From 4d5906e1e92220bde00fc2c0f52e1370da460fb8 Mon Sep 17 00:00:00 2001
From: pyr0ball <pyroballpcs@gmail.com>
Date: Mon, 11 May 2026 13:00:11 -0700
Subject: [PATCH] feat: severity overrides + last_ingested timestamp on
 dashboard

---
 app/rest.py                     |  23 +++++-
 app/services/search.py          |  65 +++++++++++++----
 web/src/views/DashboardView.vue |  26 ++++++-
 web/src/views/SettingsView.vue  | 119 +++++++++++++++++++++++++++++++-
 4 files changed, 214 insertions(+), 19 deletions(-)

diff --git a/app/rest.py b/app/rest.py
index 156ea36..09c3903 100644
--- a/app/rest.py
+++ b/app/rest.py
@@ -62,10 +62,18 @@ def _startup() -> None:
     ensure_schema(DB_PATH)
 
 
-_PREFS_DEFAULTS: dict[str, str] = {
+_PREFS_DEFAULTS: dict = {
     "entry_point_style": "topbar",
     "llm_url": "http://localhost:11434",
     "llm_model": "llama3.1:8b",
+    "severity_overrides": [
+        {
+            "name": "PAM auth noise",
+            "pattern": r"pam_unix.*auth(?:entication)?\s+fail|auth could not identify",
+            "override_severity": "WARN",
+            "enabled": True,
+        }
+    ],
 }
 
 
@@ -89,10 +97,18 @@ class DiagnoseRequest(BaseModel):
     until: str | None = None
 
 
+class SeverityOverride(BaseModel):
+    name: str
+    pattern: str
+    override_severity: str
+    enabled: bool = True
+
+
 class SettingsBody(BaseModel):
     entry_point_style: str | None = None
     llm_url: str | None = None
     llm_model: str | None = None
+    severity_overrides: list[SeverityOverride] | None = None
 
 
 class IncidentCreate(BaseModel):
@@ -244,6 +260,8 @@ def patch_settings(body: SettingsBody) -> dict:
         prefs["llm_url"] = body.llm_url
     if body.llm_model is not None:
         prefs["llm_model"] = body.llm_model
+    if body.severity_overrides is not None:
+        prefs["severity_overrides"] = [o.model_dump() for o in body.severity_overrides]
     _save_prefs(prefs)
     return prefs
 
@@ -257,7 +275,8 @@ def list_sources() -> dict:
 def get_stats(
     window: Annotated[int, Query(ge=1, le=168, description="Hours to look back")] = 24,
 ) -> dict:
-    return _stats(DB_PATH, window_hours=window)
+    prefs = _load_prefs()
+    return _stats(DB_PATH, window_hours=window, severity_overrides=prefs.get("severity_overrides", []))
 
 
 @router.post("/api/incidents")
diff --git a/app/services/search.py b/app/services/search.py
index 9334605..1665eb2 100644
--- a/app/services/search.py
+++ b/app/services/search.py
@@ -317,11 +317,33 @@ def list_sources(db_path: Path) -> list[dict]:
     ]
 
 
-def stats_summary(db_path: Path, window_hours: int = 24) -> dict:
+def _compile_overrides(overrides: list[dict]) -> list[tuple[re.Pattern[str], str]]:
+    """Return (compiled_pattern, override_severity) pairs for enabled rules."""
+    compiled = []
+    for rule in overrides:
+        if not rule.get("enabled", True):
+            continue
+        try:
+            compiled.append((re.compile(rule["pattern"], re.IGNORECASE), rule["override_severity"]))
+        except re.error:
+            pass
+    return compiled
+
+
+def _apply_overrides(text: str, original_severity: str, rules: list[tuple[re.Pattern[str], str]]) -> str:
+    for pattern, new_sev in rules:
+        if pattern.search(text):
+            return new_sev
+    return original_severity
+
+
+def stats_summary(db_path: Path, window_hours: int = 24, severity_overrides: list[dict] | None = None) -> dict:
     """Return aggregate health stats for the dashboard.
 
