hub: unified customer page, blocked status, dashboard merge

- Replace separate config detail and report detail pages with unified
  /customers/{id} page showing both config info and live report data
- Add "blocked" status for customers (hidden from dashboard, notifications
  suppressed, still accepts reports)
- Dashboard now shows config-only customers as "PENDING" status
- Customers list: all rows link to /customers/{id}, show BLOCKED badge
- New actions: block/unblock, push config to controller, auto-create
  config from report data
- /configs/{id} now redirects to /customers/{id}
- Add config-badge CSS classes for MANAGED/MANUAL/BLOCKED badges

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

hub/internal/web/configs.go

@@ -3,6 +3,7 @@ package web
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"regexp"
 	"sort"
@@ -21,7 +22,8 @@ type customerListEntry struct {
 	CustomerName      string
 	Domain            string
 	HasConfig         bool
-	OverallStatus     string // ok, warn, down, disabled, "" if no reports
+	IsBlocked         bool
+	OverallStatus     string // ok, warn, down, disabled, pending, "" if no reports
 	ControllerVersion string
 	TimeSinceReport   time.Duration
 	ConfigCreatedAt   time.Time
@@ -52,6 +54,7 @@ func (s *Server) handleConfigList(w http.ResponseWriter, r *http.Request) {
 			CustomerName:    cfg.CustomerName,
 			Domain:          cfg.Domain,
 			HasConfig:       true,
+			IsBlocked:       cfg.Status == "blocked",
 			ConfigCreatedAt: cfg.CreatedAt,
 		}
 	}
@@ -109,6 +112,167 @@ func (s *Server) handleConfigList(w http.ResponseWriter, r *http.Request) {
 	s.templates.ExecuteTemplate(w, "configs.html", data)
 }
 
