refactor: replace hardcoded mabase_prod DB prefix with configurable settings

Replace all hardcoded 'mabase_prod.' table prefixes in dashboard route
SQL queries with configurable database names from settings:

- http_logs, http_logs_raw → settings.CLICKHOUSE_DB_LOGS
- All other tables → settings.CLICKHOUSE_DB_PROCESSING

Also qualify previously unqualified table references (bare FROM/JOIN
table_name) with the appropriate database prefix for consistency.

Each route file now imports 'from ..config import settings' and uses
f-strings with {settings.CLICKHOUSE_DB_PROCESSING} or
{settings.CLICKHOUSE_DB_LOGS} for database-qualified table names.

Files updated: analysis, attributes, audit, botnets, bruteforce,
clustering, detections, entities, fingerprints, header_fingerprint,
heatmap, incidents, investigation_summary, metrics, ml_features,
rotation, search, tcp_spoofing, variability (19 files).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/dashboard/backend/routes/detections.py

@@ -5,6 +5,7 @@ from fastapi import APIRouter, HTTPException, Query
 from typing import Optional, List
 from ..database import db
 from ..models import DetectionsListResponse, Detection
+from ..config import settings
 
 router = APIRouter(prefix="/api/detections", tags=["detections"])
 
@@ -82,7 +83,7 @@ async def get_detections(
         # Requête de comptage
         count_query = f"""
         SELECT count()
-        FROM ml_detected_anomalies
+        FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
         WHERE {where_clause}
         """
         
@@ -107,7 +108,7 @@ async def get_detections(
             # Count distinct IPs
             count_ip_query = f"""
             SELECT uniq(src_ip)
-            FROM ml_detected_anomalies
+            FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
             WHERE {where_clause}
             """
             cr = db.query(count_ip_query, params)
@@ -154,11 +155,11 @@ async def get_detections(
                     argMin(anubis_bot_name,     anomaly_score)    AS anubis_bot_name_best,
                     argMin(anubis_bot_action,   anomaly_score)    AS anubis_bot_action_best,
                     argMin(anubis_bot_category, anomaly_score)    AS anubis_bot_category_best
-                FROM ml_detected_anomalies
+                FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
                 WHERE {where_clause}
                 GROUP BY src_ip
             ) ip_data
-            LEFT JOIN mabase_prod.asn_reputation ar
+            LEFT JOIN {settings.CLICKHOUSE_DB_PROCESSING}.asn_reputation ar
                    ON ar.src_asn = toUInt32OrZero(ip_data.asn_number)
             ORDER BY {outer_sort} {sort_order}
             LIMIT %(limit)s OFFSET %(offset)s
@@ -248,8 +249,8 @@ async def get_detections(
             anubis_bot_name,
             anubis_bot_action,
             anubis_bot_category
-        FROM ml_detected_anomalies
-        LEFT JOIN mabase_prod.asn_reputation ar ON ar.src_asn = toUInt32OrZero(asn_number)
+        FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
+        LEFT JOIN {settings.CLICKHOUSE_DB_PROCESSING}.asn_reputation ar ON ar.src_asn = toUInt32OrZero(asn_number)
         WHERE {where_clause}
         ORDER BY {sort_by} {sort_order}
         LIMIT %(limit)s OFFSET %(offset)s
@@ -312,7 +313,7 @@ async def get_detection_details(detection_id: str):
     detection_id peut être une IP ou un identifiant
     """
     try:
-        query = """
+        query = f"""
         SELECT
             detected_at,
             src_ip,
@@ -363,7 +364,7 @@ async def get_detection_details(detection_id: str):
             ja4_asn_concentration,
             ja4_country_concentration,
             is_rare_ja4
-        FROM ml_detected_anomalies
+        FROM {settings.CLICKHOUSE_DB_PROCESSING}.ml_detected_anomalies
         WHERE src_ip = %(ip)s
         ORDER BY detected_at DESC
         LIMIT 1