From bc04c51b29ceb5be41bd2893dc50137abd4c47c0 Mon Sep 17 00:00:00 2001
From: BadgerOps <github@badgerops.net>
Date: Thu, 11 Jun 2026 18:53:45 -0600
Subject: [PATCH] Polish topology evidence actions

---
 agent/CHANGELOG.md                            |   4 +
 agent/README.md                               |   2 +
 agent/VERSION                                 |   2 +-
 agent/grapheon_agent.py                       |  27 ++-
 agent/tests/test_grapheon_agent.py            |  58 +++++-
 backend/CHANGELOG.md                          |   4 +
 backend/VERSION                               |   2 +-
 backend/network/edges.py                      |  89 ++++++---
 backend/tests/test_agents.py                  |  42 +++++
 docs/agents.md                                |   2 +
 frontend/CHANGELOG.md                         |   5 +
 frontend/package-lock.json                    |   4 +-
 frontend/package.json                         |   2 +-
 .../src/components/CytoscapeNetworkMap.jsx    | 129 ++++++++++++-
 frontend/src/pages/Map.jsx                    | 177 +++++++++++++++++-
 15 files changed, 500 insertions(+), 49 deletions(-)

diff --git a/agent/CHANGELOG.md b/agent/CHANGELOG.md
index 79714d2..96019ea 100644
--- a/agent/CHANGELOG.md
+++ b/agent/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to the Graphēon passive agent will be documented in this fi
 
 The format is based on Keep a Changelog, and this project follows Semantic Versioning.
 
+## 0.17.0 - 2026-06-12
+### Fixed
+- **Passive capture parser hardening**: improved CDP management-address TLV parsing and DHCPv6 delegated-prefix parsing, with additional vendor-shaped LLDP, CDP, DHCPv6, and mDNS fixture coverage.
+
 ## 0.16.0 - 2026-06-11
 ### Added
 - **Richer passive capture parsing**: tcpdump evidence now preserves VLAN IDs, extended LLDP/CDP details, DHCPv4/DHCPv6 options, IPv6 RA prefixes/DNS/MTU hints, DNS PTR/CNAME/SRV/SVCB/HTTPS records, NBNS names, SSDP and WS-Discovery labels, STP/LACP neighbor hints, HSRP/VRRP/CARP gateway hints, OSPF/RIP/EIGRP/BGP map hints, and aggregated optional flow counters.
diff --git a/agent/README.md b/agent/README.md
index 4227db3..fce42a6 100644
--- a/agent/README.md
+++ b/agent/README.md
@@ -105,6 +105,8 @@ The parser preserves VLAN IDs, LLDP/CDP capabilities and platform details, DHCP
 
 Service and discovery display names can contain characters that are not valid in Graphēon's hostname-like `name` field. The agent sends a schema-safe top-level label for those records and preserves the original value in `metadata.raw_name`.
 
+The capture parser has fixture coverage for vendor-shaped LLDP/CDP management-address records, DHCPv6 delegated prefixes, and mDNS service instances with display names. These fixtures are synthetic pcaps and do not require real tcpdump during tests.
+
 Topology evidence records support `l2_neighbor`, `switch_port_attachment`, `mac_ip_binding`, `dhcp_lease`, `dns_name`, `route`, `flow_relationship`, and `network_segment` evidence types. They are map enrichment data, not security alerts or active scans.
 
 Versioned install helpers:
diff --git a/agent/VERSION b/agent/VERSION
index 04a373e..c5523bd 100644
--- a/agent/VERSION
+++ b/agent/VERSION
@@ -1 +1 @@
-0.16.0
+0.17.0
diff --git a/agent/grapheon_agent.py b/agent/grapheon_agent.py
index e901535..4a486c4 100644
--- a/agent/grapheon_agent.py
+++ b/agent/grapheon_agent.py
@@ -932,10 +932,25 @@ def parse_cdp_frame(frame: bytes, interface: Optional[str] = None) -> Optional[d
             metadata["native_vlan"] = vlan_id
         elif tlv_type == 0x000b and value:
             metadata["duplex"] = "full" if value[-1] else "half"
-        elif tlv_type == 0x0002 and len(value) >= 17:
-            protocol_type = value[8] if len(value) > 8 else None
-            if protocol_type == 0xCC and len(value) >= 17:
-                record["management_ip"] = ".".join(str(byte) for byte in value[-4:])
+        elif tlv_type == 0x0002 and len(value) >= 4:
+            address_count = int.from_bytes(value[:4], "big")
+            address_offset = 4
+            for _ in range(address_count):
+                if address_offset + 4 > len(value):
+                    break
+                protocol_type = value[address_offset]
+                protocol_len = value[address_offset + 1]
+                protocol = value[address_offset + 2 : address_offset + 2 + protocol_len]
+                address_offset += 2 + protocol_len
+                if address_offset + 2 > len(value):
+                    break
+                address_len = int.from_bytes(value[address_offset : address_offset + 2], "big")
+                address_offset += 2
+                address = value[address_offset : address_offset + address_len]
+                address_offset += address_len
+                if protocol_type == 1 and protocol == b"\xcc" and address_len == 4 and len(address) == 4:
+                    record["management_ip"] = str(ip_address(address))
+                    break
     merge_metadata(record, **metadata)
     if record.get("system_name") or record.get("port_id") or record.get("management_ip"):
         return {key: value for key, value in record.items() if value is not None}
@@ -1321,8 +1336,8 @@ def parse_dhcpv6_evidence(
                         }
                     )
                 elif sub_code == 26 and len(sub_value) >= 25:
-                    prefix_len = sub_value[24]
-                    prefix_ip = ip_address(sub_value[25:41]) if len(sub_value) >= 41 else None
+                    prefix_len = sub_value[8]
+                    prefix_ip = ip_address(sub_value[9:25])
                     if prefix_ip:
                         prefixes.append(
                             {
diff --git a/agent/tests/test_grapheon_agent.py b/agent/tests/test_grapheon_agent.py
index 4375295..eb4aa01 100644
--- a/agent/tests/test_grapheon_agent.py
+++ b/agent/tests/test_grapheon_agent.py
@@ -186,6 +186,19 @@ def _dns_ptr_response(name: str, target: str) -> bytes:
     return b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + qname + b"\x00\x0c\x00\x01" + answer
 
