feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish

- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes

frontend/src/routes/command-trackers/+page.svelte

@@ -35,9 +35,6 @@
 	const providerItems = $derived(providers
 		.filter(p => !globalProviderFilter.providerType || p.type === globalProviderFilter.providerType)
 		.map(p => ({ value: p.id, label: p.name, icon: providerDefaultIcon(p), desc: p.type })));
-	const configItems = $derived(filteredConfigs()
-		.filter((c: any) => !globalProviderFilter.providerType || c.provider_type === globalProviderFilter.providerType)
-		.map((c: any) => ({ value: c.id, label: c.name, icon: c.icon || 'mdiCog', desc: c.provider_type })));
 	const botItems = $derived(telegramBots.map(b => ({ value: b.id, label: b.name, icon: b.icon || 'mdiRobot', desc: b.bot_username ? `@${b.bot_username}` : '' })));
 	let loaded = $state(false);
 	let showForm = $state(false);
@@ -64,12 +61,15 @@
 	let form = $state(defaultForm());
 
 	// Filter command configs by selected provider's type
-	let filteredConfigs = $derived(() => {
+	let filteredConfigs = $derived.by(() => {
 		if (!form.provider_id) return commandConfigs;
 		const provider = providers.find(p => p.id === form.provider_id);
 		if (!provider) return commandConfigs;
 		return commandConfigs.filter(c => c.provider_type === provider.type);
 	});
+	const configItems = $derived(filteredConfigs
+		.filter((c: any) => !globalProviderFilter.providerType || c.provider_type === globalProviderFilter.providerType)
+		.map((c: any) => ({ value: c.id, label: c.name, icon: c.icon || 'mdiCog', desc: c.provider_type })));
 
 	onMount(load);
 	async function load() {