Guard ticket creation against duplicates using event's existing ticket_id

upsert_event now returns ticket_id (4th element) so callers can skip
ticket creation when one already exists. This prevents calling the ticket
API every poll cycle for ongoing issues while still retrying if the
previous creation attempt failed (ticket_id stays NULL until success).

Cluster events use (is_new or not ticket_id) so they too get retried
on failure rather than relying solely on is_new.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.eslintrc.json

@@ -0,0 +1,21 @@
+{
+  "env": {
+    "browser": true,
+    "es2021": true
+  },
+  "globals": {
+    "lt": "readonly",
+    "GANDALF_CONFIG": "readonly",
+    "CSS": "readonly"
+  },
+  "rules": {
+    "no-undef": "error",
+    "no-unused-vars": ["warn", { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }],
+    "no-console": "off",
+    "eqeqeq": ["error", "always", { "null": "ignore" }]
+  },
+  "parserOptions": {
+    "ecmaVersion": 2021,
+    "sourceType": "script"
+  }
+}

app.py

@@ -5,6 +5,7 @@ management UI. Authentication via Authelia forward-auth headers.
 All monitoring and alerting is handled by the separate monitor.py daemon.
 """
 import hashlib
+import html
 import ipaddress
 import json
 import logging
@@ -58,10 +59,12 @@ def inject_config():
 # In-memory diagnostic job store { job_id: { status, result, created_at } }
 _diag_jobs: dict = {}
 _diag_lock = threading.Lock()
+# Per-user rate-limit: { username: [epoch_float, ...] } — cleaned inside _diag_lock
+_diag_rate: dict = {}
 
 
 def _purge_old_jobs_loop():
-    """Background thread: remove stale diag jobs and run daily event purge."""
+    """Background thread: remove stale diagnostic jobs and mark stuck ones done."""
     while True:
         time.sleep(120)
         cutoff = time.time() - 600
@@ -73,8 +76,8 @@ def _purge_old_jobs_loop():
             for jid, j in list(_diag_jobs.items()):
                 if j['status'] == 'running' and j.get('created_at', 0) < stuck_cutoff:
                     j['status'] = 'done'
-                    j['result'] = {'status': 'error', 'error': 'Diagnostic timed out (thread crash)'}
-                    logger.error(f'Diagnostic job {jid} appeared stuck; marked as errored')
+                    j['result'] = {'status': 'error', 'error': 'Diagnostic abandoned — no activity for 5 minutes.'}
+                    logger.error(f'Diagnostic job {jid} stuck (no activity for 5 min); marked done/error')
 
 
 _purge_thread = threading.Thread(target=_purge_old_jobs_loop, daemon=True)
@@ -91,6 +94,14 @@ def _config() -> dict:
     return _cfg
 
 
+@app.after_request
+def add_security_headers(response):
+    response.headers.setdefault('X-Content-Type-Options', 'nosniff')
+    response.headers.setdefault('X-Frame-Options', 'DENY')
+    response.headers.setdefault('Referrer-Policy', 'strict-origin-when-cross-origin')
+    return response
+
+
 def _daemon_ok(last_check: str) -> bool:
     """Return True if monitor last checked within 20 minutes."""
     if not last_check or last_check == 'Never':
@@ -132,23 +143,64 @@ def require_auth(f):
             )
         allowed = _config().get('auth', {}).get('allowed_groups', ['admin'])
         if not any(g in allowed for g in user['groups']):
+            safe_user   = html.escape(user['username'])
+            safe_groups = html.escape(', '.join(allowed))
             return (
                 f'<h1>403 – Access denied</h1>'
-                f'<p>Your account ({user["username"]}) is not in an allowed group '
-                f'({", ".join(allowed)}).</p>',
+                f'<p>Your account ({safe_user}) is not in an allowed group '
+                f'({safe_groups}).</p>',
                 403,
             )
         return f(*args, **kwargs)
     return wrapper
 
 
+def require_admin(f):
+    """Decorator: require require_auth AND membership in the 'admin' group."""
+    @wraps(f)
+    def wrapper(*args, **kwargs):
+        user = _get_user()
+        if 'admin' not in user.get('groups', []):
+            return jsonify({'error': 'Admin access required'}), 403
+        return f(*args, **kwargs)
+    return wrapper
+
+
 # ---------------------------------------------------------------------------
-# Page routes
+# Helpers
 # ---------------------------------------------------------------------------
 
 _PAGE_LIMIT = 200  # max events returned per request
 
 
+def _annotate_suppressions(events: list, suppressions: list) -> None:
+    """Annotate each event dict in-place with an is_suppressed bool.
+
+    Mirrors the suppression check order in monitor.py exactly:
+      interface_down  → interface OR host
+      unifi_device_*  → unifi_device
+      everything else → host
+    """
+    for ev in events:
+        etype = ev.get('event_type', '')
+        name = ev.get('target_name', '')
+        detail = ev.get('target_detail', '') or ''
+        if etype == 'interface_down':
+            ev['is_suppressed'] = (
+                db.check_suppressed(suppressions, 'interface', name, detail) or
+                db.check_suppressed(suppressions, 'host', name)
+            )
+        elif etype == 'unifi_device_offline':
+            ev['is_suppressed'] = db.check_suppressed(suppressions, 'unifi_device', name, detail)
+        else:
+            ev['is_suppressed'] = db.check_suppressed(suppressions, 'host', name, detail)
+
+
+# ---------------------------------------------------------------------------
+# Page routes
+# ---------------------------------------------------------------------------
+
+
 @app.route('/')
 @require_auth
 def index():
@@ -158,18 +210,13 @@ def index():
     summary = db.get_status_summary()
     snapshot_raw = db.get_state('network_snapshot')
     last_check = db.get_state('last_check', 'Never')
-    snapshot = json.loads(snapshot_raw) if snapshot_raw else {}
+    try:
+        snapshot = json.loads(snapshot_raw) if snapshot_raw else {}
+    except Exception as e:
+        logger.error(f'Failed to parse network_snapshot JSON: {e}')
+        snapshot = {}
     suppressions = db.get_active_suppressions()
-    for ev in events:
-        sup_type = (
-            'unifi_device' if ev.get('event_type') == 'unifi_device_offline'
-            else 'interface' if ev.get('event_type') == 'interface_down'
-            else 'host'
-        )
-        ev['is_suppressed'] = db.check_suppressed(
-            suppressions, sup_type,
-            ev.get('target_name', ''), ev.get('target_detail', '') or '',
-        )
+    _annotate_suppressions(events, suppressions)
     recent_resolved = db.get_recent_resolved(hours=24, limit=10)
     return render_template(
         'index.html',
@@ -201,12 +248,17 @@ def inspector():
 
 @app.route('/suppressions')
 @require_auth
+@require_admin
 def suppressions_page():
     user = _get_user()
     active = db.get_active_suppressions()
     history = db.get_suppression_history(limit=50)
     snapshot_raw = db.get_state('network_snapshot')
-    snapshot = json.loads(snapshot_raw) if snapshot_raw else {}
+    try:
+        snapshot = json.loads(snapshot_raw) if snapshot_raw else {}
+    except Exception as e:
+        logger.error(f'Failed to parse network_snapshot JSON: {e}')
+        snapshot = {}
     return render_template(
         'suppressions.html',
         user=user,
@@ -225,16 +277,7 @@ def suppressions_page():
 def api_status():
     active = db.get_active_events(limit=_PAGE_LIMIT)
     suppressions = db.get_active_suppressions()
-    for ev in active:
-        sup_type = (
-            'unifi_device' if ev.get('event_type') == 'unifi_device_offline'
-            else 'interface' if ev.get('event_type') == 'interface_down'
-            else 'host'
-        )
-        ev['is_suppressed'] = db.check_suppressed(
-            suppressions, sup_type,
-            ev.get('target_name', ''), ev.get('target_detail', '') or '',
-        )
+    _annotate_suppressions(active, suppressions)
     last_check = db.get_state('last_check', 'Never')
     return jsonify({
         'summary': db.get_status_summary(),
@@ -262,11 +305,14 @@ def api_network():
 def api_links():
     raw = db.get_state('link_stats')
     if raw:
+        if len(raw) > 10_000_000:
+            logger.error(f'link_stats exceeds 10 MB ({len(raw)} bytes); possible corruption')
+            return jsonify({'error': 'Invalid cached data'}), 503
         try:
             return jsonify(json.loads(raw))
-        except Exception:
-            logger.error('Failed to parse link_stats JSON')
-    return jsonify({'hosts': {}, 'updated': None})
+        except Exception as e:
+            logger.error(f'Failed to parse link_stats JSON: {e}')
+    return jsonify({'hosts': {}, 'unifi_switches': {}, 'updated': None})
 
 
 @app.route('/api/events')
@@ -298,6 +344,7 @@ def api_get_suppressions():
 
 @app.route('/api/suppressions', methods=['POST'])
 @require_auth
+@require_admin
 def api_create_suppression():
     user = _get_user()
     data = request.get_json(silent=True) or {}
@@ -321,13 +368,21 @@ def api_create_suppression():
     if len(target_detail) > 255:
         return jsonify({'error': 'target_detail must be 255 characters or fewer'}), 400
 
+    if expires_minutes is not None:
+        try:
+            expires_minutes = int(expires_minutes)
+            if expires_minutes <= 0 or expires_minutes > 43200:
+                return jsonify({'error': 'expires_minutes must be between 1 and 43200 (30 days)'}), 400
+        except (ValueError, TypeError):
+            return jsonify({'error': 'expires_minutes must be a valid integer'}), 400
+
     sup_id = db.create_suppression(
         target_type=target_type,
         target_name=target_name,
         target_detail=target_detail,
         reason=reason,
         suppressed_by=user['username'],
-        expires_minutes=int(expires_minutes) if expires_minutes else None,
+        expires_minutes=expires_minutes,
     )
     logger.info(
         f'Suppression #{sup_id} created by {user["username"]}: '
@@ -338,6 +393,7 @@ def api_create_suppression():
 
 @app.route('/api/suppressions/<int:sup_id>', methods=['DELETE'])
 @require_auth
+@require_admin
 def api_delete_suppression(sup_id: int):
     user = _get_user()
     db.deactivate_suppression(sup_id)
@@ -365,8 +421,8 @@ def api_diagnose_start():
         return jsonify({'error': 'No link_stats data available'}), 503
     try:
         link_data = json.loads(raw)
-    except Exception:
-        logger.error('Failed to parse link_stats JSON in /api/diagnose')
+    except Exception as e:
+        logger.error(f'Failed to parse link_stats JSON in /api/diagnose: {e}')
         return jsonify({'error': 'Internal data error'}), 500
 
     switches = link_data.get('unifi_switches', {})
@@ -390,6 +446,9 @@ def api_diagnose_start():
         return jsonify({'error': 'No LLDP neighbor data for this port'}), 400
 
     server_name = lldp['system_name']
+    if not re.fullmatch(r'[a-zA-Z0-9._-]+', server_name):
+        logger.error(f'Refusing diagnostic: invalid server_name from LLDP: {server_name!r}')
+        return jsonify({'error': 'LLDP neighbor name contains invalid characters'}), 400
     lldp_port_id = lldp.get('port_id', '')
 
     # Find matching host + interface in link_stats hosts
@@ -415,9 +474,14 @@ def api_diagnose_start():
     # Resolve host IP from link_stats host data
     host_ip = (server_ifaces.get(matched_iface) or {}).get('host_ip')
     if not host_ip:
-        # Fallback: use LLDP mgmt IPs
-        mgmt_ips = lldp.get('mgmt_ips') or []
-        host_ip = mgmt_ips[0] if mgmt_ips else None
+        # Fallback: use first valid IP from LLDP mgmt IPs
+        for candidate in (lldp.get('mgmt_ips') or []):
+            try:
+                ipaddress.ip_address(candidate)
+                host_ip = candidate
+                break
+            except ValueError:
+                continue
     if not host_ip:
         return jsonify({'error': 'Cannot determine host IP for SSH'}), 400
 
