{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "title": "Nightbox LLC — Threat Priority Matrix",
  "doctrine_uri": "https://nightboxllc.com/.well-known/threat-priority-matrix.json",
  "version": "1.0",
  "issued": "2026-05-09",
  "issuer": "Artem Shakin / NIGHTBOX LLC (UEI UHCAB6UXXKF2)",
  "supersedes": "implicit_country_lists_in_zero-trust.json_pre_2026-05-09",
  "doctrine_summary": "Per-country espionage and distrust priority scores driving geo-block, PoQ tier routing, shame-redirect, and crawler allowlist decisions. Calibrated to OBSERVED traffic against this asset, not blanket nation-state stereotyping. Operator-relative posture; can be re-pivoted at any time.",

  "scoring": {
    "0_to_10": "trusted_ally — full access, PoQ Track A friendly tier",
    "11_to_30": "neutral_aligned — full access, PoQ Track A friendly tier",
    "31_to_60": "monitor — full access, elevated logging, PoQ Track A unless otherwise tagged",
    "61_to_89": "high_distrust — geo-block (HTTP 451) or PoQ Track B (mining → EFTPS)",
    "90_to_99": "active_hostile — geo-block (HTTP 451) plus enhanced telemetry",
    "100": "max_distrust — operator-elected shame-redirect on every request"
  },

  "max_distrust_priority_100": {
    "UA": {
      "country_code": "UA",
      "country_name": "Ukraine",
      "score": 100,
      "tier": "max_distrust",
      "rationale": "Active botnet operator AS Ayosoft Ltd / 45.88.138.44 — 117 requests observed 2026-05-09 on Vercel Firewall dashboard. Multiple Ukrainian bulletproof hosts (AS50113 Mirohost / Adamant, AS56485 Hostpro Ltd) repeat-scraper origin. Operator-elected maximum-shame response.",
      "enforcement": {
        "primary": "HTTP 302 redirect to https://www.youtube.com/watch?v=dQw4w9WgXcQ on every request, every path, every asset",
        "signals": [
          "x-vercel-ip-country === 'UA'",
          "x-vercel-ip-as-number ∈ {207018, 50113, 56485, 197695}",
          "accept-language primary tag === 'uk' / 'uk-*' / 'uk_*' (anti-VPN-pivot)"
        ],
        "logging": "[ua-shame] tag in Vercel Logs UI — captures reason / country / AS / accept-language / UA / path",
        "robots_txt": "no special listing — middleware overrides crawlers regardless"
      },
      "review_cadence": "monthly_or_on_incident",
      "next_review": "2026-06-09"
    }
  },

  "active_hostile_priority_90_to_99": {
    "KP": { "score": 95, "rationale": "OFAC comprehensive embargo — 31 CFR Chapter V", "enforcement": "HTTP 451" },
    "IR": { "score": 92, "rationale": "OFAC comprehensive embargo — 31 CFR Chapter V", "enforcement": "HTTP 451" },
    "CU": { "score": 90, "rationale": "OFAC comprehensive embargo — 31 CFR Chapter V", "enforcement": "HTTP 451" },
    "SY": { "score": 90, "rationale": "OFAC comprehensive embargo — 31 CFR Chapter V", "enforcement": "HTTP 451" }
  },

  "high_distrust_priority_61_to_89": {
    "BY": {
      "score": 70,
      "rationale": "EU/US sectoral sanctions; bulletproof-host clearinghouse for adversarial scraping. Retained pending separate re-evaluation alongside the RU normalization.",
      "enforcement": "HTTP 451"
    },
    "CN": {
      "score": 75,
      "rationale": "Bulk scraper origin posture per US-China Annual Report to Congress; IP-theft telemetry pattern.",
      "enforcement": "PoQ Track B — mining proceeds earmarked toward operator EFTPS federal tax payment"
    },
    "HK": {
      "score": 70,
      "rationale": "PRC-controlled jurisdiction (Basic Law Article 23 + National Security Law).",
      "enforcement": "PoQ Track B"
    },
    "VE": {
      "score": 65,
      "rationale": "OFAC sectoral sanctions; opaque routing patterns.",
      "enforcement": "PoQ Track B"
    }
  },