 
+def _dns_srv_response(name: str, target: str, port: int) -> bytes:
+    qname = _dns_name(name)
+    rdata = b"\x00\x00\x00\x05" + port.to_bytes(2, "big") + _dns_name(target)
+    answer = (
+        b"\xc0\x0c"
+        + b"\x00\x21\x00\x01"
+        + b"\x00\x00\x00\x3c"
+        + len(rdata).to_bytes(2, "big")
+        + rdata
+    )
+    return b"\x12\x36\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + qname + b"\x00\x21\x00\x01" + answer
+
+
 def _dns_misc_response() -> bytes:
     qname = _dns_name("2.0.0.10.in-addr.arpa")
     ptr = (
@@ -276,10 +289,13 @@ def _dhcpv6_reply() -> bytes:
     duid = b"\x00\x03\x00\x01" + bytes.fromhex("aabbccddee03")
     iaaddr = ipaddress.ip_address("2001:db8::50").packed + b"\x00\x00\x0e\x10\x00\x00\x1c\x20"
     ia_na = b"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" + b"\x00\x05" + len(iaaddr).to_bytes(2, "big") + iaaddr
+    iaprefix = b"\x00\x00\x0e\x10\x00\x00\x1c\x20\x38" + ipaddress.ip_address("2001:db8:1200::").packed
+    ia_pd = b"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" + b"\x00\x1a" + len(iaprefix).to_bytes(2, "big") + iaprefix
     return (
         b"\x07\x12\x34\x56"
         + b"\x00\x01" + len(duid).to_bytes(2, "big") + duid
         + b"\x00\x03" + len(ia_na).to_bytes(2, "big") + ia_na
+        + b"\x00\x19" + len(ia_pd).to_bytes(2, "big") + ia_pd
         + b"\x00\x17\x00\x10" + ipaddress.ip_address("2001:db8::53").packed
         + b"\x00\x18" + len(_dns_name("example.local")).to_bytes(2, "big") + _dns_name("example.local")
         + b"\x00\x27\x00\x0b\x00lease-host"
@@ -516,6 +532,8 @@ def test_parse_dns_evidence_sanitizes_service_instance_names():
 
 
 def test_parse_pcap_topology_evidence_extracts_lldp_and_cdp(tmp_path):
+    import ipaddress
+
     lldp_payload = b"".join(
         [
             _lldp_tlv(1, b"\x04\x00\x11\x22\x33\x44\x55"),
@@ -529,9 +547,25 @@ def test_parse_pcap_topology_evidence_extracts_lldp_and_cdp(tmp_path):
             _lldp_tlv(0, b""),
         ]
     )
+    lldp_ipv6_payload = b"".join(
+        [
+            _lldp_tlv(1, b"\x04\x00\x11\x22\x33\x44\x66"),
+            _lldp_tlv(2, b"\x05Te1/0/49"),
+            _lldp_tlv(5, b"switch-ipv6"),
+            _lldp_tlv(8, b"\x11\x02" + ipaddress.ip_address("2001:db8::2").packed + b"\x02\x00\x00"),
+            _lldp_tlv(0, b""),
+        ]
+    )
+    cdp_address = (
+        b"\x00\x00\x00\x01"
+        + b"\x01\x01\xcc"
+        + b"\x00\x04"
+        + bytes([10, 0, 0, 254])
+    )
     cdp_payload = (
         bytes.fromhex("01000000")
         + _cdp_tlv(0x0001, b"router01")
+        + _cdp_tlv(0x0002, cdp_address)
         + _cdp_tlv(0x0003, b"Eth1/1")
         + _cdp_tlv(0x0004, b"\x00\x00\x00\x09")
         + _cdp_tlv(0x0005, b"IOS-XE")
@@ -553,6 +587,11 @@ def test_parse_pcap_topology_evidence_extracts_lldp_and_cdp(tmp_path):
             ether_type=0x88CC,
             dst=bytes.fromhex("0180c200000e"),
         ),
+        _ether(
+            lldp_ipv6_payload,
+            ether_type=0x88CC,
+            dst=bytes.fromhex("0180c200000e"),
+        ),
         cdp_frame,
     )
 
@@ -573,6 +612,7 @@ def test_parse_pcap_topology_evidence_extracts_lldp_and_cdp(tmp_path):
         item["evidence_type"] == "l2_neighbor"
         and item["source"] == "cdp"
         and item["system_name"] == "router01"
+        and item["management_ip"] == "10.0.0.254"
         and item["port_id"] == "Eth1/1"
         and item["vlan_id"] == 20
         and item["metadata"]["platform"] == "C9300"
@@ -580,12 +620,20 @@ def test_parse_pcap_topology_evidence_extracts_lldp_and_cdp(tmp_path):
         and item["metadata"]["duplex"] == "full"
         for item in evidence
     )
+    assert any(
+        item["evidence_type"] == "l2_neighbor"
+        and item["source"] == "lldp"
+        and item["system_name"] == "switch-ipv6"
+        and item["management_ip"] == "2001:db8::2"
+        for item in evidence
+    )
 
