From 07b5025b0b57e3573ccaf128087e0acf8f24cdeb Mon Sep 17 00:00:00 2001
From: Malin <malin@cloudhost.es>
Date: Tue, 10 Mar 2026 07:57:16 +0100
Subject: [PATCH] fix: CF7 bypass, auto-flush, layout, contrast, IP geo v2.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CF7:
- Add wpcf7_spam filter registered before is_admin() early-return so
  CF7 AJAX submissions (admin-ajax.php) are properly validated
- Exclude CF7 posts from generic catch-all (prevent double-checking)

Auto-flush:
- Add maybe_flush_overdue() with 5-min transient lock, hooked to
  shutdown action so every PHP request can trigger a flush if overdue
- No longer depends solely on WP-Cron firing

Dashboard layout:
- Top Attackers moved into right column below live feed
- Viewport-fill layout: body/main use flex+overflow:hidden so content
  stays in view; left col scrolls independently if needed
- Feed panel takes flex:1, attackers panel capped at 260px

Colors:
- --dim: #006600 → #44bb77 (legible secondary text, ~5:1 contrast)
- --dim2: #228844 added for slightly darker secondary use
- --muted kept dark for backgrounds only; border lightened slightly

IP geo (server-side, async, non-blocking):
- country + asn columns added to blocks table (migration-safe)
- enrichIP() calls ip-api.com free HTTP API per unique IP, cached 1h
- Background job enriches historic rows missing country (5 per 20s)
- Stats and live feed now include country code + ASN
- Dashboard shows country flag emoji in feed rows and attackers table
- Full AS name shown as tooltip on ASN column

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 api/public/index.html | 743 +++++++++++++++++++-----------------------
 api/server.js         |  78 ++++-
 honeypot-fields.php   |  30 +-
 3 files changed, 437 insertions(+), 414 deletions(-)

diff --git a/api/public/index.html b/api/public/index.html
index a92c45d..e9f33f3 100644
--- a/api/public/index.html
+++ b/api/public/index.html
@@ -6,21 +6,21 @@
 <title>HONEYPOT // NETWORK MONITOR</title>
 <style>
 :root {
-  --bg:      #000a00;
-  --bg2:     #010f01;
-  --green:   #00ff41;
-  --green2:  #00cc33;
-  --dim:     #006600;
-  --muted:   #002800;
-  --border:  #003300;
-  --red:     #ff3333;
-  --amber:   #ffaa00;
-  --white:   #ccffcc;
+  --bg:       #000a00;
+  --bg2:      #010f01;
+  --green:    #00ff41;
+  --green2:   #00dd44;
+  --dim:      #44bb77;   /* was #006600 — now legible secondary text */
+  --dim2:     #228844;   /* slightly darker secondary for non-critical labels */
+  --muted:    #002800;   /* backgrounds only */
+  --border:   #003a00;
+  --red:      #ff4040;
+  --amber:    #ffaa00;
+  --white:    #d4ffd4;
 }
 
 *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-
-html { scrollbar-color: var(--dim) var(--bg); scrollbar-width: thin; }
+html { scrollbar-color: var(--dim2) var(--bg); scrollbar-width: thin; }
 
 body {
   background: var(--bg);
@@ -28,7 +28,10 @@ body {
   font-family: 'Courier New', 'Lucida Console', monospace;
   font-size: 13px;
   line-height: 1.5;
-  min-height: 100vh;
+  height: 100vh;
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
 }
 
 /* CRT scanline overlay */
@@ -38,7 +41,7 @@ body::after {
   inset: 0;
   background: repeating-linear-gradient(
     0deg, transparent, transparent 2px,
-    rgba(0,0,0,.07) 2px, rgba(0,0,0,.07) 4px
+    rgba(0,0,0,.06) 2px, rgba(0,0,0,.06) 4px
   );
   pointer-events: none;
   z-index: 9999;
@@ -50,17 +53,18 @@ body::after {
 /* ── Header ─────────────────────────────────────────────────────────── */
 header {
   border-bottom: 1px solid var(--border);
-  padding: 10px 20px;
+  padding: 8px 20px;
   display: flex;
   align-items: center;
   justify-content: space-between;
   background: var(--bg2);
+  flex-shrink: 0;
   flex-wrap: wrap;
-  gap: 8px;
+  gap: 6px;
 }
 
 .logo {
-  font-size: 17px;
+  font-size: 16px;
   font-weight: bold;
   letter-spacing: 4px;
   color: var(--green);
@@ -70,7 +74,7 @@ header {
 .header-right {
   display: flex;
   align-items: center;
-  gap: 16px;
+  gap: 14px;
   font-size: 11px;
   color: var(--green2);
   letter-spacing: 1px;
@@ -84,248 +88,247 @@ header {
   animation: blink 1s step-end infinite;
   box-shadow: 0 0 6px var(--red);
   vertical-align: middle;
-  margin-right: 5px;
+  margin-right: 4px;
 }
 
 @keyframes blink { 50% { opacity: 0; } }
 
-/* ── Lang switcher ───────────────────────────────────────────────────── */
-.lang-switcher { display: flex; gap: 4px; align-items: center; }
+.lang-switcher { display: flex; gap: 3px; align-items: center; }
 .lang-btn {
-  background: none;
-  border: none;
-  cursor: pointer;
-  padding: 1px 2px;
-  line-height: 1;
+  background: none; border: none; cursor: pointer;
+  padding: 1px 2px; line-height: 1;
   transition: opacity .15s, font-size .15s;
 }
-.lang-btn.active  { font-size: 20px; opacity: 1; }
-.lang-btn.inactive { font-size: 14px; opacity: 0.4; }
+.lang-btn.active   { font-size: 20px; opacity: 1; }
+.lang-btn.inactive { font-size: 14px; opacity: 0.35; }
 
 /* ── Main ───────────────────────────────────────────────────────────── */
-main { padding: 14px 16px; max-width: 1700px; margin: 0 auto; }
+main {
+  flex: 1;
+  min-height: 0;
+  padding: 10px 14px;
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  overflow: hidden;
+}
 
 /* ── Stat cards ─────────────────────────────────────────────────────── */
 .stats-row {
   display: grid;
   grid-template-columns: repeat(5, 1fr);
-  gap: 10px;
-  margin-bottom: 14px;
+  gap: 8px;
+  flex-shrink: 0;
 }
 
 .stat-card {
   background: var(--bg2);
   border: 1px solid var(--border);
-  padding: 14px 12px 12px;
+  padding: 10px 10px 8px;
   text-align: center;
   position: relative;
   transition: border-color .2s;
 }
 .stat-card::before {
-  content: '';
-  position: absolute;
+  content: ''; position: absolute;
   top: 0; left: 0; right: 0; height: 2px;
   background: var(--muted);
   transition: background .2s, box-shadow .2s;
 }
-.stat-card:hover { border-color: var(--dim); }
+.stat-card:hover { border-color: var(--dim2); }
 .stat-card:hover::before { background: var(--green); box-shadow: 0 0 8px var(--green); }
 
