testing: bootstrap UI, agent reliability, NS-01..04 + alert username

Smoothes the rough edges that came up exercising a live deployment.

First-run bootstrap UI: /bootstrap renders a username + password form
that uses the in-memory token directly (operator no longer copies it
out of the log); /login redirects there while bootstrap is available.

Agent reliability: failJob synthetic envelopes so command.run early
returns no longer hang the server-side job; runtime probe of restic
restore --help drives --no-ownership instead of version sniffing
(0.18.x had it removed). Server unit re-shaped: ProtectSystem=full
plus ReadWritePaths=/etc/restic-manager, no ProtectHome — restore
can now write anywhere a user might want.

Restore wizard: default target is /root/rm-restore/<job-id>/ with
clearer help text. Re-init confirm input uses .field (was .input,
which doesn't exist — text was invisible).

NS-01 host delete: store DeleteHost, admin-band /hosts/{id}/delete
with hostname-confirm danger zone, audit, FK cascade, live WS close.

NS-02 enrollment-token recovery: outstanding-tokens panel on
/hosts/new, regenerate (preserves attachments) and revoke handlers
+ audit, store-level ListOutstandingEnrollmentTokens and
DeleteEnrollmentToken.

NS-03 repo init / probe surface: migration 0020 adds
hosts.repo_status + repo_status_error; WS handler projects every
init job's outcome onto the host row (idempotent already-initialised
collapses to ready); creds-save resets status and dispatches a fresh
probe; /hosts/{id}/repo/probe retry endpoint with banner.

NS-04 dashboard live + sort + filter: query-string filter
(q/status/repo_status/tag/sort/dir), 5s htmx live poll mirroring the
alerts pattern with a localStorage live toggle, sortable column
headers, filter row + clear.

Alerts page: ack'd-by line resolves user_id ULID to username.

Compose.yaml ignored — host-specific.

internal/server/http/ui_host_delete.go

@@ -0,0 +1,103 @@
+// ui_host_delete.go — admin-band danger-zone host deletion (NS-01).
+//
+// Removes the host row from the store; FK cascades wipe schedules,
+// jobs, snapshots metadata, source groups, alerts, host_credentials,
+// host_repo_maintenance, host_repo_stats, and the schedule junction.
+// Also closes the host's active WS connection so the agent's bearer
+// stops being usable in the same tick (the bearer hash lives on the
+// hosts row itself, so DeleteHost already revokes it for any future
+// auth attempt — closing the live socket is the courtesy that drops
+// the in-flight session).
+//
+// Audit-logged with action="host.deleted" so the trail records who
+// performed the deletion and against which host.
+package http
+
+import (
+	"encoding/json"
+	"errors"
+	"log/slog"
+	stdhttp "net/http"
+	"strings"
+	"time"
+
+	"github.com/oklog/ulid/v2"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
+)
+
+func (s *Server) handleUIHostDelete(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	u := s.requireUIUser(w, r)
+	if u == nil {
+		return
+	}
+	host, ok := s.loadHostForUI(w, r)
+	if !ok {
+		return
+	}
+	if err := r.ParseForm(); err != nil {
+		stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
+		return
+	}
+	confirm := strings.TrimSpace(r.PostForm.Get("confirm_hostname"))
+	if confirm != host.Name {
+		// Mismatch — bounce back to host detail with a flash via the
+		// query string. The detail page doesn't render an error banner
+		// today; rather than thread a new field through the page model
+		// for one site, we rely on the JS confirm() the form already
+		// shows, plus a 303 back to the host page so the operator can
+		// see they're still there. Surfacing as a 400 with a tidy
+		// message keeps the audit trail clean.
+		stdhttp.Error(w,
+			"hostname confirmation did not match — go back and re-type",
+			stdhttp.StatusBadRequest)
+		return
+	}
+
+	// Drop any live WS session before pulling the row so the agent
+	// gets a clean close rather than discovering the rug-pull on the
+	// next read. A nil Conn just means the agent was already offline.
+	if s.deps.Hub != nil {
+		if c := s.deps.Hub.Conn(host.ID); c != nil {
+			_ = c.Close()
+		}
+	}
+
+	if err := s.deps.Store.DeleteHost(r.Context(), host.ID); err != nil {
+		if errors.Is(err, store.ErrNotFound) {
+			// Race: someone else deleted it between loadHostForUI and
+			// here. Treat as success.
+			stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
+			return
+		}
+		slog.Error("ui host delete: store", "host_id", host.ID, "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+
+	uid := u.ID
+	hostID := host.ID
+	// Stash the host name in the audit payload so an operator reading
+	// the trail later sees *which* host was removed even though the
+	// row no longer exists.
+	payload, _ := json.Marshal(struct {
+		Name string `json:"name"`
+	}{Name: host.Name})
+	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+		ID:         ulid.Make().String(),
+		UserID:     &uid,
+		Actor:      "user",
+		Action:     "host.deleted",
+		TargetKind: ptr("host"),
+		TargetID:   &hostID,
+		TS:         time.Now().UTC(),
+		Payload:    payload,
+	})
+
+	if wantsHTML(r) {
+		w.Header().Set("HX-Redirect", "/")
+		w.WriteHeader(stdhttp.StatusNoContent)
+		return
+	}
+	stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
+}