Major performance and storage improvements

- live-attack-monitor.sh: Remove snapshot loading, fix Apache log monitoring, add IP file sync for auto-blocking
- bot-analyzer.sh:
  * Implement gzip compression for large temp files (10-20x space savings)
  * Move temp files from /tmp to toolkit/tmp directory
  * Prevents filling up system /tmp on large servers
- run.sh: Add HISTFILE fallback to prevent crashes when sourced
- user-manager.sh:
  * Initialize TEMP_SESSION_DIR to fix user indexing errors
  * Remove unnecessary temp file I/O for faster user indexing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

modules/security/live-attack-monitor.sh

@@ -1789,7 +1789,20 @@ monitor_apache_logs() {
 
                 # Show ET detection if found
                 if [ "$et_attack_score" -gt 0 ]; then
-                    log_line+=" | 🛡️ET:$et_attack_types"
+                    # Show primary attack type (cleaner than full list)
+                    local primary_type=$(echo "$et_attack_types" | grep -oE 'SQLI|XSS|CMD|TRAVERSAL|WEBSHELL|RCE|UPLOAD|CVE' | head -1)
+                    if [ -z "$primary_type" ]; then
+                        primary_type=$(echo "$et_attack_types" | cut -d',' -f1)
+                    fi
+                    log_line+=" | 🛡️ET:$primary_type"
+
+                    # Show signature names (the key improvement!)
+                    if [ -n "$et_signatures" ]; then
+                        # Limit to first 3 signatures to keep display clean
+                        local sig_display=$(echo "$et_signatures" | tr ',' '\n' | head -3 | tr '\n' ',' | sed 's/,$//')
+                        log_line+=" | Sigs:$sig_display"
+                    fi
+
                     # Show rate info if elevated
                     if [ "$et_rate_score" -gt 0 ]; then
                         log_line+=" | 🌊Rate:+$et_rate_score"