feat: centralized API dashboard + Docker container

API server (api/):
- Node.js + Express + SQLite (better-sqlite3, WAL mode)
- POST /api/v1/submit — receive blocks from WP sites (rate limited 30/min/IP)
- GET  /api/v1/stats  — public aggregated stats with 30s cache
- GET  /api/v1/stream — SSE live feed, pushed every 2s
- GET  /api/v1/health — health check
- IP masking: only first 2 octets stored (192.168.x.x)
- UA family detection: curl, Python, Go, bots, Chrome, etc.
- docker-compose.yml with named volume for SQLite persistence

Dashboard (api/public/index.html):
- Hacker/terminal aesthetic: black + matrix green, CRT scanlines
- Live stat cards: total blocked, today, 7d, 30d, sites reporting
- Canvas 24h activity trend chart with gradient bars
- CSS bar charts: form types, bot toolkit, block reasons
- Live SSE threat feed with countUp animation and auto-scroll
- Top 10 attackers table with frequency bars
- Polls /api/v1/stats every 6s, SSE for instant feed updates

WordPress plugin (honeypot-fields.php):
- SmartHoneypotAPIClient: queue (WP option) + WP-cron batch flush every 5min
- log_spam() now enqueues to central API after local DB write
- Admin 'Central API' tab: enable toggle, endpoint URL, sync stats, manual flush
- Cron properly registered/deregistered on activate/deactivate

