feat: production-readiness hardening across security, async, DB, ops

Security
- SSRF: async DNS resolver; allow_redirects=False on all outbound clients;
  matrix homeserver_url validated on create/update/test; update_provider
  and email_bot merge incoming config and reject ***-masked secrets.
- Auth: bcrypt offloaded to asyncio.to_thread; JWT now carries iss/aud +
  leeway and rejects missing claims; setup TOCTOU closed inside a
  transaction; rate limits extended (default 600/min, 10/min on password
  change, 30/min on needs-setup); constant-time login to prevent username
  enumeration.
- Config: rejects known dev secret keys; validates CORS origin schemes,
  port range, token lifetimes.
- Webhook handlers stream-read body with a 1 MiB cap; Discord 429 retries
  bounded (3 attempts, Retry-After capped at 60 s).
- CSP + HSTS added to SecurityHeadersMiddleware.

Async / runtime
- SQLite engine: WAL, synchronous=NORMAL, foreign_keys=ON, busy_timeout,
  pool_pre_ping, dispose on shutdown.
- Lifespan shutdown now stops scheduler before closing HTTP session and
  disposing the engine.
- Shared aiohttp session locked against concurrent first-caller races;
  core NotificationDispatcher accepts and reuses it.
- Storage and scheduled backup writes wrapped in asyncio.to_thread.
- NUT client writes bounded by asyncio.wait_for.
- Telegram poller switched from 3 s short-poll to 30 s interval + 25 s
  long-poll (~10x fewer API calls).

Database
- New performance-indexes migration covers every FK/owner column and
  hot-path composite (notification_tracker(provider_id, enabled);
  event_log(user_id, created_at DESC); webhook_payload_log(provider_id,
  created_at DESC); action_execution(action_id, started_at DESC)).
- New schema_version table for future upgrade gating.
- __system__ placeholder user (id=0) seeded so user_id=0 system defaults
  satisfy the newly enforced FK; filtered out of /auth/needs-setup,
  /api/users, and setup.
- list_notification_trackers rewritten to batched loads (was 1+N+N*M).
- Retention job extended to event_log, webhook_payload_log, and
  action_execution; retention days exposed as a setting.

Scheduler
- AsyncIOScheduler job_defaults: coalesce, misfire_grace_time=300,
  max_instances=1.

Ops
- uvicorn runs with proxy_headers, forwarded_allow_ips,
  timeout_graceful_shutdown; access log suppressed in non-debug.
- FastAPI version string now reads from importlib.metadata.
- New /api/ready endpoint separate from /api/health.
- docker-compose drops the ALLOW_PRIVATE_URLS=1 default, adds mem/cpu/pid
  limits, read_only + tmpfs, cap_drop:ALL, no-new-privileges; healthcheck
  targets /api/ready.
- CI now runs on push/PR with backend pytest, frontend svelte-check +
  build, and a non-push image build; release workflow gated on tests,
  publishes immutable sha-<commit> image tag, adds Trivy scan.

Tests
- New packages/server/tests/ with 29 passing tests: config validation,
  JWT round-trip + aud/alg=none rejection, SSRF scheme and private-range
  enforcement (sync + async), Discord bounded retry, and a lifespan-level
  /api/health + /api/ready smoke check.
- Renamed the misnamed services/test_dispatch.py to manual_dispatch.py so
  pytest never auto-collects production code.

Frontend
- /login now redirects already-authenticated users to /, shows a distinct
  'backend unreachable' banner (en/ru) when /auth/needs-setup fails.

packages/server/tests/conftest.py

@@ -0,0 +1,33 @@
+"""Shared pytest fixtures.
+
+We set the required env vars before any ``notify_bridge_server`` module is
+imported so ``Settings()`` passes its startup validation and opens the DB
+in a writable temp directory instead of the production ``/data`` default.
+"""
+
+from __future__ import annotations
+
+import os
+import tempfile
+from pathlib import Path
+
+import pytest
+
+# Provision a writable temp data dir BEFORE the server package is imported —
+# Settings() materializes at import time, so env-var overrides have to land
+# here (conftest.py) to be effective.
+_TMP = Path(tempfile.mkdtemp(prefix="notify-bridge-tests-"))
+os.environ["NOTIFY_BRIDGE_DATA_DIR"] = str(_TMP)
+
+os.environ.setdefault(
+    "NOTIFY_BRIDGE_SECRET_KEY",
+    "pytest-secret-key-" + "x" * 40,
+)
+os.environ.setdefault("NOTIFY_BRIDGE_DEBUG", "false")
+os.environ.setdefault("NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS", "http://localhost:8420")
+
+
+@pytest.fixture(scope="session")
+def tmp_data_dir() -> Path:
+    """Expose the already-provisioned temp dir to tests that want the path."""
+    return _TMP

