modified: ci.yml, fucked up last time lol

modified: ci.yml, pyproject: added missing installs and modified pip install command
chore: deleted trash
2026-04-08 15:53:49 -04:00 · 2026-04-08 15:50:17 -04:00 · 2026-04-08 02:07:11 -04:00 · 2026-04-08 01:48:05 -04:00 · 2026-04-08 01:42:05 -04:00 · 2026-04-08 01:27:11 -04:00
93 changed files with 9563 additions and 306 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,11 @@
 # API Options
 DECNET_API_HOST=0.0.0.0
 DECNET_API_PORT=8000
 DECNET_JWT_SECRET=supersecretkey12345
 DECNET_INGEST_LOG_FILE=/var/log/decnet/decnet.log
 # Web Dashboard Options
 DECNET_WEB_HOST=0.0.0.0
 DECNET_WEB_PORT=8080
 DECNET_ADMIN_USER=admin
 DECNET_ADMIN_PASSWORD=admin
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -3,6 +3,9 @@ name: CI
 on:
  push:
    branches: [dev, testing]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
 jobs:
  lint:
@@ -27,7 +30,7 @@ jobs:
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
-      - run: pip install -e .
+      - run: pip install -e .[dev]
      - run: pytest tests/ -v --tb=short
  bandit:
@@ -50,7 +53,7 @@ jobs:
        with:
          python-version: "3.11"
      - run: pip install pip-audit
-      - run: pip install -e .
+      - run: pip install -e .[dev]
      - run: pip-audit --skip-editable
  open-pr:
--- a/.gitea/workflows/pr.yml
+++ b/.gitea/workflows/pr.yml
@@ -3,6 +3,9 @@ name: PR Gate
 on:
  pull_request:
    branches: [main]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
 jobs:
  lint:
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -3,6 +3,9 @@ name: Release
 on:
  push:
    branches: [main]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
 env:
  REGISTRY: git.resacachile.cl
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,9 @@ decnet.log*
 *.loggy
 *.nmap
 linterfails.log
 test-scan
 webmail
 windows1
 *.db
 decnet.json
 .env
 .env.local
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -1 +0,0 @@
 CI/CD TEST 2
--- a/GEMINI.md
+++ b/GEMINI.md
@@ -0,0 +1,103 @@
 # DECNET (Deception Network) Project Context
 DECNET is a high-fidelity honeypot framework designed to deploy heterogeneous fleets of fake machines (called **deckies**) that appear as real hosts on a local network.
 ## Project Overview
 - **Core Purpose:** To lure, profile, and log attacker interactions within a controlled, deceptive environment.
 - **Key Technology:** Linux-native container networking (MACVLAN/IPvlan) combined with Docker to give each decoy its own MAC address, IP, and realistic TCP/IP stack behavior.
 - **Main Components:**
  - **Deckies:** Group of containers sharing a network namespace (one base container + multiple service containers).
  - **Archetypes:** Pre-defined machine profiles (e.g., `windows-workstation`, `linux-server`) that bundle services and OS fingerprints.
  - **Services:** Modular honeypot plugins (SSH, SMB, RDP, etc.) built as `BaseService` subclasses.
  - **OS Fingerprinting:** Sysctl-based TCP/IP stack tuning to spoof OS detection (nmap).
  - **Logging Pipeline:** RFC 5424 syslog forwarding to an isolated SIEM/ELK stack.
 ## Technical Stack
 - **Language:** Python 3.11+
 - **CLI Framework:** [Typer](https://typer.tiangolo.com/)
 - **Data Validation:** [Pydantic v2](https://docs.pydantic.dev/)
 - **Orchestration:** Docker Engine 24+ (via Docker SDK for Python)
 - **Networking:** MACVLAN (default) or IPvlan L2 (for WiFi/restricted environments).
 - **Testing:** Pytest (100% pass requirement).
 - **Formatting/Linting:** Ruff, Bandit (SAST), pip-audit.
 ## Architecture
 ```text
 Host NIC (eth0)
  └── MACVLAN Bridge
        ├── Decky-01 (192.168.1.10) -> [Base] + [SSH] + [HTTP]
        ├── Decky-02 (192.168.1.11) -> [Base] + [SMB] + [RDP]
        └── ...
 ```
 - **Base Container:** Owns the IP/MAC, sets `sysctls` for OS spoofing, and runs `sleep infinity`.
 - **Service Containers:** Use `network_mode: service:<base>` to share the identity and networking of the base container.
 - **Isolation:** Decoy traffic is strictly separated from the logging network.
 ## Key Commands
 ### Development & Maintenance
 - **Install (Dev):** 
    - `rm .venv -rf`
    - `python3 -m venv .venv`
    - `source .venv/bin/activate`
    - `pip install -e .`
 - **Run Tests:** `pytest` (Run before any commit)
 - **Linting:** `ruff check .`
 - **Security Scan:** `bandit -r decnet/`
 - **Web Git:** git.resacachile.cl (Gitea)
 ### CLI Usage
 - **List Services:** `decnet services`
 - **List Archetypes:** `decnet archetypes`
 - **Dry Run (Compose Gen):** `decnet deploy --deckies 3 --randomize-services --dry-run`
 - **Deploy (Full):** `sudo .venv/bin/decnet deploy --interface eth0 --deckies 5 --randomize-services`
 - **Status:** `decnet status`
 - **Teardown:** `sudo .venv/bin/decnet teardown --all`
 ## Development Conventions
 - **Code Style:** 
  - Strict adherence to Ruff/PEP8.
  - **Always use typed variables**. If any non-types variables are found, they must be corrected.
    - The correct way is `x: int = 1`, never `x : int = 1`.
    - If assignment is present, always use a space between the type and the equal sign `x: int = 1`.
  - **Never** use lowercase L (l), uppercase o (O) or uppercase i (i) in single-character names.
  - **Internal vars are to be declared with an underscore** (_internal_variable_name).
  - **Internal to internal vars are to be declared with double underscore** (__internal_variable_name).
  - Always use snake_case for code.
  - Always use PascalCase for classes and generics.
 - **Testing:** New features MUST include a `pytest` case. 100% test pass rate is mandatory before merging.
 - **Plugin System:**
  - New services go in `decnet/services/<name>.py`.
  - Subclass `decnet.services.base.BaseService`.
  - The registry uses auto-discovery; no manual registration required.
 - **Configuration:**
  - Use Pydantic models in `decnet/config.py` for any new settings.
  - INI file parsing is handled in `decnet/ini_loader.py`.
 - **State Management:**
  - Runtime state is persisted in `decnet-state.json`.
  - Do not modify this file manually.
 - **General Development Guidelines**:
  - **Never** commit broken code.
  - **No matter how small** the changes, they must be committed.
  - **If new features are addedd** new tests must be added, too.
  - **Never present broken code to the user**. Test, validate, then present.
  - **Extensive testing** for every function must be created.
  - **Always develop in the `dev` branch, never in `main`.**
  - **Test in the `testing` branch.**
 ## Directory Structure
 - `decnet/`: Main source code.
  - `services/`: Honeypot service implementations.
  - `logging/`: Syslog formatting and forwarding logic.
  - `correlation/`: (In Progress) Logic for grouping attacker events.
 - `templates/`: Dockerfiles and entrypoint scripts for services.
 - `tests/`: Pytest suite.
 - `pyproject.toml`: Dependency and entry point definitions.
 - `CLAUDE.md`: Claude-specific environment guidance.
 - `DEVELOPMENT.md`: Roadmap and TODOs.
--- a/NOTES.md
+++ b/NOTES.md
@@ -1,113 +0,0 @@
 # Initial steps
 # Architecture
 ## DECNET-UNIHOST model
 The unihost model is a mode in which DECNET deploys an _n_ amount of machines from a single one. This execution model lives in a decoy network which is accessible to an attacker from the outside.
 Each decky (the son of the DECNET unihost) should have different services (RDP, SMB, SSH, FTP, etc) and all of them should communicate with an external, isolated network, which aggregates data and allows
 visualizations to be made. Think of the ELK stack. That data is then passed back via Logstash or other methods to a SIEM device or something else that may be beneficiated by this collected data.
 ## DECNET-MULTIHOST (SWARM) model
 The SWARM model is similar to the UNIHOST model, but the difference is that instead of one real machine, we have n>1 machines. Same thought process really, but deployment may be different.
 A low cost option and fairly automatable one is the usage of Ansible, sshpass, or other tools.
 # Modus operandi
 ## Docker-Compose
 I will use Docker Compose extensively for this project. The reasons are:
 - Easily managed.
 - Easily extensible.
 - Less overhead.
 To be completely transparent: I asked Deepseek to write the initial `docker-compose.yml` file. It was mostly boilerplate, and most of it mainly modified or deleted. It doesn't exist anymore.
 ## Distro to use.
 I will be using the `debian:bookworm-slim` image for all the containers. I might think about mixing in there some Ubuntu or a Centos, but for now, Debian will do just fine.
 The distro I'm running is WSL Kali Linux. Let's hope this doesn't cause any problems down the road.
 ## Networking
 It was a hussle, but I think MACVLAN or IPVLAN (thanks @Deepseek!) might work. The reasoning behind picking this networking driver is that for the project to work, it requires having containers the entire container accessible from the network. This is to attempt to masquarede them as real, live machines.
 Now, we will need a publicly accesible, real server that has access to this "internal" network. I'll try MACVLAN first.
 ### MACVLAN Tests
 I will first use the default network to see what happens.
 ```
 docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 localnet
 ```
 #### Issues
 This initial test doesn't seem to be working. Might be that I'm using WSL, so I downloaded a Ubuntu 22.04 Server ISO. I'll try the MACVLAN network on it. Now, if that doesn't work, I don't see how the 802.1q would work, at least on _my network_. Perhaps if I had a switch I could make it work, but currently I don't have one :c
 ---
 # TODO
 ## Core / Hardening
 - [ ] **Attacker fingerprinting** — Beyond IP logging: capture TLS JA3/JA4 hashes, TCP window sizes, User-Agent strings, SSH client banners, and tool signatures (nmap, masscan, Metasploit, Cobalt Strike). Build attacker profiles across sessions.
 - [ ] **Canary tokens** — Embed canary URLs, fake AWS keys, fake API tokens, and honeydocs (PDF/DOCX with phone-home URLs) into decky filesystems. Fire an alert the moment one is used.
 - [ ] **Tarpit mode** — Slow down attackers by making services respond extremely slowly (e.g., SSH that takes 60s to reject, HTTP that drip-feeds bytes). Wastes attacker time and resources.
 - [ ] **Dynamic decky mutation** — Deckies that change their exposed services or OS fingerprint over time to confuse port-scan caching and appear more "alive."
 - [ ] **Credential harvesting DB** — Every username/password attempt across all services lands in a queryable database. Expose via CLI (`decnet creds`) and flag reuse across deckies.
 - [ ] **Session recording** — Full session capture for SSH/Telnet (keystroke logs, commands run, files downloaded). Cowrie already does this — surface it better in the CLI and correlation engine.
 - [ ] **Payload capture** — Store every file uploaded or command executed by an attacker. Hash and auto-submit to VirusTotal or a local sandbox.
 ## Detection & Intelligence
 - [ ] **Real-time alerting** — Webhook/Slack/Telegram notifications when an attacker hits a decky for the first time, crosses N deckies (lateral movement), or uses a known bad IP.
 - [ ] **Threat intel enrichment** — Auto-lookup attacker IPs against AbuseIPDB, Shodan, GreyNoise, and AlienVault OTX. Tag known scanners vs. targeted attackers.
 - [ ] **Attack campaign clustering** — Group attacker sessions by tooling signatures, timing patterns, and credential sets. Identify coordinated campaigns hitting multiple deckies.
 - [ ] **GeoIP mapping** — Attacker origin on a world map. Correlate with ASN data to identify cloud exit nodes, VPNs, and Tor exits.
 - [ ] **TTPs tagging** — Map observed attacker behaviors to MITRE ATT&CK techniques automatically. Tag events in the correlation engine.
 - [ ] **Honeypot interaction scoring** — Score attackers on a scale: casual scanner vs. persistent targeted attacker, based on depth of interaction and commands run.
 ## Dashboard & Visibility
 - [ ] **Web dashboard** — Real-time web UI showing live decky status, attacker activity, traversal graphs, and credential stats. Could be a simple FastAPI + HTMX or a full React app.
 - [ ] **Pre-built Kibana/Grafana dashboards** — Ship dashboard JSON exports out of the box so ELK/Grafana deployments are plug-and-play.
 - [ ] **CLI live feed** — `decnet watch` command: tail all decky logs in a unified, colored terminal stream (like `docker-compose logs -f` but prettier).
 - [ ] **Traversal graph export** — Export attacker traversal graphs as DOT/Graphviz or JSON for visualization in external tools.
 - [ ] **Daily digest** — Automated daily summary email/report: new attackers, top credentials tried, most-hit services.
 ## Deployment & Infrastructure
 - [ ] **SWARM / multihost mode** — Full Ansible-based orchestration for deploying deckies across N real hosts.
 - [ ] **Terraform/Pulumi provider** — Spin up cloud-hosted deckies on AWS/GCP/Azure with one command. Useful for internet-facing honeynets.
 - [ ] **Auto-scaling** — When attack traffic increases, automatically spawn more deckies to absorb and log more activity.
 - [ ] **Kubernetes deployment mode** — Run deckies as Kubernetes pods for environments already running k8s.
 - [ ] **Proxmox/libvirt backend** — Full VM-based deckies instead of containers, for even more realistic OS fingerprints and behavior. Docker for speed; VMs for realism.
 - [ ] **Raspberry Pi / ARM support** — Low-cost physical honeynets using RPis. Validate ARM image builds.
 - [ ] **Decky health monitoring** — Watchdog that auto-restarts crashed deckies and alerts if a service goes dark.
 ## Services & Realism
 - [ ] **HTTPS/TLS support** — HTTP honeypot with a self-signed or Let's Encrypt cert. Many real-world services use HTTPS; plain HTTP stands out.
 - [ ] **Fake Active Directory** — A convincing fake AD/LDAP with fake users, groups, and GPOs. Attacker tools like BloodHound should get juicy (fake) data.
 - [ ] **Fake file shares** — SMB/NFS shares pre-populated with enticing but fake files: "passwords.xlsx", "vpn_config.ovpn", "backup_keys.tar.gz". All instrumented to detect access.
 - [ ] **Realistic web apps** — HTTP honeypot serving convincing fake apps: a fake WordPress, a fake phpMyAdmin, a fake Grafana login — all logging every interaction.
 - [ ] **OT/ICS profiles** — Expand Conpot support: Modbus, DNP3, BACnet, EtherNet/IP. Convincing industrial control system decoys.
 - [ ] **Printer/IoT archetypes** — Expand existing printer/camera archetypes with actual service emulation (IPP, ONVIF, WS-Discovery).
 - [ ] **Service interaction depth** — Some services currently just log the connection. Deepen interaction: fake MySQL that accepts queries and returns realistic fake data, fake Redis that stores and retrieves dummy keys.
 ## Developer Experience
 - [ ] **Plugin SDK docs** — Full documentation and an example plugin for adding custom services. Lower the barrier for community contributions.
 - [ ] **Integration tests** — Full deploy/teardown cycle tests against a real Docker daemon (not just unit tests).
 - [ ] **Per-service tests** — Each of the 29 service implementations deserves its own test coverage.
 - [ ] **CI/CD pipeline** — GitHub/Gitea Actions: run tests on push, lint, build Docker images, publish releases.
 - [ ] **Config validation CLI** — `decnet validate my.ini` to dry-check an INI config before deploying.
 - [ ] **Config generator wizard** — `decnet wizard` interactive prompt to generate an INI config without writing one by hand.
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ From the outside a decky looks identical to a real machine: it has its own MAC a
 ## Installation
 ```bash
-git clone <repo-url> DECNET
+git clone https://git.resacachile.cl/anti/DECNET
 cd DECNET
 pip install -e .
 ```
@@ -207,6 +207,26 @@ sudo decnet deploy --deckies 4 --archetype windows-workstation
 [corp-workstations]
 archetype = windows-workstation
 amount    = 4
 [win-fileserver]
 services   = ftp
 nmap_os    = windows
 os_version = Windows Server 2019
 [dbsrv01]
 ip       = 192.168.1.112
 services = mysql, http
 nmap_os  = linux
 [dbsrv01.http]
 server_header = Apache/2.4.54 (Debian)
 response_code = 200
 fake_app      = wordpress
 [dbsrv01.mysql]
 mysql_version = 5.7.38-log
 mysql_banner  = MySQL Community Server
 ```
 ---
@@ -470,6 +490,30 @@ See [`test-full.ini`](test-full.ini) — covers all 25 services across 10 role-t
 ---
 ## Environment Configuration (.env)
 DECNET supports loading configuration from `.env.local` and `.env` files located in the project root. This is useful for securing secrets like the JWT key and configuring default ports without passing flags every time.
 An example `.env.example` is provided:
 ```ini
 # API Options
 DECNET_API_HOST=0.0.0.0
 DECNET_API_PORT=8000
 DECNET_JWT_SECRET=supersecretkey12345
 DECNET_INGEST_LOG_FILE=/var/log/decnet/decnet.log
 # Web Dashboard Options
 DECNET_WEB_HOST=0.0.0.0
 DECNET_WEB_PORT=8080
 DECNET_ADMIN_USER=admin
 DECNET_ADMIN_PASSWORD=admin
 ```
 Copy `.env.example` to `.env.local` and modify it to suit your environment.
 ---
 ## Logging
 All attacker interactions are forwarded off the decoy network to an isolated logging sink. The log pipeline lives on a separate internal Docker bridge (`decnet_logs`) that is not reachable from the fake LAN.
@@ -631,3 +675,9 @@ The test suite covers:
 | `test_cli_service_pool.py` | CLI service resolution |
 Every new feature requires passing tests before merging.
 # AI Disclosure
 This project has been made with lots, and I mean lots of help from AIs. While most of the design was made by me, most of the coding was done by AI models.
 Nevertheless, this project will be kept under high scrutiny by humans.
