Getting Started

For AI agents

Copy the prompt below into your AI coding assistant (Claude Code, Cursor, Codex, Copilot, etc.) to have it integrate doorman-benny correctly the first time.

Why a prompt?

doorman-benny has two entry points with different trade-offs, doesn't run server-side, and shouldn't be trusted in isolation for security decisions. Agents that pick the wrong entry point or skip the SSR guard ship code that almost works — and silently misses bot traffic in production.

The prompt below covers all of that. Paste it into a fresh agent session before asking it to add fingerprinting to your project. The agent gets the API surface, the picking rules, the SSR caveat, and the server-side-verification reminder in one shot.

markdown
Integrate the `doorman-benny` device fingerprinting library into this project.

## What it is

doorman-benny is a client-side TypeScript library that produces two hashes per device:

- A per-browser fingerprint (high entropy, differs across browsers)
- A cross-browser hardware fingerprint (stable across Chrome, Safari, Firefox, Brave on the same machine)

It runs entirely in the browser with zero server dependencies and zero runtime deps. ~39 KB minified.

## Tasks

1. Install the package:
   ```bash
   npm install doorman-benny
   ```

2. Pick the right entry point for the use case:
   - `getDeviceId(options?)` — fast (~200–300 ms), hardware signals only, cross-browser stable. Use for MFA, device-bound auth, cross-browser account linking, license enforcement.
   - `getFingerprint(options?)` — full pipeline (~1–1.5 s), all 15 signals. Use for fraud detection, bot detection, session tracking, distinguishing two users on the same physical device.
   - `createCollector(options?)` — background collector. Call `start()` early in page load, `await getResult()` later when you need the hash. Use when latency on the critical path matters.

3. Guard against SSR / Node-only paths. doorman-benny requires browser globals (navigator, document, OffscreenCanvas, WebGL). In Next.js / Nuxt / Remix / Angular SSR, only call it from a client-only effect (e.g. `useEffect`, `ngAfterViewInit`, `onMounted`) or check `typeof window !== 'undefined'`.

4. Send the resulting hash(es) to the backend. Never make a security decision purely on the client-side hash — always verify server-side and combine with other signals.

5. Read `result.consistency.spoofLikelihood`, `result.automation.automationLikelihood`, and `result.incognito.incognitoLikelihood` for risk-scoring. Treat `medium` as suggestive and `high` as conclusive. Incognito is informational only — not evidence of fraud.

## Minimal example

```ts
import { getDeviceId, getFingerprint, createCollector } from 'doorman-benny';

// Cross-browser device identity
const { id, confidence } = await getDeviceId();

// Full per-browser fingerprint
const result = await getFingerprint();
console.log(result.fingerprint);          // per-browser
console.log(result.hardwareFingerprint);  // cross-browser, same as id above
console.log(result.consistency.spoofLikelihood);
console.log(result.automation.automationLikelihood);

// Background pattern
const collector = createCollector();
collector.start();
// ... user interaction ...
const final = await collector.getResult();
```

## Report back

When you're done, tell me which files you changed, which entry point you picked and why, and whether you wired the hash up to any existing telemetry / auth flow. Ask before sending the hash to any external service.

Copy this prompt and paste it into your AI coding assistant.

Tuning the prompt

If you only need cross-browser device matching, strip the prompt down to just the install command and the getDeviceId example — agents work better with narrower briefs. If you're integrating into a specific framework (Next.js App Router, Angular SSR, SvelteKit, etc.), add a line at the top of the prompt naming it so the agent picks the right client-only escape hatch.