packages/server/tests/test_config.py

@@ -0,0 +1,64 @@
+"""Unit tests for the Settings validator."""
+
+from __future__ import annotations
+
+import pytest
+
+from notify_bridge_server.config import Settings, _FORBIDDEN_SECRETS
+
+
+_GOOD = "a" * 40
+
+
+def _make(**kwargs) -> Settings:
+    defaults = dict(secret_key=_GOOD, cors_allowed_origins="http://localhost:8420")
+    defaults.update(kwargs)
+    return Settings(**defaults)
+
+
+class TestSecretKey:
+    def test_accepts_long_random_key(self) -> None:
+        _make()
+
+    def test_rejects_default(self) -> None:
+        with pytest.raises(ValueError, match="SECURITY"):
+            _make(secret_key="change-me-in-production")
+
+    def test_rejects_known_dev_keys(self) -> None:
+        for bad in _FORBIDDEN_SECRETS:
+            with pytest.raises(ValueError):
+                _make(secret_key=bad)
+
+    def test_rejects_short_key(self) -> None:
+        with pytest.raises(ValueError, match="32 characters"):
+            _make(secret_key="short")
+
+
+class TestCors:
+    def test_rejects_wildcard(self) -> None:
+        with pytest.raises(ValueError, match="wildcard"):
+            _make(cors_allowed_origins="*")
+
+    def test_rejects_missing_scheme(self) -> None:
+        with pytest.raises(ValueError, match="scheme"):
+            _make(cors_allowed_origins="example.com")
+
+    def test_accepts_multiple(self) -> None:
+        cfg = _make(cors_allowed_origins="http://localhost:8420,https://example.com")
+        assert "http://localhost:8420" in cfg.cors_allowed_origins
+
+
+class TestNumericValidation:
+    def test_rejects_zero_access_token_expiry(self) -> None:
+        with pytest.raises(ValueError):
+            _make(access_token_expire_minutes=0)
+
+    def test_rejects_invalid_port(self) -> None:
+        with pytest.raises(ValueError):
+            _make(port=0)
+        with pytest.raises(ValueError):
+            _make(port=70000)
+
+    def test_rejects_negative_retention(self) -> None:
+        with pytest.raises(ValueError):
+            _make(event_log_retention_days=-1)

packages/server/tests/test_discord_retry.py

@@ -0,0 +1,46 @@
+"""Discord client 429-retry bounding."""
+
+from __future__ import annotations
+
+import pytest
+from aioresponses import aioresponses
+
+import aiohttp
+
+from notify_bridge_core.notifications.discord.client import DiscordClient
+
+
+WEBHOOK = "https://discord.com/api/webhooks/123/abc"
+
+
+@pytest.mark.asyncio
+async def test_bounded_retries_on_persistent_429() -> None:
+    """If every response is 429, the client gives up after _MAX_RETRIES."""
+    with aioresponses() as mocked:
+        mocked.post(WEBHOOK, status=429, headers={"Retry-After": "0.001"}, repeat=True)
+
+        async with aiohttp.ClientSession() as sess:
+            client = DiscordClient(sess)
+            result = await client.send(WEBHOOK, "hello")
+
+    assert result["success"] is False
+    # Either the custom "Rate limited" message or the bare HTTP 429 from the
+    # final attempt — both indicate bounded retries without infinite recursion.
+    assert "429" in result["error"] or "Rate limited" in result["error"]
+
+
+@pytest.mark.asyncio
+async def test_caps_retry_after() -> None:
+    """A malicious Retry-After: 99999 must not pin the task for hours."""
+    with aioresponses() as mocked:
+        # First call: absurd Retry-After. Second call: success.
+        mocked.post(WEBHOOK, status=429, headers={"Retry-After": "99999"})
+        mocked.post(WEBHOOK, status=204)
+
+        async with aiohttp.ClientSession() as sess:
+            client = DiscordClient(sess)
+            # Override the cap to something trivial so the test completes fast.
+            client._MAX_RETRY_AFTER = 0.001  # type: ignore[attr-defined]
+            result = await client.send(WEBHOOK, "hello")
+
+    assert result["success"] is True