--- a/decnet.log
+++ b/decnet.log
@@ -1,159 +0,0 @@
 <134>1 2026-04-04T07:40:53.045660+00:00 decky-devops k8s - startup - Kubernetes API server starting as decky-devops
 <134>1 2026-04-04T07:40:53.058000+00:00 decky-devops docker_api - startup - Docker API server starting as decky-devops
 <134>1 2026-04-04T07:40:53.147349+00:00 decky-legacy vnc - startup - VNC server starting as decky-legacy
 <134>1 2026-04-04T07:40:53.224094+00:00 decky-fileserv tftp - startup - TFTP server starting as decky-fileserv
 <134>1 2026-04-04T07:40:53.231313+00:00 decky-fileserv ftp - startup - FTP server starting as decky-fileserv on port 21
 <134>1 2026-04-04T07:40:53.237175+00:00 decky-fileserv smb - startup - SMB server starting as decky-fileserv
 <134>1 2026-04-04T07:40:53.331998+00:00 decky-webmail imap - startup - IMAP server starting as decky-webmail
 <134>1 2026-04-04T07:40:53.441710+00:00 decky-webmail http - startup - HTTP server starting as decky-webmail
 <134>1 2026-04-04T07:40:53.482287+00:00 decky-webmail smtp - startup - SMTP server starting as decky-webmail
 <134>1 2026-04-04T07:40:53.487752+00:00 decky-webmail pop3 - startup - POP3 server starting as decky-webmail
 <134>1 2026-04-04T07:40:53.493478+00:00 decky-iot mqtt - startup - MQTT server starting as decky-iot
 <134>1 2026-04-04T07:40:53.519136+00:00 decky-iot snmp - startup - SNMP server starting as decky-iot
 <134>1 2026-04-04T07:40:53.586186+00:00 decky-voip sip - startup - SIP server starting as decky-voip
 <134>1 2026-04-04T07:40:53.734237+00:00 decky-dbsrv02 postgres - startup - PostgreSQL server starting as decky-dbsrv02
 <134>1 2026-04-04T07:40:53.746573+00:00 decky-voip llmnr - startup - LLMNR/mDNS server starting as decky-voip
 <134>1 2026-04-04T07:40:53.792767+00:00 decky-dbsrv02 elasticsearch - startup - Elasticsearch server starting as decky-dbsrv02
 <134>1 2026-04-04T07:40:53.817558+00:00 decky-dbsrv02 mongodb - startup - MongoDB server starting as decky-dbsrv02
 <134>1 2026-04-04T07:40:53.848912+00:00 decky-ldapdc ldap - startup - LDAP server starting as decky-ldapdc
 <134>1 2026-04-04T07:40:53.860378+00:00 decky-winbox rdp - startup - RDP server starting as decky-winbox on port 3389
 <134>1 2026-04-04T07:40:53.911084+00:00 decky-winbox mssql - startup - MSSQL server starting as decky-winbox
 <134>1 2026-04-04T07:40:53.978994+00:00 decky-winbox smb - startup - SMB server starting as decky-winbox
 <134>1 2026-04-04T07:41:07.439918+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="46462"]
 <134>1 2026-04-04T07:41:07.439922+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="54734"]
 <134>1 2026-04-04T07:41:07.439868+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="54606"]
 <134>1 2026-04-04T07:41:07.440333+00:00 decky-fileserv ftp - connection [decnet@55555 src_ip="192.168.1.5" src_port="39736"]
 <134>1 2026-04-04T07:41:07.442465+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:13.446744+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="GET / HTTP/1.0"]
 <134>1 2026-04-04T07:41:13.446743+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
 <134>1 2026-04-04T07:41:13.447251+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
 <134>1 2026-04-04T07:41:13.446995+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
 <134>1 2026-04-04T07:41:13.447556+00:00 decky-fileserv ftp - disconnect [decnet@55555 src_ip="192.168.1.5" src_port="39736"]
 <134>1 2026-04-04T07:41:18.451412+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:18.451529+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:18.451729+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="55996"]
 <134>1 2026-04-04T07:41:18.451746+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="36592"]
 <134>1 2026-04-04T07:41:18.451844+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="OPTIONS / HTTP/1.0"]
 <134>1 2026-04-04T07:41:18.451928+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
 <134>1 2026-04-04T07:41:23.456442+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:23.456408+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.734697+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="36604"]
 <134>1 2026-04-04T07:41:24.736542+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="36606"]
 <134>1 2026-04-04T07:41:24.737069+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="56204"]
 <134>1 2026-04-04T07:41:24.737449+00:00 decky-fileserv ftp - connection [decnet@55555 src_ip="192.168.1.5" src_port="48992"]
 <134>1 2026-04-04T07:41:24.737834+00:00 decky-fileserv ftp - connection [decnet@55555 src_ip="192.168.1.5" src_port="48994"]
 <134>1 2026-04-04T07:41:24.738282+00:00 decky-fileserv ftp - connection [decnet@55555 src_ip="192.168.1.5" src_port="49002"]
 <134>1 2026-04-04T07:41:24.738760+00:00 decky-fileserv ftp - connection [decnet@55555 src_ip="192.168.1.5" src_port="49004"]
 <134>1 2026-04-04T07:41:24.739240+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="36622"]
 <134>1 2026-04-04T07:41:24.741300+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="STLS"]
 <134>1 2026-04-04T07:41:24.741346+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="STLS"]
 <134>1 2026-04-04T07:41:24.741319+00:00 decky-webmail smtp - ehlo [decnet@55555 src="192.168.1.5" domain="nmap.scanme.org"]
 <134>1 2026-04-04T07:41:24.741391+00:00 decky-fileserv ftp - user [decnet@55555 username="anonymous"]
 <134>1 2026-04-04T07:41:24.741474+00:00 decky-fileserv ftp - user [decnet@55555 username="anonymous"]
 <134>1 2026-04-04T07:41:24.741374+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/nmaplowercheck1775288484" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.741566+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/.git/HEAD" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.741988+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.742327+00:00 decky-webmail http - request [decnet@55555 method="PROPFIND" path="/" remote_addr="192.168.1.5" headers="{'Depth': '0', 'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.742608+00:00 decky-webmail http - request [decnet@55555 method="POST" path="/" remote_addr="192.168.1.5" headers="{'Content-Length': '88', 'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Content-Type': 'application/x-www-form-urlencoded', 'Host': '192.168.1.110'}" body="<methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>"]
 <134>1 2026-04-04T07:41:24.742807+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.741701+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
 <134>1 2026-04-04T07:41:24.742699+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.742135+00:00 decky-webmail http - request [decnet@55555 method="POST" path="/sdk" remote_addr="192.168.1.5" headers="{'Content-Length': '441', 'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body="<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns=\"urn:internalvim25\"><_this xsi:type=\"ManagedObjectReference\" type=\"ServiceInstance\">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>"]
 <134>1 2026-04-04T07:41:24.742460+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'HEAD', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:24.745408+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.745793+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.745837+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="AUTH NTLM"]
 <134>1 2026-04-04T07:41:24.745797+00:00 decky-fileserv ftp - user [decnet@55555 username="anonymous"]
 <134>1 2026-04-04T07:41:24.745960+00:00 decky-fileserv ftp - auth_attempt [decnet@55555 username="anonymous" password="IEUser@"]
 <134>1 2026-04-04T07:41:24.745842+00:00 decky-webmail http - request [decnet@55555 method="FGDH" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.746083+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="56216"]
 <134>1 2026-04-04T07:41:24.746041+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="56008"]
 <134>1 2026-04-04T07:41:24.745961+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'GET', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:24.746514+00:00 decky-fileserv ftp - auth_attempt [decnet@55555 username="anonymous" password="IEUser@"]
 <134>1 2026-04-04T07:41:24.746245+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/NmapUpperCheck1775288484" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.746723+00:00 decky-fileserv ftp - disconnect [decnet@55555 src_ip="192.168.1.5" src_port="48994"]
 <134>1 2026-04-04T07:41:24.746073+00:00 decky-webmail http - request [decnet@55555 method="PROPFIND" path="/" remote_addr="192.168.1.5" headers="{'Content-Length': '0', 'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110', 'Depth': '1'}" body=""]
 <134>1 2026-04-04T07:41:24.795603+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA="]
 <134>1 2026-04-04T07:41:24.795629+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.795621+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="56016"]
 <134>1 2026-04-04T07:41:24.795604+00:00 decky-fileserv ftp - auth_attempt [decnet@55555 username="anonymous" password="IEUser@"]
 <134>1 2026-04-04T07:41:24.795738+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.795928+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/robots.txt" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.796118+00:00 decky-webmail http - request [decnet@55555 method="PROPFIND" path="/" remote_addr="192.168.1.5" headers="{'Depth': '0', 'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.845180+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="56226"]
 <134>1 2026-04-04T07:41:24.845355+00:00 decky-webmail smtp - ehlo [decnet@55555 src="192.168.1.5" domain="nmap.scanme.org"]
 <134>1 2026-04-04T07:41:24.845379+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'POST', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:24.894554+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.894871+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/Nmap/folder/check1775288484" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.895133+00:00 decky-webmail http - request [decnet@55555 method="POST" path="/" remote_addr="192.168.1.5" headers="{'Content-Length': '0', 'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:24.944224+00:00 decky-webmail smtp - ehlo [decnet@55555 src="192.168.1.5" domain="nmap.scanme.org"]
 <134>1 2026-04-04T07:41:24.944215+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="56032"]
 <134>1 2026-04-04T07:41:24.944346+00:00 decky-webmail smtp - unknown_command [decnet@55555 src="192.168.1.5" command="HELP"]
 <134>1 2026-04-04T07:41:24.994175+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:24.994238+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="56234"]
 <134>1 2026-04-04T07:41:24.994534+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'PUT', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:25.044450+00:00 decky-webmail smtp - auth_attempt [decnet@55555 src="192.168.1.5" command="AUTH NTLM"]
 <134>1 2026-04-04T07:41:25.044450+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="000b AUTHENTICATE NTLM"]
 <134>1 2026-04-04T07:41:25.044580+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:25.044674+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:25.093812+00:00 decky-webmail smtp - ehlo [decnet@55555 src="192.168.1.5" domain="nmap.scanme.org"]
 <134>1 2026-04-04T07:41:25.094022+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/favicon.ico" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Connection': 'close'}" body=""]
 <134>1 2026-04-04T07:41:25.142989+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="TlRMTVNTUAABAAAAB4IIoAAAAAAAAAAAAAAAAAAAAAA="]
 <134>1 2026-04-04T07:41:25.143126+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'DELETE', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:25.241565+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:25.241690+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:25.290930+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:25.291070+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'TRACE', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:25.438930+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'OPTIONS', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:25.586609+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'CONNECT', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:25.734144+00:00 decky-webmail http - request [decnet@55555 method="OPTIONS" path="/" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Origin': 'example.com', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Access-Control-Request-Method': 'PATCH', 'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:29.778527+00:00 decky-fileserv ftp - disconnect [decnet@55555 src_ip="192.168.1.5" src_port="49004"]
 <134>1 2026-04-04T07:41:31.976898+00:00 decky-fileserv ftp - disconnect [decnet@55555 src_ip="192.168.1.5" src_port="48992"]
 <134>1 2026-04-04T07:41:33.746244+00:00 decky-fileserv ftp - disconnect [decnet@55555 src_ip="192.168.1.5" src_port="49002"]
 <134>1 2026-04-04T07:41:33.747544+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="39972"]
 <134>1 2026-04-04T07:41:33.748339+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
 <134>1 2026-04-04T07:41:33.748742+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="39984"]
 <134>1 2026-04-04T07:41:33.748916+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="($<03>i<EFBFBD><69>jÁ{Bк<>F<EFBFBD><46><02><>(ri[;z	<09>s~_?<3F> <20>+Ō,7n/.<0F><><14>P<EFBFBD>PO<50><4F>3=<3D>\\<5C>0RS<19>r395/<2F>,<2C>0<00>̨̩̪<CCA8><CCAA><EFBFBD><EFBFBD><EFBFBD>\]<5D>a<EFBFBD>S<EFBFBD>+<2B>/<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\\<5C>`<60>R<EFBFBD>$"]
 <134>1 2026-04-04T07:41:33.748959+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<22><00><>	<09>E<00><><EFBFBD><EFBFBD>Q<00><><EFBFBD><EFBFBD>P=<00><<00><00>Ai<>"]
 <134>1 2026-04-04T07:41:33.748983+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<11><11><11>#
 (&				"]
 <134>1 2026-04-04T07:41:33.749009+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="+-3<04><04><11><04>aq<61>څv<DA85>+DS[\\<5C><><EFBFBD>c-'4R<34>(<28><>a<EFBFBD>J<08><>L<>2^7<><37>luѡ<75><D1A1>v<EFBFBD>^<05>g%Y<><59><EFBFBD><EFBFBD>Sx<53>r<EFBFBD>-jR<12><>C#b<><62><EFBFBD>r<EFBFBD><72>"]
 <134>1 2026-04-04T07:41:33.749035+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<22>i<EFBFBD><69><EFBFBD>TLػ<4C><13>A<EFBFBD>1<EFBFBD>s<EFBFBD><73>'"]
 <134>1 2026-04-04T07:41:33.749060+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<22>4,<2C><><0C>
 <EFBFBD>G<1B><>q<EFBFBD>B仠<42><01>K7O<37>Y<EFBFBD>rq<><71><EFBFBD>3VtzD<7A><44>̨"]
 <134>1 2026-04-04T07:41:33.749041+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110'}" body=""]
 <134>1 2026-04-04T07:41:33.749083+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="Ѓu<0F>Y<EFBFBD><59><EFBFBD><EFBFBD>-<2D>\"<22><>eSp*Zֹ	L<><4C>{	<09>#<23>:<3A><><EFBFBD><EFBFBD>9!ɂCm<43>I<EFBFBD>$ݦ1ϻo-H<><48><EFBFBD>*<2A><17>X<EFBFBD><58>{<7B><><EFBFBD><EFBFBD>p<EFBFBD>ޚ|W<><57>ƫf<16><>T<EFBFBD>%<25>F5<46>8<EFBFBD><38><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>WU<57>a<EFBFBD><61>c	><3E><>u\]<5D><>i~<7E>V<EFBFBD><56><EFBFBD>&<26>z"]
 <134>1 2026-04-04T07:41:33.749104+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<22>1<16>\\<5C><>Wc<57>C<EFBFBD><1B><>v˺<76>6z<36> <20><>0<EFBFBD>$iS<69>3'<27>8<<3C>"]
 <134>1 2026-04-04T07:41:33.749122+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<10><>2<EFBFBD><32>"]
 <134>1 2026-04-04T07:41:33.749138+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="<22><>\"/<2F><0B>E<08><><EFBFBD>tv!"]
 <134>1 2026-04-04T07:41:33.749160+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="񋞸<>)<29><>[j}<7D>`<60><>\\V|k<><6B>ԣy<D4A3>Y<EFBFBD><59>?<05>2<EFBFBD>`<17>w¬ܶ#<23>X}<7D><>[cg3<67>W8E<38>tl<74>y<<3C>Z<1B>ʇ<EFBFBD><CA87><EFBFBD>%dQBk9=+<2B><07>ȳ<EFBFBD><16><>(<28>y<EFBFBD><79><EFBFBD><EFBFBD>*[8<><38><EFBFBD>qyN`<60><><EFBFBD>5>j<><6A>	825<13>f<EFBFBD><66>2.	s\\dLar"]
 <134>1 2026-04-04T07:41:33.749238+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="39996"]
 <134>1 2026-04-04T07:41:33.749290+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="WSi<><69><EFBFBD>,g<>O<EFBFBD>(T<>YC<59><01>ѢO<D1A2>Ę<EFBFBD><16><><EFBFBD><EFBFBD>"]
 <134>1 2026-04-04T07:41:33.749328+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="/"]
 <134>1 2026-04-04T07:41:33.749369+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.749411+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.749441+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.749484+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="47822"]
 <134>1 2026-04-04T07:41:33.749708+00:00 decky-webmail smtp - ehlo [decnet@55555 src="192.168.1.5" domain="nmap.scanme.org"]
 <134>1 2026-04-04T07:41:33.749852+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.749936+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="47834"]
 <134>1 2026-04-04T07:41:33.750118+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="47846"]
 <134>1 2026-04-04T07:41:33.750202+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.750261+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.750423+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="48678"]
 <134>1 2026-04-04T07:41:33.750684+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="STLS"]
 <134>1 2026-04-04T07:41:33.750772+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.750852+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="48684"]
 <134>1 2026-04-04T07:41:33.750920+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="($h_\\n<>W<EFBFBD>f	6~<10><><EFBFBD>'U<><55>ԥ\"{<7B><><EFBFBD>jg<04> <20>*M<>$<24><><EFBFBD>at}5gq<67><71>)<29>X<7F>w<EFBFBD>7<EFBFBD><37>_<>r395/<2F>,<2C>0<00>̨̩̪<CCA8><CCAA><EFBFBD><EFBFBD><EFBFBD>\]<5D>a<EFBFBD>S<EFBFBD>+<2B>/<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\\<5C>`<60>R<EFBFBD>"]
 <134>1 2026-04-04T07:41:33.750964+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="<22><00><>	<09>E<00><><EFBFBD><EFBFBD>Q<00><><EFBFBD><EFBFBD>P=<00><<00><00>Ai<>"]
 <134>1 2026-04-04T07:41:33.750997+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="<11><11><11>#
 (&				"]
 <134>1 2026-04-04T07:41:33.751027+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="+-3<04><04><11><04><>pEt<45>\"g3<67>Ff`c<>FY4<59>2<EFBFBD>$3<>t<EFBFBD><74>Q<EFBFBD>QKR/ <20>+5<><35><EFBFBD><EFBFBD>q
 <EFBFBD>&<26>@<40><><EFBFBD><EFBFBD><07><><1F>B<EFBFBD><42>(?<3F>3<EFBFBD>R/
 <EFBFBD>3<EFBFBD>qr<EFBFBD>! <20>"]
 <134>1 2026-04-04T07:41:33.751096+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="48698"]
 <134>1 2026-04-04T07:41:33.751153+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="WSi<><69><EFBFBD>{<7B><><EFBFBD>5<EFBFBD><35>5т<01>R<EFBFBD><52>!<21>;jj
 <EFBFBD>7ވ<EFBFBD><EFBFBD> "]
 <134>1 2026-04-04T07:41:33.751197+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="/"]
 <134>1 2026-04-04T07:41:33.751245+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
 <134>1 2026-04-04T07:41:33.751285+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
--- a/decnet/cli.py
+++ b/decnet/cli.py
@@ -15,6 +15,13 @@ import typer
 from rich.console import Console
 from rich.table import Table
 from decnet.env import (
    DECNET_API_HOST,
    DECNET_API_PORT,
    DECNET_INGEST_LOG_FILE,
    DECNET_WEB_HOST,
    DECNET_WEB_PORT,
 )
 from decnet.archetypes import Archetype, all_archetypes, get_archetype
 from decnet.config import (
    DeckyConfig,
@@ -116,9 +123,12 @@ def _build_deckies_from_ini(
    gateway: str,
    host_ip: str,
    randomize: bool,
    cli_mutate_interval: int | None = None,
 ) -> list[DeckyConfig]:
    """Build DeckyConfig list from an IniConfig, auto-allocating missing IPs."""
    from ipaddress import IPv4Address, IPv4Network
    import time
    now = time.time()
    explicit_ips: set[IPv4Address] = {
        IPv4Address(s.ip) for s in ini.deckies if s.ip
@@ -139,11 +149,7 @@ def _build_deckies_from_ini(
        # Resolve archetype (if any) — explicit services/distro override it
        arch: Archetype | None = None
        if spec.archetype:
            try:
            arch = get_archetype(spec.archetype)
            except ValueError as e:
                console.print(f"[red]{e}[/]")
                raise typer.Exit(1)
        # Distro: archetype preferred list → random → global cycle
        distro_pool = arch.preferred_distros if arch else list(all_distros().keys())
@@ -152,19 +158,16 @@ def _build_deckies_from_ini(
        ip = spec.ip or next(auto_pool, None)
        if ip is None:
-            raise RuntimeError(
+            raise ValueError(f"Not enough free IPs in {subnet_cidr} while assigning IP for '{spec.name}'.")
                f"Not enough free IPs in {subnet_cidr} while assigning IP for '{spec.name}'."
            )
        if spec.services:
            known = set(_all_service_names())
            unknown = [s for s in spec.services if s not in known]
            if unknown:
-                console.print(
+                raise ValueError(
-                    f"[red]Unknown service(s) in [{spec.name}]: {unknown}. "
+                    f"Unknown service(s) in [{spec.name}]: {unknown}. "
-                    f"Available: {_all_service_names()}[/]"
+                    f"Available: {_all_service_names()}"
                )
                raise typer.Exit(1)
            svc_list = spec.services
        elif arch:
            svc_list = list(arch.services)
@@ -173,14 +176,19 @@ def _build_deckies_from_ini(
            count = random.randint(1, min(3, len(svc_pool)))
            svc_list = random.sample(svc_pool, count)
        else:
-            console.print(
+            raise ValueError(
-                f"[red]Decky '[{spec.name}]' has no services= in config. "
+                f"Decky '[{spec.name}]' has no services= in config. "
-                "Add services=, archetype=, or use --randomize-services.[/]"
+                "Add services=, archetype=, or use --randomize-services."
            )
            raise typer.Exit(1)
        # nmap_os priority: explicit INI key > archetype default > "linux"
        resolved_nmap_os = spec.nmap_os or (arch.nmap_os if arch else "linux")
        # mutation interval priority: CLI > per-decky INI > global INI
        decky_mutate_interval = cli_mutate_interval
        if decky_mutate_interval is None:
            decky_mutate_interval = spec.mutate_interval if spec.mutate_interval is not None else ini.mutate_interval
        deckies.append(DeckyConfig(
            name=spec.name,
            ip=ip,
@@ -192,10 +200,38 @@ def _build_deckies_from_ini(
            archetype=arch.slug if arch else None,
            service_config=spec.service_config,
            nmap_os=resolved_nmap_os,
            mutate_interval=decky_mutate_interval,
            last_mutated=now,
        ))
    return deckies
@app.command()
 def api(
    port: int = typer.Option(DECNET_API_PORT, "--port", help="Port for the backend API"),
    host: str = typer.Option(DECNET_API_HOST, "--host", help="Host IP for the backend API"),
    log_file: str = typer.Option(DECNET_INGEST_LOG_FILE, "--log-file", help="Path to the DECNET log file to monitor"),
 ) -> None:
    """Run the DECNET API and Web Dashboard in standalone mode."""
    import subprocess
    import sys
    import os
    console.print(f"[green]Starting DECNET API on {host}:{port}...[/]")
    _env: dict[str, str] = os.environ.copy()
    _env["DECNET_INGEST_LOG_FILE"] = str(log_file)
    try:
        subprocess.run(
            [sys.executable, "-m", "uvicorn", "decnet.web.api:app", "--host", host, "--port", str(port)],
            env=_env
        )
    except KeyboardInterrupt:
        pass
    except (FileNotFoundError, subprocess.SubprocessError):
        console.print("[red]Failed to start API. Ensure 'uvicorn' is installed in the current environment.[/]")
@app.command()
 def deploy(
    mode: str = typer.Option("unihost", "--mode", "-m", help="Deployment mode: unihost | swarm"),
@@ -208,14 +244,18 @@ def deploy(
    distro: Optional[str] = typer.Option(None, "--distro", help="Comma-separated distro slugs, e.g. debian,ubuntu22,rocky9"),
    randomize_distros: bool = typer.Option(False, "--randomize-distros", help="Assign a random distro to each decky"),
    log_target: Optional[str] = typer.Option(None, "--log-target", help="Forward logs to ip:port (e.g. 192.168.1.5:5140)"),
-    log_file: Optional[str] = typer.Option(None, "--log-file", help="Write RFC 5424 syslog to this path inside containers (e.g. /var/log/decnet/decnet.log)"),
+    log_file: Optional[str] = typer.Option(DECNET_INGEST_LOG_FILE, "--log-file", help="Write RFC 5424 syslog to this path inside containers (e.g. /var/log/decnet/decnet.log)"),
    archetype_name: Optional[str] = typer.Option(None, "--archetype", "-a", help="Machine archetype slug (e.g. linux-server, windows-workstation)"),
    mutate_interval: Optional[int] = typer.Option(30, "--mutate-interval", help="Automatically rotate services every N minutes"),
    dry_run: bool = typer.Option(False, "--dry-run", help="Generate compose file without starting containers"),
    no_cache: bool = typer.Option(False, "--no-cache", help="Force rebuild all images, ignoring Docker layer cache"),
    ipvlan: bool = typer.Option(False, "--ipvlan", help="Use IPvlan L2 instead of MACVLAN (required on WiFi interfaces)"),
    config_file: Optional[str] = typer.Option(None, "--config", "-c", help="Path to INI config file"),
    api: bool = typer.Option(False, "--api", help="Start the FastAPI backend to ingest and serve logs"),
    api_port: int = typer.Option(8000, "--api-port", help="Port for the backend API"),
 ) -> None:
    """Deploy deckies to the LAN."""
    import os
    if mode not in ("unihost", "swarm"):
        console.print("[red]--mode must be 'unihost' or 'swarm'[/]")
        raise typer.Exit(1)
@@ -260,9 +300,13 @@ def deploy(
        effective_log_target = log_target or ini.log_target
        effective_log_file = log_file
        try:
            decky_configs = _build_deckies_from_ini(
-            ini, subnet_cidr, effective_gateway, host_ip, randomize_services
+                ini, subnet_cidr, effective_gateway, host_ip, randomize_services, cli_mutate_interval=mutate_interval
            )
        except ValueError as e:
            console.print(f"[red]{e}[/]")
            raise typer.Exit(1)
    # ------------------------------------------------------------------ #
    # Classic CLI path                                                     #
    # ------------------------------------------------------------------ #
@@ -316,11 +360,16 @@ def deploy(
        decky_configs = _build_deckies(
            deckies, ips, services_list, randomize_services,
            distros_explicit=distros_list, randomize_distros=randomize_distros,
-            archetype=arch,
+            archetype=arch, mutate_interval=mutate_interval,
        )
        effective_log_target = log_target
        effective_log_file = log_file
    # Handle automatic log file for API
    if api and not effective_log_file:
        effective_log_file = os.path.join(os.getcwd(), "decnet.log")
        console.print(f"[cyan]API mode enabled: defaulting log-file to {effective_log_file}[/]")
    config = DecnetConfig(
        mode=mode,
        interface=iface,
@@ -330,6 +379,7 @@ def deploy(
        log_target=effective_log_target,
        log_file=effective_log_file,
        ipvlan=ipvlan,
        mutate_interval=mutate_interval,
    )
    if effective_log_target and not dry_run:
@@ -341,6 +391,57 @@ def deploy(
    from decnet.deployer import deploy as _deploy
    _deploy(config, dry_run=dry_run, no_cache=no_cache)
    if mutate_interval is not None and not dry_run:
        import subprocess
        import sys
        console.print(f"[green]Starting DECNET Mutator watcher in the background (interval: {mutate_interval}m)...[/]")
        try:
            subprocess.Popen(
                [sys.executable, "-m", "decnet.cli", "mutate", "--watch"],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.STDOUT
            )
        except (FileNotFoundError, subprocess.SubprocessError):
            console.print("[red]Failed to start mutator watcher.[/]")
    if api and not dry_run:
        import subprocess
        import sys
        console.print(f"[green]Starting DECNET API on port {api_port}...[/]")
        _env: dict[str, str] = os.environ.copy()
        _env["DECNET_INGEST_LOG_FILE"] = str(effective_log_file)
        try:
            subprocess.Popen(
                [sys.executable, "-m", "uvicorn", "decnet.web.api:app", "--host", "0.0.0.0", "--port", str(api_port)],
                env=_env,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.STDOUT
            )
            console.print(f"[dim]API running at http://0.0.0.0:{api_port}[/]")
        except (FileNotFoundError, subprocess.SubprocessError):
            console.print("[red]Failed to start API. Ensure 'uvicorn' is installed in the current environment.[/]")
@app.command()
 def mutate(
    watch: bool = typer.Option(False, "--watch", "-w", help="Run continuously and mutate deckies according to their interval"),
    decky_name: Optional[str] = typer.Option(None, "--decky", "-d", help="Force mutate a specific decky immediately"),
    force_all: bool = typer.Option(False, "--all", help="Force mutate all deckies immediately"),
 ) -> None:
    """Manually trigger or continuously watch for decky mutation."""
