P1-24: live dashboard — fleet summary tiles + host table

Server-rendered HTML view backed by:
  - new store.FleetSummary aggregating host counts + repo bytes +
    snapshot total + open alerts + last-24h job rollup in two queries.
  - GET /api/hosts (JSON list of hosts in the dashboard projection).
  - GET /api/fleet/summary (JSON aggregate, same shape as above).

The HTML page (web/templates/pages/dashboard.html) renders the four
summary tiles + host table directly from store data — no separate
fetch. Per-row state colour comes from .host-row.{degraded,failed,
offline} which paint a 3px left edge so problem hosts are scannable
without reading. HTMX is loaded into the base layout so per-row
"Run now" buttons can hx-post to /hosts/{id}/run-backup, a thin
HTML wrapper that funnels into a new dispatchJob helper shared
with the JSON /api/hosts/{id}/jobs endpoint.

Empty state (zero hosts) collapses to the "no hosts yet" prompt
with the + Add host CTA — matches the v1 mockup.

Template helpers (internal/server/ui/funcs.go) added for byte
formatting (412 GB / 3.7 TB), relative time (3m ago / 2d ago), and
comma grouping (1,847). Pure Go, no template-magic dependency.

Browser-verified end-to-end with seeded fixture data: five hosts
across all four states render with correct dots, accents, last-
backup pills, sizes, snapshot counts, alerts, tags, and the right
action button (Run now / Retry / Run first / View → / offline).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/http/jobs.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"context"
 	"encoding/json"
 	stdhttp "net/http"
 	"time"
@@ -33,65 +34,76 @@ func (s *Server) handleRunNow(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		writeJSONError(w, stdhttp.StatusUnauthorized, "unauthorized", "")
 		return
 	}
-
 	hostID := chi.URLParam(r, "id")
 	if hostID == "" {
 		writeJSONError(w, stdhttp.StatusBadRequest, "missing_host_id", "")
 		return
 	}
-
 	var req runNowRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
 		return
 	}
-	if !validJobKind(req.Kind) {
-		writeJSONError(w, stdhttp.StatusBadRequest, "invalid_kind",
-			"kind must be one of backup|forget|prune|check|unlock")
+
+	res, status, code, msg := s.dispatchJob(r.Context(), user, hostID, req.Kind, req.Args)
+	if code != "" {
+		writeJSONError(w, status, code, msg)
 		return
 	}
+	writeJSON(w, stdhttp.StatusAccepted, res)
+}
 
-	host, err := s.deps.Store.GetHost(r.Context(), hostID)
+// dispatchJob is the common path for HTTP-driven job dispatch. It
+// validates the kind, checks the host is online, persists the job
+// row, and ships command.run over the WS. Returns:
+//   - res: the queued-job response (job_id + status)
+//   - status: HTTP status to return on failure (or 0 on success)
+//   - code, msg: error code/message for the wire (empty on success)
+//
+// JSON callers wrap with writeJSONError; HTML callers translate to
+// flash banner + redirect.
+func (s *Server) dispatchJob(ctx context.Context, user *store.User,
+	hostID string, kind api.JobKind, args []string,
+) (res runNowResponse, status int, code, msg string) {
+	if !validJobKind(kind) {
+		return res, stdhttp.StatusBadRequest, "invalid_kind",
+			"kind must be one of backup|forget|prune|check|unlock"
+	}
+	host, err := s.deps.Store.GetHost(ctx, hostID)
 	if err != nil {
-		writeJSONError(w, stdhttp.StatusNotFound, "host_not_found", "")
-		return
+		return res, stdhttp.StatusNotFound, "host_not_found", ""
 	}
-
 	if !s.deps.Hub.Connected(host.ID) {
-		writeJSONError(w, stdhttp.StatusServiceUnavailable, "host_offline",
-			"agent is not currently connected; try again when it reconnects")
-		return
+		return res, stdhttp.StatusServiceUnavailable, "host_offline",
+			"agent is not currently connected; try again when it reconnects"
 	}
 
 	jobID := ulid.Make().String()
 	now := time.Now().UTC()
-	if err := s.deps.Store.CreateJob(r.Context(), store.Job{
+	if err := s.deps.Store.CreateJob(ctx, store.Job{
 		ID:        jobID,
 		HostID:    host.ID,
-		Kind:      string(req.Kind),
+		Kind:      string(kind),
 		ActorKind: "user",
 		ActorID:   &user.ID,
 		CreatedAt: now,
 	}); err != nil {
-		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
-		return
+		return res, stdhttp.StatusInternalServerError, "internal", ""
 	}
 
 	env, err := api.Marshal(api.MsgCommandRun, jobID, api.CommandRunPayload{
 		JobID: jobID,
-		Kind:  req.Kind,
-		Args:  req.Args,
+		Kind:  kind,
+		Args:  args,
 	})
 	if err != nil {
-		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
-		return
+		return res, stdhttp.StatusInternalServerError, "internal", ""
 	}
-	if err := s.deps.Hub.Send(r.Context(), host.ID, env); err != nil {
-		writeJSONError(w, stdhttp.StatusServiceUnavailable, "host_offline", err.Error())
-		return
+	if err := s.deps.Hub.Send(ctx, host.ID, env); err != nil {
+		return res, stdhttp.StatusServiceUnavailable, "host_offline", err.Error()
 	}
 
-	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+	_ = s.deps.Store.AppendAudit(ctx, store.AuditEntry{
 		ID:         ulid.Make().String(),
 		UserID:     &user.ID,
 		Actor:      "user",
@@ -100,11 +112,7 @@ func (s *Server) handleRunNow(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		TargetID:   &jobID,
 		TS:         now,
 	})
-
-	writeJSON(w, stdhttp.StatusAccepted, runNowResponse{
-		JobID:  jobID,
-		Status: "queued",
-	})
+	return runNowResponse{JobID: jobID, Status: "queued"}, 0, "", ""
 }
 
 // requireUser resolves the session cookie to a user row. Stub of the