Fix some blocked/allow laggards after migrating. Add DuckDB for outstanding analyitcs performance. Start adding an import for all bot networks

app/models/event.rb

@@ -10,6 +10,17 @@ class Event < ApplicationRecord
 
   # Enums for fixed value sets
   # Canonical WAF action order - aligned with Rule and Agent models
+  #
+  # IMPORTANT: These values were swapped to match baffle-agent convention:
+  # - deny: 0 (blocked traffic)
+  # - allow: 1 (allowed traffic)
+  #
+  # When using raw integer values in queries:
+  # - waf_action = 0  -> denied/blocked requests
+  # - waf_action = 1  -> allowed requests
+  # - waf_action = 2  -> redirect requests
+  # - waf_action = 3  -> challenge requests
+  # - waf_action = 4  -> log-only requests
   enum :waf_action, {
     deny: 0,        # deny/block
     allow: 1,       # allow/pass
@@ -341,11 +352,11 @@ class Event < ApplicationRecord
   end
 
   def blocked?
-    waf_action.in?(['block', 'deny'])
+    waf_action == 'deny'  # deny = 0
   end
 
   def allowed?
-    waf_action.in?(['allow', 'pass'])
+    waf_action == 'allow'  # allow = 1
   end
 
   def logged?