feat: large polish pass — UX fixes, per-chat scope, restore/backup, action events

Backend
- Per-chat album scope for Immich commands (search/latest/memory/...): new
  allowed_album_ids on CommandTrackerListener, threaded listener/page kwargs
  through ProviderCommandHandler.handle; PATCH listener-scope endpoint.
- /search and /find accept a trailing page number; Immich client search_smart
  / search_metadata take a page param.
- Immich person-asset lookup switched from removed GET /api/people/{id}/assets
  to POST /api/search/metadata with personIds (fixes /person command and
  auto_organize rules silently returning zero candidates on Immich 1.106+).
- Auto_organize rule now sets the target album's thumbnail to the first added
  image when missing (falls back to any asset type); failures do not fail the
  rule. add_assets_to_album surfaces the Immich error body on non-2xx.
- EventLog.user_id / action_id / action_name columns with defensive migration
  + backfill. Status query filters by user_id directly; Immich/webhook paths
  emit user_id explicitly. action_runner writes an action_success/partial/
  failed event on each non-dry-run.
- Dashboard DELETE /api/status/events (scoped to user_id) + rendering live
  tracker/provider/action names via FK join with snapshot fallback.
- PATCH /api/users/{id} for username/role change with last-admin guard.
- Deletion protection returns structured {message, entity, blocked_by}
  (ApiError carries .blockedBy; frontend opens BlockedByModal).
- Backup prepare-restore → AppSetting markers + atomic write of
  pending_restore.json; lifespan hook applies on next startup and archives
  under data/applied_restores/. apply-restart sends SIGTERM so the lifespan
  shutdown runs; NOTIFY_BRIDGE_SUPERVISED env override gates the button.
  Manual POST /api/backup/files (same format as scheduled).
- New periodic-summary test path reuses shared collect_scheduled_assets
  (limit=0) so test and future production code go through one primitive.
- Per-receiver locale for Telegram test messages (resolves
  TelegramChat.language_override per chat instead of applying the first
  receiver's locale to everyone).
- Bounded concurrency (semaphores) in NotificationDispatcher._preload_asset_data
  and _refresh_telegram_chat_titles; chat title sweep extended to 24h since
  save_chat_from_webhook covers active chats opportunistically.
- Telegram poller detects the \"webhook is active\" 409 and auto-calls
  deleteWebhook for bots whose DB update_mode is polling (throttled per bot).
- TelegramClient.get_chat added (CLAUDE.md rule 6); set_album_thumbnail added.
- Seeds: rename \"Default Commands\" → \"Default Immich Commands\";
  track_assets_removed default False.

Frontend
- Global provider selector visible when there is only one provider.
- Clear-events button + i18n + ConfirmModal on the dashboard; new icons/
  labels/filters/colors for action_success / action_partial / action_failed.
- Auto-select first available tracking/template/command/config + bot on
  create forms (trackers, command-trackers, targets, template/command
  configs).
- Telegram target disable_url_preview defaults to true.
- BlockedByModal wired into 8 deletion flows; fetchAuth helper for
  multipart/binary calls (reuses api()'s refresh + ApiError mapping).
- Immich tracker 'Checking links' parallelised (concurrency cap 6).
- Backup page: pending-restore banner + Apply-now / Apply-later modal,
  restarting overlay polling /api/health, manual 'Create backup' button.
- Command-trackers listener row gets an 'Edit album scope' modal with
  inherit/explicit multiselect.
- Users page: Edit user modal (username + role).
- parseDate helper for consistent UTC date rendering.

Migrations / schema
- event_log: + user_id, action_id, action_name (+ backfill user_id from
  notification_tracker).
- command_tracker_listener: + allowed_album_ids.

packages/server/src/notify_bridge_server/api/backup.py

@@ -1,10 +1,13 @@
 """Configuration backup/restore API (admin only)."""
 
+import asyncio
 import json
 import logging
+import os
+import signal
 from datetime import datetime, timezone
 
-from fastapi import APIRouter, Depends, HTTPException, UploadFile, File, Query
+from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, UploadFile, File, Query
 from fastapi.responses import JSONResponse
 from sqlmodel.ext.asyncio.session import AsyncSession
 
@@ -16,10 +19,24 @@ from ..services.backup_schema import (
     ALL_CATEGORIES, BackupCategory, BackupFile, ConflictMode, SecretsMode,
 )
 from ..services.backup_service import (
-    cleanup_old_backups, export_backup, import_backup, list_backup_files,
-    validate_backup,
+    cleanup_old_backups, export_backup, export_backup_to_file, import_backup,
+    list_backup_files, validate_backup,
 )
 
