Add submodule for private risk engine and refactor risk score calculations

- Introduced a new submodule for the private risk engine, allowing dynamic loading of risk assessment logic.
- Refactored risk score calculations in `risk-scores.tsx` to improve clarity and maintainability, including the addition of new types for risk assessment.
- Updated `sign-up-heuristics.tsx` to create neutral heuristic facts, simplifying the handling of sign-up data.
- Enhanced test cases to validate new risk score behaviors and ensure robust functionality across sign-up processes.

Author: mantrakp04

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "packages/private"]
+	path = packages/private
+	url = https://github.com/stack-auth/private.git

apps/backend/src/lib/risk-scores.tsx

@@ -1,26 +1,3 @@
-import { isIpAddress } from "@stackframe/stack-shared/dist/utils/ips";
-import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
-import { normalizeEmail } from "./emails";
-
-type EmailProviderRule = {
-  canonicalDomain: string,
-  stripPlusTag: boolean,
-  stripDots: boolean,
-};
-
-const emailProviderRules = new Map<string, EmailProviderRule>([
-  ["gmail.com", { canonicalDomain: "gmail.com", stripPlusTag: true, stripDots: true }],
-  ["googlemail.com", { canonicalDomain: "gmail.com", stripPlusTag: true, stripDots: true }],
-  ["outlook.com", { canonicalDomain: "outlook.com", stripPlusTag: true, stripDots: false }],
-  ["hotmail.com", { canonicalDomain: "hotmail.com", stripPlusTag: true, stripDots: false }],
-  ["live.com", { canonicalDomain: "live.com", stripPlusTag: true, stripDots: false }],
-  ["msn.com", { canonicalDomain: "msn.com", stripPlusTag: true, stripDots: false }],
-  ["icloud.com", { canonicalDomain: "icloud.com", stripPlusTag: true, stripDots: false }],
-  ["me.com", { canonicalDomain: "icloud.com", stripPlusTag: true, stripDots: false }],
-  ["mac.com", { canonicalDomain: "icloud.com", stripPlusTag: true, stripDots: false }],
-  ["fastmail.com", { canonicalDomain: "fastmail.com", stripPlusTag: true, stripDots: false }],
-]);
-
 export type DerivedSignUpHeuristicFacts = {
   signUpAt: Date,
   signUpIp: string | null,
@@ -31,181 +8,28 @@ export type DerivedSignUpHeuristicFacts = {
   emailBase: string | null,
 };
 
-export function normalizeSignUpHeuristicIp(ipAddress: string | null): string | null {
-  if (ipAddress == null) {
-    return null;
-  }
-
-  const normalized = ipAddress.trim().toLowerCase();
-  if (!isIpAddress(normalized)) {
-    throw new StackAssertionError("Expected sign-up heuristic IP address to already be valid", { ipAddress });
-  }
-
-  return normalized;
-}
-
-function normalizeEmailParts(primaryEmail: string | null): { localPart: string, domain: string } | null {
-  if (primaryEmail == null) {
-    return null;
-  }
-
-  const normalized = normalizeEmail(primaryEmail);
-  const atIndex = normalized.indexOf("@");
-  if (atIndex < 0) {
-    throw new StackAssertionError("normalizeEmail returned an invalid address shape", { primaryEmail, normalized });
-  }
-  const localPart = normalized.slice(0, atIndex);
-  const domain = normalized.slice(atIndex + 1);
-
-  return { localPart, domain };
-}
-
-export function normalizeEmailForSignUpHeuristics(primaryEmail: string | null): string | null {
-  const parts = normalizeEmailParts(primaryEmail);
-  if (parts == null) {
-    return null;
-  }
-
-  const providerRule = emailProviderRules.get(parts.domain);
-  const canonicalDomain = providerRule?.canonicalDomain ?? parts.domain;
-
-  let canonicalLocalPart = parts.localPart;
-  if (providerRule?.stripPlusTag) {
-    canonicalLocalPart = canonicalLocalPart.split("+")[0] ?? canonicalLocalPart;
-  }
-  if (providerRule?.stripDots) {
-    canonicalLocalPart = canonicalLocalPart.replace(/\./g, "");
-  }
-
-  return `${canonicalLocalPart}@${canonicalDomain}`;
-}
-
-export function getBaseEmailForSignUpHeuristics(primaryEmail: string | null): string | null {
-  const parts = normalizeEmailParts(primaryEmail);
-  if (parts == null) {
-    return null;
-  }
-
-  const canonicalDomain = emailProviderRules.get(parts.domain)?.canonicalDomain ?? parts.domain;
-  const dealiased = parts.localPart.replace(/\+.*$/, "");
-  const base = dealiased
-    .replace(/[._-]+/g, "-")       // normalize separators to a single dash
-    .replace(/(-\d+)+$/, "")       // strip trailing -N segments (e.g. alice-12-34 → alice)
-    .replace(/\d+$/, "")           // strip remaining bare trailing digits (e.g. alice123 → alice)
-    .replace(/(^-|-$)/g, "");      // trim leading/trailing dashes
-
-  return `${base || dealiased || parts.localPart}@${canonicalDomain}`;
-}
-
-export function deriveSignUpHeuristicFacts(params: {
-  primaryEmail: string | null,
-  ipAddress: string | null,
-  ipTrusted: boolean | null,
-  recordedAt?: Date,
-}): DerivedSignUpHeuristicFacts {
-  const recordedAt = params.recordedAt ?? new Date();
-  const normalizedIp = normalizeSignUpHeuristicIp(params.ipAddress);
-  const emailNormalized = normalizeEmailForSignUpHeuristics(params.primaryEmail);
-  const emailBase = getBaseEmailForSignUpHeuristics(params.primaryEmail);
-
+export function createNeutralSignUpHeuristicFacts(recordedAt: Date = new Date()): DerivedSignUpHeuristicFacts {
   return {
     signUpAt: recordedAt,
-    signUpIp: normalizedIp,
-    signUpIpTrusted: normalizedIp == null ? null : params.ipTrusted,
-    signUpEmailNormalized: emailNormalized,
-    signUpEmailBase: emailBase,
-    emailNormalized,
-    emailBase,
+    signUpIp: null,
+    signUpIpTrusted: null,
+    signUpEmailNormalized: null,
+    signUpEmailBase: null,
+    emailNormalized: null,
+    emailBase: null,
   };
 }
 
