feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish

- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes

packages/server/src/notify_bridge_server/config.py

@@ -14,10 +14,19 @@ class Settings(BaseSettings):
     secret_key: str = "change-me-in-production"
 
     def model_post_init(self, __context: Any) -> None:
-        if self.secret_key == "change-me-in-production" and not self.debug:
+        if self.secret_key == "change-me-in-production":
             raise ValueError(
-                "SECURITY: Cannot start with default secret_key in production. "
-                "Set NOTIFY_BRIDGE_SECRET_KEY environment variable."
+                "SECURITY: Refusing to start with the default secret_key. "
+                "Set NOTIFY_BRIDGE_SECRET_KEY to a random value (>=32 bytes) "
+                "before starting the server (debug mode included)."
+            )
+        if len(self.secret_key) < 32:
+            raise ValueError(
+                "SECURITY: NOTIFY_BRIDGE_SECRET_KEY must be at least 32 characters."
+            )
+        if "*" in self.cors_allowed_origins.split(","):
+            raise ValueError(
+                "SECURITY: wildcard '*' is not allowed in CORS origins when credentials are enabled."
             )
 
     access_token_expire_minutes: int = 60