CRITICAL FIX: Load persistent IP data BEFORE threshold calculation

Bug: Threshold calculation used undefined 'hits' variable.
Code tried to use lifetime_hits at line 2622, but hits wasn't loaded until line 2652.
Result: Adaptive threshold never actually worked - always used default threshold.

Fix: Load IP data (score|hits|bot_type|attacks|ban_count|rep_score) from persistent
ip_data file BEFORE calculating threshold, so we have accurate lifetime hit count.

Now the flow is:
1. Load persistent IP data from ip_data (includes current lifetime hits)
2. Calculate threshold based on CURRENT lifetime hits
3. Check if count > threshold
4. If yes, increment hits and process
5. Write back to ip_data with incremented hits

Example: IP with 5 detections in 3 minutes
- Detection 1: hits=1, threshold=3, needs 3+ connections
- Detection 2: hits=2, threshold=2, needs 2+ connections
- Detection 3: hits=3, threshold=2, needs 2+ connections
- Detection 4: hits=4, threshold=2, needs 2+ connections
- Detection 5: hits=5, threshold=1, needs 1+ connection ✓

If IP has 2+ connections on each scan, detected on scans 2-5+.
If IP has 1+ connection on each scan, detected on scan 5+ (or earlier if more connections).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
2026-03-06 23:05:52 -05:00
parent 4ea982b119
commit 0fec5f1081
+10 -10
@@ -2586,6 +2586,14 @@ monitor_network_attacks() {
# Track connection count for this IP
CONNECTION_COUNT[$ip]=$count
# Load IP's persistent data FIRST (before threshold calculation)
# This gets the current lifetime hits count from ip_data
local current_data="0|0|human||0|0"
if [ -f "$TEMP_DIR/ip_data" ]; then
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Dynamic threshold based on attack severity + momentum:
# CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
# Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
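Review bot: the `|| echo "0|0|human||0|0"` fallback in the new load block never fires when the IP is absent from ip_data, because the `||` tests the exit status of the last pipeline stage (`cut`), which exits 0 even when `grep` matched nothing; `current_data` then becomes the empty string, the `IFS='|' read` leaves `score`, `hits`, `bot_type` and the rest empty, and the threshold calculation that follows runs on an empty `hits` rather than the intended default. Since this block now executes for every IP before the threshold check (the whole point of the commit), the default path matters more than it did in the old alert-only block. Suggest testing the result instead of the pipeline status, e.g. `current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2)` followed by `[ -n "$current_data" ] || current_data="0|0|human||0|0"`, or moving the default string into a single variable so it is not repeated in two places.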
@@ -2644,16 +2652,8 @@ monitor_network_attacks() {
if [ -z "${ALERT_SENT[$ip]}" ]; then
ALERT_SENT[$ip]=1
# Load IP reputation from PERSISTENT central database (ip_data)
# This preserves hits across monitor restarts for historical tracking
local current_data="0|0|human||0|0"
if [ -f "$TEMP_DIR/ip_data" ]; then
# Extract this IP's data from central database
current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
fi
IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
# Increment hits (persistent across monitor restarts)
# Data already loaded earlier (before threshold calculation)
# Just increment hits (persistent across monitor restarts)
# This is the total lifetime detection count for this IP
hits=$((hits + 1))
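Review bot: with the load moved into the earlier block, the fields read by `IFS='|' read -r score hits bot_type attacks ban_count rep_score` are no longer declared next to their only consumer, and they are not declared `local` in either hunk, so they persist across loop iterations and outlive `monitor_network_attacks()`; if the load fails for one IP (empty `current_data`, see the note on the first hunk), `hits` at this line is whatever the previous IP left behind or empty, and `hits=$((hits + 1))` silently treats empty as 0, hiding the problem. Suggest adding `local score hits bot_type attacks ban_count rep_score` alongside `local current_data` in the first hunk. Also, the two replacement comments "Data already loaded earlier (before threshold calculation)" and "Just increment hits (persistent across monitor restarts)" say the same thing as the line below them; one comment pointing at where the load now happens would read cleaner.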