determined attacker can eventually spoof the environment to fake it.</p> <p>This package is not a silver bullet. It is a conversation starter. </p> <h2> Join </h2> <p>The web is drowning in AI noise. If we want to keep a space for human connection, we need to build filters that recognize us not by our passwords, but by our rhythm.</p> <p>👉 <strong><a href="https://github.com/RoloBits/isHumanCadence" rel="noopener noreferrer">GitHub: RoloBits/isHumanCadence</a></strong></p> ai webdev tutorial opensource