 
 def test_parse_pcap_topology_evidence_enriches_dns_nbns_and_discovery(tmp_path):
     pcap_path = _write_pcap(
         tmp_path,
         _ether(_ipv4_udp("10.0.0.53", "10.0.0.2", 53, 53000, _dns_misc_response())),
+        _ether(_ipv4_udp("10.0.0.20", "224.0.0.251", 5353, 5353, _dns_srv_response("EPSON ET-16600 Series._smb._tcp.local", "epson.local", 445))),
         _ether(_ipv4_udp("10.0.0.10", "10.0.0.255", 137, 137, _nbns_response("WORKSTATION", "10.0.0.10"))),
         _ether(_ipv4_udp("10.0.0.20", "239.255.255.250", 1900, 1900, b"NOTIFY * HTTP/1.1\r\nUSN: uuid:device-1\r\nLOCATION: http://10.0.0.20/root.xml\r\nST: upnp:rootdevice\r\n\r\n")),
         _ether(_ipv4_udp("10.0.0.30", "239.255.255.250", 3702, 3702, b"<Envelope><ProbeMatch><a:Address>urn:uuid:printer-1</a:Address><d:Types>dn:Printer</d:Types><d:XAddrs>http://10.0.0.30/wsd</d:XAddrs></ProbeMatch></Envelope>")),
@@ -596,6 +644,13 @@ def test_parse_pcap_topology_evidence_enriches_dns_nbns_and_discovery(tmp_path):
     assert any(item["source"] == "dns" and item["name"] == "host.local" and item["ip_address"] == "10.0.0.2" for item in evidence)
     assert any(item["source"] == "dns" and item["name"] == "_printer._tcp.local" and item["metadata"]["service_port"] == 9100 for item in evidence)
     assert any(item["source"] == "dns" and item["metadata"].get("record_kind") == "https" for item in evidence)
+    assert any(
+        item["source"] == "mdns"
+        and item["name"] == "EPSON_ET-16600_Series._smb._tcp.local"
+        and item["metadata"]["raw_name"] == "EPSON ET-16600 Series._smb._tcp.local"
+        and item["metadata"]["service_port"] == 445
+        for item in evidence
+    )
     assert any(item["source"] == "nbns" and item["name"] == "WORKSTATION" and item["ip_address"] == "10.0.0.10" for item in evidence)
     assert any(item["source"] == "ssdp" and item["metadata"]["location"] == "http://10.0.0.20/root.xml" for item in evidence)
     assert any(item["source"] == "wsd" and item["metadata"]["types"] == "dn:Printer" for item in evidence)
@@ -617,7 +672,8 @@ def test_parse_pcap_topology_evidence_enriches_dhcpv4_dhcpv6_and_ra(tmp_path):
     assert dhcpv4["metadata"]["dns_servers"] == ["10.0.0.53", "10.0.0.54"]
     assert dhcpv4["metadata"]["lease_time_seconds"] == 3600
 
-    assert any(item["source"] == "dhcpv6" and item["ip_address"] == "2001:db8::50" and item["hostname"] == "lease-host" for item in evidence)
+    assert any(item["source"] == "dhcpv6" and item.get("ip_address") == "2001:db8::50" and item["hostname"] == "lease-host" for item in evidence)
+    assert any(item["source"] == "dhcpv6" and item.get("network") == "2001:db8:1200::/56" for item in evidence)
     assert any(item["evidence_type"] == "network_segment" and item["network"] == "2001:db8:1::/64" for item in evidence)
     ra_route = next(item for item in evidence if item["evidence_type"] == "route" and item["gateway"] == "fe80::1")
     assert ra_route["metadata"]["mtu"] == 1500
diff --git a/backend/CHANGELOG.md b/backend/CHANGELOG.md
index 27fe994..4eac4d7 100644
--- a/backend/CHANGELOG.md
+++ b/backend/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on Keep a Changelog, and this project follows Semantic Versi
 
 Versioning policy: do not use `Unreleased` changelog sections. Every behavior change, bug fix, hardening change, or notable test addition must be recorded under a concrete SemVer version. Bump patch versions for bug fixes and minor versions for new behavior or API/UI changes.
 
+## 0.19.0 - 2026-06-12
+### Added
+- **Historical topology evidence metadata**: Network Map relationship evidence now includes current/stale state, stale and removed timestamps, observation IDs, raw payload summaries, and host endpoint hints so the UI can expose history and promotion actions.
+
 ## 0.18.0 - 2026-06-11
 ### Added
 - **Passive topology evidence ingest**: agent check-ins now accept normalized `topology_evidence` records for L2 neighbors, switch-port attachments, MAC/IP bindings, DHCP leases, DNS names, routes, flow relationships, and network segments.
diff --git a/backend/VERSION b/backend/VERSION
index 6633391..1cf0537 100644
--- a/backend/VERSION
+++ b/backend/VERSION
@@ -1 +1 @@
-0.18.0
+0.19.0
diff --git a/backend/network/edges.py b/backend/network/edges.py
index 2cf8df7..c4a614f 100644
--- a/backend/network/edges.py
+++ b/backend/network/edges.py
@@ -524,6 +524,43 @@ def add_agent_topology_edges(
                 }
             )
 
