v2.1.3 — Fix AbuseIPDB Data Mixing Between WAN and Attacker IPs

@jmasarweh jmasarweh released this 19 Feb 14:19

AbuseIPDB Enrichment Fix (Issue #30)

  • Fixed hostname and usage_type mixing where the WAN IP's AbuseIPDB data (e.g. ISP hostname) was displayed on attacker log rows
  • Log detail query now uses direction-aware field selection — inbound logs pull from src IP threats, outbound from dst, eliminating cross-contamination via COALESCE
  • Manual enrichment endpoint rejects WAN/gateway IPs with HTTP 400, preventing future contamination
  • Manual enrichment log patching split into two direction-aware passes (src and dst) instead of a single direction-blind UPDATE
  • Blacklist import now filters out WAN/gateway IPs before inserting into ip_threats
  • upsert_threat() guard prevents WAN/gateway IPs from being stored as threats (defense-in-depth)
  • One-time migration repairs ~64k previously corrupted log rows by re-patching from the correct source IP's threat data
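
The direction-blind versus direction-aware lookup and the upsert_threat() guard, shown as an added illustration with a constructed SQLite schema and TEST-NET addresses (hypothetical; not the project's own code or schema):

```python
import sqlite3
# Constructed sample data using TEST-NET addresses; hypothetical, not the project's real schema.
WAN_IPS = {"203.0.113.10"}          # this sensor's own WAN/gateway address

# Direction-blind: COALESCE falls through to the *other* endpoint's threat data.
DIRECTION_BLIND = """
    SELECT l.id, COALESCE(s.hostname, d.hostname)
    FROM logs l
    LEFT JOIN ip_threats s ON s.ip = l.src_ip
    LEFT JOIN ip_threats d ON d.ip = l.dst_ip"""

# Direction-aware: inbound rows take the src IP's data, outbound rows the dst IP's; no fallback.
DIRECTION_AWARE = """
    SELECT l.id,
           CASE WHEN l.direction = 'inbound' THEN s.hostname ELSE d.hostname END
    FROM logs l
    LEFT JOIN ip_threats s ON s.ip = l.src_ip
    LEFT JOIN ip_threats d ON d.ip = l.dst_ip"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ip_threats (ip TEXT PRIMARY KEY, hostname TEXT, usage_type TEXT);
        CREATE TABLE logs (id INTEGER PRIMARY KEY, direction TEXT, src_ip TEXT, dst_ip TEXT);
        -- the WAN IP was enriched before any guard existed: this is the contamination source
        INSERT INTO ip_threats VALUES ('203.0.113.10', 'isp-gateway.example', 'Fixed Line ISP');
        INSERT INTO ip_threats VALUES ('198.51.100.5', 'scanner.example', 'Data Center');
        INSERT INTO logs VALUES (1, 'inbound',  '198.51.100.5',  '203.0.113.10');
        INSERT INTO logs VALUES (2, 'inbound',  '198.51.100.77', '203.0.113.10');  -- attacker not yet enriched
        INSERT INTO logs VALUES (3, 'outbound', '203.0.113.10',  '198.51.100.5');
    """)
    return db

def hostnames(db, query):
    """Return {log_id: hostname shown on that row} for the given detail query."""
    return dict(db.execute(query).fetchall())

def upsert_threat(db, ip, hostname, usage_type, wan_ips=WAN_IPS):
    """Defense-in-depth guard: never store this sensor's own WAN/gateway IP as a threat."""
    if ip in wan_ips:
        return False
    db.execute("INSERT OR REPLACE INTO ip_threats VALUES (?, ?, ?)", (ip, hostname, usage_type))
    return True

if __name__ == "__main__":
    db = build_db()
    print("direction-blind:", hostnames(db, DIRECTION_BLIND))   # rows 2 and 3 show the ISP gateway hostname
    print("direction-aware:", hostnames(db, DIRECTION_AWARE))   # row 2 is None, row 3 shows the attacker
    print("WAN upsert accepted:", upsert_threat(db, "203.0.113.10", "x", "y"))  # False
```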

Key Files Modified

  • receiver/routes/logs.py — direction-aware CASE WHEN for all 7 abuse COALESCE fields
  • receiver/routes/abuseipdb.py — WAN IP rejection + two-pass direction-aware UPDATE
  • receiver/backfill.py — one-time repair migration for contaminated log rows
  • receiver/blacklist.py — WAN/gateway IP filtering on blacklist import
  • receiver/db.py — upsert_threat guard + migration flag seed