Add fail2ban log viewer and service health to Config page

Task 2: adds a new Log tab to the Configuration page.

Backend:
- New Pydantic models: Fail2BanLogResponse, ServiceStatusResponse
  (backend/app/models/config.py)
- New service methods in config_service.py:
    read_fail2ban_log() — queries socket for log target/level, validates the
    resolved path against a safe-prefix allowlist (/var/log) to prevent
    path traversal, then reads the tail of the file via the existing
    _read_tail_lines() helper; optional substring filter applied server-side.
    get_service_status() — delegates to health_service.probe() and appends
    log level/target from the socket.
- New endpoints in routers/config.py:
    GET /api/config/fail2ban-log?lines=200&filter=...
    GET /api/config/service-status
  Both require authentication; log endpoint returns 400 for non-file log
  targets or path-traversal attempts, 502 when fail2ban is unreachable.

Frontend:
- New LogTab.tsx component:
    Service Health panel (Running/Offline badge, version, jail count, bans,
    failures, log level/target, offline warning banner).
    Log viewer with color-coded lines (error=red, warning=yellow,
    debug=grey), toolbar (filter input + debounce, lines selector, manual
    refresh, auto-refresh with interval selector), truncation notice, and
    auto-scroll to bottom on data updates.
  fetchData uses Promise.allSettled so a log-read failure never hides the
  service-health panel.
- Types: Fail2BanLogResponse, ServiceStatusResponse (types/config.ts)
- API functions: fetchFail2BanLog, fetchServiceStatus (api/config.ts)
- Endpoint constants (api/endpoints.ts)
- ConfigPage.tsx: Log tab added after existing tabs

Tests:
- Backend service tests: TestReadFail2BanLog (6), TestGetServiceStatus (2)
- Backend router tests: TestGetFail2BanLog (8), TestGetServiceStatus (3)
- Frontend: LogTab.test.tsx (8 tests)

Docs:
- Features.md: Log section added under Configuration View
- Architekture.md: config.py router and config_service.py descriptions updated
- Tasks.md: Task 2 marked done

backend/app/models/config.py

@@ -860,3 +860,34 @@ class JailActivationResponse(BaseModel):
         description="New activation state: ``True`` after activate, ``False`` after deactivate.",
     )
     message: str = Field(..., description="Human-readable result message.")
+
+
+# ---------------------------------------------------------------------------
+# fail2ban log viewer models
+# ---------------------------------------------------------------------------
+
+
+class Fail2BanLogResponse(BaseModel):
+    """Response for ``GET /api/config/fail2ban-log``."""
+
+    model_config = ConfigDict(strict=True)
+
+    log_path: str = Field(..., description="Resolved absolute path of the log file being read.")
+    lines: list[str] = Field(default_factory=list, description="Log lines returned (tail, optionally filtered).")
+    total_lines: int = Field(..., ge=0, description="Total number of lines in the file before filtering.")
+    log_level: str = Field(..., description="Current fail2ban log level.")
+    log_target: str = Field(..., description="Current fail2ban log target (file path or special value).")
+
+
+class ServiceStatusResponse(BaseModel):
+    """Response for ``GET /api/config/service-status``."""
+
+    model_config = ConfigDict(strict=True)
+
+    online: bool = Field(..., description="Whether fail2ban is reachable via its socket.")
+    version: str | None = Field(default=None, description="fail2ban version string, or None when offline.")
+    jail_count: int = Field(default=0, ge=0, description="Number of currently active jails.")
+    total_bans: int = Field(default=0, ge=0, description="Aggregated current ban count across all jails.")
+    total_failures: int = Field(default=0, ge=0, description="Aggregated current failure count across all jails.")
+    log_level: str = Field(default="UNKNOWN", description="Current fail2ban log level.")
+    log_target: str = Field(default="UNKNOWN", description="Current fail2ban log target.")