{
  "schema_version": 3,
  "generated_utc": "2026-03-24T00:00:00Z",
  "legal_note": "Public file only. Pattern and bucket aggregates. No raw IPs, no private names, no quoted DMs. Not a criminal complaint against any named person.",
  "automation": {
    "pipeline": "OpenClaw or local jobs may roll up private logs into this file. Run npm run validate-shield-json before every commit; it is the last check before content derived from private logs lands in a public file. Git push stays human approved, and the reviewer records the review time in last_human_review_utc at that step rather than leaving it null.",
    "last_human_review_utc": null
  },
  "transparency": {
    "why_publish": "Phyllux and David E. Sproule work in public on hard technical and creative problems. That draws junk traffic, probes, and platform abuse aimed at reputation and continuity. Partners and the public deserve to see the shape and scale of what we handle, in a form that does not invite pile ons or legal risk.",
    "methodology": "Counters come from gateway logs, CDN or host dashboards, and messaging automation guardrails. We bucket by behavior pattern, not by identity. Numbers may be rounded or windowed. Spikes are described by time slice and category only.",
    "red_lines": "We do not publish raw third party IPs, exact home locations, private communications, medical or family detail, or accusations that name a private individual as a perpetrator. Hashes of buckets may exist internally but are not published either: a bare hash of a small value such as an IPv4 address can be reversed by brute force, so it does not count as anonymization. Public text stays human readable aggregates.",
    "interpretation": "High counts mean we saw many matching events, not that every event was hostile intent. Some traffic is misconfiguration, scanners, or shared infrastructure. Language stays observational.",
    "attribution_public_only": "When we call out sources below, we mean hosting providers, autonomous systems, and scanner behavior visible from public RDAP or reputation data. That is not the same as naming a private person, and it is not a criminal accusation."
  },
  "edge_observatory": {
    "refresh_note": "The UI re-fetches hashed-attacks.json about every 0.5 seconds, but the aggregate counters in it only change when you republish that file or run a sync job from your lab. Below that, the page also shows a live browser session strip: online state, connection hints when the browser exposes them, round trip time for each JSON pull, session uptime, and an optional public exit IP check. Those client metrics are real time for whoever is viewing the page; they are computed in the viewer's own browser and are not written back into this file. The exit IP check necessarily asks an outside service for the viewer's address, which is why it stays optional.",
    "home_lab_channel": "Residential gateway, WiFi edge, and workstation side patterns can be merged into the same buckets as other logs after validation. Gateway logs are the source most likely to carry the home WAN IP, so strip it before the merge; nothing published here may reveal your home address or WAN IP.",
    "attribution_policy": "Publish ASN or host org labels from public RDAP only. No raw IPs, no residential subscriber names, no naming private individuals as attackers."
  },
  "edge_feed": [
    {
      "t": "2026-03-24T00:00:00Z",
      "level": "info",
      "line": "HOME_LAB · aggregate channel online · workstation + gateway counters merged to pattern rows"
    },
    {
      "t": "2026-03-24T00:00:01Z",
      "level": "warn",
      "line": "EDGE · reconnaissance weighted toward commercial VPS ASNs (public registry only)"
    },
    {
      "t": "2026-03-24T00:00:02Z",
      "level": "info",
      "line": "POLICY · traffic classified as junk is shown by infrastructure class, never by a person’s name"
    }
  ],
  "infrastructure_buckets": [
    {
      "bucket_ref": "AS14061",
      "public_label": "DigitalOcean (public ASN)",
      "events_display": "~180 weighted events (30d, scanner heavy)",
      "stance": "commercial_vps_scan_weighted",
      "note": "Label from public RDAP. Count is aggregate; not every packet was malicious."
    },
    {
      "bucket_ref": "AS16509",
      "public_label": "Amazon AWS (public ASN)",
      "events_display": "~95 weighted events (30d)",
      "stance": "cloud_hosted_automation",
      "note": "Common source for automation and misconfigured clients alike."
    },
    {
      "bucket_ref": "SIG-CRED-STUFF",
      "public_label": "Credential stuffing signature (generic family)",
      "events_display": "folded into pattern #001 totals",
      "stance": "known_attack_pattern_family",
      "note": "Family name only; no victim or attacker identity."
    }
  ],
  "totals": {
    "rolling_window_note": "Mix of rolling seven day and thirty day windows depending on source; not all rows use the same window.",
    "approx_total_events_display": "~5.7k blocked or rejected pattern events (recent windows, composite)",
    "distinct_pattern_rows": 3,
    "extra_context": "Totals are conservative summaries for transparency, not a complete forensic record. Full evidence stays private and counsel ready."
