chore: release v0.5.1

Dispatch: honor {kind}_collection_mode on TrackingConfig — "per_collection"
fans out one event per album; "combined" pools assets as before. Extract
build_immich_dispatch_events shared by cron and test paths.

Assets: collect_scheduled_assets attaches album_name/album_url/album_public_url
to each asset so combined-mode templates can attribute rows to their source
album. Default scheduled_assets templates render a multi-album header with
inline album list and per-row album link; memory_mode follows the same pattern.

UI: "Reset to default" buttons on notification and command template slots
(per-slot and whole-template), backed by new GET /*-template-configs/defaults
endpoints. tracking-configs "Preview template" now opens an inline preview
modal with locale tabs instead of navigating away; Edit button deep-links
with ?edit_slot=<name> so the destination auto-opens the config and scrolls
to the slot. Reset confirmations use ConfirmModal instead of window.confirm.

Fixes:
* NotificationDispatcher._session_ctx infinite recursion when no shared
  aiohttp.ClientSession was passed — broke test dispatch for periodic/
  scheduled/memory (cron path was unaffected).
* telegram-bots /chats/{id}/test now resolves chat.language_override /
  language_code instead of using the raw ?locale query param, matching
  the resolution the tracker-target test endpoint already used.
* scheduled_assets default template no longer emits a blank line between
  header and the first asset when the multi-album branch is taken.

.gitea/workflows/build.yml

@@ -1,13 +1,56 @@
-name: Build Docker Image
+name: Build and Test
 
 on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
   workflow_dispatch:
 
 jobs:
-  build:
+  test-frontend:
+    if: ${{ !startsWith(gitea.event.head_commit.message, 'chore: release v') }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: Build Docker image
-        run: docker build -t notify-bridge:dev .
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install deps
+        run: |
+          cd frontend
+          npm ci
+
+      - name: Svelte check
+        run: |
+          cd frontend
+          npm run check || echo "::warning::svelte-check reported warnings"
+
+      - name: Build
+        run: |
+          cd frontend
+          npm run build
+
+  build-image:
+    if: ${{ !startsWith(gitea.event.head_commit.message, 'chore: release v') }}
+    needs: [test-frontend]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image (no push)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: notify-bridge:ci-${{ gitea.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitea/workflows/release.yml

@@ -50,6 +50,7 @@ jobs:
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ gitea.sha }}
             ${{ steps.version.outputs.is_pre == 'false' && format('{0}/{1}:latest', env.REGISTRY, env.IMAGE_NAME) || '' }}
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
           cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max

Dockerfile

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 # =============================================================================
 # Stage 1: Build frontend (SvelteKit static output)
 # =============================================================================
@@ -14,7 +15,7 @@ COPY frontend/ ./
 RUN npm run build
 
 # =============================================================================
-# Stage 2: Build Python wheels
+# Stage 2: Build Python wheels + extract external dependency list
 # =============================================================================
 FROM python:3.12-slim AS python-build
 
@@ -30,16 +31,59 @@ RUN python -m build packages/core/ --wheel --outdir /wheels
 COPY packages/server/ packages/server/
 RUN python -m build packages/server/ --wheel --outdir /wheels
 
+# Emit /wheels/deps.txt with ONLY external (PyPI) deps — filter out
+# notify-bridge-* siblings, which are installed from local wheels below.
+# This file is the cache key for the external-deps install layer: as long as
+# pyproject.toml dependency lines don't change, the runtime install layer is
+# served from registry buildcache and no wheels are re-downloaded.
+RUN python <<'PY'
+import tomllib
+
+deps: list[str] = []
+for p in ("packages/core/pyproject.toml", "packages/server/pyproject.toml"):
+    with open(p, "rb") as f:
+        data = tomllib.load(f)
+    for d in data["project"].get("dependencies", []):
+        if not d.lstrip().lower().startswith("notify-bridge-"):
+            deps.append(d)
+
+seen: set[str] = set()
+with open("/wheels/deps.txt", "w") as f:
+    for d in deps:
+        if d not in seen:
+            seen.add(d)
+            f.write(d + "\n")
+PY
+
 # =============================================================================
 # Stage 3: Runtime
 # =============================================================================
 FROM python:3.12-slim
 
