feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish

- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes

frontend/src/app.css

@@ -12,7 +12,7 @@
 	--color-background: #f8f9fb;
 	--color-foreground: #1a1a2e;
 	--color-muted: #eef0f4;
-	--color-muted-foreground: #6b7280;
+	--color-muted-foreground: #525866;
 	--color-border: #e2e4ea;
 	--color-primary: #0d9488;
 	--color-primary-foreground: #ffffff;
@@ -34,6 +34,15 @@
 	--font-sans: 'DM Sans', ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
 	--font-mono: 'JetBrains Mono', ui-monospace, 'Cascadia Code', 'Consolas', monospace;
 	--radius: 0.625rem;
+	/* Layered z-index scale — refer to these instead of ad-hoc numbers.
+	   Ordered: base < sticky < dropdown < overlay < modal < tooltip < toast */
+	--z-base: 1;
+	--z-sticky: 10;
+	--z-dropdown: 30;
+	--z-overlay: 40;
+	--z-modal: 50;
+	--z-tooltip: 60;
+	--z-toast: 70;
 }
 
 /* Dark theme overrides */