Split search into local/web, add admin log/env pages, instrument Brave API

[Copilot]

Brave API errors were silently swallowed with no visibility, /search conflated free local search with paid web search, and there was no admin tooling to inspect system state.

Search separation

• /search — local data index only, free, no auth required (sidebar form unchanged)
• /web — Brave-powered web search, auth + wallet quota required
• Quota only consumed on successful Brave responses (not on error/timeout)

Brave API observability

searchBrave() now calls app.RecordAPICall() on every outcome — errors, non-200 responses, and successes all appear in /admin/api with status code, duration, and response body.

body, readErr := io.ReadAll(resp.Body)
if readErr != nil {
    app.RecordAPICall("brave", "GET", reqURL, resp.StatusCode, duration, readErr, "", "")
    return nil, readErr
}
if resp.StatusCode != http.StatusOK {
    callErr := fmt.Errorf("brave search API error: %s: %s", resp.Status, string(body))
    app.RecordAPICall("brave", "GET", reqURL, resp.StatusCode, duration, callErr, "", string(body))
    return nil, callErr
}

New admin pages (all require admin auth)

• /admin/log — in-memory ring buffer (500 entries) of all app.Log() output, newest first
• /admin/env — shows which known env vars are set with character count; values never exposed

Supporting changes

• app/syslog.go: ring buffer wired into app.Log() via appendSysLog()
• video/video.go: fixed latent go vet violation — app.Log call passing err arg with no format verb

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.