v1.9 — Dragon: hardening, full-window intel & data-consistency

@hett-patell hett-patell released this 04 Jun 08:37
· 4 commits to main since this release

A large correctness, performance, and feature release. Headlined by a sweep that made every dashboard widget draw from authoritative full-data queries (or honestly disclose when it's showing a capped sample), plus seven-provider IP enrichment and a proper uninstaller.

Threat intel

  • Seven IP-reputation providers (was three): added Shodan InternetDB (keyless), AlienVault OTX, IPQualityScore, and IPinfo alongside AbuseIPDB / VirusTotal / GreyNoise. Parallel lookups, normalized verdict + score + tags, 24h cache. See the new IP Reputation Enrichment README section for env keys.
  • Full-window analytics. MITRE, TTP, IOC export, threat graph, deobfuscation, and wordlists now analyze the entire selected window instead of a recent ~5,000-event sample — a "30d" view is really 30 days. Capped widgets (graph nodes, sessions, payload library) now disclose "N of M" instead of silently truncating.
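The fan-out / normalize / cache shape described in the threat-intel bullet, as an added Go example that is not the project's own code: the `Lookup` signature, the 75/25 score thresholds, the 3-second per-provider deadline and the constructed `fake` providers are all assumptions made here; only "parallel lookups, normalized verdict + score + tags, 24h cache" comes from the release notes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
	"sync"
	"time"
)

// Verdict is the normalized shape every provider answer is merged into.
type Verdict struct {
	Label   string    // "malicious", "suspicious", "clean" or "unknown"
	Score   int       // 0-100, higher is worse; the worst provider score wins
	Tags    []string  // sorted, de-duplicated union of provider tags
	Sources int       // providers that answered before the deadline
	Expires time.Time // cache expiry
}

// Lookup is the hypothetical per-provider client signature.
type Lookup func(ctx context.Context, ip string) (score int, tags []string, err error)

// Enricher fans one lookup out to all providers in parallel and caches the merged verdict.
type Enricher struct {
	Providers []Lookup
	mu        sync.Mutex
	cache     map[string]Verdict
}

// Enrich returns (verdict, true) on a fresh cache hit; otherwise it queries every
// provider concurrently with a per-provider deadline, merges the answers and caches them.
func (e *Enricher) Enrich(ctx context.Context, ip string) (Verdict, bool) {
	e.mu.Lock()
	c, ok := e.cache[ip]
	e.mu.Unlock()
	if ok && time.Now().Before(c.Expires) {
		return c, true
	}
	v := Verdict{Label: "unknown"}
	tagSet := map[string]bool{}
	var mu sync.Mutex // guards v and tagSet while goroutines merge into them
	var wg sync.WaitGroup
	for _, lookup := range e.Providers {
		wg.Add(1)
		go func(lookup Lookup) {
			defer wg.Done()
			pctx, cancel := context.WithTimeout(ctx, 3*time.Second)
			defer cancel()
			s, t, err := lookup(pctx, ip)
			if err != nil {
				return // a failing or slow provider degrades the verdict, it does not block it
			}
			mu.Lock()
			defer mu.Unlock()
			v.Sources++
			if s > v.Score {
				v.Score = s
			}
			for _, tag := range t {
				tagSet[tag] = true
			}
		}(lookup)
	}
	wg.Wait()
	for t := range tagSet {
		v.Tags = append(v.Tags, t)
	}
	sort.Strings(v.Tags)
	switch {
	case v.Sources == 0: // nothing answered: stay "unknown", never report "clean"
	case v.Score >= 75:
		v.Label = "malicious"
	case v.Score >= 25:
		v.Label = "suspicious"
	default:
		v.Label = "clean"
	}
	v.Expires = time.Now().Add(24 * time.Hour) // the 24h cache from the release notes
	e.mu.Lock()
	e.cache[ip] = v
	e.mu.Unlock()
	return v, false
}

func fake(score int, err error, tags ...string) Lookup {
	return func(context.Context, string) (int, []string, error) { return score, tags, err }
}

// DemoEnricher wires three constructed stand-in providers (fake is not a real client), one failing.
func DemoEnricher() *Enricher {
	return &Enricher{cache: map[string]Verdict{}, Providers: []Lookup{
		fake(90, nil, "scanner", "ssh-bruteforce"), fake(40, nil, "scanner"), fake(0, errors.New("upstream down")),
	}}
}

func main() {
	v, hit := DemoEnricher().Enrich(context.Background(), "203.0.113.7") // constructed sample IP
	fmt.Printf("%+v cache-hit=%v\n", v, hit)
}
```

Two design points worth keeping whatever the real providers are: take the worst score rather than an average, so one strong signal is not diluted by five quiet providers, and never let "all providers failed" collapse into "clean".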

Dashboard correctness

  • Attack Geography / By-country now reflects true hits-by-country across all events (a dominant high-volume attacker can no longer vanish from the chart); both pages share one authoritative aggregation.
  • Top Actors / Brute-Force Radar sort by real volume/rate from the DB (not a recent-actor slice).
  • Honest counts everywhere: payload "unique", session totals, country counts, pending-uploads — all reconciled with the database.
  • Dashboard auth token is now forwarded on every API request and across page navigation (the dashboard no longer 401s its own data when SHARDLURE_DASH_TOKEN is set), with a loud warning when no token is set.

Performance (1-vCPU friendly)

  • Incremental cowrie actor rebuild — a live ingest tick is now O(touched actors), not O(all history) (RSS dropped from ~2.7 GB to ~40 MB on the reference box).
  • Indexes for the dashboard/artifact hot paths; single-read payload classification; dedup-before-copy on capture; cached country aggregation.
  • Writes are serialized by an application mutex (single SQLite writer) without capping the connection pool, so analytics reads run concurrently and never stall live ingest.
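The incremental-rebuild idea from the first performance bullet, as an added Go example rather than the project's code: a dirty set of touched actors is folded per ingest tick and cross-checked against the old full-history rebuild. `Event`, `ActorStats` and the two sample ticks are constructed here; the real cowrie record shape and the on-disk schema are not taken from the page.

```go
package main

import "fmt"

// Event is one constructed cowrie-style login record.
type Event struct {
	SrcIP   string
	Success bool
}

// ActorStats is the per-source aggregate the Top Actors widget reads.
type ActorStats struct {
	Attempts  int
	Successes int
}

// ActorIndex keeps running aggregates plus the set of actors touched since the last flush.
type ActorIndex struct {
	stats   map[string]ActorStats
	touched map[string]bool
}

func NewActorIndex() *ActorIndex {
	return &ActorIndex{stats: map[string]ActorStats{}, touched: map[string]bool{}}
}

// Apply folds one ingest tick's batch into the aggregates.
// Work is proportional to the batch, not to the history already indexed.
func (ix *ActorIndex) Apply(batch []Event) {
	for _, ev := range batch {
		s := ix.stats[ev.SrcIP]
		s.Attempts++
		if ev.Success {
			s.Successes++
		}
		ix.stats[ev.SrcIP] = s
		ix.touched[ev.SrcIP] = true
	}
}

// Flush returns only the actors whose stored rows must be rewritten and clears the dirty set,
// so a tick that touched two actors writes two rows however large the history is.
func (ix *ActorIndex) Flush() map[string]ActorStats {
	out := make(map[string]ActorStats, len(ix.touched))
	for ip := range ix.touched {
		out[ip] = ix.stats[ip]
	}
	ix.touched = map[string]bool{}
	return out
}

// RebuildFull is the old O(all history) path, kept here only to cross-check the incremental result.
func RebuildFull(history []Event) map[string]ActorStats {
	ix := NewActorIndex()
	ix.Apply(history)
	return ix.stats
}

// EqualStats reports whether two aggregate maps agree exactly.
func EqualStats(a, b map[string]ActorStats) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if b[k] != v {
			return false
		}
	}
	return true
}

// Constructed sample: two consecutive ingest ticks.
var tick1 = []Event{{"198.51.100.9", false}, {"198.51.100.9", false}, {"203.0.113.4", true}}
var tick2 = []Event{{"198.51.100.9", false}, {"192.0.2.77", false}}

// DemoIncremental replays both ticks incrementally and returns how many actor rows the
// second flush would write, plus whether the result matches a full rebuild.
func DemoIncremental() (rowsWritten int, consistent bool) {
	ix := NewActorIndex()
	ix.Apply(tick1)
	ix.Flush()
	ix.Apply(tick2)
	dirty := ix.Flush()
	full := RebuildFull(append(append([]Event{}, tick1...), tick2...))
	return len(dirty), EqualStats(ix.stats, full)
}

func main() {
	n, ok := DemoIncremental()
	fmt.Printf("second tick rewrote %d actor rows; matches full rebuild: %v\n", n, ok)
}
```

The memory win comes from never materialising the full history per tick; the equality check against `RebuildFull` is the kind of consistency test worth keeping in the suite, since incremental aggregates drift silently when an event type is added to one path and not the other.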

Security / hardening

  • SSRF guard now blocks unspecified (0.0.0.0/::), CGNAT (100.64/10), and other reserved ranges the stdlib predicates miss; path-containment for cowrie download archiving.
  • CSV/IOC export neutralizes spreadsheet formula injection (CWE-1236) on attacker-controlled fields.
  • Frontend XSS pass (escaped TTP tags / session fields; safeUrl blocks javascript:/data: schemes).
  • admin_ips supports CIDR ranges (e.g. a Tailscale CGNAT range); config written 0600 (it can hold the abuse.ch key).
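The SSRF guard and path-containment bullet, as an added Go example that is not the project's code: it lists the ranges `net/netip`'s predicates do not flag (including 0.0.0.0/8 beyond the single unspecified address, and CGNAT 100.64.0.0/10) and shows the root-prefix check for archived downloads. Function names, the `/var/lib/honeypot/downloads` root and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"path/filepath"
	"strings"
)

// reservedV4 lists IPv4 ranges that netip's own predicates (IsPrivate, IsLoopback,
// IsLinkLocalUnicast, IsMulticast, IsUnspecified) do not flag.
var reservedV4 = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),       // "this network"; IsUnspecified covers only 0.0.0.0/32
	netip.MustParsePrefix("100.64.0.0/10"),   // shared address space / CGNAT (RFC 6598)
	netip.MustParsePrefix("192.0.0.0/24"),    // IETF protocol assignments
	netip.MustParsePrefix("192.0.2.0/24"),    // TEST-NET-1
	netip.MustParsePrefix("198.18.0.0/15"),   // benchmarking
	netip.MustParsePrefix("198.51.100.0/24"), // TEST-NET-2
	netip.MustParsePrefix("203.0.113.0/24"),  // TEST-NET-3
	netip.MustParsePrefix("240.0.0.0/4"),     // reserved, includes the 255.255.255.255 broadcast address
}

// reservedV6 lists IPv6 ranges that embed an IPv4 address or are not legitimate fetch targets.
var reservedV6 = []netip.Prefix{
	netip.MustParsePrefix("64:ff9b::/96"),  // NAT64 well-known prefix
	netip.MustParsePrefix("2001::/32"),     // Teredo
	netip.MustParsePrefix("2001:db8::/32"), // documentation
	netip.MustParsePrefix("2002::/16"),     // 6to4
}

// IsForbiddenDestination reports whether an outbound fetch to ip must be refused.
// IPv4-mapped IPv6 addresses are unmapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1.
func IsForbiddenDestination(ip netip.Addr) bool {
	ip = ip.Unmap()
	if !ip.IsValid() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return true
	}
	ranges := reservedV6
	if ip.Is4() {
		ranges = reservedV4
	}
	for _, p := range ranges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckDestination is the string form applied to a resolved address right before connecting.
// It must run on every resolved A/AAAA record (not on the hostname) and again after each
// redirect; otherwise DNS answers pointing at internal space bypass the guard.
func CheckDestination(s string) error {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return fmt.Errorf("not an IP literal: %w", err)
	}
	if IsForbiddenDestination(ip) {
		return fmt.Errorf("destination %s is a reserved or internal address", ip)
	}
	return nil
}

// ContainedPath maps an attacker-supplied download name onto root and refuses anything
// that would land outside root after cleaning (".." segments, or root itself).
// It does not follow symlinks; resolve root with filepath.EvalSymlinks first if it may contain any.
func ContainedPath(root, name string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, name) // Join cleans, so traversal is resolved before the check
	if full == root || !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", fmt.Errorf("name %q escapes archive root %q", name, root)
	}
	return full, nil
}

func main() {
	for _, s := range []string{"100.64.1.2", "0.0.0.0", "::ffff:127.0.0.1", "64:ff9b::808:808", "1.1.1.1"} {
		fmt.Printf("%-18s forbidden=%v\n", s, IsForbiddenDestination(netip.MustParseAddr(s)))
	}
	p, err := ContainedPath("/var/lib/honeypot/downloads", "../../escaped.bin") // constructed paths
	fmt.Println(p, err)
}
```

The same prefix-matching approach covers the `admin_ips` CIDR bullet: parse each configured entry with `netip.ParsePrefix` (a bare address becomes a /32 or /128) and test the client address with `Contains`, after unmapping it.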
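The CSV/IOC export neutralization from the CWE-1236 bullet, as an added Go example that is not the project's code: a leading formula trigger is prefixed with a single quote so spreadsheet importers read the cell as text, and `encoding/csv` handles the structural quoting. The trigger set, the header and the sample row are constructed here.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// formulaTriggers are the leading bytes that make spreadsheet importers evaluate a cell.
// Tab and carriage return are included because some importers strip them and re-test the cell.
const formulaTriggers = "=+-@\t\r"

// NeutralizeCell makes an attacker-controlled string safe to place in a CSV cell.
// A leading trigger is prefixed with a single quote, which forces text interpretation;
// honeypot fields such as usernames, passwords, URLs and commands are the ones that need it.
func NeutralizeCell(s string) string {
	if s != "" && strings.IndexByte(formulaTriggers, s[0]) >= 0 {
		return "'" + s
	}
	return s
}

// ExportCSV writes a header we control followed by rows whose cells are all attacker-controlled.
// encoding/csv quotes separators, quotes and newlines; NeutralizeCell covers the formula case
// that RFC 4180 quoting alone does not.
func ExportCSV(header []string, rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	if err := w.Write(header); err != nil {
		return "", err
	}
	for _, row := range rows {
		safe := make([]string, len(row))
		for i, cell := range row {
			safe[i] = NeutralizeCell(cell)
		}
		if err := w.Write(safe); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed sample: an attacker typed a formula as the SSH username.
	out, err := ExportCSV([]string{"session", "username", "password"},
		[][]string{{"s1", "=2+2", "pass,word"}})
	fmt.Print(out, err)
}
```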

Installer / ops

  • uninstall [--purge] command — reverses the full install in lockout-safe order (SSH restored first), reading the persisted config for accurate firewall/teardown. Documented alongside a step-by-step setup guide in the README.
  • Release binaries are now version+commit stamped.

New widgets

  • Red Team Pending uploads panel (only not-yet-shared, MalwareBazaar-eligible payloads).
  • Overview uptime stat.

Full diff: v1.6...v1.9.

Installer

  • Hand-holding setup from the basics: the installer now greets you with what it will do, helps you paste in an SSH public key if the server doesn't have one yet (installing it with correct perms), and pauses at a verify gate to confirm ssh -p <admin-port> works before continuing — so a fresh-VPS user can't get locked out. Ports are validated; uninstall reads the persisted config for accurate teardown.