     Queries plain log_entries (not FTS) so it works even before the index is built.
     """
+    rules = _compile_overrides(severity_overrides or [])
+
     conn = sqlite3.connect(str(db_path))
     conn.execute("PRAGMA journal_mode=WAL")
     conn.row_factory = sqlite3.Row
@@ -365,25 +387,36 @@ def stats_summary(db_path: Path, window_hours: int = 24) -> dict:
         for r in source_rows
     ]
 
-    # 5 most recent critical entries
+    # Fetch candidate criticals (fetch more so filtering doesn't leave us with too few)
     crit_rows = conn.execute("""
-        SELECT id as entry_id, source_id, sequence, timestamp_iso, severity,
-               repeat_count, out_of_order, matched_patterns, text, 0.0 as rank
+        SELECT id as entry_id, source_id, timestamp_iso, severity, text
         FROM log_entries
         WHERE severity = 'CRITICAL' AND repeat_count = 1
         ORDER BY timestamp_iso DESC
-        LIMIT 5
+        LIMIT 25
     """).fetchall()
-    recent_criticals = [
-        {
-            "entry_id": r["entry_id"],
-            "source_id": r["source_id"],
-            "timestamp_iso": r["timestamp_iso"],
-            "severity": r["severity"],
-            "text": r["text"],
-        }
-        for r in crit_rows
-    ]
+
+    # Apply overrides: skip entries whose effective severity is no longer CRITICAL
+    suppressed = 0
+    recent_criticals = []
+    for r in crit_rows:
+        effective = _apply_overrides(r["text"], r["severity"], rules)
+        if effective == "CRITICAL":
+            recent_criticals.append({
+                "entry_id": r["entry_id"],
+                "source_id": r["source_id"],
+                "timestamp_iso": r["timestamp_iso"],
+                "severity": r["severity"],
+                "text": r["text"],
+            })
+            if len(recent_criticals) == 5:
+                break
+        else:
+            suppressed += 1
+
+    # When did we last ingest anything?
+    last_row = conn.execute("SELECT MAX(ingest_time) AS t FROM log_entries").fetchone()
+    last_ingested: str | None = last_row["t"] if last_row else None
 
     conn.close()
 
@@ -394,6 +427,8 @@ def stats_summary(db_path: Path, window_hours: int = 24) -> dict:
         "errors_24h": errors_24h,
         "source_health": source_health,
         "recent_criticals": recent_criticals,
+        "suppressed_criticals": suppressed,
+        "last_ingested": last_ingested,
     }
 
 
diff --git a/web/src/views/DashboardView.vue b/web/src/views/DashboardView.vue
index 9b88ff4..21805bc 100644
--- a/web/src/views/DashboardView.vue
+++ b/web/src/views/DashboardView.vue
@@ -1,6 +1,15 @@
 <template>
   <div class="p-6 max-w-5xl mx-auto space-y-8">
 
+    <!-- Data freshness banner -->
+    <div
+      v-if="!loading && stats && isStale"
+      class="flex items-center gap-2 rounded border border-surface-border bg-surface-raised px-4 py-2.5 text-xs text-text-dim"
+    >
+      <span class="text-sev-warn">⚠</span>
+      <span>Last ingested: <span class="text-text-muted">{{ shortTs(stats.last_ingested) }}</span> — 24h counts reflect this window, not today.</span>
+    </div>
+
     <!-- Stat cards -->
     <div class="grid grid-cols-1 sm:grid-cols-3 gap-4">
       <div class="rounded border border-surface-border bg-surface-raised p-5">
@@ -8,6 +17,9 @@
         <p class="text-3xl font-semibold tabular-nums" :class="stats?.criticals_24h ? 'text-sev-critical' : 'text-text-muted'">
           {{ loading ? '…' : (stats?.criticals_24h ?? 0) }}
         </p>
+        <p v-if="stats?.suppressed_criticals" class="text-xs text-text-dim mt-1">
+          {{ stats.suppressed_criticals }} suppressed by overrides
+        </p>
       </div>
       <div class="rounded border border-surface-border bg-surface-raised p-5">
         <p class="text-text-dim text-xs uppercase tracking-widest mb-2">Errors (24h)</p>
@@ -99,6 +111,10 @@
           <p class="text-text-primary text-sm font-mono leading-relaxed line-clamp-2">{{ entry.text }}</p>
         </div>
       </div>
+      <p v-if="stats.suppressed_criticals" class="text-xs text-text-dim mt-2">
+        {{ stats.suppressed_criticals }} additional critical{{ stats.suppressed_criticals !== 1 ? 's' : '' }} hidden by
+        <RouterLink to="/settings" class="text-accent hover:underline">severity overrides</RouterLink>.
+      </p>
     </div>
 