+// handleCustomerUnified shows the unified customer detail page (config + reports).
+func (s *Server) handleCustomerUnified(w http.ResponseWriter, r *http.Request, customerID string) {
+	cfg, _ := s.store.GetCustomerConfig(customerID)
+	customer, _ := s.store.GetCustomer(customerID)
+
+	// 404 if neither config nor reports exist
+	if cfg == nil && customer == nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	// Determine identity fields from best source
+	name := ""
+	domain := ""
+	email := ""
+	if cfg != nil {
+		name = cfg.CustomerName
+		domain = cfg.Domain
+		email = cfg.Email
+	}
+	if name == "" && customer != nil {
+		name = customer.CustomerName
+	}
+
+	// Parse report JSON
+	var report map[string]interface{}
+	if customer != nil {
+		json.Unmarshal([]byte(customer.ReportJSON), &report)
+	}
+
+	// Parse config overrides
+	var overrides map[string]interface{}
+	if cfg != nil {
+		json.Unmarshal([]byte(cfg.ConfigJSON), &overrides)
+	}
+
+	// Overall status
+	overallStatus := "pending"
+	if customer != nil {
+		if customer.HealthStatus == "disabled" {
+			overallStatus = "disabled"
+		} else if customer.TimeSinceReport > time.Hour {
+			overallStatus = "down"
+		} else if customer.TimeSinceReport > 30*time.Minute || customer.HealthStatus == "warn" {
+			overallStatus = "warn"
+		} else if customer.HealthStatus == "fail" {
+			overallStatus = "down"
+		} else {
+			overallStatus = "ok"
+		}
+	}
+	if cfg != nil && cfg.Status == "blocked" {
+		overallStatus = "blocked"
+	}
+
+	// Controller URL
+	controllerURL := ""
+	if customer != nil {
+		controllerURL = customer.ControllerURL
+		if controllerURL == "" {
+			var rpt struct {
+				ControllerURL string `json:"controller_url"`
+			}
+			json.Unmarshal([]byte(customer.ReportJSON), &rpt)
+			controllerURL = rpt.ControllerURL
+		}
+	}
+
+	// Version check
+	var latestVersion string
+	var updateAvailable bool
+	if s.versionChecker != nil && customer != nil {
+		latestVersion = s.versionChecker.LatestVersion()
+		if latestVersion != "" && customer.ControllerVersion != "" {
+			updateAvailable = latestVersion != customer.ControllerVersion && compareVersions(latestVersion, customer.ControllerVersion) > 0
+		}
+	}
+
+	// History, notifications, infra backup
+	var history []store.CustomerSummary
+	var notifPrefs *store.NotificationPrefs
+	var recentNotifs []store.NotificationLogEntry
+	var infraMeta *store.InfraBackupMeta
+	var infraBackupAge string
+
+	if customer != nil {
+		history, _ = s.store.GetCustomerHistory(customerID, 24*time.Hour)
+		notifPrefs, _ = s.store.GetNotificationPrefs(customerID)
+		recentNotifs, _ = s.store.GetRecentNotifications(customerID, 10)
+		infraMeta, _ = s.store.GetInfraBackupMeta(customerID)
+		if infraMeta != nil {
+			infraBackupAge = timeAgo(infraMeta.UpdatedAt)
+		}
+	}
+
+	type pageData struct {
+		CustomerID   string
+		CustomerName string
+		Domain       string
+		Email        string
+
+		HasConfig bool
+		Config    *store.CustomerConfig
+		Overrides map[string]interface{}
+		IsBlocked bool
+
+		HasReports    bool
+		Customer      *store.CustomerSummary
+		Report        map[string]interface{}
+		OverallStatus string
+
+		LatestVersion   string
+		UpdateAvailable bool
+		ControllerURL   string
+
+		InfraBackup         *store.InfraBackupMeta
+		InfraBackupAge      string
+		NotifPrefs          *store.NotificationPrefs
+		RecentNotifications []store.NotificationLogEntry
+		History             []store.CustomerSummary
+
+		Flash     string
+		ActiveNav string
+	}
+
+	data := pageData{
+		CustomerID:   customerID,
+		CustomerName: name,
+		Domain:       domain,
+		Email:        email,
+
+		HasConfig: cfg != nil,
+		Config:    cfg,
+		Overrides: overrides,
+		IsBlocked: cfg != nil && cfg.Status == "blocked",
+
+		HasReports:    customer != nil,
+		Customer:      customer,
+		Report:        report,
+		OverallStatus: overallStatus,
+
+		LatestVersion:   latestVersion,
+		UpdateAvailable: updateAvailable,
+		ControllerURL:   controllerURL,
+
+		InfraBackup:         infraMeta,
+		InfraBackupAge:      infraBackupAge,
+		NotifPrefs:          notifPrefs,
+		RecentNotifications: recentNotifs,
+		History:             history,
+
+		Flash:     r.URL.Query().Get("flash"),
+		ActiveNav: "configs",
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := s.templates.ExecuteTemplate(w, "customer_unified.html", data); err != nil {
+		s.logger.Printf("[ERROR] Template render: %v", err)
+	}
+}
+
 // handleConfigNewForm shows the form to create a new customer config.
 func (s *Server) handleConfigNewForm(w http.ResponseWriter, r *http.Request) {
 	data := struct {
@@ -187,38 +351,7 @@ func (s *Server) handleConfigCreate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	s.logger.Printf("[INFO] Customer config created: %s", customerID)
-	http.Redirect(w, r, "/configs/"+customerID+"?flash=created", http.StatusSeeOther)
-}
-
-// handleConfigDetail shows a customer config with credentials and setup commands.
-func (s *Server) handleConfigDetail(w http.ResponseWriter, r *http.Request, customerID string) {
-	cfg, err := s.store.GetCustomerConfig(customerID)
-	if err != nil {
-		s.logger.Printf("[ERROR] Failed to get config %s: %v", customerID, err)
-		http.Error(w, "Internal error", http.StatusInternalServerError)
-		return
-	}
-	if cfg == nil {
-		http.NotFound(w, r)
-		return
-	}
-
-	// Parse config_json for display
-	var overrides map[string]interface{}
-	json.Unmarshal([]byte(cfg.ConfigJSON), &overrides)
-
-	data := struct {
-		Config    *store.CustomerConfig
-		Overrides map[string]interface{}
-		ActiveNav string
-		Flash     string
-	}{
-		Config:    cfg,
-		Overrides: overrides,
-		ActiveNav: "configs",
-		Flash:     r.URL.Query().Get("flash"),
-	}
-	s.templates.ExecuteTemplate(w, "config_detail.html", data)
+	http.Redirect(w, r, "/customers/"+customerID+"?flash=created", http.StatusSeeOther)
 }
 