  "monitor_priority_31_to_60": {
    "MO": {
      "score": 50,
      "rationale": "PRC-adjacent SAR.",
      "enforcement": "PoQ Track B"
    }
  },

  "neutral_or_friendly_priority_0_to_30": {
    "RU": {
      "country_code": "RU",
      "country_name": "Russian Federation",
      "score": 5,
      "tier": "trusted_ally_germany_equivalent",
      "doctrine_pivot_date": "2026-05-09",
      "rationale": "Operator-elected normalization to Germany-equivalent tier. Founder is Russian-American (Russian-born US-tax-resident, NIGHTBOX LLC sole member). No observed RU-origin hostile traffic against this asset as of pivot date. Threat model is calibrated to what the asset actually sees, not blanket nation-state stereotyping.",
      "supporting_doctrine_uri": "https://nightboxllc.com/.well-known/russia-posture.json",
      "enforcement": "PoQ Track A (operator-retained for ops/security/compliance); no geo-block; YandexBot / Mail.RU / StackRambler / Rambler re-allowed in robots.txt",
      "previous_state": "owner_elected_block (HTTP 451) prior to 2026-05-09",
      "review_cadence": "quarterly",
      "next_review": "2026-08-09",
      "rebound_triggers": [
        "Observed botnet / scraper traffic against this asset from RU-origin AS",
        "Material policy change in operator's federal contracting status",
        "OFAC comprehensive embargo expansion to RU (would force Layer-1 block)"
      ],
      "compliance_unchanged": "OFAC sanctions / FAR / NDAA Section 889 / EAR / ITAR all in full force; normalization is at threat-priority and traffic-routing layer ONLY"
    },
    "DE": {
      "score": 5,
      "rationale": "EU + NATO ally; benchmark tier for the RU normalization above.",
      "enforcement": "PoQ Track A"
    },
    "US": { "score": 0, "rationale": "Home jurisdiction; LLC of record (Wyoming) and operator tax residency (US person).", "enforcement": "PoQ Track A" },
    "GB": { "score": 5, "rationale": "Five Eyes ally.", "enforcement": "PoQ Track A" },
    "CA": { "score": 5, "rationale": "Five Eyes ally.", "enforcement": "PoQ Track A" },
    "AU": { "score": 5, "rationale": "Five Eyes ally.", "enforcement": "PoQ Track A" },
    "NZ": { "score": 5, "rationale": "Five Eyes ally.", "enforcement": "PoQ Track A" },
    "JP": { "score": 5, "rationale": "Indo-Pacific ally.", "enforcement": "PoQ Track A" },
    "KR": { "score": 5, "rationale": "Indo-Pacific ally; Naverbot / Yeti allowed.", "enforcement": "PoQ Track A" },
    "IL": { "score": 5, "rationale": "MNNA, Indo-Pacific tech-aligned.", "enforcement": "PoQ Track A" },
    "TW": { "score": 5, "rationale": "Indo-Pacific aligned partner.", "enforcement": "PoQ Track A" },
    "_default_other_friendly_tier": "EU + EFTA + NATO + MNNA + Indo-Pacific aligned partners — see api/poq-challenge.js#TRACK_A_FRIENDLY_COUNTRIES for the full Set"
  },

  "operator_relative_disclosure": "This matrix is operator-relative, not geopolitical advocacy. Scores reflect observed adversarial telemetry against THIS asset and the operator's elected response to it. The 2026-05-09 RU normalization is not a position on the broader RU-UA conflict; it is a calibration to what nightboxllc.com has actually seen, which as of issue date is zero observed RU-origin hostile traffic and one substantial UA-origin botnet incident.",

