feat: Add audit logging, magic bytes validation, per-user quotas, and admin API

New features in v3.3.0:
- audit.go: Security audit logging with JSON/text format, log rotation
- validation.go: Magic bytes content validation with wildcard patterns
- quota.go: Per-user storage quotas with Redis/memory tracking
- admin.go: Admin API for stats, file management, user quotas, bans

Integration:
- Updated main.go with feature initialization and handler integration
- Added audit logging for auth success/failure, uploads, downloads
- Added quota checking before upload, tracking after successful upload
- Added content validation with magic bytes detection

Config:
- New template: config-enhanced-features.toml with all new options
- Updated README.md with feature documentation

templates/config-enhanced-features.toml

@@ -0,0 +1,162 @@
+# HMAC File Server 3.3.0 "Nexus Infinitum" Configuration
+# Enhanced Features Template: Audit Logging, Content Validation, Quotas, Admin API
+# Generated on: January 2025
+
+[server]
+listen_address = "8080"
+storage_path = "/opt/hmac-file-server/data/uploads"
+metrics_enabled = true
+metrics_port = "9090"
+pid_file = "/opt/hmac-file-server/data/hmac-file-server.pid"
+max_upload_size = "10GB"
+deduplication_enabled = true
+min_free_bytes = "1GB"
+file_naming = "original"
+enable_dynamic_workers = true
+
+[security]
+secret = "CHANGE-THIS-SECRET-KEY-MINIMUM-32-CHARACTERS"
+enablejwt = false
+
+[uploads]
+allowedextensions = [".txt", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".webp", ".zip", ".tar", ".gz", ".7z", ".mp4", ".webm", ".ogg", ".mp3", ".wav", ".flac", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".ods", ".odp"]
+maxfilesize = "100MB"
+chunkeduploadsenabled = true
+chunksize = "10MB"
+networkevents = true
+
+[downloads]
+chunkeddownloadsenabled = true
+chunksize = "10MB"
+
+[logging]
+level = "INFO"
+file = "/opt/hmac-file-server/data/logs/hmac-file-server.log"
+max_size = 100
+max_backups = 3
+max_age = 30
+compress = true
+
+[workers]
+numworkers = 10
+uploadqueuesize = 1000
+autoscaling = true
+
+[timeouts]
+readtimeout = "30s"
+writetimeout = "30s"
+idletimeout = "120s"
+shutdown = "30s"
+
+[clamav]
+enabled = false
+
+[redis]
+enabled = true
+address = "127.0.0.1:6379"
+db = 0
+
+# ============================================
+# NEW ENHANCED FEATURES (v3.3.0)
+# ============================================
+
+# Security Audit Logging
+# Records security-relevant events for compliance and forensics
+[audit]
+enabled = true
+output = "file"                         # "file" or "stdout"
+path = "/var/log/hmac-audit.log"       # Log file path (when output = "file")
+format = "json"                         # "json" or "text"
+max_size = 100                          # Max size in MB before rotation
+max_age = 30                            # Max age in days
+events = [
+    "upload",                           # Log all file uploads
+    "download",                         # Log all file downloads
+    "delete",                           # Log file deletions
+    "auth_success",                     # Log successful authentications
+    "auth_failure",                     # Log failed authentications
+    "rate_limited",                     # Log rate limiting events
+    "banned",                           # Log ban events
+    "quota_exceeded",                   # Log quota exceeded events
+    "validation_failure"                # Log content validation failures
+]
+
+# Magic Bytes Content Validation
+# Validates uploaded file content types using magic bytes detection
+[validation]
+check_magic_bytes = true               # Enable magic bytes validation
+strict_mode = false                    # Strict mode rejects mismatched types
+max_peek_size = 65536                  # Bytes to read for detection (64KB)
+
+# Allowed content types (supports wildcards like "image/*")
+# If empty, all types are allowed (except blocked)
+allowed_types = [
+    "image/*",                          # All image types
+    "video/*",                          # All video types
+    "audio/*",                          # All audio types
+    "text/plain",                       # Plain text
+    "application/pdf",                  # PDF documents
+    "application/zip",                  # ZIP archives
+    "application/gzip",                 # GZIP archives
+    "application/x-tar",                # TAR archives
+    "application/x-7z-compressed",      # 7-Zip archives
+    "application/vnd.openxmlformats-officedocument.*",  # MS Office docs
+    "application/vnd.oasis.opendocument.*"              # LibreOffice docs
+]
+
+# Blocked content types (takes precedence over allowed)
+blocked_types = [
+    "application/x-executable",         # Executable files
+    "application/x-msdos-program",      # DOS executables
+    "application/x-msdownload",         # Windows executables
+    "application/x-elf",                # ELF binaries
+    "application/x-shellscript",        # Shell scripts
+    "application/javascript",           # JavaScript files
+    "text/html",                        # HTML files (potential XSS)
+    "application/x-php"                 # PHP files
+]
+
+# Per-User Storage Quotas
+# Track and enforce storage limits per XMPP JID
+[quotas]
+enabled = true                         # Enable quota enforcement
+default = "100MB"                      # Default quota for all users
+tracking = "redis"                     # "redis" or "memory"
+
+# Custom quotas per user (JID -> quota)
+[quotas.custom]
+"admin@example.com" = "10GB"           # Admin gets 10GB
+"premium@example.com" = "1GB"          # Premium user gets 1GB
+"vip@example.com" = "5GB"              # VIP user gets 5GB
+
+# Admin API for Operations and Monitoring
+# Protected endpoints for system management
+[admin]
+enabled = true                         # Enable admin API
+path_prefix = "/admin"                 # URL prefix for admin endpoints
+
+# Available endpoints (when enabled):
+# GET  /admin/stats         - Server statistics and metrics
+# GET  /admin/files         - List all uploaded files
+# GET  /admin/files/:id     - Get file details
+# DEL  /admin/files/:id     - Delete a file
+# GET  /admin/users         - List users and quota usage
+# GET  /admin/users/:jid    - Get user details and quota
+# POST /admin/users/:jid/quota - Set user quota
+# GET  /admin/bans          - List banned IPs/users
+# POST /admin/bans          - Ban an IP or user
+# DEL  /admin/bans/:id      - Unban
+
+# Admin authentication
+[admin.auth]
+type = "bearer"                        # "bearer" or "basic"
+token = "${ADMIN_TOKEN}"               # Bearer token (from environment variable)
+# For basic auth:
+# type = "basic"
+# username = "admin"
+# password_hash = "$2a$12$..."         # bcrypt hash
+
+# Rate limiting for admin endpoints
+[admin.rate_limit]
+enabled = true
+requests_per_minute = 60               # Max requests per minute per IP