@@ -432,8 +496,22 @@ def api_diagnose_start():
         return jsonify({'error': 'Resolved interface name contains invalid characters'}), 400
 
     job_id = str(uuid.uuid4())
+    requesting_user = _get_user()['username']
+    now = time.time()
     with _diag_lock:
-        _diag_jobs[job_id] = {'status': 'running', 'result': None, 'created_at': time.time()}
+        # Rate limit: max 5 diagnostic jobs per user per minute; prune stale user entries
+        stale_users = [u for u, ts in _diag_rate.items() if not ts or max(ts) < now - 3600]
+        for u in stale_users:
+            del _diag_rate[u]
+        recent = [t for t in _diag_rate.get(requesting_user, []) if now - t < 60]
+        if len(recent) >= 5:
+            return jsonify({'error': 'Rate limit exceeded: max 5 diagnostics per minute'}), 429
+        recent.append(now)
+        _diag_rate[requesting_user] = recent
+        _diag_jobs[job_id] = {
+            'status': 'running', 'result': None,
+            'created_at': now, 'user': requesting_user,
+        }
 
     def _run():
         try:
@@ -443,7 +521,7 @@ def api_diagnose_start():
             result = runner.run(host_ip, server_name, matched_iface, port_data)
         except Exception as e:
             logger.error(f'Diagnostic job {job_id} failed: {e}', exc_info=True)
-            result = {'status': 'error', 'error': str(e)}
+            result = {'status': 'error', 'error': 'Diagnostic failed; check server logs.'}
         with _diag_lock:
             if job_id in _diag_jobs:
                 _diag_jobs[job_id]['status'] = 'done'
@@ -459,11 +537,15 @@ def api_diagnose_start():
 @require_auth
 def api_diagnose_poll(job_id: str):
     """Poll a diagnostic job. Returns {status, result}."""
+    current_user = _get_user()['username']
     with _diag_lock:
         job = _diag_jobs.get(job_id)
-    if not job:
-        return jsonify({'error': 'Job not found'}), 404
-    return jsonify({'status': job['status'], 'result': job.get('result')})
+        if not job:
+            return jsonify({'error': 'Job not found'}), 404
+        if job.get('user') != current_user:
+            return jsonify({'error': 'Forbidden'}), 403
+        snapshot = {'status': job['status'], 'result': job.get('result')}
+    return jsonify(snapshot)
 
 
 @app.route('/api/avatar')
@@ -480,11 +562,21 @@ def api_avatar():
 
     # Build a safe cache filename from the username (alphanumeric + - _ .)
     safe_name = re.sub(r'[^a-zA-Z0-9._-]', '_', username)
-    cache_dir = ldap_cfg.get('cache_dir', os.path.join(tempfile.gettempdir(), 'gandalf_avatars'))
+    cache_dir = os.path.abspath(
+        ldap_cfg.get('cache_dir', os.path.join(tempfile.gettempdir(), 'gandalf_avatars'))
+    )
     os.makedirs(cache_dir, exist_ok=True)
-    cache_file = os.path.join(cache_dir, f'user_{safe_name}.jpg')
-    sentinel    = os.path.join(cache_dir, f'user_{safe_name}.none')
-    cache_ttl   = int(ldap_cfg.get('cache_ttl', 3600))
+    cache_file = os.path.abspath(os.path.join(cache_dir, f'user_{safe_name}.jpg'))
+    sentinel   = os.path.abspath(os.path.join(cache_dir, f'user_{safe_name}.none'))
+    # Guard against path escape (shouldn't happen with sanitised safe_name, but be explicit)
+    if not cache_file.startswith(cache_dir + os.sep) or not sentinel.startswith(cache_dir + os.sep):
+        logger.error(f'Avatar path escape detected for user {username!r}')
+        return '', 404
+    try:
+        cache_ttl = int(ldap_cfg.get('cache_ttl', 3600))
+    except (ValueError, TypeError):
+        logger.warning('Invalid cache_ttl in ldap config; using default 3600')
+        cache_ttl = 3600
 
     now = time.time()
 
@@ -494,33 +586,48 @@ def api_avatar():
                          max_age=cache_ttl, conditional=True)
 
     # Skip LDAP if we already know this user has no avatar
-    if os.path.exists(sentinel) and now - os.path.getmtime(sentinel) < cache_ttl:
-        return '', 404
+    try:
+        if os.path.exists(sentinel) and now - os.path.getmtime(sentinel) < cache_ttl:
+            return '', 404
+    except OSError:
+        pass
 
     # Query lldap
+    bind_pw = ldap_cfg.get('bind_pw', '')
+    if not bind_pw:
+        logger.error('LDAP bind_pw not configured — avatar lookup disabled')
+        return '', 404
+
     avatar_data = None
+    conn = None
     try:
         import ldap3
         server = ldap3.Server(ldap_cfg['host'], port=int(ldap_cfg.get('port', 3890)))
         conn   = ldap3.Connection(server,
                                   user=ldap_cfg['bind_dn'],
-                                  password=ldap_cfg.get('bind_pw', ''),
+                                  password=bind_pw,
                                   auto_bind=True, receive_timeout=5)
         safe_uid = ldap3.utils.conv.escape_filter_chars(username)
         conn.search(ldap_cfg.get('user_base', 'ou=people,dc=example,dc=com'),
                     f'(uid={safe_uid})', attributes=['avatar'])
         if conn.entries and conn.entries[0]['avatar'].value:
             avatar_data = conn.entries[0]['avatar'].value
-        conn.unbind()
     except ImportError:
         logger.error('ldap3 not installed — run: pip install ldap3')
         return '', 404
     except Exception as e:
         logger.error(f'LDAP avatar lookup failed for {username}: {e}')
         return '', 404
+    finally:
+        if conn is not None:
+            try:
+                conn.unbind()
+            except Exception:
+                pass
 
     if not avatar_data or len(avatar_data) < 100:
-        open(sentinel, 'w').close()
+        with open(sentinel, 'w'):
+            pass
         return '', 404
 
     # Validate JPEG magic bytes (FF D8 FF)
@@ -528,7 +635,8 @@ def api_avatar():
         avatar_data = avatar_data.encode('latin-1')
     if avatar_data[:3] != b'\xFF\xD8\xFF':
         logger.warning(f'Non-JPEG avatar data for {username}')
-        open(sentinel, 'w').close()
+        with open(sentinel, 'w'):
+            pass
         return '', 404
 
     with open(cache_file, 'wb') as f:
@@ -553,7 +661,8 @@ def health():
         db.get_state('last_check')
         checks['db'] = 'ok'
     except Exception as e:
-        checks['db'] = f'error: {e}'
+        logger.error(f'Health check db error: {e}')
+        checks['db'] = 'error'
         overall = 'degraded'
 
     # Monitor freshness: fail if last_check is older than 20 minutes
@@ -563,14 +672,15 @@ def health():
             ts = datetime.strptime(last_check, '%Y-%m-%d %H:%M:%S UTC').replace(tzinfo=timezone.utc)
             age_s = (datetime.now(timezone.utc) - ts).total_seconds()
             if age_s > 1200:
-                checks['monitor'] = f'stale ({int(age_s)}s since last check)'
+                checks['monitor'] = 'stale'
                 overall = 'degraded'
             else:
-                checks['monitor'] = f'ok ({int(age_s)}s ago)'
+                checks['monitor'] = 'ok'
         else:
             checks['monitor'] = 'no data yet'
     except Exception as e:
-        checks['monitor'] = f'error: {e}'
+        logger.error(f'Health check monitor error: {e}')
+        checks['monitor'] = 'error'
         overall = 'degraded'
 
     status_code = 200 if overall == 'ok' else 503

db.py

@@ -3,7 +3,7 @@ import json
 import logging
 import threading
 from contextlib import contextmanager
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from typing import Optional
 
 import pymysql
@@ -114,12 +114,12 @@ def upsert_event(
     target_detail: str,
     description: str,
 ) -> tuple:
-    """Insert or update a network event. Returns (id, is_new, consecutive_failures)."""
+    """Insert or update a network event. Returns (id, is_new, consecutive_failures, ticket_id)."""
     detail = target_detail or ''
     with get_conn() as conn:
         with conn.cursor() as cur:
             cur.execute(
-                """SELECT id, consecutive_failures FROM network_events
+                """SELECT id, consecutive_failures, ticket_id FROM network_events
                    WHERE event_type=%s AND target_name=%s AND target_detail=%s
                    AND resolved_at IS NULL LIMIT 1""",
                 (event_type, target_name, detail),
@@ -134,7 +134,7 @@ def upsert_event(
                        WHERE id=%s""",
                     (new_count, description, existing['id']),
                 )
-                return existing['id'], False, new_count
+                return existing['id'], False, new_count, existing.get('ticket_id')
             else:
                 cur.execute(
                     """INSERT INTO network_events
@@ -142,7 +142,7 @@ def upsert_event(
                        VALUES (%s, %s, %s, %s, %s, %s)""",
                     (event_type, severity, source_type, target_name, detail, description),
                 )
-                return cur.lastrowid, True, 1
+                return cur.lastrowid, True, 1, None
 
 
 def resolve_event(event_type: str, target_name: str, target_detail: str = '') -> None:
@@ -182,7 +182,7 @@ def get_active_events(limit: int = 200, offset: int = 0) -> list:
             for r in rows:
                 for k in ('first_seen', 'last_seen'):
                     if r.get(k) and hasattr(r[k], 'isoformat'):
-                        r[k] = r[k].isoformat()
+                        r[k] = r[k].isoformat() + 'Z'
             return rows
 
 
@@ -210,7 +210,7 @@ def get_recent_resolved(hours: int = 24, limit: int = 50) -> list:
             for r in rows:
                 for k in ('first_seen', 'last_seen', 'resolved_at'):
                     if r.get(k) and hasattr(r[k], 'isoformat'):
-                        r[k] = r[k].isoformat()
+                        r[k] = r[k].isoformat() + 'Z'
             return rows
 
 
@@ -252,7 +252,7 @@ def get_active_suppressions() -> list:
             for r in rows:
                 for k in ('created_at', 'expires_at'):
                     if r.get(k) and hasattr(r[k], 'isoformat'):
-                        r[k] = r[k].isoformat()
+                        r[k] = r[k].isoformat() + 'Z'
             return rows
 
 
@@ -267,7 +267,7 @@ def get_suppression_history(limit: int = 50) -> list:
             for r in rows:
                 for k in ('created_at', 'expires_at'):
                     if r.get(k) and hasattr(r[k], 'isoformat'):
-                        r[k] = r[k].isoformat()
+                        r[k] = r[k].isoformat() + 'Z'
             return rows
 
 
@@ -281,7 +281,7 @@ def create_suppression(
 ) -> int:
     expires_at = None
     if expires_minutes:
-        expires_at = datetime.utcnow() + timedelta(minutes=int(expires_minutes))
+        expires_at = datetime.now(timezone.utc) + timedelta(minutes=int(expires_minutes))
     with get_conn() as conn:
         with conn.cursor() as cur:
             cur.execute(
@@ -365,7 +365,7 @@ def is_suppressed(target_type: str, target_name: str, target_detail: str = '') -
                 """SELECT id FROM suppression_rules
                    WHERE active=TRUE AND (expires_at IS NULL OR expires_at > NOW())
                    AND target_type=%s AND target_name=%s
-                   AND (target_detail IS NULL OR target_detail='') LIMIT 1""",
+                   AND target_detail='' LIMIT 1""",
                 (target_type, target_name),
             )
             if cur.fetchone():

diagnose.py

@@ -68,17 +68,17 @@ class DiagnosticsRunner:
             f' echo "=== ip_route ===";'
             f' ip route show dev {q} 2>/dev/null;'
             f' echo "=== dmesg ===";'
-            f' dmesg 2>/dev/null | grep {q} | tail -50;'
+            f' dmesg 2>/dev/null | grep -F -- {q} | tail -50;'
             f' echo "=== lldpctl ===";'
             f' lldpctl 2>/dev/null || echo "lldpd not running";'
             f' echo "=== end ==="'
         )
 
         return (
-            f'ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 '
+            f'ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 '
             f'-o BatchMode=yes -o LogLevel=ERROR '
             f'-o ServerAliveInterval=10 -o ServerAliveCountMax=2 '
-            f'root@{ip_q} \'{remote_cmd}\''
+            f'root@{ip_q} {shlex.quote(remote_cmd)}'
         )
 
