Keeps operating essentials (template gate, ports, build/deploy, env, What's New,\nrepo-specific quirks); moves architecture/endpoints/tables/topics to the HiveIQ\nGuide (guide.bcos.dev) which is kept in sync with code. Part of the guide-KB rollout.\n\nCo-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Single VITE_API_URL replaces apiUrl+authUrl. Gateway URL for auth calls
is derived at runtime via apiUrl.replace(/\/aria$/, '').
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Path was /api/auth/users/me but the auth controller is at /auth/api/users/me.
Caused a CORS-then-404 error on every page load.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace cryptic SVG countdown circle with a clear labeled toggle switch
in ThreatEvents, DevicePosture, and PrecursorAlerts. State is persisted
to localStorage per-component (aria_threats_autoRefresh, aria_posture_autoRefresh,
aria_alerts_autoRefresh).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add reported_at field to threat_ioc (V7 migration) — tracks when the source
originally published the IOC, distinct from addedAt (ingestion time); wired
into OTX (created field), MalwareBazaar and ThreatFox (first_seen field),
and the manual IOC creation endpoint
- Fix threat event stats to use a 24h time window for critical/high counts
(countBySeverityAndDetectedAtAfter) instead of all-time totals
- Rebuild IOC Management with canonical filter sidebar: collapsible left sidebar
with per-type toggle pills, active filter chips with individual removal
- DevicePosture: collapse institutions and filter sidebar by default
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All institutions expanded by default. Header row shows device count,
avg posture score, and a warning badge when any device scores below 80.
Fetches all records in one call (size=500) instead of paginating.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: IocFeeds.svelte called feeds.find() on a Map (backend returned
Map<String,Object> not List) → reactive statement crash → entire Svelte tree
broken, all sidebar nav dead.
Backend:
- /feeds/status now returns List<Map> with feedName/configured/enabled/
lastRunAt/lastRunStatus/lastIocsAdded/lastIocsUpdated fields
- /feeds/runs now returns full Page<IocFeedRun> (not stripped .getContent())
- IocFeedService.isConfigured(feedName) added for per-feed key check
- Feed order fixed to [OTX, MALWARE_BAZAAR, THREAT_FOX] (deterministic)
Frontend:
- loadFeeds: Array.isArray guard prevents crash if shape is ever wrong
- loadRuns: safe fallback for both Page and plain-array responses
- api.ts refreshFeed URL fixed: /feeds/refresh/{name} not /feeds/{name}/refresh
- IocFeedStatus type: added lastIocsUpdated
- IocFeeds.svelte: Refresh All moved from header to toolbar; all buttons
use canonical btn/btn-primary/btn-secondary/btn-sm classes; pollInterval
now calls pollStatus (status-only poll) not full refresh trigger
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All three list pages (ThreatEvents, PrecursorAlerts, DevicePosture) now
use the template's btn-manual-refresh icon button + SVG countdown timer
in header-controls, matching the canonical TablePage.svelte pattern.
Plain text Refresh button removed from toolbar-right.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PrecursorAlerts and DevicePosture were using custom inline select
dropdowns for filtering. Both now use the canonical left filter sidebar
with collapsible status-pills, active filter chips, and content-frame
layout from hiveops-template/TablePage.svelte.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds per-device security posture reports and compliance dashboard. Agents POST
posture data (disk encryption, audit policy, image hashes, OS version/EOL) to
POST /api/aria/posture/report (service-secret authenticated). DevicePostureService
upserts the record and calculates a 0–100 posture score using a penalty model:
disk encryption off −25, audit policy off −20, OS EOL −20, image hash drift −20,
whitelist off −10, stale check −5/day (capped at −15). REST API adds GET /posture
(filterable by EOL status and score band) and GET /posture/{deviceId}. Stats
endpoint gains lowPostureCount (<50) and eolDeviceCount. Dashboard reorganised
into Threat Activity and Compliance rows. Device Posture SPA view enables the
previously-disabled nav item with score bar, EOL badges, and full detail panel.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds multi-phase attack sequence detection to ARIA. After each event is
ingested, SequenceDetectionService queries events within a 15-minute window
for the same device and fires a PrecursorSequenceAlert when jackpotting
(PHYSICAL_ACCESS + malware phase) or skimming (PHYSICAL_ACCESS + card reader
tamper/USB) patterns are detected. Confidence is scored 0–1 based on phases
and severity. Detected sequences are published to hiveops.aria.sequences Kafka
topic. Adds REST API (GET /sequences, GET /{id}/events, POST /{id}/resolve) and
enables the Precursor Alerts view in the SPA with filter sidebar, confidence
bar, and event detail slide panel.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- frontend/: full aria.bcos.dev SPA (port 5187) with Dashboard, Threat Events,
and IOC Management views; Phase 2-3 nav items disabled as placeholders
- ThreatEventController: GET /api/aria/events (paginated, severity/device filter)
and GET /api/aria/stats (total/critical/high/activeIoc counts)
- Deployed to bcos.dev: hiveiq-aria-frontend container + aria.bcos.dev NPM proxy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>