-import.meta.vitest?.test("normalizeEmailForSignUpHeuristics(...)", ({ expect }) => {
-  const localPartCases = [
-    { localPart: "Example.Test+123", expectedByDomain: new Map([
-      ["googlemail.com", "exampletest@gmail.com"],
-      ["gmail.com", "exampletest@gmail.com"],
-      ["outlook.com", "example.test@outlook.com"],
-      ["example.com", "example.test+123@example.com"],
-    ]) },
-    { localPart: "Jane.Doe", expectedByDomain: new Map([
-      ["googlemail.com", "janedoe@gmail.com"],
-      ["gmail.com", "janedoe@gmail.com"],
-      ["outlook.com", "jane.doe@outlook.com"],
-      ["example.com", "jane.doe@example.com"],
-    ]) },
-  ];
-
-  for (const localPartCase of localPartCases) {
-    for (const [domain, expected] of localPartCase.expectedByDomain) {
-      expect(normalizeEmailForSignUpHeuristics(`${localPartCase.localPart}@${domain}`)).toBe(expected);
-    }
-  }
-
-  expect(normalizeEmailForSignUpHeuristics(null)).toBeNull();
-});
-
-import.meta.vitest?.test("getBaseEmailForSignUpHeuristics(...)", ({ expect }) => {
-  const baseLocalPart = "alice";
-  const noisySuffixes = ["+1", "+2", "-3", "_004", ".005", "--006"];
-  for (const suffix of noisySuffixes) {
-    expect(getBaseEmailForSignUpHeuristics(`${baseLocalPart}${suffix}@example.com`)).toBe("alice@example.com");
-  }
-
-  // Plus aliases are stripped regardless of content (not just numeric suffixes)
-  const plusAliasCases = ["alice+sales@example.com", "alice+team@example.com", "alice+abc123@example.com"];
-  for (const plusAliasCase of plusAliasCases) {
-    expect(getBaseEmailForSignUpHeuristics(plusAliasCase)).toBe("alice@example.com");
-  }
-
-  // Turnstile demo pattern: random hex plus tags all map to the same base
-  const demoEmails = ["turnstile-demo+a1b2c3d4@example.com", "turnstile-demo+e5f6a7b8@example.com"];
-  for (const demoEmail of demoEmails) {
-    expect(getBaseEmailForSignUpHeuristics(demoEmail)).toBe("turnstile-demo@example.com");
-  }
+import.meta.vitest?.test("createNeutralSignUpHeuristicFacts(...)", ({ expect }) => {
+  const recordedAt = new Date("2026-03-11T00:00:00.000Z");
 