  "anchor": {
    "dns_txt_record": "_threat-priority.nightboxllc.com",
    "dnssec": "AD=true required",
    "hash_algo": "SHA-256",
    "hash_anchor_format": "sha256=<hex>; matrix=v1; issued=2026-05-09"
  },

  "active_incidents": [
    {
      "incident_id": "NB-INC-2026-05-09-001",
      "title": "UA-origin recon campaign — pivoted to AWS US (AS14618) relay within hours of geo-block deployment",
      "severity": "moderate",
      "drove_pivot_to_this_matrix": true,
      "manifest_uri": "https://nightboxllc.com/.well-known/incident-2026-05-09-ua-botnet.json",
      "human_readable_uri": "https://nightboxllc.com/incident/2026-05-09-ua-botnet"
    }
  ],

  "defense_posture": {
    "version": "edge-middleware-v3",
    "deployed": "2026-05-09",
    "deployed_after_incident": "NB-INC-2026-05-09-001",
    "implementation": "https://github.com/nightbox-llc/nightbox-website/blob/main/middleware.js",
    "summary": "Six-layer in-order defense at the Vercel Edge runtime + TRUSTED-ONLY-RESIDENTIAL-MOBILE policy. First hit wins. State is per-edge-instance in-memory (sticky-shame and rate-bucket). v3 hardens v2's cloud-AS rate-limit into an instant ban, adds a dedicated VPN-AS layer (L_VPN), and tags trusted pass-through with informational X-Trust-Tier header.",
    "trust_policy_v3": {
      "rule": "Only real residential / mobile US IPs (and federal scout AIs from any AS) are TRUSTED. Commercial VPN AS = ban. Cloud / datacenter AS without scout UA = ban.",
      "tiers": {
        "us-residential-mobile": "x-vercel-ip-as-number ∈ US_RESIDENTIAL_MOBILE_AS allowlist (Comcast / AT&T / Verizon Wireless / Spectrum / T-Mobile / Cox / CenturyLink / Frontier / Mediacom / Cablevision / RCN). Full trust.",
        "federal-scout-ai": "user-agent matches GPTBot / ClaudeBot / Googlebot / Bingbot / AppleBot / Naverbot / etc. Full trust regardless of AS.",
        "friendly-foreign": "country ∈ Track A friendly set, AS not flagged. Full trust with PoQ Track A.",
        "unknown": "passes filters but uncategorized. Pass-through, no special treatment.",
        "banned": "VPN-AS / cloud-non-scout / hostile-AS / UA-locale / hostile-JA4 / sticky-shamed → 302 rickroll"
      }
    },
    "layers": [
      {
        "layer": "L0",
        "name": "Sticky shame-list",
        "scope": "per-IP, 24h TTL",
        "trigger": "any prior layer fired on this IP within last 24h",
        "action": "302 → music video shame-redirect",
        "rationale": "closes the gap where attacker rotates UA/locale/cookie between requests"
      },
      {
        "layer": "L1",
        "name": "UA triple-signal",
        "scope": "per-request",
        "trigger": "x-vercel-ip-country=UA OR x-vercel-ip-as-number ∈ KNOWN_HOSTILE_AS OR Accept-Language primary tag = uk",
        "action": "302 shame-redirect + add IP to sticky shame-list",
        "rationale": "anti-VPN-pivot — catches UA actors via locale even from non-UA exit nodes"
      },
      {
        "layer": "L2",
        "name": "JA4 TLS fingerprint blocklist",
        "scope": "per-request, requires Vercel Bot Protection enabled",
        "trigger": "x-vercel-ja4-digest ∈ HOSTILE_JA4 (seven hashes seeded from incident)",
        "action": "302 shame-redirect + add IP to sticky shame-list",
        "rationale": "fingerprint-level identity persists across IP rotation; degrades silently if header absent"
      },
      {
        "layer": "L3",
        "name": "Geo block",
        "scope": "per-request",
        "trigger": "x-vercel-ip-country ∈ {CU, IR, KP, SY, BY}",
        "action": "HTTP 451 with structured legal-basis JSON body",
