← Back to Guard Center
Architecture

The system is built as a defense pipeline: collect, detect, review, respond, and archive.

Niubi Guard is moving away from a pure product-page posture toward a reviewable abuse-defense architecture. The key idea is to keep public evidence, model decisions, and response controls connected, while preserving clear boundaries around private operations data.

Core modules

  • `collector`: GitHub issues, comments, actors, repository snapshots
  • `detector`: rules, features, LLM classification, risk scoring
  • `responder`: delete, close, lock, interaction limits, audit logs
  • `intel`: attack waves, suspicious accounts, sample fingerprints
  • `trainer`: review queue, labeling, prompt evaluation, threshold tuning

Decision flow

  1. Collect the new event from GitHub.
  2. Run lightweight rules first for fast recall.
  3. Extract actor and cross-repository features.
  4. Send medium and high-risk events to an LLM classifier.
  5. Produce a risk label, confidence score, evidence, and suggested action.
  6. Either review, mitigate, or contain based on repository policy.

Learning loop

The learning loop is intentionally conservative. New samples go into review, review results become labeled cases, and only evaluated prompt or rule updates get pushed through staged rollout. This keeps the project adaptive without becoming a black-box self-training system.