feat: 6 améliorations SOC — synthèse IP, baseline, sophistication, chasse proactive, badge ASN, 2 nouveaux onglets rotation

- investigation_summary.py: nouveau endpoint GET /api/investigation/{ip}/summary
  agrège 6 sources (ML, bruteforce, TCP spoofing, JA4 rotation, persistance, timeline 24h)
  en un score de risque 0-100 avec signaux détaillés
- InvestigationView.tsx: widget IPActivitySummary avec jauge Risk Score SVG,
  badges multi-sources et mini-timeline 24h barres
- metrics.py: endpoint GET /api/metrics/baseline — comparaison 24h vs hier
  (total détections, IPs uniques, alertes CRITICAL) avec % de variation
- IncidentsView.tsx: widget baseline avec ▲▼ sur le dashboard principal
- rotation.py: endpoints /sophistication et /proactive-hunt
  Score sophistication = JOIN 3 tables (rotation×10 + récurrence×20 + log(bf+1)×5)
  Chasse proactive = IPs récurrentes sous le seuil ML (abs(score) < 0.5)
- RotationView.tsx: onglets 🏆 Sophistication et 🕵️ Chasse proactive
  avec tier APT-like/Advanced/Automated/Basic et boutons investigation
- detections.py: LEFT JOIN asn_reputation, badge coloré rouge/orange/vert
  selon label (bot/scanner → score 0.05, human → 0.9)
- models.py: ajout champs asn_score et asn_rep_label dans Detection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/routes/metrics.py

@@ -120,3 +120,56 @@ async def get_threat_distribution():
         
     except Exception as e:
         raise HTTPException(status_code=500, detail=f"Erreur: {str(e)}")
+
+
+@router.get("/baseline")
+async def get_metrics_baseline():
+    """
+    Compare les métriques actuelles (24h) vs hier (24h-48h) pour afficher les tendances.
+    """
+    try:
+        query = """
+        SELECT
+            countIf(detected_at >= now() - INTERVAL 24 HOUR)                            AS today_total,
+            countIf(detected_at >= now() - INTERVAL 48 HOUR AND detected_at < now() - INTERVAL 24 HOUR) AS yesterday_total,
+            uniqIf(src_ip, detected_at >= now() - INTERVAL 24 HOUR)                     AS today_ips,
+            uniqIf(src_ip, detected_at >= now() - INTERVAL 48 HOUR AND detected_at < now() - INTERVAL 24 HOUR) AS yesterday_ips,
+            countIf(threat_level = 'CRITICAL' AND detected_at >= now() - INTERVAL 24 HOUR) AS today_critical,
+            countIf(threat_level = 'CRITICAL' AND detected_at >= now() - INTERVAL 48 HOUR AND detected_at < now() - INTERVAL 24 HOUR) AS yesterday_critical
+        FROM ml_detected_anomalies
+        WHERE detected_at >= now() - INTERVAL 48 HOUR
+        """
+        r = db.query(query)
+        row = r.result_rows[0] if r.result_rows else None
+
+        def pct_change(today: int, yesterday: int) -> float:
+            if yesterday == 0:
+                return 100.0 if today > 0 else 0.0
+            return round((today - yesterday) / yesterday * 100, 1)
+
+        today_total     = int(row[0] or 0) if row else 0
+        yesterday_total = int(row[1] or 0) if row else 0
+        today_ips       = int(row[2] or 0) if row else 0
+        yesterday_ips   = int(row[3] or 0) if row else 0
+        today_crit      = int(row[4] or 0) if row else 0
+        yesterday_crit  = int(row[5] or 0) if row else 0
+
+        return {
+            "total_detections": {
+                "today":      today_total,
+                "yesterday":  yesterday_total,
+                "pct_change": pct_change(today_total, yesterday_total),
+            },
+            "unique_ips": {
+                "today":      today_ips,
+                "yesterday":  yesterday_ips,
+                "pct_change": pct_change(today_ips, yesterday_ips),
+            },
+            "critical_alerts": {
+                "today":      today_crit,
+                "yesterday":  yesterday_crit,
+                "pct_change": pct_change(today_crit, yesterday_crit),
+            },
+        }
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Erreur baseline: {str(e)}")