feat(dashboard): SOC workflow overhaul — sidebar nav, doc tooltips, full-width layout

- base.html: collapsible sidebar navigation, doc tooltip system, JS helpers
  (fmtNum, fmtPct, fmtDuration, ecGrid, buildTable, docHTML)
- overview.html: SOC command center with stacked timeline, live alerts,
  campaigns panel, browser donut, 6 KPIs
- detections.html: threat color dots, raw score column, click-to-navigate rows
- network.html: JA4 rotation, brute-force, persistent threats tables, 6 KPIs
- ip_detail.html: ASN/country KPIs, AE/XGB/campaign columns, enriched features
- scores/traffic/features/models/classify: page_title blocks + doc tooltips
- api.py: 9 new endpoints (campaigns, brute-force, ja4-rotation, recurrence,
  cascade, alerts, timeline-detail, ua-rotation)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/dashboard/backend/templates/features.html

@@ -1,8 +1,16 @@
 {% extends "base.html" %}
 {% block title %}JA4 SOC — Features ML{% endblock %}
+{% block page_title %}
+    Features ML
+    <span class="relative inline-block ml-1"><button onclick="docToggle(this)" class="doc-btn">?</button><div class="doc-panel">
+        <h4>Exploration des features</h4>
+        <p>Visualisez les 72 features ML extraites : comportementales (velocity, fuzzing), réseau (port_density, JA4), et thesis §5 (entropie, cadence, drift).</p>
+        <p><strong>Radar :</strong> Compare les profils ISP (humain) vs datacenter (bot). <strong>Scatter :</strong> Identifiez visuellement les clusters anormaux.</p>
+        <p class="doc-source">Source : view_ai_features_1h, view_thesis_features_1h</p>
+    </div></span>
+{% endblock %}
 {% block content %}
 <div class="space-y-6">
-    <h2 class="text-lg font-semibold text-white">Features ML — Exploration</h2>
 
     <!-- Row 1: Radar + Feature Importance -->
     <div class="grid grid-cols-1 lg:grid-cols-2 gap-4">