Detection: Beta Join Geo-Block Bypass Attempt
Catalog area: beta
Severity: medium
Created: 2026-06-12 UTC
Refs: docs/architecture/beta-phase2-join-flow.md §4.3, §11, §12
Trigger condition
Two or more POST /api/beta/join/<token>/claim requests from the same tester_email
within a 30-minute window where the request body contains a country/province combination
blocked by FLAG_SIGNUP_GEOBLOCK_EU or FLAG_QUEBEC_GEOBLOCK, and each attempt results
in a 403 response.
Why this matters
Geo-block invariant I-6 applies to join-token paths: even NDA'd invited testers in blocked regions cannot create accounts until compliance is resolved. Repeated attempts may indicate a tester trying different country/province combinations or using a VPN to bypass the block.
Detection logic
- Source: Raptor access logs + beta.join.geoblock_rejected audit event (to be added in the claim endpoint implementation).
- Query: GROUP BY tester_email, 30-minute window, count of 403 on /claim, HAVING count >= 2.
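The query above, run as a sliding 30-minute window over sample rows. This is an added Python example, not code from this catalog or from the claim endpoint. Assumptions: the row layout, the sample data, the COUNTRY-PROVINCE region string, the /24 and /48 IP truncation and the plain SHA-256 email hash are all constructed here; the alert fields mirror the ones listed under Response.

```python
import hashlib
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows: (ts, tester_email, path, status, country, province, ip).
# The field layout is an assumption; the real audit event is not yet defined.
SAMPLE = [
    ("2026-06-12T10:00:00", "a@example.test", "/api/beta/join/t1/claim", 403, "DE", "", "198.51.100.7"),
    ("2026-06-12T10:12:00", "A@example.test", "/api/beta/join/t1/claim", 403, "CA", "QC", "203.0.113.9"),
    ("2026-06-12T10:00:00", "b@example.test", "/api/beta/join/t2/claim", 403, "FR", "", "192.0.2.10"),
    ("2026-06-12T10:03:00", "b@example.test", "/api/beta/join/t2/claim", 200, "US", "", "192.0.2.10"),
    ("2026-06-12T09:00:00", "c@example.test", "/api/beta/join/t3/claim", 403, "FR", "", "192.0.2.44"),
    ("2026-06-12T09:45:00", "c@example.test", "/api/beta/join/t3/claim", 403, "FR", "", "192.0.2.44"),
]

def ip_prefix(ip):
    """Truncate to /24 (IPv4) or /48 (IPv6) so the alert carries no full address."""
    bits = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def detect(rows, window=timedelta(minutes=30), threshold=2):
    """Return one alert per tester_email with >= threshold 403s on /claim in any window."""
    rejected = defaultdict(list)
    for ts, email, path, status, country, province, ip in rows:
        if status == 403 and path.startswith("/api/beta/join/") and path.endswith("/claim"):
            region = f"{country}-{province}" if province else country
            rejected[email.strip().lower()].append((datetime.fromisoformat(ts), region, ip))
    alerts = []
    for email, hits in rejected.items():
        hits.sort()
        start, best = 0, []
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                # Plain SHA-256 for brevity; a keyed hash resists guessing of known emails.
                "tester_email_hash": hashlib.sha256(email.encode()).hexdigest(),
                "regions_attempted": sorted({r for _, r, _ in best}),
                "ip_prefixes": sorted({ip_prefix(i) for _, _, i in best}),
                "attempts": len(best),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On the sample rows only the first tester alerts: the second corrects the country on retry and the third's two rejections are 45 minutes apart.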
Response
- Log to ops@raxx.app with tester email hash, country codes attempted, and IP prefix.
- If OQ-2 is resolved with a tester exemption path: operator can grant an exception via Console admin action.
- Do not contact the tester directly until the operator decides on OQ-2.
False positive conditions
- Tester entering incorrect country code accidentally (single attempt, corrected on retry).
- Tester using a commercial VPN that reports a blocked country (per user_uses_vpn memory). Cross-check IP against known VPN/CDN ranges before escalating.