feat: add server-sent events for logging and activity tracking

- Implemented a custom tracing layer (`AppLogLayer`) to capture log events and broadcast them to SSE clients.
- Created admin routes for streaming server logs and listing recent activity logs.
- Added an activity log repository interface and SQLite implementation for persisting activity events.
- Integrated activity logging into user authentication and channel CRUD operations.
- Developed frontend components for displaying server logs and activity logs in the admin panel.
- Enhanced the video player with a stats overlay for monitoring streaming metrics.

k-tv-backend/api/src/routes/admin.rs

@@ -0,0 +1,95 @@
+//! Admin routes: SSE log stream + activity log.
+
+use axum::{
+    Json,
+    extract::State,
+    response::{
+        IntoResponse,
+        sse::{Event, KeepAlive, Sse},
+    },
+};
+use tokio_stream::{StreamExt, wrappers::BroadcastStream};
+
+use crate::{
+    dto::ActivityEventResponse,
+    error::ApiError,
+    extractors::OptionalCurrentUser,
+    state::AppState,
+};
+
+use axum::Router;
+use axum::routing::get;
+
+pub fn router() -> Router<AppState> {
+    Router::new()
+        .route("/logs", get(stream_logs))
+        .route("/activity", get(list_activity))
+}
+
+/// Stream server log lines as Server-Sent Events.
+///
+/// Auth: requires a valid JWT passed as `?token=<jwt>` (EventSource cannot set headers).
+/// On connect: flushes the recent history ring buffer, then streams live events.
+pub async fn stream_logs(
+    State(state): State<AppState>,
+    OptionalCurrentUser(user): OptionalCurrentUser,
+) -> Result<impl IntoResponse, ApiError> {
+    if user.is_none() {
+        return Err(ApiError::Unauthorized(
+            "Authentication required for log stream".to_string(),
+        ));
+    }
+
+    // Snapshot history and subscribe before releasing the lock so we don't miss events.
+    let rx = state.log_tx.subscribe();
+    let history: Vec<_> = state
+        .log_history
+        .lock()
+        .map(|h| h.iter().cloned().collect())
+        .unwrap_or_default();
+
+    let history_stream = tokio_stream::iter(history).map(|line| {
+        let data = serde_json::to_string(&line).unwrap_or_default();
+        Ok::<Event, String>(Event::default().data(data))
+    });
+
+    let live_stream = BroadcastStream::new(rx).filter_map(|result| match result {
+        Ok(line) => {
+            let data = serde_json::to_string(&line).unwrap_or_default();
+            Some(Ok::<Event, String>(Event::default().data(data)))
+        }
+        Err(tokio_stream::wrappers::errors::BroadcastStreamRecvError::Lagged(n)) => {
+            let data = format!(
+                r#"{{"level":"WARN","target":"sse","message":"[{n} log lines dropped — buffer overrun]","timestamp":""}}"#
+            );
+            Some(Ok(Event::default().data(data)))
+        }
+    });
+
+    let combined = history_stream.chain(live_stream);
+
+    Ok(Sse::new(combined).keep_alive(KeepAlive::default()))
+}
+
+/// Return recent activity log entries.
+///
+/// Auth: requires a valid JWT (Authorization: Bearer or ?token=).
+pub async fn list_activity(
+    State(state): State<AppState>,
+    OptionalCurrentUser(user): OptionalCurrentUser,
+) -> Result<impl IntoResponse, ApiError> {
+    if user.is_none() {
+        return Err(ApiError::Unauthorized(
+            "Authentication required".to_string(),
+        ));
+    }
+
+    let events = state
+        .activity_log_repo
+        .recent(50)
+        .await
+        .map_err(ApiError::from)?;
+
+    let response: Vec<ActivityEventResponse> = events.into_iter().map(Into::into).collect();
+    Ok(Json(response))
+}

k-tv-backend/api/src/routes/auth/local.rs

@@ -35,6 +35,7 @@ pub(super) async fn login(
     }
 
     let token = create_jwt(&user, &state)?;
+    let _ = state.activity_log_repo.log("user_login", user.email.as_ref(), None).await;
 
     Ok((
         StatusCode::OK,

k-tv-backend/api/src/routes/channels/crud.rs

@@ -69,6 +69,7 @@ pub(super) async fn create_channel(
     }
 
     let _ = state.event_tx.send(domain::DomainEvent::ChannelCreated { channel: channel.clone() });
+    let _ = state.activity_log_repo.log("channel_created", &channel.name, Some(channel.id)).await;
     Ok((StatusCode::CREATED, Json(ChannelResponse::from(channel))))
 }
 
@@ -144,6 +145,7 @@ pub(super) async fn update_channel(
 
     let channel = state.channel_service.update(channel).await?;
     let _ = state.event_tx.send(domain::DomainEvent::ChannelUpdated { channel: channel.clone() });
+    let _ = state.activity_log_repo.log("channel_updated", &channel.name, Some(channel.id)).await;
     Ok(Json(ChannelResponse::from(channel)))
 }
 
@@ -155,5 +157,6 @@ pub(super) async fn delete_channel(
     // ChannelService::delete enforces ownership internally
     state.channel_service.delete(channel_id, user.id).await?;
     let _ = state.event_tx.send(domain::DomainEvent::ChannelDeleted { channel_id });
+    let _ = state.activity_log_repo.log("channel_deleted", &channel_id.to_string(), Some(channel_id)).await;
     Ok(StatusCode::NO_CONTENT)
 }

k-tv-backend/api/src/routes/channels/schedule.rs

@@ -37,6 +37,8 @@ pub(super) async fn generate_schedule(
         channel_id,
         schedule: schedule.clone(),
     });
+    let detail = format!("{} slots", schedule.slots.len());
+    let _ = state.activity_log_repo.log("schedule_generated", &detail, Some(channel_id)).await;
     Ok((StatusCode::CREATED, Json(ScheduleResponse::from(schedule))))
 }
 

k-tv-backend/api/src/routes/mod.rs

@@ -5,6 +5,7 @@
 use crate::state::AppState;
 use axum::Router;
 
+pub mod admin;
 pub mod auth;
 pub mod channels;
 pub mod config;
@@ -15,6 +16,7 @@ pub mod library;
 /// Construct the API v1 router
 pub fn api_v1_router() -> Router<AppState> {
     Router::new()
+        .nest("/admin", admin::router())
         .nest("/auth", auth::router())
         .nest("/channels", channels::router())
         .nest("/config", config::router())