 .stat-num {
-  font-size: 30px;
-  font-weight: bold;
-  letter-spacing: 2px;
-  line-height: 1.1;
+  font-size: 26px; font-weight: bold;
+  letter-spacing: 2px; line-height: 1.1;
   color: var(--green);
 }
 .stat-lbl {
-  font-size: 9px;
-  letter-spacing: 3px;
+  font-size: 9px; letter-spacing: 2px;
   text-transform: uppercase;
-  color: var(--green2);
-  margin-top: 5px;
-}
-
-/* ── Content grid ───────────────────────────────────────────────────── */
-.content-grid {
-  display: grid;
-  grid-template-columns: 1fr 360px;
-  gap: 10px;
-  margin-bottom: 10px;
-  align-items: start;
-}
-
-.left-col { display: flex; flex-direction: column; gap: 10px; }
-
-/* ── Panel ──────────────────────────────────────────────────────────── */
-.panel {
-  background: var(--bg2);
-  border: 1px solid var(--border);
-}
-.panel-hdr {
-  padding: 7px 14px;
-  border-bottom: 1px solid var(--border);
-  font-size: 10px;
-  letter-spacing: 3px;
-  color: var(--amber);
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-}
-.panel-body { padding: 12px 14px; }
-
-/* ── 24h Chart ──────────────────────────────────────────────────────── */
-#chart { width: 100%; height: 80px; display: block; }
-
-/* ── Bar lists ──────────────────────────────────────────────────────── */
-.bars-2col {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 18px;
-}
-.bar-section-title {
-  font-size: 10px;
-  letter-spacing: 2px;
-  color: var(--amber);
-  margin-bottom: 8px;
-}
-.bar-list { list-style: none; }
-.bar-item {
-  display: grid;
-  grid-template-columns: 160px 1fr 55px;
-  align-items: center;
-  gap: 8px;
-  padding: 3px 0;
-  font-size: 12px;
-}
-.bar-lbl {
-  color: var(--white);
-  overflow: hidden;
-  text-overflow: ellipsis;
-  white-space: nowrap;
-}
-.bar-track { background: var(--muted); height: 8px; }
-.bar-fill  { background: var(--green); height: 100%; transition: width .5s ease; }
-.bar-cnt   { color: var(--green2); font-size: 11px; text-align: right; }
-
-/* ── Live feed ──────────────────────────────────────────────────────── */
-.feed-panel { display: flex; flex-direction: column; min-height: 500px; }
-
-#feed {
-  flex: 1;
-  overflow-y: auto;
-  padding: 8px 14px;
-  font-size: 11px;
-  line-height: 1.7;
-}
-#feed::-webkit-scrollbar { width: 3px; }
-#feed::-webkit-scrollbar-track { background: var(--bg); }
-#feed::-webkit-scrollbar-thumb { background: var(--dim); }
-
-.feed-row {
-  display: grid;
-  grid-template-columns: 62px 130px auto;
-  gap: 6px;
-  border-bottom: 1px solid var(--muted);
-  padding: 1px 0;
-  align-items: start;
-}
-.feed-ts     { color: var(--dim); }
-.feed-ip     { color: var(--amber); }
-.feed-form   { color: var(--green2); }
-.feed-reason { color: var(--dim); font-size: 10px; }
-
-.feed-footer {
-  padding: 7px 14px;
-  border-top: 1px solid var(--border);
-  font-size: 10px;
   color: var(--dim);
-  display: flex;
-  justify-content: space-between;
+  margin-top: 3px;
 }
 
