Add fail2ban log viewer and service health to Config page

Task 2: adds a new Log tab to the Configuration page.

Backend:
- New Pydantic models: Fail2BanLogResponse, ServiceStatusResponse
  (backend/app/models/config.py)
- New service methods in config_service.py:
    read_fail2ban_log() — queries socket for log target/level, validates the
    resolved path against a safe-prefix allowlist (/var/log) to prevent
    path traversal, then reads the tail of the file via the existing
    _read_tail_lines() helper; optional substring filter applied server-side.
    get_service_status() — delegates to health_service.probe() and appends
    log level/target from the socket.
- New endpoints in routers/config.py:
    GET /api/config/fail2ban-log?lines=200&filter=...
    GET /api/config/service-status
  Both require authentication; log endpoint returns 400 for non-file log
  targets or path-traversal attempts, 502 when fail2ban is unreachable.

Frontend:
- New LogTab.tsx component:
    Service Health panel (Running/Offline badge, version, jail count, bans,
    failures, log level/target, offline warning banner).
    Log viewer with color-coded lines (error=red, warning=yellow,
    debug=grey), toolbar (filter input + debounce, lines selector, manual
    refresh, auto-refresh with interval selector), truncation notice, and
    auto-scroll to bottom on data updates.
  fetchData uses Promise.allSettled so a log-read failure never hides the
  service-health panel.
- Types: Fail2BanLogResponse, ServiceStatusResponse (types/config.ts)
- API functions: fetchFail2BanLog, fetchServiceStatus (api/config.ts)
- Endpoint constants (api/endpoints.ts)
- ConfigPage.tsx: Log tab added after existing tabs

Tests:
- Backend service tests: TestReadFail2BanLog (6), TestGetServiceStatus (2)
- Backend router tests: TestGetFail2BanLog (8), TestGetServiceStatus (3)
- Frontend: LogTab.test.tsx (8 tests)

Docs:
- Features.md: Log section added under Configuration View
- Architekture.md: config.py router and config_service.py descriptions updated
- Tasks.md: Task 2 marked done

backend/tests/test_routers/test_config.py

@@ -13,12 +13,14 @@ from app.config import Settings
 from app.db import init_db
 from app.main import create_app
 from app.models.config import (
+    Fail2BanLogResponse,
     FilterConfig,
     GlobalConfigResponse,
     JailConfig,
     JailConfigListResponse,
     JailConfigResponse,
     RegexTestResponse,
+    ServiceStatusResponse,
 )
 
 # ---------------------------------------------------------------------------
@@ -1711,3 +1713,164 @@ class TestRemoveActionFromJailRouter:
         ).delete("/api/config/jails/sshd/action/iptables")
         assert resp.status_code == 401
 