packages/server/tests/test_health.py

@@ -0,0 +1,39 @@
+"""Smoke test: app imports, /api/health returns 200, version string present."""
+
+from __future__ import annotations
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+def test_health_endpoint(tmp_data_dir) -> None:  # noqa: ARG001 — fixture applies env
+    from notify_bridge_server.main import app
+
+    # TestClient runs the lifespan on enter/exit, so migrations run once
+    # against the temp data dir — a genuine integration smoke check.
+    with TestClient(app) as client:
+        resp = client.get("/api/health")
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["status"] == "ok"
+        assert body["version"] != "0.0.0+unknown"
+        assert "." in body["version"]  # looks like a real version
+
+
+def test_ready_endpoint(tmp_data_dir) -> None:  # noqa: ARG001
+    from notify_bridge_server.main import app
+
+    with TestClient(app) as client:
+        resp = client.get("/api/ready")
+        # By the time TestClient yields, lifespan startup has completed.
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "ready"
+
+
+def test_health_is_anonymous(tmp_data_dir) -> None:  # noqa: ARG001
+    """/api/health must not require auth — the Docker healthcheck depends on it."""
+    from notify_bridge_server.main import app
+
+    with TestClient(app) as client:
+        resp = client.get("/api/health")
+        assert resp.status_code == 200

packages/server/tests/test_jwt.py

@@ -0,0 +1,74 @@
+"""JWT encode/decode round-trips."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import jwt as pyjwt
+import pytest
+
+from notify_bridge_server.auth.jwt import (
+    ALGORITHM,
+    create_access_token,
+    create_refresh_token,
+    decode_token,
+)
+from notify_bridge_server.config import settings
+
+
+def test_access_token_round_trip() -> None:
+    token = create_access_token(user_id=1, role="admin", token_version=3)
+    payload = decode_token(token)
+    assert payload["sub"] == "1"
+    assert payload["type"] == "access"
+    assert payload["role"] == "admin"
+    assert payload["ver"] == 3
+    assert payload["iss"] == settings.jwt_issuer
+    assert payload["aud"] == settings.jwt_audience
+
+
+def test_refresh_token_round_trip() -> None:
+    token = create_refresh_token(user_id=7, token_version=2)
+    payload = decode_token(token)
+    assert payload["type"] == "refresh"
+    assert payload["sub"] == "7"
+
+
+def test_decode_rejects_wrong_audience() -> None:
+    """A token signed with our key but for a different audience is rejected."""
+    now = datetime.now(timezone.utc)
+    forged = pyjwt.encode(
+        {
+            "iss": settings.jwt_issuer,
+            "aud": "other-service",
+            "sub": "1",
+            "type": "access",
+            "ver": 1,
+            "iat": now,
+            "exp": now + timedelta(minutes=5),
+        },
+        settings.secret_key,
+        algorithm=ALGORITHM,
+    )
+    with pytest.raises(pyjwt.InvalidAudienceError):
+        decode_token(forged)
+
+
+def test_decode_rejects_none_alg() -> None:
+    """An ``alg: none`` token must never be accepted."""
+    now = datetime.now(timezone.utc)
+    forged = pyjwt.encode(
+        {
+            "iss": settings.jwt_issuer,
+            "aud": settings.jwt_audience,
+            "sub": "1",
+            "type": "access",
+            "ver": 1,
+            "iat": now,
+            "exp": now + timedelta(minutes=5),
+        },
+        "",
+        algorithm="none",
+    )
+    with pytest.raises(pyjwt.InvalidAlgorithmError):
+        decode_token(forged)

packages/server/tests/test_ssrf.py

@@ -0,0 +1,59 @@
+"""SSRF guard regression tests."""
+
+from __future__ import annotations
+
+import pytest
+
+from notify_bridge_core.notifications.ssrf import (
+    UnsafeURLError,
+    avalidate_outbound_url,
+    validate_outbound_url,
+)
+
+
+class TestScheme:
+    def test_rejects_file_scheme(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url("file:///etc/passwd")
+
+    def test_rejects_gopher(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url("gopher://example.com/")
+
+    def test_accepts_https(self) -> None:
+        # A well-known public host — validated via real DNS so this test is
+        # skipped when offline.
+        try:
+            validate_outbound_url("https://example.com/")
+        except UnsafeURLError as err:
+            if "DNS" in str(err):
+                pytest.skip("No DNS in test environment")
+            raise
+
+
+class TestBlockedRanges:
+    @pytest.mark.parametrize(
+        "url",
+        [
+            "http://127.0.0.1/",
+            "http://10.0.0.1/",
+            "http://192.168.1.1/",
+            "http://169.254.169.254/latest/meta-data/",
+            "http://[::1]/",
+        ],
+    )
+    def test_rejects_literal_private(self, url: str) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url(url)
+
+
+class TestAsyncValidator:
+    @pytest.mark.asyncio
+    async def test_async_rejects_loopback(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            await avalidate_outbound_url("http://127.0.0.1/")
+
+    @pytest.mark.asyncio
+    async def test_async_rejects_bad_scheme(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            await avalidate_outbound_url("file:///etc/passwd")