-/* Blinking cursor */
-.cursor::after { content: '█'; animation: blink 1s step-end infinite; }
-
-/* ── Attackers table ────────────────────────────────────────────────── */
-.atk-table {
-  width: 100%;
-  border-collapse: collapse;
-  font-size: 12px;
-}
-.atk-table th {
-  padding: 7px 14px;
-  text-align: left;
-  color: var(--amber);
-  font-size: 10px;
-  letter-spacing: 2px;
-  border-bottom: 1px solid var(--border);
-  white-space: nowrap;
-}
-.atk-table td { padding: 6px 14px; border-bottom: 1px solid var(--muted); }
-.atk-table tr:hover td { background: var(--muted); }
-
-.atk-rank { color: var(--dim); }
-.atk-ip   { color: var(--amber); font-weight: bold; }
-.atk-hits { color: var(--green); font-weight: bold; }
-
-.mini-bar { height: 8px; background: var(--muted); max-width: 240px; width: 100%; }
-.mini-fill { background: var(--green); height: 100%; box-shadow: 0 0 4px var(--green); transition: width .5s; }
-
-/* ── Footer ─────────────────────────────────────────────────────────── */
-footer {
-  border-top: 1px solid var(--border);
-  padding: 9px 20px;
-  font-size: 10px;
-  color: var(--dim);
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  letter-spacing: 1px;
-  flex-wrap: wrap;
-  gap: 6px;
-}
-footer a { color: var(--dim); text-decoration: none; }
-footer a:hover { color: var(--green2); }
-.footer-eu { display: flex; align-items: center; gap: 6px; }
-
 /* ── Top target banner ──────────────────────────────────────────────── */
 #top-target {
   background: var(--bg2);
   border: 1px solid #2a0000;
   border-left: 3px solid var(--red);
-  padding: 10px 16px;
-  margin-bottom: 14px;
+  padding: 7px 14px;
   display: flex;
   align-items: center;
-  gap: 16px;
+  gap: 14px;
   flex-wrap: wrap;
+  flex-shrink: 0;
 }
-#top-target .tt-label {
-  font-size: 10px;
-  letter-spacing: 3px;
-  color: var(--dim);
+#top-target .tt-label { font-size: 10px; letter-spacing: 2px; color: var(--dim2); }
+#top-target .tt-form  { font-size: 14px; font-weight: bold; color: var(--red); text-shadow: 0 0 10px var(--red); }
+#top-target .tt-hits  { font-size: 11px; color: var(--amber); }
+#top-target .tt-pct   { font-size: 11px; color: var(--dim); }
+
+/* ── Content grid ───────────────────────────────────────────────────── */
+.content-grid {
+  display: grid;
+  grid-template-columns: 1fr 420px;
+  gap: 8px;
+  flex: 1;
+  min-height: 0;
+  overflow: hidden;
 }
-#top-target .tt-form {
-  font-size: 15px;
-  font-weight: bold;
-  color: var(--red);
-  text-shadow: 0 0 10px var(--red);
-  letter-spacing: 1px;
+
+/* ── Left column ────────────────────────────────────────────────────── */
+.left-col {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  overflow-y: auto;
+  min-height: 0;
 }
-#top-target .tt-hits { font-size: 11px; color: var(--amber); }
-#top-target .tt-pct  { font-size: 11px; color: var(--dim); }
+.left-col::-webkit-scrollbar { width: 3px; }
+.left-col::-webkit-scrollbar-track { background: var(--bg); }
+.left-col::-webkit-scrollbar-thumb { background: var(--dim2); }
+
+/* ── Right column ───────────────────────────────────────────────────── */
+.right-col {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  min-height: 0;
+  overflow: hidden;
+}
+
+/* ── Panel ──────────────────────────────────────────────────────────── */
+.panel { background: var(--bg2); border: 1px solid var(--border); }
+.panel-hdr {
+  padding: 6px 12px;
+  border-bottom: 1px solid var(--border);
+  font-size: 10px; letter-spacing: 2px;
+  color: var(--amber);
+  display: flex; align-items: center; justify-content: space-between;
+}
+.panel-body { padding: 10px 12px; }
+
+/* ── 24h Chart ──────────────────────────────────────────────────────── */
+#chart { width: 100%; height: 72px; display: block; }
+
+/* ── Bar lists ──────────────────────────────────────────────────────── */
+.bars-2col { display: grid; grid-template-columns: 1fr 1fr; gap: 14px; }
+.bar-section-title { font-size: 10px; letter-spacing: 2px; color: var(--amber); margin-bottom: 6px; }
+.bar-list { list-style: none; }
+.bar-item {
+  display: grid;
+  grid-template-columns: 140px 1fr 50px;
+  align-items: center;
+  gap: 6px; padding: 2px 0; font-size: 11px;
+}
+.bar-lbl  { color: var(--white); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+.bar-track { background: var(--muted); height: 6px; }
+.bar-fill  { background: var(--green); height: 100%; transition: width .5s ease; }
+.bar-cnt   { color: var(--dim); font-size: 11px; text-align: right; }
+
+/* ── Live feed ──────────────────────────────────────────────────────── */
+.feed-panel {
+  display: flex;
+  flex-direction: column;
+  flex: 1;
+  min-height: 0;
+  overflow: hidden;
+}
+
+#feed {
+  flex: 1;
+  overflow-y: auto;
+  padding: 6px 12px;
+  font-size: 11px;
+  line-height: 1.6;
+  min-height: 0;
+}
+#feed::-webkit-scrollbar { width: 3px; }
+#feed::-webkit-scrollbar-track { background: var(--bg); }
+#feed::-webkit-scrollbar-thumb { background: var(--dim2); }
+
+.feed-row {
+  display: grid;
+  grid-template-columns: 58px 110px auto;
+  gap: 5px;
+  border-bottom: 1px solid var(--muted);
+  padding: 1px 0;
+  align-items: start;
+}
+.feed-ts     { color: var(--dim2); }
+.feed-ip     { color: var(--amber); }
+.feed-geo    { color: var(--dim); font-size: 10px; }
+.feed-form   { color: var(--green2); }
+.feed-reason { color: var(--dim); font-size: 10px; }
+
+.feed-footer {
+  padding: 5px 12px;
+  border-top: 1px solid var(--border);
+  font-size: 10px; color: var(--dim);
+  display: flex; justify-content: space-between;
+  flex-shrink: 0;
+}
+.cursor::after { content: '█'; animation: blink 1s step-end infinite; }
+
+/* ── Attackers (compact, in right col) ──────────────────────────────── */
+.atk-panel {
+  flex-shrink: 0;
+  max-height: 260px;
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+}
+.atk-scroll { overflow-y: auto; flex: 1; }
+.atk-scroll::-webkit-scrollbar { width: 3px; }
+.atk-scroll::-webkit-scrollbar-track { background: var(--bg); }
+.atk-scroll::-webkit-scrollbar-thumb { background: var(--dim2); }
+
+.atk-table { width: 100%; border-collapse: collapse; font-size: 11px; }
+.atk-table th {
+  padding: 5px 10px;
+  text-align: left; color: var(--amber);
+  font-size: 9px; letter-spacing: 2px;
+  border-bottom: 1px solid var(--border);
+  white-space: nowrap;
+  position: sticky; top: 0; background: var(--bg2);
+}
+.atk-table td { padding: 4px 10px; border-bottom: 1px solid var(--muted); }
+.atk-table tr:hover td { background: var(--muted); }
+
+.atk-rank  { color: var(--dim2); font-size: 10px; }
+.atk-ip    { color: var(--amber); font-weight: bold; }
+.atk-hits  { color: var(--green); font-weight: bold; }
+.atk-asn   { color: var(--dim); font-size: 10px; max-width: 90px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+
+.mini-bar  { height: 6px; background: var(--muted); min-width: 40px; width: 100%; }
+.mini-fill { background: var(--green); height: 100%; box-shadow: 0 0 4px var(--green); transition: width .5s; }
+
+/* ── Footer ─────────────────────────────────────────────────────────── */
+footer {
+  border-top: 1px solid var(--border);
+  padding: 6px 20px;
+  font-size: 10px; color: var(--dim2);
+  display: flex; justify-content: space-between; align-items: center;
+  letter-spacing: 1px; flex-shrink: 0; flex-wrap: wrap; gap: 4px;
+}
+footer a { color: var(--dim); text-decoration: none; }
+footer a:hover { color: var(--green2); }
+.footer-eu { display: flex; align-items: center; gap: 5px; }
 
 /* ── Responsive ─────────────────────────────────────────────────────── */
 @media (max-width: 1100px) {
+  body { overflow: auto; height: auto; }
   .stats-row { grid-template-columns: repeat(3, 1fr); }
-  .content-grid { grid-template-columns: 1fr; }
-  .feed-panel { min-height: 350px; }
+  .content-grid { grid-template-columns: 1fr; height: auto; }
+  .left-col { overflow: visible; }
+  .right-col { height: 700px; }
+  .feed-panel { flex: 1; }
 }
 @media (max-width: 640px) {
   .stats-row { grid-template-columns: 1fr 1fr; }
   .bars-2col { grid-template-columns: 1fr; }
-  .bar-item  { grid-template-columns: 110px 1fr 45px; }
+  .bar-item  { grid-template-columns: 100px 1fr 42px; }
 }
 </style>
 </head>
@@ -346,7 +349,6 @@ footer a:hover { color: var(--green2); }
 
 <main>
 
-  <!-- ── Stats row ──────────────────────────────────────────────────── -->
   <div class="stats-row">
     <div class="stat-card">
       <div class="stat-num glow" id="s-total">…</div>
@@ -370,7 +372,6 @@ footer a:hover { color: var(--green2); }
     </div>
   </div>
 
-  <!-- ── Most attacked form ────────────────────────────────────────── -->
   <div id="top-target">
     <span class="tt-label" id="tt-label" data-i18n="top_target_label">▶ MOST ATTACKED FORM (30D):</span>
     <span class="tt-form" id="tt-form">—</span>
@@ -378,23 +379,21 @@ footer a:hover { color: var(--green2); }
     <span class="tt-pct"  id="tt-pct"></span>
   </div>
 
-  <!-- ── Content grid ───────────────────────────────────────────────── -->
   <div class="content-grid">
 
+    <!-- Left: charts & bars -->
     <div class="left-col">
 
-      <!-- 24h chart -->
       <div class="panel">
         <div class="panel-hdr">
           <span data-i18n="chart_title">▶ 24H ACTIVITY TREND</span>
           <span id="chart-peak" style="color:var(--dim);font-size:11px"></span>
         </div>
-        <div class="panel-body" style="padding:10px 12px">
+        <div class="panel-body" style="padding:8px 10px">
           <canvas id="chart"></canvas>
         </div>
       </div>
 
-      <!-- Bar charts -->
       <div class="panel">
         <div class="panel-hdr" data-i18n="breakdown_title">▶ ATTACK BREAKDOWN // LAST 30 DAYS</div>
         <div class="panel-body">
@@ -411,7 +410,6 @@ footer a:hover { color: var(--green2); }
         </div>
       </div>
 
-      <!-- Block reasons -->
       <div class="panel">
         <div class="panel-hdr" data-i18n="reasons_title">▶ BLOCK REASONS // LAST 30 DAYS</div>
         <div class="panel-body">
@@ -421,41 +419,44 @@ footer a:hover { color: var(--green2); }
 