+    def evidence_record(
+        observation: Any,
+        *,
+        source_host_id: int | None = None,
+        target_host_id: int | None = None,
+    ) -> dict[str, Any]:
+        payload = observation.payload or {}
+        record = {
+            "source": payload.get("source") or "agent",
+            "observer": payload.get("observer"),
+            "observer_agent_id": observation.agent_id,
+            "confidence": observation.confidence,
+            "first_seen": observation.first_seen_at.isoformat()
+            if observation.first_seen_at
+            else None,
+            "last_seen": observation.last_seen_at.isoformat()
+            if observation.last_seen_at
+            else None,
+            "stale_at": observation.stale_at.isoformat()
+            if observation.stale_at
+            else None,
+            "removed_at": observation.removed_at.isoformat()
+            if observation.removed_at
+            else None,
+            "is_current": observation.is_current,
+            "evidence_type": observation.relationship_type,
+            "summary": _topology_edge_summary(payload),
+            "raw_ref": payload.get("raw_ref"),
+            "agent_observation_id": observation.id,
+            "payload": payload,
+        }
+        if source_host_id is not None:
+            record["source_host_id"] = source_host_id
+        if target_host_id is not None:
+            record["target_host_id"] = target_host_id
+        return record
+
     def add_edge(
         source: str,
         target: str,
@@ -537,6 +574,8 @@ def add_edge(
         if edge_id in edge_ids:
             return
         edge_ids.add(edge_id)
+        source_host_id = int(source) if str(source).isdigit() else None
+        target_host_id = int(target) if str(target).isdigit() else None
         edges.append(
             {
                 "data": {
@@ -558,22 +597,20 @@ def add_edge(
                     "last_seen_at": observation.last_seen_at.isoformat()
                     if observation.last_seen_at
                     else None,
+                    "stale_at": observation.stale_at.isoformat()
+                    if observation.stale_at
+                    else None,
+                    "removed_at": observation.removed_at.isoformat()
+                    if observation.removed_at
+                    else None,
+                    "is_current": observation.is_current,
                     "relationship_key": observation.relationship_key,
                     "topology_evidence": [
-                        {
-                            "source": (observation.payload or {}).get("source") or "agent",
-                            "observer": (observation.payload or {}).get("observer"),
-                            "confidence": observation.confidence,
-                            "first_seen": observation.first_seen_at.isoformat()
-                            if observation.first_seen_at
-                            else None,
-                            "last_seen": observation.last_seen_at.isoformat()
-                            if observation.last_seen_at
-                            else None,
-                            "evidence_type": observation.relationship_type,
-                            "summary": _topology_edge_summary(observation.payload or {}),
-                            "raw_ref": (observation.payload or {}).get("raw_ref"),
-                        }
+                        evidence_record(
+                            observation,
+                            source_host_id=source_host_id,
+                            target_host_id=target_host_id,
+                        )
                     ],
                     "tooltip": tooltip,
                 }
@@ -610,22 +647,14 @@ def ensure_evidence_node(
                     "source_type": payload.get("source") or "agent",
                     "observer_agent_id": observation.agent_id,
                     "agent_observation_id": observation.id,
-                    "topology_evidence": [
-                        {
-                            "source": payload.get("source") or "agent",
-                            "observer": payload.get("observer"),
-                            "confidence": observation.confidence,
-                            "first_seen": observation.first_seen_at.isoformat()
-                            if observation.first_seen_at
-                            else None,
-                            "last_seen": observation.last_seen_at.isoformat()
-                            if observation.last_seen_at
-                            else None,
-                            "evidence_type": observation.relationship_type,
-                            "summary": _topology_edge_summary(payload),
-                            "raw_ref": payload.get("raw_ref"),
-                        }
-                    ],
+                    "is_current": observation.is_current,
+                    "stale_at": observation.stale_at.isoformat()
+                    if observation.stale_at
+                    else None,
+                    "removed_at": observation.removed_at.isoformat()
+                    if observation.removed_at
+                    else None,
+                    "topology_evidence": [evidence_record(observation)],
                     "tooltip": tooltip_from_payload(payload, label),
                 }
             }
diff --git a/backend/tests/test_agents.py b/backend/tests/test_agents.py
index 9666dda..e8a1382 100644
--- a/backend/tests/test_agents.py
+++ b/backend/tests/test_agents.py
@@ -873,6 +873,48 @@ async def test_topology_evidence_checkin_feeds_evidence_api_and_map_layers(
             for edge in map_data["elements"]["edges"]
             if edge["data"].get("relationship_type") == "dns_name"
         )
+        dns_edge = next(
+            edge
+            for edge in map_data["elements"]["edges"]
+            if edge["data"].get("relationship_type") == "dns_name"
+        )
+        dns_evidence = dns_edge["data"]["topology_evidence"][0]
+        assert dns_evidence["is_current"] is True
+        assert dns_evidence["agent_observation_id"] == dns_edge["data"]["agent_observation_id"]
+        assert dns_evidence["source_host_id"] or dns_evidence["target_host_id"]
+        assert dns_evidence["payload"]["name"] == "printer-40.example.test"
+
+        stale_payload = _checkin_payload(
+            "agent-topology-evidence-001",
+            observed_at="2026-03-22T22:10:00Z",
+        )
+        stale_payload["sequence_number"] = 2
+        stale_payload["addresses"] = payload["addresses"]
+        stale_payload["topology_evidence"] = []
+        stale_response = await _post_checkin(async_client, api_key, stale_payload)
+        assert stale_response.status_code == 200
+        assert stale_response.json()["summary"]["observations_stale"] == 8
+
+        historical_map_response = await async_client.get(
+            "/api/network/map",
+            params=[
+                ("observed_by_agent_id", str(agent_id)),
+                ("relationship_types", "dns_name"),
+                ("include_historical_evidence", "true"),
+            ],
+            headers=admin_headers,
+        )
+        assert historical_map_response.status_code == 200
+        historical_edges = [
+            edge
+            for edge in historical_map_response.json()["elements"]["edges"]
+            if edge["data"].get("relationship_type") == "dns_name"
+        ]
+        assert historical_edges
+        assert historical_edges[0]["data"]["is_current"] is False
+        assert historical_edges[0]["data"]["stale_at"] is not None
+        assert historical_edges[0]["data"]["topology_evidence"][0]["is_current"] is False
+        assert historical_edges[0]["data"]["topology_evidence"][0]["stale_at"] is not None
 
     @pytest.mark.asyncio
     async def test_on_demand_collection_request_is_polled_and_fulfilled(
diff --git a/docs/agents.md b/docs/agents.md
index 8b0a077..1df898c 100644
--- a/docs/agents.md
+++ b/docs/agents.md
@@ -114,6 +114,8 @@ On-demand requests can include `passive_capture` options with `enabled`, `durati
 
 The passive tcpdump parser is map-focused. It extracts VLAN IDs, LLDP/CDP metadata, DHCPv4/DHCPv6 lease and option hints, IPv6 router-advertisement prefixes and DNS options, DNS/mDNS/LLMNR/NBNS names, SSDP and WS-Discovery service labels, STP/LACP L2 hints, HSRP/VRRP/CARP gateway hints, visible OSPF/RIP/EIGRP/BGP routing hints, and aggregated optional flow headers. It does not parse TLS SNI, HTTP Host, QUIC SNI, Kerberos, LDAP, or SMB names.
 
