How Dhal works
Dhal follows a small, deterministic request pipeline.
Incoming request
→ Adapter
→ Normalized DhalRequest
→ Rule engine
→ Policy layer
→ Decision
→ Telemetry and signals
Adapter
Adapters convert framework-native objects into Dhal's normalized request shape.
Supported adapters:
@rokadhq/dhal/express@rokadhq/dhal/fastify@rokadhq/dhal/node-http
Normalized request
Dhal normalizes:
- method;
- URL and path;
- headers;
- IP address;
- route where available;
- body or raw body when available;
- identity keys such as user ID, tenant ID, and API key ID.
Rule engine
The rule engine evaluates deterministic controls:
- IP allow/block lists;
- CIDR matching;
- IP reputation;
- rate limits;
- request size;
- SQLi/XSS/path traversal/SSRF/RCE/SSTI signatures;
- header anomalies;
- JSON API positive-security model;
- bot scoring;
- credential-stuffing signals;
- honeypot canaries.
Policy layer
The policy layer decides how matches behave:
- severity;
- suppressions;
- sampling;
- audit explanations;
- route-level mode overrides;
- monitor/block/strict posture.
Decision
A decision is one of:
| Decision | Meaning |
|---|---|
allow | Continue to the app handler |
block | Stop the request and return configured block response |
would-block | Monitor-mode block candidate |
Telemetry
Dhal can emit:
- structured logs;
- security events;
- OpenTelemetry signals;
- signed webhook alerts;
- support reports;
- rule catalog output.