     </div><!-- /.left-col -->
 
-    <!-- Live feed -->
-    <div class="panel feed-panel">
-      <div class="panel-hdr">
-        <span data-i18n="feed_title">▶ LIVE THREAT FEED</span>
-        <span id="feed-count" style="color:var(--dim);font-size:11px">0 <span data-i18n="events">events</span></span>
+    <!-- Right: live feed + top attackers -->
+    <div class="right-col">
+
+      <div class="panel feed-panel">
+        <div class="panel-hdr">
+          <span data-i18n="feed_title">▶ LIVE THREAT FEED</span>
+          <span id="feed-count" style="color:var(--dim);font-size:11px">0 <span data-i18n="events">events</span></span>
+        </div>
+        <div id="feed"></div>
+        <div class="feed-footer">
+          <span class="cursor"></span>
+          <span id="feed-status" data-i18n="connecting">connecting…</span>
+        </div>
       </div>
-      <div id="feed"></div>
-      <div class="feed-footer">
-        <span class="cursor"></span>
-        <span id="feed-status" style="color:var(--dim)" data-i18n="connecting">connecting…</span>
+
+      <div class="panel atk-panel">
+        <div class="panel-hdr" data-i18n="attackers_title">▶ TOP ATTACKERS // LAST 30 DAYS</div>
+        <div class="atk-scroll">
+          <table class="atk-table">
+            <thead>
+              <tr>
+                <th>#</th>
+                <th data-i18n="col_ip">IP ADDRESS</th>
+                <th data-i18n="col_hits">HITS</th>
+                <th data-i18n="col_asn">AS</th>
+              </tr>
+            </thead>
+            <tbody id="atk-body">
+              <tr><td colspan="4" style="text-align:center;padding:14px;color:var(--dim)" data-i18n="loading">Loading…</td></tr>
+            </tbody>
+          </table>
+        </div>
       </div>
-    </div>
+
+    </div><!-- /.right-col -->
 
   </div><!-- /.content-grid -->
 
-  <!-- ── Top Attackers ──────────────────────────────────────────────── -->
-  <div class="panel" style="margin-bottom:10px">
-    <div class="panel-hdr" data-i18n="attackers_title">▶ TOP ATTACKERS // LAST 30 DAYS</div>
-    <div style="overflow-x:auto">
-      <table class="atk-table">
-        <thead>
-          <tr>
-            <th style="width:50px" data-i18n="col_rank">RANK</th>
-            <th data-i18n="col_ip">IP ADDRESS</th>
-            <th style="width:110px" data-i18n="col_hits">TOTAL HITS</th>
-            <th data-i18n="col_freq">FREQUENCY</th>
-          </tr>
-        </thead>
-        <tbody id="atk-body">
-          <tr><td colspan="4" style="text-align:center;padding:20px;color:var(--dim)" data-i18n="loading">Loading…</td></tr>
-        </tbody>
-      </table>
-    </div>
-  </div>
-
 </main>
 