     # ------------------------------------------------------------------
@@ -221,8 +221,6 @@ class DiagnosticsRunner:
                 data['auto_neg'] = (val.lower() == 'on')
             elif key == 'Link detected':
                 data['link_detected'] = (val.lower() == 'yes')
-            elif 'Supported link modes' in key:
-                data.setdefault('supported_modes', []).append(val)
         return data
 
     @staticmethod

monitor.py

@@ -11,9 +11,8 @@ import json
 import logging
 import re
 import shlex
-import subprocess
 import time
-from datetime import datetime
+from datetime import datetime, timezone
 from typing import Dict, List, Optional
 
 import requests
@@ -21,7 +20,6 @@ from urllib3.exceptions import InsecureRequestWarning
 
 import db
 
-requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
 logging.basicConfig(
     level=logging.INFO,
@@ -91,7 +89,9 @@ class UnifiClient:
         self.base_url = cfg['controller']
         self.site_id = cfg.get('site_id', 'default')
         self.session = requests.Session()
-        self.session.verify = False
+        self.session.verify = cfg.get('verify_ssl', True)
+        if not self.session.verify:
+            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
         self.headers = {
             'X-API-KEY': cfg['api_key'],
             'Accept': 'application/json',
@@ -215,7 +215,10 @@ class TicketClient:
             resp.raise_for_status()
             data = resp.json()
             if data.get('success'):
-                tid = data['ticket_id']
+                tid = data.get('ticket_id')
+                if not tid:
+                    logger.warning(f'Ticket API success but no ticket_id in response: {data}')
+                    return None
                 logger.info(f'Created ticket #{tid}: {title}')
                 return tid
             if data.get('existing_ticket_id'):
@@ -263,7 +266,10 @@ class PulseClient:
                 timeout=10,
             )
             resp.raise_for_status()
-            execution_id = resp.json()['execution_id']
+            execution_id = resp.json().get('execution_id')
+            if not execution_id:
+                logger.error('Pulse submit response missing execution_id')
+                return None
             self.last_execution_id = execution_id
         except Exception as e:
             logger.error(f'Pulse command submit failed: {e}')
@@ -315,6 +321,14 @@ class PulseClient:
             return self.run_command(command, _retry=False)
         return None
 
+    def ping(self, ip: str, count: int = 3, timeout: int = 2) -> bool:
+        """Ping *ip* via the Pulse worker. Returns True if host responds."""
+        ip_q = shlex.quote(ip)
+        output = self.run_command(
+            f'ping -c {count} -W {timeout} {ip_q} >/dev/null 2>&1 && echo REACHABLE || echo UNREACHABLE'
+        )
+        return output is not None and output.strip() == 'REACHABLE'
+
 
 # --------------------------------------------------------------------------
 # Link stats collector (ethtool + Prometheus traffic metrics)
@@ -344,8 +358,8 @@ class LinkStatsCollector:
         if not ifaces or not self.pulse.url:
             return {}
 
-        # Validate interface names (kernel names only contain [a-zA-Z0-9_.-])
-        safe_ifaces = [i for i in ifaces if re.match(r'^[a-zA-Z0-9_.@-]+$', i)]
+        # Validate interface names (kernel names: [a-zA-Z0-9_.-], max 15 chars per IFNAMSIZ)
+        safe_ifaces = [i for i in ifaces if re.match(r'^[a-zA-Z0-9_.-]{1,15}$', i)]
         if not safe_ifaces:
             return {}
 
@@ -363,10 +377,10 @@ class LinkStatsCollector:
         shell_cmd = ' '.join(parts)
 
         ssh_cmd = (
-            f'ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 '
+            f'ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 '
             f'-o BatchMode=yes -o LogLevel=ERROR '
             f'-o ServerAliveInterval=10 -o ServerAliveCountMax=2 '
-            f'root@{ip} "{shell_cmd}"'
+            f'root@{ip} {shlex.quote(shell_cmd)}'
         )
         output = self.pulse.run_command(ssh_cmd)
         if output is None:
@@ -604,7 +618,7 @@ class LinkStatsCollector:
         return {
             'hosts':          result_hosts,
             'unifi_switches': unifi_switches,
-            'updated':        datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC'),
+            'updated':        datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC'),
         }
 
     def _compute_unifi_rates(self, raw: Dict[str, dict], now: float) -> Dict[str, dict]:
@@ -638,21 +652,8 @@ class LinkStatsCollector:
 # --------------------------------------------------------------------------
 # Helpers
 # --------------------------------------------------------------------------
-def ping(ip: str, count: int = 3, timeout: int = 2) -> bool:
-    try:
-        r = subprocess.run(
-            ['ping', '-c', str(count), '-W', str(timeout), ip],
-            stdout=subprocess.DEVNULL,
-            stderr=subprocess.DEVNULL,
-            timeout=30,
-        )
-        return r.returncode == 0
-    except Exception:
-        return False
-
-
 def _now_utc() -> str:
-    return datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')
+    return datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')
 
 
 # --------------------------------------------------------------------------
@@ -671,6 +672,7 @@ class NetworkMonitor:
         self.unifi = UnifiClient(self.cfg['unifi'])
         self.tickets = TicketClient(self.cfg.get('ticket_api', {}))
         self.link_stats = LinkStatsCollector(self.cfg, self.prom, self.unifi)
+        self.pulse = self.link_stats.pulse  # convenience alias
 
         mon = self.cfg.get('monitor', {})
         self.poll_interval = mon.get('poll_interval', 120)
@@ -726,13 +728,13 @@ class NetworkMonitor:
                             db.check_suppressed(suppressions, 'interface', host, iface) or
                             db.check_suppressed(suppressions, 'host', host)
                         )
-                        event_id, is_new, consec = db.upsert_event(
+                        event_id, is_new, consec, ticket_id = db.upsert_event(
                             'interface_down', 'critical', 'prometheus',
                             host, iface,
                             f'Interface {iface} on {host} went link-down ({_now_utc()})',
                         )
-                        if not sup and consec >= self.fail_thresh:
-                            self._ticket_interface(event_id, is_new, host, iface, consec)
+                        if not sup and consec >= self.fail_thresh and not ticket_id:
+                            self._ticket_interface(event_id, host, iface, consec)
 
             if host_has_regression:
                 hosts_with_regression.append(host)
@@ -742,13 +744,13 @@ class NetworkMonitor:
         # Cluster-wide check – only genuine regressions count
         if len(hosts_with_regression) >= self.cluster_thresh:
             sup = db.check_suppressed(suppressions, 'all', '')
-            event_id, is_new, consec = db.upsert_event(
+            event_id, is_new, consec, ticket_id = db.upsert_event(
                 'cluster_network_issue', 'critical', 'prometheus',
                 self.cluster_name, '',
                 f'{len(hosts_with_regression)} hosts reporting simultaneous interface failures: '
                 f'{", ".join(hosts_with_regression)}',
             )
-            if not sup and is_new:
+            if not sup and (is_new or not ticket_id):
                 title = (
                     f'[{self.cluster_name}][auto][production][issue][network][cluster-wide] '
                     f'Multiple hosts reporting interface failures'
@@ -769,7 +771,7 @@ class NetworkMonitor:
             db.resolve_event('cluster_network_issue', self.cluster_name, '')
 
     def _ticket_interface(
-        self, event_id: int, is_new: bool, host: str, iface: str, consec: int
+        self, event_id: int, host: str, iface: str, consec: int
     ) -> None:
         title = (
             f'[{host}][auto][production][issue][network][single-node] '
@@ -787,7 +789,7 @@ class NetworkMonitor:
             f'Please inspect the cable/SFP/switch port for {host}/{iface}.'
         )
         tid = self.tickets.create(title, desc, priority='2')
-        if tid and is_new:
+        if tid:
             db.set_ticket_id(event_id, tid)
 
     # ------------------------------------------------------------------
@@ -802,17 +804,17 @@ class NetworkMonitor:
             name = d['name']
             if not d['connected']:
                 sup = db.check_suppressed(suppressions, 'unifi_device', name)
-                event_id, is_new, consec = db.upsert_event(
+                event_id, is_new, consec, ticket_id = db.upsert_event(
                     'unifi_device_offline', 'critical', 'unifi',
                     name, d.get('type', ''),
                     f'UniFi {name} ({d.get("ip","")}) offline ({_now_utc()})',
                 )
-                if not sup and consec >= self.fail_thresh:
-                    self._ticket_unifi(event_id, is_new, d)
+                if not sup and consec >= self.fail_thresh and not ticket_id:
+                    self._ticket_unifi(event_id, d)
             else:
                 db.resolve_event('unifi_device_offline', name, d.get('type', ''))
 
-    def _ticket_unifi(self, event_id: int, is_new: bool, device: dict) -> None:
+    def _ticket_unifi(self, event_id: int, device: dict) -> None:
         name = device['name']
         title = (
             f'[{name}][auto][production][issue][network][single-node] '
@@ -829,31 +831,31 @@ class NetworkMonitor:
             f'Please check power and cable connectivity.'
         )
         tid = self.tickets.create(title, desc, priority='2')
-        if tid and is_new:
+        if tid:
             db.set_ticket_id(event_id, tid)
 
     # ------------------------------------------------------------------
     # Ping-only hosts (no node_exporter)
     # ------------------------------------------------------------------
-    def _process_ping_hosts(self, suppressions: list) -> None:
+    def _process_ping_hosts(self, suppressions: list, ping_states: Dict[str, bool]) -> None:
         for h in self.cfg.get('monitor', {}).get('ping_hosts', []):
             name, ip = h['name'], h['ip']
-            reachable = ping(ip)
+            reachable = ping_states.get(name, False)
 
             if not reachable:
                 sup = db.check_suppressed(suppressions, 'host', name)
-                event_id, is_new, consec = db.upsert_event(
+                event_id, is_new, consec, ticket_id = db.upsert_event(
                     'host_unreachable', 'critical', 'ping',
                     name, ip,
                     f'Host {name} ({ip}) unreachable via ping ({_now_utc()})',
                 )
-                if not sup and consec >= self.fail_thresh:
-                    self._ticket_unreachable(event_id, is_new, name, ip, consec)
+                if not sup and consec >= self.fail_thresh and not ticket_id:
+                    self._ticket_unreachable(event_id, name, ip, consec)
             else:
                 db.resolve_event('host_unreachable', name, ip)
 
     def _ticket_unreachable(
-        self, event_id: int, is_new: bool, name: str, ip: str, consec: int
+        self, event_id: int, name: str, ip: str, consec: int
     ) -> None:
         title = (
             f'[{name}][auto][production][issue][network][single-node] '
@@ -871,7 +873,7 @@ class NetworkMonitor:
             f'Please check the host power, management interface, and network connectivity.'
         )
         tid = self.tickets.create(title, desc, priority='2')
-        if tid and is_new:
+        if tid:
             db.set_ticket_id(event_id, tid)
 
     # ------------------------------------------------------------------
@@ -880,6 +882,7 @@ class NetworkMonitor:
     def _collect_snapshot(
         self, iface_states: Dict[str, Dict[str, bool]],
         unifi_devices: Optional[List[dict]] = None,
+        ping_states: Optional[Dict[str, bool]] = None,
     ) -> dict:
         # Accept pre-fetched devices; fall back to empty list if unavailable
         display_unifi = unifi_devices if unifi_devices is not None else []
@@ -908,7 +911,7 @@ class NetworkMonitor:
 
         for h in self.cfg.get('monitor', {}).get('ping_hosts', []):
             name, ip = h['name'], h['ip']
-            reachable = ping(ip, count=1, timeout=2)
+            reachable = (ping_states or {}).get(name, False)
             hosts[name] = {
                 'ip': ip,
                 'interfaces': {},
@@ -919,7 +922,7 @@ class NetworkMonitor:
         return {
             'hosts': hosts,
             'unifi': display_unifi,
-            'updated': datetime.utcnow().isoformat(),
+            'updated': datetime.now(timezone.utc).isoformat().replace('+00:00', 'Z'),
         }
 