 // handleConfigEditForm shows the edit form for a customer config.
@@ -272,7 +405,7 @@ func (s *Server) handleConfigUpdate(w http.ResponseWriter, r *http.Request, cust
 	}
 
 	s.logger.Printf("[INFO] Customer config updated: %s", customerID)
-	http.Redirect(w, r, "/configs/"+customerID+"?flash=updated", http.StatusSeeOther)
+	http.Redirect(w, r, "/customers/"+customerID+"?flash=updated", http.StatusSeeOther)
 }
 
 // handleConfigDelete deletes a customer config.
@@ -326,7 +459,152 @@ func (s *Server) handleConfigRegenPassword(w http.ResponseWriter, r *http.Reques
 	}
 
 	s.logger.Printf("[INFO] Retrieval password regenerated for %s", customerID)
-	http.Redirect(w, r, "/configs/"+customerID+"?flash=password_regenerated", http.StatusSeeOther)
+	http.Redirect(w, r, "/customers/"+customerID+"?flash=password_regenerated", http.StatusSeeOther)
+}
+
+// handleBlockCustomer sets a customer's status to "blocked".
+func (s *Server) handleBlockCustomer(w http.ResponseWriter, r *http.Request, customerID string) {
+	cfg, _ := s.store.GetCustomerConfig(customerID)
+	if cfg == nil {
+		http.NotFound(w, r)
+		return
+	}
+	if err := s.store.SetCustomerConfigStatus(customerID, "blocked"); err != nil {
+		s.logger.Printf("[ERROR] Failed to block %s: %v", customerID, err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+	s.logger.Printf("[INFO] Customer blocked: %s", customerID)
+	http.Redirect(w, r, "/customers/"+customerID+"?flash=blocked", http.StatusSeeOther)
+}
+
+// handleUnblockCustomer sets a customer's status back to "active".
+func (s *Server) handleUnblockCustomer(w http.ResponseWriter, r *http.Request, customerID string) {
+	cfg, _ := s.store.GetCustomerConfig(customerID)
+	if cfg == nil {
+		http.NotFound(w, r)
+		return
+	}
+	if err := s.store.SetCustomerConfigStatus(customerID, "active"); err != nil {
+		s.logger.Printf("[ERROR] Failed to unblock %s: %v", customerID, err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+	s.logger.Printf("[INFO] Customer unblocked: %s", customerID)
+	http.Redirect(w, r, "/customers/"+customerID+"?flash=unblocked", http.StatusSeeOther)
+}
+
+// handlePushConfig sends the generated YAML config to the controller.
+func (s *Server) handlePushConfig(w http.ResponseWriter, r *http.Request, customerID string) {
+	cfg, err := s.store.GetCustomerConfig(customerID)
+	if err != nil || cfg == nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNotFound)
+		w.Write([]byte(`{"ok":false,"error":"No config found for this customer"}`))
+		return
+	}
+
+	// Get controller URL from latest report
+	customer, _ := s.store.GetCustomer(customerID)
+	controllerURL := ""
+	if customer != nil {
+		controllerURL = customer.ControllerURL
+		if controllerURL == "" {
+			var rpt struct {
+				ControllerURL string `json:"controller_url"`
+			}
+			json.Unmarshal([]byte(customer.ReportJSON), &rpt)
+			controllerURL = rpt.ControllerURL
+		}
+	}
+	if controllerURL == "" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		w.Write([]byte(`{"ok":false,"error":"Controller URL not available — waiting for first report"}`))
+		return
+	}
+
+	// Generate YAML
+	templateYAML := defaultControllerTemplate
+	if s.templateFetcher != nil {