 <footer>
@@ -472,106 +473,64 @@ footer a:hover { color: var(--green2); }
 // ── i18n ──────────────────────────────────────────────────────────────────────
 const I18N = {
   en: {
-    live_feed:        'LIVE FEED',
-    stat_total:       'TOTAL BLOCKED',
-    stat_today:       'TODAY',
-    stat_7d:          'LAST 7 DAYS',
-    stat_30d:         'LAST 30 DAYS',
-    stat_sites:       'SITES REPORTING',
+    live_feed: 'LIVE FEED', stat_total: 'TOTAL BLOCKED', stat_today: 'TODAY',
+    stat_7d: 'LAST 7 DAYS', stat_30d: 'LAST 30 DAYS', stat_sites: 'SITES REPORTING',
     top_target_label: '▶ MOST ATTACKED FORM (30D):',
-    chart_title:      '▶ 24H ACTIVITY TREND',
-    breakdown_title:  '▶ ATTACK BREAKDOWN // LAST 30 DAYS',
-    form_types:       'FORM TYPES',
-    bot_toolkit:      'BOT TOOLKIT',
-    reasons_title:    '▶ BLOCK REASONS // LAST 30 DAYS',
-    feed_title:       '▶ LIVE THREAT FEED',
-    events:           'events',
-    connecting:       'connecting…',
-    connected:        'connected',
-    reconnecting:     'reconnecting…',
-    attackers_title:  '▶ TOP ATTACKERS // LAST 30 DAYS',
-    col_rank:         'RANK',
-    col_ip:           'IP ADDRESS',
-    col_hits:         'TOTAL HITS',
-    col_freq:         'FREQUENCY',
-    loading:          'Loading…',
-    no_data:          'No data yet',
-    footer_copy:      'HONEYPOT NETWORK MONITOR // CENTRALIZED THREAT INTELLIGENCE',
-    refreshed:        'REFRESHED:',
-    made_in_eu:       '🇪🇺 Made & hosted in the EU by',
+    chart_title: '▶ 24H ACTIVITY TREND',
+    breakdown_title: '▶ ATTACK BREAKDOWN // LAST 30 DAYS',
+    form_types: 'FORM TYPES', bot_toolkit: 'BOT TOOLKIT',
+    reasons_title: '▶ BLOCK REASONS // LAST 30 DAYS',
+    feed_title: '▶ LIVE THREAT FEED', events: 'events',
+    connecting: 'connecting…', connected: 'connected', reconnecting: 'reconnecting…',
+    attackers_title: '▶ TOP ATTACKERS // LAST 30 DAYS',
+    col_ip: 'IP ADDRESS', col_hits: 'HITS', col_asn: 'AS',
+    loading: 'Loading…', no_data: 'No data yet',
+    footer_copy: 'HONEYPOT NETWORK MONITOR // CENTRALIZED THREAT INTELLIGENCE',
+    refreshed: 'REFRESHED:', made_in_eu: '🇪🇺 Made & hosted in the EU by',
   },
   es: {
-    live_feed:        'EN VIVO',
-    stat_total:       'TOTAL BLOQUEADOS',
-    stat_today:       'HOY',
-    stat_7d:          'ÚLTIMOS 7 DÍAS',
-    stat_30d:         'ÚLTIMOS 30 DÍAS',
-    stat_sites:       'SITIOS REPORTANDO',
+    live_feed: 'EN VIVO', stat_total: 'TOTAL BLOQUEADOS', stat_today: 'HOY',
+    stat_7d: 'ÚLTIMOS 7 DÍAS', stat_30d: 'ÚLTIMOS 30 DÍAS', stat_sites: 'SITIOS REPORTANDO',
     top_target_label: '▶ FORMULARIO MÁS ATACADO (30D):',
-    chart_title:      '▶ TENDENCIA DE ACTIVIDAD 24H',
-    breakdown_title:  '▶ DESGLOSE DE ATAQUES // ÚLTIMOS 30 DÍAS',
-    form_types:       'TIPOS DE FORMULARIO',
-    bot_toolkit:      'HERRAMIENTAS BOT',
-    reasons_title:    '▶ MOTIVOS DE BLOQUEO // ÚLTIMOS 30 DÍAS',
-    feed_title:       '▶ FEED DE AMENAZAS EN VIVO',
-    events:           'eventos',
-    connecting:       'conectando…',
-    connected:        'conectado',
-    reconnecting:     'reconectando…',
-    attackers_title:  '▶ TOP ATACANTES // ÚLTIMOS 30 DÍAS',
-    col_rank:         'RANGO',
-    col_ip:           'DIRECCIÓN IP',
-    col_hits:         'TOTAL IMPACTOS',
-    col_freq:         'FRECUENCIA',
-    loading:          'Cargando…',
-    no_data:          'Sin datos aún',
-    footer_copy:      'MONITOR DE RED HONEYPOT // INTELIGENCIA CENTRALIZADA DE AMENAZAS',
-    refreshed:        'ACTUALIZADO:',
-    made_in_eu:       '🇪🇺 Hecho y alojado en la UE por',
+    chart_title: '▶ TENDENCIA 24H',
+    breakdown_title: '▶ DESGLOSE DE ATAQUES // ÚLTIMOS 30 DÍAS',
+    form_types: 'TIPOS DE FORMULARIO', bot_toolkit: 'HERRAMIENTAS BOT',
+    reasons_title: '▶ MOTIVOS DE BLOQUEO // ÚLTIMOS 30 DÍAS',
+    feed_title: '▶ FEED EN VIVO', events: 'eventos',
+    connecting: 'conectando…', connected: 'conectado', reconnecting: 'reconectando…',
+    attackers_title: '▶ TOP ATACANTES // ÚLTIMOS 30 DÍAS',
+    col_ip: 'DIRECCIÓN IP', col_hits: 'IMPACTOS', col_asn: 'AS',
+    loading: 'Cargando…', no_data: 'Sin datos aún',
+    footer_copy: 'MONITOR HONEYPOT // INTELIGENCIA CENTRALIZADA DE AMENAZAS',
+    refreshed: 'ACTUALIZADO:', made_in_eu: '🇪🇺 Hecho y alojado en la UE por',
   },
   ro: {
-    live_feed:        'LIVE',
-    stat_total:       'TOTAL BLOCATE',
-    stat_today:       'AZI',
-    stat_7d:          'ULTIMELE 7 ZILE',
-    stat_30d:         'ULTIMELE 30 ZILE',
-    stat_sites:       'SITE-URI RAPORTÂND',
+    live_feed: 'LIVE', stat_total: 'TOTAL BLOCATE', stat_today: 'AZI',
+    stat_7d: 'ULTIMELE 7 ZILE', stat_30d: 'ULTIMELE 30 ZILE', stat_sites: 'SITE-URI RAPORTÂND',
     top_target_label: '▶ FORMULARUL CEL MAI ATACAT (30Z):',
-    chart_title:      '▶ TENDINȚĂ ACTIVITATE 24H',
-    breakdown_title:  '▶ ANALIZA ATACURILOR // ULTIMELE 30 ZILE',
-    form_types:       'TIPURI FORMULAR',
-    bot_toolkit:      'INSTRUMENTE BOT',
-    reasons_title:    '▶ MOTIVE BLOCARE // ULTIMELE 30 ZILE',
-    feed_title:       '▶ FLUX LIVE AMENINȚĂRI',
-    events:           'evenimente',
-    connecting:       'conectare…',
-    connected:        'conectat',
-    reconnecting:     'reconectare…',
-    attackers_title:  '▶ TOP ATACATORI // ULTIMELE 30 ZILE',
-    col_rank:         'RANG',
-    col_ip:           'ADRESĂ IP',
-    col_hits:         'TOTAL ACCESĂRI',
-    col_freq:         'FRECVENȚĂ',
-    loading:          'Se încarcă…',
-    no_data:          'Fără date încă',
-    footer_copy:      'MONITOR REȚEA HONEYPOT // INFORMAȚII CENTRALIZATE DESPRE AMENINȚĂRI',
-    refreshed:        'ACTUALIZAT:',
-    made_in_eu:       '🇪🇺 Realizat și găzduit în UE de',
+    chart_title: '▶ TENDINȚĂ 24H',
+    breakdown_title: '▶ ANALIZA ATACURILOR // ULTIMELE 30 ZILE',
+    form_types: 'TIPURI FORMULAR', bot_toolkit: 'INSTRUMENTE BOT',
+    reasons_title: '▶ MOTIVE BLOCARE // ULTIMELE 30 ZILE',
+    feed_title: '▶ FLUX LIVE AMENINȚĂRI', events: 'evenimente',
+    connecting: 'conectare…', connected: 'conectat', reconnecting: 'reconectare…',
+    attackers_title: '▶ TOP ATACATORI // ULTIMELE 30 ZILE',
+    col_ip: 'ADRESĂ IP', col_hits: 'ACCESĂRI', col_asn: 'AS',
+    loading: 'Se încarcă…', no_data: 'Fără date încă',
+    footer_copy: 'MONITOR REȚEA HONEYPOT // INFORMAȚII CENTRALIZATE DESPRE AMENINȚĂRI',
+    refreshed: 'ACTUALIZAT:', made_in_eu: '🇪🇺 Realizat și găzduit în UE de',
   },
 };
 
 function detectLang() {
-  const saved = localStorage.getItem('hp_lang');
-  if (saved && I18N[saved]) return saved;
+  const s = localStorage.getItem('hp_lang');
+  if (s && I18N[s]) return s;
   const nav = (navigator.language || 'en').slice(0, 2).toLowerCase();
   return I18N[nav] ? nav : 'en';
 }
-
 let currentLang = detectLang();
 
-function t(key) {
-  return (I18N[currentLang] || I18N.en)[key] || (I18N.en[key] || key);
-}
+function t(k) { return (I18N[currentLang] || I18N.en)[k] || (I18N.en[k] || k); }
 
 function setLang(lang) {
   if (!I18N[lang]) return;
@@ -584,35 +543,34 @@ function setLang(lang) {
 
 function applyTranslations() {
   document.querySelectorAll('[data-i18n]').forEach(el => {
-    const key = el.getAttribute('data-i18n');
-    // Don't overwrite elements that also have dynamic child content
-    if (el.children.length === 0) el.textContent = t(key);
+    if (el.children.length === 0) el.textContent = t(el.getAttribute('data-i18n'));
   });
-  document.title = t('chart_title').replace('▶ ', '').split('//')[0].trim() + ' // NETWORK MONITOR';
 }
 
 function updateLangButtons() {
   document.querySelectorAll('.lang-btn').forEach(btn => {
-    const active = btn.dataset.lang === currentLang;
-    btn.className = 'lang-btn ' + (active ? 'active' : 'inactive');
+    btn.className = 'lang-btn ' + (btn.dataset.lang === currentLang ? 'active' : 'inactive');
   });
 }
 
+// ── Country flag helper ───────────────────────────────────────────────────────
+function flag(cc) {
+  if (!cc || cc.length !== 2) return '';
+  // Regional indicator symbols: offset 127397 from ASCII
+  return String.fromCodePoint(...[...cc.toUpperCase()].map(c => c.charCodeAt(0) + 127397));
+}
+
 // ── Clock ─────────────────────────────────────────────────────────────────────
 const clockEl = document.getElementById('clock');
-function tick() {
-  const d = new Date();
-  clockEl.textContent = d.toISOString().slice(11,19) + ' UTC';
-}
+function tick() { clockEl.textContent = new Date().toISOString().slice(11,19) + ' UTC'; }
 tick(); setInterval(tick, 1000);
 