     # ------------------------------------------------------------------
@@ -940,8 +943,14 @@ class NetworkMonitor:
                 # 2. Fetch UniFi devices once — used by both snapshot and alert processing
                 unifi_devices = self.unifi.get_devices()
 
-                # 3. Collect and store snapshot for dashboard
-                snapshot = self._collect_snapshot(iface_states, unifi_devices)
+                # 3a. Ping-only hosts once — shared by snapshot and alert processing
+                ping_states: Dict[str, bool] = {
+                    h['name']: self.pulse.ping(h['ip'])
+                    for h in self.cfg.get('monitor', {}).get('ping_hosts', [])
+                }
+
+                # 3b. Collect and store snapshot for dashboard
+                snapshot = self._collect_snapshot(iface_states, unifi_devices, ping_states)
                 db.set_state('network_snapshot', snapshot)
                 db.set_state('last_check', _now_utc())
 
@@ -957,7 +966,7 @@ class NetworkMonitor:
                 self._process_interfaces(iface_states, suppressions)
                 self._process_unifi(unifi_devices, suppressions)
 
-                self._process_ping_hosts(suppressions)
+                self._process_ping_hosts(suppressions, ping_states)
 
                 # Housekeeping: deactivate expired suppressions and purge old resolved events
                 db.cleanup_expired_suppressions()
@@ -967,6 +976,8 @@ class NetworkMonitor:
 
             except Exception as e:
                 logger.error(f'Monitor loop error: {e}', exc_info=True)
+                time.sleep(30)
+                continue
 
             time.sleep(self.poll_interval)
 

static/app.js

@@ -220,7 +220,7 @@ function updateEventsTable(events, totalActive) {
       ? GANDALF_CONFIG.ticket_web_url : 'http://t.lotusguild.org/ticket/';
     const ticket = e.ticket_id
       ? `<a href="${lt.escHtml(ticketBase)}${lt.escHtml(String(e.ticket_id))}" target="_blank"
-            class="ticket-link">#${e.ticket_id}</a>`
+            class="ticket-link">#${lt.escHtml(String(e.ticket_id))}</a>`
       : '–';
     const supBadge = e.is_suppressed
       ? `<span class="lt-badge badge-suppressed" title="Alert suppressed">🔕 sup</span>`
@@ -276,9 +276,12 @@ function openSuppressModal(type, name, detail) {
   updateSuppressForm();
   lt.modal.open('suppress-modal');
 
-  document.querySelectorAll('#suppress-modal .pill').forEach(p => p.classList.remove('active'));
+  document.querySelectorAll('#suppress-modal .pill').forEach(p => {
+    p.classList.remove('active');
+    p.setAttribute('aria-pressed', 'false');
+  });
   const manualPill = document.querySelector('#suppress-modal .pill-manual');
-  if (manualPill) manualPill.classList.add('active');
+  if (manualPill) { manualPill.classList.add('active'); manualPill.setAttribute('aria-pressed', 'true'); }
   const hint = document.getElementById('duration-hint');
   if (hint) hint.textContent = 'Suppression will persist until manually removed.';
 }
@@ -291,15 +294,33 @@ function updateSuppressForm() {
   const type      = document.getElementById('sup-type').value;
   const nameGrp   = document.getElementById('sup-name-group');
   const detailGrp = document.getElementById('sup-detail-group');
+  const nameInput   = document.getElementById('sup-name');
+  const detailInput = document.getElementById('sup-detail');
   if (nameGrp)   nameGrp.style.display   = (type === 'all') ? 'none' : '';
   if (detailGrp) detailGrp.style.display = (type === 'interface') ? '' : 'none';
+  if (nameInput) {
+    const req = (type !== 'all');
+    nameInput.required = req;
+    nameInput.setAttribute('aria-required', String(req));
+  }
+  if (detailInput) {
+    const req = (type === 'interface');
+    detailInput.required = req;
+    detailInput.setAttribute('aria-required', String(req));
+  }
 }
 
-function setDuration(mins, el) {
-  document.getElementById('sup-expires').value = mins || '';
-  document.querySelectorAll('#suppress-modal .pill').forEach(p => p.classList.remove('active'));
-  if (el) el.classList.add('active');
-  const hint = document.getElementById('duration-hint');
+function setDuration(mins, el, opts) {
+  const o         = opts || {};
+  const expiresEl = document.getElementById(o.expiresId || 'sup-expires');
+  const pillSel   = o.pillSel || '#suppress-modal .pill';
+  const hint      = document.getElementById(o.hintId || 'duration-hint');
+  if (expiresEl) expiresEl.value = mins || '';
+  document.querySelectorAll(pillSel).forEach(p => {
+    p.classList.remove('active');
+    p.setAttribute('aria-pressed', 'false');
+  });
+  if (el) { el.classList.add('active'); el.setAttribute('aria-pressed', 'true'); }
   if (hint) {
     if (mins) {
       const h = Math.floor(mins / 60), m = mins % 60;

static/style.css

@@ -121,8 +121,35 @@
 /* ── Form group modifiers ────────────────────────────────────────── */
 .lt-form-group--last { margin-bottom: 0; }
 
-/* ── Divider compact variant ─────────────────────────────────────── */
+/* ── Search input size variant ───────────────────────────────────── */
+.lt-search-input--sm { width: 180px; }
+
+/* ── Notification panel helpers ──────────────────────────────────── */
+.lt-notif-empty {
+  padding: 1rem;
+  font-size: 0.75rem;
+  color: var(--text-muted);
+  text-align: center;
+}
+.lt-notif-view-all {
+  width: 100%;
+  text-align: center;
+  display: block;
+  font-size: 0.72rem;
+}
+.lt-notif-dot {
+  border-radius: 50%;
+  margin-top: 4px;
+  flex-shrink: 0;
+}
+
+/* ── Divider variants ────────────────────────────────────────────── */
 .lt-divider--compact { margin: 1rem 0 0.75rem; }
+.lt-divider--unifi   { margin: 20px 0 12px; }
+.lt-divider-label--unifi { color: var(--cyan); letter-spacing: .1em; }
+
+/* ── Stats grid spacing variant ──────────────────────────────────── */
+.lt-stats-grid--mb { margin-bottom: 16px; }
 
 /* ── Topology section collapse toggle ────────────────────────────── */
 .topo-collapse-btn {
@@ -187,10 +214,10 @@
   padding: 1px 7px;
 }
 .g-section-actions  { margin-left: auto; }
-.events-filter-bar  { display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }
-.events-filter-bar .lt-input-sm { width: 220px; }
 .sev-pills          { display: flex; gap: 4px; }
 .g-page-sub { font-size: .78em; color: var(--text-muted); margin-top: 4px; }
+.g-page-sub-aside { font-size: .78em; color: var(--text-muted); margin-left: 8px; }
+.g-stale-warn { color: var(--orange); font-weight: 600; }
 
 /* ── Badge severity color variants (used with lt-badge) ───────────── */
 .badge-critical { color: var(--red);    border-color: var(--red);    text-shadow: var(--glow-red); }

templates/base.html

@@ -133,10 +133,10 @@
             <button type="button" class="lt-notif-panel-clear" id="lt-notif-clear-btn">Mark all read</button>
           </div>
           <div class="lt-notif-panel-list" id="lt-notif-list">
-            <div style="padding:0.75rem;font-size:0.75rem;color:var(--text-muted);text-align:center">Loading&hellip;</div>
+            <div class="lt-notif-empty">Loading&hellip;</div>
           </div>
           <div class="lt-notif-panel-footer">
-            <a href="{{ url_for('index') }}" class="lt-btn lt-btn-ghost lt-btn-sm" style="width:100%;text-align:center;display:block;font-size:0.72rem">View dashboard</a>
+            <a href="{{ url_for('index') }}" class="lt-btn lt-btn-ghost lt-btn-sm lt-notif-view-all">View dashboard</a>
           </div>
         </div>
       </div>
@@ -144,9 +144,9 @@
       <!-- ⌘K affordance -->
       <button type="button"
               class="lt-btn lt-btn-ghost lt-btn-sm lt-cmd-hint-btn"
+              data-action="open-cmdpalette"
               title="Command palette (Ctrl+K)"
-              aria-label="Open command palette"
-              onclick="if(window.lt&&lt.cmdPalette)lt.cmdPalette.open()">&#x2315;&nbsp;K</button>
+              aria-label="Open command palette">&#x2315;&nbsp;K</button>
 
       <button type="button" class="lt-theme-btn" id="lt-theme-btn"
               aria-label="Toggle theme" title="Toggle light/dark mode">&#x2600;</button>
@@ -227,16 +227,16 @@
           <div class="lt-form-group">
             <label class="lt-label" for="sup-reason">Reason <span class="required">*</span></label>
             <input type="text" class="lt-input" id="sup-reason" name="reason"
-                   placeholder="e.g. Planned switch reboot" required>
+                   placeholder="e.g. Planned switch reboot" required aria-required="true">
           </div>
           <div class="lt-form-group lt-form-group--last">
             <label class="lt-label">Duration</label>
-            <div class="duration-pills">
-              <button type="button" class="pill" data-duration="30">30 min</button>
-              <button type="button" class="pill" data-duration="60">1 hr</button>
-              <button type="button" class="pill" data-duration="240">4 hr</button>
-              <button type="button" class="pill" data-duration="480">8 hr</button>
-              <button type="button" class="pill pill-manual active" data-duration="">Manual &#x221E;</button>
+            <div class="duration-pills" role="group" aria-label="Select suppression duration">
+              <button type="button" class="pill" data-duration="30" aria-pressed="false" aria-label="30 minutes">30 min</button>
+              <button type="button" class="pill" data-duration="60" aria-pressed="false" aria-label="1 hour">1 hr</button>
+              <button type="button" class="pill" data-duration="240" aria-pressed="false" aria-label="4 hours">4 hr</button>
+              <button type="button" class="pill" data-duration="480" aria-pressed="false" aria-label="8 hours">8 hr</button>
+              <button type="button" class="pill pill-manual active" data-duration="" aria-pressed="true" aria-label="Manual, no expiry">Manual &#x221E;</button>
             </div>
             <input type="hidden" id="sup-expires" name="expires_minutes" value="">
             <div class="lt-field-hint" id="duration-hint">Persists until manually removed.</div>
@@ -286,12 +286,12 @@
       <div class="lt-modal-body">
         <div class="lt-form-group">
           <label class="lt-label">Auto-refresh interval</label>
-          <div class="duration-pills" id="settings-refresh-pills">
-            <button type="button" class="pill" data-refresh-interval="15">15 s</button>
-            <button type="button" class="pill" data-refresh-interval="30">30 s</button>
-            <button type="button" class="pill" data-refresh-interval="60">1 min</button>
-            <button type="button" class="pill" data-refresh-interval="300">5 min</button>
-            <button type="button" class="pill" data-refresh-interval="0">Off</button>
+          <div class="duration-pills" id="settings-refresh-pills" role="group" aria-label="Select auto-refresh interval">
+            <button type="button" class="pill" data-refresh-interval="15" aria-pressed="false">15 s</button>
+            <button type="button" class="pill" data-refresh-interval="30" aria-pressed="false">30 s</button>
+            <button type="button" class="pill" data-refresh-interval="60" aria-pressed="false">1 min</button>
+            <button type="button" class="pill" data-refresh-interval="300" aria-pressed="false">5 min</button>
+            <button type="button" class="pill" data-refresh-interval="0" aria-pressed="false">Off</button>
           </div>
           <div class="lt-field-hint" id="settings-refresh-hint"></div>
         </div>
@@ -313,7 +313,7 @@
 
   <script>
     const GANDALF_CONFIG = {
-      ticket_web_url: "{{ config.get('ticket_api', {}).get('web_url', 'http://t.lotusguild.org/ticket/') }}"
+      ticket_web_url: {{ config.get('ticket_api', {}).get('web_url', 'http://t.lotusguild.org/ticket/') | tojson }}
     };
   </script>
   <script src="{{ url_for('static', filename='app.js') }}"></script>
@@ -324,7 +324,7 @@
       lt.init({ bootName: 'GANDALF' });
 
       // Theme toggle
-      var themeBtn = document.getElementById('lt-theme-btn');
+      const themeBtn = document.getElementById('lt-theme-btn');
       if (themeBtn) themeBtn.addEventListener('click', function() { lt.theme.toggle(); });
 