+		templateYAML = s.templateFetcher.Template()
+	}
+	yamlOutput, err := configgen.Generate(templateYAML, cfg)
+	if err != nil {
+		s.logger.Printf("[ERROR] Failed to generate config for push to %s: %v", customerID, err)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(`{"ok":false,"error":"Failed to generate config"}`))
+		return
+	}
+
+	// POST to controller
+	pushURL := controllerURL + "/api/config/apply"
+	req, err := http.NewRequest("POST", pushURL, strings.NewReader(yamlOutput))
+	if err != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(`{"ok":false,"error":"Failed to create request"}`))
+		return
+	}
+	req.Header.Set("Authorization", "Bearer "+s.apiKey)
+	req.Header.Set("Content-Type", "text/yaml")
+
+	client := &http.Client{Timeout: 30 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		s.logger.Printf("[ERROR] Push config to %s failed: %v", pushURL, err)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadGateway)
+		json.NewEncoder(w).Encode(map[string]interface{}{"ok": false, "error": fmt.Sprintf("Controller unreachable: %v", err)})
+		return
+	}
+	defer resp.Body.Close()
+
+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
+	s.logger.Printf("[INFO] Push config to %s — controller responded %d: %s", customerID, resp.StatusCode, string(body))
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(resp.StatusCode)
+	w.Write(body)
+}
+
+// handleCreateConfigFromReport auto-creates a config entry from report data.
+func (s *Server) handleCreateConfigFromReport(w http.ResponseWriter, r *http.Request, customerID string) {
+	// Check if config already exists
+	existing, _ := s.store.GetCustomerConfig(customerID)
+	if existing != nil {
+		http.Redirect(w, r, "/configs/"+customerID+"/edit", http.StatusSeeOther)
+		return
+	}
+
+	// Get report data to pre-fill
+	customer, _ := s.store.GetCustomer(customerID)
+	name := customerID
+	if customer != nil && customer.CustomerName != "" {
+		name = customer.CustomerName
+	}
+
+	// Generate credentials
+	retrievalPassword, _ := configgen.RandomHex(32)
+	apiKey, _ := configgen.RandomHex(32)
+
+	cfg := &store.CustomerConfig{
+		CustomerID:        customerID,
+		CustomerName:      name,
+		RetrievalPassword: retrievalPassword,
+		APIKey:            apiKey,
+		ConfigJSON:        "{}",
+	}
+
+	if err := s.store.SaveCustomerConfig(cfg); err != nil {
+		s.logger.Printf("[ERROR] Failed to create config from report for %s: %v", customerID, err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	s.logger.Printf("[INFO] Config auto-created from report for %s", customerID)
+	http.Redirect(w, r, "/configs/"+customerID+"/edit", http.StatusSeeOther)
 }
 
 // renderConfigForm is a helper to re-render the form with an error.
@@ -395,19 +673,3 @@ func buildConfigJSON(r *http.Request) string {
 	data, _ := json.Marshal(overrides)
 	return string(data)
 }
-
-// getNestedString is a helper to extract a nested string from a map.
-func getNestedString(m map[string]interface{}, keys ...string) string {
-	var current interface{} = m
-	for _, key := range keys {
-		if cm, ok := current.(map[string]interface{}); ok {
-			current = cm[key]
-		} else {
-			return ""
-		}
-	}
-	if s, ok := current.(string); ok {
-		return s
-	}
-	return ""
-}