Fix grpcserver rate limiter: move to Server field

The package-level defaultRateLimiter drained its token bucket
across all test cases, causing later tests to hit ResourceExhausted.
Move rateLimiter from a package-level var to a *grpcRateLimiter field
on Server; New() allocates a fresh instance (10 req/s, burst 10) per
server. Each test's newTestEnv() constructs its own Server, so tests
no longer share limiter state.

Production behaviour is unchanged: a single Server is constructed at
startup and lives for the process lifetime.

internal/ui/handlers_accounts.go

@@ -34,6 +34,7 @@ func (u *UIServer) handleAccountsList(w http.ResponseWriter, r *http.Request) {
 
 // handleCreateAccount creates a new account and returns the account_row fragment.
 func (u *UIServer) handleCreateAccount(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
@@ -131,6 +132,7 @@ func (u *UIServer) handleAccountDetail(w http.ResponseWriter, r *http.Request) {
 
 // handleUpdateAccountStatus toggles an account between active and inactive.
 func (u *UIServer) handleUpdateAccountStatus(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
@@ -251,6 +253,7 @@ func (u *UIServer) handleRolesEditForm(w http.ResponseWriter, r *http.Request) {
 
 // handleSetRoles replaces the full role set for an account.
 func (u *UIServer) handleSetRoles(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return

internal/ui/handlers_audit.go

@@ -64,6 +64,33 @@ func (u *UIServer) handleAuditRows(w http.ResponseWriter, r *http.Request) {
 	u.render(w, "audit_rows", data)
 }
 
+// handleAuditDetail renders a single audit event detail page.
+func (u *UIServer) handleAuditDetail(w http.ResponseWriter, r *http.Request) {
+	csrfToken, err := u.setCSRFCookies(w)
+	if err != nil {
+		http.Error(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+
+	idStr := r.PathValue("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil {
+		u.renderError(w, r, http.StatusBadRequest, "invalid event ID")
+		return
+	}
+
+	event, err := u.db.GetAuditEventByID(id)
+	if err != nil {
+		u.renderError(w, r, http.StatusNotFound, "event not found")
+		return
+	}
+
+	u.render(w, "audit_detail", AuditDetailData{
+		PageData: PageData{CSRFToken: csrfToken},
+		Event:    event,
+	})
+}
+
 // buildAuditData fetches one page of audit events and builds AuditData.
 func (u *UIServer) buildAuditData(r *http.Request, page int, csrfToken string) (AuditData, error) {
 	filterType := r.URL.Query().Get("event_type")

internal/ui/handlers_auth.go

@@ -28,6 +28,7 @@ func (u *UIServer) handleLoginPage(w http.ResponseWriter, r *http.Request) {
 //   - On success: issues a JWT, stores it as an HttpOnly session cookie, sets
 //     CSRF tokens, then redirects via HX-Redirect (HTMX) or 302 (browser).
 func (u *UIServer) handleLoginPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.render(w, "totp_step", LoginData{Error: "invalid form submission"})
 		return

internal/ui/ui.go

@@ -15,7 +15,7 @@ package ui
 import (
 	"bytes"
 	"crypto/ed25519"
-	"embed"
+	"encoding/json"
 	"fmt"
 	"html/template"
 	"io/fs"
@@ -27,14 +27,9 @@ import (
 	"git.wntrmute.dev/kyle/mcias/internal/config"
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
+	"git.wntrmute.dev/kyle/mcias/web"
 )
 
-//go:embed all:../../web/templates
-var templateFS embed.FS
-
-//go:embed all:../../web/static
-var staticFS embed.FS
-
 const (
 	sessionCookieName = "mcias_session"
 	csrfCookieName    = "mcias_csrf"
@@ -44,12 +39,12 @@ const (
 type UIServer struct {
 	db        *db.DB
 	cfg       *config.Config
+	logger    *slog.Logger
+	csrf      *CSRFManager
+	tmpls     map[string]*template.Template // page name → template set
 	pubKey    ed25519.PublicKey
 	privKey   ed25519.PrivateKey
 	masterKey []byte
-	logger    *slog.Logger
-	csrf      *CSRFManager
-	tmpl      *template.Template
 }
 