-// ── CountUp animation ─────────────────────────────────────────────────────────
+// ── CountUp ───────────────────────────────────────────────────────────────────
 const ctMap = new Map();
 function countUp(el, to) {
   const from = parseInt(el.textContent.replace(/,/g,'')) || 0;
   if (from === to) return;
-  const steps = 25, diff = to - from;
-  let s = 0;
+  const steps = 25, diff = to - from; let s = 0;
   clearInterval(ctMap.get(el));
   const id = setInterval(() => {
     s++;
@@ -625,13 +583,13 @@ function countUp(el, to) {
 // ── Bar charts ────────────────────────────────────────────────────────────────
 function renderBars(listEl, items) {
   if (!items || !items.length) {
-    listEl.innerHTML = `<li style="color:var(--dim);font-size:11px;padding:4px 0">${t('no_data')}</li>`;
+    listEl.innerHTML = `<li style="color:var(--dim);font-size:11px;padding:3px 0">${t('no_data')}</li>`;
     return;
   }
   const max = items[0].hits;
   listEl.innerHTML = items.map(item => {
     const label = item.form_type || item.ua_family || item.reason || item.ip || '?';
-    const pct   = max > 0 ? Math.round((item.hits / max) * 100) : 0;
+    const pct   = max > 0 ? Math.round(item.hits / max * 100) : 0;
     return `<li class="bar-item">
       <span class="bar-lbl" title="${esc(label)}">${esc(label)}</span>
       <div class="bar-track"><div class="bar-fill" style="width:${pct}%"></div></div>
@@ -645,130 +603,113 @@ const canvas = document.getElementById('chart');
 const ctx    = canvas.getContext('2d');
 
 function drawChart(hourly) {
-  const W = canvas.offsetWidth || 600;
-  const H = 80;
+  const W = canvas.offsetWidth || 600, H = 72;
   canvas.width  = W * (window.devicePixelRatio || 1);
   canvas.height = H * (window.devicePixelRatio || 1);
   ctx.scale(window.devicePixelRatio || 1, window.devicePixelRatio || 1);
   ctx.clearRect(0, 0, W, H);
 
   if (!hourly || !hourly.length) {
-    ctx.fillStyle = '#005500';
-    ctx.font = '12px Courier New';
-    ctx.fillText(t('no_data'), 10, 44);
-    return;
+    ctx.fillStyle = '#226644'; ctx.font = '12px Courier New';
+    ctx.fillText(t('no_data'), 10, 38); return;
   }
 
-  // Fill all 24 hours (missing = 0)
   const base = Math.floor(Date.now() / 1000 / 3600) * 3600;
   const map  = new Map(hourly.map(r => [r.h, r.n]));
-  const hrs  = Array.from({length: 24}, (_, i) => ({ h: base - (23 - i) * 3600, n: map.get(base - (23 - i) * 3600) || 0 }));
+  const hrs  = Array.from({length: 24}, (_, i) => ({ h: base - (23-i)*3600, n: map.get(base-(23-i)*3600)||0 }));
   const max  = Math.max(...hrs.map(h => h.n), 1);
+  const pad  = { l:2, r:2, t:5, b:3 };
+  const cW   = W - pad.l - pad.r, cH = H - pad.t - pad.b;
+  const bW   = cW / hrs.length - 1;
 
-  const pad = { l: 2, r: 2, t: 6, b: 4 };
-  const cW  = W - pad.l - pad.r;
-  const cH  = H - pad.t - pad.b;
-  const bW  = cW / hrs.length - 1;
-
-  // Grid lines
-  ctx.strokeStyle = '#001800';
-  ctx.lineWidth = 1;
+  ctx.strokeStyle = '#001a00'; ctx.lineWidth = 1;
   [0.33, 0.66].forEach(f => {
-    const y = pad.t + cH * (1 - f);
-    ctx.beginPath(); ctx.moveTo(pad.l, y); ctx.lineTo(W - pad.r, y); ctx.stroke();
+    const y = pad.t + cH*(1-f);
+    ctx.beginPath(); ctx.moveTo(pad.l, y); ctx.lineTo(W-pad.r, y); ctx.stroke();
   });
 
-  // Bars
   hrs.forEach((h, i) => {
-    const x  = pad.l + i * (cW / hrs.length);
-    const bH = Math.max(1, (h.n / max) * cH);
-    const y  = pad.t + cH - bH;
-    const grad = ctx.createLinearGradient(0, y, 0, y + bH);
-    grad.addColorStop(0, '#00ff41');
-    grad.addColorStop(1, '#004400');
-    ctx.fillStyle = grad;
-    ctx.fillRect(x + 0.5, y, Math.max(bW, 1), bH);
+    const x  = pad.l + i*(cW/hrs.length);
+    const bH = Math.max(1, h.n/max*cH), y = pad.t+cH-bH;
+    const g  = ctx.createLinearGradient(0, y, 0, y+bH);
+    g.addColorStop(0, '#00ff41'); g.addColorStop(1, '#004400');
+    ctx.fillStyle = g;
+    ctx.fillRect(x+0.5, y, Math.max(bW,1), bH);
     if (h.n === max) {
       ctx.shadowColor = '#00ff41'; ctx.shadowBlur = 10;
-      ctx.fillRect(x + 0.5, y, Math.max(bW, 1), bH);
+      ctx.fillRect(x+0.5, y, Math.max(bW,1), bH);
       ctx.shadowBlur = 0;
     }
   });
 
   document.getElementById('chart-peak').textContent =
-    `PEAK ${max.toLocaleString()} / hr  |  TOTAL ${hrs.reduce((a, h) => a + h.n, 0).toLocaleString()}`;
+    `PEAK ${max.toLocaleString()}/hr  TOTAL ${hrs.reduce((a,h)=>a+h.n,0).toLocaleString()}`;
 }
-
 window.addEventListener('resize', () => { if (window._hourly) drawChart(window._hourly); });
 
 // ── Attackers table ───────────────────────────────────────────────────────────
 function renderAttackers(ips) {
   const tbody = document.getElementById('atk-body');
   if (!ips || !ips.length) {
-    tbody.innerHTML = `<tr><td colspan="4" style="text-align:center;padding:20px;color:var(--dim)">${t('no_data')}</td></tr>`;
+    tbody.innerHTML = `<tr><td colspan="4" style="text-align:center;padding:14px;color:var(--dim)">${t('no_data')}</td></tr>`;
     return;
   }
   const max = ips[0].hits;
-  tbody.innerHTML = ips.map((row, i) => `
-    <tr>
-      <td class="atk-rank">#${i + 1}</td>
-      <td class="atk-ip">${esc(row.ip)}</td>
+  tbody.innerHTML = ips.map((row, i) => {
+    const f     = flag(row.country);
+    const asnNo = (row.asn || '').split(' ')[0]; // e.g. "AS12345"
+    return `<tr>
+      <td class="atk-rank">#${i+1}</td>
+      <td class="atk-ip">${f ? f+' ' : ''}${esc(row.ip)}</td>
       <td class="atk-hits">${row.hits.toLocaleString()}</td>
-      <td><div class="mini-bar"><div class="mini-fill" style="width:${Math.round(row.hits/max*100)}%"></div></div></td>
-    </tr>`).join('');
+      <td class="atk-asn" title="${esc(row.asn || '')}">${esc(asnNo)}</td>
+    </tr>`;
+  }).join('');
 }
 
 // ── Helpers ───────────────────────────────────────────────────────────────────
 function esc(s) {
-  return String(s || '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
-}
-function fmtTime(ts) {
-  return new Date(ts * 1000).toISOString().slice(11, 19);
+  return String(s||'').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
 }
+function fmtTime(ts) { return new Date(ts*1000).toISOString().slice(11,19); }
 
