refactor: comprehensive codebase review — security, performance, quality, UX

Security:
- Fix NUT protocol command injection (validate names against safe regex)
- Enable Jinja2 autoescape=True to prevent HTML injection via external data
- Add WebhookProviderConfig validation model

Performance:
- Shared aiohttp.ClientSession singleton (replaces 40+ per-request sessions)
- Fix 4 N+1 queries with batch IN loads (poller, scheduler, memory, broadcast)
- asyncio.gather for Gitea commands and notification dispatcher
- Add DB indexes on NotificationTrackerState.tracker_id, CommandTrackerListener
- LRU cache for compiled Jinja2 templates
- Daily EventLog cleanup job (90-day retention)
- 30s HTTP timeout on all external calls
- GROUP BY for target type counts (replaces 7 sequential queries)

Code quality:
- Extract get_owned_entity() helper (replaces 11 duplicate functions)
- Extract slot_helpers.py (load_slots, save_slots, render_template_preview)
- Extract command_utils.py (tracker lookup, last event, collection IDs)
- Extract http_session.py (shared session lifecycle)
- Provider connection validation dedup (3x → 1 helper)
- Command dispatch tables replacing if/elif chains
- Album+links fetch helper (fetch_albums_with_links)
- Provider dispatch polymorphism (list_provider_collections)
- Immutable _enrich_assets (no longer mutates in-place)
- Fix _format_assets return type + handler unpacking

Frontend:
- Fix 18+ hardcoded English strings → t() with new i18n keys (en + ru)
- Mobile "More" nav panel with provider filter and search
- Shared Button.svelte component (4 variants, 2 sizes)
- Shared ErrorBanner.svelte component (8 pages updated)
- SvelteKit goto() replacing window.location.href
- Dashboard grid fixed for 4 cards, paginator opacity consistency

Functionality:
- max_instances=1 on scheduler jobs (prevents duplicate events)
- Webhook provider in watcher (prevents error spam)
- Fix stale SQLModel reference in poller
- Gitea get_repo() direct API call

packages/server/src/notify_bridge_server/services/scheduler.py

@@ -31,11 +31,50 @@ async def start_scheduler() -> None:
     from .telegram_poller import start_command_listener_polling
     await start_command_listener_polling()
 
+    # Schedule daily cleanup of old event log entries
+    _schedule_event_cleanup()
+
     # Start debounced command auto-sync scheduler
     from .command_sync import start_sync_scheduler
     start_sync_scheduler()
 
 
+def _schedule_event_cleanup() -> None:
+    """Schedule a daily job to delete EventLog entries older than 90 days."""
+    from apscheduler.triggers.cron import CronTrigger
+
+    scheduler = get_scheduler()
+    job_id = "cleanup_old_events"
+    if scheduler.get_job(job_id):
+        return
+    scheduler.add_job(
+        _cleanup_old_events,
+        CronTrigger(hour=3, minute=0),
+        id=job_id,
+        replace_existing=True,
+        max_instances=1,
+    )
+    _LOGGER.info("Scheduled daily event log cleanup at 03:00 UTC")
+
+
+async def _cleanup_old_events() -> None:
+    """Delete EventLog entries older than 90 days."""
+    from datetime import datetime, timedelta, timezone
+
+    from sqlmodel import delete
+    from sqlmodel.ext.asyncio.session import AsyncSession
+
+    from ..database.engine import get_engine
+    from ..database.models import EventLog
+
+    cutoff = datetime.now(timezone.utc) - timedelta(days=90)
+    engine = get_engine()
+    async with AsyncSession(engine) as session:
+        await session.exec(delete(EventLog).where(EventLog.created_at < cutoff))
+        await session.commit()
+    _LOGGER.info("Cleaned up event log entries older than %s", cutoff.date())
+
+
 async def _load_tracker_jobs() -> None:
     """Load enabled trackers and schedule polling jobs."""
     from sqlmodel import select
@@ -50,13 +89,16 @@ async def _load_tracker_jobs() -> None:
         result = await session.exec(select(NotificationTracker).where(NotificationTracker.enabled == True))
         trackers = result.all()
 
-        # Pre-load provider types for scheduler detection
+        # Batch-load provider types for scheduler detection
+        unique_provider_ids = list({t.provider_id for t in trackers})
         provider_types: dict[int, str] = {}
-        for tracker in trackers:
-            if tracker.provider_id not in provider_types:
-                provider = await session.get(ServiceProviderModel, tracker.provider_id)
-                if provider:
-                    provider_types[tracker.provider_id] = provider.type
+        if unique_provider_ids:
+            provider_result = await session.exec(
+                select(ServiceProviderModel).where(
+                    ServiceProviderModel.id.in_(unique_provider_ids)
+                )
+            )
+            provider_types = {p.id: p.type for p in provider_result.all()}
 
     for tracker in trackers:
         job_id = f"tracker_{tracker.id}"
@@ -86,6 +128,7 @@ async def _load_tracker_jobs() -> None:
             id=job_id,
             args=[tracker.id],
             replace_existing=True,
+            max_instances=1,
         )
         _LOGGER.info("Scheduled tracker %d (%s) every %ds", tracker.id, tracker.name, tracker.scan_interval)
 
@@ -106,6 +149,7 @@ def _add_cron_job(
         id=job_id,
         args=[tracker_id],
         replace_existing=True,
+        max_instances=1,
     )
     _LOGGER.info("Scheduled tracker %d (%s) with cron: %s", tracker_id, tracker_name, cron_expression)