api/server.js

@@ -0,0 +1,237 @@
+'use strict';
+
+const express  = require('express');
+const Database = require('better-sqlite3');
+const path     = require('path');
+
+const app  = express();
+const PORT = Number(process.env.PORT) || 3000;
+const DB   = new Database(process.env.DB_PATH || '/data/honeypot.db');
+
+// ── Database setup ────────────────────────────────────────────────────────────
+
+DB.pragma('journal_mode = WAL');
+DB.pragma('synchronous  = NORMAL');
+DB.pragma('cache_size   = -8000');
+
+DB.exec(`
+  CREATE TABLE IF NOT EXISTS blocks (
+    id          INTEGER PRIMARY KEY AUTOINCREMENT,
+    received_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    site_id     TEXT    NOT NULL DEFAULT '',
+    ip_masked   TEXT    NOT NULL DEFAULT '',
+    form_type   TEXT    NOT NULL DEFAULT '',
+    reason      TEXT    NOT NULL DEFAULT '',
+    ua_family   TEXT    NOT NULL DEFAULT ''
+  );
+  CREATE TABLE IF NOT EXISTS sites (
+    site_id     TEXT    PRIMARY KEY,
+    first_seen  INTEGER NOT NULL DEFAULT (unixepoch()),
+    last_seen   INTEGER NOT NULL DEFAULT (unixepoch()),
+    block_count INTEGER NOT NULL DEFAULT 0
+  );
+  CREATE INDEX IF NOT EXISTS idx_recv ON blocks(received_at DESC);
+  CREATE INDEX IF NOT EXISTS idx_ip   ON blocks(ip_masked);
+  CREATE INDEX IF NOT EXISTS idx_site ON blocks(site_id);
+`);
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function maskIP(ip = '') {
+  ip = String(ip).trim();
+  if (!ip) return 'x.x.x.x';
+  if (ip.includes(':')) {                           // IPv6 — keep first 2 groups
+    const p = ip.split(':');
+    return `${p[0]||'x'}:${p[1]||'x'}:…:x`;
+  }
+  const p = ip.split('.');                          // IPv4 — keep first 2 octets
+  return p.length === 4 ? `${p[0]}.${p[1]}.x.x` : 'x.x.x.x';
+}
+
+const UA_MAP = [
+  [/curl\//i,                       'curl'],
+  [/python-requests|python\//i,     'Python'],
+  [/go-http-client/i,               'Go'],
+  [/wget\//i,                       'Wget'],
+  [/java\//i,                       'Java'],
+  [/ruby/i,                         'Ruby'],
+  [/perl\//i,                       'Perl'],
+  [/php\//i,                        'PHP'],
+  [/scrapy/i,                       'Scrapy'],
+  [/postman/i,                      'Postman'],
+  [/axios/i,                        'Axios'],
+  [/node-fetch|node\.js/i,          'Node.js'],
+  [/headlesschrome|phantomjs/i,     'Headless Browser'],
+  [/(bot|crawler|spider|slurp)/i,   'Bot/Crawler'],
+  [/chrome/i,                       'Chrome'],
+  [/firefox/i,                      'Firefox'],
+  [/safari/i,                       'Safari'],
+  [/edge|edg\//i,                   'Edge'],
+  [/opera|opr\//i,                  'Opera'],
+  [/msie|trident/i,                 'IE'],
+];
+
+function parseUA(ua = '') {
+  for (const [re, label] of UA_MAP) if (re.test(ua)) return label;
+  return ua.length ? 'Other' : 'No UA';
+}
+
+// ── In-memory rate limiter ────────────────────────────────────────────────────
+
+const rl = new Map();
+setInterval(() => { const n = Date.now(); for (const [k, v] of rl) if (n > v.r) rl.delete(k); }, 30_000);
+
+function allowed(ip, max = 30, win = 60_000) {
+  const n = Date.now();
+  let e = rl.get(ip);
+  if (!e || n > e.r) { e = { c: 0, r: n + win }; rl.set(ip, e); }
+  return ++e.c <= max;
+}
+
+// ── Stats cache (30s TTL) ─────────────────────────────────────────────────────
+
+let _cache = null, _cacheTs = 0;
+
+function getStats() {
+  if (_cache && Date.now() - _cacheTs < 30_000) return _cache;
+  const now = Math.floor(Date.now() / 1000);
+
+  _cache = {
+    total:        DB.prepare('SELECT COUNT(*) n FROM blocks').get().n,
+    today:        DB.prepare('SELECT COUNT(*) n FROM blocks WHERE received_at > ?').get(now - 86400).n,
+    last_7d:      DB.prepare('SELECT COUNT(*) n FROM blocks WHERE received_at > ?').get(now - 604800).n,
+    last_30d:     DB.prepare('SELECT COUNT(*) n FROM blocks WHERE received_at > ?').get(now - 2592000).n,
+    total_sites:  DB.prepare('SELECT COUNT(*) n FROM sites').get().n,
+    top_ips:      DB.prepare(`
+      SELECT ip_masked ip, COUNT(*) hits
+      FROM blocks WHERE received_at > ?
+      GROUP BY ip_masked ORDER BY hits DESC LIMIT 10
+    `).all(now - 2592000),
+    top_forms:    DB.prepare(`
+      SELECT form_type, COUNT(*) hits
