feat: daemon health panel, brand-rail status chips, user timezone selector

- Health API now surfaces Docker /info + /version (version, platform,
  kernel, container/image counts, storage driver, memory, latency) and
  NPM aggregates (proxy host total, managed-by-Tinyforge count, access
  lists, certificates, endpoint URL).
- Docker/NPM indicators moved out of the sidebar footer and into a
  compact mono-styled rail directly under the Tinyforge brand title,
  with pulse/fault animations and click-to-expand error hints.
- New SystemDaemonsCard on the dashboard: two terminal-styled panels
  (Docker Engine + Proxy) with a running/paused/stopped stacked bar,
  key-value diagnostics, and a total-vs-managed proportion meter on
  the proxy-hosts tile.
- Shared health store so the sidebar and dashboard share a single
  30 s poll instead of duplicating traffic.
- User-facing timezone preference with auto-detect fallback; all
  dates across projects, sites, stacks, settings, backup, event log
  and stale containers now render through \$fmt.date / \$fmt.datetime.
- en/ru translations for both features.

internal/api/health.go

@@ -4,11 +4,19 @@ import (
 	"context"
 	"net/http"
 	"time"
+
+	"github.com/alexei/tinyforge/internal/proxy"
 )
 
 // getHealth handles GET /api/health.
+//
+// Returns the connectivity state and (when connected) rich diagnostics for the
+// Docker daemon and the active proxy provider. This endpoint is polled by the
+// UI every 30 seconds — keep the calls cheap. The expensive NPM list calls
+// are only issued when the initial ping succeeds, so a down proxy never
+// amplifies latency.
 func (s *Server) getHealth(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(r.Context(), 8*time.Second)
 	defer cancel()
 
 	now := time.Now().UTC().Format(time.RFC3339)
@@ -16,37 +24,176 @@ func (s *Server) getHealth(w http.ResponseWriter, r *http.Request) {
 		"checked_at": now,
 	}
 
-	// Check database connectivity.
+	// ── Database ─────────────────────────────────────────────────────
 	if err := s.store.DB().PingContext(ctx); err != nil {
 		result["database"] = map[string]any{"connected": false, "error": "database unreachable"}
 	} else {
 		result["database"] = map[string]any{"connected": true}
 	}
 
-	// Check Docker connectivity.
-	if s.docker == nil {
-		result["docker"] = map[string]any{
-			"connected": false,
-			"error":     "docker client not initialized",
-		}
-	} else if err := s.docker.Ping(ctx); err != nil {
-		result["docker"] = map[string]any{
-			"connected": false,
-			"error":     err.Error(),
-		}
-	} else {
-		result["docker"] = map[string]any{"connected": true}
-	}
+	// ── Docker daemon ────────────────────────────────────────────────
+	result["docker"] = s.dockerHealth(ctx)
 
-	// Check proxy provider connectivity.
+	// ── Proxy provider ───────────────────────────────────────────────
 	if s.proxyProvider != nil {
-		providerName := s.proxyProvider.Name()
-		if err := s.proxyProvider.Ping(ctx); err != nil {
-			result["proxy"] = map[string]any{"provider": providerName, "connected": false, "error": providerName + " unreachable"}
-		} else {
-			result["proxy"] = map[string]any{"provider": providerName, "connected": true}
-		}
+		result["proxy"] = s.proxyHealth(ctx)
 	}
 