    from decnet.mutator import mutate_decky, mutate_all, run_watch_loop
    if watch:
        run_watch_loop()
        return
    if decky_name:
        mutate_decky(decky_name)
    elif force_all:
        mutate_all(force=True)
    else:
        mutate_all(force=False)
@app.command()
 def status() -> None:
@@ -459,3 +560,40 @@ def list_archetypes() -> None:
            arch.description,
        )
    console.print(table)
@app.command(name="web")
 def serve_web(
    web_port: int = typer.Option(DECNET_WEB_PORT, "--web-port", help="Port to serve the DECNET Web Dashboard"),
    host: str = typer.Option(DECNET_WEB_HOST, "--host", help="Host IP to serve the Web Dashboard"),
 ) -> None:
    """Serve the DECNET Web Dashboard frontend."""
    import http.server
    import socketserver
    from pathlib import Path
    # Assuming decnet_web/dist is relative to the project root
    dist_dir = Path(__file__).parent.parent / "decnet_web" / "dist"
    if not dist_dir.exists():
        console.print(f"[red]Frontend build not found at {dist_dir}. Make sure you run 'npm run build' inside 'decnet_web'.[/]")
        raise typer.Exit(1)
    class SPAHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            # Try to serve the requested file
            path = self.translate_path(self.path)
            if not Path(path).exists() or Path(path).is_dir():
                # If not found or is a directory, serve index.html (for React Router)
                self.path = "/index.html"
            return super().do_GET()
    import os
    os.chdir(dist_dir)
    with socketserver.TCPServer((host, web_port), SPAHTTPRequestHandler) as httpd:
        console.print(f"[green]Serving DECNET Web Dashboard on http://{host}:{web_port}[/]")
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            console.print("\n[dim]Shutting down dashboard server.[/]")
--- a/decnet/config.py
+++ b/decnet/config.py
@@ -11,7 +11,10 @@ from pydantic import BaseModel, field_validator
 from decnet.distros import random_hostname as _random_hostname
-STATE_FILE = Path("decnet-state.json")
+# Calculate absolute path to the project root (where the config file resides)
 _ROOT: Path = Path(__file__).parent.parent.absolute()
 STATE_FILE: Path = _ROOT / "decnet-state.json"
 DEFAULT_MUTATE_INTERVAL: int = 30  # default rotation interval in minutes
 def random_hostname(distro_slug: str = "debian") -> str:
@@ -29,6 +32,8 @@ class DeckyConfig(BaseModel):
    archetype: str | None = None  # archetype slug if spawned from an archetype profile
    service_config: dict[str, dict] = {}  # optional per-service persona config
    nmap_os: str = "linux"        # OS family for TCP/IP stack spoofing (see os_fingerprint.py)
    mutate_interval: int | None = None  # automatic rotation interval in minutes
    last_mutated: float = 0.0     # timestamp of last mutation
    @field_validator("services")
    @classmethod
@@ -47,6 +52,7 @@ class DecnetConfig(BaseModel):
    log_target: str | None = None  # "ip:port" or None
    log_file: str | None = None    # path for RFC 5424 syslog file output
    ipvlan: bool = False           # use IPvlan L2 instead of MACVLAN (WiFi-friendly)
    mutate_interval: int | None = DEFAULT_MUTATE_INTERVAL # global automatic rotation interval in minutes
    @field_validator("log_target")
    @classmethod
--- a/decnet/deployer.py
+++ b/decnet/deployer.py
@@ -131,6 +131,33 @@ def deploy(config: DecnetConfig, dry_run: bool = False, no_cache: bool = False)
    _print_status(config)
 def _kill_api() -> None:
    """Find and kill any running DECNET API (uvicorn) or mutator processes."""
    import psutil
    import signal
    import os
    _killed: bool = False
    for _proc in psutil.process_iter(['pid', 'name', 'cmdline']):
        try:
            _cmd = _proc.info['cmdline']
            if not _cmd:
                continue
            if "uvicorn" in _cmd and "decnet.web.api:app" in _cmd:
                console.print(f"[yellow]Stopping DECNET API (PID {_proc.info['pid']})...[/]")
                os.kill(_proc.info['pid'], signal.SIGTERM)
                _killed = True
            elif "decnet.cli" in _cmd and "mutate" in _cmd and "--watch" in _cmd:
                console.print(f"[yellow]Stopping DECNET Mutator Watcher (PID {_proc.info['pid']})...[/]")
                os.kill(_proc.info['pid'], signal.SIGTERM)
                _killed = True
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    if _killed:
        console.print("[green]Background processes stopped.[/]")
 def teardown(decky_id: str | None = None) -> None:
    state = load_state()
    if state is None:
@@ -159,6 +186,10 @@ def teardown(decky_id: str | None = None) -> None:
            teardown_host_macvlan(decky_range)
        remove_macvlan_network(client)
        clear_state()
        # Kill API when doing full teardown
        _kill_api()
        net_driver = "IPvlan" if config.ipvlan else "MACVLAN"
        console.print(f"[green]All deckies torn down. {net_driver} network removed.[/]")
--- a/decnet/env.py
+++ b/decnet/env.py
@@ -0,0 +1,22 @@
 import os
 from pathlib import Path
 from dotenv import load_dotenv
 # Calculate absolute path to the project root
 _ROOT: Path = Path(__file__).parent.parent.absolute()
 # Load .env.local first, then fallback to .env
 load_dotenv(_ROOT / ".env.local")
 load_dotenv(_ROOT / ".env")
 # API Options
 DECNET_API_HOST: str = os.environ.get("DECNET_API_HOST", "0.0.0.0")
 DECNET_API_PORT: int = int(os.environ.get("DECNET_API_PORT", "8000"))
 DECNET_JWT_SECRET: str = os.environ.get("DECNET_JWT_SECRET", "fallback-secret-key-change-me")
 DECNET_INGEST_LOG_FILE: str | None = os.environ.get("DECNET_INGEST_LOG_FILE", "/var/log/decnet/decnet.log")
 # Web Dashboard Options
 DECNET_WEB_HOST: str = os.environ.get("DECNET_WEB_HOST", "0.0.0.0")
 DECNET_WEB_PORT: int = int(os.environ.get("DECNET_WEB_PORT", "8080"))
 DECNET_ADMIN_USER: str = os.environ.get("DECNET_ADMIN_USER", "admin")
 DECNET_ADMIN_PASSWORD: str = os.environ.get("DECNET_ADMIN_PASSWORD", "admin")
--- a/decnet/ini_loader.py
+++ b/decnet/ini_loader.py
@@ -54,6 +54,7 @@ class DeckySpec:
    archetype: str | None = None
    service_config: dict[str, dict] = field(default_factory=dict)
    nmap_os: str | None = None     # explicit OS family override (linux/windows/bsd/embedded/cisco)
    mutate_interval: int | None = None
@dataclass
@@ -71,6 +72,7 @@ class IniConfig:
    gateway: str | None = None
    interface: str | None = None
    log_target: str | None = None
    mutate_interval: int | None = None
    deckies: list[DeckySpec] = field(default_factory=list)
    custom_services: list[CustomServiceSpec] = field(default_factory=list)
@@ -81,7 +83,33 @@ def load_ini(path: str | Path) -> IniConfig:
    read = cp.read(str(path))
    if not read:
        raise FileNotFoundError(f"Config file not found: {path}")
    return _parse_configparser(cp)
 def load_ini_from_string(content: str) -> IniConfig:
    """Parse a DECNET INI string and return an IniConfig."""
    validate_ini_string(content)
    cp = configparser.ConfigParser()
    cp.read_string(content)
    return _parse_configparser(cp)
 def validate_ini_string(content: str) -> None:
    """Perform safety and sanity checks on raw INI content string."""
    # 1. Size limit (e.g. 512KB)
    if len(content) > 512 * 1024:
        raise ValueError("INI content too large (max 512KB).")
    # 2. Ensure it's not empty
    if not content.strip():
        raise ValueError("INI content is empty.")
    # 3. Basic structure check (must contain at least one section header)
    if "[" not in content or "]" not in content:
        raise ValueError("Invalid INI format: no sections found.")
 def _parse_configparser(cp: configparser.ConfigParser) -> IniConfig:
    cfg = IniConfig()
    if cp.has_section("general"):
@@ -91,12 +119,23 @@ def load_ini(path: str | Path) -> IniConfig:
        cfg.interface = g.get("interface")
        cfg.log_target = g.get("log_target") or g.get("log-target")
    from decnet.services.registry import all_services
    known_services = set(all_services().keys())
    # First pass: collect decky sections and custom service definitions
    for section in cp.sections():
        if section == "general":
            continue
        # A service sub-section is identified if the section name has at least one dot
        # AND the last segment is a known service name.
        # e.g. "decky-01.ssh" -> sub-section
        # e.g. "decky.webmail" -> decky section (if "webmail" is not a service)
        if "." in section:
-            continue  # subsections handled in second pass
+            _, _, last_segment = section.rpartition(".")
            if last_segment in known_services:
                continue  # sub-section handled in second pass
        if section.startswith("custom-"):
            # Bring-your-own service definition
            s = cp[section]
@@ -115,17 +154,30 @@ def load_ini(path: str | Path) -> IniConfig:
        services = [sv.strip() for sv in svc_raw.split(",")] if svc_raw else None
        archetype = s.get("archetype")
        nmap_os = s.get("nmap_os") or s.get("nmap-os") or None
        mi_raw = s.get("mutate_interval") or s.get("mutate-interval")
        mutate_interval = None
        if mi_raw:
            try:
                mutate_interval = int(mi_raw)
            except ValueError:
                raise ValueError(f"[{section}] mutate_interval= must be an integer, got '{mi_raw}'")
        amount_raw = s.get("amount", "1")
        try:
            amount = int(amount_raw)
            if amount < 1:
                raise ValueError
-        except ValueError:
+            if amount > 100:
                raise ValueError(f"[{section}] amount={amount} exceeds maximum allowed (100).")
        except ValueError as e:
            if "exceeds maximum" in str(e):
                raise e
            raise ValueError(f"[{section}] amount= must be a positive integer, got '{amount_raw}'")
        if amount == 1:
            cfg.deckies.append(DeckySpec(
-                name=section, ip=ip, services=services, archetype=archetype, nmap_os=nmap_os,
+                name=section, ip=ip, services=services, archetype=archetype, nmap_os=nmap_os, mutate_interval=mutate_interval,
            ))
        else:
            # Expand into N deckies; explicit ip is ignored (can't share one IP)
@@ -141,6 +193,7 @@ def load_ini(path: str | Path) -> IniConfig:
                    services=services,
                    archetype=archetype,
                    nmap_os=nmap_os,
                    mutate_interval=mutate_interval,
                ))
    # Second pass: collect per-service subsections [decky-name.service]
@@ -149,7 +202,11 @@ def load_ini(path: str | Path) -> IniConfig:
    for section in cp.sections():
        if "." not in section:
            continue
-        decky_name, _, svc_name = section.partition(".")
+        
        decky_name, dot, svc_name = section.rpartition(".")
        if svc_name not in known_services:
            continue # not a service sub-section
        svc_cfg = {k: v for k, v in cp[section].items()}
        if decky_name in decky_map:
            # Direct match — single decky
--- a/decnet/mutator.py
+++ b/decnet/mutator.py
@@ -0,0 +1,152 @@
 """
 Mutation Engine for DECNET.
 Handles dynamic rotation of exposed honeypot services over time.
 """
 import random
 import subprocess
 import time
 from pathlib import Path
 from typing import Optional
 from rich.console import Console
 from decnet.archetypes import get_archetype
 from decnet.cli import _all_service_names
 from decnet.composer import write_compose
 from decnet.config import DeckyConfig, load_state, save_state
 from decnet.deployer import COMPOSE_FILE
 console = Console()
 def _compose_with_retry(
    *args: str,
    compose_file: Path = COMPOSE_FILE,
    retries: int = 3,
    delay: float = 5.0,
 ) -> None:
    """Run a docker compose command, retrying on transient failures."""
    last_exc: subprocess.CalledProcessError | None = None
    cmd = ["docker", "compose", "-f", str(compose_file), *args]
    for attempt in range(1, retries + 1):
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0:
            if result.stdout:
                print(result.stdout, end="")
            return
        last_exc = subprocess.CalledProcessError(
            result.returncode, cmd, result.stdout, result.stderr
        )
        if attempt < retries:
            time.sleep(delay)
            delay *= 2
    raise last_exc
 def mutate_decky(decky_name: str) -> bool:
    """
    Perform an Intra-Archetype Shuffle for a specific decky.
    Returns True if mutation succeeded, False otherwise.
    """
    state = load_state()
    if state is None:
        console.print("[red]No active deployment found (no decnet-state.json).[/]")
        return False
    config, compose_path = state
    decky: Optional[DeckyConfig] = next((d for d in config.deckies if d.name == decky_name), None)
    if not decky:
        console.print(f"[red]Decky '{decky_name}' not found in state.[/]")
        return False
    # Determine allowed services pool
    if decky.archetype:
        try:
            arch = get_archetype(decky.archetype)
            svc_pool = list(arch.services)
        except ValueError:
            svc_pool = _all_service_names()
    else:
        svc_pool = _all_service_names()
    if not svc_pool:
        console.print(f"[yellow]No services available for mutating '{decky_name}'.[/]")
        return False
    # Prevent mutating to the exact same set if possible
    current_services = set(decky.services)
    attempts = 0
    while True:
        count = random.randint(1, min(3, len(svc_pool)))
        chosen = set(random.sample(svc_pool, count))
        attempts += 1
        if chosen != current_services or attempts > 20:
            break
    decky.services = list(chosen)
    decky.last_mutated = time.time()
    # Save new state
    save_state(config, compose_path)
    # Regenerate compose file
    write_compose(config, compose_path)
    console.print(f"[cyan]Mutating '{decky_name}' to services: {', '.join(decky.services)}[/]")
    # Bring up the new services and remove old orphans
    try:
        _compose_with_retry("up", "-d", "--remove-orphans", compose_file=compose_path)
    except subprocess.CalledProcessError as e:
        console.print(f"[red]Failed to mutate '{decky_name}': {e.stderr}[/]")
        return False
    return True
 def mutate_all(force: bool = False) -> None:
    """
    Check all deckies and mutate those that are due.
    If force=True, mutates all deckies regardless of schedule.
    """
    state = load_state()
    if state is None:
        console.print("[red]No active deployment found.[/]")
        return
    config, _ = state
    now = time.time()
    mutated_count = 0
    for decky in config.deckies:
        interval_mins = decky.mutate_interval or config.mutate_interval
        if interval_mins is None and not force:
            continue
        if force:
            due = True
        else:
            elapsed_secs = now - decky.last_mutated
            due = elapsed_secs >= (interval_mins * 60)
        if due:
            success = mutate_decky(decky.name)
            if success:
                mutated_count += 1
            # Re-load state for next decky just in case, but mutate_decky saves it.
            # However, mutate_decky operates on its own loaded state.
            # Since mutate_decky loads and saves the state, our loop over `config.deckies`
            # has an outdated `last_mutated` if we don't reload. It's fine because we process one by one.
    if mutated_count == 0 and not force:
        console.print("[dim]No deckies are due for mutation.[/]")
 def run_watch_loop(poll_interval_secs: int = 10) -> None:
    """Run an infinite loop checking for deckies that need mutation."""
    console.print(f"[green]DECNET Mutator Watcher started (polling every {poll_interval_secs}s).[/]")
    try:
        while True:
            mutate_all(force=False)
            time.sleep(poll_interval_secs)
    except KeyboardInterrupt:
        console.print("\n[dim]Mutator watcher stopped.[/]")
--- a/decnet/web/api.py
+++ b/decnet/web/api.py
@@ -0,0 +1,344 @@
 import uuid
 from contextlib import asynccontextmanager
 from datetime import timedelta
 from typing import Any, AsyncGenerator, Optional
 import jwt
 from fastapi import Depends, FastAPI, HTTPException, Query, status, Request
 from fastapi.responses import StreamingResponse
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.security import OAuth2PasswordBearer
 from pydantic import BaseModel, Field
 from decnet.web.auth import (
    ACCESS_TOKEN_EXPIRE_MINUTES,
    ALGORITHM,
    SECRET_KEY,
    create_access_token,
    get_password_hash,
    verify_password,
 )
 from decnet.web.sqlite_repository import SQLiteRepository
 from decnet.web.ingester import log_ingestion_worker
 from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
 import asyncio
 repo: SQLiteRepository = SQLiteRepository()
 ingestion_task: Optional[asyncio.Task[Any]] = None
@asynccontextmanager
 async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
    global ingestion_task
    await repo.initialize()
    # Create default admin if no users exist
    _admin_user: Optional[dict[str, Any]] = await repo.get_user_by_username(DECNET_ADMIN_USER)
    if not _admin_user:
        await repo.create_user(
            {
                "uuid": str(uuid.uuid4()),
                "username": DECNET_ADMIN_USER,
                "password_hash": get_password_hash(DECNET_ADMIN_PASSWORD),
                "role": "admin",
                "must_change_password": True
            }
        )
    # Start background ingestion task
    ingestion_task = asyncio.create_task(log_ingestion_worker(repo))
    yield
    # Shutdown ingestion task
    if ingestion_task:
        ingestion_task.cancel()
 app: FastAPI = FastAPI(
    title="DECNET Web Dashboard API", 
    version="1.0.0", 
    lifespan=lifespan
 )
 app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
 )
 oauth2_scheme: OAuth2PasswordBearer = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
 async def get_current_user(request: Request) -> str:
    _credentials_exception: HTTPException = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    # Extract token from header or query param
    token: str | None = None
    auth_header = request.headers.get("Authorization")
    if auth_header and auth_header.startswith("Bearer "):
        token = auth_header.split(" ")[1]
    elif request.query_params.get("token"):
        token = request.query_params.get("token")
    if not token:
        raise _credentials_exception
    try:
        _payload: dict[str, Any] = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        _user_uuid: Optional[str] = _payload.get("uuid")
        if _user_uuid is None:
            raise _credentials_exception
        return _user_uuid
    except jwt.PyJWTError:
        raise _credentials_exception
 class Token(BaseModel):
    access_token: str
    token_type: str
    must_change_password: bool = False
 class LoginRequest(BaseModel):
    username: str
    password: str
 class ChangePasswordRequest(BaseModel):
    old_password: str
    new_password: str
 class LogsResponse(BaseModel):
    total: int
    limit: int
    offset: int
    data: list[dict[str, Any]]
@app.post("/api/v1/auth/login", response_model=Token)
 async def login(request: LoginRequest) -> dict[str, Any]:
    _user: Optional[dict[str, Any]] = await repo.get_user_by_username(request.username)
    if not _user or not verify_password(request.password, _user["password_hash"]):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    _access_token_expires: timedelta = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    # Token uses uuid instead of sub
    _access_token: str = create_access_token(
        data={"uuid": _user["uuid"]}, expires_delta=_access_token_expires
    )
    return {
        "access_token": _access_token, 
        "token_type": "bearer",
        "must_change_password": bool(_user.get("must_change_password", False))
    }
@app.post("/api/v1/auth/change-password")
 async def change_password(request: ChangePasswordRequest, current_user: str = Depends(get_current_user)) -> dict[str, str]:
    _user: Optional[dict[str, Any]] = await repo.get_user_by_uuid(current_user)
    if not _user or not verify_password(request.old_password, _user["password_hash"]):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect old password",
        )
    _new_hash: str = get_password_hash(request.new_password)
    await repo.update_user_password(current_user, _new_hash, must_change_password=False)
    return {"message": "Password updated successfully"}
@app.get("/api/v1/logs", response_model=LogsResponse)
 async def get_logs(
    limit: int = Query(50, ge=1, le=1000),
    offset: int = Query(0, ge=0),
    search: Optional[str] = None,
    current_user: str = Depends(get_current_user)
 ) -> dict[str, Any]:
    _logs: list[dict[str, Any]] = await repo.get_logs(limit=limit, offset=offset, search=search)
    _total: int = await repo.get_total_logs(search=search)
    return {
        "total": _total,
        "limit": limit,
        "offset": offset,
        "data": _logs
    }
 class StatsResponse(BaseModel):
    total_logs: int
    unique_attackers: int
    active_deckies: int
    deployed_deckies: int
@app.get("/api/v1/stats", response_model=StatsResponse)
 async def get_stats(current_user: str = Depends(get_current_user)) -> dict[str, Any]:
    return await repo.get_stats_summary()
@app.get("/api/v1/deckies")
 async def get_deckies(current_user: str = Depends(get_current_user)) -> list[dict[str, Any]]:
    return await repo.get_deckies()
 class MutateIntervalRequest(BaseModel):
    mutate_interval: int | None
@app.post("/api/v1/deckies/{decky_name}/mutate")
 async def api_mutate_decky(decky_name: str, current_user: str = Depends(get_current_user)) -> dict[str, str]:
    from decnet.mutator import mutate_decky
    success = mutate_decky(decky_name)
    if success:
        return {"message": f"Successfully mutated {decky_name}"}
    raise HTTPException(status_code=404, detail=f"Decky {decky_name} not found or failed to mutate")
@app.put("/api/v1/deckies/{decky_name}/mutate-interval")
 async def api_update_mutate_interval(decky_name: str, req: MutateIntervalRequest, current_user: str = Depends(get_current_user)) -> dict[str, str]:
    from decnet.config import load_state, save_state
    state = load_state()
    if not state:
        raise HTTPException(status_code=500, detail="No active deployment")
    config, compose_path = state
    decky = next((d for d in config.deckies if d.name == decky_name), None)
    if not decky:
        raise HTTPException(status_code=404, detail="Decky not found")
    decky.mutate_interval = req.mutate_interval
    save_state(config, compose_path)
    return {"message": "Mutation interval updated"}
@app.get("/api/v1/stream")
 async def stream_events(
    request: Request, 
    last_event_id: int = Query(0, alias="lastEventId"), 
    search: Optional[str] = None,
    current_user: str = Depends(get_current_user)
 ) -> StreamingResponse:
    import json
    import asyncio
    async def event_generator() -> AsyncGenerator[str, None]:
        # Start tracking from the provided ID, or current max if 0
        last_id = last_event_id
        if last_id == 0:
            last_id = await repo.get_max_log_id()
        stats_interval_sec = 10
        loops_since_stats = 0
        while True:
            if await request.is_disconnected():
                break
            # Poll for new logs
            new_logs = await repo.get_logs_after_id(last_id, limit=50, search=search)
            if new_logs:
                # Update last_id to the max id in the fetched batch
                last_id = max(log["id"] for log in new_logs)
                payload = json.dumps({"type": "logs", "data": new_logs})
                yield f"event: message\ndata: {payload}\n\n"
                # If we have new logs, stats probably changed, so force a stats update
                loops_since_stats = stats_interval_sec
            # Periodically poll for stats
            if loops_since_stats >= stats_interval_sec:
                stats = await repo.get_stats_summary()
                payload = json.dumps({"type": "stats", "data": stats})
                yield f"event: message\ndata: {payload}\n\n"
                loops_since_stats = 0
            loops_since_stats += 1
            await asyncio.sleep(1)
    return StreamingResponse(event_generator(), media_type="text/event-stream")
 class DeployIniRequest(BaseModel):
    ini_content: str = Field(..., min_length=5, max_length=512 * 1024)
@app.post("/api/v1/deckies/deploy")
 async def api_deploy_deckies(req: DeployIniRequest, current_user: str = Depends(get_current_user)) -> dict[str, str]:
    from decnet.ini_loader import load_ini_from_string
    from decnet.cli import _build_deckies_from_ini
    from decnet.config import load_state, DecnetConfig, DEFAULT_MUTATE_INTERVAL
    from decnet.network import detect_interface, detect_subnet, get_host_ip
    from decnet.deployer import deploy as _deploy
    import logging
    import os
    try:
        ini = load_ini_from_string(req.ini_content)
    except Exception as e:
        raise HTTPException(status_code=400, detail=f"Failed to parse INI: {e}")
    state = load_state()
    ingest_log_file = os.environ.get("DECNET_INGEST_LOG_FILE")
    if state:
        config, _ = state
        subnet_cidr = ini.subnet or config.subnet
        gateway = ini.gateway or config.gateway
        host_ip = get_host_ip(config.interface)
        randomize_services = False
        # Always sync config log_file with current API ingestion target
        if ingest_log_file:
            config.log_file = ingest_log_file
    else:
        # If no state exists, we need to infer network details
        iface = ini.interface or detect_interface()
        subnet_cidr, gateway = ini.subnet, ini.gateway
        if not subnet_cidr or not gateway:
            detected_subnet, detected_gateway = detect_subnet(iface)
            subnet_cidr = subnet_cidr or detected_subnet
            gateway = gateway or detected_gateway
        host_ip = get_host_ip(iface)
        randomize_services = False
        config = DecnetConfig(
            mode="unihost",
            interface=iface,
            subnet=subnet_cidr,
            gateway=gateway,
            deckies=[],
            log_target=ini.log_target,
            log_file=ingest_log_file,
            ipvlan=False,
            mutate_interval=ini.mutate_interval or DEFAULT_MUTATE_INTERVAL
        )
    try:
        new_decky_configs = _build_deckies_from_ini(
            ini, subnet_cidr, gateway, host_ip, randomize_services, cli_mutate_interval=None
        )
    except ValueError as e:
        raise HTTPException(status_code=400, detail=str(e))
    # Merge deckies
    existing_deckies_map = {d.name: d for d in config.deckies}
    for new_decky in new_decky_configs:
        existing_deckies_map[new_decky.name] = new_decky
    config.deckies = list(existing_deckies_map.values())