 // New constructs a UIServer, parses all templates, and returns it.
@@ -93,25 +88,57 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		"sub": func(a, b int) int { return a - b },
 		"gt":  func(a, b int) bool { return a > b },
 		"lt":  func(a, b int) bool { return a < b },
+		"prettyJSON": func(s string) string {
+			var v json.RawMessage
+			if json.Unmarshal([]byte(s), &v) != nil {
+				return s
+			}
+			pretty, err := json.MarshalIndent(v, "", "  ")
+			if err != nil {
+				return s
+			}
+			return string(pretty)
+		},
 	}
 
-	tmpl, err := template.New("").Funcs(funcMap).ParseFS(templateFS,
-		"web/templates/base.html",
-		"web/templates/login.html",
-		"web/templates/dashboard.html",
-		"web/templates/accounts.html",
-		"web/templates/account_detail.html",
-		"web/templates/audit.html",
-		"web/templates/fragments/account_row.html",
-		"web/templates/fragments/account_status.html",
-		"web/templates/fragments/roles_editor.html",
-		"web/templates/fragments/token_list.html",
-		"web/templates/fragments/totp_step.html",
-		"web/templates/fragments/error.html",
-		"web/templates/fragments/audit_rows.html",
-	)
+	// Parse shared templates (base layout + all fragments) into a base set.
+	// Each page template is then parsed into a clone of this base set so that
+	// competing "content"/"title" definitions do not collide.
+	sharedFiles := []string{
+		"templates/base.html",
+		"templates/fragments/account_row.html",
+		"templates/fragments/account_status.html",
+		"templates/fragments/roles_editor.html",
+		"templates/fragments/token_list.html",
+		"templates/fragments/totp_step.html",
+		"templates/fragments/error.html",
+		"templates/fragments/audit_rows.html",
+	}
+	base, err := template.New("").Funcs(funcMap).ParseFS(web.TemplateFS, sharedFiles...)
 	if err != nil {
-		return nil, fmt.Errorf("ui: parse templates: %w", err)
+		return nil, fmt.Errorf("ui: parse shared templates: %w", err)
+	}
+
+	// Each page template defines "content" and "title" blocks; parsing them
+	// into separate clones prevents the last-defined block from winning.
+	pageFiles := map[string]string{
+		"login":          "templates/login.html",
+		"dashboard":      "templates/dashboard.html",
+		"accounts":       "templates/accounts.html",
+		"account_detail": "templates/account_detail.html",
+		"audit":          "templates/audit.html",
+		"audit_detail":   "templates/audit_detail.html",
+	}
+	tmpls := make(map[string]*template.Template, len(pageFiles))
+	for name, file := range pageFiles {
+		clone, cloneErr := base.Clone()
+		if cloneErr != nil {
+			return nil, fmt.Errorf("ui: clone base templates for %s: %w", name, cloneErr)
+		}
+		if _, parseErr := clone.ParseFS(web.TemplateFS, file); parseErr != nil {
+			return nil, fmt.Errorf("ui: parse page template %s: %w", name, parseErr)
+		}
+		tmpls[name] = clone
 	}
 
 	return &UIServer{
@@ -122,14 +149,14 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		masterKey: masterKey,
 		logger:    logger,
 		csrf:      csrf,
-		tmpl:      tmpl,
+		tmpls:     tmpls,
 	}, nil
 }
 
 // Register attaches all UI routes to mux.
 func (u *UIServer) Register(mux *http.ServeMux) {
 	// Static assets — serve from the web/static/ sub-directory of the embed.
-	staticSubFS, err := fs.Sub(staticFS, "web/static")
+	staticSubFS, err := fs.Sub(web.StaticFS, "static")
 	if err != nil {
 		panic(fmt.Sprintf("ui: static sub-FS: %v", err))
 	}
@@ -170,6 +197,7 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 	mux.Handle("POST /accounts/{id}/token", admin(u.handleIssueSystemToken))
 	mux.Handle("GET /audit", adminGet(u.handleAuditPage))
 	mux.Handle("GET /audit/rows", adminGet(u.handleAuditRows))
+	mux.Handle("GET /audit/{id}", adminGet(u.handleAuditDetail))
 }
 