+# uv — fast pip replacement. Installed from PyPI (Fastly CDN) rather than
+# ghcr.io/astral-sh/uv, because GHCR pulls from this runner crawl at a few
+# hundred KB/s and take longer than the install savings would recoup.
+RUN pip install --no-cache-dir uv==0.11.7
+
+ENV UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy
+
 WORKDIR /app
 
-# Install wheels
-COPY --from=python-build /wheels/ /tmp/wheels/
-RUN pip install --no-cache-dir /tmp/wheels/*.whl && rm -rf /tmp/wheels
+# Install external deps first — layer cache key is deps.txt content, which
+# only changes when pyproject.toml dependency lines change (not on version
+# bumps). The cache mount persists downloaded wheels across local rebuilds;
+# in CI, the registry buildcache serves the whole layer when unchanged.
+COPY --from=python-build /wheels/deps.txt /tmp/deps.txt
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --system -r /tmp/deps.txt \
+    && rm /tmp/deps.txt
+
+# Install local wheels without re-resolving — all external deps are present.
+COPY --from=python-build /wheels/*.whl /tmp/wheels/
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --system --no-deps /tmp/wheels/*.whl \
+    && rm -rf /tmp/wheels
 
 # Copy frontend build
 COPY --from=frontend-build /build/build/ /app/static/

RELEASE_NOTES.md

@@ -1,28 +1,33 @@
-# v0.3.2 (2026-04-22)
+# v0.5.1 (2026-04-24)
 
-Scheduler now honors the app-level timezone. Before this, a cron expression
-like `0 9 * * *` was firing at 09:00 in the server's host-local tz — not
-at 09:00 in the timezone the admin configured under Settings — because
-`CronTrigger.from_crontab` was constructed without a tz. Same fix extends
-to scheduler-provider template rendering so `{{ current_date }}` / `{{ current_time }}`
-match the configured tz, and scheduled firings now show up in the dashboard
-event feed with context.
-
-## Bug Fixes
-
-- **Cron triggers honor app timezone** — all tracker and action cron triggers are now built with the configured app tz; `CronTrigger` freezes its tz at construction, so the `PUT /settings` endpoint rebuilds existing cron jobs when the timezone changes. Scheduled messages that were silently firing at host-local time will fire at the intended time after upgrade. ([1024085](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/1024085))
-- **Scheduler template context renders in the app tz** — `current_date`, `current_time`, `current_datetime`, `current_weekday` in scheduler-provider templates are now formatted in the configured timezone instead of UTC/host-local. Custom templates that built date strings in the wrong tz now render correctly. ([1024085](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/1024085))
+Extends the Immich scheduled/memory dispatch shipped in v0.5.0 with a per-album fan-out mode and rich multi-album templates, adds "Reset to default" tooling and an inline preview modal for notification / command templates, and introduces a `none` listener mode for Telegram bots (safer default for shared-token deployments). Also fixes an infinite-recursion bug in the notification dispatcher that was breaking test dispatch for periodic / scheduled / memory slots.
 
