feat: production-readiness hardening across security, async, DB, ops

Security
- SSRF: async DNS resolver; allow_redirects=False on all outbound clients;
  matrix homeserver_url validated on create/update/test; update_provider
  and email_bot merge incoming config and reject ***-masked secrets.
- Auth: bcrypt offloaded to asyncio.to_thread; JWT now carries iss/aud +
  leeway and rejects missing claims; setup TOCTOU closed inside a
  transaction; rate limits extended (default 600/min, 10/min on password
  change, 30/min on needs-setup); constant-time login to prevent username
  enumeration.
- Config: rejects known dev secret keys; validates CORS origin schemes,
  port range, token lifetimes.
- Webhook handlers stream-read body with a 1 MiB cap; Discord 429 retries
  bounded (3 attempts, Retry-After capped at 60 s).
- CSP + HSTS added to SecurityHeadersMiddleware.

Async / runtime
- SQLite engine: WAL, synchronous=NORMAL, foreign_keys=ON, busy_timeout,
  pool_pre_ping, dispose on shutdown.
- Lifespan shutdown now stops scheduler before closing HTTP session and
  disposing the engine.
- Shared aiohttp session locked against concurrent first-caller races;
  core NotificationDispatcher accepts and reuses it.
- Storage and scheduled backup writes wrapped in asyncio.to_thread.
- NUT client writes bounded by asyncio.wait_for.
- Telegram poller switched from 3 s short-poll to 30 s interval + 25 s
  long-poll (~10x fewer API calls).

Database
- New performance-indexes migration covers every FK/owner column and
  hot-path composite (notification_tracker(provider_id, enabled);
  event_log(user_id, created_at DESC); webhook_payload_log(provider_id,
  created_at DESC); action_execution(action_id, started_at DESC)).
- New schema_version table for future upgrade gating.
- __system__ placeholder user (id=0) seeded so user_id=0 system defaults
  satisfy the newly enforced FK; filtered out of /auth/needs-setup,
  /api/users, and setup.
- list_notification_trackers rewritten to batched loads (was 1+N+N*M).
- Retention job extended to event_log, webhook_payload_log, and
  action_execution; retention days exposed as a setting.

Scheduler
- AsyncIOScheduler job_defaults: coalesce, misfire_grace_time=300,
  max_instances=1.

Ops
- uvicorn runs with proxy_headers, forwarded_allow_ips,
  timeout_graceful_shutdown; access log suppressed in non-debug.
- FastAPI version string now reads from importlib.metadata.
- New /api/ready endpoint separate from /api/health.
- docker-compose drops the ALLOW_PRIVATE_URLS=1 default, adds mem/cpu/pid
  limits, read_only + tmpfs, cap_drop:ALL, no-new-privileges; healthcheck
  targets /api/ready.
- CI now runs on push/PR with backend pytest, frontend svelte-check +
  build, and a non-push image build; release workflow gated on tests,
  publishes immutable sha-<commit> image tag, adds Trivy scan.

Tests
- New packages/server/tests/ with 29 passing tests: config validation,
  JWT round-trip + aud/alg=none rejection, SSRF scheme and private-range
  enforcement (sync + async), Discord bounded retry, and a lifespan-level
  /api/health + /api/ready smoke check.
- Renamed the misnamed services/test_dispatch.py to manual_dispatch.py so
  pytest never auto-collects production code.

Frontend
- /login now redirects already-authenticated users to /, shows a distinct
  'backend unreachable' banner (en/ru) when /auth/needs-setup fails.

packages/server/src/notify_bridge_server/api/notification_trackers.py

@@ -11,6 +11,7 @@ from ..auth.dependencies import get_current_user
 from ..database.engine import get_session
 from ..database.models import (
     EventLog,
+    NotificationTarget,
     NotificationTracker,
     NotificationTrackerState,
     NotificationTrackerTarget,
@@ -54,11 +55,79 @@ async def list_notification_trackers(
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
+    # Batched loader: pull trackers, then all their tracker-target links in
+    # a single query, then the referenced targets in a single query. Avoids
+    # the old 1 + N + N*M pattern that ran ~60 round-trips for 10 trackers.
     result = await session.exec(
         select(NotificationTracker).where(NotificationTracker.user_id == user.id)
     )
-    trackers = result.all()
-    return [await _tracker_response(session, t) for t in trackers]
+    trackers = list(result.all())
+    if not trackers:
+        return []
+
+    tracker_ids = [t.id for t in trackers]
+    tt_result = await session.exec(
+        select(NotificationTrackerTarget).where(
+            NotificationTrackerTarget.tracker_id.in_(tracker_ids)
+        )
+    )
+    tt_rows = list(tt_result.all())
+
+    target_ids = {tt.target_id for tt in tt_rows}
+    targets_by_id: dict[int, NotificationTarget] = {}
+    if target_ids:
+        tgt_result = await session.exec(
+            select(NotificationTarget).where(NotificationTarget.id.in_(target_ids))
+        )
+        targets_by_id = {t.id: t for t in tgt_result.all()}
+
+    tts_by_tracker: dict[int, list[NotificationTrackerTarget]] = {}
+    for tt in tt_rows:
+        tts_by_tracker.setdefault(tt.tracker_id, []).append(tt)
+
+    return [
+        _build_tracker_response(t, tts_by_tracker.get(t.id, []), targets_by_id)
+        for t in trackers
+    ]
+
+
+def _build_tracker_response(
+    t: NotificationTracker,
+    tts: list[NotificationTrackerTarget],
+    targets_by_id: dict[int, NotificationTarget],
+) -> dict:
+    """In-memory assembler for a tracker + its pre-loaded links/targets."""
+    tracker_targets = []
+    for tt in tts:
+        target = targets_by_id.get(tt.target_id)
+        tracker_targets.append({
+            "id": tt.id,
+            "tracker_id": tt.tracker_id,
+            "target_id": tt.target_id,
+            "target_name": target.name if target else None,
+            "target_type": target.type if target else None,
+            "target_icon": target.icon if target else None,
+            "tracking_config_id": tt.tracking_config_id,
+            "template_config_id": tt.template_config_id,
+            "enabled": tt.enabled,
+            "quiet_hours_start": tt.quiet_hours_start,
+            "quiet_hours_end": tt.quiet_hours_end,
+            "created_at": tt.created_at.isoformat(),
+        })
+    return {
+        "id": t.id,
+        "name": t.name,
+        "icon": t.icon,
+        "provider_id": t.provider_id,
+        "collection_ids": t.collection_ids,
+        "scan_interval": t.scan_interval,
+        "batch_duration": t.batch_duration,
+        "default_tracking_config_id": t.default_tracking_config_id,
+        "default_template_config_id": t.default_template_config_id,
+        "enabled": t.enabled,
+        "tracker_targets": tracker_targets,
+        "created_at": t.created_at.isoformat(),
+    }
 
 
 @router.post("", status_code=status.HTTP_201_CREATED)