feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish

- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes

frontend/src/routes/command-template-configs/+page.svelte

@@ -90,6 +90,15 @@
 		return 'empty';
 	}
 
+	const defaultForm = () => ({
+		provider_type: '',
+		name: '',
+		description: '',
+		icon: '',
+		slots: {} as Record<string, Record<string, string>>,
+	});
+	let form = $state(defaultForm());
+
 	// Provider capabilities
 	let allCapabilities = $state<Record<string, any>>({});
 	let providerTypes = $derived(Object.keys(allCapabilities));
@@ -102,15 +111,6 @@
 			: commandSlots
 	);
 
-	const defaultForm = () => ({
-		provider_type: '',
-		name: '',
-		description: '',
-		icon: '',
-		slots: {} as Record<string, Record<string, string>>,
-	});
-	let form = $state(defaultForm());
-
 	/** Get slot template for current locale, with fallback. */
 	function getSlotValue(slotName: string): string {
 		return form.slots[slotName]?.[activeLocale] || '';