       // Command palette
@@ -343,11 +343,12 @@
 
     // ── Global footer + key actions ───────────────────────────────────────
     document.addEventListener('click', function(e) {
-      var btn = e.target.closest('[data-action]');
+      const btn = e.target.closest('[data-action]');
       if (!btn) return;
-      var action = btn.getAttribute('data-action');
-      if (action === 'show-keyboard-help' && window.lt)  lt.modal.open('lt-keys-help');
-      if (action === 'open-settings' && window.lt)       lt.modal.open('lt-settings-modal');
+      const action = btn.getAttribute('data-action');
+      if (action === 'open-cmdpalette' && window.lt && lt.cmdPalette) lt.cmdPalette.open();
+      if (action === 'show-keyboard-help' && window.lt)               lt.modal.open('lt-keys-help');
+      if (action === 'open-settings' && window.lt)                    lt.modal.open('lt-settings-modal');
     });
 
     lt.keys.on('r', function() { lt.autoRefresh.now(); });
@@ -366,8 +367,8 @@
 
     // ── Settings modal ────────────────────────────────────────────────────
     (function() {
-      var LS_KEY = 'gandalf_settings';
-      var DEFAULT = { refreshInterval: 30 };
+      const LS_KEY = 'gandalf_settings';
+      const DEFAULT = { refreshInterval: 30 };
 
       function loadSettings() {
         try { return Object.assign({}, DEFAULT, JSON.parse(localStorage.getItem(LS_KEY) || '{}')); }
@@ -381,9 +382,11 @@
 
       function applyRefreshPillUI(interval) {
         document.querySelectorAll('#settings-refresh-pills .pill').forEach(function(p) {
-          p.classList.toggle('active', parseInt(p.dataset.refreshInterval) === interval);
+          const isActive = parseInt(p.dataset.refreshInterval) === interval;
+          p.classList.toggle('active', isActive);
+          p.setAttribute('aria-pressed', isActive ? 'true' : 'false');
         });
-        var hint = document.getElementById('settings-refresh-hint');
+        const hint = document.getElementById('settings-refresh-hint');
         if (hint) {
           if (interval === 0)        hint.textContent = 'Auto-refresh disabled.';
           else if (interval < 60)    hint.textContent = 'Refreshes every ' + interval + ' seconds.';
@@ -392,16 +395,16 @@
       }
 
       // Init pill UI from saved settings
-      var _settings = loadSettings();
+      const _settings = loadSettings();
       applyRefreshPillUI(_settings.refreshInterval);
 
       // Expose for pages that need to read it (e.g. index.html for autoRefresh)
       window.gandalfSettings = _settings;
 
       document.addEventListener('click', function(e) {
-        var pill = e.target.closest('#settings-refresh-pills .pill[data-refresh-interval]');
+        const pill = e.target.closest('#settings-refresh-pills .pill[data-refresh-interval]');
         if (!pill) return;
-        var interval = parseInt(pill.dataset.refreshInterval);
+        const interval = parseInt(pill.dataset.refreshInterval);
         _settings.refreshInterval = interval;
         saveSettings(_settings);
         applyRefreshPillUI(interval);
@@ -410,16 +413,16 @@
 
     // ── Notification Bell — shows active monitoring alerts ────────────────
     (function() {
-      var bell     = document.getElementById('lt-notif-bell');
-      var panel    = document.getElementById('lt-notif-panel');
-      var list     = document.getElementById('lt-notif-list');
-      var clearBtn = document.getElementById('lt-notif-clear-btn');
-      var wrapEl   = document.getElementById('lt-notif-wrap');
+      const bell     = document.getElementById('lt-notif-bell');
+      const panel    = document.getElementById('lt-notif-panel');
+      const list     = document.getElementById('lt-notif-list');
+      const clearBtn = document.getElementById('lt-notif-clear-btn');
+      const wrapEl   = document.getElementById('lt-notif-wrap');
       if (!bell || !panel) return;
 
-      var _open      = false;
-      var _lastEvents = [];
-      var LS_READ_KEY = 'gandalf_notif_read_before';
+      let _open       = false;
+      let _lastEvents = [];
+      const LS_READ_KEY = 'gandalf_notif_read_before';
 
       function getReadBefore() {
         try { return parseInt(localStorage.getItem(LS_READ_KEY) || '0'); } catch(_) { return 0; }
@@ -438,31 +441,31 @@
       }
 
       function fmtAgo(dateStr) {
-        var diff = Math.floor((Date.now() - toMs(dateStr)) / 1000);
+        const diff = Math.floor((Date.now() - toMs(dateStr)) / 1000);
         if (diff < 60)    return diff + 's ago';
         if (diff < 3600)  return Math.floor(diff/60) + 'm ago';
         if (diff < 86400) return Math.floor(diff/3600) + 'h ago';
         return Math.floor(diff/86400) + 'd ago';
       }
 
-      var SEV_DOT = { critical: 'var(--red)', warning: 'var(--amber)' };
+      const SEV_DOT = { critical: 'var(--red)', warning: 'var(--amber)' };
 
       function renderAlerts(events) {
         _lastEvents = events || [];
-        var readBefore = getReadBefore();
-        var active = _lastEvents.filter(function(e) { return e.severity !== 'info'; });
-        var unreadCount = active.filter(function(e) { return toMs(e.last_seen) > readBefore; }).length;
+        const readBefore = getReadBefore();
+        const active = _lastEvents.filter(function(e) { return e.severity !== 'info'; });
+        const unreadCount = active.filter(function(e) { return toMs(e.last_seen) > readBefore; }).length;
         lt.notif.set(bell, unreadCount);
 
         if (!active.length) {
-          list.innerHTML = '<div style="padding:1rem;font-size:0.75rem;color:var(--text-muted);text-align:center">&#x2714; No active alerts</div>';
+          list.innerHTML = '<div class="lt-notif-empty">&#x2714; No active alerts</div>';
           return;
         }
         list.innerHTML = active.slice(0, 25).map(function(e) {
-          var isUnread = toMs(e.last_seen) > readBefore;
-          var dotColor = SEV_DOT[e.severity] || 'var(--text-muted)';
+          const isUnread = toMs(e.last_seen) > readBefore;
+          const dotColor = SEV_DOT[e.severity] || 'var(--text-muted)';
           return '<div class="lt-notif-item' + (isUnread ? ' lt-notif-item--unread' : '') + '">' +
-            '<div class="lt-notif-dot' + (isUnread ? '' : ' lt-notif-dot--read') + '" style="background:' + dotColor + ';border-radius:50%;margin-top:4px"></div>' +
+            '<div class="lt-notif-dot' + (isUnread ? '' : ' lt-notif-dot--read') + '" style="background:' + dotColor + '"></div>' +
             '<div class="lt-notif-item-body">' +
               '<div class="lt-notif-item-title">' + esc(e.target_name) + (e.target_detail ? ' &middot; ' + esc(e.target_detail) : '') + '</div>' +
               '<div class="lt-notif-item-time">' + esc(e.event_type.replace(/_/g,' ')) + ' &middot; ' + fmtAgo(e.last_seen) + '</div>' +
@@ -474,19 +477,19 @@
         fetch('/api/status', { credentials: 'same-origin' })
           .then(function(r) { return r.json(); })
           .then(function(data) {
-            var events = data.events || [];
+            const events = data.events || [];
             if (andRender) {
               renderAlerts(events);
             } else {
               _lastEvents = events;
-              var readBefore = getReadBefore();
-              var active = events.filter(function(e) { return e.severity !== 'info'; });
-              var unread = active.filter(function(e) { return toMs(e.last_seen) > readBefore; }).length;
+              const readBefore = getReadBefore();
+              const active = events.filter(function(e) { return e.severity !== 'info'; });
+              const unread = active.filter(function(e) { return toMs(e.last_seen) > readBefore; }).length;
               lt.notif.set(bell, unread);
             }
           })
           .catch(function() {
-            if (andRender) list.innerHTML = '<div style="padding:0.75rem;font-size:0.75rem;color:var(--text-muted);text-align:center">Could not load</div>';
+            if (andRender) list.innerHTML = '<div class="lt-notif-empty">Could not load</div>';
           });
       }
 

templates/index.html

@@ -5,7 +5,7 @@
 
 <!-- ── Status bar ──────────────────────────────────────────────────── -->
 <div class="status-bar">
-  <div class="status-chips">
+  <div class="status-chips" id="status-chips" aria-live="polite" aria-atomic="true">
     {% if not daemon_ok %}
     <span class="chip chip-critical">⚠ MONITOR OFFLINE</span>
     {% endif %}
@@ -30,33 +30,35 @@
 <div class="lt-stats-grid">
   <div class="lt-stat-card{% if summary.critical %} lt-stat-card--alert{% endif %}"
        id="stat-critical" role="button" tabindex="0"
-       data-stat-filter="critical" aria-label="{{ summary.critical or 0 }} critical alerts">
-    <span class="lt-stat-icon" aria-hidden="true" style="color:var(--red);text-shadow:var(--glow-red)">●</span>
+       data-stat-filter="critical" aria-label="{{ summary.critical or 0 }} critical alerts"
+       aria-controls="events-table-wrap">
+    <span class="lt-stat-icon lt-text-red" aria-hidden="true">●</span>
     <div class="lt-stat-info">
-      <span class="lt-stat-value" id="stat-critical-val" style="color:var(--red)">{{ summary.critical or 0 }}</span>
+      <span class="lt-stat-value lt-text-red" id="stat-critical-val">{{ summary.critical or 0 }}</span>
       <span class="lt-stat-label">Critical</span>
     </div>
   </div>
   <div class="lt-stat-card"
        id="stat-warning" role="button" tabindex="0"
-       data-stat-filter="warning" aria-label="{{ summary.warning or 0 }} warning alerts">
-    <span class="lt-stat-icon" aria-hidden="true" style="color:var(--amber)">●</span>
+       data-stat-filter="warning" aria-label="{{ summary.warning or 0 }} warning alerts"
+       aria-controls="events-table-wrap">
+    <span class="lt-stat-icon lt-text-amber" aria-hidden="true">●</span>
     <div class="lt-stat-info">
-      <span class="lt-stat-value" id="stat-warning-val" style="color:var(--amber)">{{ summary.warning or 0 }}</span>
+      <span class="lt-stat-value lt-text-amber" id="stat-warning-val">{{ summary.warning or 0 }}</span>
       <span class="lt-stat-label">Warning</span>
     </div>
   </div>
   <div class="lt-stat-card" id="stat-hosts" aria-label="Monitored hosts">
-    <span class="lt-stat-icon" aria-hidden="true" style="color:var(--cyan)">⬡</span>
+    <span class="lt-stat-icon lt-text-cyan" aria-hidden="true">⬡</span>
     <div class="lt-stat-info">
-      <span class="lt-stat-value" id="stat-hosts-val" style="color:var(--cyan)">{{ snapshot.hosts | length }}</span>
+      <span class="lt-stat-value lt-text-cyan" id="stat-hosts-val">{{ snapshot.hosts | length }}</span>
       <span class="lt-stat-label">Hosts</span>
     </div>
   </div>
   <div class="lt-stat-card" id="stat-resolved" aria-label="{{ recent_resolved | length }} alerts resolved in last 24 hours">
-    <span class="lt-stat-icon" aria-hidden="true" style="color:var(--green);text-shadow:var(--glow)">✔</span>
+    <span class="lt-stat-icon lt-text-green" aria-hidden="true">✔</span>
     <div class="lt-stat-info">
-      <span class="lt-stat-value" id="stat-resolved-val" style="color:var(--green)">{{ recent_resolved | length }}</span>
+      <span class="lt-stat-value lt-text-green" id="stat-resolved-val">{{ recent_resolved | length }}</span>
       <span class="lt-stat-label">Resolved 24h</span>
     </div>
   </div>
@@ -73,12 +75,13 @@
     <div class="lt-toolbar-left">
       <div class="lt-search">
         <input type="search" class="lt-input lt-search-input" id="events-search"
-               placeholder="Filter by target, type, description…" autocomplete="off">
+               placeholder="Filter by target, type, description…" autocomplete="off"
+               aria-label="Filter active alerts">
       </div>
-      <div class="sev-pills">
-        <button type="button" class="pill active" data-sev="">All</button>
-        <button type="button" class="pill" data-sev="critical">Critical</button>
-        <button type="button" class="pill" data-sev="warning">Warning</button>
+      <div class="sev-pills" role="group" aria-label="Filter by severity">
+        <button type="button" class="pill active" data-sev="" aria-pressed="true">All</button>
+        <button type="button" class="pill" data-sev="critical" aria-pressed="false">Critical</button>
+        <button type="button" class="pill" data-sev="warning" aria-pressed="false">Warning</button>
       </div>
     </div>
   </div>
@@ -89,7 +92,7 @@
     <div id="events-table-wrap">
     {% if events %}
     {% if total_active is defined and total_active > events|length %}
-    <div class="pagination-notice">Showing {{ events|length }} of {{ total_active }} active alerts &mdash; <a href="/api/events?limit=1000">view all via API</a></div>
+    <div class="pagination-notice">Showing {{ events|length }} of {{ total_active }} active alerts — use the search box to filter, or <a href="/api/events?limit=1000" target="_blank" rel="noopener">export all as JSON</a></div>
     {% endif %}
     <div class="lt-table-wrap">
       <table class="lt-table" id="events-table">
@@ -315,12 +318,13 @@
   <div class="lt-toolbar" id="host-toolbar">
     <div class="lt-toolbar-left">
       <div class="lt-search">
-        <input type="search" class="lt-input lt-search-input" id="host-search"
-               placeholder="Filter hosts…" autocomplete="off" style="width:180px">
+        <input type="search" class="lt-input lt-search-input lt-search-input--sm" id="host-search"
+               placeholder="Filter hosts…" autocomplete="off" aria-label="Filter hosts">
       </div>
     </div>
   </div>
   <div class="host-grid" id="host-grid">
+    {%- set has_global_sup = suppressions | selectattr('target_type', 'equalto', 'all') | list | length > 0 -%}
     {% for name, host in snapshot.hosts.items() %}
     {% set suppressed = suppressions | selectattr('target_name', 'equalto', name) | list %}
     <div class="host-card host-card-{{ host.status }}" data-host="{{ name }}">
@@ -328,7 +332,7 @@
         <div class="host-name-row">
           <span class="host-status-dot dot-{{ host.status }}"></span>
           <span class="host-name">{{ name }}</span>
-          {% if suppressed %}
+          {% if suppressed or has_global_sup %}
           <span class="badge-suppressed" title="Suppressed">🔕</span>
           {% endif %}
         </div>
@@ -357,7 +361,7 @@
                 data-sup-type="host"
                 data-sup-name="{{ name }}"
                 data-sup-detail=""
-                title="Suppress alerts for this host">
+                aria-label="Suppress alerts for {{ name }}">
           🔕 Suppress
         </button>
         <a href="{{ url_for('links_page') }}#{{ name }}"
@@ -416,7 +420,8 @@
               <button class="lt-btn lt-btn-ghost lt-btn-sm btn-suppress"
                       data-sup-type="unifi_device"
                       data-sup-name="{{ d.name }}"
-                      data-sup-detail="">
+                      data-sup-detail=""
+                      aria-label="Suppress alerts for {{ d.name }}">
                 🔕 Suppress
               </button>
               {% endif %}
@@ -464,7 +469,7 @@
 {% block scripts %}
 <script>
   // Start auto-refresh using saved settings interval (default 30 s)
-  var _savedInterval = (window.gandalfSettings && window.gandalfSettings.refreshInterval) || 30;
+  const _savedInterval = window.gandalfSettings?.refreshInterval ?? 30;
   if (_savedInterval > 0) lt.autoRefresh.start(refreshAll, _savedInterval * 1000);
 