     <!-- Zero state: everything clean -->
@@ -115,7 +131,7 @@
 
 <script setup lang="ts">
 import { ref, computed, onMounted } from 'vue'
-import { useRouter } from 'vue-router'
+import { useRouter, RouterLink } from 'vue-router'
 
 const router = useRouter()
 const BASE = import.meta.env.BASE_URL.replace(/\/$/, '')
@@ -132,6 +148,8 @@ interface StatsResponse {
   total_24h: number
   criticals_24h: number
   errors_24h: number
+  suppressed_criticals: number
+  last_ingested: string | null
   source_health: SourceHealth[]
   recent_criticals: Array<{
     entry_id: string
@@ -156,6 +174,12 @@ const activeIncidents = computed(() =>
   incidents.value.filter(i => !i.ended_at).length
 )
 
+const isStale = computed(() => {
+  if (!stats.value?.last_ingested) return false
+  const age = Date.now() - new Date(stats.value.last_ingested).getTime()
+  return age > 25 * 60 * 60 * 1000  // older than 25h
+})
+
 onMounted(async () => {
   await Promise.all([loadStats(), loadIncidents()])
 })
diff --git a/web/src/views/SettingsView.vue b/web/src/views/SettingsView.vue
index ef8f069..dd8a268 100644
--- a/web/src/views/SettingsView.vue
+++ b/web/src/views/SettingsView.vue
@@ -66,6 +66,84 @@
         </div>
       </div>
 
+      <!-- Severity overrides -->
+      <div>
+        <h2 class="text-text-primary text-sm font-semibold mb-1">Severity Overrides</h2>
+        <p class="text-text-dim text-xs mb-3">
+          Regex rules applied at query time — entries that match are shown at the overridden severity on the dashboard. DB values are unchanged.
+        </p>
+
+        <div class="space-y-2 mb-3">
+          <div
+            v-for="(rule, i) in prefs.severity_overrides"
+            :key="i"
+            class="flex items-start gap-3 rounded border border-surface-border bg-surface p-3"
+          >
+            <button
+              @click="toggleOverride(i)"
+              :class="[
+                'mt-0.5 w-9 h-5 rounded-full flex-shrink-0 transition-colors relative',
+                rule.enabled ? 'bg-accent' : 'bg-surface-border'
+              ]"
+              :title="rule.enabled ? 'Enabled — click to disable' : 'Disabled — click to enable'"
+            >
+              <span :class="['absolute top-0.5 w-4 h-4 rounded-full bg-white shadow transition-transform', rule.enabled ? 'translate-x-4' : 'translate-x-0.5']"></span>
+            </button>
+            <div class="flex-1 min-w-0">
+              <div class="flex items-center gap-2 flex-wrap">
+                <span class="text-sm text-text-primary font-medium">{{ rule.name }}</span>
+                <span class="text-xs px-1.5 py-0.5 rounded bg-surface-border text-text-dim">→ {{ rule.override_severity }}</span>
+              </div>
+              <p class="text-xs text-text-dim font-mono mt-0.5 truncate">{{ rule.pattern }}</p>
+            </div>
+            <button
+              @click="deleteOverride(i)"
+              class="text-text-dim hover:text-sev-error text-xs flex-shrink-0 mt-0.5"
+              title="Delete rule"
+            >✕</button>
+          </div>
+          <p v-if="!prefs.severity_overrides?.length" class="text-text-dim text-xs">No rules configured.</p>
+        </div>
+
+        <!-- Add rule form -->
+        <div v-if="!showAddOverride">
+          <button
+            @click="showAddOverride = true"
+            class="text-accent text-xs hover:underline"
+          >+ Add override rule</button>
+        </div>
+        <div v-else class="rounded border border-surface-border bg-surface p-3 space-y-2">
+          <div class="grid grid-cols-1 sm:grid-cols-2 gap-2">
+            <div>
+              <label class="block text-xs text-text-dim mb-1">Name</label>
+              <input v-model="newRule.name" type="text" placeholder="e.g. PAM auth noise"
+                class="w-full bg-surface-raised border border-surface-border rounded px-2 py-1.5 text-sm text-text-primary placeholder-text-dim focus:outline-none focus:border-accent" />
+            </div>
+            <div>
+              <label class="block text-xs text-text-dim mb-1">Override severity</label>
+              <select v-model="newRule.override_severity"
+                class="w-full bg-surface-raised border border-surface-border rounded px-2 py-1.5 text-sm text-text-primary focus:outline-none focus:border-accent">
+                <option>WARN</option>
+                <option>INFO</option>
+                <option>DEBUG</option>
+              </select>
+            </div>
+          </div>
+          <div>
+            <label class="block text-xs text-text-dim mb-1">Pattern (regex)</label>
+            <input v-model="newRule.pattern" type="text" placeholder="e.g. pam_unix.*auth"
+              class="w-full bg-surface-raised border border-surface-border rounded px-2 py-1.5 text-sm font-mono text-text-primary placeholder-text-dim focus:outline-none focus:border-accent" />
+          </div>
+          <div class="flex gap-2">
+            <button @click="addOverride"
+              class="px-3 py-1.5 bg-accent text-surface text-xs rounded font-medium hover:opacity-90 transition-opacity">
+              Add
+            </button>
+            <button @click="showAddOverride = false" class="text-text-dim hover:text-text-primary text-xs">Cancel</button>
+          </div>
+        </div>
+      </div>
+
       <p
         v-if="saveStatus"
         class="text-xs"
@@ -82,14 +160,24 @@ import { ref, onMounted } from 'vue'
 
