refactor: comprehensive codebase review — security, performance, quality, UX

Security:
- Fix NUT protocol command injection (validate names against safe regex)
- Enable Jinja2 autoescape=True to prevent HTML injection via external data
- Add WebhookProviderConfig validation model

Performance:
- Shared aiohttp.ClientSession singleton (replaces 40+ per-request sessions)
- Fix 4 N+1 queries with batch IN loads (poller, scheduler, memory, broadcast)
- asyncio.gather for Gitea commands and notification dispatcher
- Add DB indexes on NotificationTrackerState.tracker_id, CommandTrackerListener
- LRU cache for compiled Jinja2 templates
- Daily EventLog cleanup job (90-day retention)
- 30s HTTP timeout on all external calls
- GROUP BY for target type counts (replaces 7 sequential queries)

Code quality:
- Extract get_owned_entity() helper (replaces 11 duplicate functions)
- Extract slot_helpers.py (load_slots, save_slots, render_template_preview)
- Extract command_utils.py (tracker lookup, last event, collection IDs)
- Extract http_session.py (shared session lifecycle)
- Provider connection validation dedup (3x → 1 helper)
- Command dispatch tables replacing if/elif chains
- Album+links fetch helper (fetch_albums_with_links)
- Provider dispatch polymorphism (list_provider_collections)
- Immutable _enrich_assets (no longer mutates in-place)
- Fix _format_assets return type + handler unpacking

Frontend:
- Fix 18+ hardcoded English strings → t() with new i18n keys (en + ru)
- Mobile "More" nav panel with provider filter and search
- Shared Button.svelte component (4 variants, 2 sizes)
- Shared ErrorBanner.svelte component (8 pages updated)
- SvelteKit goto() replacing window.location.href
- Dashboard grid fixed for 4 cards, paginator opacity consistency

Functionality:
- max_instances=1 on scheduler jobs (prevents duplicate events)
- Webhook provider in watcher (prevents error spam)
- Fix stale SQLModel reference in poller
- Gitea get_repo() direct API call

packages/server/src/notify_bridge_server/commands/command_utils.py

@@ -0,0 +1,67 @@
+"""Shared command handler utilities to reduce boilerplate across providers."""
+
+from __future__ import annotations
+
+import logging
+
+from sqlmodel import select
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+from ..database.engine import get_engine
+from ..database.models import EventLog, NotificationTracker, ServiceProvider
+
+_LOGGER = logging.getLogger(__name__)
+
+
+async def get_trackers_for_provider(provider_id: int) -> list[NotificationTracker]:
+    """Get notification trackers for a single provider."""
+    from .handler import _get_notification_trackers_for_providers
+
+    return await _get_notification_trackers_for_providers({provider_id})
+
+
+async def get_last_event_str(tracker_ids: list[int]) -> str:
+    """Get formatted timestamp of most recent event for given trackers.
+
+    Returns a 'YYYY-MM-DD HH:MM' string, or '-' if no events exist.
+    """
+    if not tracker_ids:
+        return "-"
+    engine = get_engine()
+    async with AsyncSession(engine) as session:
+        result = await session.exec(
+            select(EventLog)
+            .where(EventLog.tracker_id.in_(tracker_ids))
+            .order_by(EventLog.created_at.desc())
+            .limit(1)
+        )
+        last_event = result.first()
+    return last_event.created_at.strftime("%Y-%m-%d %H:%M") if last_event else "-"
+
+
+def get_tracked_collection_ids(
+    provider: ServiceProvider,
+    trackers: list[NotificationTracker],
+    *,
+    max_items: int = 20,
+) -> list[str]:
+    """Get deduplicated collection IDs from trackers for a provider.
+
+    Iterates all trackers belonging to *provider*, collects IDs from both
+    ``collection_ids`` and ``filters.collections``, deduplicates while
+    preserving order, and caps at *max_items*.
+    """
+    seen: set[str] = set()
+    result: list[str] = []
+    for tracker in trackers:
+        if tracker.provider_id != provider.id:
+            continue
+        for cid in tracker.collection_ids or []:
+            if cid not in seen:
+                seen.add(cid)
+                result.append(cid)
+        for cid in (tracker.filters or {}).get("collections", []):
+            if cid not in seen:
+                seen.add(cid)
+                result.append(cid)
+    return result[:max_items]