Fix enrichment: run web-check before AI analysis so data is available

Web-check (ports, DNS, blocklists) now runs as step 3, AI analysis
as step 4. AI prompt includes open ports and blocklist status for
richer threat verdicts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

llm_team_ui.py

@@ -4056,7 +4056,19 @@ def admin_enrich_ip():
     except Exception:
         pass
 
-    # Step 3: AI threat analysis with full context (including web-check data)
+    # Step 3: Web-Check deep scan (ports, DNS, blocklists)
+    WEB_CHECK_BASE = "http://localhost:3000/api"
+    webcheck = {}
+    for endpoint in ["ports", "dns", "block-lists"]:
+        try:
+            wc_resp = requests.get(f"{WEB_CHECK_BASE}/{endpoint}?url={ip}", timeout=15)
+            if wc_resp.status_code == 200:
+                webcheck[endpoint.replace("-", "_")] = wc_resp.json()
+        except Exception:
+            pass
+    result["webcheck"] = webcheck
+
+    # Step 4: AI threat analysis with full context (including web-check data)
     try:
         geo_ctx = ""
         if result["geo"] and not result["geo"].get("error"):
@@ -4117,17 +4129,6 @@ def admin_enrich_ip():
     except Exception as e:
         result["ai_analysis"] = {"error": str(e)}
 
-    # Step 4: Web-Check deep scan (ports, DNS, blocklists)
-    WEB_CHECK_BASE = "http://localhost:3000/api"
-    webcheck = {}
-    for endpoint in ["ports", "dns", "block-lists"]:
-        try:
-            wc_resp = requests.get(f"{WEB_CHECK_BASE}/{endpoint}?url={ip}", timeout=15)
-            if wc_resp.status_code == 200:
-                webcheck[endpoint.replace("-", "_")] = wc_resp.json()
-        except Exception:
-            pass
-    result["webcheck"] = webcheck
     result["log_count"] = len(ip_logs)
     return jsonify(result)