fix(quality): clear SonarCloud Quality Gate on main (#73)

Three-part cleanup to clear the 21 security hotspots blocking the
SonarCloud Quality Gate on main after the design-system + storage
rebalance merges.

Changes
  * internal/ui/ui.go: drop the embedded HTML template machinery.
    The four base.html/header.html templates were embedded and parsed
    at startup but never executed — the React SPA in dist/ owns every
    route. Removing the dead code eliminates 4 LOW Web:S5725 hotspots
    (external CDN script/font tags violating rules/build.md). Removed
    fields, the html/template import, and the orphaned fmtNum helper.
  * internal/ui/templates/: deleted (base.html, header.html and the
    two unused partials). Pure dead code surviving the design-system
    migration.
  * internal/storage/retention.go: drop fmt.Sprintf for the per-table
    VACUUM ANALYZE / OPTIMIZE TABLE statements. The table names were
    already a hardcoded literal slice but the format pattern triggers
    the go:S2077 SQL-injection sniffer. Replaced with a struct slice
    holding literal SQL strings — same behavior, no taint flow for
    static analysis to follow.

Not changed in this PR (separately marked Safe in SonarCloud)
  * 16 MEDIUM go:S2245 hits on test/*/main.go — math/rand calls inside
    chaos simulator services. Non-cryptographic context (latency
    jitter, failure-mode selection); not a real security finding.

Verification
  * go vet ./... clean
  * go test ./... — 516 pass / 27 packages
  * go build ./... clean

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

internal/storage/retention.go

@@ -400,26 +400,44 @@ func (r *RetentionScheduler) runMaintenance(ctx context.Context) {
 		}
 	}
 
+	// Maintenance commands use literal SQL per table — no fmt.Sprintf — so static
+	// analyzers don't have to taint-track that the table names are hardcoded.
+	type maintCmd struct {
+		table string
+		sql   string
+	}
 	switch driver {
 	case "postgres", "postgresql":
-		for _, t := range []string{"logs", "spans", "traces", "metric_buckets"} {
+		cmds := []maintCmd{
+			{"logs", "VACUUM ANALYZE logs"},
+			{"spans", "VACUUM ANALYZE spans"},
+			{"traces", "VACUUM ANALYZE traces"},
+			{"metric_buckets", "VACUUM ANALYZE metric_buckets"},
+		}
+		for _, c := range cmds {
 			start := time.Now()
-			if _, err := sqlDB.ExecContext(ctx, fmt.Sprintf("VACUUM ANALYZE %s", t)); err != nil {
-				slog.Error("retention: VACUUM ANALYZE failed", "table", t, "error", err)
+			if _, err := sqlDB.ExecContext(ctx, c.sql); err != nil {
+				slog.Error("retention: VACUUM ANALYZE failed", "table", c.table, "error", err)
 				maintFailed = true
 			}
-			observe(t, time.Since(start))
+			observe(c.table, time.Since(start))
 		}
 	case "mysql":
 		// OPTIMIZE TABLE can run through the gorm handle (no tx restriction).
 		db := r.repo.db.WithContext(ctx)
-		for _, t := range []string{"logs", "spans", "traces", "metric_buckets"} {
+		cmds := []maintCmd{
+			{"logs", "OPTIMIZE TABLE logs"},
+			{"spans", "OPTIMIZE TABLE spans"},
+			{"traces", "OPTIMIZE TABLE traces"},
+			{"metric_buckets", "OPTIMIZE TABLE metric_buckets"},
+		}
+		for _, c := range cmds {
 			start := time.Now()
-			if err := db.Exec(fmt.Sprintf("OPTIMIZE TABLE %s", t)).Error; err != nil {
-				slog.Error("retention: OPTIMIZE TABLE failed", "table", t, "error", err)
+			if err := db.Exec(c.sql).Error; err != nil {
+				slog.Error("retention: OPTIMIZE TABLE failed", "table", c.table, "error", err)
 				maintFailed = true
 			}
-			observe(t, time.Since(start))
+			observe(c.table, time.Since(start))
 		}
 	case "sqlite":
 		start := time.Now()