fix(security,perf): harden restore, CSRF, token_version + perf pass

Security
- Sign pending_restore.json (SHA256 stored in AppSetting, verified on
  startup apply) + refuse path outside data_dir, tighten to 0600.
- Require same-origin Origin/Referer on POST /api/backup/apply-restart —
  Bearer-in-localStorage is CSRF-reachable from any XSS'd admin tab.
- Bump token_version on role/username change and admin password reset so
  demoted admins lose admin in already-issued JWTs.  Guard last-admin
  TOCTOU via COUNT + post-commit re-check that rolls back a race.
- SSRF guard (validate_outbound_url) in ImmichClient.__init__ and the
  external_domain setter — admin-mutable URLs were bypassing the check
  that webhook/slack/discord paths already used.  Dev restart script now
  sets NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1 so homelab Immich still works.
- Redact + cap Immich error bodies to ~120 chars before they flow into
  ActionExecution.error / EventLog.details (both UI-visible).
- Deny-list sensitive keys (api_key / token / secret / password /
  authorization / cookie / ...) in template-context merges so a rogue
  template can't exfiltrate provider creds via {{ api_key }}.
- Cap user-controlled Immich search params (query ≤256, person_ids ≤50,
  size ≤100) so a Telegram listener can't DoS upstream.
- Stream upload reads with running byte counter + content-length precheck
  instead of buffering the full body and then rejecting.
- Log Telegram parse_mode fallbacks instead of swallowing silently;
  template escape bugs now surface in server logs.
- Rollback partial imports on pending-restore failure (error recorded on
  a fresh session).

Performance
- Fix N+1 in _refresh_telegram_chat_titles: single IN query instead of
  session.get per chat.
- Parallelize album + shared-link fetches in test_dispatch (asyncio.gather)
  and per-receiver Telegram test sends in notifier (semaphore 5).
- Early-exit collect_scheduled_assets(limit=0) so the periodic-summary
  test path skips full per-album filter/sample (was O(album_assets)).
- Emit explicit CREATE INDEX IF NOT EXISTS for event_log user_id /
  action_id / provider_id so the first boot after upgrade isn't left
  unindexed for the dashboard query.
- Add AbortController timeout (120s) to fetchAuth so uploads/downloads
  don't hang indefinitely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packages/server/src/notify_bridge_server/database/migrations.py

@@ -92,6 +92,21 @@ async def migrate_schema(engine: AsyncEngine) -> None:
                     await conn.execute(text(sql))
                     logger.info("Added %s column to event_log table", col)
 
+            # Explicit indexes on the dashboard-query columns. SQLModel's
+            # ``index=True`` is emitted by ``create_all`` on *new* installs,
+            # but ALTER TABLE ADD COLUMN doesn't create them on upgrades —
+            # so the first boot after upgrade would leave these unindexed
+            # and status.py ``WHERE user_id=...`` would table-scan. The
+            # indexes are redundant-but-safe once create_all also runs.
+            for idx_name, col in [
+                ("ix_event_log_user_id", "user_id"),
+                ("ix_event_log_action_id", "action_id"),
+                ("ix_event_log_provider_id", "provider_id"),
+            ]:
+                await conn.execute(
+                    text(f"CREATE INDEX IF NOT EXISTS {idx_name} ON event_log ({col})")
+                )
+
             # Backfill user_id from notification_tracker for legacy rows.
             # Safe to run repeatedly: only touches rows where user_id is still NULL.
             await conn.execute(text("""
@@ -250,6 +265,21 @@ async def migrate_schema(engine: AsyncEngine) -> None:
                 )
                 logger.info("Added track_webhook_received column to tracking_config table")
 
+        # Add quiet hours to tracking_config if missing.
+        # Start/end are nullable HH:MM strings; quiet_hours_enabled gates them.
+        if await _has_table(conn, "tracking_config"):
+            if not await _has_column(conn, "tracking_config", "quiet_hours_enabled"):
+                await conn.execute(
+                    text("ALTER TABLE tracking_config ADD COLUMN quiet_hours_enabled INTEGER DEFAULT 0")
+                )
+                logger.info("Added quiet_hours_enabled column to tracking_config table")
+            for col_name in ("quiet_hours_start", "quiet_hours_end"):
+                if not await _has_column(conn, "tracking_config", col_name):
+                    await conn.execute(
+                        text(f"ALTER TABLE tracking_config ADD COLUMN {col_name} TEXT")
+                    )
+                    logger.info("Added %s column to tracking_config table", col_name)
+
         # Drop legacy template content columns from template_config
         # (template content moved to template_slot child rows)
         if await _has_table(conn, "template_config"):