+# Pending-restore marker keys (single source of truth consumed at startup)
+PENDING_RESTORE_PATH_KEY = "pending_restore_path"
+PENDING_RESTORE_CONFLICT_KEY = "pending_restore_conflict_mode"
+PENDING_RESTORE_UPLOADED_AT_KEY = "pending_restore_uploaded_at"
+PENDING_RESTORE_UPLOADED_BY_KEY = "pending_restore_uploaded_by"
+
+
+def _pending_restore_path():
+    return app_config.data_dir / "pending_restore.json"
+
+
+def _applied_restores_dir():
+    return app_config.data_dir / "applied_restores"
+
 _LOGGER = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/api/backup", tags=["backup"])
@@ -131,6 +148,188 @@ async def import_config(
     return result.model_dump()
 
 
+# ---------------------------------------------------------------------------
+# Pending restore (prepare → apply on next restart)
+# ---------------------------------------------------------------------------
+
+async def _set_app_setting(session: AsyncSession, key: str, value: str) -> None:
+    row = await session.get(AppSetting, key)
+    if row:
+        row.value = value
+    else:
+        row = AppSetting(key=key, value=value)
+    session.add(row)
+
+
+async def _clear_pending_restore_markers(session: AsyncSession) -> None:
+    for key in (
+        PENDING_RESTORE_PATH_KEY,
+        PENDING_RESTORE_CONFLICT_KEY,
+        PENDING_RESTORE_UPLOADED_AT_KEY,
+        PENDING_RESTORE_UPLOADED_BY_KEY,
+    ):
+        row = await session.get(AppSetting, key)
+        if row:
+            await session.delete(row)
+
+
+@router.post("/prepare-restore")
+async def prepare_restore(
+    file: UploadFile = File(...),
+    conflict_mode: ConflictMode = Query(default=ConflictMode.SKIP),
+    user: User = Depends(require_admin),
+    session: AsyncSession = Depends(get_session),
+):
+    """Stage a backup for restore on next backend restart.
+
+    Validates the uploaded file, writes it to ``data/pending_restore.json``,
+    and persists marker settings so startup will apply it atomically.
+    """
+    content = await file.read()
+    if len(content) > MAX_UPLOAD_SIZE:
+        raise HTTPException(status_code=400, detail="File too large (max 10 MB)")
+
+    try:
+        raw = json.loads(content)
+    except json.JSONDecodeError as e:
+        raise HTTPException(status_code=400, detail=f"Invalid JSON: {e}")
+
+    validation = validate_backup(raw)
+    if not validation.valid:
+        raise HTTPException(
+            status_code=400,
+            detail=f"Invalid backup: {'; '.join(validation.errors)}",
+        )
+
+    pending_path = _pending_restore_path()
+    pending_path.parent.mkdir(parents=True, exist_ok=True)
+    # Atomic write: write to tmp then rename, so a crash mid-write never
+    # leaves a truncated pending_restore.json that would break startup apply.
+    tmp_path = pending_path.with_suffix(pending_path.suffix + ".tmp")
+    tmp_path.write_text(json.dumps(raw), encoding="utf-8")
+    os.replace(tmp_path, pending_path)
+
+    now_iso = datetime.now(timezone.utc).isoformat()
+    await _set_app_setting(session, PENDING_RESTORE_PATH_KEY, str(pending_path))
+    await _set_app_setting(session, PENDING_RESTORE_CONFLICT_KEY, conflict_mode.value)
+    await _set_app_setting(session, PENDING_RESTORE_UPLOADED_AT_KEY, now_iso)
+    await _set_app_setting(session, PENDING_RESTORE_UPLOADED_BY_KEY, user.username)
+    await session.commit()
+
+    return {
+        "pending": True,
+        "uploaded_at": now_iso,
+        "uploaded_by": user.username,
+        "conflict_mode": conflict_mode.value,
+        "validation": validation.model_dump(),
+        "supervised": _is_supervised(),
+    }
+
+
+@router.get("/pending-restore")
+async def get_pending_restore(
+    user: User = Depends(require_admin),
+    session: AsyncSession = Depends(get_session),
+):
+    """Return current pending-restore state, or null if none."""
+    path_row = await session.get(AppSetting, PENDING_RESTORE_PATH_KEY)
+    if not path_row or not path_row.value:
+        return {"pending": False, "supervised": _is_supervised()}
+
+    conflict_row = await session.get(AppSetting, PENDING_RESTORE_CONFLICT_KEY)
+    uploaded_at_row = await session.get(AppSetting, PENDING_RESTORE_UPLOADED_AT_KEY)
+    uploaded_by_row = await session.get(AppSetting, PENDING_RESTORE_UPLOADED_BY_KEY)
+    return {
+        "pending": True,
+        "uploaded_at": uploaded_at_row.value if uploaded_at_row else None,
+        "uploaded_by": uploaded_by_row.value if uploaded_by_row else None,
+        "conflict_mode": (conflict_row.value if conflict_row else ConflictMode.SKIP.value),
+        "supervised": _is_supervised(),
+    }
+
+
+@router.delete("/pending-restore")
+async def cancel_pending_restore(
+    user: User = Depends(require_admin),