+Network Map evidence can be inspected as current-only by default or with historical/stale evidence included. Selecting evidence-backed map elements shows the source, observer, confidence, current/stale state, timestamps, and map summary. Operators can promote selected DNS evidence to a hostname, attach a selected host to an existing device identity, mark a selected network segment as expected, or ignore a noisy evidence source/observer for the current map view without deleting stored evidence.
+
 ## Report Model
 
 The ingest endpoint expects a normalized JSON payload. The current host-side runtime converts local command output into that schema and sends gzip-compressed reports.
diff --git a/frontend/CHANGELOG.md b/frontend/CHANGELOG.md
index 0bb0d87..0291707 100644
--- a/frontend/CHANGELOG.md
+++ b/frontend/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on Keep a Changelog, and this project follows Semantic Versi
 
 Versioning policy: do not use `Unreleased` changelog sections. Every behavior change, bug fix, hardening change, or notable test addition must be recorded under a concrete SemVer version. Bump patch versions for bug fixes and minor versions for new behavior or API/UI changes.
 
+## 0.18.0 - 2026-06-12
+### Added
+- **Topology evidence promotion actions**: selected evidence can now promote DNS names to hostnames, attach hosts to existing device identities, mark selected segments as expected network groups, and ignore noisy sources or observers for the current map view.
+- **Stale evidence visibility**: Network Map filters now include an opt-in historical evidence toggle, and selected evidence displays current/stale status plus stale/removed timestamps.
+
 ## 0.17.0 - 2026-06-11
 ### Added
 - **Topology evidence layers**: Network Map filters now include Physical/L2, Routes/Gateways, DHCP identity, DNS names, Flow relationships, Agent observer topology, and Manual/saved network group layer controls.
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index ffec410..cb570ce 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "grapheon-frontend",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "grapheon-frontend",
-      "version": "0.17.0",
+      "version": "0.18.0",
       "dependencies": {
         "@isoflow/isopacks": "^0.0.10",
         "cytoscape": "^3.33.1",
diff --git a/frontend/package.json b/frontend/package.json
index 3c81ab0..bb8a673 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "grapheon-frontend",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "type": "module",
   "scripts": {
     "dev": "vite",
diff --git a/frontend/src/components/CytoscapeNetworkMap.jsx b/frontend/src/components/CytoscapeNetworkMap.jsx
index 9f01494..bd760b4 100644
--- a/frontend/src/components/CytoscapeNetworkMap.jsx
+++ b/frontend/src/components/CytoscapeNetworkMap.jsx
@@ -30,6 +30,12 @@ export default function CytoscapeNetworkMap({
   onNodeClick,
   onCyReady,
   loading = false,
+  deviceIdentities = [],
+  onUseHostname,
+  onAttachToDevice,
+  onIgnoreEvidenceSource,
+  onIgnoreObserver,
+  onMarkExpected,
 }) {
   const containerRef = useRef(null)
   const cyRef = useRef(null)
@@ -42,6 +48,7 @@ export default function CytoscapeNetworkMap({
   const [showLegend, setShowLegend] = useState(true)
   const [isFullscreen, setIsFullscreen] = useState(false)
   const [showExportMenu, setShowExportMenu] = useState(false)
+  const [selectedDeviceId, setSelectedDeviceId] = useState('')
   const exportMenuRef = useRef(null)
 
   // Watch for theme changes
@@ -98,6 +105,7 @@ export default function CytoscapeNetworkMap({
   // Clear selectedNode when elements change
   useEffect(() => {
     setSelectedElement(null)
+    setSelectedDeviceId('')
   }, [elements])
 
   // ── Initialize Cytoscape ──────────────────────────────────────
@@ -273,6 +281,33 @@ export default function CytoscapeNetworkMap({
   const hasElements = (elements.nodes || []).length > 0
   const selectedData = selectedElement?.data
   const selectedEvidence = selectedData?.topology_evidence || []
+  const primaryEvidence = selectedEvidence[0] || null
+  const selectedHostId = (() => {
+    if (!selectedData) return null
+    if (selectedElement?.kind === 'node' && selectedData.type === 'host' && String(selectedData.id || '').match(/^\d+$/)) {
+      return Number(selectedData.id)
+    }
+    const evidenceHostId = primaryEvidence?.source_host_id || primaryEvidence?.target_host_id
+    if (evidenceHostId) return Number(evidenceHostId)
+    if (selectedElement?.kind === 'edge') {
+      if (String(selectedData.source || '').match(/^\d+$/)) return Number(selectedData.source)
+      if (String(selectedData.target || '').match(/^\d+$/)) return Number(selectedData.target)
+    }
+    return null
+  })()
+  const hostnameCandidate = (() => {
+    const payload = primaryEvidence?.payload || {}
+    if ((primaryEvidence?.evidence_type || selectedData?.relationship_type) !== 'dns_name') return ''
+    return payload.name || payload.hostname || payload.fqdn || ''
+  })()
+  const expectedNetworkCandidate = (() => {
+    const payload = primaryEvidence?.payload || {}
+    return payload.network || selectedData?.subnet_cidr || selectedData?.network || ''
+  })()
+  const expectedLabelCandidate = (() => {
+    const payload = primaryEvidence?.payload || {}
+    return payload.label || selectedData?.label || expectedNetworkCandidate
+  })()
 
