Add admin config page and runtime-tunable upload/rate-limit settings

templates/admin.html

@@ -113,6 +113,7 @@
         </div>
         <div class="flex flex-col items-end gap-2">
             <a href="/" class="nav-link">← BACK_TO_UPLOADER</a>
+            <a href="/config" class="nav-link">CONFIG_MODULE</a>
             <a href="/logout" class="nav-link text-red-600">LOGOUT_SESSION</a>
         </div>
     </header>

templates/config.html

@@ -0,0 +1,109 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Config</title>
+  <link rel="stylesheet" href="/static/style.css" />
+  <style>
+    body { font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; padding: 24px; max-width: 920px; margin: 0 auto; }
+    .nav { display: flex; gap: 12px; margin-bottom: 18px; }
+    .nav a { text-decoration: none; color: #2b6cb0; }
+    .card { border: 1px solid #e2e8f0; border-radius: 10px; padding: 16px; margin: 16px 0; }
+    .card h2 { margin: 0 0 10px 0; font-size: 18px; }
+    .row { display: grid; grid-template-columns: 260px 1fr; gap: 12px; align-items: center; margin: 10px 0; }
+    .row label { font-weight: 600; }
+    input[type="number"] { width: 100%; padding: 8px 10px; border: 1px solid #cbd5e0; border-radius: 8px; }
+    .hint { color: #4a5568; font-size: 13px; margin-top: 4px; }
+    .actions { display:flex; gap: 12px; margin-top: 14px; }
+    button { background: #2b6cb0; color: white; border: 0; padding: 10px 14px; border-radius: 8px; cursor: pointer; }
+    .ok { color: #22543d; background: #c6f6d5; border: 1px solid #9ae6b4; padding: 10px 12px; border-radius: 8px; }
+    .err { color: #742a2a; background: #fed7d7; border: 1px solid #feb2b2; padding: 10px 12px; border-radius: 8px; }
+  </style>
+</head>
+<body>
+  <div class="nav">
+    <a href="/admin">Admin</a>
+    <a href="/config">Config</a>
+    <a href="/logout">Logout</a>
+  </div>
+
+  <h1>Config</h1>
+
+  {{if .Success}}
+    <div class="ok">Saved.</div>
+  {{end}}
+  {{if .Error}}
+    <div class="err">{{.Error}}</div>
+  {{end}}
+
+  <form method="POST" action="/config">
+
+    <div class="card">
+      <h2>Uploads</h2>
+
+      <div class="row">
+        <label for="upload_max_file_size_mb">Max file size (MB)</label>
+        <div>
+          <input type="number" min="1" step="1" id="upload_max_file_size_mb" name="upload_max_file_size_mb" value="{{.UploadMaxFileSizeMB}}" />
+          <div class="hint">Hard limit enforced by the upload endpoints. (This is separate from reverse proxy limits.)</div>
+        </div>
+      </div>
+
+      <div class="row">
+        <label for="upload_multi_max_files">Max files in multi upload</label>
+        <div>
+          <input type="number" min="1" step="1" id="upload_multi_max_files" name="upload_multi_max_files" value="{{.UploadMultiMaxFiles}}" />
+          <div class="hint">Limits how many files can be sent to /api/files/upload-multi in one request.</div>
+        </div>
+      </div>
+
+      <div class="row">
+        <label for="upload_max_hours">Max expiry duration (hours)</label>
+        <div>
+          <input type="number" min="1" step="1" id="upload_max_hours" name="upload_max_hours" value="{{.UploadMaxHours}}" />
+          <div class="hint">User-chosen duration is clamped to this maximum.</div>
+        </div>
+      </div>
+
+    </div>
+
+    <div class="card">
+      <h2>Rate limiting (display only)</h2>
+      <div class="hint">Right now rate limits are wired at startup; changing these values won’t take effect until the server restarts (unless we refactor it to be dynamic).</div>
+
+      <div class="row">
+        <label for="ratelimit_login_per_minute">Login max per minute</label>
+        <div>
+          <input type="number" min="1" step="1" id="ratelimit_login_per_minute" name="ratelimit_login_per_minute" value="{{.RateLimitLoginPerMinute}}" />
+        </div>
+      </div>
+
+      <div class="row">
+        <label for="ratelimit_login_burst">Login burst</label>
+        <div>
+          <input type="number" min="1" step="1" id="ratelimit_login_burst" name="ratelimit_login_burst" value="{{.RateLimitLoginBurst}}" />
+        </div>
+      </div>
+
+      <div class="row">
+        <label for="ratelimit_api_per_minute">API max per minute</label>
+        <div>
+          <input type="number" min="1" step="1" id="ratelimit_api_per_minute" name="ratelimit_api_per_minute" value="{{.RateLimitApiPerMinute}}" />
+        </div>
+      </div>
+
+      <div class="row">
+        <label for="ratelimit_api_burst">API burst</label>
+        <div>
+          <input type="number" min="1" step="1" id="ratelimit_api_burst" name="ratelimit_api_burst" value="{{.RateLimitApiBurst}}" />
+        </div>
+      </div>
+    </div>
+
+    <div class="actions">
+      <button type="submit">Save config</button>
+    </div>
+  </form>
+</body>
+</html>