refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/attackers/api_get_attacker_commands.py

@@ -2,7 +2,7 @@ from typing import Any, Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Query
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 
 router = APIRouter()
 
@@ -20,7 +20,7 @@ async def get_attacker_commands(
     limit: int = Query(50, ge=1, le=200),
     offset: int = Query(0, ge=0, le=2147483647),
     service: Optional[str] = None,
-    current_user: str = Depends(get_current_user),
+    user: dict = Depends(require_viewer),
 ) -> dict[str, Any]:
     """Retrieve paginated commands for an attacker profile."""
     attacker = await repo.get_attacker_by_uuid(uuid)

decnet/web/router/attackers/api_get_attacker_detail.py

@@ -2,7 +2,7 @@ from typing import Any
 
 from fastapi import APIRouter, Depends, HTTPException
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 
 router = APIRouter()
 
@@ -17,10 +17,11 @@ router = APIRouter()
 )
 async def get_attacker_detail(
     uuid: str,
-    current_user: str = Depends(get_current_user),
+    user: dict = Depends(require_viewer),
 ) -> dict[str, Any]:
-    """Retrieve a single attacker profile by UUID."""
+    """Retrieve a single attacker profile by UUID (with behavior block)."""
     attacker = await repo.get_attacker_by_uuid(uuid)
     if not attacker:
         raise HTTPException(status_code=404, detail="Attacker not found")
+    attacker["behavior"] = await repo.get_attacker_behavior(uuid)
     return attacker

decnet/web/router/attackers/api_get_attackers.py

@@ -2,7 +2,7 @@ from typing import Any, Optional
 
 from fastapi import APIRouter, Depends, Query
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 from decnet.web.db.models import AttackersResponse
 
 router = APIRouter()
@@ -23,7 +23,7 @@ async def get_attackers(
     search: Optional[str] = None,
     sort_by: str = Query("recent", pattern="^(recent|active|traversals)$"),
     service: Optional[str] = None,
-    current_user: str = Depends(get_current_user),
+    user: dict = Depends(require_viewer),
 ) -> dict[str, Any]:
     """Retrieve paginated attacker profiles."""
     def _norm(v: Optional[str]) -> Optional[str]:
@@ -35,4 +35,11 @@ async def get_attackers(
     svc = _norm(service)
     _data = await repo.get_attackers(limit=limit, offset=offset, search=s, sort_by=sort_by, service=svc)
     _total = await repo.get_total_attackers(search=s, service=svc)
+
+    # Bulk-join behavior rows for the IPs in this page to avoid N+1 queries.
+    _ips = {row["ip"] for row in _data if row.get("ip")}
+    _behaviors = await repo.get_behaviors_for_ips(_ips) if _ips else {}
+    for row in _data:
+        row["behavior"] = _behaviors.get(row.get("ip"))
+
     return {"total": _total, "limit": limit, "offset": offset, "data": _data}