 // ── Live feed ─────────────────────────────────────────────────────────────────
-let feedCount   = 0;
-let autoScroll  = true;
+let feedCount    = 0;
 const feedEl     = document.getElementById('feed');
 const feedCount$ = document.getElementById('feed-count');
 const feedStatus = document.getElementById('feed-status');
 
-feedEl.addEventListener('mouseenter', () => autoScroll = false);
-feedEl.addEventListener('mouseleave', () => { autoScroll = true; });
-
 function addRow(row) {
   feedCount++;
   feedCount$.textContent = `${feedCount.toLocaleString()} ${t('events')}`;
-  const el = document.createElement('div');
+  const el   = document.createElement('div');
   el.className = 'feed-row';
+  const f    = flag(row.country || '');
   el.innerHTML = `
     <span class="feed-ts">${fmtTime(row.received_at)}</span>
     <span class="feed-ip">${esc(row.ip_masked || row.ip || '?')}</span>
     <span>
-      <span class="feed-form">${esc(row.form_type || '?')}</span>
-      <br><span class="feed-reason">${esc(row.reason || '')}</span>
+      ${f ? `<span class="feed-geo">${f} ${esc(row.country||'')}</span><br>` : ''}
+      <span class="feed-form">${esc(row.form_type||'?')}</span>
+      <br><span class="feed-reason">${esc(row.reason||'')}</span>
     </span>`;
   feedEl.prepend(el);
   while (feedEl.children.length > 120) feedEl.removeChild(feedEl.lastChild);
 }
 
-// Seed from recent history on load
 async function seedFeed() {
   try {
     const r = await fetch('/api/v1/stats');
     const s = await r.json();
     if (s.recent) [...s.recent].reverse().forEach(addRow);
-  } catch (e) { console.warn('[seed]', e); }
+  } catch {}
 }
 
-// SSE for live updates
 function connectSSE() {
   const es = new EventSource('/api/v1/stream');
   es.onopen    = () => { feedStatus.textContent = t('connected'); };
-  es.onmessage = e => {
-    try { JSON.parse(e.data).reverse().forEach(addRow); } catch {}
-  };
-  es.onerror = () => {
+  es.onmessage = e => { try { JSON.parse(e.data).reverse().forEach(addRow); } catch {} };
+  es.onerror   = () => {
     es.close();
     feedStatus.textContent = t('reconnecting');
     setTimeout(connectSSE, 5000);
@@ -779,7 +720,7 @@ function connectSSE() {
 async function fetchStats() {
   try {
     const r = await fetch('/api/v1/stats');
-    if (!r.ok) throw new Error(r.status);
+    if (!r.ok) return;
     const s = await r.json();
 
     countUp(document.getElementById('s-total'), s.total);
@@ -793,22 +734,19 @@ async function fetchStats() {
     renderBars(document.getElementById('bars-reasons'), s.top_reasons);
     renderAttackers(s.top_ips);
 
-    // Top attacked form banner
     if (s.top_forms && s.top_forms.length) {
       const top = s.top_forms[0];
       document.getElementById('tt-label').textContent = t('top_target_label');
       document.getElementById('tt-form').textContent  = top.form_type;
       document.getElementById('tt-hits').textContent  = `${top.hits.toLocaleString()} hits`;
-      const pct = s.last_30d > 0 ? Math.round(top.hits / s.last_30d * 100) : 0;
+      const pct = s.last_30d > 0 ? Math.round(top.hits/s.last_30d*100) : 0;
       document.getElementById('tt-pct').textContent   = `(${pct}% of all blocks)`;
     }
 
     window._hourly = s.hourly;
     drawChart(s.hourly);
-
-    document.getElementById('last-update').textContent =
-      new Date().toISOString().slice(11, 19) + ' UTC';
-  } catch (e) { console.error('[stats]', e); }
+    document.getElementById('last-update').textContent = new Date().toISOString().slice(11,19) + ' UTC';
+  } catch {}
 }
 
 // ── Boot ──────────────────────────────────────────────────────────────────────
@@ -820,6 +758,5 @@ connectSSE();
 fetchStats();
 setInterval(fetchStats, 6000);
 </script>
-
 </body>
 </html>
diff --git a/api/server.js b/api/server.js
index ff4a5fa..60eafeb 100644
--- a/api/server.js
+++ b/api/server.js
@@ -3,6 +3,7 @@
 const express            = require('express');
 const Database           = require('better-sqlite3');
 const path               = require('path');
+const http               = require('http');
 const { timingSafeEqual } = require('crypto');
 
 const app  = express();
@@ -23,7 +24,9 @@ DB.exec(`
     ip_masked   TEXT    NOT NULL DEFAULT '',
     form_type   TEXT    NOT NULL DEFAULT '',
     reason      TEXT    NOT NULL DEFAULT '',
-    ua_family   TEXT    NOT NULL DEFAULT ''
+    ua_family   TEXT    NOT NULL DEFAULT '',
+    country     TEXT    NOT NULL DEFAULT '',
+    asn         TEXT    NOT NULL DEFAULT ''
   );
   CREATE TABLE IF NOT EXISTS sites (
     site_id     TEXT    PRIMARY KEY,
@@ -36,6 +39,10 @@ DB.exec(`
   CREATE INDEX IF NOT EXISTS idx_site ON blocks(site_id);
 `);
 
+// Add country/asn columns to existing tables (migration — ignored if already present)
+try { DB.exec(`ALTER TABLE blocks ADD COLUMN country TEXT NOT NULL DEFAULT ''`); } catch {}
+try { DB.exec(`ALTER TABLE blocks ADD COLUMN asn     TEXT NOT NULL DEFAULT ''`); } catch {}
+
 // ── Auth token ────────────────────────────────────────────────────────────────
 
 const API_TOKEN = (process.env.API_TOKEN || '').trim();
@@ -90,6 +97,51 @@ function parseUA(ua = '') {
   return ua.length ? 'Other' : 'No UA';
 }
 
+// ── IP geo-enrichment (ip-api.com free tier, HTTP) ────────────────────────────
+
+const stmtEnrich = DB.prepare('UPDATE blocks SET country=?, asn=? WHERE id=?');
+const enrichCache = new Map(); // ip -> expiry ms (deduplicate within 1h)
+
+function isPrivateIP(ip) {
+  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fc|fd)/.test(ip);
+}
+
+function enrichIP(rowId, ip) {
+  if (!ip || ip === '?' || isPrivateIP(ip)) return;
+  const now = Date.now();
+  if ((enrichCache.get(ip) || 0) > now) return; // recently done
+  enrichCache.set(ip, now + 3_600_000);          // cache 1 h
+
+  http.get(
+    `http://ip-api.com/json/${encodeURIComponent(ip)}?fields=status,countryCode,as`,
+    { timeout: 5000 },
+    res => {
+      let data = '';
+      res.on('data', d => data += d);
+      res.on('end', () => {
+        try {
+          const j = JSON.parse(data);
+          if (j.status === 'success') {
+            stmtEnrich.run(
+              (j.countryCode || '').slice(0, 2),
+              (j.as || '').slice(0, 50),
+              rowId
+            );
+          }
+        } catch {}
+      });
+    }
+  ).on('error', () => enrichCache.delete(ip)); // retry next time
+}
+
+// Background enrichment: fill any rows missing country (e.g. from history import)
+const stmtUnenriched = DB.prepare(
+  "SELECT id, ip_masked FROM blocks WHERE country='' AND ip_masked != '' AND ip_masked != '?' LIMIT 5"
+);
+setInterval(() => {
+  for (const row of stmtUnenriched.all()) enrichIP(row.id, row.ip_masked);
+}, 20_000);
+
 // ── In-memory rate limiter ────────────────────────────────────────────────────
 
