Secret Features

Cerno’s open-source @cernosh/core package exposes 7 public behavioral features. The server computes additional features that never appear in any client-facing package.

Why server-only matters

The client code is fully inspectable. Anyone can read the GitHub source. The defense model accepts this:

  1. Script-kiddie barrier — most bots won’t analyze server scoring at all
  2. Rotation without client changes — server features can be swapped, reweighted, or replaced without shipping a new client version
  3. High-dimensional space — combining public + secret features creates a scoring space that’s expensive to optimize against simultaneously

Even if an attacker finds the server source, they still need to produce traces that satisfy all features at once. Each additional dimension makes brute-force tuning exponentially harder.

How it works

The server extracts additional motion metrics from the raw pointer events after 60 Hz resampling. These metrics target biomechanical properties of human motor control that are difficult to synthesize.

Details of the specific features, their baselines, and scoring weights are intentionally not published. The security value depends partly on attackers not knowing exactly which properties to optimize for.

Managed service advantage

Self-hosters get a solid default set of secret features from the @cernosh/server package. The managed service at api.cerno.sh uses a broader feature set calibrated from production data, providing stronger detection against sophisticated attacks.

SecretFeaturesProvider interface

If you need custom server-only scoring, implement the SecretFeaturesProvider interface:

import type { SecretFeaturesProvider, ScoringContext } from '@cernosh/server'

const customProvider: SecretFeaturesProvider = {
  score(ctx: ScoringContext) {
    // Your custom scoring logic: derive a score from the context the server
    // passes in (here a fixed placeholder value)
    return { score: 0.8 }
  }
}

Pass it via ServerConfig.secretFeaturesProvider. When set, it replaces the built-in secret feature scoring entirely.
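The following is an added example, not Cerno's own code and not one of the undisclosed server features. It sketches a provider end to end for the two passages above: resampling raw pointer events onto the 60 Hz grid the "How it works" section mentions, computing one illustrative motion feature over the resampled samples, and wiring the provider in as `secretFeaturesProvider`. The `RawPointerEvent`, `PointerSample`, `ScoringContext`, `SecretFeaturesProvider` and `ServerConfig` shapes are local stand-ins for the real `@cernosh/server` types, whose fields this page does not document; the speed-variation feature, its 0.5 threshold and the two sample traces are assumptions constructed for illustration.

```typescript
// Local stand-ins for the '@cernosh/server' types. Their real fields are not
// documented on this page, so these shapes are assumptions for the example.
interface RawPointerEvent { t: number; x: number; y: number } // t in ms, x/y in px
interface PointerSample { x: number; y: number }               // one 60 Hz sample
interface ScoringContext { samples: PointerSample[] }           // assumed shape
interface SecretFeaturesProvider { score(ctx: ScoringContext): { score: number } }
interface ServerConfig { secretFeaturesProvider?: SecretFeaturesProvider } // assumed, partial

const SAMPLE_RATE_HZ = 60
const STEP_MS = 1000 / SAMPLE_RATE_HZ

// Resample irregularly timed pointer events onto a uniform 60 Hz grid by
// linear interpolation, so per-sample distances are comparable across traces
// regardless of how the browser happened to deliver the raw events.
function resampleTo60Hz(events: RawPointerEvent[]): PointerSample[] {
  if (events.length < 2) return events.map(e => ({ x: e.x, y: e.y }))
  const sorted = events.slice().sort((a, b) => a.t - b.t)
  const last = sorted[sorted.length - 1]
  const out: PointerSample[] = []
  let i = 0
  for (let t = sorted[0].t; t <= last.t; t += STEP_MS) {
    // advance to the raw segment [sorted[i], sorted[i + 1]] that contains t
    while (i < sorted.length - 2 && sorted[i + 1].t < t) i++
    const a = sorted[i], b = sorted[i + 1]
    const f = b.t === a.t ? 0 : (t - a.t) / (b.t - a.t)
    out.push({ x: a.x + f * (b.x - a.x), y: a.y + f * (b.y - a.y) })
  }
  return out
}

// Illustrative feature (an assumption for this example, not one of Cerno's
// undisclosed features): coefficient of variation of per-sample speed.
// Human reaching movements accelerate and then decelerate, so their speed
// profile varies; a path generated at constant velocity has almost none.
function speedVariation(samples: PointerSample[]): number {
  const speeds: number[] = []
  for (let k = 1; k < samples.length; k++) {
    const dx = samples[k].x - samples[k - 1].x
    const dy = samples[k].y - samples[k - 1].y
    speeds.push(Math.sqrt(dx * dx + dy * dy))
  }
  if (speeds.length === 0) return 0
  const mean = speeds.reduce((s, v) => s + v, 0) / speeds.length
  if (mean === 0) return 0 // stationary trace: no motion to judge
  const variance = speeds.reduce((s, v) => s + (v - mean) * (v - mean), 0) / speeds.length
  return Math.sqrt(variance) / mean
}

const CV_FULL_CONFIDENCE = 0.5 // assumed threshold: this much variation scores as fully human-like

const customProvider: SecretFeaturesProvider = {
  score(ctx) {
    // Too few samples to measure a speed profile: award no score at all.
    if (ctx.samples.length < 3) return { score: 0 }
    const cv = speedVariation(ctx.samples)
    return { score: Math.min(1, cv / CV_FULL_CONFIDENCE) }
  },
}

// Wiring as the page describes: the provider replaces built-in secret scoring.
const config: ServerConfig = { secretFeaturesProvider: customProvider }

// Convenience for callers and tests: raw events in, provider score out.
function scoreEvents(events: RawPointerEvent[]): number {
  return config.secretFeaturesProvider!.score({ samples: resampleTo60Hz(events) }).score
}

// Constructed sample traces (not real captures). The human-like trace speeds
// up then slows down; the synthetic one moves at constant velocity with
// irregular event timing, which resampling normalises away.
const HUMAN_TRACE: RawPointerEvent[] = [
  { t: 0, x: 0, y: 0 }, { t: 50, x: 2, y: 1 }, { t: 100, x: 12, y: 3 },
  { t: 150, x: 40, y: 8 }, { t: 200, x: 70, y: 14 }, { t: 250, x: 82, y: 17 },
  { t: 300, x: 86, y: 18 },
]
const SYNTHETIC_TRACE: RawPointerEvent[] = [
  { t: 0, x: 0, y: 0 }, { t: 70, x: 14, y: 7 }, { t: 130, x: 26, y: 13 },
  { t: 300, x: 60, y: 30 },
]

console.log('human-like:', scoreEvents(HUMAN_TRACE).toFixed(2))
console.log('synthetic:', scoreEvents(SYNTHETIC_TRACE).toFixed(2))
```

Resampling first matters: without it, a synthetic trace with irregular event timestamps would show spurious speed variation simply because its raw events are unevenly spaced, and a real feature would be judging the event scheduler rather than the motion. Returning 0 for short or stationary traces keeps the provider from awarding a human-like score on input it cannot actually measure.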