   return (
     <div className="relative h-full">
@@ -501,14 +536,32 @@ export default function CytoscapeNetworkMap({
                 <p className="mb-2 text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Topology Evidence</p>
                 <div className="space-y-2">
                   {selectedEvidence.slice(0, 4).map((evidence, idx) => (
-                    <div key={`${evidence.evidence_type || 'evidence'}-${idx}`} className="rounded border border-gray-200 p-2 text-xs dark:border-gray-700">
-                      <p className="font-medium text-gray-700 dark:text-gray-200">{evidence.evidence_type || 'evidence'}</p>
+                    <div
+                      key={`${evidence.evidence_type || 'evidence'}-${idx}`}
+                      className={`rounded border p-2 text-xs ${
+                        evidence.is_current === false
+                          ? 'border-amber-200 bg-amber-50 text-amber-900 dark:border-amber-800 dark:bg-amber-900/20 dark:text-amber-100'
+                          : 'border-gray-200 dark:border-gray-700'
+                      }`}
+                    >
+                      <div className="flex items-center justify-between gap-2">
+                        <p className="font-medium text-gray-700 dark:text-gray-200">{evidence.evidence_type || 'evidence'}</p>
+                        <span className={`rounded px-1.5 py-0.5 text-[10px] font-semibold uppercase ${
+                          evidence.is_current === false
+                            ? 'bg-amber-100 text-amber-700 dark:bg-amber-800 dark:text-amber-100'
+                            : 'bg-emerald-50 text-emerald-700 dark:bg-emerald-900/30 dark:text-emerald-300'
+                        }`}>
+                          {evidence.is_current === false ? 'Stale' : 'Current'}
+                        </span>
+                      </div>
                       {evidence.summary && <p>{evidence.summary}</p>}
                       <p><span className="text-gray-500">Source:</span> {evidence.source || 'agent'}</p>
                       {evidence.observer && <p><span className="text-gray-500">Observer:</span> {evidence.observer}</p>}
                       <p><span className="text-gray-500">Confidence:</span> {evidence.confidence ?? selectedData.confidence ?? 0}%</p>
                       {evidence.first_seen && <p><span className="text-gray-500">First:</span> {new Date(evidence.first_seen).toLocaleString()}</p>}
                       {evidence.last_seen && <p><span className="text-gray-500">Last:</span> {new Date(evidence.last_seen).toLocaleString()}</p>}
+                      {evidence.stale_at && <p><span className="text-gray-500">Stale:</span> {new Date(evidence.stale_at).toLocaleString()}</p>}
+                      {evidence.removed_at && <p><span className="text-gray-500">Removed:</span> {new Date(evidence.removed_at).toLocaleString()}</p>}
                       {evidence.raw_ref && <p><span className="text-gray-500">Raw:</span> {evidence.raw_ref}</p>}
                     </div>
                   ))}
@@ -516,6 +569,78 @@ export default function CytoscapeNetworkMap({
               </div>
             )}
           </div>
+          {(hostnameCandidate || expectedNetworkCandidate || selectedHostId || primaryEvidence?.source || primaryEvidence?.observer_agent_id) && (
+            <div className="mt-3 border-t border-gray-200 pt-3 dark:border-gray-700">
+              <p className="mb-2 text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Actions</p>
+              <div className="space-y-2">
+                {selectedHostId && hostnameCandidate && onUseHostname && (
+                  <button
+                    type="button"
+                    onClick={() => onUseHostname({ hostId: selectedHostId, hostname: hostnameCandidate })}
+                    className="w-full rounded bg-blue-600 px-3 py-1.5 text-left text-xs font-medium text-white hover:bg-blue-700"
+                  >
+                    Use as hostname
+                  </button>
+                )}
+                {selectedHostId && onAttachToDevice && (
+                  <div className="grid grid-cols-[1fr_auto] gap-2">
+                    <select
+                      value={selectedDeviceId}
+                      onChange={(event) => setSelectedDeviceId(event.target.value)}
+                      className="rounded border border-gray-300 bg-white px-2 py-1 text-xs text-gray-800 dark:border-gray-600 dark:bg-gray-900 dark:text-gray-100"
+                    >
+                      <option value="">Device identity</option>
+                      {deviceIdentities.map(device => (
+                        <option key={device.id} value={device.id}>
+                          {device.name || `Device ${device.id}`} ({device.host_count || 0})
+                        </option>
+                      ))}
+                    </select>
+                    <button
+                      type="button"
+                      disabled={!selectedDeviceId}
+                      onClick={() => {
+                        onAttachToDevice({ hostId: selectedHostId, deviceId: Number(selectedDeviceId) })
+                        setSelectedDeviceId('')
+                      }}
+                      className="rounded bg-slate-700 px-2.5 py-1 text-xs font-medium text-white hover:bg-slate-800 disabled:cursor-not-allowed disabled:opacity-50"
+                    >
+                      Attach
+                    </button>
+                  </div>
+                )}
+                {expectedNetworkCandidate && onMarkExpected && (
+                  <button
+                    type="button"
+                    onClick={() => onMarkExpected({ cidr: expectedNetworkCandidate, label: expectedLabelCandidate })}
+                    className="w-full rounded bg-emerald-600 px-3 py-1.5 text-left text-xs font-medium text-white hover:bg-emerald-700"
+                  >
+                    Mark as expected
+                  </button>
+                )}
+                <div className="grid grid-cols-2 gap-2">
+                  {primaryEvidence?.source && onIgnoreEvidenceSource && (
+                    <button
+                      type="button"
+                      onClick={() => onIgnoreEvidenceSource(primaryEvidence.source)}
+                      className="rounded bg-amber-50 px-2.5 py-1.5 text-xs font-medium text-amber-700 hover:bg-amber-100 dark:bg-amber-900/20 dark:text-amber-300"
+                    >
+                      Ignore source
+                    </button>
+                  )}
+                  {primaryEvidence?.observer_agent_id && onIgnoreObserver && (
+                    <button
+                      type="button"
+                      onClick={() => onIgnoreObserver(primaryEvidence.observer_agent_id)}
+                      className="rounded bg-amber-50 px-2.5 py-1.5 text-xs font-medium text-amber-700 hover:bg-amber-100 dark:bg-amber-900/20 dark:text-amber-300"
+                    >
+                      Ignore observer
+                    </button>
+                  )}
+                </div>
+              </div>
+            </div>
+          )}
           {selectedElement.kind === 'node' && selectedData.id && !String(selectedData.id).includes('_') && (
             <button
               onClick={() => navigate(`/hosts/${selectedData.id}`)}
diff --git a/frontend/src/pages/Map.jsx b/frontend/src/pages/Map.jsx
index 81c0303..6d2208a 100644
--- a/frontend/src/pages/Map.jsx
+++ b/frontend/src/pages/Map.jsx
@@ -78,6 +78,9 @@ export default function Map() {
   const [relationshipTypes, setRelationshipTypes] = useState(DEFAULT_AGENT_RELATIONSHIPS)
   const [topologyLayers, setTopologyLayers] = useState(DEFAULT_TOPOLOGY_LAYERS)
   const [evidenceSources, setEvidenceSources] = useState([])
+  const [ignoredEvidenceSources, setIgnoredEvidenceSources] = useState([])
+  const [ignoredObserverAgentIds, setIgnoredObserverAgentIds] = useState([])
+  const [includeHistoricalEvidence, setIncludeHistoricalEvidence] = useState(false)
   const [minConfidence, setMinConfidence] = useState(0)
   const [includeCollectorNodes, setIncludeCollectorNodes] = useState(true)
   const [cidrHints, setCidrHints] = useState('')
@@ -90,6 +93,8 @@ export default function Map() {
   const [editingNetworkGroupId, setEditingNetworkGroupId] = useState(null)
   const [networkGroupDraft, setNetworkGroupDraft] = useState(null)
   const [promoteDrafts, setPromoteDrafts] = useState({})
+  const [deviceIdentities, setDeviceIdentities] = useState([])
+  const [mapActionMessage, setMapActionMessage] = useState('')
 