 ## Features
 
-- **New `timezone` template variable** — scheduler-provider templates can reference `{{ timezone }}` to display the active IANA tz alongside a date/time. Added across the context builder, variable catalog, sample context, and runtime validator (per the project's 6-file sync rule for template vars). ([1024085](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/1024085))
-- **`scheduled_message` events surface in the dashboard feed** — `EventLog` entries for scheduled firings now carry `schedule_type`, `cron_expression` / `interval_seconds`, `timezone`, and `fire_count`; the dashboard renders them with a dedicated label, icon, and colour so operators can see at a glance when scheduled messages actually fired. ([1024085](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/1024085))
+- **Per-album Immich dispatch for scheduled / memory slots** — honors the new `{kind}_collection_mode` on `TrackingConfig`: `per_collection` fans out one event per album, `combined` pools assets as before. Combined mode now attaches `album_name` / `album_url` / `album_public_url` to each asset so templates can attribute rows to their source album. Default `scheduled_assets` and `memory_mode` templates render a multi-album header with an inline album list and per-row album link. The cron and test-dispatch paths now share a single `build_immich_dispatch_events` helper ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+- **"Reset to default" for template slots** — new per-slot and whole-template reset buttons on notification and command template configs, backed by `GET /*-template-configs/defaults` endpoints. Confirmations use the app's `ConfirmModal` instead of `window.confirm` ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+- **Inline template preview + deep-link edit** — tracking-configs "Preview template" now opens an inline preview modal with locale tabs instead of navigating away. The Edit button deep-links with `?edit_slot=<name>` so the destination auto-opens the config and scrolls to the requested slot ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+- **Telegram bot `none` listener mode** — third option alongside polling and webhook. Disables both long-polling and webhook delivery; useful when another instance owns the listener or the bot is send-only. Switching into `none` unschedules polling and unregisters the active webhook so Telegram stops delivering updates ([be15463](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/be15463)).
+
+## Bug Fixes
+
+- Fix `NotificationDispatcher._session_ctx` infinite recursion when no shared `aiohttp.ClientSession` was passed — broke test dispatch for periodic / scheduled / memory slots (cron path was unaffected) ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+- `telegram-bots /chats/{id}/test` now resolves `chat.language_override` / `language_code` instead of using the raw `?locale` query param, matching the resolution the tracker-target test endpoint already used ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+- Default `scheduled_assets` template no longer emits a blank line between the header and the first asset when the multi-album branch is taken ([b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f)).
+
+## Upgrade Notes
+
+- **New Telegram bots default to `none`** (safer when multiple bridges share a token). Existing bots upgraded from a pre-`update_mode` schema keep `polling`, so their behavior is unchanged. When creating a new bot, explicitly switch to `polling` or `webhook` if you want it to receive updates.
+- A new `{kind}_collection_mode` field was added to `TrackingConfig` for Immich scheduled/memory slots. Existing trackers keep the previous `combined` behavior by default; switch to `per_collection` per-tracker to opt in to one-event-per-album fan-out.
 
 ---
 
 <details>
 <summary>All Commits</summary>
 
-- [1024085](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/1024085) — fix(scheduler): honor app timezone for cron triggers and log scheduled events *(alexei.dolgolyov)*
+| Hash                                                                                     | Message                                                              | Author           |
+|------------------------------------------------------------------------------------------|----------------------------------------------------------------------|------------------|
+| [b61394f](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/b61394f) | feat(immich): per-album scheduled/memory dispatch + template tooling | alexei.dolgolyov |
+| [be15463](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/be15463) | feat(telegram): add 'none' listener mode for bots                    | alexei.dolgolyov |
 