    # We call deploy(config) which regenerates docker-compose and runs `up -d --remove-orphans`.
    try:
        _deploy(config)
    except Exception as e:
        logging.getLogger("decnet.web.api").error(f"Deployment failed: {e}")
        raise HTTPException(status_code=500, detail=f"Deployment failed: {e}")
    return {"message": "Deckies deployed successfully"}
--- a/decnet/web/auth.py
+++ b/decnet/web/auth.py
@@ -0,0 +1,38 @@
 from datetime import datetime, timedelta, timezone
 from typing import Optional, Any
 import jwt
 import bcrypt
 from decnet.env import DECNET_JWT_SECRET
 SECRET_KEY: str = DECNET_JWT_SECRET
 ALGORITHM: str = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES: int = 1440
 def verify_password(plain_password: str, hashed_password: str) -> bool:
    return bcrypt.checkpw(
        plain_password.encode("utf-8"), 
        hashed_password.encode("utf-8")
    )
 def get_password_hash(password: str) -> str:
    # Use a cost factor of 12 (default for passlib/bcrypt)
    _salt: bytes = bcrypt.gensalt(rounds=12)
    _hashed: bytes = bcrypt.hashpw(password.encode("utf-8"), _salt)
    return _hashed.decode("utf-8")
 def create_access_token(data: dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
    _to_encode: dict[str, Any] = data.copy()
    _expire: datetime
    if expires_delta:
        _expire = datetime.now(timezone.utc) + expires_delta
    else:
        _expire = datetime.now(timezone.utc) + timedelta(minutes=15)
    _to_encode.update({"exp": _expire})
    _to_encode.update({"iat": datetime.now(timezone.utc)})
    _encoded_jwt: str = jwt.encode(_to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return _encoded_jwt
--- a/decnet/web/ingester.py
+++ b/decnet/web/ingester.py
@@ -0,0 +1,68 @@
 import asyncio
 import os
 import logging
 import json
 from typing import Any
 from pathlib import Path
 from decnet.web.repository import BaseRepository
 logger: logging.Logger = logging.getLogger("decnet.web.ingester")
 async def log_ingestion_worker(repo: BaseRepository) -> None:
    """
    Background task that tails the DECNET_INGEST_LOG_FILE.json and
    inserts structured JSON logs into the SQLite repository.
    """
    _base_log_file: str | None = os.environ.get("DECNET_INGEST_LOG_FILE")
    if not _base_log_file:
        logger.warning("DECNET_INGEST_LOG_FILE not set. Log ingestion disabled.")
        return
    _json_log_path: Path = Path(_base_log_file).with_suffix(".json")
    _position: int = 0
    logger.info(f"Starting JSON log ingestion from {_json_log_path}")
    while True:
        try:
            if not _json_log_path.exists():
                await asyncio.sleep(2)
                continue
            _stat: os.stat_result = _json_log_path.stat()
            if _stat.st_size < _position:
                # File rotated or truncated
                _position = 0
            if _stat.st_size == _position:
                # No new data
                await asyncio.sleep(1)
                continue
            with open(_json_log_path, "r", encoding="utf-8", errors="replace") as _f:
                _f.seek(_position)
                while True:
                    _line: str = _f.readline()
                    if not _line:
                        break # EOF reached
                    if not _line.endswith('\n'):
                        # Partial line read, don't process yet, don't advance position
                        break
                    try:
                        _log_data: dict[str, Any] = json.loads(_line.strip())
                        await repo.add_log(_log_data)
                    except json.JSONDecodeError:
                        logger.error(f"Failed to decode JSON log line: {_line}")
                        continue
                    # Update position after successful line read
                    _position = _f.tell()
        except Exception as _e:
            logger.error(f"Error in log ingestion worker: {_e}")
            await asyncio.sleep(5)
        await asyncio.sleep(1)
--- a/decnet/web/repository.py
+++ b/decnet/web/repository.py
@@ -0,0 +1,61 @@
 from abc import ABC, abstractmethod
 from typing import Any, Optional
 class BaseRepository(ABC):
    """Abstract base class for DECNET web dashboard data storage."""
    @abstractmethod
    async def initialize(self) -> None:
        """Initialize the database schema."""
        pass
    @abstractmethod
    async def add_log(self, log_data: dict[str, Any]) -> None:
        """Add a new log entry to the database."""
        pass
    @abstractmethod
    async def get_logs(
        self, 
        limit: int = 50, 
        offset: int = 0, 
        search: Optional[str] = None
    ) -> list[dict[str, Any]]:
        """Retrieve paginated log entries."""
        pass
    @abstractmethod
    async def get_total_logs(self, search: Optional[str] = None) -> int:
        """Retrieve the total count of logs, optionally filtered by search."""
        pass
    @abstractmethod
    async def get_stats_summary(self) -> dict[str, Any]:
        """Retrieve high-level dashboard metrics."""
        pass
    @abstractmethod
    async def get_deckies(self) -> list[dict[str, Any]]:
        """Retrieve the list of currently deployed deckies."""
        pass
    @abstractmethod
    async def get_user_by_username(self, username: str) -> Optional[dict[str, Any]]:
        """Retrieve a user by their username."""
        pass
    @abstractmethod
    async def get_user_by_uuid(self, uuid: str) -> Optional[dict[str, Any]]:
        """Retrieve a user by their UUID."""
        pass
    @abstractmethod
    async def create_user(self, user_data: dict[str, Any]) -> None:
        """Create a new dashboard user."""
        pass
    @abstractmethod
    async def update_user_password(self, uuid: str, password_hash: str, must_change_password: bool = False) -> None:
        """Update a user's password and change the must_change_password flag."""
        pass
--- a/decnet/web/sqlite_repository.py
+++ b/decnet/web/sqlite_repository.py
@@ -0,0 +1,222 @@
 import aiosqlite
 from typing import Any, Optional
 from decnet.web.repository import BaseRepository
 from decnet.config import load_state, _ROOT
 class SQLiteRepository(BaseRepository):
    """SQLite implementation of the DECNET web repository."""
    def __init__(self, db_path: str = str(_ROOT / "decnet.db")) -> None:
        self.db_path: str = db_path
    async def initialize(self) -> None:
        async with aiosqlite.connect(self.db_path) as _db:
            # Logs table
            await _db.execute("""
                CREATE TABLE IF NOT EXISTS logs (
                    id INTEGER PRIMARY KEY AUTOINCREMENT,
                    timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,
                    decky TEXT,
                    service TEXT,
                    event_type TEXT,
                    attacker_ip TEXT,
                    raw_line TEXT,
                    fields TEXT,
                    msg TEXT
                )
            """)
            try:
                await _db.execute("ALTER TABLE logs ADD COLUMN fields TEXT")
            except aiosqlite.OperationalError:
                pass
            try:
                await _db.execute("ALTER TABLE logs ADD COLUMN msg TEXT")
            except aiosqlite.OperationalError:
                pass
            # Users table (internal RBAC)
            await _db.execute("""
                CREATE TABLE IF NOT EXISTS users (
                    uuid TEXT PRIMARY KEY,
                    username TEXT UNIQUE,
                    password_hash TEXT,
                    role TEXT DEFAULT 'viewer',
                    must_change_password BOOLEAN DEFAULT 0
                )
            """)
            try:
                await _db.execute("ALTER TABLE users ADD COLUMN must_change_password BOOLEAN DEFAULT 0")
            except aiosqlite.OperationalError:
                pass  # Column already exists
            await _db.commit()
    async def add_log(self, log_data: dict[str, Any]) -> None:
        async with aiosqlite.connect(self.db_path) as _db:
            _timestamp: Any = log_data.get("timestamp")
            if _timestamp:
                await _db.execute(
                    "INSERT INTO logs (timestamp, decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                    (
                        _timestamp,
                        log_data.get("decky"),
                        log_data.get("service"),
                        log_data.get("event_type"),
                        log_data.get("attacker_ip"),
                        log_data.get("raw_line"),
                        log_data.get("fields"),
                        log_data.get("msg")
                    )
                )
            else:
                await _db.execute(
                    "INSERT INTO logs (decky, service, event_type, attacker_ip, raw_line, fields, msg) VALUES (?, ?, ?, ?, ?, ?, ?)",
                    (
                        log_data.get("decky"),
                        log_data.get("service"),
                        log_data.get("event_type"),
                        log_data.get("attacker_ip"),
                        log_data.get("raw_line"),
                        log_data.get("fields"),
                        log_data.get("msg")
                    )
                )
            await _db.commit()
    async def get_logs(
        self, 
        limit: int = 50, 
        offset: int = 0, 
        search: Optional[str] = None
    ) -> list[dict[str, Any]]:
        _query: str = "SELECT * FROM logs"
        _params: list[Any] = []
        if search:
            _query += " WHERE raw_line LIKE ? OR decky LIKE ? OR service LIKE ? OR attacker_ip LIKE ?"
            _like_val: str = f"%{search}%"
            _params.extend([_like_val, _like_val, _like_val, _like_val])
        _query += " ORDER BY timestamp DESC LIMIT ? OFFSET ?"
        _params.extend([limit, offset])
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute(_query, _params) as _cursor:
                _rows: list[aiosqlite.Row] = await _cursor.fetchall()
                return [dict(_row) for _row in _rows]
    async def get_max_log_id(self) -> int:
        _query: str = "SELECT MAX(id) as max_id FROM logs"
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute(_query) as _cursor:
                _row: aiosqlite.Row | None = await _cursor.fetchone()
                return _row["max_id"] if _row and _row["max_id"] is not None else 0
    async def get_logs_after_id(self, last_id: int, limit: int = 50, search: Optional[str] = None) -> list[dict[str, Any]]:
        _query: str = "SELECT * FROM logs WHERE id > ?"
        _params: list[Any] = [last_id]
        if search:
            _query += " AND (raw_line LIKE ? OR decky LIKE ? OR service LIKE ? OR attacker_ip LIKE ?)"
            _like_val: str = f"%{search}%"
            _params.extend([_like_val, _like_val, _like_val, _like_val])
        _query += " ORDER BY id ASC LIMIT ?"
        _params.append(limit)
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute(_query, _params) as _cursor:
                _rows: list[aiosqlite.Row] = await _cursor.fetchall()
                return [dict(_row) for _row in _rows]
    async def get_total_logs(self, search: Optional[str] = None) -> int:
        _query: str = "SELECT COUNT(*) as total FROM logs"
        _params: list[Any] = []
        if search:
            _query += " WHERE raw_line LIKE ? OR decky LIKE ? OR service LIKE ? OR attacker_ip LIKE ?"
            _like_val: str = f"%{search}%"
            _params.extend([_like_val, _like_val, _like_val, _like_val])
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute(_query, _params) as _cursor:
                _row: Optional[aiosqlite.Row] = await _cursor.fetchone()
                return _row["total"] if _row else 0
    async def get_stats_summary(self) -> dict[str, Any]:
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute("SELECT COUNT(*) as total_logs FROM logs") as _cursor:
                _row: Optional[aiosqlite.Row] = await _cursor.fetchone()
                _total_logs: int = _row["total_logs"] if _row else 0
            async with _db.execute("SELECT COUNT(DISTINCT attacker_ip) as unique_attackers FROM logs") as _cursor:
                _row = await _cursor.fetchone()
                _unique_attackers: int = _row["unique_attackers"] if _row else 0
            # Active deckies are those that HAVE interaction logs
            async with _db.execute("SELECT COUNT(DISTINCT decky) as active_deckies FROM logs") as _cursor:
                _row = await _cursor.fetchone()
                _active_deckies: int = _row["active_deckies"] if _row else 0
            # Deployed deckies are all those in the state file
            _state = load_state()
            _deployed_deckies: int = 0
            if _state:
                _deployed_deckies = len(_state[0].deckies)
            return {
                "total_logs": _total_logs,
                "unique_attackers": _unique_attackers,
                "active_deckies": _active_deckies,
                "deployed_deckies": _deployed_deckies
            }
    async def get_deckies(self) -> list[dict[str, Any]]:
        _state = load_state()
        if not _state:
            return []
        # We can also enrich this with interaction counts/last seen from DB
        _deckies: list[dict[str, Any]] = []
        for _d in _state[0].deckies:
            _deckies.append(_d.model_dump())
        return _deckies
    async def get_user_by_username(self, username: str) -> Optional[dict[str, Any]]:
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute("SELECT * FROM users WHERE username = ?", (username,)) as _cursor:
                _row: Optional[aiosqlite.Row] = await _cursor.fetchone()
                return dict(_row) if _row else None
    async def get_user_by_uuid(self, uuid: str) -> Optional[dict[str, Any]]:
        async with aiosqlite.connect(self.db_path) as _db:
            _db.row_factory = aiosqlite.Row
            async with _db.execute("SELECT * FROM users WHERE uuid = ?", (uuid,)) as _cursor:
                _row: Optional[aiosqlite.Row] = await _cursor.fetchone()
                return dict(_row) if _row else None
    async def create_user(self, user_data: dict[str, Any]) -> None:
        async with aiosqlite.connect(self.db_path) as _db:
            await _db.execute(
                "INSERT INTO users (uuid, username, password_hash, role, must_change_password) VALUES (?, ?, ?, ?, ?)",
                (
                    user_data["uuid"],
                    user_data["username"],
                    user_data["password_hash"],
                    user_data["role"],
                    user_data.get("must_change_password", False)
                )
            )
            await _db.commit()
    async def update_user_password(self, uuid: str, password_hash: str, must_change_password: bool = False) -> None:
        async with aiosqlite.connect(self.db_path) as _db:
            await _db.execute(
                "UPDATE users SET password_hash = ?, must_change_password = ? WHERE uuid = ?",
                (password_hash, must_change_password, uuid)
            )
            await _db.commit()
--- a/decnet_web/.gitignore
+++ b/decnet_web/.gitignore
@@ -0,0 +1,26 @@
 # Logs
 logs
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 lerna-debug.log*
 node_modules
 dist
 dist-ssr
 *.local
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json
 .idea
 .DS_Store
 *.suo
 *.ntvs*
 *.njsproj
 *.sln
 *.sw?
 .env
 .env.local
--- a/decnet_web/README.md
+++ b/decnet_web/README.md
@@ -0,0 +1,73 @@
 # React + TypeScript + Vite
 This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.
 Currently, two official plugins are available:
 - [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react) uses [Oxc](https://oxc.rs)
 - [@vitejs/plugin-react-swc](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react-swc) uses [SWC](https://swc.rs/)
 ## React Compiler
 The React Compiler is not enabled on this template because of its impact on dev & build performances. To add it, see [this documentation](https://react.dev/learn/react-compiler/installation).
 ## Expanding the ESLint configuration
 If you are developing a production application, we recommend updating the configuration to enable type-aware lint rules:
 ```js
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Remove tseslint.configs.recommended and replace with this
      tseslint.configs.recommendedTypeChecked,
      // Alternatively, use this for stricter rules
      tseslint.configs.strictTypeChecked,
      // Optionally, add this for stylistic rules
      tseslint.configs.stylisticTypeChecked,
      // Other configs...
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
 You can also install [eslint-plugin-react-x](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-x) and [eslint-plugin-react-dom](https://github.com/Rel1cx/eslint-react/tree/main/packages/plugins/eslint-plugin-react-dom) for React-specific lint rules:
 ```js
 // eslint.config.js
 import reactX from 'eslint-plugin-react-x'
 import reactDom from 'eslint-plugin-react-dom'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      // Other configs...
      // Enable lint rules for React
      reactX.configs['recommended-typescript'],
      // Enable lint rules for React DOM
      reactDom.configs.recommended,
    ],
    languageOptions: {
      parserOptions: {
        project: ['./tsconfig.node.json', './tsconfig.app.json'],
        tsconfigRootDir: import.meta.dirname,
      },
      // other options...