 // ---- Middleware ----
@@ -218,6 +246,8 @@ func (u *UIServer) requireCSRF(next http.Handler) http.Handler {
 		formVal := r.Header.Get("X-CSRF-Token")
 		if formVal == "" {
 			// Fallback: parse form and read _csrf field.
+			// Security: limit body size to prevent memory exhaustion (gosec G120).
+			r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 			if parseErr := r.ParseForm(); parseErr == nil {
 				formVal = r.FormValue("_csrf")
 			}
@@ -283,9 +313,17 @@ func (u *UIServer) setCSRFCookies(w http.ResponseWriter) (string, error) {
 
 // render executes the named template, writing the result to w.
 // Renders to a buffer first so partial template failures don't corrupt output.
+// For page templates (dashboard, accounts, etc.) the page-specific template set
+// is used; for fragment templates the name is looked up across all sets.
 func (u *UIServer) render(w http.ResponseWriter, name string, data interface{}) {
+	tmpl := u.templateFor(name)
+	if tmpl == nil {
+		u.logger.Error("template not found", "template", name)
+		http.Error(w, "internal server error", http.StatusInternalServerError)
+		return
+	}
 	var buf bytes.Buffer
-	if err := u.tmpl.ExecuteTemplate(&buf, name, data); err != nil {
+	if err := tmpl.ExecuteTemplate(&buf, name, data); err != nil {
 		u.logger.Error("template render error", "template", name, "error", err)
 		http.Error(w, "internal server error", http.StatusInternalServerError)
 		return
@@ -294,6 +332,21 @@ func (u *UIServer) render(w http.ResponseWriter, name string, data interface{})
 	_, _ = w.Write(buf.Bytes())
 }
 
+// templateFor returns the template set that contains the named template.
+// Page templates have a dedicated set; fragment templates exist in every set.
+func (u *UIServer) templateFor(name string) *template.Template {
+	if t, ok := u.tmpls[name]; ok {
+		return t
+	}
+	// Fragment — available in any page set; pick the first one.
+	for _, t := range u.tmpls {
+		if t.Lookup(name) != nil {
+			return t
+		}
+	}
+	return nil
+}
+
 // renderError returns an error response appropriate for the request type.
 func (u *UIServer) renderError(w http.ResponseWriter, r *http.Request, status int, msg string) {
 	if isHTMX(r) {
@@ -305,6 +358,10 @@ func (u *UIServer) renderError(w http.ResponseWriter, r *http.Request, status in
 	http.Error(w, msg, status)
 }
 
+// maxFormBytes limits the size of UI form submissions (1 MiB).
+// Security: prevents memory exhaustion from oversized POST bodies (gosec G120).
+const maxFormBytes = 1 << 20
+
 // clientIP extracts the client IP from RemoteAddr (best effort).
 func clientIP(r *http.Request) string {
 	addr := r.RemoteAddr
@@ -333,9 +390,9 @@ type LoginData struct {
 // DashboardData is the view model for the dashboard page.
 type DashboardData struct {
 	PageData
+	RecentEvents   []*db.AuditEventView
 	TotalAccounts  int
 	ActiveAccounts int
-	RecentEvents   []*db.AuditEventView
 }
 
 // AccountsData is the view model for the accounts list page.
@@ -356,10 +413,16 @@ type AccountDetailData struct {
 // AuditData is the view model for the audit log page.
 type AuditData struct {
 	PageData
+	FilterType string
 	Events     []*db.AuditEventView
 	EventTypes []string
-	FilterType string
 	Total      int64
-	Page       int
 	TotalPages int
+	Page       int
+}
+
+// AuditDetailData is the view model for a single audit event detail page.
+type AuditDetailData struct {
+	Event *db.AuditEventView
+	PageData
 }