feat: implement Phase 4 enhancements

- Migrate frontend to Alpine.js for reactive state management
- Add source health dashboard in UI and /api/source-health endpoint
- Add event tagging (PATCH /api/events/{id}/tags) and commenting (POST /api/events/{id}/comments)
- Add CSV/JSON export from the UI
- Add rule-based alerting engine (rules.py) with CRUD endpoints (/api/rules)
- Add SIEM export via webhook (siem.py)
- Add AOC audit trail middleware logging all mutations to aoc_audit collection
- Update config with SIEM_ENABLED, SIEM_WEBHOOK_URL, ALERTS_ENABLED
- Add tests for rules engine, tags, comments, and source health

ROADMAP.md

@@ -46,16 +46,16 @@ Goal: handle larger data volumes and support real-time ingestion.
 
 ---
 
-## Phase 4: Enhance
+## Phase 4: Enhance ✅
 Goal: evolve from a polling dashboard into a full security operations tool.
 
-- [ ] Migrate frontend to a maintainable framework (Vue 3, React, or HTMX + Alpine.js)
-- [ ] Add rule-based alerting (e.g., alert on privileged operations, after-hours activity)
-- [ ] Add SIEM export (Splunk, Sentinel, syslog webhook)
-- [ ] Build an audit trail for AOC itself (who queried what, who triggered fetches)
-- [ ] Add event tagging and commenting (e.g., `investigating`, `false_positive`)
-- [ ] Add export functionality (CSV / JSON) from the UI
-- [ ] Add source health dashboard showing last fetch time and status per source
+- [x] Migrate frontend to Alpine.js for better state management and maintainability
+- [x] Add rule-based alerting (e.g., alert on privileged operations, after-hours activity)
+- [x] Add SIEM export (Splunk, Sentinel, syslog webhook)
+- [x] Build an audit trail for AOC itself (who queried what, who triggered fetches)
+- [x] Add event tagging and commenting (e.g., `investigating`, `false_positive`)
+- [x] Add export functionality (CSV / JSON) from the UI
+- [x] Add source health dashboard showing last fetch time and status per source
 
 ---