    },
  },
 ])
 ```
--- a/decnet_web/eslint.config.js
+++ b/decnet_web/eslint.config.js
@@ -0,0 +1,23 @@
 import js from '@eslint/js'
 import globals from 'globals'
 import reactHooks from 'eslint-plugin-react-hooks'
 import reactRefresh from 'eslint-plugin-react-refresh'
 import tseslint from 'typescript-eslint'
 import { defineConfig, globalIgnores } from 'eslint/config'
 export default defineConfig([
  globalIgnores(['dist']),
  {
    files: ['**/*.{ts,tsx}'],
    extends: [
      js.configs.recommended,
      tseslint.configs.recommended,
      reactHooks.configs.flat.recommended,
      reactRefresh.configs.vite,
    ],
    languageOptions: {
      ecmaVersion: 2020,
      globals: globals.browser,
    },
  },
 ])
--- a/decnet_web/index.html
+++ b/decnet_web/index.html
@@ -0,0 +1,13 @@
 <!doctype html>
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>decnet_web</title>
  </head>
  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
 </html>
--- a/decnet_web/package-lock.json
+++ b/decnet_web/package-lock.json
--- a/decnet_web/package.json
+++ b/decnet_web/package.json
@@ -0,0 +1,33 @@
 {
  "name": "decnet_web",
  "private": true,
  "version": "0.0.0",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "tsc -b && vite build",
    "lint": "eslint .",
    "preview": "vite preview"
  },
  "dependencies": {
    "axios": "^1.14.0",
    "lucide-react": "^1.7.0",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "react-router-dom": "^7.14.0"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.4",
    "@types/node": "^24.12.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^6.0.1",
    "eslint": "^9.39.4",
    "eslint-plugin-react-hooks": "^7.0.1",
    "eslint-plugin-react-refresh": "^0.5.2",
    "globals": "^17.4.0",
    "typescript": "~6.0.2",
    "typescript-eslint": "^8.58.0",
    "vite": "^8.0.4"
  }
 }
--- a/decnet_web/public/favicon.svg
+++ b/decnet_web/public/favicon.svg
--- a/decnet_web/public/icons.svg
+++ b/decnet_web/public/icons.svg
@@ -0,0 +1,24 @@
 <svg xmlns="http://www.w3.org/2000/svg">
  <symbol id="bluesky-icon" viewBox="0 0 16 17">
    <g clip-path="url(#bluesky-clip)"><path fill="#08060d" d="M7.75 7.735c-.693-1.348-2.58-3.86-4.334-5.097-1.68-1.187-2.32-.981-2.74-.79C.188 2.065.1 2.812.1 3.251s.241 3.602.398 4.13c.52 1.744 2.367 2.333 4.07 2.145-2.495.37-4.71 1.278-1.805 4.512 3.196 3.309 4.38-.71 4.987-2.746.608 2.036 1.307 5.91 4.93 2.746 2.72-2.746.747-4.143-1.747-4.512 1.702.189 3.55-.4 4.07-2.145.156-.528.397-3.691.397-4.13s-.088-1.186-.575-1.406c-.42-.19-1.06-.395-2.741.79-1.755 1.24-3.64 3.752-4.334 5.099"/></g>
    <defs><clipPath id="bluesky-clip"><path fill="#fff" d="M.1.85h15.3v15.3H.1z"/></clipPath></defs>
  </symbol>
  <symbol id="discord-icon" viewBox="0 0 20 19">
    <path fill="#08060d" d="M16.224 3.768a14.5 14.5 0 0 0-3.67-1.153c-.158.286-.343.67-.47.976a13.5 13.5 0 0 0-4.067 0c-.128-.306-.317-.69-.476-.976A14.4 14.4 0 0 0 3.868 3.77C1.546 7.28.916 10.703 1.231 14.077a14.7 14.7 0 0 0 4.5 2.306q.545-.748.965-1.587a9.5 9.5 0 0 1-1.518-.74q.191-.14.372-.293c2.927 1.369 6.107 1.369 8.999 0q.183.152.372.294-.723.437-1.52.74.418.838.963 1.588a14.6 14.6 0 0 0 4.504-2.308c.37-3.911-.63-7.302-2.644-10.309m-9.13 8.234c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.894 0 1.614.82 1.599 1.82.001 1-.705 1.82-1.6 1.82m5.91 0c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.893 0 1.614.82 1.599 1.82 0 1-.706 1.82-1.6 1.82"/>
  </symbol>
  <symbol id="documentation-icon" viewBox="0 0 21 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="m15.5 13.333 1.533 1.322c.645.555.967.833.967 1.178s-.322.623-.967 1.179L15.5 18.333m-3.333-5-1.534 1.322c-.644.555-.966.833-.966 1.178s.322.623.966 1.179l1.534 1.321"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M17.167 10.836v-4.32c0-1.41 0-2.117-.224-2.68-.359-.906-1.118-1.621-2.08-1.96-.599-.21-1.349-.21-2.848-.21-2.623 0-3.935 0-4.983.369-1.684.591-3.013 1.842-3.641 3.428C3 6.449 3 7.684 3 10.154v2.122c0 2.558 0 3.838.706 4.726q.306.383.713.671c.76.536 1.79.64 3.581.66"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M3 10a2.78 2.78 0 0 1 2.778-2.778c.555 0 1.209.097 1.748-.047.48-.129.854-.503.982-.982.145-.54.048-1.194.048-1.749a2.78 2.78 0 0 1 2.777-2.777"/>
  </symbol>
  <symbol id="github-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M9.356 1.85C5.05 1.85 1.57 5.356 1.57 9.694a7.84 7.84 0 0 0 5.324 7.44c.387.079.528-.168.528-.376 0-.182-.013-.805-.013-1.454-2.165.467-2.616-.935-2.616-.935-.349-.91-.864-1.143-.864-1.143-.71-.48.051-.48.051-.48.787.051 1.2.805 1.2.805.695 1.194 1.817.857 2.268.649.064-.507.27-.857.49-1.052-1.728-.182-3.545-.857-3.545-3.87 0-.857.31-1.558.8-2.104-.078-.195-.349-1 .077-2.078 0 0 .657-.208 2.14.805a7.5 7.5 0 0 1 1.946-.26c.657 0 1.328.092 1.946.26 1.483-1.013 2.14-.805 2.14-.805.426 1.078.155 1.883.078 2.078.502.546.799 1.247.799 2.104 0 3.013-1.818 3.675-3.558 3.87.284.247.528.714.528 1.454 0 1.052-.012 1.896-.012 2.156 0 .208.142.455.528.377a7.84 7.84 0 0 0 5.324-7.441c.013-4.338-3.48-7.844-7.773-7.844" clip-rule="evenodd"/>
  </symbol>
  <symbol id="social-icon" viewBox="0 0 20 20">
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M12.5 6.667a4.167 4.167 0 1 0-8.334 0 4.167 4.167 0 0 0 8.334 0"/>
    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M2.5 16.667a5.833 5.833 0 0 1 8.75-5.053m3.837.474.513 1.035c.07.144.257.282.414.309l.93.155c.596.1.736.536.307.965l-.723.73a.64.64 0 0 0-.152.531l.207.903c.164.715-.213.991-.84.618l-.872-.52a.63.63 0 0 0-.577 0l-.872.52c-.624.373-1.003.094-.84-.618l.207-.903a.64.64 0 0 0-.152-.532l-.723-.729c-.426-.43-.289-.864.306-.964l.93-.156a.64.64 0 0 0 .412-.31l.513-1.034c.28-.562.735-.562 1.012 0"/>
  </symbol>
  <symbol id="x-icon" viewBox="0 0 19 19">
    <path fill="#08060d" fill-rule="evenodd" d="M1.893 1.98c.052.072 1.245 1.769 2.653 3.77l2.892 4.114c.183.261.333.48.333.486s-.068.089-.152.183l-.522.593-.765.867-3.597 4.087c-.375.426-.734.834-.798.905a1 1 0 0 0-.118.148c0 .01.236.017.664.017h.663l.729-.83c.4-.457.796-.906.879-.999a692 692 0 0 0 1.794-2.038c.034-.037.301-.34.594-.675l.551-.624.345-.392a7 7 0 0 1 .34-.374c.006 0 .93 1.306 2.052 2.903l2.084 2.965.045.063h2.275c1.87 0 2.273-.003 2.266-.021-.008-.02-1.098-1.572-3.894-5.547-2.013-2.862-2.28-3.246-2.273-3.266.008-.019.282-.332 2.085-2.38l2-2.274 1.567-1.782c.022-.028-.016-.03-.65-.03h-.674l-.3.342a871 871 0 0 1-1.782 2.025c-.067.075-.405.458-.75.852a100 100 0 0 1-.803.91c-.148.172-.299.344-.99 1.127-.304.343-.32.358-.345.327-.015-.019-.904-1.282-1.976-2.808L6.365 1.85H1.8zm1.782.91 8.078 11.294c.772 1.08 1.413 1.973 1.425 1.984.016.017.241.02 1.05.017l1.03-.004-2.694-3.766L7.796 5.75 5.722 2.852l-1.039-.004-1.039-.004z" clip-rule="evenodd"/>
  </symbol>
 </svg>
--- a/decnet_web/src/App.css
+++ b/decnet_web/src/App.css
@@ -0,0 +1,184 @@
 .counter {
  font-size: 16px;
  padding: 5px 10px;
  border-radius: 5px;
  color: var(--accent);
  background: var(--accent-bg);
  border: 2px solid transparent;
  transition: border-color 0.3s;
  margin-bottom: 24px;
  &:hover {
    border-color: var(--accent-border);
  }
  &:focus-visible {
    outline: 2px solid var(--accent);
    outline-offset: 2px;
  }
 }
 .hero {
  position: relative;
  .base,
  .framework,
  .vite {
    inset-inline: 0;
    margin: 0 auto;
  }
  .base {
    width: 170px;
    position: relative;
    z-index: 0;
  }
  .framework,
  .vite {
    position: absolute;
  }
  .framework {
    z-index: 1;
    top: 34px;
    height: 28px;
    transform: perspective(2000px) rotateZ(300deg) rotateX(44deg) rotateY(39deg)
      scale(1.4);
  }
  .vite {
    z-index: 0;
    top: 107px;
    height: 26px;
    width: auto;
    transform: perspective(2000px) rotateZ(300deg) rotateX(40deg) rotateY(39deg)
      scale(0.8);
  }
 }
 #center {
  display: flex;
  flex-direction: column;
  gap: 25px;
  place-content: center;
  place-items: center;
  flex-grow: 1;
  @media (max-width: 1024px) {
    padding: 32px 20px 24px;
    gap: 18px;
  }
 }
 #next-steps {
  display: flex;
  border-top: 1px solid var(--border);
  text-align: left;
  & > div {
    flex: 1 1 0;
    padding: 32px;
    @media (max-width: 1024px) {
      padding: 24px 20px;
    }
  }
  .icon {
    margin-bottom: 16px;
    width: 22px;
    height: 22px;
  }
  @media (max-width: 1024px) {
    flex-direction: column;
    text-align: center;
  }
 }
 #docs {
  border-right: 1px solid var(--border);
  @media (max-width: 1024px) {
    border-right: none;
    border-bottom: 1px solid var(--border);
  }
 }
 #next-steps ul {
  list-style: none;
  padding: 0;
  display: flex;
  gap: 8px;
  margin: 32px 0 0;
  .logo {
    height: 18px;
  }
  a {
    color: var(--text-h);
    font-size: 16px;
    border-radius: 6px;
    background: var(--social-bg);
    display: flex;
    padding: 6px 12px;
    align-items: center;
    gap: 8px;
    text-decoration: none;
    transition: box-shadow 0.3s;
    &:hover {
      box-shadow: var(--shadow);
    }
    .button-icon {
      height: 18px;
      width: 18px;
    }
  }
  @media (max-width: 1024px) {
    margin-top: 20px;
    flex-wrap: wrap;
    justify-content: center;
    li {
      flex: 1 1 calc(50% - 8px);
    }
    a {
      width: 100%;
      justify-content: center;
      box-sizing: border-box;
    }
  }
 }
 #spacer {
  height: 88px;
  border-top: 1px solid var(--border);
  @media (max-width: 1024px) {
    height: 48px;
  }
 }
 .ticks {
  position: relative;
  width: 100%;
  &::before,
  &::after {
    content: '';
    position: absolute;
    top: -4.5px;
    border: 5px solid transparent;
  }
  &::before {
    left: 0;
    border-left-color: var(--border);
  }
  &::after {
    right: 0;
    border-right-color: var(--border);
  }
 }
--- a/decnet_web/src/App.tsx
+++ b/decnet_web/src/App.tsx
@@ -0,0 +1,55 @@
 import { useState, useEffect } from 'react';
 import { BrowserRouter as Router, Routes, Route, Navigate } from 'react-router-dom';
 import Login from './components/Login';
 import Layout from './components/Layout';
 import Dashboard from './components/Dashboard';
 import DeckyFleet from './components/DeckyFleet';
 import LiveLogs from './components/LiveLogs';
 import Attackers from './components/Attackers';
 import Config from './components/Config';
 function App() {
  const [token, setToken] = useState<string | null>(localStorage.getItem('token'));
  const [searchQuery, setSearchQuery] = useState('');
  useEffect(() => {
    const savedToken = localStorage.getItem('token');
    if (savedToken) {
      setToken(savedToken);
    }
  }, []);
  const handleLogin = (newToken: string) => {
    setToken(newToken);
  };
  const handleLogout = () => {
    localStorage.removeItem('token');
    setToken(null);
  };
  const handleSearch = (query: string) => {
    setSearchQuery(query);
  };
  if (!token) {
    return <Login onLogin={handleLogin} />;
  }
  return (
    <Router>
      <Layout onLogout={handleLogout} onSearch={handleSearch}>
        <Routes>
          <Route path="/" element={<Dashboard searchQuery={searchQuery} />} />
          <Route path="/fleet" element={<DeckyFleet />} />
          <Route path="/live-logs" element={<LiveLogs />} />
          <Route path="/attackers" element={<Attackers />} />
          <Route path="/config" element={<Config />} />
          <Route path="*" element={<Navigate to="/" replace />} />
        </Routes>
      </Layout>
    </Router>
  );
 }
 export default App;
--- a/decnet_web/src/assets/hero.png
+++ b/decnet_web/src/assets/hero.png
--- a/decnet_web/src/assets/react.svg
+++ b/decnet_web/src/assets/react.svg
@@ -0,0 +1 @@
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>
--- a/decnet_web/src/assets/vite.svg
+++ b/decnet_web/src/assets/vite.svg
--- a/decnet_web/src/components/Attackers.tsx
+++ b/decnet_web/src/components/Attackers.tsx
@@ -0,0 +1,20 @@
 import React from 'react';
 import { Activity } from 'lucide-react';
 import './Dashboard.css';
 const Attackers: React.FC = () => {
  return (
    <div className="logs-section">
      <div className="section-header">
        <Activity size={20} />
        <h2>ATTACKER PROFILES</h2>
      </div>
      <div style={{ padding: '40px', textAlign: 'center', opacity: 0.5 }}>
        <p>NO ACTIVE THREATS PROFILED YET.</p>
        <p style={{ marginTop: '10px', fontSize: '0.8rem' }}>(Attackers view placeholder)</p>
      </div>
    </div>
  );
 };
 export default Attackers;
--- a/decnet_web/src/components/Config.tsx
+++ b/decnet_web/src/components/Config.tsx
@@ -0,0 +1,20 @@
 import React from 'react';
 import { Settings } from 'lucide-react';
 import './Dashboard.css';
 const Config: React.FC = () => {
  return (
    <div className="logs-section">
      <div className="section-header">
        <Settings size={20} />
        <h2>SYSTEM CONFIGURATION</h2>
      </div>
      <div style={{ padding: '40px', textAlign: 'center', opacity: 0.5 }}>
        <p>CONFIGURATION READ-ONLY MODE ACTIVE.</p>
        <p style={{ marginTop: '10px', fontSize: '0.8rem' }}>(Config view placeholder)</p>
      </div>
    </div>
  );
 };
 export default Config;
--- a/decnet_web/src/components/Dashboard.css
+++ b/decnet_web/src/components/Dashboard.css
@@ -0,0 +1,129 @@
 .dashboard {
  display: flex;
  flex-direction: column;
  gap: 32px;
 }
 .stats-grid {
  display: grid;
  grid-template-columns: repeat(3, 1fr);
  gap: 24px;
 }
 .stat-card {
  background-color: var(--secondary-color);
  border: 1px solid var(--border-color);
  padding: 24px;
  display: flex;
  align-items: center;
  gap: 20px;
  transition: all 0.3s ease;
 }
 .stat-card:hover {
  border-color: var(--text-color);
  box-shadow: var(--matrix-green-glow);
  transform: translateY(-2px);
 }
 .stat-icon {
  color: var(--accent-color);
  filter: drop-shadow(var(--violet-glow));
 }
 .stat-content {
  display: flex;
  flex-direction: column;
 }
 .stat-label {
  font-size: 0.7rem;
  opacity: 0.6;
  letter-spacing: 1px;
 }
 .stat-value {
  font-size: 1.8rem;
  font-weight: bold;
 }
 .logs-section {
  background-color: var(--secondary-color);
  border: 1px solid var(--border-color);
  display: flex;
  flex-direction: column;
 }
 .section-header {
  padding: 16px 24px;
  border-bottom: 1px solid var(--border-color);
  display: flex;
  align-items: center;
  gap: 12px;
 }
 .section-header h2 {
  font-size: 0.9rem;
  letter-spacing: 2px;
 }
 .logs-table-container {
  overflow-x: auto;
 }
 .logs-table {
  width: 100%;
  border-collapse: collapse;
  font-size: 0.8rem;
  text-align: left;
 }
 .logs-table th {
  padding: 12px 24px;
  border-bottom: 1px solid var(--border-color);
  opacity: 0.5;
  font-weight: normal;
 }
 .logs-table td {
  padding: 12px 24px;
  border-bottom: 1px solid rgba(48, 54, 61, 0.5);
 }
 .logs-table tr:hover {
  background-color: rgba(0, 255, 65, 0.03);
 }
 .raw-line {
  max-width: 400px;
  overflow: hidden;
  text-overflow: ellipsis;
  white-space: nowrap;
 }
 .dim {
  opacity: 0.5;
 }
 .loader {
  display: flex;
  align-items: center;
  justify-content: center;
  height: 200px;
  letter-spacing: 4px;
  animation: pulse 1s infinite alternate;
 }
@keyframes pulse {
  from { opacity: 0.5; }
  to { opacity: 1; }
 }
 .spin {
  animation: spin 1.5s linear infinite;
 }
@keyframes spin {
  from { transform: rotate(0deg); }
  to { transform: rotate(360deg); }
 }
--- a/decnet_web/src/components/Dashboard.tsx
+++ b/decnet_web/src/components/Dashboard.tsx
@@ -0,0 +1,198 @@
 import React, { useEffect, useState } from 'react';
 import api from '../utils/api';
 import './Dashboard.css';
 import { Shield, Users, Activity, Clock } from 'lucide-react';
 interface Stats {
  total_logs: number;
  unique_attackers: number;
  active_deckies: number;
  deployed_deckies: number;
 }
 interface LogEntry {
  id: number;
  timestamp: string;
  decky: string;
  service: string;
  event_type: string | null;
  attacker_ip: string;
  raw_line: string;
  fields: string | null;
  msg: string | null;
 }
 interface DashboardProps {
  searchQuery: string;
 }
 const Dashboard: React.FC<DashboardProps> = ({ searchQuery }) => {
  const [stats, setStats] = useState<Stats | null>(null);
  const [logs, setLogs] = useState<LogEntry[]>([]);
  const [loading, setLoading] = useState(true);
  const fetchData = async () => {
    try {
      const [statsRes, logsRes] = await Promise.all([
        api.get('/stats'),
        api.get('/logs', { params: { limit: 50, search: searchQuery } })
      ]);
      setStats(statsRes.data);
      setLogs(logsRes.data.data);
    } catch (err) {
      console.error('Failed to fetch dashboard data', err);
    } finally {
      setLoading(false);
    }
  };
  useEffect(() => {
    // Initial fetch to populate UI immediately
    fetchData();
    // Setup SSE connection
    const token = localStorage.getItem('token');
    const baseUrl = import.meta.env.VITE_API_URL || 'http://localhost:8000/api/v1';
    let url = `${baseUrl}/stream?token=${token}`;
    if (searchQuery) {
      url += `&search=${encodeURIComponent(searchQuery)}`;
    }
    const eventSource = new EventSource(url);
    eventSource.onmessage = (event) => {
      try {
        const payload = JSON.parse(event.data);
        if (payload.type === 'logs') {
          setLogs(prev => {
            const newLogs = payload.data;
            // Prepend new logs, keep up to 100 in UI to prevent infinite DOM growth
            return [...newLogs, ...prev].slice(0, 100);
          });
        } else if (payload.type === 'stats') {
          setStats(payload.data);
        }
      } catch (err) {
        console.error('Failed to parse SSE payload', err);
      }
    };
    eventSource.onerror = (err) => {
      console.error('SSE connection error, attempting to reconnect...', err);
    };
    return () => {
      eventSource.close();
    };
  }, [searchQuery]);
  if (loading && !stats) return <div className="loader">INITIALIZING SENSORS...</div>;
  return (
    <div className="dashboard">
      <div className="stats-grid">
        <StatCard 
          icon={<Activity size={32} />} 
          label="TOTAL INTERACTIONS" 
          value={stats?.total_logs || 0} 
        />
        <StatCard 
          icon={<Users size={32} />} 
          label="UNIQUE ATTACKERS" 
          value={stats?.unique_attackers || 0} 
        />
        <StatCard 
          icon={<Shield size={32} />} 
          label="ACTIVE DECKIES" 
          value={`${stats?.active_deckies || 0} / ${stats?.deployed_deckies || 0}`} 
        />
      </div>
      <div className="logs-section">
        <div className="section-header">
          <Clock size={20} />
          <h2>LIVE INTERACTION LOG</h2>
        </div>
        <div className="logs-table-container">
          <table className="logs-table">
            <thead>
              <tr>
                <th>TIMESTAMP</th>
                <th>DECKY</th>
                <th>SERVICE</th>
                <th>ATTACKER IP</th>
                <th>EVENT</th>
              </tr>
            </thead>
            <tbody>
              {logs.length > 0 ? logs.map(log => {
                let parsedFields: Record<string, string> = {};
                if (log.fields) {
                  try {
                    parsedFields = JSON.parse(log.fields);
                  } catch (e) {
                    // Ignore parsing errors
                  }
                }
                return (
                  <tr key={log.id}>
                    <td className="dim">{new Date(log.timestamp).toLocaleString()}</td>
                    <td className="violet-accent">{log.decky}</td>
                    <td className="matrix-text">{log.service}</td>
                    <td>{log.attacker_ip}</td>
                    <td>
                      <div style={{ display: 'flex', flexDirection: 'column', gap: '8px' }}>
                        <div style={{ fontWeight: 'bold', color: 'var(--text-color)' }}>
                          {log.event_type} {log.msg && log.msg !== '-' && <span style={{ fontWeight: 'normal', opacity: 0.8 }}>— {log.msg}</span>}
                        </div>
                        {Object.keys(parsedFields).length > 0 && (
                          <div style={{ display: 'flex', gap: '8px', flexWrap: 'wrap' }}>
                            {Object.entries(parsedFields).map(([k, v]) => (
                              <span key={k} style={{ 
                                fontSize: '0.7rem', 
                                backgroundColor: 'rgba(0, 255, 65, 0.1)', 
                                padding: '2px 8px', 
                                borderRadius: '4px', 
                                border: '1px solid rgba(0, 255, 65, 0.3)',
                                wordBreak: 'break-all'
                              }}>
                                <span style={{ opacity: 0.6 }}>{k}:</span> {v}
                              </span>
                            ))}
                          </div>
                        )}
                      </div>
                    </td>
                  </tr>
                );
              }) : (
                <tr>
                  <td colSpan={5} style={{textAlign: 'center', padding: '40px'}}>NO INTERACTION DETECTED</td>
                </tr>
              )}
            </tbody>
          </table>
        </div>
      </div>
    </div>
  );
 };
 interface StatCardProps {
  icon: React.ReactNode;
  label: string;
  value: string | number;
 }
 const StatCard: React.FC<StatCardProps> = ({ icon, label, value }) => (
  <div className="stat-card">
    <div className="stat-icon">{icon}</div>
    <div className="stat-content">
      <span className="stat-label">{label}</span>
      <span className="stat-value">{value.toLocaleString()}</span>
    </div>
  </div>
 );
 export default Dashboard;
--- a/decnet_web/src/components/DeckyFleet.tsx
+++ b/decnet_web/src/components/DeckyFleet.tsx
@@ -0,0 +1,278 @@
 import React, { useEffect, useState } from 'react';
 import api from '../utils/api';
 import './Dashboard.css'; // Re-use common dashboard styles
 import { Server, Cpu, Globe, Database, Clock, RefreshCw, Upload } from 'lucide-react';
 interface Decky {
  name: string;
  ip: string;
  services: string[];
  distro: string;
  hostname: string;
  archetype: string | null;
  service_config: Record<string, Record<string, any>>;
  mutate_interval: number | null;
  last_mutated: number;
 }
 const DeckyFleet: React.FC = () => {
  const [deckies, setDeckies] = useState<Decky[]>([]);
  const [loading, setLoading] = useState(true);
  const [mutating, setMutating] = useState<string | null>(null);
  const [showDeploy, setShowDeploy] = useState(false);
  const [iniContent, setIniContent] = useState('');
  const [deploying, setDeploying] = useState(false);
  const fetchDeckies = async () => {
    try {
      const _res = await api.get('/deckies');
      setDeckies(_res.data);
    } catch (err) {
      console.error('Failed to fetch decky fleet', err);
    } finally {
      setLoading(false);
    }
  };
  const handleMutate = async (name: string) => {
    setMutating(name);
    try {
      await api.post(`/deckies/${name}/mutate`, {}, { timeout: 120000 });
      await fetchDeckies();
    } catch (err: any) {
      console.error('Failed to mutate', err);
      if (err.code === 'ECONNABORTED') {
        alert('Mutation is still running in the background but the UI timed out.');
      } else {
        alert('Mutation failed');
      }
    } finally {
      setMutating(null);
    }
  };
  const handleIntervalChange = async (name: string, current: number | null) => {
    const _val = prompt(`Enter new mutation interval in minutes for ${name} (leave empty to disable):`, current?.toString() || '');
    if (_val === null) return;
    const mutate_interval = _val.trim() === '' ? null : parseInt(_val);
    try {
      await api.put(`/deckies/${name}/mutate-interval`, { mutate_interval });
      fetchDeckies();
    } catch (err) {
      console.error('Failed to update interval', err);
      alert('Update failed');
    }
  };
  const handleDeploy = async () => {
    if (!iniContent.trim()) return;
    setDeploying(true);
    try {
      await api.post('/deckies/deploy', { ini_content: iniContent }, { timeout: 120000 });
      setIniContent('');
      setShowDeploy(false);
      fetchDeckies();
    } catch (err: any) {
      console.error('Deploy failed', err);
      alert(`Deploy failed: ${err.response?.data?.detail || err.message}`);
    } finally {
      setDeploying(false);
    }
  };
  const handleFileUpload = (e: React.ChangeEvent<HTMLInputElement>) => {
    const file = e.target.files?.[0];
    if (!file) return;
    const reader = new FileReader();
    reader.onload = (event) => {
      const content = event.target?.result as string;
      setIniContent(content);
    };
    reader.readAsText(file);
  };
  useEffect(() => {
    fetchDeckies();
    const _interval = setInterval(fetchDeckies, 10000); // Fleet state updates less frequently than logs
    return () => clearInterval(_interval);
  }, []);
  if (loading) return <div className="loader">SCANNING NETWORK FOR DECOYS...</div>;
  return (
    <div className="dashboard">
      <div className="section-header" style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', border: '1px solid var(--border-color)', backgroundColor: 'var(--secondary-color)', marginBottom: '24px' }}>
        <div style={{ display: 'flex', alignItems: 'center', gap: '12px' }}>
          <Server size={20} />
          <h2 style={{ margin: 0 }}>DECOY FLEET ASSET INVENTORY</h2>
        </div>
        <button 
          onClick={() => setShowDeploy(!showDeploy)}
          style={{ display: 'flex', alignItems: 'center', gap: '8px', border: '1px solid var(--accent-color)', color: 'var(--accent-color)' }}
        >
          + DEPLOY DECKIES
        </button>
      </div>
      {showDeploy && (
        <div style={{ marginBottom: '24px', padding: '24px', backgroundColor: 'var(--secondary-color)', border: '1px solid var(--accent-color)', display: 'flex', flexDirection: 'column', gap: '16px' }}>
          <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center' }}>
            <h3 style={{ fontSize: '1rem', color: 'var(--text-color)' }}>Deploy via INI Configuration</h3>
            <div>
              <input 
                type="file" 
                id="ini-upload" 
                accept=".ini" 
                onChange={handleFileUpload} 
                style={{ display: 'none' }} 
              />
              <label 
                htmlFor="ini-upload" 
                style={{ 
                  cursor: 'pointer', 
                  display: 'flex', 
                  alignItems: 'center', 
                  gap: '8px', 
                  fontSize: '0.8rem', 
                  color: 'var(--accent-color)',
