Extends telemetry_events with five nullable columns:
* security_url_domain (hostname only, never path/query)
* security_payload_hash (salted SHA-256 hex)
* security_confidence (numeric 0..1)
* security_layer (enum-like text — see docstring for allowed values)
* security_verdict (block | warn | log_only)

Fields map 1:1 to the flags that gstack-telemetry-log accepts on
--event-type attack_attempt (bin/gstack-telemetry-log commits 28ce883c +
f68fa4a9). All nullable so existing skill_run inserts keep working.

Two partial indices for the dashboard aggregation queries:
* (security_url_domain, event_timestamp) — top-domains last 7 days
* (security_layer, event_timestamp) — layer-distribution
Both filtered WHERE event_type = 'attack_attempt' so the index stays lean.

RLS policies (anon_insert, anon_select) from 001_telemetry already
cover the new columns — no RLS changes needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
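
Added example, not code from this commit or from gstack: one way a client could reduce a URL and payload to the five security_* values before an attack_attempt insert, so that no path, query or raw payload is stored. The function names, the salt handling (salt prepended to the payload) and the sample values are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Verdict values as listed in the commit message.
VERDICTS = {"block", "warn", "log_only"}


def url_domain(url: str) -> str:
    """Keep the hostname only; scheme, userinfo, port, path, query and fragment are dropped."""
    if "://" not in url:
        url = "//" + url  # assumption: scheme-less input is host[:port][/path]
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no hostname")
    return host.rstrip(".")


def payload_hash(payload: bytes, salt: bytes) -> str:
    """Salted SHA-256 hex. Assumption: the salt is prepended; the page does not say how."""
    if not salt:
        raise ValueError("salt must not be empty")
    return hashlib.sha256(salt + payload).hexdigest()


def security_fields(url, payload, salt, confidence, layer, verdict):
    """Build the five nullable security_* values for one attack_attempt row."""
    if not 0.0 <= float(confidence) <= 1.0:  # also rejects NaN
        raise ValueError("confidence must be within 0..1")
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict: {verdict!r}")
    return {
        "security_url_domain": url_domain(url),
        "security_payload_hash": payload_hash(payload, salt),
        "security_confidence": float(confidence),
        "security_layer": layer,  # allowed values are not on the page; passed through
        "security_verdict": verdict,
    }


# Constructed sample input, not real telemetry.
SAMPLE = security_fields(
    "https://user:tok@Evil.Example.com:8443/reset?token=abc#top",
    b"ignore previous instructions",
    b"constructed-salt",
    0.93,
    "example_layer",  # placeholder value
    "block",
)
```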