+
+# ---------------------------------------------------------------------------
+# GET /api/config/fail2ban-log
+# ---------------------------------------------------------------------------
+
+
+class TestGetFail2BanLog:
+    """Tests for ``GET /api/config/fail2ban-log``."""
+
+    def _mock_log_response(self) -> Fail2BanLogResponse:
+        return Fail2BanLogResponse(
+            log_path="/var/log/fail2ban.log",
+            lines=["2025-01-01 INFO sshd Found 1.2.3.4", "2025-01-01 ERROR oops"],
+            total_lines=100,
+            log_level="INFO",
+            log_target="/var/log/fail2ban.log",
+        )
+
+    async def test_200_returns_log_response(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log returns 200 with Fail2BanLogResponse."""
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(return_value=self._mock_log_response()),
+        ):
+            resp = await config_client.get("/api/config/fail2ban-log")
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["log_path"] == "/var/log/fail2ban.log"
+        assert isinstance(data["lines"], list)
+        assert data["total_lines"] == 100
+        assert data["log_level"] == "INFO"
+
+    async def test_200_passes_lines_query_param(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log passes the lines query param to the service."""
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(return_value=self._mock_log_response()),
+        ) as mock_fn:
+            resp = await config_client.get("/api/config/fail2ban-log?lines=500")
+
+        assert resp.status_code == 200
+        _socket, lines_arg, _filter = mock_fn.call_args.args
+        assert lines_arg == 500
+
+    async def test_200_passes_filter_query_param(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log passes the filter query param to the service."""
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(return_value=self._mock_log_response()),
+        ) as mock_fn:
+            resp = await config_client.get("/api/config/fail2ban-log?filter=ERROR")
+
+        assert resp.status_code == 200
+        _socket, _lines, filter_arg = mock_fn.call_args.args
+        assert filter_arg == "ERROR"
+
+    async def test_400_when_non_file_target(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log returns 400 when log target is not a file."""
+        from app.services.config_service import ConfigOperationError
+
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(side_effect=ConfigOperationError("fail2ban is logging to 'STDOUT'")),
+        ):
+            resp = await config_client.get("/api/config/fail2ban-log")
+
+        assert resp.status_code == 400
+
+    async def test_400_when_path_traversal_detected(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log returns 400 when the path is outside safe dirs."""
+        from app.services.config_service import ConfigOperationError
+
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(side_effect=ConfigOperationError("outside the allowed directory")),
+        ):
+            resp = await config_client.get("/api/config/fail2ban-log")
+
+        assert resp.status_code == 400
+
+    async def test_502_when_fail2ban_unreachable(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log returns 502 when fail2ban is down."""
+        from app.utils.fail2ban_client import Fail2BanConnectionError
+
+        with patch(
+            "app.routers.config.config_service.read_fail2ban_log",
+            AsyncMock(side_effect=Fail2BanConnectionError("socket error", "/tmp/f.sock")),
+        ):
+            resp = await config_client.get("/api/config/fail2ban-log")
+
+        assert resp.status_code == 502
+
+    async def test_422_for_lines_exceeding_max(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log returns 422 for lines > 2000."""
+        resp = await config_client.get("/api/config/fail2ban-log?lines=9999")
+        assert resp.status_code == 422
+
+    async def test_401_when_unauthenticated(self, config_client: AsyncClient) -> None:
+        """GET /api/config/fail2ban-log requires authentication."""
+        resp = await AsyncClient(
+            transport=ASGITransport(app=config_client._transport.app),  # type: ignore[attr-defined]
+            base_url="http://test",
+        ).get("/api/config/fail2ban-log")
+        assert resp.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# GET /api/config/service-status
+# ---------------------------------------------------------------------------
+
+
+class TestGetServiceStatus:
+    """Tests for ``GET /api/config/service-status``."""
+
+    def _mock_status(self, online: bool = True) -> ServiceStatusResponse:
+        return ServiceStatusResponse(
+            online=online,
+            version="1.0.0" if online else None,
+            jail_count=2 if online else 0,
+            total_bans=10 if online else 0,
+            total_failures=3 if online else 0,
+            log_level="INFO" if online else "UNKNOWN",
+            log_target="/var/log/fail2ban.log" if online else "UNKNOWN",
+        )
+
+    async def test_200_when_online(self, config_client: AsyncClient) -> None:
+        """GET /api/config/service-status returns 200 with full status when online."""
+        with patch(
+            "app.routers.config.config_service.get_service_status",
+            AsyncMock(return_value=self._mock_status(online=True)),
+        ):
+            resp = await config_client.get("/api/config/service-status")
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["online"] is True
+        assert data["jail_count"] == 2
+        assert data["log_level"] == "INFO"
+
+    async def test_200_when_offline(self, config_client: AsyncClient) -> None:
+        """GET /api/config/service-status returns 200 with offline=False when daemon is down."""
+        with patch(
+            "app.routers.config.config_service.get_service_status",
+            AsyncMock(return_value=self._mock_status(online=False)),
+        ):
+            resp = await config_client.get("/api/config/service-status")
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["online"] is False
+        assert data["log_level"] == "UNKNOWN"
+
+    async def test_401_when_unauthenticated(self, config_client: AsyncClient) -> None:
+        """GET /api/config/service-status requires authentication."""
+        resp = await AsyncClient(
+            transport=ASGITransport(app=config_client._transport.app),  # type: ignore[attr-defined]
+            base_url="http://test",
+        ).get("/api/config/service-status")
+        assert resp.status_code == 401
+