  },
  "summary": {
    "block_rate_display": "Set from your observability pipeline when wired",
    "avg_latency_ms_display": "Set from Netlify or CDN analytics when wired",
    "operator_load_note": "Extra review time, false positive checks, and incident context are real costs even when counts look like noise."
  },
  "work_surfaces": [
    {
      "surface": "phyllux.io and related static sites",
      "threat_note": "Path guessing, asset scraping, and junk form or bot traffic aimed at the public brand."
    },
    {
      "surface": "Repositories and build automation",
      "threat_note": "Probes that look like credential or workspace enumeration against tooling and hooks."
    },
    {
      "surface": "Messaging and notification channels",
      "threat_note": "Invalid delivery targets, permission games in groups, and automation abuse that burns operator attention."
    },
    {
      "surface": "Reputation and narrative pressure",
      "threat_note": "Coordinated volume patterns (reports, flags, spam mentions) show up as platform signals and manual review queues, not always as a single log line."
    }
  ],
  "timeline": [
    {
      "period": "2025 Q4 through 2026 Q1",
      "title": "Sustained reconnaissance style traffic",
      "category": "reconnaissance",
      "detail": "Repeated requests for nonexistent workspace paths and tooling endpoints. Consistent with bulk scanning rather than casual visitors. Handled at edge and in application guardrails."
    },
    {
      "period": "2026 Q1",
      "title": "Messaging layer validation failures",
      "category": "automation_abuse",
      "detail": "High volume of send attempts that fail validation or target checks. Reduces signal to noise for real humans and forces stricter automation policy."
    },
    {
      "period": "Ongoing",
      "title": "Permission and role friction in large channels",
      "category": "platform_abuse",
      "detail": "Patterns that look like probing group permissions or exploiting loose defaults. Mitigated with explicit role policy and manual review when automation cannot decide safely."
    }
  ],
  "patterns": [
    {
      "attack_id": "001",
      "label": "Workspace and tooling path probes",
      "blocked_count": 2848,
      "severity": "elevated",
      "vectors": ["web", "automation"],
      "window_note": "rolling thirty days, primary web edge",
      "public_detail": "Requests that look for common dev paths, env files, or repo shaped URLs that do not exist on our hosts. This is background noise for many sites, but volume still costs time, log storage, and alert tuning. We block or rate limit at pattern level and do not fingerprint casual users. A probed path that ever answers 200 instead of 404 is an incident to investigate, not noise to rate limit.",
      "impact_note": "Noise crowds real incidents; we spend cycles distinguishing scan traffic from genuine misconfiguration reports.",
      "response_note": "WAF style rules, static host hardening, and uniform 404 responses that give a scanner no signal about whether a path is real. No naming of scanner owners."
    },
    {
      "attack_id": "002",
      "label": "Invalid messaging delivery targets",
      "blocked_count": 1924,
      "severity": "moderate",
      "vectors": ["messaging", "automation"],
      "window_note": "rolling thirty days",
      "public_detail": "Attempts to reach chat IDs or handles that fail validation, are not ours, or violate send policy. Includes malformed payloads and obvious automation churn. This is the kind of traffic that makes platform operators look abusive even when the intent is third party spam infrastructure.",
      "impact_note": "Operator time validating failures; risk of false association with bulk send behavior.",
      "response_note": "Strict allow lists, validation before send, and logging at pattern level only."
    },
    {
      "attack_id": "003",
      "label": "Group permission denials and escalation attempts",
      "blocked_count": 896,
      "severity": "moderate",
      "vectors": ["messaging", "social_graph"],
      "window_note": "rolling thirty days",
      "public_detail": "Automated or semi automated flows that hit permission errors in large groups or channels. Some are innocent clients retrying; some look like probing for elevated actions. We document the aggregate because it is part of the abuse surface around public technical leadership, not because every row is malicious.",
      "impact_note": "Manual policy fixes where bots cannot safely auto remediate.",
      "response_note": "Role hygiene, rate limits on sensitive actions, human review on repeated failures.",
      "note": "Automatic remediation of 403 permission errors is governed by manual or bot policy; the shield software alone does not guarantee it."
    }
  ],
  "regions": [
    {
      "code": "AGG",
      "lat": 20,
      "lon": 0,
      "weight": 1,
      "note": "Global coarse aggregate bucket for map display only"
    }
  ]
}