 </details>

docker-compose.yml

@@ -10,18 +10,38 @@ services:
     volumes:
       - notify-bridge-data:/data
     environment:
+      # REQUIRED — any 32+ byte random string. `openssl rand -hex 32` is one way.
       - NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
-      - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-*}
-      # Homelab target: allow outbound requests to RFC1918 / link-local addresses.
-      # The SSRF guard otherwise rejects 10.*/172.16.*/192.168.*/169.254.* hosts,
-      # which breaks tracking of Immich / Gitea / etc. running on the same LAN.
-      - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1
+      # Comma-separated list of allowed browser origins. Wildcard `*` is
+      # rejected on startup because credentials are enabled.
+      - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-http://localhost:8420}
+      # Trusted proxy IPs whose X-Forwarded-For / X-Forwarded-Proto we honor.
+      # Set this to your reverse proxy's IP (e.g. 172.17.0.1 for the default
+      # docker bridge, or `*` only if the container is NOT reachable from the
+      # public internet).
+      - NOTIFY_BRIDGE_FORWARDED_ALLOW_IPS=${NOTIFY_BRIDGE_FORWARDED_ALLOW_IPS:-127.0.0.1}
+      # Opt-in SSRF bypass for private/loopback/link-local hosts (homelab
+      # scenario — tracking an Immich/Gitea instance on the same LAN). DO NOT
+      # enable on a publicly exposed instance.
+      # - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1
     healthcheck:
-      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/health')"]
+      # Use /api/ready (not /api/health) so the container is only reported
+      # healthy after migrations and the scheduler finish booting.
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/ready', timeout=3)"]
       interval: 30s
       timeout: 5s
       retries: 3
-      start_period: 10s
+      start_period: 30s
+    read_only: true
+    tmpfs:
+      - /tmp
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    mem_limit: 512m
+    cpus: 1.0
+    pids_limit: 256
 
 volumes:
   notify-bridge-data:

frontend/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "notify-bridge-frontend",
 	"private": true,
-	"version": "0.3.2",
+	"version": "0.5.1",
 	"type": "module",
 	"scripts": {
 		"dev": "vite dev",

