feat: v0.1.4 — device intelligence dashboard

Add tabbed dashboard at /dashboard/ with three D3.js visualizations:
- Vendor treemap (devices grouped by type and vendor)
- SSID social graph (force-directed, shared probed SSIDs as edges)
- Fingerprint clusters (packed circles by device behavior)

Intelligence API endpoints at /api/v1/intelligence/ with param
validation. Dashboard built on htmx + Pico CSS dark theme + D3 v7,
all vendored locally (make vendor). 13 new tests (59 total).

TODO.md

@@ -2,22 +2,25 @@
 
 ## API
 
-- [ ] Pagination for all list endpoints
+- [x] Pagination for all list endpoints (with total count)
+- [x] Request logging middleware
+- [x] Data retention policy (auto-cleanup old records)
 - [ ] Filter by date range
 - [ ] Sort options
 - [ ] Rate limiting (flask-limiter)
 - [ ] API authentication (JWT or API keys)
-- [ ] Request logging middleware
 
 ## OSINT
 
 - [ ] Device fingerprinting by advertisement patterns
 - [ ] SSID categorization (home, corporate, mobile hotspot)
+- [ ] MAC randomization detection (correlate probe bursts, RSSI, timing)
+- [ ] Device reputation scoring (randomized MAC, probe hygiene, visit frequency)
+- [ ] Organizational mapping (group devices by vendor + behavior)
 
 ## Collector
 
 - [ ] CSI data storage (optional, high volume)
-- [ ] Data retention policy (auto-cleanup old records)
 
 ## Fleet Management
 
@@ -38,6 +41,50 @@
 - [ ] Integration tests with mock sensors
 - [ ] Load testing
 
+## Visualizations
+
+### Spatial / RF (D3.js)
+- [ ] RSSI heatmap — triangulate device positions from multi-sensor readings, animate over time
+- [ ] Sensor coverage Voronoi — show reach/overlap/blind spots
+- [ ] Channel utilization spectrogram — waterfall display per sensor
+
+### Device Intelligence
+- [x] Device fingerprint clusters — group by behavior (probes, BLE company, cadence)
+- [x] SSID social graph — devices as nodes, shared probed SSIDs as edges (reveals co-location history)
+- [ ] Probe request worldmap — map probed SSIDs to geolocations via WiGLE
+- [x] Vendor treemap — OUI + BLE company breakdown, anomaly spotting
+
+### Temporal
+- [ ] Presence timeline / Gantt — per-device strips showing enter/leave range (routines, anomalies)
+- [ ] First-seen drift — highlight novel devices vs. known regulars
+- [ ] Dwell time distributions — histogram, bimodal = passers-by vs. occupants
+
+### Purple Team
+- [ ] Deauth attack timeline — overlay alerts with source/target, correlate with device disappearances
+- [ ] Evil twin detection — flag when probed SSID appears as local AP
+- [ ] Flood intensity gauge — real-time deauth rate + historical sparklines
+- [ ] Attack surface dashboard — broadcast probes (evil twin targets), static MACs (trackable), deauth-vulnerable
+- [ ] Kill chain tracker — map events to MITRE ATT&CK for WiFi
+
+### Experimental
+- [ ] CSI radar — amplitude/phase matrix as real-time presence radar (if CSI enabled)
+- [ ] Mesh consensus view — sensor agreement graph, fork/resolve visualization
+- [ ] Temporal knowledge graph — devices/SSIDs/sensors/alerts with timestamped edges
+- [ ] Adversarial simulation replay — VCR-style event playback with what-if scenarios
+- [ ] Entropy dashboard — single ambient metric (new devices/hr, probe diversity, alert rate)
+
+### Priority picks (high value, low-medium effort)
+1. ~~Presence timeline (low effort, high value)~~ — next up
+2. ~~Deauth attack timeline (low effort, high value)~~ — next up
+3. ~~SSID social graph (medium effort, high value)~~ — done v0.1.4
+4. ~~Device fingerprint clusters (medium effort, high value)~~ — done v0.1.4
+5. RSSI heatmap / triangulation (high effort, very high value)
+
+### Tech notes
+- D3.js v7 + htmx + Pico CSS served locally from `static/vendor/`
+- Dashboard at `/dashboard/` with htmx tab switching
+- Intelligence API at `/api/v1/intelligence/*`
+
 ## Ideas
 
 - WebSocket for live updates