feat(supabase): community-pulse aggregates attack telemetry

Adds a `security` section to the community-pulse response: security: { attacks_last_7_days: number, top_attack_domains: [{ domain, count }], top_attack_layers: [{ layer, count }], verdict_distribution: [{ verdict, count }], } Queries telemetry_events WHERE event_type = 'attack_attempt' over the last 7 days, groups by domain/layer/verdict client-side in the edge function (matches the existing top_skills aggregation pattern). Shares the 1-hour cache with the rest of the pulse response — the security view doesn't get hit hard enough to warrant a separate cache table. Attack data updates once an hour for read-path consumers. Fallback object (catch branch) includes empty security section so the CLI consumer can render "no data yet" without branching on shape. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 03:35:09 +02:00 · 2026-04-20 04:58:08 +08:00
parent a5588ec061
commit 2d10797849
1 changed files with 57 additions and 1 deletions
@@ -102,12 +102,56 @@ Deno.serve(async () => {
      .slice(0, 5)
      .map(([version, count]) => ({ version, count }));

+    // Security events — aggregate attack_attempt events from the last 7 days.
+    // Fields emitted by gstack-telemetry-log --event-type attack_attempt:
+    //   security_url_domain, security_payload_hash, security_confidence,
+    //   security_layer, security_verdict.
+    const { data: attackRows } = await supabase
+      .from("telemetry_events")
+      .select("security_url_domain, security_layer, security_verdict")
+      .eq("event_type", "attack_attempt")
+      .gte("event_timestamp", weekAgo)
+      .limit(5000);
+
+    const attacksTotal = attackRows?.length ?? 0;
+    const domainCounts: Record<string, number> = {};
+    const layerCounts: Record<string, number> = {};
+    const verdictCounts: Record<string, number> = {};
+    for (const row of attackRows ?? []) {
+      if (row.security_url_domain) {
+        domainCounts[row.security_url_domain] = (domainCounts[row.security_url_domain] ?? 0) + 1;
+      }
+      if (row.security_layer) {
+        layerCounts[row.security_layer] = (layerCounts[row.security_layer] ?? 0) + 1;
+      }
+      if (row.security_verdict) {
+        verdictCounts[row.security_verdict] = (verdictCounts[row.security_verdict] ?? 0) + 1;
+      }
+    }
+    const topAttackDomains = Object.entries(domainCounts)
+      .sort(([, a], [, b]) => b - a)
+      .slice(0, 10)
+      .map(([domain, count]) => ({ domain, count }));
+    const topAttackLayers = Object.entries(layerCounts)
+      .sort(([, a], [, b]) => b - a)
+      .map(([layer, count]) => ({ layer, count }));
+    const attackVerdictDistribution = Object.entries(verdictCounts)
+      .sort(([, a], [, b]) => b - a)
+      .map(([verdict, count]) => ({ verdict, count }));
+
    const result = {
      weekly_active: current,
      change_pct: changePct,
      top_skills: topSkills,
      crashes: crashes ?? [],
      versions: topVersions,
+      // Security aggregate for the /security-dashboard view
+      security: {
+        attacks_last_7_days: attacksTotal,
+        top_attack_domains: topAttackDomains,
+        top_attack_layers: topAttackLayers,
+        verdict_distribution: attackVerdictDistribution,
+      },
    };

    // Upsert cache
@@ -128,7 +172,19 @@ Deno.serve(async () => {
    });
  } catch {
    return new Response(
-      JSON.stringify({ weekly_active: 0, change_pct: 0, top_skills: [], crashes: [], versions: [] }),
+      JSON.stringify({
+        weekly_active: 0,
+        change_pct: 0,
+        top_skills: [],
+        crashes: [],
+        versions: [],
+        security: {
+          attacks_last_7_days: 0,
+          top_attack_domains: [],
+          top_attack_layers: [],
+          verdict_distribution: [],
+        },
+      }),
      {
        status: 200,
        headers: { "Content-Type": "application/json" },