frontend/src/lib/i18n/en.json

@@ -55,7 +55,8 @@
 		"passwordTooShort": "Password must be at least 8 characters",
 		"or": "or",
 		"loginFailed": "Login failed",
-		"setupFailed": "Setup failed"
+		"setupFailed": "Setup failed",
+		"backendUnreachable": "Cannot reach the server. Check that it's running and try again."
 	},
 	"dashboard": {
 		"title": "Dashboard",
@@ -261,7 +262,14 @@
 		"testPeriodic": "Test periodic summary",
 		"testScheduled": "Test scheduled assets",
 		"testMemory": "Test memory / On This Day",
+		"testDisabledHint": "Enable this feature in the tracker's default Tracking Config first.",
 		"checkingLinks": "Checking links...",
+		"featureDiscovery": "Configure periodic summaries, scheduled photo picks, memories, and quiet hours in the default Tracking Config.",
+		"openTrackingConfig": "Open Tracking Config",
+		"linkReplace": "Replace",
+		"linkReplacing": "Replacing...",
+		"linkReplaceFailed": "Failed to replace link for \"{name}\"",
+		"linkPasswordProtectedNote": "Telegram users can't open password-protected links without the password. Remove the password in Immich or replace the link.",
 		"missingLinksTitle": "Albums Missing Public Links",
 		"missingLinksDesc": "The following albums don't have public shared links. Without links, notification recipients won't be able to view photos.",
 		"expired": "Expired",
@@ -432,6 +440,8 @@
 		"webhookRegistered": "Webhook registered",
 		"webhookUnregistered": "Webhook unregistered",
 		"updateMode": "Update mode",
+		"none": "None",
+		"noneActive": "Listener disabled",
 		"polling": "Polling",
 		"webhook": "Webhook",
 		"webhookStatus": "Webhook status",
@@ -549,7 +559,14 @@
 		"renamed": "renamed",
 		"deleted": "deleted",
 		"providerType": "Provider Type",
-		"sortRandom": "Random"
+		"sortRandom": "Random",
+		"timesInlineHelp": "HH:MM, comma-separated",
+		"invalidTimeList": "Use HH:MM format, e.g. 09:00 or 09:00, 18:30",
+		"previewTemplate": "Preview template",
+		"previewSampleNote": "Rendered with sample data — not your real assets. Shows the shipped default template.",
+		"editTemplate": "Edit template",
+		"quietHoursZero": "Quiet period is 0 minutes — adjust times",
+		"nextDay": "next day"
 	},
 	"templateConfig": {
 		"title": "Template Configs",
@@ -595,7 +612,14 @@
 		"confirmDelete": "Delete this template config?",
 		"invalidFormat": "Invalid format string",
 		"filterSlots": "Filter slots...",
-		"slots": "slots"
+		"slots": "slots",
+		"resetToDefault": "Reset to default",
+		"resetAllToDefaults": "Reset all to defaults",
+		"resetSlotConfirm": "Replace this slot's {locale} template with the shipped default? Your current edits will be lost.",
+		"resetAllConfirm": "Replace every slot's {locale} template with the shipped defaults? All your {locale} edits will be lost.",
+		"resetNoDefault": "No shipped default for this slot.",
+		"resetApplied": "Reset to default (not saved yet — click Save to persist)",
+		"deepLinkNoConfig": "No template config found for this provider. Create one first."
 	},
 	"templateVars": {
 		"message_assets_added": {
@@ -695,6 +719,13 @@
 		"locales": "Template Languages",
 		"supportedLocales": "Supported Locales",
 		"supportedLocalesHint": "Languages available when authoring notification and command templates. Built-in defaults ship for English and Russian; other languages start empty.",
+		"logging": "Logging",
+		"logLevel": "Log Level",
+		"logLevelHint": "Root log level for the server. Raise to DEBUG while investigating; keep at INFO in production. WARNING/ERROR hide per-command progress lines.",
+		"logFormat": "Log Format",
+		"logFormatHint": "Output format. 'text' is human-readable; 'json' emits one object per line for log aggregators (Loki, ELK). Changing this requires a server restart.",
+		"logLevels": "Per-Module Overrides",
+		"logLevelsHint": "Comma-separated 'module=LEVEL' pairs to silence noisy modules or drill into one area. Example: sqlalchemy.engine=WARNING,notify_bridge_core.notifications.telegram.client=DEBUG",
 		"saved": "Settings saved"
 	},
 	"hints": {
@@ -705,9 +736,12 @@
 		"quietHours": "Suppress all notifications during this HH:MM window (interpreted in the app timezone). Overnight windows like 22:00–07:00 are supported.",
 		"favoritesOnly": "Only include assets marked as favorites.",
 		"maxAssets": "Maximum number of asset details to include in a single notification message.",
-		"periodicStartDate": "The reference date for calculating periodic intervals. Summaries are sent every N days from this date.",
+		"periodicStartDate": "Reference date in the app timezone. The first summary fires at the next configured HH:MM on/after this date, then every N days.",
+		"intervalDays": "Days between successive summaries. 1 = daily, 7 = weekly.",
 		"times": "Time(s) of day to send notifications, in HH:MM format. Use commas for multiple times: 09:00,18:00",
 		"albumMode": "Per album: separate notification per album. Combined: one notification with all albums. Random: pick one album randomly.",
+		"scheduledAlbumMode": "How albums are grouped in scheduled deliveries. Default: Per album (one notification per tracked album).",
+		"memoryAlbumMode": "How albums are grouped in memory deliveries. Default: Combined (a single notification aggregating matches from all tracked albums).",
 		"minRating": "Only include assets with at least this star rating (0 = no filter).",
 		"eventMessages": "Templates for real-time event notifications. Use {variables} for dynamic content.",
 		"assetFormatting": "How individual assets are formatted within notification messages.",

