From 4b6e655123adb703d44c47387401989a112153bf Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 6 Jan 2026 18:25:41 -0500
Subject: [PATCH] CRITICAL FIX: Prevent main loop from overwriting subprocess updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem:
- IPs reaching Score:100 but STILL not being auto-blocked
- write_ip_data_to_file was working correctly in subprocesses
- BUT main loop was OVERWRITING entire ip_data file every 2 seconds
- Line 3539 used ">" which truncates the file
- Auto-mitigation engine reads stale data from parent's IP_DATA array
- Parent's IP_DATA doesn't have subprocess updates (subshell isolation)

Example:
1. HTTP subprocess: IP reaches score=100, writes to file
2. 2 seconds later: Main loop OVERWRITES file with parent's IP_DATA
3. Auto-mitigation reads file: Score shows 0 or old value
4. IP never blocked!

Root Cause:
The original fix (write_ip_data_to_file) was correct, but the main loop's
periodic file write was destroying those updates.

Solution:
- Main loop now MERGES data instead of overwriting
- Reads existing file (contains fresh subprocess updates)
- Adds only NEW IPs from parent process
- Writes back existing entries (subprocess data takes priority)
- Uses flock to prevent race conditions
- Atomic replacement with .new file

This preserves subprocess updates while still allowing parent process to
add IPs it discovers.

Result:
- Subprocess updates (Score:100) now PERSIST
- Auto-mitigation engine sees correct scores
- IPs with score >= 80 will be blocked within 10 seconds

Testing:
Before: Score:100 shown but IP never blocked
After: Score:100 → INSTANT_BLOCK within 10 seconds
---
 modules/security/live-attack-monitor-v2.sh | 28 ++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index cb12c3b..676acb0 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh @@ -3532,11 +3532,35 @@ while true; do draw_quick_actions # Write IP_DATA to ip_data file for auto-mitigation engine + # NOTE: Subprocesses use write_ip_data_to_file() for real-time updates + # This merges parent process data without overwriting subprocess updates { + flock -w 2 200 || exit 1 + + # Read existing file (contains subprocess updates) + declare -A existing_ips + if [ -f "$TEMP_DIR/ip_data" ]; then + while IFS='=' read -r ip data; do + [ -n "$ip" ] && existing_ips[$ip]="$data" + done < "$TEMP_DIR/ip_data" + fi + + # Merge parent's IP_DATA with existing (subprocess updates take priority) for ip in "${!IP_DATA[@]}"; do - echo "$ip=${IP_DATA[$ip]}" + # Only write if not already in file (subprocess updates are fresher) + if [ -z "${existing_ips[$ip]}" ]; then + echo "$ip=${IP_DATA[$ip]}" + fi done - } > "$TEMP_DIR/ip_data" 2>/dev/null + + # Write back existing entries (from subprocesses) + for ip in "${!existing_ips[@]}"; do + echo "$ip=${existing_ips[$ip]}" + done + + } > "$TEMP_DIR/ip_data.new" 2>/dev/null 200>"$TEMP_DIR/ip_data.lock" + + mv "$TEMP_DIR/ip_data.new" "$TEMP_DIR/ip_data" 2>/dev/null # Update total blocks from file if [ -f "$TEMP_DIR/total_blocks" ]; then
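Review bot: the `mv "$TEMP_DIR/ip_data.new" "$TEMP_DIR/ip_data"` runs after the brace group closes, that is after fd 200 is closed and the flock released, so a subprocess can take the lock and write a fresh score to ip_data in the window between the end of the group and the rename, and the rename then replaces that file with the snapshot taken a moment earlier; this is the same lost-update race the patch sets out to close. Move the `mv` inside the braces so it happens while the lock is still held, and confirm that `write_ip_data_to_file` takes the same `$TEMP_DIR/ip_data.lock` (this hunk does not show it). Two smaller points in the same hunk: a brace group with a redirection does not fork, so `flock -w 2 200 || exit 1` terminates the whole monitor script, not just this write, whenever the lock is busy for two seconds; skipping this round (`continue`, ideally with a warning) is the behaviour you want. And `declare -A existing_ips` inside the main loop never clears the array between iterations, so an entry that was removed from ip_data stays in memory and is written back on the next pass; `unset existing_ips` before the `declare`, or make it `local` inside a function. The comment should also say that "merge" here means the file always wins: the parent's own updates to an IP already present in the file are discarded rather than merged, and `[ -z "${existing_ips[$ip]}" ]` treats an IP whose data field is empty as absent. Finally, `2>/dev/null` on both the write and the `mv` hides exactly the failures (ENOSPC, permissions, a missing TEMP_DIR) that would again leave the auto-mitigation engine reading stale data.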
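For reference, the locked read-merge-write-rename the commit message describes, as an added example and not the project's own code: the rename is done while the lock is still held, a lock timeout returns from the function instead of exiting the shell, and the merge table is fresh on every call. The file names (ip_data, ip_data.new, ip_data.lock under TEMP_DIR), the `ip=data` line format and the rule that entries already in the file beat the parent's IP_DATA are taken from the patch; the sample scores, the IP addresses and the `demo_*` functions are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Locked read-merge-write-rename of
# $TEMP_DIR/ip_data: the rename happens under the lock, a lock timeout
# returns 2 (caller skips this round), and the merge table is rebuilt per
# call. File names and the "ip=data" format follow the patch; sample data
# and the demo_* functions are constructed.

declare -A IP_DATA   # parent's in-memory table, as in the monitor script

# merge_ip_data: merge IP_DATA into $TEMP_DIR/ip_data without dropping
# entries other processes have written. Returns 0 on success, 2 if the lock
# could not be taken within 2 seconds.
merge_ip_data() {
    local -A existing=()   # fresh per call, so entries removed from the file stay removed
    local ip data
    {
        flock -w 2 200 || return 2

        if [ -f "$TEMP_DIR/ip_data" ]; then
            while IFS='=' read -r ip data; do
                if [ -n "$ip" ]; then existing[$ip]=$data; fi
            done < "$TEMP_DIR/ip_data"
        fi

        {
            for ip in "${!IP_DATA[@]}"; do
                # the parent only contributes IPs the file does not have yet;
                # "+set" distinguishes a missing key from an empty data field
                if [ -z "${existing[$ip]+set}" ]; then
                    printf '%s=%s\n' "$ip" "${IP_DATA[$ip]}"
                fi
            done
            for ip in "${!existing[@]}"; do
                printf '%s=%s\n' "$ip" "${existing[$ip]}"
            done
        } > "$TEMP_DIR/ip_data.new"

        # rename while still holding the lock: no writer can slip in between
        mv -f "$TEMP_DIR/ip_data.new" "$TEMP_DIR/ip_data"
    } 200> "$TEMP_DIR/ip_data.lock"
}

# demo_merge: replay the scenario from the commit message. A subprocess has
# already written Score:100 for 203.0.113.5; the parent still holds an older
# score for it plus one IP the file does not know. Prints the merged file,
# sorted: the subprocess score survives and the parent's new IP is added.
demo_merge() {
    TEMP_DIR=$(mktemp -d)
    IP_DATA=()   # constructed sample data (RFC 5737 documentation addresses)
    IP_DATA[203.0.113.5]="Score:40"
    IP_DATA[198.51.100.9]="Score:15"
    printf '203.0.113.5=Score:100\n' > "$TEMP_DIR/ip_data"   # the subprocess's update
    merge_ip_data
    sort "$TEMP_DIR/ip_data"
    rm -rf "$TEMP_DIR"
}

# demo_lock_timeout: another process holds ip_data.lock for 4 seconds; the
# merge gives up after 2 seconds and prints 2 instead of killing the shell.
demo_lock_timeout() {
    local rc
    TEMP_DIR=$(mktemp -d)
    : > "$TEMP_DIR/ip_data.lock"
    flock "$TEMP_DIR/ip_data.lock" -c 'sleep 4' &
    sleep 1   # let the background holder take the lock first
    merge_ip_data && rc=0 || rc=$?
    wait
    rm -rf "$TEMP_DIR"
    echo "$rc"
}

demo_merge
demo_lock_timeout
```

Run it as a plain bash script (bash 4 or later for associative arrays, util-linux `flock`). The caller in the main loop would use `merge_ip_data || true` so that a busy lock costs one skipped refresh rather than the whole monitor.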