feat: host-centric network map, analysis dashboard, deduped inventory

- Rewrote NetworkMap to use deduplicated host inventory (163 hosts from 394K rows) - New host_inventory.py service: scans datasets, groups by FQDN/ClientId, extracts IPs/users/OS - New /api/network/host-inventory endpoint - Added AnalysisDashboard with 6 tabs (IOC, anomaly, host profile, query, triage, reports) - Added 16 analysis API endpoints with job queue and load balancer - Added 4 AI/analysis ORM models (ProcessingJob, AnalysisResult, HostProfile, IOCEntry) - Filters system accounts (DWM-*, UMFD-*, LOCAL/NETWORK SERVICE) - Infers OS from hostname patterns (W10-* -> Windows 10) - Canvas 2D force-directed graph with host/external-IP node types - Click popover shows hostname, FQDN, IPs, OS, users, datasets, connections
2026-03-01 14:00:20 -05:00 · 2026-02-20 07:16:17 -05:00
parent 9b98ab9614
commit 04a9946891
24 changed files with 4774 additions and 620 deletions
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -1,10 +1,12 @@
 """ThreatHunt backend application.

 Wires together: database, CORS, agent routes, dataset routes, hunt routes,
-annotation/hypothesis routes.  DB tables are auto-created on startup.
+annotation/hypothesis routes, analysis routes, network routes, job queue,
+load balancer. DB tables are auto-created on startup.
 """

 import logging
+import os
 from contextlib import asynccontextmanager

 from fastapi import FastAPI
@@ -21,6 +23,8 @@ from app.api.routes.correlation import router as correlation_router
 from app.api.routes.reports import router as reports_router
 from app.api.routes.auth import router as auth_router
 from app.api.routes.keywords import router as keywords_router
+from app.api.routes.analysis import router as analysis_router
+from app.api.routes.network import router as network_router

 logger = logging.getLogger(__name__)

@@ -28,17 +32,45 @@ logger = logging.getLogger(__name__)
@asynccontextmanager
 async def lifespan(app: FastAPI):
    """Startup / shutdown lifecycle."""
-    logger.info("Starting ThreatHunt API …")
+    logger.info("Starting ThreatHunt API ...")
    await init_db()
    logger.info("Database initialised")
+
+    # Ensure uploads directory exists
+    os.makedirs(settings.UPLOAD_DIR, exist_ok=True)
+    logger.info("Upload dir: %s", os.path.abspath(settings.UPLOAD_DIR))
+
    # Seed default AUP keyword themes
    from app.db import async_session_factory
    from app.services.keyword_defaults import seed_defaults
    async with async_session_factory() as seed_db:
        await seed_defaults(seed_db)
    logger.info("AUP keyword defaults checked")
+
+    # Start job queue (Phase 10)
+    from app.services.job_queue import job_queue, register_all_handlers
+    register_all_handlers()
+    await job_queue.start()
+    logger.info("Job queue started (%d workers)", job_queue._max_workers)
+
+    # Start load balancer health loop (Phase 10)
+    from app.services.load_balancer import lb
+    await lb.start_health_loop(interval=30.0)
+    logger.info("Load balancer health loop started")
+
    yield
-    logger.info("Shutting down …")
+
+    logger.info("Shutting down ...")
+    # Stop job queue
+    from app.services.job_queue import job_queue as jq
+    await jq.stop()
+    logger.info("Job queue stopped")
+
+    # Stop load balancer
+    from app.services.load_balancer import lb as _lb
+    await _lb.stop_health_loop()
+    logger.info("Load balancer stopped")
+
    from app.agents.providers_v2 import cleanup_client
    from app.services.enrichment import enrichment_engine
    await cleanup_client()
@@ -46,15 +78,13 @@ async def lifespan(app: FastAPI):
    await dispose_db()


-# Create FastAPI application
 app = FastAPI(
    title="ThreatHunt API",
    description="Analyst-assist threat hunting platform powered by Wile & Roadrunner LLM cluster",
-    version="0.3.0",
+    version=settings.APP_VERSION,
    lifespan=lifespan,
 )

-# Configure CORS
 app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,
@@ -74,11 +104,12 @@ app.include_router(enrichment_router)
 app.include_router(correlation_router)
 app.include_router(reports_router)
 app.include_router(keywords_router)
+app.include_router(analysis_router)
+app.include_router(network_router)


@app.get("/", tags=["health"])
 async def root():
-    """API health check."""
    return {
        "service": "ThreatHunt API",
        "version": settings.APP_VERSION,
@@ -89,4 +120,4 @@ async def root():
            "roadrunner": settings.roadrunner_url,
            "openwebui": settings.OPENWEBUI_URL,
        },
-    }
+    }