feat: Google Photos provider backend + API hardening

- Add Google Photos provider: client, models, change detector, capabilities
- Add notification templates (en/ru) for all GP event slots
- Add command templates (en/ru) for GP bot commands
- Register GP in slot/command loaders, capabilities, and seeds
- Harden provider API: validate OAuth credentials on create/update
- Add internal URL rewriting for asset fetches (LAN optimization)
- Fix template renderer to handle missing variables gracefully
- Improve webhook command routing for multi-provider support
- Add provider health check endpoint and watcher improvements

packages/server/src/notify_bridge_server/commands/webhook.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import hmac
 import logging
 from typing import Any
 
@@ -40,7 +41,7 @@ async def telegram_webhook(
     """Handle incoming Telegram messages — route commands to handlers."""
     # Validate webhook secret if configured
     if _webhook_secret:
-        if x_telegram_bot_api_secret_token != _webhook_secret:
+        if not hmac.compare_digest(x_telegram_bot_api_secret_token or "", _webhook_secret):
             raise HTTPException(status_code=403, detail="Invalid webhook secret")
 
     # Find bot by opaque webhook path ID (not by token — token must not appear in URLs)