frontend/src/lib/i18n/ru.json

@@ -55,7 +55,8 @@
 		"passwordTooShort": "Пароль должен быть не менее 8 символов",
 		"or": "или",
 		"loginFailed": "Ошибка входа",
-		"setupFailed": "Ошибка настройки"
+		"setupFailed": "Ошибка настройки",
+		"backendUnreachable": "Не удалось подключиться к серверу. Убедитесь, что он запущен, и повторите попытку."
 	},
 	"dashboard": {
 		"title": "Главная",
@@ -261,7 +262,14 @@
 		"testPeriodic": "Тест периодической сводки",
 		"testScheduled": "Тест запланированных фото",
 		"testMemory": "Тест воспоминаний",
+		"testDisabledHint": "Сначала включите эту функцию в привязанной конфигурации отслеживания.",
 		"checkingLinks": "Проверка ссылок...",
+		"featureDiscovery": "Периодические сводки, запланированные подборки, воспоминания и тихие часы настраиваются в привязанной конфигурации отслеживания.",
+		"openTrackingConfig": "Открыть конфигурацию отслеживания",
+		"linkReplace": "Пересоздать",
+		"linkReplacing": "Пересоздание...",
+		"linkReplaceFailed": "Не удалось пересоздать ссылку для «{name}»",
+		"linkPasswordProtectedNote": "Получатели в Telegram не смогут открыть защищённую паролем ссылку без пароля. Снимите пароль в Immich или пересоздайте ссылку.",
 		"missingLinksTitle": "Альбомы без публичных ссылок",
 		"missingLinksDesc": "У следующих альбомов нет публичных ссылок. Без ссылок получатели уведомлений не смогут просматривать фото.",
 		"expired": "Истёк",
@@ -432,6 +440,8 @@
 		"webhookRegistered": "Вебхук зарегистрирован",
 		"webhookUnregistered": "Вебхук удалён",
 		"updateMode": "Режим обновлений",
+		"none": "Откл.",
+		"noneActive": "Приём обновлений отключён",
 		"polling": "Опрос",
 		"webhook": "Вебхук",
 		"webhookStatus": "Статус вебхука",
@@ -549,7 +559,14 @@
 		"renamed": "переименование",
 		"deleted": "удалён",
 		"providerType": "Тип провайдера",
-		"sortRandom": "Случайный"
+		"sortRandom": "Случайный",
+		"timesInlineHelp": "ЧЧ:ММ, через запятую",
+		"invalidTimeList": "Используйте формат ЧЧ:ММ, например 09:00 или 09:00, 18:30",
+		"previewTemplate": "Предпросмотр шаблона",
+		"previewSampleNote": "Отрисовано на демо-данных, не на ваших реальных фото. Показан шаблон по умолчанию.",
+		"editTemplate": "Редактировать шаблон",
+		"quietHoursZero": "Тихий период 0 минут — скорректируйте время",
+		"nextDay": "след. день"
 	},
 	"templateConfig": {
 		"title": "Конфигурации шаблонов",
@@ -595,7 +612,14 @@
 		"confirmDelete": "Удалить эту конфигурацию шаблона?",
 		"invalidFormat": "Некорректная строка формата",
 		"filterSlots": "Фильтр слотов...",
-		"slots": "слотов"
+		"slots": "слотов",
+		"resetToDefault": "Сбросить к умолчанию",
+		"resetAllToDefaults": "Сбросить все к умолчаниям",
+		"resetSlotConfirm": "Заменить шаблон этого слота ({locale}) на исходный по умолчанию? Ваши правки будут потеряны.",
+		"resetAllConfirm": "Заменить шаблоны всех слотов ({locale}) на исходные по умолчанию? Все ваши правки для {locale} будут потеряны.",
+		"resetNoDefault": "Для этого слота нет шаблона по умолчанию.",
+		"resetApplied": "Сброшено к умолчанию (ещё не сохранено — нажмите «Сохранить»)",
+		"deepLinkNoConfig": "Не найдено конфигурации шаблонов для этого провайдера. Сначала создайте её."
 	},
 	"templateVars": {
 		"message_assets_added": {
@@ -695,6 +719,13 @@
 		"locales": "Языки шаблонов",
 		"supportedLocales": "Поддерживаемые локали",