+      FROM blocks WHERE received_at > ?
+      GROUP BY form_type ORDER BY hits DESC LIMIT 8
+    `).all(now - 2592000),
+    top_reasons:  DB.prepare(`
+      SELECT reason, COUNT(*) hits
+      FROM blocks WHERE received_at > ?
+      GROUP BY reason ORDER BY hits DESC LIMIT 8
+    `).all(now - 2592000),
+    top_ua:       DB.prepare(`
+      SELECT ua_family, COUNT(*) hits
+      FROM blocks WHERE received_at > ?
+      GROUP BY ua_family ORDER BY hits DESC LIMIT 8
+    `).all(now - 2592000),
+    recent:       DB.prepare(`
+      SELECT received_at, ip_masked ip, form_type, reason, ua_family
+      FROM blocks ORDER BY id DESC LIMIT 40
+    `).all(),
+    hourly:       DB.prepare(`
+      SELECT (received_at / 3600) * 3600 h, COUNT(*) n
+      FROM blocks WHERE received_at > ?
+      GROUP BY h ORDER BY h ASC
+    `).all(now - 86400),
+  };
+  _cacheTs = Date.now();
+  return _cache;
+}
+
+// ── SSE live stream ───────────────────────────────────────────────────────────
+
+const sseClients = new Set();
+let lastId = DB.prepare('SELECT MAX(id) id FROM blocks').get().id || 0;
+
+setInterval(() => {
+  if (!sseClients.size) return;
+  const rows = DB.prepare('SELECT * FROM blocks WHERE id > ? ORDER BY id ASC LIMIT 20').all(lastId);
+  if (!rows.length) return;
+  lastId = rows.at(-1).id;
+  const msg = `data: ${JSON.stringify(rows)}\n\n`;
+  for (const r of sseClients) { try { r.write(msg); } catch { sseClients.delete(r); } }
+}, 2000);
+
+// ── Prepared statements ───────────────────────────────────────────────────────
+
+const stmtIns = DB.prepare(
+  'INSERT INTO blocks (received_at, site_id, ip_masked, form_type, reason, ua_family) VALUES (?,?,?,?,?,?)'
+);
+const stmtSite = DB.prepare(`
+  INSERT INTO sites (site_id, first_seen, last_seen, block_count) VALUES (?,?,?,?)
+  ON CONFLICT(site_id) DO UPDATE SET
+    last_seen   = excluded.last_seen,
+    block_count = block_count + excluded.block_count
+`);
+
+const insertBatch = DB.transaction((siteId, blocks) => {
+  const now = Math.floor(Date.now() / 1000);
+  for (const b of blocks) {
+    const ts = b.blocked_at ? Math.floor(new Date(b.blocked_at) / 1000) : now;
+    stmtIns.run(
+      ts, siteId,
+      maskIP(b.ip),
+      String(b.form_type   || '').slice(0, 100),
+      String(b.reason      || '').slice(0, 255),
+      parseUA(b.user_agent || '')
+    );
+  }
+  stmtSite.run(siteId, now, now, blocks.length);
+});
+
+// ── Express routes ────────────────────────────────────────────────────────────
+
+app.use(express.json({ limit: '128kb' }));
+app.use(express.static(path.join(__dirname, 'public')));
+
+// Submit blocks from a WordPress site
+app.post('/api/v1/submit', (req, res) => {
+  const clientIP = (req.headers['x-forwarded-for'] || '').split(',')[0].trim()
+    || req.socket.remoteAddress || '';
+
+  if (!allowed(clientIP)) {
+    return res.status(429).json({ error: 'Rate limit exceeded' });
+  }
+
+  const { site_hash, blocks } = req.body || {};
+
+  if (!site_hash || typeof site_hash !== 'string' || site_hash.length < 8) {
+    return res.status(400).json({ error: 'Invalid site_hash' });
+  }
+  if (!Array.isArray(blocks) || !blocks.length || blocks.length > 50) {
+    return res.status(400).json({ error: 'blocks must be array of 1–50 items' });
+  }
+
+  try {
+    insertBatch(site_hash.slice(0, 20), blocks);
+    _cache = null; // invalidate stats cache
+    res.json({ ok: true, received: blocks.length });
+  } catch (e) {
+    console.error('[submit]', e.message);
+    res.status(500).json({ error: 'Internal error' });
+  }
+});
+
+// Public aggregated stats
+app.get('/api/v1/stats', (_, res) => res.json(getStats()));
+
+// SSE live feed
+app.get('/api/v1/stream', (req, res) => {
+  res.writeHead(200, {
+    'Content-Type':      'text/event-stream',
+    'Cache-Control':     'no-cache',
+    'Connection':        'keep-alive',
+    'X-Accel-Buffering': 'no',
+  });
+  res.write(':\n\n'); // flush headers
+  sseClients.add(res);
+  req.on('close', () => sseClients.delete(res));
+});
+
+// Health check
+app.get('/api/v1/health', (_, res) =>
+  res.json({ ok: true, uptime: process.uptime(), sse_clients: sseClients.size })
+);
+
+app.listen(PORT, '0.0.0.0', () => {
+  console.log(`[honeypot-api] listening on :${PORT}`);
+  console.log(`[honeypot-api] db: ${process.env.DB_PATH || '/data/honeypot.db'}`);
+});