-  // Gmail plus aliases also map to the same base
-  expect(getBaseEmailForSignUpHeuristics("alice+1@gmail.com")).toBe("alice@gmail.com");
-  expect(getBaseEmailForSignUpHeuristics("alice+sales@gmail.com")).toBe("alice@gmail.com");
-});
-
-import.meta.vitest?.test("deriveSignUpHeuristicFacts(...)", ({ expect }) => {
-  const recordedAt = new Date("2026-03-10T00:00:00.000Z");
-  const cases = [
-    {
-      primaryEmail: "alice+1@example.com",
-      ipAddress: " 127.0.0.1 ",
-      ipTrusted: false,
-      expected: {
-        signUpIp: "127.0.0.1",
-        signUpIpTrusted: false,
-        signUpEmailNormalized: "alice+1@example.com",
-        signUpEmailBase: "alice@example.com",
-      },
-    },
-    {
-      primaryEmail: "Example.Test+123@googlemail.com",
-      ipAddress: null,
-      ipTrusted: true,
-      expected: {
-        signUpIp: null,
-        signUpIpTrusted: null,
-        signUpEmailNormalized: "exampletest@gmail.com",
-        signUpEmailBase: "example-test@gmail.com",
-      },
-    },
-  ];
-
-  for (const testCase of cases) {
-    expect(deriveSignUpHeuristicFacts({
-      primaryEmail: testCase.primaryEmail,
-      ipAddress: testCase.ipAddress,
-      ipTrusted: testCase.ipTrusted,
-      recordedAt,
-    })).toMatchObject({
-      signUpAt: recordedAt,
-      ...testCase.expected,
-      emailNormalized: testCase.expected.signUpEmailNormalized,
-      emailBase: testCase.expected.signUpEmailBase,
-    });
-  }
+  expect(createNeutralSignUpHeuristicFacts(recordedAt)).toEqual({
+    signUpAt: recordedAt,
+    signUpIp: null,
+    signUpIpTrusted: null,
+    signUpEmailNormalized: null,
+    signUpEmailBase: null,
+    emailNormalized: null,
+    emailBase: null,
+  });
 });

apps/backend/src/lib/sign-up-heuristics.tsx

@@ -1,12 +1,12 @@
 "use client";
 
-import { stackAppInternalsSymbol } from "@/lib/stack-app-internals";
 import { UserTable } from "@/components/data-table/user-table";
 import { ExportUsersDialog } from "@/components/export-users-dialog";
 import { StyledLink } from "@/components/link";
 import { Alert, Button, SimpleTooltip, Skeleton } from "@/components/ui";
-import { cn } from "@/lib/utils";
 import { UserDialog } from "@/components/user-dialog";
+import { stackAppInternalsSymbol } from "@/lib/stack-app-internals";
+import { cn } from "@/lib/utils";
 import { ArrowsClockwiseIcon, DownloadSimpleIcon } from "@phosphor-icons/react";
 import { runAsynchronously } from "@stackframe/stack-shared/dist/utils/promises";
 import { Suspense, useCallback, useState } from "react";

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/page-client.tsx

@@ -1,25 +1,18 @@
-import { riskScoreWeights } from "@stackframe/stack-shared/dist/utils/risk-score-weights";
 import { describe } from "vitest";
 import { it } from "../../../../../helpers";
 import { Project, backendContext, niceBackendFetch } from "../../../../backend-helpers";
 
-type ScorePair = {
-  bot: number,
-  free_trial_abuse: number,
-};
-
 const EMAILABLE_NOT_DELIVERABLE_TEST_DOMAIN = "emailable-not-deliverable.example.com";
 
-function sumScores(...contributions: ScorePair[]): ScorePair {
-  return {
-    bot: Math.min(100, contributions.reduce((score, contribution) => score + contribution.bot, 0)),
-    free_trial_abuse: Math.min(100, contributions.reduce((score, contribution) => score + contribution.free_trial_abuse, 0)),
-  };
+function expectValidRiskScores(expect: typeof import("vitest").expect, scores: { bot: number, free_trial_abuse: number }) {
+  expect(scores.bot).toBeGreaterThanOrEqual(0);
+  expect(scores.bot).toBeLessThanOrEqual(100);
+  expect(scores.free_trial_abuse).toBeGreaterThanOrEqual(0);
+  expect(scores.free_trial_abuse).toBeLessThanOrEqual(100);
+  expect(Number.isInteger(scores.bot)).toBe(true);
+  expect(Number.isInteger(scores.free_trial_abuse)).toBe(true);
 }
 