                  border: '1px solid var(--accent-color)',
                  padding: '4px 12px'
                }}
              >
                <Upload size={14} /> UPLOAD FILE
              </label>
            </div>
          </div>
          <textarea 
            value={iniContent}
            onChange={(e) => setIniContent(e.target.value)}
            placeholder="[decky-01]&#10;archetype=linux-server&#10;services=ssh,http"
            style={{ width: '100%', height: '200px', backgroundColor: '#000', color: 'var(--text-color)', border: '1px solid var(--border-color)', padding: '12px', fontFamily: 'monospace' }}
          />
          <div style={{ display: 'flex', justifyContent: 'flex-end', gap: '12px' }}>
            <button onClick={() => setShowDeploy(false)} style={{ border: '1px solid var(--border-color)', color: 'var(--dim-color)' }}>CANCEL</button>
            <button onClick={handleDeploy} disabled={deploying} style={{ background: 'var(--accent-color)', color: '#000', border: 'none', display: 'flex', alignItems: 'center', gap: '8px' }}>
              {deploying && <RefreshCw size={14} className="spin" />}
              {deploying ? 'DEPLOYING...' : 'DEPLOY'}
            </button>
          </div>
        </div>
      )}
      <div className="deckies-grid" style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(350px, 1fr))', gap: '24px' }}>
        {deckies.length > 0 ? deckies.map(decky => (
          <div key={decky.name} className="stat-card" style={{ flexDirection: 'column', alignItems: 'flex-start', gap: '16px', padding: '24px' }}>
            <div style={{ width: '100%', display: 'flex', justifyContent: 'space-between', alignItems: 'center', borderBottom: '1px solid var(--border-color)', paddingBottom: '12px' }}>
              <span className="matrix-text" style={{ fontSize: '1.2rem', fontWeight: 'bold' }}>{decky.name}</span>
              <span className="dim" style={{ fontSize: '0.8rem', backgroundColor: 'rgba(0, 255, 65, 0.1)', padding: '2px 8px', borderRadius: '4px' }}>{decky.ip}</span>
            </div>
            <div style={{ display: 'flex', flexDirection: 'column', gap: '8px', width: '100%' }}>
              <div style={{ display: 'flex', alignItems: 'center', gap: '8px', fontSize: '0.85rem' }}>
                <Cpu size={14} className="dim" />
                <span className="dim">HOSTNAME:</span> {decky.hostname}
              </div>
              <div style={{ display: 'flex', alignItems: 'center', gap: '8px', fontSize: '0.85rem' }}>
                <Globe size={14} className="dim" />
                <span className="dim">DISTRO:</span> {decky.distro}
              </div>
              {decky.archetype && (
                <div style={{ display: 'flex', alignItems: 'center', gap: '8px', fontSize: '0.85rem' }}>
                  <Database size={14} className="dim" />
                  <span className="dim">ARCHETYPE:</span> <span style={{ color: 'var(--highlight-color)' }}>{decky.archetype}</span>
                </div>
              )}
              <div style={{ display: 'flex', alignItems: 'center', gap: '8px', fontSize: '0.85rem', marginTop: '8px' }}>
                <Clock size={14} className="dim" />
                <span className="dim">MUTATION:</span>
                <span 
                  style={{ color: 'var(--accent-color)', cursor: 'pointer', textDecoration: 'underline' }}
                  onClick={() => handleIntervalChange(decky.name, decky.mutate_interval)}
                >
                  {decky.mutate_interval ? `EVERY ${decky.mutate_interval}m` : 'DISABLED'}
                </span>
                <button 
                  onClick={() => handleMutate(decky.name)}
                  disabled={!!mutating}
                  style={{
                    background: 'transparent', border: '1px solid var(--accent-color)', 
                    color: 'var(--accent-color)', padding: '2px 8px', fontSize: '0.7rem', 
                    cursor: mutating ? 'not-allowed' : 'pointer', display: 'flex', alignItems: 'center', gap: '4px', marginLeft: 'auto',
                    opacity: mutating ? 0.5 : 1
                  }}
                >
                  <RefreshCw size={10} className={mutating === decky.name ? "spin" : ""} /> {mutating === decky.name ? 'MUTATING...' : 'FORCE'}
                </button>
              </div>
              {decky.last_mutated > 0 && (
                <div style={{ fontSize: '0.7rem', color: 'var(--dim-color)', fontStyle: 'italic', marginTop: '4px' }}>
                  Last mutated: {new Date(decky.last_mutated * 1000).toLocaleString()}
                </div>
              )}
            </div>
            <div style={{ width: '100%' }}>
              <div className="dim" style={{ fontSize: '0.7rem', marginBottom: '8px', letterSpacing: '1px' }}>EXPOSED SERVICES:</div>
              <div style={{ display: 'flex', flexWrap: 'wrap', gap: '8px' }}>
                {decky.services.map(svc => {
                  const _config = decky.service_config[svc];
                  return (
                    <div key={svc} className="service-tag-container" style={{ position: 'relative' }}>
                      <span className="service-tag" style={{ 
                        display: 'inline-block',
                        padding: '4px 10px',
                        fontSize: '0.75rem',
                        backgroundColor: 'var(--bg-color)',
                        border: '1px solid var(--accent-color)',
                        color: 'var(--accent-color)',
                        borderRadius: '2px',
                        cursor: 'help'
                      }}>
                        {svc}
                      </span>
                      {_config && Object.keys(_config).length > 0 && (
                        <div className="service-config-tooltip" style={{
                          display: 'none',
                          position: 'absolute',
                          bottom: '100%',
                          left: '0',
                          backgroundColor: 'rgba(10, 10, 10, 0.95)',
                          border: '1px solid var(--accent-color)',
                          padding: '12px',
                          zIndex: 100,
                          minWidth: '200px',
                          boxShadow: '0 0 15px rgba(0, 255, 65, 0.2)',
                          marginBottom: '8px'
                        }}>
                          {Object.entries(_config).map(([k, v]) => (
                            <div key={k} style={{ fontSize: '0.7rem', marginBottom: '4px' }}>
                              <span style={{ color: 'var(--highlight-color)', fontWeight: 'bold' }}>{k}:</span> 
                              <span style={{ marginLeft: '6px', opacity: 0.9 }}>{String(v)}</span>
                            </div>
                          ))}
                        </div>
                      )}
                    </div>
                  );
                })}
              </div>
            </div>
          </div>
        )) : (
          <div className="stat-card" style={{ gridColumn: '1 / -1', justifyContent: 'center', padding: '60px' }}>
            <span className="dim">NO DECOYS CURRENTLY DEPLOYED IN THIS SECTOR</span>
          </div>
        )}
      </div>
      <style dangerouslySetInnerHTML={{ __html: `
        .service-tag-container:hover .service-config-tooltip {
          display: block !important;
        }
      `}} />
    </div>
  );
 };
 export default DeckyFleet;
--- a/decnet_web/src/components/Layout.css
+++ b/decnet_web/src/components/Layout.css
@@ -0,0 +1,179 @@
 .layout-container {
  display: flex;
  height: 100vh;
  width: 100vw;
  background-color: var(--background-color);
 }
 /* Sidebar Styling */
 .sidebar {
  background-color: var(--secondary-color);
  border-right: 1px solid var(--border-color);
  height: 100%;
  display: flex;
  flex-direction: column;
  transition: width 0.3s cubic-bezier(0.4, 0, 0.2, 1);
  overflow: hidden;
  flex-shrink: 0;
 }
 .sidebar.open {
  width: 240px;
 }
 .sidebar.closed {
  width: 70px;
 }
 .sidebar-header {
  padding: 20px;
  display: flex;
  align-items: center;
  justify-content: space-between;
  border-bottom: 1px solid var(--border-color);
 }
 .logo-text {
  font-weight: bold;
  font-size: 1.2rem;
  margin-left: 10px;
  letter-spacing: 2px;
 }
 .toggle-btn {
  background: transparent;
  border: none;
  color: var(--text-color);
  padding: 0;
  display: flex;
  align-items: center;
  justify-content: center;
 }
 .toggle-btn:hover {
  box-shadow: none;
  color: var(--accent-color);
 }
 .sidebar-nav {
  flex-grow: 1;
  padding: 20px 0;
 }
 .nav-item {
  display: flex;
  align-items: center;
  padding: 12px 24px;
  cursor: pointer;
  transition: all 0.2s ease;
  color: var(--text-color);
  opacity: 0.7;
 }
 .nav-item:hover, .nav-item.active {
  background-color: rgba(0, 255, 65, 0.1);
  opacity: 1;
  color: var(--text-color);
  border-left: 3px solid var(--text-color);
 }
 .nav-label {
  margin-left: 12px;
  font-size: 0.9rem;
  white-space: nowrap;
 }
 .sidebar-footer {
  padding: 20px;
  border-top: 1px solid var(--border-color);
 }
 .logout-btn {
  display: flex;
  align-items: center;
  gap: 12px;
  width: 100%;
  padding: 10px;
  border: 1px solid transparent;
 }
 .logout-btn:hover {
  border: 1px solid var(--accent-color);
  color: var(--accent-color);
  background: transparent;
 }
 /* Main Content Area */
 .main-content {
  flex-grow: 1;
  display: flex;
  flex-direction: column;
  overflow: hidden;
  min-width: 0;
 }
 /* Topbar Styling */
 .topbar {
  height: 64px;
  border-bottom: 1px solid var(--border-color);
  display: flex;
  align-items: center;
  justify-content: space-between;
  padding: 0 32px;
  background-color: var(--background-color);
 }
 .search-container {
  display: flex;
  align-items: center;
  background-color: var(--secondary-color);
  border: 1px solid var(--border-color);
  padding: 4px 12px;
  max-width: 400px;
  width: 100%;
 }
 .search-icon {
  margin-right: 8px;
  opacity: 0.5;
 }
 .search-container input {
  background: transparent;
  border: none;
  width: 100%;
  padding: 4px;
 }
 .search-container input:focus {
  box-shadow: none;
 }
 .topbar-status {
  font-size: 0.8rem;
 }
 .neon-blink {
  animation: blink 2s infinite;
 }
@keyframes blink {
  0%, 100% { opacity: 1; text-shadow: var(--matrix-green-glow); }
  50% { opacity: 0.5; }
 }
 .violet-accent {
  color: var(--accent-color);
  filter: drop-shadow(var(--violet-glow));
 }
 .matrix-text {
  color: var(--text-color);
 }
 /* Viewport for dynamic content */
 .content-viewport {
  flex-grow: 1;
  padding: 32px;
  overflow-y: auto;
 }
--- a/decnet_web/src/components/Layout.tsx
+++ b/decnet_web/src/components/Layout.tsx
@@ -0,0 +1,90 @@
 import React, { useState } from 'react';
 import { NavLink } from 'react-router-dom';
 import { Menu, X, Search, Activity, LayoutDashboard, Terminal, Settings, LogOut, Server } from 'lucide-react';
 import './Layout.css';
 interface LayoutProps {
  children: React.ReactNode;
  onLogout: () => void;
  onSearch: (q: string) => void;
 }
 const Layout: React.FC<LayoutProps> = ({ children, onLogout, onSearch }) => {
  const [sidebarOpen, setSidebarOpen] = useState(true);
  const [search, setSearch] = useState('');
  const handleSearchSubmit = (e: React.FormEvent) => {
    e.preventDefault();
    onSearch(search);
  };
  return (
    <div className="layout-container">
      {/* Sidebar */}
      <aside className={`sidebar ${sidebarOpen ? 'open' : 'closed'}`}>
        <div className="sidebar-header">
          <Activity size={24} className="violet-accent" />
          {sidebarOpen && <span className="logo-text">DECNET</span>}
          <button className="toggle-btn" onClick={() => setSidebarOpen(!sidebarOpen)}>
            {sidebarOpen ? <X size={20} /> : <Menu size={20} />}
          </button>
        </div>
        <nav className="sidebar-nav">
          <NavItem to="/" icon={<LayoutDashboard size={20} />} label="Dashboard" open={sidebarOpen} />
          <NavItem to="/fleet" icon={<Server size={20} />} label="Decoy Fleet" open={sidebarOpen} />
          <NavItem to="/live-logs" icon={<Terminal size={20} />} label="Live Logs" open={sidebarOpen} />
          <NavItem to="/attackers" icon={<Activity size={20} />} label="Attackers" open={sidebarOpen} />
          <NavItem to="/config" icon={<Settings size={20} />} label="Config" open={sidebarOpen} />
        </nav>
        <div className="sidebar-footer">
          <button className="logout-btn" onClick={onLogout}>
            <LogOut size={20} />
            {sidebarOpen && <span>Logout</span>}
          </button>
        </div>
      </aside>
      {/* Main Content Area */}
      <main className="main-content">
        {/* Topbar */}
        <header className="topbar">
          <form onSubmit={handleSearchSubmit} className="search-container">
            <Search size={18} className="search-icon" />
            <input 
              type="text" 
              placeholder="Search logs, deckies, IPs..." 
              value={search}
              onChange={(e) => setSearch(e.target.value)}
            />
          </form>
          <div className="topbar-status">
             <span className="matrix-text neon-blink">SYSTEM: ACTIVE</span>
          </div>
        </header>
        {/* Dynamic Content */}
        <div className="content-viewport">
          {children}
        </div>
      </main>
    </div>
  );
 };
 interface NavItemProps {
  to: string;
  icon: React.ReactNode;
  label: string;
  open: boolean;
 }
 const NavItem: React.FC<NavItemProps> = ({ to, icon, label, open }) => (
  <NavLink to={to} className={({ isActive }) => `nav-item ${isActive ? 'active' : ''}`} end={to === '/'}>
    {icon}
    {open && <span className="nav-label">{label}</span>}
  </NavLink>
 );
 export default Layout;
--- a/decnet_web/src/components/LiveLogs.tsx
+++ b/decnet_web/src/components/LiveLogs.tsx
@@ -0,0 +1,20 @@
 import React from 'react';
 import { Terminal } from 'lucide-react';
 import './Dashboard.css';
 const LiveLogs: React.FC = () => {
  return (
    <div className="logs-section">
      <div className="section-header">
        <Terminal size={20} />
        <h2>FULL LIVE LOG STREAM</h2>
      </div>
      <div style={{ padding: '40px', textAlign: 'center', opacity: 0.5 }}>
        <p>STREAM ESTABLISHED. WAITING FOR INCOMING DATA...</p>
        <p style={{ marginTop: '10px', fontSize: '0.8rem' }}>(Dedicated Live Logs view placeholder)</p>
      </div>
    </div>
  );
 };
 export default LiveLogs;
--- a/decnet_web/src/components/Login.css
+++ b/decnet_web/src/components/Login.css
@@ -0,0 +1,90 @@
 .login-container {
  height: 100vh;
  width: 100vw;
  display: flex;
  align-items: center;
  justify-content: center;
  background-color: var(--background-color);
  background-image: 
    linear-gradient(rgba(0, 255, 65, 0.05) 1px, transparent 1px),
    linear-gradient(90deg, rgba(0, 255, 65, 0.05) 1px, transparent 1px);
  background-size: 20px 20px;
 }
 .login-box {
  width: 100%;
  max-width: 400px;
  background-color: var(--secondary-color);
  border: 1px solid var(--border-color);
  padding: 40px;
  box-shadow: 0 0 20px rgba(0, 0, 0, 0.5);
  display: flex;
  flex-direction: column;
  gap: 32px;
 }
 .login-header {
  text-align: center;
  display: flex;
  flex-direction: column;
  align-items: center;
  gap: 12px;
 }
 .login-header h1 {
  font-size: 2.5rem;
  letter-spacing: 10px;
  font-weight: bold;
 }
 .login-header p {
  font-size: 0.7rem;
  letter-spacing: 2px;
  opacity: 0.6;
 }
 .login-form {
  display: flex;
  flex-direction: column;
  gap: 24px;
 }
 .form-group {
  display: flex;
  flex-direction: column;
  gap: 8px;
 }
 .form-group label {
  font-size: 0.7rem;
  opacity: 0.8;
  letter-spacing: 1px;
 }
 .login-form input {
  width: 100%;
  background-color: rgba(0, 0, 0, 0.5);
 }
 .error-msg {
  color: #ff4141;
  font-size: 0.8rem;
  text-align: center;
  padding: 8px;
  border: 1px solid #ff4141;
  background-color: rgba(255, 65, 65, 0.1);
 }
 .login-form button {
  padding: 12px;
  margin-top: 8px;
  font-weight: bold;
  letter-spacing: 2px;
 }
 .login-footer {
  text-align: center;
  font-size: 0.6rem;
  opacity: 0.4;
  letter-spacing: 1px;
 }
--- a/decnet_web/src/components/Login.tsx
+++ b/decnet_web/src/components/Login.tsx
@@ -0,0 +1,154 @@
 import React, { useState } from 'react';
 import api from '../utils/api';
 import './Login.css';
 import { Activity } from 'lucide-react';
 interface LoginProps {
  onLogin: (token: string) => void;
 }
 const Login: React.FC<LoginProps> = ({ onLogin }) => {
  const [username, setUsername] = useState('');
  const [password, setPassword] = useState('');
  const [error, setError] = useState('');
  const [loading, setLoading] = useState(false);
  const [needsPasswordChange, setNeedsPasswordChange] = useState(false);
  const [newPassword, setNewPassword] = useState('');
  const [confirmPassword, setConfirmPassword] = useState('');
  const [tempToken, setTempToken] = useState('');
  const handleLoginSubmit = async (e: React.FormEvent) => {
    e.preventDefault();
    setLoading(true);
    setError('');
    try {
      const response = await api.post('/auth/login', { username, password });
      const { access_token, must_change_password } = response.data;
      if (must_change_password) {
        setTempToken(access_token);
        setNeedsPasswordChange(true);
      } else {
        localStorage.setItem('token', access_token);
        onLogin(access_token);
      }
    } catch (err: any) {
      setError(err.response?.data?.detail || 'Authentication failed');
    } finally {
      setLoading(false);
    }
  };
  const handleChangePasswordSubmit = async (e: React.FormEvent) => {
    e.preventDefault();
    if (newPassword !== confirmPassword) {
      setError('Passwords do not match');
      return;
    }
    setLoading(true);
    setError('');
    try {
      await api.post('/auth/change-password', 
        { old_password: password, new_password: newPassword },
        { headers: { Authorization: `Bearer ${tempToken}` } }
      );
      // Re-authenticate to get a fresh token with must_change_password=false
      const response = await api.post('/auth/login', { username, password: newPassword });
      const { access_token } = response.data;
      localStorage.setItem('token', access_token);
      onLogin(access_token);
    } catch (err: any) {
      setError(err.response?.data?.detail || 'Password change failed');
    } finally {
      setLoading(false);
    }
  };
  return (
    <div className="login-container">
      <div className="login-box">
        <div className="login-header">
          <Activity size={48} className="violet-accent neon-blink" />
          <h1>DECNET</h1>
          <p>AUTHORIZED PERSONNEL ONLY</p>
        </div>
        {!needsPasswordChange ? (
          <form onSubmit={handleLoginSubmit} className="login-form">
            <div className="form-group">
              <label>IDENTIFIER</label>
              <input 
                type="text" 
                value={username} 
                onChange={(e) => setUsername(e.target.value)} 
                required 
              />
            </div>
            <div className="form-group">
              <label>ACCESS KEY</label>
              <input 
                type="password" 
                value={password} 
                onChange={(e) => setPassword(e.target.value)} 
                required 
              />
            </div>
            {error && <div className="error-msg">{error}</div>}
            <button type="submit" disabled={loading}>
              {loading ? 'VERIFYING...' : 'ESTABLISH CONNECTION'}
            </button>
          </form>
        ) : (
          <form onSubmit={handleChangePasswordSubmit} className="login-form">
            <div className="form-group" style={{ textAlign: 'center', marginBottom: '10px' }}>
              <p className="violet-accent">MANDATORY SECURITY UPDATE</p>
              <p style={{ fontSize: '0.8rem', opacity: 0.7 }}>Please establish a new access key</p>
            </div>
            <div className="form-group">
              <label>NEW ACCESS KEY</label>
              <input 
                type="password" 
                value={newPassword} 
                onChange={(e) => setNewPassword(e.target.value)} 
                required 
                minLength={8}
              />
            </div>
            <div className="form-group">
              <label>CONFIRM KEY</label>
              <input 
                type="password" 
                value={confirmPassword} 
                onChange={(e) => setConfirmPassword(e.target.value)} 
                required 
                minLength={8}
              />
            </div>
            {error && <div className="error-msg">{error}</div>}
            <button type="submit" disabled={loading}>
              {loading ? 'UPDATING...' : 'UPDATE SECURE KEY'}
            </button>
          </form>
        )}
        <div className="login-footer">
          <span>SECURE PROTOCOL v1.0</span>
        </div>
      </div>
    </div>
  );
 };
 export default Login;
--- a/decnet_web/src/index.css
+++ b/decnet_web/src/index.css
@@ -0,0 +1,69 @@
 :root {
  --background-color: #000000;
  --text-color: #00ff41;
  --accent-color: #ee82ee;
  --secondary-color: #0d1117;
  --border-color: #30363d;
  --matrix-green-glow: 0 0 10px rgba(0, 255, 65, 0.5);
  --violet-glow: 0 0 10px rgba(238, 130, 238, 0.5);
 }
 * {
  box-sizing: border-box;
  margin: 0;
  padding: 0;
 }
 body {
  font-family: 'Courier New', Courier, monospace;
  background-color: var(--background-color);
  color: var(--text-color);
  line-height: 1.5;
  overflow-x: hidden;
 }
 button {
  cursor: pointer;
  background: transparent;
  border: 1px solid var(--text-color);
  color: var(--text-color);
  padding: 8px 16px;
  transition: all 0.3s ease;
 }
 button:hover {
  background: var(--text-color);
  color: var(--background-color);
  box-shadow: var(--matrix-green-glow);
 }
 input {
  background: #0d1117;
  border: 1px solid var(--border-color);
  color: var(--text-color);
  padding: 8px 12px;
 }
 input:focus {
  outline: none;
  border-color: var(--text-color);
  box-shadow: var(--matrix-green-glow);
 }
 /* Custom scrollbar */
 ::-webkit-scrollbar {
  width: 8px;
 }
 ::-webkit-scrollbar-track {
  background: var(--background-color);
 }
 ::-webkit-scrollbar-thumb {
  background: var(--secondary-color);
  border: 1px solid var(--border-color);
 }
 ::-webkit-scrollbar-thumb:hover {
  background: var(--border-color);
 }
--- a/decnet_web/src/main.tsx
+++ b/decnet_web/src/main.tsx
@@ -0,0 +1,10 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import './index.css'
 import App from './App.tsx'
 createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <App />
  </StrictMode>,
 )
--- a/decnet_web/src/utils/api.ts
+++ b/decnet_web/src/utils/api.ts
@@ -0,0 +1,15 @@
 import axios from 'axios';
 const api = axios.create({
  baseURL: import.meta.env.VITE_API_URL || 'http://localhost:8000/api/v1',
 });
 api.interceptors.request.use((config) => {
  const token = localStorage.getItem('token');
  if (token) {
    config.headers.Authorization = `Bearer ${token}`;
  }
  return config;
 });
 export default api;
--- a/decnet_web/tsconfig.app.json
+++ b/decnet_web/tsconfig.app.json
@@ -0,0 +1,25 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023", "DOM", "DOM.Iterable"],
    "module": "esnext",
    "types": ["vite/client"],
    "skipLibCheck": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    "jsx": "react-jsx",
    /* Linting */
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true
  },
  "include": ["src"]
 }
--- a/decnet_web/tsconfig.json
+++ b/decnet_web/tsconfig.json
@@ -0,0 +1,7 @@
 {
  "files": [],
  "references": [
    { "path": "./tsconfig.app.json" },
    { "path": "./tsconfig.node.json" }
  ]
 }
--- a/decnet_web/tsconfig.node.json
+++ b/decnet_web/tsconfig.node.json
@@ -0,0 +1,24 @@
 {
  "compilerOptions": {
    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
    "target": "es2023",
    "lib": ["ES2023"],
    "module": "esnext",
    "types": ["node"],
    "skipLibCheck": true,
    /* Bundler mode */
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "moduleDetection": "force",
    "noEmit": true,
    /* Linting */
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "erasableSyntaxOnly": true,
    "noFallthroughCasesInSwitch": true
  },
  "include": ["vite.config.ts"]
 }
--- a/decnet_web/vite.config.ts
+++ b/decnet_web/vite.config.ts
@@ -0,0 +1,7 @@
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 // https://vite.dev/config/
 export default defineConfig({
  plugins: [react()],
 })
--- a/deploy/decnet-api.service
+++ b/deploy/decnet-api.service
@@ -0,0 +1,29 @@
 [Unit]
 Description=DECNET API Service
 After=network.target docker.service
 Requires=docker.service
 [Service]
 Type=simple
 User=decnet
 Group=decnet
 WorkingDirectory=/path/to/DECNET
 # Ensure environment is loaded from the .env file
 EnvironmentFile=/path/to/DECNET/.env
 # Use the virtualenv python to run the decnet api command
 ExecStart=/path/to/DECNET/.venv/bin/decnet api
 # Capabilities required to manage MACVLAN interfaces and network links without root
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
 # Security Hardening
 NoNewPrivileges=yes
 ProtectSystem=full
 ProtectHome=read-only
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
--- a/deploy/decnet-web.service
+++ b/deploy/decnet-web.service
@@ -0,0 +1,30 @@
 [Unit]
 Description=DECNET Web Dashboard Service
 After=network.target decnet-api.service
 [Service]
 Type=simple
 User=decnet
 Group=decnet
 WorkingDirectory=/path/to/DECNET
 # Ensure environment is loaded from the .env file
 EnvironmentFile=/path/to/DECNET/.env
 # Use the virtualenv python to run the decnet web command
 ExecStart=/path/to/DECNET/.venv/bin/decnet web
 # The Web Dashboard service does not require network administration privileges.
 # Enable the following lines if you wish to bind the Dashboard to a privileged port (e.g., 80 or 443) 
 # while still running as a non-root user.
 # CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 # AmbientCapabilities=CAP_NET_BIND_SERVICE
 # Security Hardening
 NoNewPrivileges=yes
 ProtectSystem=full
 ProtectHome=read-only
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
--- a/development/DEVELOPMENT.md
+++ b/development/DEVELOPMENT.md
@@ -0,0 +1,50 @@
 # DECNET Development Roadmap
 ## Core / Hardening
 - [ ] **Attacker fingerprinting** — Capture TLS JA3/JA4 hashes, TCP window sizes, User-Agent strings, and SSH client banners.
