feat: ja4-platform monorepo — 5 services unified, tests & RPM builds standardized

Services:
- ja4sentinel: TLS/JA4 fingerprint capture daemon (Go, libpcap)
- logcorrelator: JA4 log correlation engine (Go, ClickHouse)
- mod_reqin_log: Apache module (C, JSON request logging)
- bot_detector: ML bot detection pipeline (Python)
- dashboard: FastAPI/Streamlit analytics UI (Python)

Shared libraries:
- shared/go/ja4common: logger, config, shutdown, ipfilter (Go module)
- shared/python/ja4_common: ClickHouseClient, ClickHouseSettings (Python package)
- shared/clickhouse/: canonical SQL migrations (10 files)

Build & packaging:
- Unified 3-stage Dockerfile.package for Go RPMs (el8/el9/el10)
- go.work workspace linking sentinel, correlator, ja4common
- Makefile with test-all, build-all, rpm-* targets

Fixes applied:
- go.work: 1.21 → 1.24.6 (required by sentinel)
- correlator Dockerfiles: golang:1.21 → golang:1.24
- replace directives in go.mod for ja4common local path
- pyproject.toml: setuptools.backends → setuptools.build_meta
- Removed static libpcap linking (unavailable on Rocky 9)
- Fixed data races in output/writers_test.go (sync.Mutex + atomic.Int32)
- Rewrote corrupted test files (logger_test.go × 2)

Test coverage:
- correlator: 67.1% total (unixsocket 80.5%, config 91.7%, app 83.3%, multi 87.7%, stdout 100%)
- sentinel: all 10 packages pass (api, capture, config, fingerprint, ipfilter, logging, output, tlsparse)

Documentation:
- README.md + docs/ (architecture, development, 5 services, shared libs, DB schema & migrations)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

services/dashboard/backend/routes/botnets.py

@@ -0,0 +1,105 @@
+"""
+Endpoints pour l'analyse des botnets via la propagation des fingerprints JA4
+"""
+from fastapi import APIRouter, HTTPException, Query
+
+from ..database import db
+
+router = APIRouter(prefix="/api/botnets", tags=["botnets"])
+
+
+def _botnet_class(unique_countries: int) -> str:
+    if unique_countries > 100:
+        return "global_botnet"
+    if unique_countries > 20:
+        return "regional_botnet"
+    return "concentrated"
+
+
+@router.get("/ja4-spread")
+async def get_ja4_spread():
+    """Propagation des JA4 fingerprints à travers les pays et les IPs."""
+    try:
+        sql = """
+        SELECT
+            ja4,
+            unique_ips,
+            unique_countries,
+            targeted_hosts
+        FROM mabase_prod.view_host_ja4_anomalies
+        ORDER BY unique_countries DESC
+        """
+        result = db.query(sql)
+        items = []
+        for row in result.result_rows:
+            ja4              = str(row[0])
+            unique_ips       = int(row[1])
+            unique_countries = int(row[2])
+            targeted_hosts   = int(row[3])
+            dist_score       = round(
+                unique_countries / max(unique_ips ** 0.5, 0.001), 2
+            )
+            items.append({
+                "ja4":               ja4,
+                "unique_ips":        unique_ips,
+                "unique_countries":  unique_countries,
+                "targeted_hosts":    targeted_hosts,
+                "distribution_score":dist_score,
+                "botnet_class":      _botnet_class(unique_countries),
+            })
+        return {"items": items, "total": len(items)}
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@router.get("/ja4/{ja4}/countries")
+async def get_ja4_countries(ja4: str, limit: int = Query(30, ge=1, le=200)):
+    """Top pays pour un JA4 donné depuis agg_host_ip_ja4_1h."""
+    try:
+        sql = """
+        SELECT
+            src_country_code                                                        AS country_code,
+            uniq(replaceRegexpAll(toString(src_ip), '^::ffff:', ''))               AS unique_ips,
+            sum(hits)                                                               AS hits
+        FROM mabase_prod.agg_host_ip_ja4_1h
+        WHERE ja4 = %(ja4)s
+        GROUP BY src_country_code
+        ORDER BY unique_ips DESC
+        LIMIT %(limit)s
+        """
+        result = db.query(sql, {"ja4": ja4, "limit": limit})
+        items = [
+            {
+                "country_code": str(row[0]),
+                "unique_ips":   int(row[1]),
+                "hits":         int(row[2]),
+            }
+            for row in result.result_rows
+        ]
+        return {"items": items, "total": len(items)}
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@router.get("/summary")
+async def get_botnets_summary():
+    """Statistiques globales sur les botnets détectés."""
+    try:
+        sql = """
+        SELECT
+            countIf(unique_countries > 100)                         AS total_global_botnets,
+            sumIf(unique_ips, unique_countries > 50)                AS total_ips_in_botnets,
+            argMax(ja4, unique_countries)                           AS most_spread_ja4,
+            argMax(ja4, unique_ips)                                 AS most_ips_ja4
+        FROM mabase_prod.view_host_ja4_anomalies
+        """
+        result = db.query(sql)
+        row = result.result_rows[0]
+        return {
+            "total_global_botnets": int(row[0]),
+            "total_ips_in_botnets": int(row[1]),
+            "most_spread_ja4":      str(row[2]),
+            "most_ips_ja4":         str(row[3]),
+        }
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))