feat(security): login anomaly detection & suspicious activity dashboard

[chengyixu]

Summary

Implements login anomaly detection with a full-stack security dashboard for issue #124.

Backend (packages/backend/)

New model — LoginEvent in app/models.py:

• Stores IP address, user-agent, success flag, anomaly score (0.0–1.0), and anomaly reasons per login event

New service — app/services/login_anomaly.py:

• compute_anomaly_score(): detects 4 anomaly signals
  • New IP address (never seen for this user): +0.30
  • New device/user-agent: +0.25
  • Brute-force: ≥5 failed attempts within 15 minutes: +0.40
  • Unusual hour (2–5 AM UTC): +0.15
• record_login(): persists a LoginEvent with computed score

Modified — app/routes/auth.py:

• Captures X-Forwarded-For / remote_addr and User-Agent on every login attempt
• Calls record_login() for both successful and failed logins

New blueprint — app/routes/security.py:

• GET /security/login-history — paginated login events (JWT protected)
• GET /security/anomalies — events with anomaly_score > 0 (JWT protected)
• GET /security/login-stats — aggregate stats: total logins, unique IPs, unique devices, suspicious count (JWT protected)

Schema — app/db/schema.sql + _ensure_schema_compatibility() in app/__init__.py:

• Creates login_events table with proper indexes on user_id, created_at, and (user_id, anomaly_score) partial index

Frontend (app/src/)

New API client — src/api/security.ts:

• getLoginHistory(), getAnomalies(), getLoginStats() TypeScript functions

New page — src/pages/Security.tsx:

• Stat cards: Total Logins, Unique IPs, Unique Devices, Suspicious Events
• Login history table with color-coded risk badges (Safe / Low / Medium / High)

Wired up — App.tsx route /security (ProtectedRoute) + Navbar.tsx nav item

Tests (packages/backend/tests/test_login_anomaly.py)

19 pytest tests:

• 9 unit tests for compute_anomaly_score (baseline, new IP, new device, brute-force, unusual hour, combined signals)
• 2 integration tests for record_login persistence
• 8 API route tests for all three /security/ endpoints (unauthenticated 401, authenticated responses, empty state, data population)

/claim #124

Closes #124

[chengyixu]

Hi @rohitdash08! Could you please approve the CI workflows to run? As a first-time contributor, GitHub requires repo owner approval before CI can execute on fork PRs for security reasons.

The workflows (CI, CodeQL, Frontend Tests) are queued at runs #23691858138, #23691858142, and #23691858148 - they just need your approval to run.

Thank you!

[chengyixu]

Hi @rohitdash08! This PR implements the login anomaly detection feature (#124) with a full-stack solution: LoginEvent model, anomaly detection service, /security API blueprint, React Security page, and 19 pytest tests. Ready for review!