feat(api): GET /credentials endpoint

Surfaces the Credential table (deduped attacker auth attempts) via
a new /api/v1/credentials route. Mirrors the Bounty cache pattern
(5s TTL on the unfiltered default page) and reuses the existing
get_credentials / get_total_credentials repo methods + the already
defined CredentialsResponse DTO. Filters: search, service, attacker_ip.

decnet/web/router/__init__.py

@@ -5,6 +5,7 @@ from .auth.api_change_pass import router as change_pass_router
 from .logs.api_get_logs import router as logs_router
 from .logs.api_get_histogram import router as histogram_router
 from .bounty.api_get_bounties import router as bounty_router
+from .credentials.api_get_credentials import router as credentials_router
 from .stats.api_get_stats import router as stats_router
 from .fleet.api_get_deckies import router as get_deckies_router
 from .fleet.api_mutate_decky import router as mutate_decky_router
@@ -59,6 +60,9 @@ api_router.include_router(histogram_router)
 # Bounty Vault
 api_router.include_router(bounty_router)
 
+# Credentials (deduped attacker auth attempts)
+api_router.include_router(credentials_router)
+
 # Fleet Management
 api_router.include_router(get_deckies_router)
 api_router.include_router(mutate_decky_router)

decnet/web/router/credentials/api_get_credentials.py

@@ -0,0 +1,103 @@
+import asyncio
+import time
+from typing import Any, Optional
+
+from fastapi import APIRouter, Depends, Query
+
+from decnet.telemetry import traced as _traced
+from decnet.web.dependencies import require_viewer, repo
+from decnet.web.db.models import CredentialsResponse
+
+router = APIRouter()
+
+# Mirror the Bounty cache pattern: the dashboard hits the unfiltered
+# default page constantly. Filtered requests bypass — staleness matters
+# when an operator is searching for a specific principal/IP.
+_CRED_TTL = 5.0
+_DEFAULT_LIMIT = 50
+_DEFAULT_OFFSET = 0
+_cred_cache: tuple[Optional[dict[str, Any]], float] = (None, 0.0)
+_cred_lock: Optional[asyncio.Lock] = None
+
+
+def _reset_credentials_cache() -> None:
+    global _cred_cache, _cred_lock
+    _cred_cache = (None, 0.0)
+    _cred_lock = None
+
+
+async def _get_credentials_default_cached() -> dict[str, Any]:
+    global _cred_cache, _cred_lock
+    value, ts = _cred_cache
+    now = time.monotonic()
+    if value is not None and now - ts < _CRED_TTL:
+        return value
+    if _cred_lock is None:
+        _cred_lock = asyncio.Lock()
+    async with _cred_lock:
+        value, ts = _cred_cache
+        now = time.monotonic()
+        if value is not None and now - ts < _CRED_TTL:
+            return value
+        _data = await repo.get_credentials(
+            limit=_DEFAULT_LIMIT, offset=_DEFAULT_OFFSET,
+            search=None, service=None, attacker_ip=None,
+        )
+        _total = await repo.get_total_credentials(
+            search=None, service=None, attacker_ip=None,
+        )
+        value = {"total": _total, "limit": _DEFAULT_LIMIT, "offset": _DEFAULT_OFFSET, "data": _data}
+        _cred_cache = (value, time.monotonic())
+        return value
+
+
+@router.get(
+    "/credentials",
+    response_model=CredentialsResponse,
+    tags=["Credentials"],
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        422: {"description": "Validation error"},
+    },
+)
+@_traced("api.get_credentials")
+async def get_credentials(
+    limit: int = Query(50, ge=1, le=1000),
+    offset: int = Query(0, ge=0, le=2147483647),
+    search: Optional[str] = None,
+    service: Optional[str] = None,
+    attacker_ip: Optional[str] = None,
+    user: dict = Depends(require_viewer),
+) -> dict[str, Any]:
+    """Retrieve captured credentials (deduped by attacker/decky/service/secret)."""
+    def _norm(v: Optional[str]) -> Optional[str]:
+        if v in (None, "null", "NULL", "undefined", ""):
+            return None
+        return v
+
+    s = _norm(search)
+    svc = _norm(service)
+    aip = _norm(attacker_ip)
+
+    if (
+        s is None
+        and svc is None
+        and aip is None
+        and limit == _DEFAULT_LIMIT
+        and offset == _DEFAULT_OFFSET
+    ):
+        return await _get_credentials_default_cached()
+
+    _data = await repo.get_credentials(
+        limit=limit, offset=offset, search=s, service=svc, attacker_ip=aip,
+    )
+    _total = await repo.get_total_credentials(
+        search=s, service=svc, attacker_ip=aip,
+    )
+    return {
+        "total": _total,
+        "limit": limit,
+        "offset": offset,
+        "data": _data,
+    }

tests/api/credentials/test_get_credentials.py

@@ -0,0 +1,85 @@
+import pytest
+import httpx
+from hypothesis import given, settings, strategies as st
+from ..conftest import _FUZZ_SETTINGS
+
+
+@pytest.mark.anyio
+async def test_get_credentials_empty(client: httpx.AsyncClient, auth_token: str):
+    resp = await client.get(
+        "/api/v1/credentials",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert "total" in data
+    assert "data" in data
+    assert isinstance(data["data"], list)
+
+
+@pytest.mark.anyio
+async def test_credentials_pagination(client: httpx.AsyncClient, auth_token: str):
+    resp = await client.get(
+        "/api/v1/credentials?limit=1&offset=0",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["limit"] == 1
+
+
+@pytest.mark.anyio
+async def test_credentials_requires_auth(client: httpx.AsyncClient):
+    resp = await client.get("/api/v1/credentials")
+    assert resp.status_code == 401
+
+
+@pytest.mark.anyio
+async def test_credentials_filter_passthrough(
+    client: httpx.AsyncClient, auth_token: str
+):
+    # Filter values that match no rows should still 200 with empty data.
+    resp = await client.get(
+        "/api/v1/credentials",
+        params={"service": "ssh", "attacker_ip": "10.0.0.1", "search": "nope"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    body = resp.json()
+    assert body["data"] == []
+
+
+@pytest.mark.fuzz
+@pytest.mark.anyio
+@settings(**_FUZZ_SETTINGS)
+@given(
+    limit=st.integers(min_value=-2000, max_value=5000),
+    offset=st.integers(min_value=-2000, max_value=5000),
+    service=st.one_of(st.none(), st.text(max_size=256)),
+    attacker_ip=st.one_of(st.none(), st.text(max_size=64)),
+    search=st.one_of(st.none(), st.text(max_size=2048)),
+)
+async def test_fuzz_credentials_query(
+    client: httpx.AsyncClient,
+    auth_token: str,
+    limit: int,
+    offset: int,
+    service,
+    attacker_ip,
+    search,
+) -> None:
+    params: dict = {"limit": limit, "offset": offset}
+    if service is not None:
+        params["service"] = service
+    if attacker_ip is not None:
+        params["attacker_ip"] = attacker_ip
+    if search is not None:
+        params["search"] = search
+    try:
+        resp = await client.get(
+            "/api/v1/credentials",
+            params=params,
+            headers={"Authorization": f"Bearer {auth_token}"},
+        )
+        assert resp.status_code in (200, 422)
+    except UnicodeEncodeError:
+        pass