{% extends "base.html" %}
{% block title %}Lookup — psyc{% endblock %}
{% block content %}
<section class="panel">
  <div class="panel-head">
    <h1>Indicator Lookup</h1>
    <span class="count">{{ total_iocs }} indicators indexed</span>
  </div>
  <p class="page-intro">Paste any indicator — IP, domain, URL, file hash, or CVE — and psyc tells you whether it's known-bad across the whole case corpus, which feed flagged it, and at what severity. This is the "is this thing dangerous?" desk check.</p>
  <details class="page-help">
    <summary>how to use this view</summary>
    <div class="help-body">
      <p><b>How to use.</b> Type or paste an indicator and hit Look up. A green banner means it's clean (not in the corpus); a red banner means it matched known threat intel — open the case to see the full context.</p>
      <p><b>What you're seeing.</b> Matches come from the IOC index built across all {{ total_iocs }} indicators in the corpus. Lookup is case- and format-insensitive (EVIL.COM = evil.com).</p>
      <p><b>Why it matters.</b> A defender investigating an alert needs a fast verdict on a raw indicator — and a way to push the whole known-bad set into a firewall or DNS sinkhole (see Blocklist export below).</p>
    </div>
  </details>

  <form method="get" action="/lookup" class="lookup-form">
    <input type="text" name="q" value="{{ query }}" placeholder="1.2.3.4  ·  evil.com  ·  http://…  ·  &lt;sha256&gt;  ·  CVE-2024-3721" class="lookup-input" autofocus>
    <button type="submit" class="btn btn-approve">Look up</button>
  </form>

  {% if searched %}
    {% if matches %}
      <div class="verdict verdict-bad">⚠ <strong>{{ query }}</strong> is KNOWN-BAD — {{ matches|length }} match(es) in the corpus</div>
      <table class="ledger">
        <thead>
          <tr><th>Type</th><th>Case</th><th>Feed</th><th>Severity</th><th>First seen</th></tr>
        </thead>
        <tbody>
        {% for m in matches %}
          <tr class="ledger-row sev-{{ m.severity or 'none' }}">
            <td>{{ m.ioc_type }}</td>
            <td class="lg-case"><a href="/cases/{{ m.case_id }}">{{ m.case_id }}</a></td>
            <td class="lg-dest">{{ m.feed or '—' }}</td>
            <td>{% if m.severity %}<span class="sev-badge">{{ m.severity }}</span>{% else %}—{% endif %}</td>
            <td class="lg-ts">{{ (m.first_seen or '')[:10] }}</td>
          </tr>
        {% endfor %}
        </tbody>
      </table>
    {% else %}
      <div class="verdict verdict-clean">✓ <strong>{{ query }}</strong> is not in the corpus — no known-bad match</div>
    {% endif %}
  {% endif %}
</section>

<section class="panel">
  <div class="panel-head"><h2>Blocklist export</h2></div>
  <p class="page-intro">Download the deduplicated set of known-bad indicators of one type as plain text — ready to paste into a firewall denylist, DNS sinkhole, or SIEM watchlist.</p>
  <table class="ledger">
    <thead><tr><th>Type</th><th>Count</th><th>Download (all)</th><th>Download (high+)</th></tr></thead>
    <tbody>
    {% for t, n in counts.items() %}
      <tr class="ledger-row">
        <td>{{ t }}</td>
        <td>{{ n }}</td>
        <td><a href="/export/blocklist?type={{ t }}" target="_blank">{{ t }} blocklist ▾</a></td>
        <td><a href="/export/blocklist?type={{ t }}&min_severity=high" target="_blank">{{ t }} (high+) ▾</a></td>
      </tr>
    {% endfor %}
    </tbody>
  </table>
</section>
{% endblock %}