Most of a ShieldLabs integration is glue code: load the snippet, verify a webhook, turn a score into a decision. The prompts below are written so you can paste one into your AI assistant, fill in the placeholders, and get working code back. Each one already carries the product facts the model needs, so it does not guess.
There are two ways to give your AI tool the full context:
  • Every page in these docs has a menu in the top-right to Copy page, View as Markdown, or open it directly in ChatGPT or Claude with the page preloaded.
  • The entire documentation set is published as a single file at /llms-full.txt (with a short index at /llms.txt). Paste either URL into your assistant to load all of ShieldLabs as background before you ask.

Install the snippet

Replace the placeholders, then paste into ChatGPT, Claude, or Cursor.
You are helping me integrate ShieldLabs visitor identification into my web app.

Stack: <your framework, e.g. Next.js App Router, React, Vue, or plain HTML>.
Public key: <YOUR_PUBLIC_KEY>.

How ShieldLabs loads:
- It is a browser ES module loaded from a CDN. It is NOT an npm package and not a native SDK.
- Load and run it like this:
    const mod = await import('https://cdn.shieldlabs.ai/snippet.js?publicKey=YOUR_PUBLIC_KEY');
    mod.checkAnonymous();
- It runs in the browser, posts signals to ShieldLabs automatically, requests no
  permissions, and must not block page load (use a dynamic import, run it async).
- For a signed-in user, call mod.checkAuthenticatedUser('<hashed-account-id>') instead,
  passing a hash of my user id, never the raw id.

Write the integration for my stack, show exactly where the code goes, and load it on
the pages I want to identify visitors on.

Verify a webhook

Write a <Node + Express, Go, or Python + Flask> webhook handler for ShieldLabs.

Delivery format: ShieldLabs POSTs JSON shaped like
  {
    "Data": {
      ...identification fields...,
      "Score": <0-100>,
      "Details": [ { "Value": <points>, "Description": "<signal>" } ],
      "Phase": "initial"
    },
    "Assing": "<hmac>"
  }

Verification:
- "Assing" is an HMAC-SHA256 of the raw "Data" JSON, keyed with my Secret Key <YOUR_SECRET>.
- Compute the HMAC over the exact received bytes (do not re-serialize) and compare in
  constant time. Reject the request if it does not match.

Reliability:
- Delivery is at-most-once with no retries and a ~1 second timeout.
- Make the handler idempotent on Data.RequestID and return 200 quickly.

Give me the full handler with signature verification and an idempotency guard.
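
To check generated handlers against the verification rules in this prompt, the following is an added example. It is not ShieldLabs code and not part of the prompt text. It slices the `Data` value out of the received bytes without re-serializing, verifies the HMAC in constant time, and guards on `Data.RequestID`. Assumptions: `Assing` is a lowercase hex digest (the page does not state the encoding), `RequestID` is a string or integer, and the names `split_envelope`, `handle_webhook`, `SECRET`, `DATA` and `BODY` are hypothetical.

```python
import hashlib
import hmac
import json

def split_envelope(raw_body: bytes):
    """Return (Data bytes exactly as received, parsed Data, Assing value)."""
    text = raw_body.decode("utf-8")
    dec = json.JSONDecoder()
    i = text.index("{") + 1
    data_raw = data = sig = None
    while True:
        while text[i] in " \t\r\n,":          # skip separators between members
            i += 1
        if text[i] == "}":
            return data_raw, data, sig
        key, i = dec.raw_decode(text, i)       # member name
        i = text.index(":", i) + 1
        while text[i] in " \t\r\n":
            i += 1
        value, end = dec.raw_decode(text, i)   # member value and where it ends
        if key == "Data":                      # raw span and parsed value stay paired
            data_raw, data = text[i:end].encode("utf-8"), value
        elif key == "Assing":
            sig = value
        i = end

def handle_webhook(raw_body: bytes, secret: bytes, seen_ids: set):
    """Framework-neutral core: returns (HTTP status, outcome)."""
    try:
        data_raw, data, sig = split_envelope(raw_body)
    except (ValueError, IndexError):           # not UTF-8, not JSON, or truncated
        return 400, "malformed"
    if not isinstance(data, dict) or not isinstance(sig, str):
        return 400, "malformed"
    # Assumption: Assing is the lowercase hex digest of HMAC-SHA256.
    expected = hmac.new(secret, data_raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 401, "bad signature"
    rid = data.get("RequestID")
    if not isinstance(rid, (str, int)):        # assumption: id is a string or integer
        return 400, "malformed"
    if rid in seen_ids:                        # replayed or duplicated delivery
        return 200, "duplicate"
    seen_ids.add(rid)                          # production: shared store with a TTL
    return 200, "processed"                    # hand real work to a queue here

# Constructed sample: uneven spacing inside Data, so re-serializing changes the bytes.
SECRET = b"constructed-test-secret"
DATA = b'{"RequestID": "req-1",  "Score":42,"Phase":"initial"}'
BODY = (b'{"Data": ' + DATA + b', "Assing": "'
        + hmac.new(SECRET, DATA, hashlib.sha256).hexdigest().encode() + b'"}')
```

In a real handler, pass the unparsed request body (for example Flask's `request.get_data()`) as `raw_body`, and only act on the `data` value that came from the verified span.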

Turn the Risk Score into a decision

I receive a ShieldLabs Risk Score per visit and want to turn it into an action.

Facts:
- Score is 0-100. Bands: Clean 0-9, Low 10-29, Medium 30-59, High 60-100.
- Details is an array of { Value, Description }: the signals that built the score and the
  points each one added.
- Branch on the Score band and on the Details Value, NOT on exact Description text. The
  Description strings are human-readable and not a stable API contract.
- ShieldLabs does not block anything. My code owns the decision: allow, challenge (step-up
  or 2FA), send to manual review, or block.
- A legitimate user can score high (corporate VPN, privacy browser), so weigh the score
  against how sensitive the action is.

Write a function decide(score, details, actionSensitivity) that returns one of
allow | challenge | review | block, with sensible thresholds I can tune per action.

Read a visitor’s history

Write a <language> function that reads a visitor's history from the ShieldLabs Server API.

Endpoint base: https://api.shieldlabs.ai/<YOUR_DOMAIN>:<YOUR_SECRET>/
- The History endpoint returns an array of past snapshots, newest first, each with the
  identifiers, Country, and Score for that visit.
- Auth is the {domain}:{secret} segment in the path. Keep the secret server-side only.
- Billing: a History read bills one request per returned row, so cap how far back I read.

Give me the function plus a short example that fetches the last few snapshots for one
VisitorID and prints how its Score changed over time.

Keep the model honest

When you paste generated code back, sanity-check it against the real product:

Snippet

The real exports, framework examples, and what the browser collects.

Webhooks

The { Data, Assing } envelope and HMAC verification in Node, Go, and Python.

Risk Scoring

The 0-100 score, its bands, and the Details breakdown to branch on.

Server API

History, profile, and callback endpoints with full request and response shapes.
If a model invents an endpoint, an npm package, or a Description value to switch on, it is guessing. Re-prompt it with the relevant page above (Copy page, then paste) and it will correct itself.