 - [ ] **Canary tokens** — Embed fake AWS keys and honeydocs into decky filesystems.
 - [ ] **Tarpit mode** — Slow down attackers by drip-feeding bytes or delaying responses.
 - [x] **Dynamic decky mutation** — Rotate exposed services or OS fingerprints over time.
 - [ ] **Credential harvesting DB** — Centralized database for all username/password attempts.
 - [ ] **Session recording** — Full capture for SSH/Telnet sessions.
 - [ ] **Payload capture** — Store and hash files uploaded by attackers.
 ## Detection & Intelligence
 - [ ] **Real-time alerting** — Webhook/Slack/Telegram notifications for first-hits.
 - [ ] **Threat intel enrichment** — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise.
 - [ ] **Attack campaign clustering** — Group sessions by signatures and timing patterns.
 - [ ] **GeoIP mapping** — Visualize attacker origin and ASN data on a map.
 - [ ] **TTPs tagging** — Map observed behaviors to MITRE ATT&CK techniques.
 ## Dashboard & Visibility
 - [x] **Web dashboard** — Real-time React SPA + FastAPI backend for logs and fleet status.
 - [x] **Decky Inventory** — Dedicated "Decoy Fleet" page showing all deployed assets.
 - [ ] **Pre-built Kibana/Grafana dashboards** — Ship JSON exports for ELK/Grafana.
 - [ ] **CLI live feed** — `decnet watch` command for a unified, colored terminal stream.
 - [ ] **Traversal graph export** — Export attacker movement as DOT or JSON.
 ## Deployment & Infrastructure
 - [ ] **SWARM / multihost mode** — Ansible-based orchestration for multi-node deployments.
 - [ ] **Terraform/Pulumi provider** — Cloud-hosted decky deployment.
 - [ ] **Kubernetes deployment mode** — Run deckies as K8s pods.
 - [x] **Lifecycle Management** — Automatic API process termination on `teardown`.
 - [x] **Health monitoring** — Active vs. Deployed decky tracking in the dashboard.
 ## Services & Realism
 - [ ] **HTTPS/TLS support** — Honeypots with SSL certificates.
 - [ ] **Fake Active Directory** — Convincing AD/LDAP emulation.
 - [ ] **Realistic web apps** — Fake WordPress, Grafana, and phpMyAdmin templates.
 - [ ] **OT/ICS profiles** — Expanded Modbus, DNP3, and BACnet support.
 ## Developer Experience
 - [x] **API Fuzzing** — Property-based testing for all web endpoints.
 - [x] **CI/CD pipeline** — Automated testing and linting via Gitea Actions.
 - [x] **Strict Typing** — Project-wide enforcement of PEP 484 type hints.
 - [ ] **Plugin SDK docs** — Documentation for adding custom services.
 - [ ] **Config generator wizard** — `decnet wizard` for interactive setup.
--- a/development/EVENTS.md
+++ b/development/EVENTS.md
@@ -0,0 +1,190 @@
 # DECNET Honeypot Events
 This document details the events generated by each DECNET honeypot service, as found in their respective `server.py` files.
 ## Service: `docker_api`
 | Event Type | Included Fields |
 | --- | --- |
 | `request` | `method`, `path`, `remote_addr`, `body` |
 | `startup` | *None* |
 ## Service: `elasticsearch`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `post_request` | `src`, `method`, `path`, `body_preview`, `user_agent` |
 | `put_request` | `src`, `method`, `path`, `body_preview` |
 | `delete_request` | `src`, `method`, `path` |
 | `head_request` | `src`, `method`, `path` |
 | `root_probe` | `src`, `method`, `path` |
 | `cat_api` | `src`, `method`, `path` |
 | `cluster_recon` | `src`, `method`, `path` |
 | `nodes_recon` | `src`, `method`, `path` |
 | `security_probe` | `src`, `method`, `path` |
 | `request` | `src`, `method`, `path` |
 ## Service: `ftp`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connection` | `src_ip`, `src_port` |
 | `user` | `username` |
 | `auth_attempt` | `username`, `password` |
 | `download_attempt` | `path` |
 | `disconnect` | `src_ip`, `src_port` |
 ## Service: `http`
 | Event Type | Included Fields |
 | --- | --- |
 | `request` | `method`, `path`, `remote_addr`, `headers`, `body` |
 | `startup` | *None* |
 ## Service: `imap`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `auth` | `src`, `username`, `password` |
 | `command` | `src`, `cmd` |
 ## Service: `k8s`
 | Event Type | Included Fields |
 | --- | --- |
 | `request` | `method`, `path`, `remote_addr`, `auth`, `body` |
 | `startup` | *None* |
 ## Service: `ldap`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `bind` | `src`, `dn`, `password` |
 | `disconnect` | `src` |
 ## Service: `llmnr`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `query` | `proto`, `src`, `src_port`, `name`, `qtype` |
 | `raw_packet` | `proto`, `src`, `data`, `error` |
 ## Service: `mongodb`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `message` | `src`, `opcode`, `length` |
 | `disconnect` | `src` |
 ## Service: `mqtt`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `auth` | `src` |
 | `packet` | `src`, `pkt_type` |
 ## Service: `mssql`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `auth` | `src`, `username` |
 | `unknown_packet` | `src`, `pkt_type` |
 ## Service: `mysql`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `auth` | `src`, `username` |
 ## Service: `pop3`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `user` | `src`, `username` |
 | `auth` | `src`, `username`, `password` |
 | `command` | `src`, `cmd` |
 ## Service: `postgres`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `startup` | `src`, `username`, `database` |
 | `auth` | `src`, `pw_hash` |
 | `disconnect` | `src` |
 ## Service: `rdp`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connection` | `src_ip`, `src_port` |
 | `data` | `src_ip`, `src_port`, `bytes`, `hex` |
 | `disconnect` | `src_ip`, `src_port` |
 ## Service: `redis`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `command` | `src`, `cmd`, `args` |
 | `disconnect` | `src` |
 | `auth` | `src`, `password` |
 ## Service: `sip`
 | Event Type | Included Fields |
 | --- | --- |
 | `request` | `src`, `src_port`, `method`, `from_`, `to`, `username`, `auth` |
 | `startup` | *None* |
 ## Service: `smb`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `shutdown` | *None* |
 ## Service: `smtp`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `ehlo` | `src`, `domain` |
 | `auth_attempt` | `src`, `command` |
 | `mail_from` | `src`, `value` |
 | `rcpt_to` | `src`, `value` |
 | `vrfy` | `src`, `value` |
 | `unknown_command` | `src`, `command` |
 ## Service: `snmp`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `get_request` | `src`, `src_port`, `version`, `community`, `oids` |
 | `parse_error` | `src`, `error`, `data` |
 ## Service: `tftp`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `request` | `src`, `src_port`, `op`, `filename`, `mode` |
 | `unknown_opcode` | `src`, `opcode`, `data` |
 ## Service: `vnc`
 | Event Type | Included Fields |
 | --- | --- |
 | `startup` | *None* |
 | `connect` | `src`, `src_port` |
 | `disconnect` | `src` |
 | `version` | `src`, `client_version` |
 | `security_choice` | `src`, `type` |
 | `auth_response` | `src`, `response` |
--- a/development/NOTES.md
+++ b/development/NOTES.md
@@ -0,0 +1,57 @@
 # Initial steps
 # Architecture
 ## DECNET-UNIHOST model
 The unihost model is a mode in which DECNET deploys an _n_ amount of machines from a single one. This execution model lives in a decoy network which is accessible to an attacker from the outside.
 Each decky (the son of the DECNET unihost) should have different services (RDP, SMB, SSH, FTP, etc) and all of them should communicate with an external, isolated network, which aggregates data and allows
 visualizations to be made. Think of the ELK stack. That data is then passed back via Logstash or other methods to a SIEM device or something else that may be beneficiated by this collected data.
 ## DECNET-MULTIHOST (SWARM) model
 The SWARM model is similar to the UNIHOST model, but the difference is that instead of one real machine, we have n>1 machines. Same thought process really, but deployment may be different.
 A low cost option and fairly automatable one is the usage of Ansible, sshpass, or other tools.
 # Modus operandi
 ## Docker-Compose
 I will use Docker Compose extensively for this project. The reasons are:
 - Easily managed.
 - Easily extensible.
 - Less overhead.
 To be completely transparent: I asked Deepseek to write the initial `docker-compose.yml` file. It was mostly boilerplate, and most of it mainly modified or deleted. It doesn't exist anymore.
 ## Distro to use.
 I will be using the `debian:bookworm-slim` image for all the containers. I might think about mixing in there some Ubuntu or a Centos, but for now, Debian will do just fine.
 The distro I'm running is WSL Kali Linux. Let's hope this doesn't cause any problems down the road.
 ## Networking
 It was a hussle, but I think MACVLAN or IPVLAN (thanks @Deepseek!) might work. The reasoning behind picking this networking driver is that for the project to work, it requires having containers the entire container accessible from the network. This is to attempt to masquarede them as real, live machines.
 Now, we will need a publicly accesible, real server that has access to this "internal" network. I'll try MACVLAN first.
 ### MACVLAN Tests
 I will first use the default network to see what happens.
 ```
 docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 localnet
 ```
 #### Issues
 This initial test doesn't seem to be working. Might be that I'm using WSL, so I downloaded a Ubuntu 22.04 Server ISO. I'll try the MACVLAN network on it. Now, if that doesn't work, I don't see how the 802.1q would work, at least on _my network_. Perhaps if I had a switch I could make it work, but currently I don't have one :c
 ---
 # End of Notes
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,10 +13,23 @@ dependencies = [
    "docker>=7.0",
    "pyyaml>=6.0",
    "jinja2>=3.1",
    "fastapi>=0.110.0",
    "uvicorn>=0.29.0",
    "aiosqlite>=0.20.0",
    "PyJWT>=2.8.0",
    "bcrypt>=4.1.0",
    "psutil>=5.9.0",
    "python-dotenv>=1.0.0",
 ]
 [project.optional-dependencies]
 dev = [
    "pytest>=8.0",
    "ruff>=0.4",
    "bandit>=1.7",
    "pip-audit>=2.0",
    "httpx>=0.27.0",
    "hypothesis>=6.0",
 ]
 [project.scripts]
--- a/templates/decnet_logging.py
+++ b/templates/decnet_logging.py
@@ -103,10 +103,8 @@ def _get_file_logger() -> logging.Logger:
    log_path = Path(os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE))
    try:
        log_path.parent.mkdir(parents=True, exist_ok=True)
-        handler = logging.handlers.RotatingFileHandler(
+        handler = logging.FileHandler(
            log_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
@@ -120,10 +118,111 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.FileHandler(
            json_path,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/docker_api/decnet_logging.py
+++ b/templates/docker_api/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/elasticsearch/decnet_logging.py
+++ b/templates/elasticsearch/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/ftp/decnet_logging.py
+++ b/templates/ftp/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/http/decnet_logging.py
+++ b/templates/http/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/imap/decnet_logging.py
+++ b/templates/imap/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/k8s/decnet_logging.py
+++ b/templates/k8s/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/ldap/decnet_logging.py
+++ b/templates/ldap/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/llmnr/decnet_logging.py
+++ b/templates/llmnr/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/mongodb/decnet_logging.py
+++ b/templates/mongodb/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/mqtt/decnet_logging.py
+++ b/templates/mqtt/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/mssql/decnet_logging.py
+++ b/templates/mssql/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/mysql/decnet_logging.py
+++ b/templates/mysql/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/pop3/decnet_logging.py
+++ b/templates/pop3/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/postgres/decnet_logging.py
+++ b/templates/postgres/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/rdp/decnet_logging.py
+++ b/templates/rdp/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/redis/decnet_logging.py
+++ b/templates/redis/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/sip/decnet_logging.py
+++ b/templates/sip/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/smb/decnet_logging.py
+++ b/templates/smb/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/smtp/decnet_logging.py
+++ b/templates/smtp/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/snmp/decnet_logging.py
+++ b/templates/snmp/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/tftp/decnet_logging.py
+++ b/templates/tftp/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/templates/vnc/decnet_logging.py
+++ b/templates/vnc/decnet_logging.py
@@ -120,10 +120,113 @@ def _get_file_logger() -> logging.Logger:
    return _file_logger
 _json_logger: logging.Logger | None = None
 def _get_json_logger() -> logging.Logger:
    global _json_logger
    if _json_logger is not None:
        return _json_logger
    log_path_str = os.environ.get(_LOG_FILE_ENV, _DEFAULT_LOG_FILE)
    json_path = Path(log_path_str).with_suffix(".json")
    try:
        json_path.parent.mkdir(parents=True, exist_ok=True)
        handler = logging.handlers.RotatingFileHandler(
            json_path,
            maxBytes=_MAX_BYTES,
            backupCount=_BACKUP_COUNT,
            encoding="utf-8",
        )
    except OSError:
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    _json_logger = logging.getLogger("decnet.json")
    _json_logger.setLevel(logging.DEBUG)
    _json_logger.propagate = False
    _json_logger.addHandler(handler)
    return _json_logger
 def write_syslog_file(line: str) -> None:
    """Append a syslog line to the rotating log file."""
    try:
        _get_file_logger().info(line)
        # Also parse and write JSON log
        import json
        import re
        from datetime import datetime
        from typing import Optional, Any
        _RFC5424_RE: re.Pattern = re.compile(
            r"^<\d+>1 "
            r"(\S+) "       # 1: TIMESTAMP
            r"(\S+) "       # 2: HOSTNAME (decky name)
            r"(\S+) "       # 3: APP-NAME (service)
            r"- "           # PROCID always NILVALUE
            r"(\S+) "       # 4: MSGID (event_type)
            r"(.+)$",       # 5: SD element + optional MSG
        )
        _SD_BLOCK_RE: re.Pattern = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
        _PARAM_RE: re.Pattern = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
        _IP_FIELDS: tuple[str, ...] = ("src_ip", "src", "client_ip", "remote_ip", "ip")
        _m: Optional[re.Match] = _RFC5424_RE.match(line)
        if _m:
            _ts_raw: str
            _decky: str
            _service: str
            _event_type: str
            _sd_rest: str
            _ts_raw, _decky, _service, _event_type, _sd_rest = _m.groups()
            _fields: dict[str, str] = {}
            _msg: str = ""
            if _sd_rest.startswith("-"):
                _msg = _sd_rest[1:].lstrip()
            elif _sd_rest.startswith("["):
                _block: Optional[re.Match] = _SD_BLOCK_RE.search(_sd_rest)
                if _block:
                    for _k, _v in _PARAM_RE.findall(_block.group(1)):
                        _fields[_k] = _v.replace('\\"', '"').replace("\\\\", "\\").replace("\\]", "]")
                    # extract msg after the block
                    _msg_match: Optional[re.Match] = re.search(r'\]\s+(.+)$', _sd_rest)
                    if _msg_match:
                        _msg = _msg_match.group(1).strip()
            else:
                _msg = _sd_rest
            _attacker_ip: str = "Unknown"
            for _fname in _IP_FIELDS:
                if _fname in _fields:
                    _attacker_ip = _fields[_fname]
                    break
            # Parse timestamp to normalize it
            _ts_formatted: str
            try:
                _ts_formatted = datetime.fromisoformat(_ts_raw).strftime("%Y-%m-%d %H:%M:%S")
            except ValueError:
                _ts_formatted = _ts_raw
            _payload: dict[str, Any] = {
                "timestamp": _ts_formatted,
                "decky": _decky,
                "service": _service,
                "event_type": _event_type,
                "attacker_ip": _attacker_ip,
                "fields": json.dumps(_fields),
                "msg": _msg,
                "raw_line": line
            }
            _get_json_logger().info(json.dumps(_payload))
    except Exception:
        pass
--- a/tests/.hypothesis/constants/19d5adc9efd5ec68
+++ b/tests/.hypothesis/constants/19d5adc9efd5ec68
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/web/ingester.py
 # hypothesis_version: 6.151.11
 ['.json', 'decnet.web.ingester', 'r', 'replace', 'utf-8']
--- a/tests/.hypothesis/constants/219a36e8b671f84b
+++ b/tests/.hypothesis/constants/219a36e8b671f84b
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/web/repository.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/a3207e9522fed10c
+++ b/tests/.hypothesis/constants/a3207e9522fed10c
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/web/api.py
 # hypothesis_version: 6.151.11
 [1000, '*', '/api/v1/auth/login', '/api/v1/logs', '/api/v1/stats', '1.0.0', 'Bearer', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'limit', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'token_type', 'total', 'username', 'uuid']
--- a/tests/.hypothesis/constants/ceb1d0465029fa83
+++ b/tests/.hypothesis/constants/ceb1d0465029fa83
@@ -0,0 +1,4 @@
 # file: /home/anti/.local/bin/pytest
 # hypothesis_version: 6.151.11
 ['__main__']
--- a/tests/.hypothesis/constants/da39a3ee5e6b4b0d
+++ b/tests/.hypothesis/constants/da39a3ee5e6b4b0d
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/__init__.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/da43cd4d80a43169
+++ b/tests/.hypothesis/constants/da43cd4d80a43169
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
 # hypothesis_version: 6.151.11
 ['SELECT * FROM logs', 'active_deckies', 'attacker_ip', 'decky', 'decnet.db', 'event_type', 'fields', 'msg', 'must_change_password', 'password_hash', 'raw_line', 'role', 'service', 'timestamp', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']
--- a/tests/.hypothesis/constants/df40fa14165138c7
+++ b/tests/.hypothesis/constants/df40fa14165138c7
@@ -0,0 +1,4 @@
 # file: /home/anti/Tools/DECNET/decnet/web/auth.py
 # hypothesis_version: 6.151.11
 [1440, 'DECNET_SECRET_KEY', 'HS256', 'exp', 'iat', 'utf-8']
--- a/tests/.hypothesis/unicode_data/16.0.0/charmap.json.gz
+++ b/tests/.hypothesis/unicode_data/16.0.0/charmap.json.gz
--- a/tests/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz
+++ b/tests/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz
--- a/tests/test_fleet_api.py
+++ b/tests/test_fleet_api.py
@@ -0,0 +1,86 @@
 import json
 import pytest
 from fastapi.testclient import TestClient
 from decnet.web.api import app
 import decnet.config
 from pathlib import Path
 TEST_STATE_FILE = Path("test-decnet-state.json")
@pytest.fixture(autouse=True)
 def patch_state_file(monkeypatch):
    # Patch the global STATE_FILE variable in the config module
    monkeypatch.setattr(decnet.config, "STATE_FILE", TEST_STATE_FILE)
@pytest.fixture
 def mock_state_file():
    # Create a dummy state file for testing
    _test_state = {
        "config": {
            "mode": "unihost",
            "interface": "eth0",
            "subnet": "192.168.1.0/24",
            "gateway": "192.168.1.1",
            "deckies": [
                {
                    "name": "test-decky-1",
                    "ip": "192.168.1.10",
                    "services": ["ssh"],
                    "distro": "debian",
                    "base_image": "debian",
                    "hostname": "test-host-1",
                    "service_config": {"ssh": {"banner": "SSH-2.0-OpenSSH_8.9"}},
                    "archetype": "deaddeck",
                    "nmap_os": "linux",
                    "build_base": "debian:bookworm-slim"
                },
                {
                    "name": "test-decky-2",
                    "ip": "192.168.1.11",
                    "services": ["http"],
                    "distro": "ubuntu",
                    "base_image": "ubuntu",
                    "hostname": "test-host-2",
                    "service_config": {},
                    "archetype": None,
                    "nmap_os": "linux",
                    "build_base": "debian:bookworm-slim"
                }
            ],
            "log_target": None,
            "log_file": "test.log",
            "ipvlan": False
        },
        "compose_path": "test-compose.yml"
    }
    TEST_STATE_FILE.write_text(json.dumps(_test_state))
    yield _test_state
    # Cleanup
    if TEST_STATE_FILE.exists():
        TEST_STATE_FILE.unlink()
 def test_get_deckies_endpoint(mock_state_file):
    with TestClient(app) as _client:
        # Login to get token
        _login_resp = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        _token = _login_resp.json()["access_token"]
        _response = _client.get("/api/v1/deckies", headers={"Authorization": f"Bearer {_token}"})
        assert _response.status_code == 200
        _data = _response.json()
        assert len(_data) == 2
        assert _data[0]["name"] == "test-decky-1"
        assert _data[0]["service_config"]["ssh"]["banner"] == "SSH-2.0-OpenSSH_8.9"
 def test_stats_includes_deployed_count(mock_state_file):
    with TestClient(app) as _client:
        _login_resp = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        _token = _login_resp.json()["access_token"]
        _response = _client.get("/api/v1/stats", headers={"Authorization": f"Bearer {_token}"})
        assert _response.status_code == 200
        _data = _response.json()
        assert "deployed_deckies" in _data
        assert _data["deployed_deckies"] == 2
--- a/tests/test_ini_validation.py
+++ b/tests/test_ini_validation.py
@@ -0,0 +1,41 @@
 import pytest
 from decnet.ini_loader import load_ini_from_string, validate_ini_string
 def test_validate_ini_string_too_large():
    content = "[" + "a" * (512 * 1024 + 1) + "]"
    with pytest.raises(ValueError, match="too large"):
        validate_ini_string(content)
 def test_validate_ini_string_empty():
    with pytest.raises(ValueError, match="is empty"):
        validate_ini_string("")
    with pytest.raises(ValueError, match="is empty"):
        validate_ini_string("   ")
 def test_validate_ini_string_no_sections():
    with pytest.raises(ValueError, match="no sections found"):
        validate_ini_string("key=value")
 def test_load_ini_from_string_amount_limit():
    content = """
 [general]
 net=192.168.1.0/24
 [decky-01]
 amount=101
 archetype=linux-server
 """
    with pytest.raises(ValueError, match="exceeds maximum allowed"):
        load_ini_from_string(content)
 def test_load_ini_from_string_valid():
    content = """
 [general]
 net=192.168.1.0/24
 [decky-01]
 amount=5
 archetype=linux-server
 """
    cfg = load_ini_from_string(content)
    assert len(cfg.deckies) == 5
--- a/tests/test_web_api.py
+++ b/tests/test_web_api.py
@@ -0,0 +1,131 @@
 import os
 from typing import Generator
 import pytest
 from fastapi.testclient import TestClient
 from decnet.web.api import app, repo
@pytest.fixture(autouse=True)
 def setup_db() -> Generator[None, None, None]:
    repo.db_path = "test_decnet.db"
    if os.path.exists(repo.db_path):
        os.remove(repo.db_path)
    # Yield control to the test function
    yield
    # Teardown
    if os.path.exists(repo.db_path):
        os.remove(repo.db_path)
 def test_login_success() -> None:
    with TestClient(app) as client:
        # The TestClient context manager triggers startup/shutdown events
        response = client.post(
            "/api/v1/auth/login", 
            json={"username": "admin", "password": "admin"}
        )
        assert response.status_code == 200
        data = response.json()
        assert "access_token" in data
        assert data["token_type"] == "bearer"
        assert "must_change_password" in data
        assert data["must_change_password"] is True
 def test_login_failure() -> None:
    with TestClient(app) as client:
        response = client.post(
            "/api/v1/auth/login", 
            json={"username": "admin", "password": "wrongpassword"}
        )
        assert response.status_code == 401
        response = client.post(
            "/api/v1/auth/login", 
            json={"username": "nonexistent", "password": "wrongpassword"}
        )
        assert response.status_code == 401
 def test_change_password() -> None:
    with TestClient(app) as client:
        # First login to get token
        login_resp = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        token = login_resp.json()["access_token"]
        # Try changing password with wrong old password
        resp1 = client.post(
            "/api/v1/auth/change-password",
            json={"old_password": "wrong", "new_password": "new_secure_password"},
            headers={"Authorization": f"Bearer {token}"}
        )
        assert resp1.status_code == 401
        # Change password successfully
        resp2 = client.post(
            "/api/v1/auth/change-password",
            json={"old_password": "admin", "new_password": "new_secure_password"},
            headers={"Authorization": f"Bearer {token}"}
        )
        assert resp2.status_code == 200
        # Verify old password no longer works
        resp3 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        assert resp3.status_code == 401
        # Verify new password works and must_change_password is False
        resp4 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "new_secure_password"})
        assert resp4.status_code == 200
        assert resp4.json()["must_change_password"] is False
 def test_get_logs_unauthorized() -> None:
    with TestClient(app) as client:
        response = client.get("/api/v1/logs")
        assert response.status_code == 401
 def test_get_logs_success() -> None:
    with TestClient(app) as client:
        login_response = client.post(
            "/api/v1/auth/login",
            json={"username": "admin", "password": "admin"}
        )
        token = login_response.json()["access_token"]
        response = client.get(
            "/api/v1/logs",
            headers={"Authorization": f"Bearer {token}"}
        )
        assert response.status_code == 200
        data = response.json()
        assert "data" in data
        assert data["total"] >= 0
        assert isinstance(data["data"], list)
 def test_get_stats_unauthorized() -> None:
    with TestClient(app) as client:
        response = client.get("/api/v1/stats")
        assert response.status_code == 401
 def test_get_stats_success() -> None:
    with TestClient(app) as client:
        login_response = client.post(
            "/api/v1/auth/login",
            json={"username": "admin", "password": "admin"}
        )
        token = login_response.json()["access_token"]
        response = client.get(
            "/api/v1/stats",
            headers={"Authorization": f"Bearer {token}"}
        )
        assert response.status_code == 200
        data = response.json()
        assert "total_logs" in data
        assert "unique_attackers" in data
        assert "active_deckies" in data
--- a/tests/test_web_api_fuzz.py
+++ b/tests/test_web_api_fuzz.py
@@ -0,0 +1,106 @@
 import os
 import pytest
 import json
 from typing import Generator, Any, Optional
 from fastapi.testclient import TestClient
 from hypothesis import given, strategies as st, settings, HealthCheck
 import httpx
 from decnet.web.api import app, repo
 # Re-use setup from test_web_api
@pytest.fixture(scope="function", autouse=True)
 def setup_db() -> Generator[None, None, None]:
    repo.db_path = "test_fuzz_decnet.db"
    if os.path.exists(repo.db_path):
        os.remove(repo.db_path)
    yield
    if os.path.exists(repo.db_path):
        os.remove(repo.db_path)
 # bcrypt is intentionally slow, so we disable/extend the deadline
 _FUZZ_SETTINGS: dict[str, Any] = {
    "max_examples": 50,
    "deadline": None, # bcrypt hashing takes >200ms
    "suppress_health_check": [HealthCheck.function_scoped_fixture]
 }
@settings(**_FUZZ_SETTINGS)
@given(
    username=st.text(min_size=0, max_size=2048),
    password=st.text(min_size=0, max_size=2048)
 )
 def test_fuzz_login(username: str, password: str) -> None:
    """Fuzz the login endpoint with random strings (including non-ASCII)."""
