Zelnoo Sentinel
Trust & Safety · Real-time

Sentinel watches every actor, and acts before damage is done.

A self-contained fraud & abuse subsystem that ingests behavioral events from across the platform, runs them against 80+ configurable rules, scores entity risk in real time, and auto-blocks the worst offenders in under a second — all visible on a live operator dashboard.

NestJS API · port 4020 · BullMQ workers · Socket.io live feed · Internal shared-secret channel

80+ fraud rules live
14 risk categories
0–100 weighted risk score
<1s detect → auto-block

How it works

Event in, signal out, action back

The core platform emits events — logins, bookings, collections, payouts, report uploads — over a private internal channel. Sentinel queues them idempotently, runs each through its rule engine to raise weighted fraud signals, recomputes the entity’s risk score, and — when risk turns critical — calls back into the core to block the lab or remove the phlebotomist.

1. Ingest: Events arrive via an internal x-internal-key endpoint, deduplicated by event ID and logged against the entity profile.

2. Evaluate: BullMQ workers run the event through every matching rule — velocity windows, GPS checks, duplicate-identity lookups, behavioral baselines.

3. Score: Active signal weights are summed (capped at 100) into a live risk score with a Low / Medium / High / Critical band.

4. Act: Score ≥ 25 raises an alert; Critical (≥80) auto-blocks — the lab is deactivated or the phlebo removed on the core API instantly.

The rule library

80+ detectors across the whole ecosystem

Every actor and money path is covered. A representative slice of the highest-signal rules:

| Detector | Catches | Trigger | Weight |
|---|---|---|---|
| Phlebo Fake Collection | Marked “collected” far from the patient | GPS gap > 500 m | 65 |
| Phlebo Rapid Completion | Physically impossible collection time | < 3 min | 55 |
| Account Takeover | Credential change + new-device login | 1 event | 70 |
| Geo-Velocity Anomaly | Impossible travel between logins | ~900+ km/h | 60 |
| KYC / Aadhaar Reuse | Same identity doc on multiple accounts | 2+ entities | 65 |
| Payout Account Swap | Bank change then instant payout request | within 24h | 65 |
| Chargeback Pattern | Repeated disputed payments | 2+ / 60 days | 60 |
| Single-Center Referral | Doctor kickback concentration | 90% to one lab | 45 |
| All-Normal Report Pattern | Fabricated lab results | 95% all-normal | 35 |
| Partner Signup OTP Bypass | Onboarding without verification | 1 event | 70 |
| Admin Bulk Export | Possible data exfiltration | 1000+ / 10 min | 55 |

Auth & identity · Bookings & orders · Phlebotomist gaming · Payments & payouts · Lab operations · Reports & AI · Doctor referrals · Admin & CRM abuse · Inventory fraud · KYC & GST reuse · Gamification farming · Partner signup (lab + phlebo)

Risk scoring & the operator dashboard

One number, four bands, instant action

Low < 25

Monitored only — no alert raised.

Medium 25–49

Alert raised for operator review.

High 50–79

Prioritized case; manual action likely.

Critical ≥ 80

Auto-blocked on the core API in < 1s.
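
The scoring and banding described above, together with the deduplicated ingest from "How it works", as an added TypeScript example that is not Sentinel's own code. All type and function names are hypothetical, the events are constructed, and keeping one signal per rule is an assumption the page does not state.

```typescript
// Added illustration; every type and function name here is hypothetical.
type Band = "Low" | "Medium" | "High" | "Critical";
type Action = "monitor" | "alert" | "auto-block";
interface Signal { rule: string; weight: number; active: boolean }
interface Profile { signals: Signal[]; seenEventIds: string[] }
interface Outcome { duplicate: boolean; score: number; band: Band; action: Action }

// Step 3: sum the weights of active signals, capped at 100.
function riskScore(p: Profile): number {
  const total = p.signals.filter((s) => s.active).reduce((t, s) => t + s.weight, 0);
  return Math.min(100, total);
}

// Bands as listed on the page: <25, 25-49, 50-79, >=80.
function bandFor(score: number): Band {
  if (score >= 80) return "Critical";
  if (score >= 50) return "High";
  if (score >= 25) return "Medium";
  return "Low";
}

// Step 4: >=25 raises an alert, Critical auto-blocks, below 25 is monitored only.
function evaluate(p: Profile, duplicate: boolean): Outcome {
  const score = riskScore(p);
  const band = bandFor(score);
  const action: Action = band === "Critical" ? "auto-block" : band === "Low" ? "monitor" : "alert";
  return { duplicate, score, band, action };
}

// Steps 1-2: a replayed event ID is ignored, so a retry cannot raise signals twice.
// Assumption: one signal per rule, so a rule that fires again replaces its old signal.
function ingest(p: Profile, eventId: string, fired: Signal[]): Outcome {
  if (p.seenEventIds.indexOf(eventId) !== -1) return evaluate(p, true);
  p.seenEventIds.push(eventId);
  for (const s of fired) {
    p.signals = p.signals.filter((x) => x.rule !== s.rule);
    p.signals.push(s);
  }
  return evaluate(p, false);
}

// Constructed events for one phlebotomist, using weights from the rule table.
function demo(): Outcome[] {
  const phlebo: Profile = { signals: [], seenEventIds: [] };
  const rapid: Signal = { rule: "Phlebo Rapid Completion", weight: 55, active: true };
  const fake: Signal = { rule: "Phlebo Fake Collection", weight: 65, active: true };
  return [ingest(phlebo, "evt-1", [rapid]), ingest(phlebo, "evt-1", [rapid]), ingest(phlebo, "evt-2", [fake])];
}
```

In the sample run the replayed `evt-1` leaves the score unchanged, and the second detector pushes the raw sum past the cap, so the profile lands in the Critical band.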

A live command center

📡

Live feed

A WebSocket stream of every incoming event and new alert — colour-coded by severity, no refresh needed.

🎯

High-risk entities

Drill into any lab, phlebo, doctor or patient: their score, every active signal, alert history and raw activity.

🧰

Rules & actions

Enable/disable rules and tune weights; every block, refund and intervention is captured in an action log.

🧪
Quality scoring runs in parallel. Alongside fraud, Sentinel computes a TAT-and-cancellation quality score for labs and phlebotomists — the same pipeline that protects the platform also measures its operational health.
Connected systems & impact

A safety net under the whole platform

Sentinel is deliberately decoupled — it listens to everything and can act on anything, without slowing the core request path.

CORE API →

Event source

Auth, booking, collection, payment, report and admin events all stream into Sentinel over the internal channel.

→ CORE API

Enforcement

Sentinel calls back to /internal/block-lab and /internal/remove-phlebo to neutralize critical threats automatically.

↔ ADMIN

Admin Portal

Risk flags surface in Admin as actionable alerts; operators acknowledge, resolve, or escalate from a single console.

→ ALLOTMENT

Dispatch pool

A flagged phlebotomist is pulled from the eligible pool, so risky actors stop receiving jobs.

CRM / SIGNUP →

Onboarding gate

Partner-signup detectors catch duplicate PAN/Aadhaar, OTP bypass and bot floods before a bad lab ever goes live.

PAYOUTS →

Money movement

Account swaps, payout inflation and chargeback patterns are caught at the exact moment money is at risk.

Loss prevention
Fake collections, payout & refund abuse caught live
Platform trust
Fabricated reports & collusion flagged automatically
Sub-second response
Critical actors blocked without human delay