   // When settings change, restart auto-refresh with new interval
@@ -475,19 +480,20 @@
 
   // ── Topology collapse toggle ───────────────────────────────────
   (function() {
-    var LS_KEY = 'gandalf_topo_collapsed';
-    var btn    = document.getElementById('topo-toggle-btn');
-    var wrap   = document.getElementById('topo-collapsible-wrap');
+    const LS_KEY = 'gandalf_topo_collapsed';
+    const btn    = document.getElementById('topo-toggle-btn');
+    const wrap   = document.getElementById('topo-collapsible-wrap');
     if (!btn || !wrap) return;
 
     function setCollapsed(v) {
       wrap.classList.toggle('is-collapsed', v);
+      wrap.setAttribute('aria-hidden', v ? 'true' : 'false');
       btn.setAttribute('aria-expanded', v ? 'false' : 'true');
       btn.textContent = v ? '▾ Expand' : '▴ Collapse';
       try { localStorage.setItem(LS_KEY, v ? '1' : '0'); } catch(_) {}
     }
 
-    var saved = false;
+    let saved = false;
     try { saved = localStorage.getItem(LS_KEY) === '1'; } catch(_) {}
     setCollapsed(saved);
 
@@ -540,8 +546,12 @@
   document.querySelector('.sev-pills')?.addEventListener('click', e => {
     const pill = e.target.closest('.pill[data-sev]');
     if (!pill) return;
-    document.querySelectorAll('.sev-pills .pill').forEach(p => p.classList.remove('active'));
+    document.querySelectorAll('.sev-pills .pill').forEach(p => {
+      p.classList.remove('active');
+      p.setAttribute('aria-pressed', 'false');
+    });
     pill.classList.add('active');
+    pill.setAttribute('aria-pressed', 'true');
     _filterSev = pill.dataset.sev;
     applyEventsFilter();
   });
@@ -563,9 +573,12 @@
   document.querySelectorAll('.lt-stat-card[data-stat-filter]').forEach(card => {
     card.addEventListener('click', () => {
       const sev = card.dataset.statFilter;
-      document.querySelectorAll('.sev-pills .pill').forEach(p => p.classList.remove('active'));
+      document.querySelectorAll('.sev-pills .pill').forEach(p => {
+        p.classList.remove('active');
+        p.setAttribute('aria-pressed', 'false');
+      });
       const matchPill = document.querySelector(`.sev-pills .pill[data-sev="${sev}"]`);
-      if (matchPill) matchPill.classList.add('active');
+      if (matchPill) { matchPill.classList.add('active'); matchPill.setAttribute('aria-pressed', 'true'); }
       _filterSev = sev;
       applyEventsFilter();
       document.getElementById('events-table-wrap')?.scrollIntoView({ behavior: 'smooth', block: 'start' });

templates/inspector.html

@@ -8,16 +8,16 @@
     <h1 class="lt-page-title">Network Inspector</h1>
     <p class="g-page-sub">
       Visual switch chassis diagrams. Click a port to see detailed stats and LLDP path debug.
-      <span id="inspector-updated" style="margin-left:8px"></span>
+      <span id="inspector-updated" class="g-page-sub-aside"></span>
     </p>
   </div>
 </div>
 
 <div class="inspector-layout">
-  <div class="inspector-main" id="inspector-main">
+  <div class="inspector-main" id="inspector-main" role="region" aria-label="Switch chassis diagrams">
     <div class="link-loading">Loading inspector data</div>
   </div>
-  <div class="inspector-panel" id="inspector-panel">
+  <div class="inspector-panel" id="inspector-panel" role="complementary" aria-label="Port detail panel">
     <div class="inspector-panel-inner" id="inspector-panel-inner"></div>
   </div>
 </div>
@@ -107,10 +107,8 @@ function portBlockHtml(idx, port, swName, sfpBlock) {
   const sfpCls    = sfpBlock ? ' sfp-block' : '';
   const speedTxt  = portSpeedLabel(port);
   // LLDP neighbor: first 6 chars of hostname
-  const lldpName  = (port && port.lldp_table && port.lldp_table.length)
-                    ? escHtml((port.lldp_table[0].chassis_id_subtype === 'local'
-                        ? port.lldp_table[0].chassis_id
-                        : port.lldp_table[0].system_name || port.lldp_table[0].chassis_id || '').slice(0, 6))
+  const lldpName  = (port && port.lldp && (port.lldp.system_name || port.lldp.chassis_id))
+                    ? escHtml((port.lldp.system_name || port.lldp.chassis_id || '').slice(0, 6))
                     : '';
   const lldpHtml  = lldpName ? `<span class="port-lldp">${lldpName}</span>` : '';
   const speedHtml = speedTxt ? `<span class="port-speed">${speedTxt}</span>` : '';
@@ -162,10 +160,8 @@ function renderChassis(swName, sw) {
         const state  = portBlockState(port);
         const title  = port ? escHtml(port.name) : `Port ${idx}`;
         const speedTxt  = portSpeedLabel(port);
-        const lldpName  = (port && port.lldp_table && port.lldp_table.length)
-                          ? escHtml((port.lldp_table[0].chassis_id_subtype === 'local'
-                              ? port.lldp_table[0].chassis_id
-                              : port.lldp_table[0].system_name || port.lldp_table[0].chassis_id || '').slice(0, 6))
+        const lldpName  = (port && port.lldp && (port.lldp.system_name || port.lldp.chassis_id))
+                          ? escHtml((port.lldp.system_name || port.lldp.chassis_id || '').slice(0, 6))
                           : '';
         const speedHtml = speedTxt ? `<span class="port-speed">${speedTxt}</span>` : '';
         const lldpHtml  = lldpName ? `<span class="port-lldp">${lldpName}</span>` : '';
@@ -222,6 +218,7 @@ let _apiData        = null;
 function selectPort(el) {
   const swName = el.dataset.switch;
   const idx    = parseInt(el.dataset.portIdx, 10);
+  if (_diagPollTimer) { clearInterval(_diagPollTimer); _diagPollTimer = null; }
   document.querySelectorAll('.switch-port-block.selected')
     .forEach(e => e.classList.remove('selected'));
   el.classList.add('selected');
@@ -231,6 +228,7 @@ function selectPort(el) {
 }
 
 function closePanel() {
+  if (_diagPollTimer) { clearInterval(_diagPollTimer); _diagPollTimer = null; }
   document.getElementById('inspector-panel').classList.remove('open');
   document.querySelectorAll('.switch-port-block.selected')
     .forEach(el => el.classList.remove('selected'));
@@ -262,7 +260,7 @@ function renderPanel(swName, idx) {
     const poeCurStr = (d.poe_power != null && d.poe_power > 0) ? ` / draw <span class="val-amber">${d.poe_power.toFixed(1)}W</span>` : '';
     poeHtml = `
       <div class="lt-divider"><span class="lt-divider-label">PoE</span></div>
-      <div class="panel-row"><span class="panel-label">Class</span><span class="panel-val">class ${d.poe_class}${poeMaxStr}</span></div>
+      <div class="panel-row"><span class="panel-label">Class</span><span class="panel-val">class ${escHtml(String(d.poe_class))}${poeMaxStr}</span></div>
       ${d.poe_power != null ? `<div class="panel-row"><span class="panel-label">Draw</span><span class="panel-val">${d.poe_power > 0 ? `<span class="val-amber">${d.poe_power.toFixed(1)}W</span>` : '0W'}</span></div>` : ''}
       ${d.poe_mode ? `<div class="panel-row"><span class="panel-label">Mode</span><span class="panel-val">${escHtml(d.poe_mode)}</span></div>` : ''}`;
   }
@@ -320,7 +318,9 @@ function renderPanel(swName, idx) {
     _apiData.hosts && _apiData.hosts[d.lldp.system_name]);
   const diagHtml = hasDiagTarget ? `
     <div class="diag-bar">
-      <button class="btn-diag" data-action="run-diagnostic" data-sw="${escHtml(swName)}" data-idx="${idx}">Run Link Diagnostics</button>
+      <button class="btn-diag lt-btn lt-btn-secondary lt-btn-sm" data-action="run-diagnostic"
+              data-sw="${escHtml(swName)}" data-idx="${idx}"
+              aria-label="Run link diagnostics for port ${idx} on ${escHtml(swName)}">Run Diagnostics</button>
       <span class="diag-status" id="diag-status"></span>
     </div>
     <div class="diag-results" id="diag-results"></div>` : '';
@@ -429,11 +429,18 @@ function renderInspector(data) {
 
   const updEl = document.getElementById('inspector-updated');
   if (updEl && data.updated) {
-    updEl.textContent = 'Updated: ' + new Date(data.updated + (data.updated.includes('Z') ? '' : 'Z')).toLocaleTimeString();
+    const updMs = new Date(_toIso(data.updated));
+    const ageMin = (Date.now() - updMs) / 60000;
+    const timeStr = updMs.toLocaleTimeString();
+    if (ageMin > 15) {
+      updEl.innerHTML = `<span class="g-stale-warn" title="Data is ${Math.floor(ageMin)} minutes old — monitor may be down">⚠ Stale: ${timeStr}</span>`;
+    } else {
+      updEl.textContent = 'Updated: ' + timeStr;
+    }
   }
 
   if (!Object.keys(switches).length) {
-    main.innerHTML = '<p class="empty-state">No switch data available. Monitor may still be initialising.</p>';
+    main.innerHTML = '<div class="lt-empty-state lt-empty-state--sm"><div class="lt-empty-state-icon">⬡</div><div class="lt-empty-state-title">No switch data available</div><div class="lt-empty-state-body">Monitor may still be initialising.</div></div>';
     return;
   }
 