 	respondJSON(w, http.StatusOK, result)
 }
+
+// dockerHealth probes the Docker daemon and, if reachable, attaches a full
+// DaemonInfo snapshot. The caller does not need to error-check the Info()
+// call — if it fails, the connected flag remains true (ping succeeded) but
+// the detail fields are simply omitted.
+func (s *Server) dockerHealth(ctx context.Context) map[string]any {
+	if s.docker == nil {
+		return map[string]any{
+			"connected": false,
+			"error":     "docker client not initialized",
+		}
+	}
+
+	start := time.Now()
+	if err := s.docker.Ping(ctx); err != nil {
+		return map[string]any{
+			"connected":  false,
+			"error":      err.Error(),
+			"latency_ms": time.Since(start).Milliseconds(),
+		}
+	}
+
+	out := map[string]any{
+		"connected":  true,
+		"latency_ms": time.Since(start).Milliseconds(),
+	}
+
+	// Info enriches the payload; failures are non-fatal.
+	info, err := s.docker.Info(ctx)
+	if err == nil {
+		if info.Version != "" {
+			out["version"] = info.Version
+		}
+		if info.APIVersion != "" {
+			out["api_version"] = info.APIVersion
+		}
+		if info.OS != "" {
+			out["os"] = info.OS
+		}
+		if info.Arch != "" {
+			out["arch"] = info.Arch
+		}
+		if info.Kernel != "" {
+			out["kernel"] = info.Kernel
+		}
+		if info.OperatingSystem != "" {
+			out["operating_system"] = info.OperatingSystem
+		}
+		if info.StorageDriver != "" {
+			out["storage_driver"] = info.StorageDriver
+		}
+		if info.RootDir != "" {
+			out["root_dir"] = info.RootDir
+		}
+		if info.Name != "" {
+			out["name"] = info.Name
+		}
+		if info.NCPU > 0 {
+			out["ncpu"] = info.NCPU
+		}
+		if info.MemoryTotal > 0 {
+			out["memory_total"] = info.MemoryTotal
+		}
+		out["containers"] = info.Containers
+		out["running"] = info.Running
+		out["paused"] = info.Paused
+		out["stopped"] = info.Stopped
+		out["images"] = info.Images
+	}
+
+	return out
+}
+
+// proxyHealth probes the configured proxy provider. For NPM, attaches
+// aggregate counts (proxy hosts, access lists, certificates) which the
+// dashboard surfaces alongside the connection indicator.
+func (s *Server) proxyHealth(ctx context.Context) map[string]any {
+	providerName := s.proxyProvider.Name()
+
+	start := time.Now()
+	err := s.proxyProvider.Ping(ctx)
+	latency := time.Since(start).Milliseconds()
+
+	if err != nil {
+		return map[string]any{
+			"provider":   providerName,
+			"connected":  false,
+			"error":      providerName + " unreachable: " + err.Error(),
+			"latency_ms": latency,
+		}
+	}
+
+	out := map[string]any{
+		"provider":   providerName,
+		"connected":  true,
+		"latency_ms": latency,
+	}
+
+	// Attach configured URL from settings for both NPM and Traefik.
+	if settings, serr := s.store.GetSettings(); serr == nil {
+		switch providerName {
+		case "npm":
+			if settings.NpmURL != "" {
+				out["url"] = settings.NpmURL
+			}
+		case "traefik":
+			if settings.TraefikAPIURL != "" {
+				out["url"] = settings.TraefikAPIURL
+			}
+		}
+	}
+
+	// NPM-specific aggregates — a quick glance at route/list/cert counts.
+	// These calls require an authenticated NPM session, so we trigger the
+	// provider's auth step first (it's cheap: cached JWT is reused for 1h).
+	if providerName == "npm" && s.npm != nil {
+		if np, ok := s.proxyProvider.(*proxy.NpmProvider); ok {
+			if err := np.Authenticate(ctx); err == nil {
+				if hosts, herr := s.npm.ListProxyHosts(ctx); herr == nil {
+					out["proxy_hosts"] = len(hosts)
+				}
+				if lists, lerr := s.npm.ListAccessLists(ctx); lerr == nil {
+					out["access_lists"] = len(lists)
+				}
+				if certs, cerr := s.npm.ListCertificates(ctx); cerr == nil {
+					out["certificates"] = len(certs)
+				}
+			}
+		}
+	}
+
+	// Managed-route count — how many of the proxy's routes were deployed
+	// by Tinyforge itself, counting both Docker instances and static sites.
+	// This works for every provider (NPM, Traefik, …) because it reads from
+	// our own store, not the external proxy API.
+	if managed, merr := s.managedRouteCount(); merr == nil {
+		out["proxy_hosts_managed"] = managed
+	}
+
+	return out
+}
+
+// managedRouteCount returns the number of proxy routes Tinyforge manages
+// (Docker instances + static sites combined). The domain argument doesn't
+// affect the count so we pass an empty string to skip FQDN rendering.
+func (s *Server) managedRouteCount() (int, error) {
+	instanceRoutes, err := s.store.ListProxyRoutes("")
+	if err != nil {
+		return 0, err
+	}
+	siteRoutes, err := s.store.ListStaticSiteProxyRoutes("")
+	if err != nil {
+		return 0, err
+	}
+	return len(instanceRoutes) + len(siteRoutes), nil
+}