-const derivedTurnstileRiskScore = riskScoreWeights.turnstile;
-const derivedNonDeliverablePasswordRiskScore = sumScores(riskScoreWeights.emailable, riskScoreWeights.turnstile);
-
 describe("with admin access", () => {
   it("uses default action when no rules match", async ({ expect }) => {
     await Project.createAndSwitch({ config: {} });
@@ -113,7 +106,7 @@ describe("with admin access", () => {
         enabled: true,
         displayName: "Block high bot score",
         priority: 1,
-        condition: `riskScores.bot >= ${derivedNonDeliverablePasswordRiskScore.bot}`,
+        condition: "riskScores.bot >= 50",
         action: {
           type: "reject",
           message: "High bot risk",
@@ -153,15 +146,15 @@ describe("with admin access", () => {
     });
   });
 
-  it("derives risk score conditions from disposable-email heuristics", async ({ expect }) => {
+  it("returns derived risk_scores when no override is provided", async ({ expect }) => {
     await Project.createAndSwitch();
     backendContext.set({ ipData: undefined });
     await Project.updateConfig({
       "auth.signUpRules.block-high-bot-score": {
         enabled: true,
         displayName: "Block high bot score",
         priority: 1,
-        condition: `riskScores.bot >= ${derivedNonDeliverablePasswordRiskScore.bot}`,
+        condition: "riskScores.bot >= 1",
         action: {
           type: "reject",
           message: "High bot risk",
@@ -182,29 +175,22 @@ describe("with admin access", () => {
     });
 
     expect(response.status).toBe(200);
-    expect(response.body).toMatchObject({
-      context: {
-        risk_scores: {
-          ...derivedNonDeliverablePasswordRiskScore,
-        },
-      },
-      outcome: {
-        should_allow: false,
-        decision: "reject",
-        decision_rule_id: "block-high-bot-score",
-      },
+    expectValidRiskScores(expect, response.body.context.risk_scores);
+    expect(response.body.outcome).toMatchObject({
+      should_allow: response.body.context.risk_scores.bot >= 1 ? false : true,
+      decision: response.body.context.risk_scores.bot >= 1 ? "reject" : "default-allow",
     });
   });
 
-  it("derives risk score conditions from Turnstile overrides unless risk_scores are overridden", async ({ expect }) => {
+  it("uses derived risk_scores for turnstile input unless risk_scores are overridden", async ({ expect }) => {
     await Project.createAndSwitch();
     backendContext.set({ ipData: undefined });
     await Project.updateConfig({
       "auth.signUpRules.block-high-bot-score": {
         enabled: true,
         displayName: "Block high bot score",
         priority: 1,
-        condition: `riskScores.bot >= ${derivedTurnstileRiskScore.bot}`,
+        condition: "riskScores.bot >= 1",
         action: {
           type: "reject",
           message: "High bot risk",
@@ -226,19 +212,8 @@ describe("with admin access", () => {
     });
 
     expect(derivedResponse.status).toBe(200);
-    expect(derivedResponse.body).toMatchObject({
-      context: {
-        turnstile_result: "invalid",
-        risk_scores: {
-          ...derivedTurnstileRiskScore,
-        },
-      },
-      outcome: {
-        should_allow: false,
-        decision: "reject",
-        decision_rule_id: "block-high-bot-score",
-      },
-    });
+    expect(derivedResponse.body.context.turnstile_result).toBe("invalid");
+    expectValidRiskScores(expect, derivedResponse.body.context.risk_scores);
 
     const overriddenResponse = await niceBackendFetch("/api/v1/internal/sign-up-rules-test", {
       method: "POST",
@@ -250,8 +225,8 @@ describe("with admin access", () => {
         country_code: null,
         turnstile_result: "invalid",
         risk_scores: {
-          bot: 0,
-          free_trial_abuse: 0,
+          bot: 10,
+          free_trial_abuse: 10,
         },
       },
     });
@@ -261,13 +236,14 @@ describe("with admin access", () => {
       context: {
         turnstile_result: "invalid",
         risk_scores: {
-          bot: 0,
-          free_trial_abuse: 0,
+          bot: 10,
+          free_trial_abuse: 10,
         },
       },
       outcome: {
-        should_allow: true,
-        decision: "default-allow",
+        should_allow: false,
+        decision: "reject",
+        decision_rule_id: "block-high-bot-score",
       },
     });
   });