@@ -460,13 +467,13 @@ async function loadInspector() {
     renderInspector(data);
   } catch (e) {
     document.getElementById('inspector-main').innerHTML =
-      '<p class="empty-state">Failed to load inspector data.</p>';
+      '<div class="lt-empty-state lt-empty-state--sm"><div class="lt-empty-state-icon">✕</div><div class="lt-empty-state-title">Failed to load inspector data</div></div>';
     lt.toast.error('Failed to load inspector data');
   }
 }
 
 loadInspector();
-var _inspInterval = (window.gandalfSettings && window.gandalfSettings.refreshInterval) || 60;
+const _inspInterval = window.gandalfSettings?.refreshInterval ?? 60;
 if (_inspInterval > 0) lt.autoRefresh.start(loadInspector, Math.max(_inspInterval, 15) * 1000);
 
 window.onGandalfSettingsChanged = function(s) {
@@ -488,7 +495,13 @@ document.addEventListener('click', e => {
   if (diagBtn) { runDiagnostic(diagBtn.dataset.sw, parseInt(diagBtn.dataset.idx, 10)); return; }
 
   const toggleDiag = e.target.closest('[data-action="toggle-diag"]');
-  if (toggleDiag) { toggleDiag.parentElement.classList.toggle('diag-open'); return; }
+  if (toggleDiag) {
+    const section = toggleDiag.parentElement;
+    const nowOpen = section.classList.toggle('diag-open');
+    const hint = toggleDiag.querySelector('.diag-toggle-hint');
+    if (hint) hint.textContent = nowOpen ? '[collapse]' : '[expand]';
+    return;
+  }
 });
 
 // ── Link Diagnostics ─────────────────────────────────────────────────
@@ -511,7 +524,10 @@ function runDiagnostic(swName, portIdx) {
       pollDiagnostic(resp.job_id, statusEl, resultsEl);
     })
     .catch(e => {
-      statusEl.textContent = 'Error: ' + (e.message || 'Request failed');
+      const msg = (e && e.status === 429)
+        ? 'Rate limit reached — max 5 diagnostics per minute. Please wait.'
+        : 'Error: ' + (e && e.message || 'Request failed');
+      statusEl.textContent = msg;
     });
 }
 
@@ -521,7 +537,13 @@ function pollDiagnostic(jobId, statusEl, resultsEl) {
     attempts++;
     if (attempts > 120) {  // 2min timeout
       clearInterval(_diagPollTimer);
-      statusEl.textContent = 'Timed out waiting for results.';
+      _diagPollTimer = null;
+      statusEl.innerHTML = 'Timed out waiting for results. '
+        + '<button class="lt-btn lt-btn-ghost lt-btn-sm" id="diag-retry-btn">Retry</button>';
+      document.getElementById('diag-retry-btn')?.addEventListener('click', () => {
+        const sel = document.querySelector('.switch-port-block.selected');
+        if (sel) runDiagnostic(sel.dataset.switch, parseInt(sel.dataset.portIdx));
+      });
       return;
     }
     lt.api.get(`/api/diagnose/${jobId}`)
@@ -536,7 +558,12 @@ function pollDiagnostic(jobId, statusEl, resultsEl) {
     .catch(() => {
       clearInterval(_diagPollTimer);
       _diagPollTimer = null;
-      statusEl.textContent = 'Error: lost connection while collecting diagnostics.';
+      statusEl.innerHTML = 'Error: lost connection while collecting diagnostics. '
+        + '<button class="lt-btn lt-btn-ghost lt-btn-sm" id="diag-retry-btn">Retry</button>';
+      document.getElementById('diag-retry-btn')?.addEventListener('click', () => {
+        const sel = document.querySelector('.switch-port-block.selected');
+        if (sel) runDiagnostic(sel.dataset.switch, parseInt(sel.dataset.portIdx));
+      });
     });
   }, 2000);
 }

templates/links.html

@@ -8,7 +8,7 @@
     <h1 class="lt-page-title">Link Debug</h1>
     <p class="g-page-sub">
       Per-interface stats: speed, duplex, SFP optical levels, TX/RX rates, errors, and carrier changes.
-      <span id="links-updated" style="margin-left:8px"></span>
+      <span id="links-updated" class="g-page-sub-aside"></span>
     </p>
   </div>
 </div>
@@ -17,7 +17,8 @@
   <div class="lt-toolbar-left">
     <div class="lt-search">
       <input type="search" class="lt-input lt-search-input" id="links-search"
-             placeholder="Filter by host or switch name…" autocomplete="off">
+             placeholder="Filter by host or switch name…" autocomplete="off"
+             aria-label="Filter by host or switch name">
     </div>
   </div>
   <div class="lt-toolbar-right">
@@ -325,7 +326,7 @@ function renderPortCard(portName, d) {
 function renderUnifiSwitches(unifiSwitches, dataUpdated) {
   if (!unifiSwitches || !Object.keys(unifiSwitches).length) return '';
   const updStr = dataUpdated
-    ? new Date(dataUpdated.replace(' UTC', 'Z').replace(' ', 'T')).toLocaleTimeString()
+    ? new Date(_toIso(dataUpdated)).toLocaleTimeString()
     : '';
   const html = Object.entries(unifiSwitches).map(([swName, sw]) => {
     const ports = sw.ports || {};
@@ -347,7 +348,7 @@ function renderUnifiSwitches(unifiSwitches, dataUpdated) {
 
     return `
       <div class="link-host-panel" id="panel-${CSS.escape(swName)}">
-        <div class="link-host-title" data-action="toggle-panel">
+        <div class="link-host-title" data-action="toggle-panel" role="button" tabindex="0" aria-expanded="true">
           <span class="link-host-name">${escHtml(swName)}</span>
           <span class="link-host-ip">${escHtml(sw.ip || '')}</span>
           <span class="link-host-upd">${escHtml(sw.model || '')}${updStr ? ' · ' + updStr : ''}${poeLoad}</span>
@@ -358,31 +359,38 @@ function renderUnifiSwitches(unifiSwitches, dataUpdated) {
       </div>`;
   }).join('');
 
-  return `<div class="lt-divider" style="margin:20px 0 12px"><span class="lt-divider-label" style="color:var(--cyan);letter-spacing:.1em">UNIFI SWITCH PORTS</span></div>${html}`;
+  return `<div class="lt-divider lt-divider--unifi"><span class="lt-divider-label lt-divider-label--unifi">UNIFI SWITCH PORTS</span></div>${html}`;
 }
 
 // ── Panel collapse / expand ───────────────────────────────────────
 function togglePanel(panel) {
   panel.classList.toggle('collapsed');
-  const btn = panel.querySelector('.panel-toggle');
-  if (btn) btn.textContent = panel.classList.contains('collapsed') ? '[+]' : '[–]';
+  const isCollapsed = panel.classList.contains('collapsed');
+  const btn   = panel.querySelector('.panel-toggle');
+  const title = panel.querySelector('.link-host-title');
+  if (btn)   btn.textContent = isCollapsed ? '[+]' : '[–]';
+  if (title) title.setAttribute('aria-expanded', isCollapsed ? 'false' : 'true');
   const id = panel.id;
   if (id) {
-    const collapsed = JSON.parse(sessionStorage.getItem('linksCollapsed') || '{}');
+    let collapsed = {};
+    try { collapsed = JSON.parse(sessionStorage.getItem('linksCollapsed') || '{}'); } catch(_) {}
     collapsed[id] = panel.classList.contains('collapsed');
-    sessionStorage.setItem('linksCollapsed', JSON.stringify(collapsed));
+    try { sessionStorage.setItem('linksCollapsed', JSON.stringify(collapsed)); } catch(_) {}
   }
 }
 
 function restoreCollapseState() {
-  const collapsed = JSON.parse(sessionStorage.getItem('linksCollapsed') || '{}');
+  let collapsed = {};
+  try { collapsed = JSON.parse(sessionStorage.getItem('linksCollapsed') || '{}'); } catch(_) {}
   for (const [id, isCollapsed] of Object.entries(collapsed)) {
     const panel = document.getElementById(id);
     if (!panel) continue;
     if (isCollapsed) {
       panel.classList.add('collapsed');
-      const btn = panel.querySelector('.panel-toggle');
-      if (btn) btn.textContent = '[+]';
+      const btn   = panel.querySelector('.panel-toggle');
+      const title = panel.querySelector('.link-host-title');
+      if (btn)   btn.textContent = '[+]';
+      if (title) title.setAttribute('aria-expanded', 'false');
     }
   }
 }
@@ -407,37 +415,37 @@ function buildLinkSummary(hosts, unifiSwitches) {
   }
   const allTotal = totalIfaces + swTotal;
   const allDown  = downIfaces  + swDown;
-  const downColor = allDown  > 0 ? 'var(--red)'   : 'var(--green)';
-  const errColor  = errIfaces > 0 ? 'var(--amber)' : 'var(--green)';
+  const downCls    = allDown  > 0 ? 'lt-text-red'   : 'lt-text-green';
+  const errCls     = errIfaces > 0 ? 'lt-text-amber' : 'lt-text-green';
   const downCardCls = allDown  > 0 ? ' lt-stat-card--alert' : '';
   const poeCard = totalPoe > 0 ? `
     <div class="lt-stat-card">
-      <span class="lt-stat-icon" aria-hidden="true" style="color:var(--amber)">⚡</span>
+      <span class="lt-stat-icon lt-text-amber" aria-hidden="true">⚡</span>
       <div class="lt-stat-info">
-        <span class="lt-stat-value" style="color:var(--amber)">${totalPoe.toFixed(1)}</span>
+        <span class="lt-stat-value lt-text-amber">${totalPoe.toFixed(1)}</span>
         <span class="lt-stat-label">PoE Load (W)</span>
       </div>
     </div>` : '';
   return `
-    <div class="lt-stats-grid" style="margin-bottom:16px">
+    <div class="lt-stats-grid lt-stats-grid--mb">
       <div class="lt-stat-card">
-        <span class="lt-stat-icon" aria-hidden="true" style="color:var(--cyan)">⬡</span>
+        <span class="lt-stat-icon lt-text-cyan" aria-hidden="true">⬡</span>
         <div class="lt-stat-info">
-          <span class="lt-stat-value" style="color:var(--cyan)">${allTotal}</span>
+          <span class="lt-stat-value lt-text-cyan">${allTotal}</span>
           <span class="lt-stat-label">Interfaces</span>
         </div>
       </div>
       <div class="lt-stat-card${downCardCls}">
-        <span class="lt-stat-icon" aria-hidden="true" style="color:${downColor}">●</span>
+        <span class="lt-stat-icon ${downCls}" aria-hidden="true">●</span>
         <div class="lt-stat-info">
-          <span class="lt-stat-value" style="color:${downColor}">${allDown}</span>
+          <span class="lt-stat-value ${downCls}">${allDown}</span>
           <span class="lt-stat-label">Ports Down</span>
         </div>
       </div>
       <div class="lt-stat-card">
-        <span class="lt-stat-icon" aria-hidden="true" style="color:${errColor}">▲</span>
+        <span class="lt-stat-icon ${errCls}" aria-hidden="true">▲</span>
         <div class="lt-stat-info">
-          <span class="lt-stat-value" style="color:${errColor}">${errIfaces}</span>
+          <span class="lt-stat-value ${errCls}">${errIfaces}</span>
           <span class="lt-stat-label">With Errors</span>
         </div>
       </div>
@@ -461,12 +469,12 @@ function renderLinks(data) {
     const sample  = Object.values(ifaces)[0] || {};
     const ip      = sample.host_ip || '';
     const updStr  = data.updated
-      ? new Date(data.updated.replace(' UTC', 'Z').replace(' ', 'T')).toLocaleTimeString()
+      ? new Date(_toIso(data.updated)).toLocaleTimeString()
       : '';
 