   // ── Cytoscape ref ───────────────────────────────────────────────
   const cyRef = useRef(null)
@@ -139,6 +144,9 @@ export default function Map() {
       if (evidenceSources.length > 0) {
         params.evidence_sources = evidenceSources
       }
+      if (includeHistoricalEvidence) {
+        params.include_historical_evidence = true
+      }
       if (minConfidence > 0) {
         params.min_confidence = minConfidence
       }
@@ -165,6 +173,7 @@ export default function Map() {
     observedByAgentId,
     activeRelationshipTypes,
     evidenceSources,
+    includeHistoricalEvidence,
     minConfidence,
     includeCollectorNodes,
     networkCidrHints,
@@ -212,6 +221,16 @@ export default function Map() {
     }
   }
 
+  const fetchDeviceIdentities = async () => {
+    try {
+      const data = await api.getDeviceIdentities({ limit: 1000, active_only: true })
+      setDeviceIdentities(data.items || [])
+    } catch (err) {
+      console.error('Failed to fetch device identities:', err)
+      setWarnings(prev => [...prev.filter(w => w.key !== 'device-identities'), { key: 'device-identities', msg: 'Could not load device identities' }])
+    }
+  }
+
   const fetchRoutes = async () => {
     try {
       const data = await api.getNetworkRoutes()
@@ -229,21 +248,47 @@ export default function Map() {
     fetchSubnets()
     fetchAgents()
     fetchNetworkGroups()
+    fetchDeviceIdentities()
   }, [fetchNetworkMap])
 
   useEffect(() => {
     if (showRoutes) fetchRoutes()
   }, [showRoutes])
 
+  const filteredElements = useMemo(() => {
+    if (ignoredEvidenceSources.length === 0 && ignoredObserverAgentIds.length === 0) {
+      return elements
+    }
+    const ignoredSources = new Set(ignoredEvidenceSources.map(source => source.toLowerCase()))
+    const ignoredObservers = new Set(ignoredObserverAgentIds.map(value => Number(value)))
+    const isIgnored = (item) => {
+      const data = item.data || {}
+      const evidence = data.topology_evidence || []
+      const sourceIgnored = evidence.some(record => ignoredSources.has(String(record.source || '').toLowerCase()))
+        || ignoredSources.has(String(data.source_type || '').toLowerCase())
+      const observerIgnored = evidence.some(record => ignoredObservers.has(Number(record.observer_agent_id)))
+        || ignoredObservers.has(Number(data.observer_agent_id))
+      return sourceIgnored || observerIgnored
+    }
+    const nodes = (elements.nodes || []).filter(node => !isIgnored(node))
+    const nodeIds = new Set(nodes.map(node => node.data?.id))
+    const edges = (elements.edges || []).filter(edge => (
+      !isIgnored(edge)
+      && nodeIds.has(edge.data?.source)
+      && nodeIds.has(edge.data?.target)
+    ))
+    return { nodes, edges }
+  }, [elements, ignoredEvidenceSources, ignoredObserverAgentIds])
+
   // ── Merge route edges into elements ─────────────────────────────
   const mergedElements = useMemo(() => {
     if (!showRoutes || !routeData.path_edges || routeData.path_edges.length === 0) {
-      return elements
+      return filteredElements
     }
 
     // Map IPs to host node IDs
     const ipToId = {}
-    ;(elements.nodes || []).forEach(node => {
+    ;(filteredElements.nodes || []).forEach(node => {
       if (node.data.ip) {
         ipToId[node.data.ip] = node.data.id
       }
@@ -270,10 +315,10 @@ export default function Map() {
       })
 
     return {
-      nodes: elements.nodes,
-      edges: [...(elements.edges || []), ...routeEdges],
+      nodes: filteredElements.nodes,
+      edges: [...(filteredElements.edges || []), ...routeEdges],
     }
-  }, [elements, routeData.path_edges, showRoutes])
+  }, [filteredElements, routeData.path_edges, showRoutes])
 
   // ── Client-side filter handlers ─────────────────────────────────
   const handleSearch = (query) => {
@@ -326,6 +371,9 @@ export default function Map() {
     setRelationshipTypes(DEFAULT_AGENT_RELATIONSHIPS)
     setTopologyLayers(DEFAULT_TOPOLOGY_LAYERS)
     setEvidenceSources([])
+    setIgnoredEvidenceSources([])
+    setIgnoredObserverAgentIds([])
+    setIncludeHistoricalEvidence(false)
     setMinConfidence(0)
     setIncludeCollectorNodes(true)
     setCidrHints('')
@@ -429,6 +477,76 @@ export default function Map() {
     }
   }
 
