fix(crowdsec): Fix alerts/scenarios/countries stats in dashboard

- alerts_24h now uses local_decisions count instead of empty file
- top_scenarios_raw now extracts from decisions JSON (was parsing CAPI metrics)
- top_countries_raw now correctly parses IsoCode from alerts GeoIP metadata
- Double-buffer caching via cron job already in place

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard

@@ -2417,9 +2417,8 @@ refresh_overview_cache() {
 		[ -z "$capi_decisions" ] && capi_decisions=0
 		decisions_count=$((local_decisions + capi_decisions))
 
-		# Parse alerts count
-		alerts_count=$(grep -c '"id":' "$alerts_file" 2>/dev/null)
-		[ -z "$alerts_count" ] && alerts_count=0
+		# Alerts count = decisions count (each decision comes from an alert)
+		alerts_count=$local_decisions
 
 		# Parse bouncers count
 		if [ -n "$bouncers_json" ] && [ "$bouncers_json" != "[]" ]; then
@@ -2439,19 +2438,21 @@ refresh_overview_cache() {
 			fi
 		fi
 
-		# Parse scenarios from metrics
-		if [ -n "$metrics_output" ]; then
-			scenarios=$(echo "$metrics_output" | \
-				grep -E '^\| [a-z].*\| CAPI' | \
-				sed 's/|//g;s/^[ ]*//;s/[ ]*$//' | \
-				awk '{print $4, $1}' | sort -rn | head -5 | \
-				awk '{print "{\"scenario\":\"" $2 "\",\"count\":" $1 "}"}' | \
-				tr '\n' ',' | sed 's/,$//')
-		fi
+		# Parse top scenarios from decisions file (count by scenario name)
+		scenarios=$(cat "$decisions_file" | \
+			grep -oE '"scenario"[[:space:]]*:[[:space:]]*"[^"]*"' | \
+			sed 's/"scenario"[[:space:]]*:[[:space:]]*"//;s/"$//' | \
+			sort | uniq -c | sort -rn | head -5 | \
+			awk '{print "{\"scenario\":\"" $2 "\",\"count\":" $1 "}"}' | \
+			tr '\n' ',' | sed 's/,$//')
 
-		# Parse countries from alerts file
-		countries=$(cat "$alerts_file" | \
-			jsonfilter -e '@[*].source.cn' 2>/dev/null | \
+		# Parse top countries from full alerts (with GeoIP metadata)
+		# Format is "key": "IsoCode",\n"value": "US" on separate lines
+		local alerts_full
+		alerts_full=$("$CSCLI" alerts list -o json --limit 50 2>/dev/null || echo "[]")
+		countries=$(echo "$alerts_full" | \
+			grep -A1 '"key": "IsoCode"' | grep '"value":' | \
+			sed 's/.*"value"[[:space:]]*:[[:space:]]*"//;s/".*$//' | \
 			grep -v '^$' | sort | uniq -c | sort -rn | head -10 | \
 			awk '{print "{\"country\":\"" $2 "\",\"count\":" $1 "}"}' | \
 			tr '\n' ',' | sed 's/,$//')
@@ -2554,8 +2555,8 @@ refresh_overview_cache() {
 "geoip_enabled":$([ "$geoip_enabled" = "1" ] && echo true || echo false),
 "acquisition_count":$acquisition_count,
 "scenario_count":$scenario_count,
-"top_scenarios_raw":"[$scenarios]",
-"top_countries_raw":"[$countries]",
+"top_scenarios_raw":[$scenarios],
+"top_countries_raw":[$countries],
 "decisions_raw":$(cat "$decisions_file"),
 "alerts_raw":$(cat "$alerts_file"),
 "logs":$logs_json,