Add DASHBOARD_SKIP_LOGIN + live machine metrics widget

[falkoro]

Skip-login (trust the front door)

New DASHBOARD_SKIP_LOGIN flag. When set, authenticated() returns true and ShellDeck trusts the existing network gate (network_allowed — allowed IPs / Cloudflare headers / Access email) instead of prompting for its own login password. This is for deployments fronted by Cloudflare Access / Zero Trust (or a trusted reverse proxy) that already authenticate who can reach the dashboard.

The shell unlock (second) password is unaffected — shell previews, input, and the live terminal still require it. Default is off; documented in .env.example and the README security section.

Live machine metrics widget

• src/metrics.rs reads, with no extra dependencies:
  • CPU % via a 200ms /proc/stat delta, plus core count
  • load average (/proc/loadavg)
  • RAM / swap (/proc/meminfo, used = total − available)
  • uptime (/proc/uptime)
  • temperatures from /sys/class/hwmon/*/temp*_input with temp*_label (covers AMD k10temp, Intel coretemp, NVMe Composite, wifi, etc.), sorted hottest-first, capped at 8.
• Exposed at GET /api/metrics, login-gated but not behind the shell unlock (not sensitive).
• A sidebar "Machine" panel (frontend/metrics.ts) polls every 5s and renders CPU/RAM meters (green→amber→red), temperature chips, and the load line — styled like the CachyOS system-monitor widget.

Scope & verification

• Backend .rs changes are minimal and in the repo's compact style (no cargo fmt churn): auth.rs +6, config.rs +5, main.rs +1, routes.rs +16, new metrics.rs.
• Frontend stays global-script style; metrics.js loads before events.js.
• cargo build --release clean; bun run check clean; bun run build:frontend reproduces public/*.js.
• Verified live on code.falkinator.org: / returns 200 without the app login (skip-login), and /api/metrics returns real data for the host (logan-laptop: CPU/RAM/load + 6 temp sensors).

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds a DASHBOARD_SKIP_LOGIN environment flag that lets ShellDeck trust an external auth layer (Cloudflare Access, reverse proxy) instead of prompting for its own login password, while leaving the shell-unlock (second) password untouched. Also introduces a live host-metrics widget (CPU, RAM, load, temps, uptime) served from a new /api/metrics endpoint and rendered in a sidebar panel.

Changes:

• New DASHBOARD_SKIP_LOGIN flag wired through config.rs and short-circuiting auth::authenticated, gated still by the network checks in guard.
• New src/metrics.rs module reading /proc and /sys/class/hwmon, exposed via api_metrics route behind the standard login guard.
• New frontend/metrics.ts / compiled public/metrics.js polling /api/metrics every 5s, plus matching CSS and dashboard HTML for the sidebar widget.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/auth.rs	Short-circuit authenticated() when skip_login is enabled.
src/config.rs	Parse DASHBOARD_SKIP_LOGIN env var into new skip_login field.
src/main.rs	Register the new metrics module.
src/metrics.rs	New module gathering CPU%, load, mem/swap, uptime, hwmon temps.
src/routes.rs	New /api/metrics handler guarded by the standard login guard.
src/pages.rs	Add metrics sidebar markup and load metrics.js.
frontend/metrics.ts	TypeScript source for the metrics widget poller/renderer.
public/metrics.js	Compiled JS for the metrics widget.
frontend/events.ts, public/events.js	Kick off initial fetch and 5s interval for loadMetrics.
public/app.css	Styles for metric meters and temperature chips.
README.md, .env.example	Document the new flag and the metrics widget.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.