 const rl = new Map();
@@ -117,7 +169,7 @@ function getStats() {
     last_30d:     DB.prepare('SELECT COUNT(*) n FROM blocks WHERE received_at > ?').get(now - 2592000).n,
     total_sites:  DB.prepare('SELECT COUNT(*) n FROM sites').get().n,
     top_ips:      DB.prepare(`
-      SELECT ip_masked ip, COUNT(*) hits
+      SELECT ip_masked ip, country, asn, COUNT(*) hits
       FROM blocks WHERE received_at > ?
       GROUP BY ip_masked ORDER BY hits DESC LIMIT 10
     `).all(now - 2592000),
@@ -137,7 +189,7 @@ function getStats() {
       GROUP BY ua_family ORDER BY hits DESC LIMIT 8
     `).all(now - 2592000),
     recent:       DB.prepare(`
-      SELECT received_at, ip_masked ip, form_type, reason, ua_family
+      SELECT received_at, ip_masked ip, country, form_type, reason, ua_family
       FROM blocks ORDER BY id DESC LIMIT 40
     `).all(),
     hourly:       DB.prepare(`
@@ -167,7 +219,7 @@ setInterval(() => {
 // ── Prepared statements ───────────────────────────────────────────────────────
 
 const stmtIns = DB.prepare(
-  'INSERT INTO blocks (received_at, site_id, ip_masked, form_type, reason, ua_family) VALUES (?,?,?,?,?,?)'
+  'INSERT INTO blocks (received_at, site_id, ip_masked, form_type, reason, ua_family, country, asn) VALUES (?,?,?,?,?,?,?,?)'
 );
 const stmtSite = DB.prepare(`
   INSERT INTO sites (site_id, first_seen, last_seen, block_count) VALUES (?,?,?,?)
@@ -178,17 +230,21 @@ const stmtSite = DB.prepare(`
 
 const insertBatch = DB.transaction((siteId, blocks) => {
   const now = Math.floor(Date.now() / 1000);
+  const ids = [];
   for (const b of blocks) {
-    const ts = b.blocked_at ? Math.floor(new Date(b.blocked_at) / 1000) : now;
-    stmtIns.run(
-      ts, siteId,
-      sanitizeIP(b.ip),
+    const ts  = b.blocked_at ? Math.floor(new Date(b.blocked_at) / 1000) : now;
+    const ip  = sanitizeIP(b.ip);
+    const r   = stmtIns.run(
+      ts, siteId, ip,
       String(b.form_type   || '').slice(0, 100),
       String(b.reason      || '').slice(0, 255),
-      parseUA(b.user_agent || '')
+      parseUA(b.user_agent || ''),
+      '', '' // country / asn filled async
     );
+    ids.push({ id: Number(r.lastInsertRowid), ip });
   }
   stmtSite.run(siteId, now, now, blocks.length);
+  return ids;
 });
 
 // ── Express routes ────────────────────────────────────────────────────────────
@@ -215,8 +271,10 @@ app.post('/api/v1/submit', requireToken, (req, res) => {
   }
 
   try {
-    insertBatch(site_hash.slice(0, 20), blocks);
+    const ids = insertBatch(site_hash.slice(0, 20), blocks);
     _cache = null; // invalidate stats cache
+    // Enrich IPs asynchronously without blocking the response
+    setImmediate(() => ids.forEach(({ id, ip }) => enrichIP(id, ip)));
     res.json({ ok: true, received: blocks.length });
   } catch (e) {
     console.error('[submit]', e.message);
diff --git a/honeypot-fields.php b/honeypot-fields.php
index 0b23275..1c9a10a 100644
--- a/honeypot-fields.php
+++ b/honeypot-fields.php
@@ -3,7 +3,7 @@
  * Plugin Name: Honeypot Fields
  * Plugin URI: https://informatiq.services
  * Description: Adds invisible honeypot fields to all forms to block spam bots. Works with WordPress core forms, Elementor, Gravity Forms, Contact Form 7, WooCommerce, and more.
- * Version: 2.3.0
+ * Version: 2.4.0
  * Author: Malin
  * Author URI: https://malin.ro
  * License: GPL v2 or later
@@ -378,6 +378,20 @@ class SmartHoneypotAPIClient {
         return count((array) get_option(self::OPT_QUEUE, []));
     }
 
+    /**
+     * Fallback flush triggered on every PHP shutdown.
+     * A transient lock ensures we attempt at most once per 5 minutes
+     * regardless of traffic volume, so WP-Cron is not the sole trigger.
+     */
+    public static function maybe_flush_overdue(): void {
+        $s = self::settings();
+        if (!$s['enabled'] || empty($s['api_url'])) return;
+        if (self::queue_size() === 0) return;
+        if (get_transient('hp_flush_lock')) return;
+        set_transient('hp_flush_lock', 1, 300); // 5-min lock
+        self::flush();
+    }
+
     /**
      * Returns the API token.
      * Checks the HP_API_TOKEN constant (defined in wp-config.php) first,
@@ -1181,6 +1195,10 @@ class SmartHoneypotAntiSpam {
 
     /* ── Init ──────────────────────────────────────────────────────── */
     public function init() {
+        // CF7 submits via admin-ajax.php where is_admin()=true, so hook here
+        // before the early return so spam validation still runs.
+        add_filter('wpcf7_spam', [$this, 'validate_cf7_spam'], 10, 2);
+
         if (is_admin()) {
             add_action('admin_notices', [$this, 'activation_notice']);
             return;
@@ -1423,6 +1441,13 @@ class SmartHoneypotAntiSpam {
         }
     }
 
+    /* ── Contact Form 7 ────────────────────────────────────────────── */
+    public function validate_cf7_spam($spam, $submission) {
+        if ($spam) return true; // already flagged
+        $this->current_form_type = 'Contact Form 7';
+        return !$this->check_submission(true);
+    }
+
     /* ── Generic catch-all ─────────────────────────────────────────── */
     public function validate_generic_post() {
         if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
@@ -1436,6 +1461,7 @@ class SmartHoneypotAntiSpam {
             isset($_POST['woocommerce-login-nonce'])            ||
             isset($_POST['woocommerce-process-checkout-nonce']) ||
             isset($_POST['comment_post_ID'])                    ||
+            isset($_POST['_wpcf7'])                             || // CF7: handled by wpcf7_spam filter
             (isset($_POST['action']) && $_POST['action'] === 'elementor_pro_forms_send_form')
         ) {
             return;
@@ -1514,6 +1540,8 @@ add_action('plugins_loaded', function () {
     }
     new SmartHoneypotAntiSpam();
     SmartHoneypotAdmin::register();
+    // Fallback: flush queue on every request's shutdown (rate-limited via transient)
+    add_action('shutdown', ['SmartHoneypotAPIClient', 'maybe_flush_overdue']);
 });
 
 // Custom cron interval (5 minutes)