+    session: AsyncSession = Depends(get_session),
+):
+    """Cancel a pending restore."""
+    pending_path = _pending_restore_path()
+    if pending_path.exists():
+        pending_path.unlink()
+    await _clear_pending_restore_markers(session)
+    await session.commit()
+    return {"cancelled": True}
+
+
+def _is_supervised() -> bool:
+    """Heuristic: is this process managed by something that will respawn it?
+
+    Priority order:
+    1. Explicit operator override: ``NOTIFY_BRIDGE_SUPERVISED`` env var or
+       the ``supervised`` AppSetting (values: ``true``/``false``/``auto``).
+       ``auto`` (or unset) falls through to the detection heuristic.
+    2. Heuristic: look at common container/service-manager env vars.
+
+    Used by the frontend to decide whether to offer "Restart now" — a bad
+    guess here is a foot-gun (process exits, stays dead), so err on the side
+    of false when unsure.
+    """
+    override = os.environ.get("NOTIFY_BRIDGE_SUPERVISED", "").strip().lower()
+    if override in ("true", "1", "yes", "on"):
+        return True
+    if override in ("false", "0", "no", "off"):
+        return False
+
+    for var in ("CONTAINER", "DOCKER_CONTAINER", "KUBERNETES_SERVICE_HOST",
+                "INVOCATION_ID", "PM2_HOME"):
+        if os.environ.get(var):
+            return True
+    if os.path.exists("/.dockerenv"):
+        return True
+    return False
+
+
+@router.post("/apply-restart")
+async def apply_and_restart(
+    background_tasks: BackgroundTasks,
+    user: User = Depends(require_admin),
+    session: AsyncSession = Depends(get_session),
+):
+    """Trigger a graceful exit so the supervisor respawns and applies the pending restore.
+
+    Only allowed when a pending restore is staged AND the process is supervised.
+    """
+    path_row = await session.get(AppSetting, PENDING_RESTORE_PATH_KEY)
+    if not path_row or not path_row.value:
+        raise HTTPException(status_code=409, detail="No pending restore to apply")
+    if not _is_supervised():
+        raise HTTPException(
+            status_code=409,
+            detail=(
+                "This process is not supervised. Restart the backend manually to apply "
+                "the pending restore, or use the Cancel button."
+            ),
+        )
+
+    async def _shutdown_soon() -> None:
+        # Small delay so the HTTP response flushes before the signal fires.
+        await asyncio.sleep(0.5)
+        _LOGGER.warning("Admin triggered restart to apply pending restore")
+        # SIGTERM lets uvicorn run its normal graceful shutdown:
+        # drain in-flight requests, fire the lifespan shutdown hooks
+        # (close_http_session, scheduler.shutdown), then exit. The
+        # supervisor respawns, and startup applies the pending restore.
+        try:
+            os.kill(os.getpid(), signal.SIGTERM)
+        except Exception:  # noqa: BLE001 — last-resort fallback on platforms that reject SIGTERM
+            _LOGGER.exception("SIGTERM delivery failed; falling back to os._exit")
+            os._exit(0)
+
+    background_tasks.add_task(_shutdown_soon)
+    return {"restart_requested": True}
+
+
 # ---------------------------------------------------------------------------
 # Scheduled backup settings
 # ---------------------------------------------------------------------------
@@ -205,6 +404,37 @@ async def get_backup_files(
     return list_backup_files(_backup_dir())
 
 
+@router.post("/files")
+async def create_manual_backup(
+    secrets_mode: SecretsMode = Query(default=SecretsMode.EXCLUDE),
+    user: User = Depends(require_admin),
+    session: AsyncSession = Depends(get_session),
+):
+    """Create a backup file in the backups directory (manual checkpoint).
+
+    Produces the same JSON format as scheduled backups, saved under
+    ``data/backups/backup-<timestamp>.json``. Retention is managed by the
+    existing scheduled-backup settings (``backup_retention_count``).
+    """
+    backup_dir = _backup_dir()
+    filepath = await export_backup_to_file(session, user.id, backup_dir, secrets_mode)
+    # Apply the same retention as scheduled backups if configured.
+    retention_row = await session.get(AppSetting, "backup_retention_count")
+    if retention_row and retention_row.value:
+        try:
+            retention = int(retention_row.value)
+            if retention > 0:
+                cleanup_old_backups(backup_dir, keep=retention)
+        except ValueError:
+            pass
+    stat = filepath.stat()
+    return {
+        "filename": filepath.name,
+        "size": stat.st_size,
+        "created_at": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
+    }
+
+
 @router.get("/files/{filename}")
 async def download_backup_file(
     filename: str,