+  const handleUseHostname = async ({ hostId, hostname }) => {
+    if (!hostId || !hostname) return
+    setNetworkGroupError('')
+    setMapActionMessage('')
+    try {
+      await api.updateHost(hostId, {
+        hostname,
+        is_verified: true,
+      })
+      setMapActionMessage(`Saved hostname ${hostname}`)
+      await fetchNetworkMap()
+    } catch (err) {
+      setNetworkGroupError(err.message)
+    }
+  }
+
+  const handleAttachToDevice = async ({ hostId, deviceId }) => {
+    if (!hostId || !deviceId) return
+    setNetworkGroupError('')
+    setMapActionMessage('')
+    try {
+      await api.linkHostsToDevice(deviceId, [hostId])
+      setMapActionMessage('Attached host to device identity')
+      await fetchDeviceIdentities()
+      await fetchNetworkMap()
+    } catch (err) {
+      setNetworkGroupError(err.message)
+    }
+  }
+
+  const handleIgnoreEvidenceSource = (source) => {
+    if (!source) return
+    setIgnoredEvidenceSources(current => current.includes(source) ? current : [...current, source])
+    setMapActionMessage(`Ignored ${source.toUpperCase()} evidence in this view`)
+  }
+
+  const handleIgnoreObserver = (observerAgentId) => {
+    if (!observerAgentId) return
+    setIgnoredObserverAgentIds(current => current.includes(observerAgentId) ? current : [...current, observerAgentId])
+    setMapActionMessage(`Ignored observer ${observerAgentId} in this view`)
+  }
+
+  const handleMarkExpected = async ({ cidr, label }) => {
+    if (!cidr) return
+    setNetworkGroupError('')
+    setMapActionMessage('')
+    try {
+      const existing = networkGroups.find(group => group.cidr === cidr)
+      if (existing) {
+        await api.updateNetworkGroup(existing.id, {
+          is_expected: true,
+          is_hidden: false,
+          label: existing.label || label || null,
+        })
+      } else {
+        await api.createNetworkGroup({
+          cidr,
+          label: label || null,
+          is_expected: true,
+          is_hidden: false,
+        })
+      }
+      setMapActionMessage(`Marked ${cidr} as expected`)
+      await fetchNetworkGroups()
+      await fetchNetworkMap()
+    } catch (err) {
+      setNetworkGroupError(err.message)
+    }
+  }
+
   const handleNodeClick = useCallback(() => {}, [])
 
   const handleCyReady = useCallback((cy) => {
@@ -445,6 +563,9 @@ export default function Map() {
     || relationshipTypes.length !== DEFAULT_AGENT_RELATIONSHIPS.length
     || Object.keys(DEFAULT_TOPOLOGY_LAYERS).some(key => topologyLayers[key] !== DEFAULT_TOPOLOGY_LAYERS[key])
     || evidenceSources.length > 0
+    || ignoredEvidenceSources.length > 0
+    || ignoredObserverAgentIds.length > 0
+    || includeHistoricalEvidence
     || minConfidence > 0
     || !includeCollectorNodes
     || networkCidrHints.length > 0
@@ -693,8 +814,42 @@ export default function Map() {
                     className="input w-20"
                   />
                 </label>
+                <label className="flex items-center gap-2 text-sm text-gray-700 dark:text-gray-300">
+                  <input
+                    type="checkbox"
+                    checked={includeHistoricalEvidence}
+                    onChange={(e) => setIncludeHistoricalEvidence(e.target.checked)}
+                    className="rounded border-gray-300 text-blue-600 focus:ring-blue-500 dark:border-gray-600"
+                  />
+                  Historical
+                </label>
               </div>
             </div>
+            {(ignoredEvidenceSources.length > 0 || ignoredObserverAgentIds.length > 0) && (
+              <div className="mt-3 flex flex-wrap items-center gap-2">
+                <span className="text-xs font-medium uppercase tracking-wide text-gray-500 dark:text-gray-400">Ignored</span>
+                {ignoredEvidenceSources.map(source => (
+                  <button
+                    key={`source-${source}`}
+                    type="button"
+                    onClick={() => setIgnoredEvidenceSources(current => current.filter(item => item !== source))}
+                    className="rounded bg-amber-50 px-2.5 py-1 text-xs font-medium text-amber-700 hover:bg-amber-100 dark:bg-amber-900/20 dark:text-amber-300"
+                  >
+                    {source.toUpperCase()} x
+                  </button>
+                ))}
+                {ignoredObserverAgentIds.map(agentId => (
+                  <button
+                    key={`observer-${agentId}`}
+                    type="button"
+                    onClick={() => setIgnoredObserverAgentIds(current => current.filter(item => item !== agentId))}
+                    className="rounded bg-amber-50 px-2.5 py-1 text-xs font-medium text-amber-700 hover:bg-amber-100 dark:bg-amber-900/20 dark:text-amber-300"
+                  >
+                    Observer {agentId} x
+                  </button>
+                ))}
+              </div>
+            )}
           </div>
           <div className="mt-4 border-t border-gray-200 pt-4 dark:border-gray-700">
             <h3 className="text-sm font-semibold text-gray-700 dark:text-gray-300 mb-3">Topology Evidence Layers</h3>
@@ -916,6 +1071,12 @@ export default function Map() {
         </div>
       )}
 
+      {mapActionMessage && (
+        <div className="mb-4 rounded-lg border border-emerald-200 bg-emerald-50 px-3 py-2 text-sm text-emerald-700 dark:border-emerald-800 dark:bg-emerald-900/20 dark:text-emerald-300">
+          {mapActionMessage}
+        </div>
+      )}
+
       {/* Inline warnings for secondary fetch failures */}
       {warnings.length > 0 && (
         <div className="mb-4 flex flex-wrap gap-2">
@@ -994,6 +1155,12 @@ export default function Map() {
                 onNodeClick={handleNodeClick}
                 onCyReady={handleCyReady}
                 loading={loading}
+                deviceIdentities={deviceIdentities}
+                onUseHostname={handleUseHostname}
+                onAttachToDevice={handleAttachToDevice}
+                onIgnoreEvidenceSource={handleIgnoreEvidenceSource}
+                onIgnoreObserver={handleIgnoreObserver}
+                onMarkExpected={handleMarkExpected}
               />
             ) : (
               <IsoflowNetworkMap