Security System

1. Feature Brief

The Security System is a comprehensive, GUI-driven protection suite covering everything from real-time raid detection to full server backups. All configuration is done through an interactive dashboard - no config files, no complex command arguments.

Anti-nuke protection - monitors bans, kicks, channel deletes, and webhook spam in real time; takes automatic action when any threshold is exceeded within a monitored time window
CAPTCHA verification - new members must solve a 6-character code challenge before gaining access; integrates with a dedicated verification channel and a verified role
Server lockdown - instantly revokes Send Messages and Connect permissions across every text and voice channel; original permissions are backed up and fully restored on unlock
Whitelist system - specific users, roles, and channels can be exempted from anti-nuke detection and webhook spam checks
Server backups - snapshot the entire server structure (roles, channels, permissions, emojis, bans) and restore it at any time
Security dashboard - interactive control panel for all sub-systems, togglable and configurable from a single /security dashboard command
Event logging - every security action is recorded in a log channel with colour-coded embeds and full audit details

2. Sub-Systems

Anti-nuke runs passively on every relevant Discord event. When any non-whitelisted member exceeds a threshold within a short time window, the configured response action fires automatically and the server owner receives a DM alert.

Monitored events:

Mass bans
Mass kicks
Channel creates and deletes
Webhook spam

Thresholds for each event are fully configurable via the dashboard to match your server’s normal activity levels.

Response actions (one is active at a time, changeable from the dashboard):

Action	What it does
`remove_perms` (default)	Strips all roles carrying Administrator, Ban, Kick, Manage Channels, Manage Guild, or Manage Roles permissions
`kick`	Kicks the offending member from the server
`ban`	Permanently bans the offending member

When webhook spam is detected, the bot also bulk-deletes all tracked spam messages from that webhook across every channel.

When enabled, every new member joining the server is added to a pending verification queue. A persistent embed with a “Click Here to Verify” button lives in the configured verification channel.

Verification flow:

Member clicks the button → a modal appears with a freshly generated 6-character CAPTCHA code (letters and numbers, visually ambiguous characters excluded)
Member types the code and submits → if correct, the verified role is granted immediately
Challenges expire after 5 minutes - the member must click the button again if they miss the window
Members who already have the verified role are told so and the interaction ends

Requirements before enabling:

A dedicated verification channel must be selected
A verified role must be configured
@everyone (or the member role) should have its channel permissions restricted so unverified users cannot see the rest of the server

Both the channel and role are set via select menus in the dashboard; a manual Role ID entry option is available for roles that don’t appear in the menu.

/security lockdown action:Lock immediately sets SendMessages: false and Connect: false for the targeted role across every text and voice channel in the server.

Role targeting logic:

If a verified role is configured, that role is locked (only verified members are blocked)
If no verified role is set, @everyone is locked (the whole server is locked down)

Permission backup: before locking, the bot saves the existing SendMessages and Connect overrides for every channel. On unlock, each channel is restored to exactly its pre-lockdown state.

The whitelist determines who and what is exempt from anti-nuke detection. The server owner is always exempt. Administrators are not automatically exempt - this is intentional, as compromised admin accounts are a common attack vector.

What can be whitelisted:

Scope	Description
Users	Specific members who bypass all anti-nuke triggers
Roles	Any member holding a whitelisted role bypasses detection
Channels	Webhook spam detection is disabled in these channels

Whitelisted users and roles are managed via the dashboard’s Whitelist panel (add via user ID modal or role select menu; remove via matching select menus). Stale entries (deleted roles/channels) are automatically cleaned up when the whitelist panel is opened.

/security whitelist also provides a quick command-line alternative for adding or removing a single user or role without opening the dashboard.

Backups capture a full snapshot of the server structure and are stored in the database. Administrator permission is required to create or restore backups.

What is backed up:

Server name and icon URL
All non-managed roles (name, color, permissions, position, hoist/mentionable flags, member assignments)
All channels (name, type, position, category, topic, NSFW flag, slowmode, permission overwrites)
All custom emojis
All active bans with reasons

Restore process: Restoring a backup will recreate your saved roles and channels. Use with care as this is a destructive action that replaces current settings.

Up to 10 backups are shown in the /security backups list. Individual backups are deleted with /security delete-backup backup-id:<id>.

Every security action - automatic or manual - is securely logged and, if a log channel is configured, posted as a colour-coded embed in real time.

Embed Colour	Event Types
🟢 Green	Member verified, anti-nuke enabled, backup created, backup restored
🔴 Red	Anti-nuke triggered, webhook spam deleted, lockdown enabled
🟡 Yellow	System or feature disabled, lockdown lifted
🔵 Blue	Config changes (log channel set, default role set, etc.)

/security stats shows a breakdown of event counts by type for the last 7 days alongside the total all-time event count and the number of pending verifications.

3. Setup

Run the setup command - use /security setup to initialise the system. Optionally pass a log-channel to start receiving security event embeds immediately. Anti-nuke is enabled by default.

If the bot’s role is not in the top 3 roles, the setup reply will include a warning with instructions to move it up.
Open the dashboard - run /security dashboard. From here, navigate between the four panels:
- Anti-Nuke - toggle, configure thresholds, and set the response action
- Verification - set up and enable CAPTCHA gating for new members
- Whitelist - manage trusted users, roles, and webhook-exempt channels
- Settings - toggle the entire system on/off and set the log channel
Configure anti-nuke Recommended - inside the Anti-Nuke panel, click Configure Thresholds to set ban, kick, channel-delete, and webhook thresholds to match your server’s normal activity. Click Set Action to choose the response (remove_perms, kick, or ban).
Configure verification Optional - inside the Verification panel, click Setup and select a dedicated text channel and a verified role. Then remove @everyone’s ability to see other channels so unverified members are gated. Finally, click Enable to activate.
Create a baseline backup Recommended - run /security backup name:<name> after setup to capture your current server structure. Store additional backups before major permission changes.

Setting	Configured via	Default
Log Channel	`/security setup log-channel:` or Dashboard → Settings	None
Anti-Nuke	Dashboard → Anti-Nuke → Toggle	Enabled
Mass Ban Threshold	Dashboard → Anti-Nuke → Configure Thresholds	5 per minute
Mass Kick Threshold	Dashboard → Anti-Nuke → Configure Thresholds	5 per minute
Channel Delete Threshold	Dashboard → Anti-Nuke → Configure Thresholds	10 per minute
Webhook Spam Threshold	Dashboard → Anti-Nuke → Configure Thresholds	5 per minute
Anti-Nuke Action	Dashboard → Anti-Nuke → Set Action	remove_perms
Verification Channel	Dashboard → Verification → Setup	None
Verified Role	Dashboard → Verification → Setup	None
Default Lockdown Role	Dashboard → Settings → Set Default Role	@everyone