feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish

- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes

README.md

@@ -22,7 +22,49 @@ packages/
 frontend/     — SvelteKit dashboard (Svelte 5, Tailwind CSS v4)
 ```
 
-## Quick Start
+## Quick Docker Deploy
+
+```bash
+docker run -d \
+  --name notify-bridge \
+  --restart unless-stopped \
+  -p 8420:8420 \
+  -v notify-bridge-data:/data \
+  -e NOTIFY_BRIDGE_SECRET_KEY=$(openssl rand -hex 32) \
+  git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge:latest
+```
+
+Then open `http://localhost:8420` in your browser.
+
+### Environment Variables
+
+| Variable | Required | Default | Description |
+| -------- | -------- | ------- | ----------- |
+| `NOTIFY_BRIDGE_SECRET_KEY` | Yes | — | Secret key for JWT tokens (min 32 chars) |
+| `NOTIFY_BRIDGE_PORT` | No | `8420` | Server listen port |
+| `NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS` | No | `*` | Comma-separated allowed CORS origins |
+| `NOTIFY_BRIDGE_DEBUG` | No | `false` | Enable debug logging |
+
+### Docker Compose
+
+```yaml
+services:
+  notify-bridge:
+    image: git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge:latest
+    container_name: notify-bridge
+    restart: unless-stopped
+    ports:
+      - "8420:8420"
+    volumes:
+      - notify-bridge-data:/data
+    environment:
+      - NOTIFY_BRIDGE_SECRET_KEY=your-secret-key-min-32-characters
+
+volumes:
+  notify-bridge-data:
+```
+
+## Quick Start (Development)
 
 ```bash
 # Backend