    with TestClient(app) as _client:
        _payload: dict[str, str] = {"username": username, "password": password}
        try:
            _response: httpx.Response = _client.post("/api/v1/auth/login", json=_payload)
            # 200, 401, or 422 are acceptable. 500 is a failure.
            assert _response.status_code in (200, 401, 422)
        except (UnicodeEncodeError, json.JSONDecodeError):
            pass
@settings(**_FUZZ_SETTINGS)
@given(
    old_password=st.text(min_size=0, max_size=2048),
    new_password=st.text(min_size=0, max_size=2048)
 )
 def test_fuzz_change_password(old_password: str, new_password: str) -> None:
    """Fuzz the change-password endpoint with random strings."""
    with TestClient(app) as _client:
        # Get valid token first
        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        _token: str = _login_resp.json()["access_token"]
        _payload: dict[str, str] = {"old_password": old_password, "new_password": new_password}
        try:
            _response: httpx.Response = _client.post(
                "/api/v1/auth/change-password",
                json=_payload,
                headers={"Authorization": f"Bearer {_token}"}
            )
            assert _response.status_code in (200, 401, 422)
        except (UnicodeEncodeError, json.JSONDecodeError):
            pass
@settings(**_FUZZ_SETTINGS)
@given(
    limit=st.integers(min_value=-2000, max_value=5000),
    offset=st.integers(min_value=-2000, max_value=5000),
    search=st.one_of(st.none(), st.text(max_size=2048))
 )
 def test_fuzz_get_logs(limit: int, offset: int, search: Optional[str]) -> None:
    """Fuzz the logs pagination and search."""
    with TestClient(app) as _client:
        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
        _token: str = _login_resp.json()["access_token"]
        _params: dict[str, Any] = {"limit": limit, "offset": offset}
        if search is not None:
            _params["search"] = search
        _response: httpx.Response = _client.get(
            "/api/v1/logs",
            params=_params,
            headers={"Authorization": f"Bearer {_token}"}
        )
        assert _response.status_code in (200, 422)
@settings(**_FUZZ_SETTINGS)
@given(
    token=st.text(min_size=0, max_size=4096)
 )
 def test_fuzz_auth_header(token: str) -> None:
    """Fuzz the Authorization header with full unicode noise."""
    with TestClient(app) as _client:
        try:
            _response: httpx.Response = _client.get(
                "/api/v1/stats",
                headers={"Authorization": f"Bearer {token}"}
            )
            assert _response.status_code in (401, 422)
        except (UnicodeEncodeError, httpx.InvalidURL, httpx.CookieConflict):
            # Expected client-side rejection of invalid header characters
            pass
Author	SHA1	Message	Date
anti	fe6b349e5e	modified: ci.yml, fucked up last time lol Some checks failed CI / Lint (ruff) (push) Successful in 11s Details CI / Test (pytest) (3.11) (push) Successful in 1m42s Details CI / Test (pytest) (3.12) (push) Successful in 1m45s Details CI / SAST (bandit) (push) Failing after 12s Details CI / Dependency audit (pip-audit) (push) Successful in 20s Details CI / Open PR to main (push) Has been skipped Details	2026-04-08 15:53:49 -04:00
anti	65b220fdbe	modified: ci.yml, pyproject: added missing installs and modified pip install command Some checks failed CI / Lint (ruff) (push) Successful in 16s Details CI / Test (pytest) (3.11) (push) Failing after 20s Details CI / Test (pytest) (3.12) (push) Failing after 20s Details CI / SAST (bandit) (push) Failing after 11s Details CI / Dependency audit (pip-audit) (push) Successful in 19s Details CI / Open PR to main (push) Has been skipped Details	2026-04-08 15:50:17 -04:00
anti	6f10e7556f	chore: deleted trash Some checks failed CI / Lint (ruff) (push) Successful in 11s Details CI / Test (pytest) (3.11) (push) Failing after 18s Details CI / Test (pytest) (3.12) (push) Failing after 18s Details CI / SAST (bandit) (push) Failing after 11s Details CI / Dependency audit (pip-audit) (push) Successful in 18s Details CI / Open PR to main (push) Has been skipped Details	2026-04-08 02:07:11 -04:00
anti	fc99375c62	feat: add systemd service templates for API and Web Dashboard Some checks failed CI / Lint (ruff) (push) Successful in 15s Details CI / Test (pytest) (3.11) (push) Failing after 21s Details CI / Test (pytest) (3.12) (push) Failing after 22s Details CI / SAST (bandit) (push) Failing after 13s Details CI / Dependency audit (pip-audit) (push) Successful in 19s Details CI / Open PR to main (push) Has been skipped Details	2026-04-08 01:48:05 -04:00
anti	6bdb5922fa	fix: ensure shared log volume mount by default and disable container-side rotation	2026-04-08 01:42:05 -04:00
anti	32b06afef6	feat: add .env based configuration for API, Web, and Auth options	2026-04-08 01:27:11 -04:00
anti	31e0c5151b	fix: ensure API-deployed deckies inherit the correct log ingestion path	2026-04-08 01:09:48 -04:00
anti	cc3d434c02	feat: add server-side validation for web-based INI deployments	2026-04-08 01:04:59 -04:00
anti	1b5d366b38	ui: add file upload support to web-based INI deployment	2026-04-08 00:59:53 -04:00
anti	168ecf14ab	feat: add API-only mode and web-based INI deployment	2026-04-08 00:56:25 -04:00
anti	db9a2699b9	ui: fix dashboard overflow and overlap with sidebar	2026-04-08 00:44:33 -04:00
anti	d139729fa2	docs: revert incorrect roadmap ticks	2026-04-08 00:38:03 -04:00
anti	dd363629ab	docs: update roadmap items in DEVELOPMENT.md	2026-04-08 00:35:43 -04:00
anti	c544964f57	feat: migrate dashboard live logs to Server-Sent Events (SSE)	2026-04-08 00:30:31 -04:00
anti	6e19848723	ui: improve mutation feedback and increase timeout for long-running docker ops	2026-04-08 00:22:23 -04:00
anti	e24da92e0f	fix: increase timeout for mutate API call to handle slow docker ops	2026-04-08 00:21:16 -04:00
anti	47f0e6da8f	fix: correctly iterate over all deckies in _build_deckies_from_ini	2026-04-08 00:19:42 -04:00
anti	18de381a43	feat: implement dynamic decky mutation and fix dot-separated INI sections	2026-04-08 00:16:57 -04:00
anti	1f5c6604d6	feat: integrate API lifecycle with teardown and update dependencies	2026-04-07 23:30:08 -04:00
anti	a9c7ddec2b	fix: enforce absolute paths for state and database files	2026-04-07 23:21:16 -04:00
anti	eb4be44c9a	feat: add dedicated Decoy Fleet inventory page and API	2026-04-07 23:15:20 -04:00
anti	1a2ad27eca	test: add comprehensive property-based fuzzing for all API endpoints	2026-04-07 20:14:53 -04:00
anti	b1f09b9c6a	chore: move development docs to development/ and clean up project root	2026-04-07 20:07:56 -04:00
anti	3656a89d60	docs: add comprehensive EVENTS.md detailing all service log events	2026-04-07 20:02:54 -04:00
anti	ba2faba5d5	chore: enforce strict typing and internal naming conventions across web components	2026-04-07 19:56:15 -04:00
anti	950280a97b	feat: render structured syslog tags and msg in Dashboard	2026-04-07 15:56:45 -04:00
anti	7bc8d75242	feat: parse RFC 5424 fields and msg directly in backend	2026-04-07 15:56:01 -04:00
anti	5f637b5272	feat: switch to JSON-based log ingestion for higher reliability	2026-04-07 15:47:29 -04:00
anti	6ed92d080f	fix: invoke uvicorn via sys.executable to handle sudo PATH restrictions	2026-04-07 15:39:32 -04:00
anti	1b593920cd	feat: add --api flag to deploy and new web command for dashboard	2026-04-07 15:32:04 -04:00
anti	bad90dfb75	feat: implement background log ingestion from local file	2026-04-07 15:30:44 -04:00
anti	05e71f6d2e	feat: frontend support for mandatory password change and react-router integration	2026-04-07 15:16:11 -04:00
anti	52c26a2891	feat: backend support for mandatory password change on first login	2026-04-07 15:15:03 -04:00
anti	81135cb861	fix: switch to direct bcrypt usage for Python 3.14 compatibility	2026-04-07 15:07:46 -04:00
anti	50e53120df	feat: initialize React frontend with minimalistic Matrix theme	2026-04-07 15:05:06 -04:00
anti	697929a127	feat: implement Stats endpoints for web dashboard	2026-04-07 14:58:09 -04:00
anti	b46934db46	feat: implement Logs endpoints for web dashboard	2026-04-07 14:56:25 -04:00
anti	5b990743db	feat: implement Auth endpoints for web dashboard	2026-04-07 14:54:36 -04:00
anti	fbb16a960c	feat: add web dashboard dependencies to support real-time monitoring	2026-04-07 14:51:37 -04:00
anti	c32ad82d0a	Modified README: added more examples to the config.ini section and modified instructions for quick setup.	2026-04-06 11:28:29 -04:00
anti	850a6f2ad7	Finished: CI/CD pipeline.	2026-04-06 11:18:10 -04:00
Samuel P. Vega	d344e4c8bb	revert `f8a9f8fc64` revert Added: modified notes. Finished CI/CD pipeline.	2026-04-06 17:17:31 +02:00
anti	f8a9f8fc64	Added: modified notes. Finished CI/CD pipeline. All checks were successful PR Gate / Lint (ruff) (pull_request) Successful in 18s Details PR Gate / Test (pytest) (3.11) (pull_request) Successful in 20s Details PR Gate / Test (pytest) (3.12) (pull_request) Successful in 22s Details	2026-04-06 11:10:56 -04:00
anti	a428410c8e	Modified README.md: added AI disclosure	2026-04-06 11:09:44 -04:00
anti	e5a6c2d9a7	Skip CI on markdown-only changes All checks were successful CI / Lint (ruff) (push) Successful in 16s Details CI / Test (pytest) (3.11) (push) Successful in 19s Details CI / Test (pytest) (3.12) (push) Successful in 20s Details CI / SAST (bandit) (push) Successful in 12s Details CI / Dependency audit (pip-audit) (push) Successful in 19s Details CI / Open PR to main (push) Successful in 6s Details PR Gate / Lint (ruff) (pull_request) Successful in 11s Details PR Gate / Test (pytest) (3.11) (pull_request) Successful in 18s Details PR Gate / Test (pytest) (3.12) (pull_request) Successful in 20s Details	2026-04-04 23:07:40 -04:00
		`@@ -0,0 +1 @@`
							<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="35.93" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 228"><path fill="#00D8FF" d="M210.483 73.824a171.49 171.49 0 0 0-8.24-2.597c.465-1.9.893-3.777 1.273-5.621c6.238-30.281 2.16-54.676-11.769-62.708c-13.355-7.7-35.196.329-57.254 19.526a171.23 171.23 0 0 0-6.375 5.848a155.866 155.866 0 0 0-4.241-3.917C100.759 3.829 77.587-4.822 63.673 3.233C50.33 10.957 46.379 33.89 51.995 62.588a170.974 170.974 0 0 0 1.892 8.48c-3.28.932-6.445 1.924-9.474 2.98C17.309 83.498 0 98.307 0 113.668c0 15.865 18.582 31.778 46.812 41.427a145.52 145.52 0 0 0 6.921 2.165a167.467 167.467 0 0 0-2.01 9.138c-5.354 28.2-1.173 50.591 12.134 58.266c13.744 7.926 36.812-.22 59.273-19.855a145.567 145.567 0 0 0 5.342-4.923a168.064 168.064 0 0 0 6.92 6.314c21.758 18.722 43.246 26.282 56.54 18.586c13.731-7.949 18.194-32.003 12.4-61.268a145.016 145.016 0 0 0-1.535-6.842c1.62-.48 3.21-.974 4.76-1.488c29.348-9.723 48.443-25.443 48.443-41.52c0-15.417-17.868-30.326-45.517-39.844Zm-6.365 70.984c-1.4.463-2.836.91-4.3 1.345c-3.24-10.257-7.612-21.163-12.963-32.432c5.106-11 9.31-21.767 12.459-31.957c2.619.758 5.16 1.557 7.61 2.4c23.69 8.156 38.14 20.213 38.14 29.504c0 9.896-15.606 22.743-40.946 31.14Zm-10.514 20.834c2.562 12.94 2.927 24.64 1.23 33.787c-1.524 8.219-4.59 13.698-8.382 15.893c-8.067 4.67-25.32-1.4-43.927-17.412a156.726 156.726 0 0 1-6.437-5.87c7.214-7.889 14.423-17.06 21.459-27.246c12.376-1.098 24.068-2.894 34.671-5.345a134.17 134.17 0 0 1 1.386 6.193ZM87.276 214.515c-7.882 2.783-14.16 2.863-17.955.675c-8.075-4.657-11.432-22.636-6.853-46.752a156.923 156.923 0 0 1 1.869-8.499c10.486 2.32 22.093 3.988 34.498 4.994c7.084 9.967 14.501 19.128 21.976 27.15a134.668 134.668 0 0 1-4.877 4.492c-9.933 8.682-19.886 14.842-28.658 17.94ZM50.35 144.747c-12.483-4.267-22.792-9.812-29.858-15.863c-6.35-5.437-9.555-10.836-9.555-15.216c0-9.322 13.897-21.212 37.076-29.293c2.813-.98 5.757-1.905 8.812-2.773c3.204 10.42 7.406 21.315 12.477 32.332c-5.137 11.18-9.399 22.249-12.634 32.792a134.718 134.718 0 0 1-6.318-1.979Zm12.378-84.26c-4.811-24.587-1.616-43.134 6.425-47.789c8.564-4.958 27.502 2.111 47.463 19.835a144.318 144.318 0 0 1 3.841 3.545c-7.438 7.987-14.787 17.08-21.808 26.988c-12.04 1.116-23.565 2.908-34.161 5.309a160.342 160.342 0 0 1-1.76-7.887Zm110.427 27.268a347.8 347.8 0 0 0-7.785-12.803c8.168 1.033 15.994 2.404 23.343 4.08c-2.206 7.072-4.956 14.465-8.193 22.045a381.151 381.151 0 0 0-7.365-13.322Zm-45.032-43.861c5.044 5.465 10.096 11.566 15.065 18.186a322.04 322.04 0 0 0-30.257-.006c4.974-6.559 10.069-12.652 15.192-18.18ZM82.802 87.83a323.167 323.167 0 0 0-7.227 13.238c-3.184-7.553-5.909-14.98-8.134-22.152c7.304-1.634 15.093-2.97 23.209-3.984a321.524 321.524 0 0 0-7.848 12.897Zm8.081 65.352c-8.385-.936-16.291-2.203-23.593-3.793c2.26-7.3 5.045-14.885 8.298-22.6a321.187 321.187 0 0 0 7.257 13.246c2.594 4.48 5.28 8.868 8.038 13.147Zm37.542 31.03c-5.184-5.592-10.354-11.779-15.403-18.433c4.902.192 9.899.29 14.978.29c5.218 0 10.376-.117 15.453-.343c-4.985 6.774-10.018 12.97-15.028 18.486Zm52.198-57.817c3.422 7.8 6.306 15.345 8.596 22.52c-7.422 1.694-15.436 3.058-23.88 4.071a382.417 382.417 0 0 0 7.859-13.026a347.403 347.403 0 0 0 7.425-13.565Zm-16.898 8.101a358.557 358.557 0 0 1-12.281 19.815a329.4 329.4 0 0 1-23.444.823c-7.967 0-15.716-.248-23.178-.732a310.202 310.202 0 0 1-12.513-19.846h.001a307.41 307.41 0 0 1-10.923-20.627a310.278 310.278 0 0 1 10.89-20.637l-.001.001a307.318 307.318 0 0 1 12.413-19.761c7.613-.576 15.42-.876 23.31-.876H128c7.926 0 15.743.303 23.354.883a329.357 329.357 0 0 1 12.335 19.695a358.489 358.489 0 0 1 11.036 20.54a329.472 329.472 0 0 1-11 20.722Zm22.56-122.124c8.572 4.944 11.906 24.881 6.52 51.026c-.344 1.668-.73 3.367-1.15 5.09c-10.622-2.452-22.155-4.275-34.23-5.408c-7.034-10.017-14.323-19.124-21.64-27.008a160.789 160.789 0 0 1 5.888-5.4c18.9-16.447 36.564-22.941 44.612-18.3ZM128 90.808c12.625 0 22.86 10.235 22.86 22.86s-10.235 22.86-22.86 22.86s-22.86-10.235-22.86-22.86s10.235-22.86 22.86-22.86Z"></path></svg>