refactor: comprehensive codebase review — security, performance, quality, UX

Security:
- Fix NUT protocol command injection (validate names against safe regex)
- Enable Jinja2 autoescape=True to prevent HTML injection via external data
- Add WebhookProviderConfig validation model

Performance:
- Shared aiohttp.ClientSession singleton (replaces 40+ per-request sessions)
- Fix 4 N+1 queries with batch IN loads (poller, scheduler, memory, broadcast)
- asyncio.gather for Gitea commands and notification dispatcher
- Add DB indexes on NotificationTrackerState.tracker_id, CommandTrackerListener
- LRU cache for compiled Jinja2 templates
- Daily EventLog cleanup job (90-day retention)
- 30s HTTP timeout on all external calls
- GROUP BY for target type counts (replaces 7 sequential queries)

Code quality:
- Extract get_owned_entity() helper (replaces 11 duplicate functions)
- Extract slot_helpers.py (load_slots, save_slots, render_template_preview)
- Extract command_utils.py (tracker lookup, last event, collection IDs)
- Extract http_session.py (shared session lifecycle)
- Provider connection validation dedup (3x → 1 helper)
- Command dispatch tables replacing if/elif chains
- Album+links fetch helper (fetch_albums_with_links)
- Provider dispatch polymorphism (list_provider_collections)
- Immutable _enrich_assets (no longer mutates in-place)
- Fix _format_assets return type + handler unpacking

Frontend:
- Fix 18+ hardcoded English strings → t() with new i18n keys (en + ru)
- Mobile "More" nav panel with provider filter and search
- Shared Button.svelte component (4 variants, 2 sizes)
- Shared ErrorBanner.svelte component (8 pages updated)
- SvelteKit goto() replacing window.location.href
- Dashboard grid fixed for 4 cards, paginator opacity consistency

Functionality:
- max_instances=1 on scheduler jobs (prevents duplicate events)
- Webhook provider in watcher (prevents error spam)
- Fix stale SQLModel reference in poller
- Gitea get_repo() direct API call

frontend/src/lib/components/Button.svelte

@@ -0,0 +1,85 @@
+<script lang="ts">
+	import type { Snippet } from 'svelte';
+
+	let {
+		variant = 'primary',
+		size = 'md',
+		disabled = false,
+		type = 'button',
+		href,
+		onclick,
+		children,
+		class: extraClass = '',
+	}: {
+		variant?: 'primary' | 'secondary' | 'danger' | 'ghost';
+		size?: 'sm' | 'md';
+		disabled?: boolean;
+		type?: 'button' | 'submit';
+		href?: string;
+		onclick?: (e: MouseEvent) => void;
+		children: Snippet;
+		class?: string;
+	} = $props();
+
+	const baseClasses = 'inline-flex items-center justify-center gap-1.5 rounded-md text-sm font-medium transition-colors disabled:opacity-50';
+	const sizeClasses: Record<string, string> = {
+		sm: 'px-2.5 py-1 text-xs',
+		md: 'px-4 py-2',
+	};
+	const variantClasses: Record<string, string> = {
+		primary: 'btn-primary',
+		secondary: 'btn-secondary',
+		danger: 'btn-danger',
+		ghost: 'btn-ghost',
+	};
+
+	const classes = $derived(
+		`${baseClasses} ${sizeClasses[size]} ${variantClasses[variant]} ${extraClass}`.trim()
+	);
+</script>
+
+{#if href && !disabled}
+	<a {href} class={classes} onclick={onclick}>
+		{@render children()}
+	</a>
+{:else}
+	<button {type} {disabled} class={classes} onclick={onclick}>
+		{@render children()}
+	</button>
+{/if}
+
+<style>
+	.btn-primary {
+		background: var(--color-primary);
+		color: var(--color-primary-foreground);
+	}
+	.btn-primary:hover:not(:disabled) {
+		opacity: 0.9;
+	}
+
+	.btn-secondary {
+		background: var(--color-muted);
+		color: var(--color-foreground);
+		border: 1px solid var(--color-border);
+	}
+	.btn-secondary:hover:not(:disabled) {
+		opacity: 0.8;
+	}
+
+	.btn-danger {
+		background: var(--color-error-fg);
+		color: white;
+	}
+	.btn-danger:hover:not(:disabled) {
+		opacity: 0.9;
+	}
+
+	.btn-ghost {
+		background: transparent;
+		color: var(--color-muted-foreground);
+	}
+	.btn-ghost:hover:not(:disabled) {
+		background: var(--color-muted);
+		color: var(--color-foreground);
+	}
+</style>