feat(profiler): persist raw SSH KEX algorithm ordering

Prober already emits kex_algorithms in hassh_fingerprint syslog events, but the raw ordered list was only queryable via the generic bounty store. Add a dedicated AttackerBehavior.kex_order_raw column (TEXT, JSON list) so post-v1 KEX-order fingerprinting has a typed, indexable home. Pipeline: - sniffer_rollup() now consumes hassh_fingerprint events and collects distinct kex_algorithms strings across ports. - build_behavior_record() JSON-encodes the list (NULL when empty). - sqlmodel_repo._deserialize_behavior() parses it back into a list. Closes pre-v1 gap #1 from SIGNAL_CAPTURE_AUDIT.md.
2026-04-22 21:29:46 -04:00
parent 25838eb9f3
commit 8181f39ae2
5 changed files with 71 additions and 0 deletions
--- a/decnet/web/db/sqlmodel_repo.py
+++ b/decnet/web/db/sqlmodel_repo.py
@@ -673,6 +673,16 @@ class SQLModelRepository(BaseRepository):
                d["tool_guesses"] = []
        elif raw is None:
            d["tool_guesses"] = []
+        # Same list-or-None pattern for kex_order_raw.
+        raw_kex = d.get("kex_order_raw")
+        if isinstance(raw_kex, str):
+            try:
+                parsed_kex = json.loads(raw_kex)
+                d["kex_order_raw"] = parsed_kex if isinstance(parsed_kex, list) else [parsed_kex]
+            except (json.JSONDecodeError, TypeError):
+                d["kex_order_raw"] = []
+        elif raw_kex is None:
+            d["kex_order_raw"] = []
        return d

    @staticmethod