feat(dashboard): complete SOC dashboard with full monitoring and workflows

- models.html: Full rewrite — 6 KPIs, scoring volume timeline, anomaly rate
  chart, threat breakdown per model, enhanced model cards with validation gate
- classify.html: SOC workflow — suggested unclassified IPs, quick-classify
  buttons, classification stats pie, pre-fill from URL params
- traffic.html: Clickable rows → ip_detail, column sorting, status column,
  search filter, doc tooltips on all chart sections
- scores.html: Search input, clickable rows → ip_detail, LEGITIMATE_BROWSER
  filter button, doc tooltips on distribution + scatter charts
- ip_detail.html: Resource cascade section (headless browser detection),
  status column in HTTP logs table
- detections.html: Doc tooltips on threat/reason/ASN chart sections
- features.html: Doc tooltips on radar/importance/scatter sections
- api.py: 4 new endpoints — /api/models/timeline, /api/models/threats,
  /api/classify/stats, /api/classify/suggested. Traffic API: status + search.

46 routes total. All tests pass (dashboard + bot-detector 36/36).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
toto
2026-04-09 01:25:01 +02:00
parent 396baa90d2
commit 63ba6d203c
8 changed files with 711 additions and 142 deletions


@ -14,15 +14,33 @@
<!-- Summary charts -->
<div class="grid grid-cols-1 lg:grid-cols-3 gap-3">
<div class="section-card">
<div class="section-header"><span class="section-title">Par threat level</span></div>
<div class="section-header"><span class="section-title">Par threat level
<span class="relative inline-block"><button onclick="docToggle(this)" class="doc-btn">?</button><div class="doc-panel">
<h4>Répartition des menaces</h4>
<p>CRITICAL = score très élevé + multi-signal. HIGH = score au-dessus du seuil. KNOWN_BOT = identifié par dictionnaire. Cliquez sur un segment pour filtrer.</p>
<p class="doc-source">Source : ml_detected_anomalies</p>
</div></span>
</span></div>
<div class="p-3"><div id="det-threat-chart" style="height:140px"></div></div>
</div>
<div class="section-card">
<div class="section-header"><span class="section-title">Top raisons</span></div>
<div class="section-header"><span class="section-title">Top raisons
<span class="relative inline-block"><button onclick="docToggle(this)" class="doc-btn">?</button><div class="doc-panel">
<h4>Raisons de détection</h4>
<p>Motifs de déclenchement : score IF élevé, bot connu, Anubis DENY, etc. Aide à comprendre pourquoi une IP est détectée.</p>
<p class="doc-source">Source : ml_detected_anomalies.reason</p>
</div></span>
</span></div>
<div class="p-3"><div id="det-reason-chart" style="height:140px"></div></div>
</div>
<div class="section-card">
<div class="section-header"><span class="section-title">Top ASN détectés</span></div>
<div class="section-header"><span class="section-title">Top ASN détectés
<span class="relative inline-block"><button onclick="docToggle(this)" class="doc-btn">?</button><div class="doc-panel">
<h4>ASN des détections</h4>
<p>Autonomous Systems d'où proviennent les menaces. Les hébergeurs (OVH, Hetzner, DigitalOcean) sont souvent en tête car utilisés par les botnets.</p>
<p class="doc-source">Source : ml_detected_anomalies.asn_org</p>
</div></span>
</span></div>
<div class="p-3"><div id="det-asn-chart" style="height:140px"></div></div>
</div>
</div>
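Review bot: The three new `?` buttons attach their handler through an inline `onclick="docToggle(this)"` attribute, which only runs if the page's Content-Security-Policy allows inline script. For a SOC dashboard it is worth keeping `script-src` strict, so bind the toggle from a script file instead, for example one delegated click listener matching `.doc-btn`, and drop the attribute from the markup. While touching these lines: each `<div class="doc-panel">` with its `<h4>` and `<p>` sits inside `<span class="section-title">` and `<span class="relative inline-block">`, which puts block content inside inline elements; moving the panel up into the `section-header` div keeps the markup valid. The buttons also have no `type="button"` and no accessible name beyond `?`. The same block is repeated three times with only the text changed, so a template macro or include taking title, body and source would keep the three sections in sync.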