refactor: comprehensive codebase review — security, performance, quality, UX

Security:
- Fix NUT protocol command injection (validate names against safe regex)
- Enable Jinja2 autoescape=True to prevent HTML injection via external data
- Add WebhookProviderConfig validation model

Performance:
- Shared aiohttp.ClientSession singleton (replaces 40+ per-request sessions)
- Fix 4 N+1 queries with batch IN loads (poller, scheduler, memory, broadcast)
- asyncio.gather for Gitea commands and notification dispatcher
- Add DB indexes on NotificationTrackerState.tracker_id, CommandTrackerListener
- LRU cache for compiled Jinja2 templates
- Daily EventLog cleanup job (90-day retention)
- 30s HTTP timeout on all external calls
- GROUP BY for target type counts (replaces 7 sequential queries)

Code quality:
- Extract get_owned_entity() helper (replaces 11 duplicate functions)
- Extract slot_helpers.py (load_slots, save_slots, render_template_preview)
- Extract command_utils.py (tracker lookup, last event, collection IDs)
- Extract http_session.py (shared session lifecycle)
- Provider connection validation dedup (3x → 1 helper)
- Command dispatch tables replacing if/elif chains
- Album+links fetch helper (fetch_albums_with_links)
- Provider dispatch polymorphism (list_provider_collections)
- Immutable _enrich_assets (no longer mutates in-place)
- Fix _format_assets return type + handler unpacking

Frontend:
- Fix 18+ hardcoded English strings → t() with new i18n keys (en + ru)
- Mobile "More" nav panel with provider filter and search
- Shared Button.svelte component (4 variants, 2 sizes)
- Shared ErrorBanner.svelte component (8 pages updated)
- SvelteKit goto() replacing window.location.href
- Dashboard grid fixed for 4 cards, paginator opacity consistency

Functionality:
- max_instances=1 on scheduler jobs (prevents duplicate events)
- Webhook provider in watcher (prevents error spam)
- Fix stale SQLModel reference in poller
- Gitea get_repo() direct API call

packages/server/src/notify_bridge_server/api/target_receivers.py

@@ -12,6 +12,7 @@ from ..auth.dependencies import get_current_user
 from ..database.engine import get_session
 from ..database.models import NotificationTarget, TargetReceiver, User
 from ..services.notifier import send_to_receiver
+from .helpers import get_owned_entity
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -170,7 +171,7 @@ def _response(r: TargetReceiver) -> dict:
 
 
 async def _get_user_target(session: AsyncSession, target_id: int, user_id: int) -> NotificationTarget:
-    target = await session.get(NotificationTarget, target_id)
-    if not target or target.user_id != user_id:
-        raise HTTPException(status_code=404, detail="Target not found")
-    return target
+    return await get_owned_entity(
+        session, NotificationTarget, target_id, user_id,
+        not_found_msg="Target not found",
+    )