internal/docker/client.go

@@ -48,3 +48,67 @@ func (c *Client) Ping(ctx context.Context) error {
 	}
 	return nil
 }
+
+// DaemonInfo captures the subset of Docker daemon info surfaced in the UI.
+// Fields map directly to /info and /version; JSON tags match the wire format
+// consumed by the frontend's DockerHealth type.
+type DaemonInfo struct {
+	Version         string `json:"version,omitempty"`
+	APIVersion      string `json:"api_version,omitempty"`
+	OS              string `json:"os,omitempty"`
+	Arch            string `json:"arch,omitempty"`
+	Kernel          string `json:"kernel,omitempty"`
+	OperatingSystem string `json:"operating_system,omitempty"`
+	StorageDriver   string `json:"storage_driver,omitempty"`
+	RootDir         string `json:"root_dir,omitempty"`
+	Name            string `json:"name,omitempty"`
+	NCPU            int    `json:"ncpu,omitempty"`
+	MemoryTotal     int64  `json:"memory_total,omitempty"`
+	Containers      int    `json:"containers,omitempty"`
+	Running         int    `json:"running,omitempty"`
+	Paused          int    `json:"paused,omitempty"`
+	Stopped         int    `json:"stopped,omitempty"`
+	Images          int    `json:"images,omitempty"`
+}
+
+// Info returns a compact snapshot of daemon health data. Missing pieces
+// (e.g. if ServerVersion fails but Info succeeds) are returned as zero
+// values rather than bubbling up — the endpoint should degrade gracefully.
+func (c *Client) Info(ctx context.Context) (DaemonInfo, error) {
+	info, err := c.api.Info(ctx, client.InfoOptions{})
+	if err != nil {
+		return DaemonInfo{}, fmt.Errorf("docker info: %w", err)
+	}
+	out := DaemonInfo{
+		OperatingSystem: info.Info.OperatingSystem,
+		Kernel:          info.Info.KernelVersion,
+		Arch:            info.Info.Architecture,
+		OS:              info.Info.OSType,
+		StorageDriver:   info.Info.Driver,
+		RootDir:         info.Info.DockerRootDir,
+		Name:            info.Info.Name,
+		NCPU:            info.Info.NCPU,
+		MemoryTotal:     info.Info.MemTotal,
+		Containers:      info.Info.Containers,
+		Running:         info.Info.ContainersRunning,
+		Paused:          info.Info.ContainersPaused,
+		Stopped:         info.Info.ContainersStopped,
+		Images:          info.Info.Images,
+		Version:         info.Info.ServerVersion,
+	}
+
+	if ver, verr := c.api.ServerVersion(ctx, client.ServerVersionOptions{}); verr == nil {
+		if ver.Version != "" {
+			out.Version = ver.Version
+		}
+		out.APIVersion = ver.APIVersion
+		if out.Arch == "" {
+			out.Arch = ver.Arch
+		}
+		if out.OS == "" {
+			out.OS = ver.Os
+		}
+	}
+
+	return out, nil
+}

internal/proxy/npm_provider.go

@@ -121,6 +121,14 @@ func (p *NpmProvider) Ping(ctx context.Context) error {
 	return p.client.Ping(ctx)
 }
 
+// Authenticate is a public wrapper over the internal auth step. It is used by
+// health checks that want to make authenticated list calls without going
+// through the full ConfigureRoute path. Returns an error if credentials are
+// not configured or the NPM API rejects them.
+func (p *NpmProvider) Authenticate(ctx context.Context) error {
+	return p.auth(ctx)
+}
+
 // auth authenticates to NPM if credentials are available.
 func (p *NpmProvider) auth(ctx context.Context) error {
 	if p.email == "" {