     parts.push(`
       <div class="link-host-panel" id="panel-${CSS.escape(hostname)}">
-        <div class="link-host-title" data-action="toggle-panel">
+        <div class="link-host-title" data-action="toggle-panel" role="button" tabindex="0" aria-expanded="true">
           <span class="link-host-name">${escHtml(hostname)}</span>
           <span class="link-host-ip">${escHtml(ip)}</span>
           <span class="link-host-upd">${updStr}</span>
@@ -496,27 +504,33 @@ function applyLinksSearch() {
 function collapseAll() {
   document.querySelectorAll('.link-host-panel').forEach(p => {
     p.classList.add('collapsed');
-    const btn = p.querySelector('.panel-toggle');
-    if (btn) btn.textContent = '[+]';
+    const btn   = p.querySelector('.panel-toggle');
+    const title = p.querySelector('.link-host-title');
+    if (btn)   btn.textContent = '[+]';
+    if (title) title.setAttribute('aria-expanded', 'false');
   });
-  sessionStorage.setItem('linksCollapsed', JSON.stringify(
-    Object.fromEntries([...document.querySelectorAll('.link-host-panel')].map(p => [p.id, true]))
-  ));
+  try {
+    sessionStorage.setItem('linksCollapsed', JSON.stringify(
+      Object.fromEntries([...document.querySelectorAll('.link-host-panel')].map(p => [p.id, true]))
+    ));
+  } catch(_) {}
 }
 
 function expandAll() {
   document.querySelectorAll('.link-host-panel').forEach(p => {
     p.classList.remove('collapsed');
-    const btn = p.querySelector('.panel-toggle');
-    if (btn) btn.textContent = '[–]';
+    const btn   = p.querySelector('.panel-toggle');
+    const title = p.querySelector('.link-host-title');
+    if (btn)   btn.textContent = '[–]';
+    if (title) title.setAttribute('aria-expanded', 'true');
   });
-  sessionStorage.setItem('linksCollapsed', '{}');
+  try { sessionStorage.setItem('linksCollapsed', '{}'); } catch(_) {}
 }
 
 // ── Stale data warning ────────────────────────────────────────────
 function checkLinksStale(updatedStr) {
   if (!updatedStr) return;
-  const age = (Date.now() - new Date(updatedStr + (updatedStr.includes('Z') ? '' : 'Z'))) / 1000;
+  const age = (Date.now() - new Date(_toIso(updatedStr))) / 1000;
   let banner = document.getElementById('links-stale-banner');
   if (age > 120) {
     if (!banner) {
@@ -538,14 +552,14 @@ function checkLinksStale(updatedStr) {
 async function loadLinks() {
   try {
     const data = await lt.api.get('/api/links');
-    if (!data.hosts && !data.unifi_switches) {
+    if ((!data.hosts || !Object.keys(data.hosts).length) && (!data.unifi_switches || !Object.keys(data.unifi_switches).length)) {
       document.getElementById('links-container').innerHTML =
         '<div class="link-no-data">No link data yet — monitor has not completed a full cycle.</div>';
       return;
     }
     const updEl = document.getElementById('links-updated');
     if (updEl && data.updated) {
-      updEl.textContent = 'Updated: ' + new Date(data.updated + (data.updated.includes('Z') ? '' : 'Z')).toLocaleTimeString();
+      updEl.textContent = 'Updated: ' + new Date(_toIso(data.updated)).toLocaleTimeString();
     }
     renderLinks(data);
     checkLinksStale(data.updated);
@@ -557,7 +571,7 @@ async function loadLinks() {
 }
 
 loadLinks();
-var _linksInterval = (window.gandalfSettings && window.gandalfSettings.refreshInterval) || 60;
+const _linksInterval = window.gandalfSettings?.refreshInterval ?? 60;
 if (_linksInterval > 0) lt.autoRefresh.start(loadLinks, Math.max(_linksInterval, 15) * 1000);
 
 window.onGandalfSettingsChanged = function(s) {
@@ -573,6 +587,12 @@ document.addEventListener('click', e => {
   if (e.target.closest('[data-action="expand-all"]'))   { expandAll();   return; }
 });
 
+document.addEventListener('keydown', e => {
+  if (e.key !== 'Enter' && e.key !== ' ') return;
+  const toggleTitle = e.target.closest('[data-action="toggle-panel"]');
+  if (toggleTitle) { e.preventDefault(); togglePanel(toggleTitle.closest('.link-host-panel')); }
+});
+
 document.getElementById('links-search')?.addEventListener('input', applyLinksSearch);
 </script>
 {% endblock %}

templates/suppressions.html

@@ -32,7 +32,7 @@
             <label class="lt-label" for="s-name">Target Name <span class="required">*</span></label>
             <input type="text" class="lt-input" id="s-name" name="target_name"
                    placeholder="hostname or device name" autocomplete="off"
-                   list="target-name-list">
+                   required aria-required="true" list="target-name-list">
             <datalist id="target-name-list">
               {% for name in snapshot.hosts.keys() | sort %}
               <option value="{{ name }}">
@@ -51,19 +51,19 @@
             <label class="lt-label" for="s-reason">Reason <span class="required">*</span></label>
             <input type="text" class="lt-input" id="s-reason" name="reason"
                    placeholder="e.g. Planned switch maintenance, replacing SFP on large1/enp43s0"
-                   required>
+                   required aria-required="true">
           </div>
         </div>
 
         <div class="form-row form-row-align">
           <div class="lt-form-group">
             <label class="lt-label">Duration</label>
-            <div class="duration-pills">
-              <button type="button" class="pill" data-duration="30">30 min</button>
-              <button type="button" class="pill" data-duration="60">1 hr</button>
-              <button type="button" class="pill" data-duration="240">4 hr</button>
-              <button type="button" class="pill" data-duration="480">8 hr</button>
-              <button type="button" class="pill pill-manual active" data-duration="">Manual ∞</button>
+            <div class="duration-pills" role="group" aria-label="Select suppression duration">
+              <button type="button" class="pill" data-duration="30" aria-pressed="false" aria-label="30 minutes">30 min</button>
+              <button type="button" class="pill" data-duration="60" aria-pressed="false" aria-label="1 hour">1 hr</button>
+              <button type="button" class="pill" data-duration="240" aria-pressed="false" aria-label="4 hours">4 hr</button>
+              <button type="button" class="pill" data-duration="480" aria-pressed="false" aria-label="8 hours">8 hr</button>
+              <button type="button" class="pill pill-manual active" data-duration="" aria-pressed="true" aria-label="Manual, no expiry">Manual ∞</button>
             </div>
             <input type="hidden" id="s-expires" name="expires_minutes" value="">
             <div class="lt-field-hint" id="s-dur-hint">Persists until manually removed.</div>
@@ -110,7 +110,8 @@
             <td class="ts-cell">{{ s.created_at }}</td>
             <td class="ts-cell">{% if s.expires_at %}{{ s.expires_at }}{% else %}<em>manual</em>{% endif %}</td>
             <td>
-              <button class="lt-btn lt-btn-danger lt-btn-sm" data-action="remove-sup" data-sup-id="{{ s.id }}">Remove</button>
+              <button class="lt-btn lt-btn-danger lt-btn-sm" data-action="remove-sup" data-sup-id="{{ s.id }}"
+                      aria-label="Remove suppression for {{ s.target_name or 'global' }}">Remove</button>
             </td>
           </tr>
           {% endfor %}
@@ -216,20 +217,16 @@
     const t = document.getElementById('s-type').value;
     document.getElementById('name-group').style.display = (t==='all') ? 'none' : '';
     document.getElementById('detail-group').style.display = (t==='interface') ? '' : 'none';
-    document.getElementById('s-name').required = (t!=='all');
+    const nameInput = document.getElementById('s-name');
+    if (nameInput) {
+      const req = (t !== 'all');
+      nameInput.required = req;
+      nameInput.setAttribute('aria-required', String(req));
+    }
   }
 
   function setDur(mins, el) {
-    document.getElementById('s-expires').value = mins || '';
-    document.querySelectorAll('.duration-pills .pill').forEach(p => p.classList.remove('active'));
-    if (el) el.classList.add('active');
-    const hint = document.getElementById('s-dur-hint');
-    if (mins) {
-      const h = Math.floor(mins/60), m = mins%60;
-      hint.textContent = `Expires in ${h?h+'h ':''}${m?m+'m':''}`.trim()+'.';
-    } else {
-      hint.textContent = 'Persists until manually removed.';
-    }
+    setDuration(mins, el, { expiresId: 's-expires', pillSel: '#create-suppression-form .pill', hintId: 's-dur-hint' });
   }
 
   function renderActiveRows(rows) {
@@ -251,7 +248,8 @@
         <td>${lt.escHtml(s.suppressed_by)}</td>
         <td class="ts-cell">${lt.escHtml(s.created_at || '')}</td>
         <td class="ts-cell">${s.expires_at ? lt.escHtml(s.expires_at) : '<em>manual</em>'}</td>
-        <td><button class="lt-btn lt-btn-danger lt-btn-sm" data-action="remove-sup" data-sup-id="${s.id}">Remove</button></td>
+        <td><button class="lt-btn lt-btn-danger lt-btn-sm" data-action="remove-sup" data-sup-id="${s.id}"
+            aria-label="Remove suppression for ${lt.escHtml(s.target_name || 'global')}">Remove</button></td>
       </tr>`).join('');
     wrap.innerHTML = `
       <div class="lt-frame">
@@ -297,9 +295,7 @@
       showToast('Suppression applied', 'success');
       form.reset();
       onTypeChange();
-      document.querySelectorAll('.duration-pills .pill').forEach(p => p.classList.remove('active'));
-      document.querySelector('.duration-pills .pill-manual')?.classList.add('active');
-      document.getElementById('s-dur-hint').textContent = 'Persists until manually removed.';
+      setDur(null, document.querySelector('#create-suppression-form .pill-manual'));
       await refreshActive();
     } catch (err) {
       showToast(err.message || 'Error', 'error');

tests/test_diagnose.py

@@ -9,9 +9,9 @@ from diagnose import DiagnosticsRunner  # noqa: E402
 # ── build_ssh_command ────────────────────────────────────────────────────────
 
 class TestBuildSshCommand:
-    def test_contains_stricthostkeychecking_no(self):
+    def test_contains_stricthostkeychecking_accept_new(self):
         cmd = DiagnosticsRunner.build_ssh_command('10.0.0.1', 'eth0')
-        assert 'StrictHostKeyChecking=no' in cmd
+        assert 'StrictHostKeyChecking=accept-new' in cmd
 
     def test_contains_host_ip(self):
         cmd = DiagnosticsRunner.build_ssh_command('10.0.0.1', 'eth0')
@@ -36,6 +36,12 @@ class TestBuildSshCommand:
         cmd = DiagnosticsRunner.build_ssh_command('10.0.0.1', 'eth0')
         assert 'ethtool' in cmd
 
+    def test_dmesg_uses_fixed_string_grep(self):
+        # grep -F prevents iface names with dots (e.g. eth0.1) being treated as
+        # regex wildcards; -- prevents leading - from being parsed as a flag
+        cmd = DiagnosticsRunner.build_ssh_command('10.0.0.1', 'eth0')
+        assert 'grep -F --' in cmd
+
 
 # ── parse_output ─────────────────────────────────────────────────────────────