Live defense
This page is the widest safe public slice of junk traffic, noisy automation, and platform pressure aimed at Phyllux, this site, and David E. Sproule’s public work. You get coarse timelines, the surfaces we watch, pattern level counts, and methodology in plain language. We stop short of anything that could dox someone, smear a private name, or paste raw third party network identifiers.
The file hashed-attacks.json drives the rollups. Jobs may draft that file from private logs; a validator blocks common PII shapes before commit. Deploy stays human approved. The browser polls that file often so the UI feels alive; the aggregates still only change when a new file ships (or you add a live API later).
Key facts and data path
When this snapshot was stamped in the published JSON.
Sum of counts in radar: (from table rows).
How often this page refetches the JSON. Not the same as log ingestion on your edge.
Aggregates, not a wiretap. Big numbers describe buckets and windows from our side. They are not a live mirror of every request on earth.
High count ≠ proven malice. Scanners, misconfigured clients, and shared cloud IPs inflate many signals. Language here stays observational on purpose.
Your session strip is yours. Browser hints below are for the tab you are in. They are not a readout of our lab LAN unless you put that story in JSON yourself.
How a line on this page is born
Logs and dashboards stay off the open web. Analyst or automation rolls them up.
Patterns, windows, and public ASN style labels only. Validator catches risky literals.
Human checks the file before push when automation drafts it.
Static JSON on the CDN. This page polls it and renders what you see.
Static snapshot, timed poll.
Aggregates change when hashed-attacks.json is republished. The strip below is your browser only, not our LAN.
Full refresh model (from JSON)
Add infrastructure_buckets in JSON (ASN labels from RDAP, scanner families). No raw IPs, no private names.
Your session (live)
These rows come from this browser and from timed requests. They change every visit and while you stay on the page. They do not read your LAN or replace a full network audit. The static shield JSON above still only updates when someone publishes a new file.
Why this exists
How we count
How to read it
Public callouts only
This file does not yet expose transparency.why_publish or transparency.methodology. Open hashed-attacks.json to inspect the snapshot.
Rollup
Snapshot
Surfaces we defend
Timeline (coarse)
Pattern mix (relative weight)
Bars compare each pattern’s blocked_count to the largest row in this file. They are a visual index, not a second data source.
Patterns (full detail)
| ID | Severity | Pattern | Count | Detail |
|---|---|---|---|---|
|
|
Full public detailImpact: Response: |
Coarse map
Regions are aggregate buckets for visualization, not precise geolocation of anyone.
Terms used here
- Pattern row
- One labeled family of similar events (for example path probes or invalid message targets) with a count and a time window note.
- edge_feed
- Sanitized ticker lines in JSON meant for the mission control column. No raw IPs or private names.
- infrastructure_buckets
- Public ASN or host org style labels from registry data, plus aggregate weights. Not the same as blaming a named person.
- JSON pull round trip
- Time for your browser to fetch
hashed-attacks.jsonagain. Useful for network feel, not for threat scoring. - Rolling window
- A slice such as seven or thirty days. Rows may use different slices; read each row’s note.
- Validator
- Repo script
npm run validate-shield-jsonthat blocks many unsafe string shapes before deploy.
What is safe to put on this page
The public site is for rolled up, validated story: pattern counts, time windows, categories, coarse regions, and infrastructure labels drawn from public registry style data. The JSON pipeline runs npm run validate-shield-json to catch many unsafe literals.
- OK here: aggregate counters, sanitized
edge_feedlines, ASN or host org buckets, methodology notes, and honesty copy that stays observational. - Not for the public site: raw
netstatdumps, full DNS cache,hostsfile contents, Security or System event exports, Defender reports, process or startup inventories, or anything from a local audit folder such asD:\logs\audit_*(those stay private for your review or counsel). - Session strip above: each visitor sees their own browser hints. Do not treat a screenshot of it as proof of your lab or of site wide attacks.
Full boundary list: OPENCLAW_SHIELD.md (safe vs private) in the repo.