 const BASE = import.meta.env.BASE_URL.replace(/\/$/, '')
 
+interface SeverityOverride {
+  name: string
+  pattern: string
+  override_severity: string
+  enabled: boolean
+}
+
 interface Prefs {
   entry_point_style: 'topbar' | 'fab'
   llm_url: string
   llm_model: string
+  severity_overrides: SeverityOverride[]
 }
 
-const prefs      = ref<Prefs>({ entry_point_style: 'topbar', llm_url: '', llm_model: '' })
+const prefs      = ref<Prefs>({ entry_point_style: 'topbar', llm_url: '', llm_model: '', severity_overrides: [] })
 const saveStatus = ref<{ ok: boolean; msg: string } | null>(null)
+const showAddOverride = ref(false)
+const newRule = ref<SeverityOverride>({ name: '', pattern: '', override_severity: 'WARN', enabled: true })
 
 const entryPointOptions = [
   { value: 'topbar', label: 'Top bar',  desc: 'Persistent input bar below the nav on every page' },
@@ -134,4 +222,33 @@ async function saveLlm() {
     saveStatus.value = { ok: false, msg: 'Save failed — check server connection' }
   }
 }
+
+async function saveOverrides() {
+  try {
+    await patch({ severity_overrides: prefs.value.severity_overrides })
+    saveStatus.value = { ok: true, msg: 'Overrides saved' }
+    setTimeout(() => { saveStatus.value = null }, 2000)
+  } catch {
+    saveStatus.value = { ok: false, msg: 'Save failed — check server connection' }
+  }
+}
+
+async function toggleOverride(i: number) {
+  const rule = prefs.value.severity_overrides[i]
+  if (rule) rule.enabled = !rule.enabled
+  await saveOverrides()
+}
+
+async function deleteOverride(i: number) {
+  prefs.value.severity_overrides.splice(i, 1)
+  await saveOverrides()
+}
+
+async function addOverride() {
+  if (!newRule.value.name.trim() || !newRule.value.pattern.trim()) return
+  prefs.value.severity_overrides.push({ ...newRule.value })
+  newRule.value = { name: '', pattern: '', override_severity: 'WARN', enabled: true }
+  showAddOverride.value = false
+  await saveOverrides()
+}
 </script>