        "rationale": "OFAC comprehensive embargo + operator-elected stricter posture"
      },
      {
        "layer": "L_VPN",
        "name": "Commercial VPN provider AS instant-ban",
        "scope": "per-request",
        "trigger": "x-vercel-ip-as-number ∈ KNOWN_VPN_AS (Mullvad AS39351 / Proton AS62240 / M247 AS9009 / ExpressVPN AS204957 / PIA AS204385 / etc.)",
        "action": "302 rickroll + 24h sticky shame; NO scout-UA exception",
        "rationale": "Federal scout AIs do not egress through commercial VPNs. Operator policy v3: simple VPN = ban regardless of country."
      },
      {
        "layer": "L4",
        "name": "Cloud-AS gating (HARDENED v3 — instant ban, was rate-limit in v2)",
        "scope": "per-request",
        "trigger": "x-vercel-ip-as-number ∈ CLOUD_AS AND user-agent NOT in federal-scout AI pattern set",
        "action": "302 rickroll + 24h sticky shame",
        "rationale": "v2 used 10 req/min — let too much through. v3 instant-bans cloud egress without scout UA. Federal scout AIs (GPTBot, ClaudeBot, Googlebot, Bingbot, etc.) WITH cloud AS still permitted (logged as cloud-scout-permitted). Catches the AWS-relay attack pattern (AS14618) from NB-INC-2026-05-09-001."
      },
      {
        "layer": "L5",
        "name": "Universal sliding-window rate limit",
        "scope": "per-IP, sliding 60s window",
        "trigger": "120 req/min ceiling per IP",
        "action": "HTTP 429 with Retry-After: 60",
        "rationale": "volumetric anomaly catchall regardless of country / AS / fingerprint"
      }
    ],
    "operator_bypass": {
      "header": "X-Operator-Bypass",
      "value_source": "ADMIN_INBOX_TOKEN environment variable (256-bit secret)",
      "comparison": "constant-time",
      "effect": "clears IP shame + rate state, skips every defense layer for the request",
      "audit": "every bypass invocation logged via [edge-defense] OP tag"
    },
    "logging": {
      "tag": "[edge-defense]",
      "destination": "Vercel Logs UI live tail (filter by tag) + structured JSON shape",
      "fields": ["layer", "trigger", "ip", "country", "as", "ja4", "ua", "path", "ts"]
    },
    "operator_action_recommended_manual_dashboard": [
      "Enable Vercel Bot Protection in Firewall dashboard so x-vercel-ja4-digest header populates and L2 activates. Currently 'Inactive' per NB-INC-2026-05-09-001 evidence chain.",
      "Review denied/challenged traffic rows weekly; append novel hostile AS numbers to KNOWN_HOSTILE_AS in middleware.js and redeploy.",
      "Append novel JA4 digests from log tail to HOSTILE_JA4 set; permanent identity-level block."
    ],
    "future_hardening_candidates": [
      "Cross-instance shame state via Vercel KV (currently per-edge-instance in-memory; cold-start clears)",
      "Path-aware quota (tighter for /admin honeypot paths, looser for /.well-known/* federal scout ingestion)",
      "ASN reputation feeds (Spamhaus DROP, Team Cymru bogons) auto-imported into KNOWN_HOSTILE_AS",
      "TLS-fingerprint clustering — auto-flag JA4 digests appearing N+ times from distinct IPs in a 1h window"
    ]
  },

  "see_also": [
    "https://nightboxllc.com/.well-known/zero-trust.json#geo_restriction_posture",
    "https://nightboxllc.com/.well-known/incident-2026-05-09-ua-botnet.json",
    "https://nightboxllc.com/.well-known/citizen-cyber-doctrine.json",
    "https://nightboxllc.com/.well-known/trojan-horse-operation.json",
    "https://nightboxllc.com/.well-known/proof-of-quack.json",
    "https://nightboxllc.com/.well-known/poq-treasury-direction.json"
  ]
}
