feat(dashboard): SOC workflow overhaul — sidebar nav, doc tooltips, full-width layout

- base.html: collapsible sidebar navigation, doc tooltip system, JS helpers
  (fmtNum, fmtPct, fmtDuration, ecGrid, buildTable, docHTML)
- overview.html: SOC command center with stacked timeline, live alerts,
  campaigns panel, browser donut, 6 KPIs
- detections.html: threat color dots, raw score column, click-to-navigate rows
- network.html: JA4 rotation, brute-force, persistent threats tables, 6 KPIs
- ip_detail.html: ASN/country KPIs, AE/XGB/campaign columns, enriched features
- scores/traffic/features/models/classify: page_title blocks + doc tooltips
- api.py: 9 new endpoints (campaigns, brute-force, ja4-rotation, recurrence,
  cascade, alerts, timeline-detail, ua-rotation)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/dashboard/backend/templates/classify.html

@@ -1,8 +1,16 @@
 {% extends "base.html" %}
 {% block title %}JA4 SOC — Classifier{% endblock %}
+{% block page_title %}
+    Classification SOC
+    <span class="relative inline-block ml-1"><button onclick="docToggle(this)" class="doc-btn">?</button><div class="doc-panel">
+        <h4>Feedback analyste SOC</h4>
+        <p>Classifiez les IPs pour entraîner le modèle XGBoost supervisé. Les labels sont utilisés au prochain cycle ML.</p>
+        <p><strong>Bot :</strong> Confirme que l'IP est malveillante. <strong>Légitime :</strong> Faux positif. <strong>Suspect :</strong> À surveiller.</p>
+        <p class="doc-source">Source : soc_feedback → XGBoost training</p>
+    </div></span>
+{% endblock %}
 {% block content %}
-<div class="space-y-6 max-w-2xl">
-    <h2 class="text-lg font-semibold text-white">Classification SOC</h2>
+<div class="space-y-6">
     <div class="bg-gray-900 rounded-xl p-6 border border-gray-800 space-y-4">
         <div>
             <label class="block text-sm text-gray-400 mb-1">Adresse IP</label>