v1.3.24 -- /security tabs + Dashboard security widget¶

The frontend half of the security-panel work the v1.3.23 backend endpoints staged. Pure-frontend release: zero new backend surface, zero migrations, no env vars. Smoke is browser-driven.

What ships¶

`/security` is now the global security panel¶

Three tabs over the v1.3.23 endpoints:

Tab	Endpoint	What it does
Banned IPs	`GET /api/security/decisions` + `DELETE /:id`	Search by value/scenario, filter by scope (Ip/Range/Country/AS) and origin, paginate, per-row Unban with confirmation
Whitelist	`GET /api/security/whitelist` + `POST` + `DELETE /:id`	Add scope=ip or scope=range entries, per-row Remove, every action surfaces the `setup-appsec.sh` reload command in the toast
Activity	`GET /api/security/audit-log`	Paginated audit trail with action, resource, source IP, user, expandable JSON diff

Per-host WAF moved to `/security/hosts`¶

The host-WAF overview (formerly the only thing at /security) moved to /security/hosts. The new /security is a different domain — global state across all hosts vs per-host config. Mixing them in one tabbed shell would have forced operators to mentally filter which view is per-host every time.

Discoverability:

The /security tab strip carries a visually-distinct Hosts ↗ link as its rightmost item (separator + arrow icon), so an operator visiting the new page on first load sees the moved page is one click away.
A session-dismissable banner at the top of /security explicitly says "Looking for the host-WAF overview? It moved to /security/hosts." — covers operators with bookmarks who expected to land on the old page.

The session-dismiss flag lives in sessionStorage under argos.security.hostsMoveBannerDismissed.v1.3.24 so a future v1.4.x reorganisation can re-prompt cleanly.

New section between Security (existing WAF activity charts) and Health on the dashboard. Polls GET /api/security/dashboard-stats on the standard 30s dashboard refresh cadence. Renders:

Active bans count + scope breakdown (Ip · Range · Country · AS)
Whitelist entries count
Audit events 24h count
Country expansions count + top 3 ISO codes
A "Country expansions (active)" sub-table with the top 10 expansions, their CIDR count after rollup (v1.3.22's /16 floor), and the active LAPI decision count for each origin.

The widget is wrapped in the same ErrorBoundary pattern as every other dashboard section so a transient API failure degrades to a single section error rather than blanking the whole dashboard.

The widget complements (does not replace) the existing Security section, which renders WAF detection/block timeseries, top attack types, world map, and top attacking IPs from the existing /api/dashboard/security endpoint. Two different concerns; both stay.

What does NOT ship in v1.3.24¶

The original v1.3.20+ elevated-priority list had four UI items; v1.3.24 ships two of them:

Item	Status
`/security` tabs (Banned IPs / Whitelist / Activity)	shipped
Dashboard Security widget	shipped
Scenarios management UI	deferred to v1.3.25
AppSec threshold tuning UI	deferred to v1.3.25

The deferred items both follow the v1.3.19 sentinel-file pattern (panel writes /data/shared/<sentinel>.txt, setup-appsec.sh consumes on next run) and share the same script-extension work, so co-developing them is less work than splitting. Plan doc: docs/planning/v1.3.25-scenarios-and-appsec-tuning.md (to be written when that release starts).

Smoke¶

Pure-frontend release, browser-driven smoke:

Tab navigation: visit /security, click each tab, confirm each renders without error and the data matches what curl returns from the corresponding endpoint.
Banned IPs unban: ban a test IP via cscli, see it appear in the table, click Unban → confirmation dialog → on confirm, cscli decisions list --ip <IP> returns empty.
Whitelist add + remove: add 192.0.2.42 (test IP), see it appear, remove it, see it disappear. Toast surfaces the setup-appsec.sh reload command both times.
Activity tab: confirm rows from earlier actions in this same smoke session appear with non-empty source_ip (v1.3.23-or-later audit entries). Pre-v1.3.23 entries render with empty source IP as expected.
Hosts link: click the Hosts ↗ rightmost item in the tab strip, confirm it routes to /security/hosts and the host-WAF overview renders unchanged.
Bookmark-rescue banner: hard-reload /security, banner says "moved to /security/hosts", click Dismiss, reload — banner stays dismissed for the rest of the browser session.
Dashboard widget: load /, confirm "Bans & whitelist" section renders below "Security" with non-zero audit-24h count (since the smoke just produced audit events), the "manage →" link routes to /security.

NO tag until smoke real PASSes against prod stack.

Files changed¶

Frontend (only)¶

frontend/src/api/client.ts -- 7 new methods (securityListDecisions, securityDeleteDecisionByID, securityListWhitelist, securityDeleteWhitelistEntry, securityAuditLog, securityDashboardStats, securityPublicIPSelf) + 7 new response types covering the v1.3.23 endpoints.
frontend/src/pages/Security.tsx (new) -- tabbed page with Banned IPs / Whitelist / Activity tab bodies + Hosts link
bookmark-rescue banner.
frontend/src/App.tsx -- routes: /security → SecurityPage, /security/hosts → existing SecurityOverviewPage (moved).
frontend/src/pages/Dashboard.tsx -- BansAndWhitelistSection between Security and Health.

Docs¶

docs/release-notes/v1.3.24.md (this file)
CHANGELOG.md, mkdocs.yml, version bump

Upgrade¶

cd argos-edge
git pull
docker compose build
docker compose up -d

No backend changes. The frontend rebuilds with the new bundle; operators with /security bookmarked will land on the new tabs page (with the bookmark-rescue banner).

Not changed¶

All 7 /api/security/* v1.3.23 endpoints unchanged.
Migration 030 still latest.
enable_streaming: false from v1.3.20, country-expansion rollup from v1.3.22, audit IP capture from v1.3.23 -- all unchanged.
The existing Security dashboard section (WAF activity, world map) stays as-is; the new widget is additive.