 		"supportedLocalesHint": "Языки, доступные для редактирования шаблонов уведомлений и команд. Встроенные шаблоны поставляются для английского и русского; другие языки начинают с пустых.",
+		"logging": "Логирование",
+		"logLevel": "Уровень логов",
+		"logLevelHint": "Уровень логирования сервера. Поднимайте до DEBUG при отладке; оставляйте INFO в продакшене. WARNING/ERROR скрывают пошаговые строки по командам.",
+		"logFormat": "Формат логов",
+		"logFormatHint": "Формат вывода. 'text' — читаемый человеком; 'json' — по одному объекту в строке для агрегаторов (Loki, ELK). Смена требует перезапуска сервера.",
+		"logLevels": "Переопределения по модулям",
+		"logLevelsHint": "Пары 'модуль=УРОВЕНЬ' через запятую, чтобы приглушить шумные модули или углубиться в один. Пример: sqlalchemy.engine=WARNING,notify_bridge_core.notifications.telegram.client=DEBUG",
 		"saved": "Настройки сохранены"
 	},
 	"hints": {
@@ -705,9 +736,12 @@
 		"quietHours": "Подавляет все уведомления в указанном HH:MM окне (по часовому поясу приложения). Поддерживаются окна через полночь, например 22:00–07:00.",
 		"favoritesOnly": "Включать только ассеты, отмеченные как избранные.",
 		"maxAssets": "Максимальное количество ассетов в одном уведомлении.",
-		"periodicStartDate": "Опорная дата для расчёта интервалов. Сводки отправляются каждые N дней от этой даты.",
+		"periodicStartDate": "Опорная дата в часовом поясе приложения. Первая сводка отправится в ближайшее заданное время ЧЧ:ММ, начиная с этой даты, затем каждые N дней.",
+		"intervalDays": "Период между сводками в днях. 1 = ежедневно, 7 = еженедельно.",
 		"times": "Время отправки уведомлений в формате ЧЧ:ММ. Для нескольких значений через запятую: 09:00,18:00",
 		"albumMode": "По альбому: отдельное уведомление для каждого. Объединённый: одно уведомление со всеми. Случайный: выбирается один альбом.",
+		"scheduledAlbumMode": "Как альбомы группируются в запланированных отправках. По умолчанию: По альбому (одно уведомление на каждый отслеживаемый альбом).",
+		"memoryAlbumMode": "Как альбомы группируются в воспоминаниях. По умолчанию: Объединённый (одно уведомление со всеми совпадениями из всех альбомов).",
 		"minRating": "Включать только ассеты с рейтингом не ниже указанного (0 = без фильтра).",
 		"eventMessages": "Шаблоны уведомлений о событиях в реальном времени. Используйте {переменные} для динамического контента.",
 		"assetFormatting": "Форматирование отдельных ассетов в сообщениях уведомлений.",

frontend/src/lib/providers/immich.ts

@@ -1,5 +1,12 @@
 import type { ProviderDescriptor } from './types';
 
+/**
+ * Today's date in ISO (YYYY-MM-DD) — used as the default for
+ * `periodic_start_date` so new configs anchor to "today" rather than a
+ * hardcoded date that gets further into the past on every release.
+ */
+const todayIso = (): string => new Date().toISOString().slice(0, 10);
+
 export const immichDescriptor: ProviderDescriptor = {
 	type: 'immich',
 	defaultName: 'Immich',
@@ -58,17 +65,17 @@ export const immichDescriptor: ProviderDescriptor = {
 			key: 'periodic', legend: 'trackingConfig.periodicSummary', legendHint: 'hints.periodicSummary',
 			enabledField: 'periodic_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'periodic_interval_days', label: 'trackingConfig.intervalDays', type: 'number', min: 1, defaultValue: 1 },
-				{ key: 'periodic_start_date', label: 'trackingConfig.startDate', type: 'number', defaultValue: '2025-01-01' }, // rendered as date input
-				{ key: 'periodic_times', label: 'trackingConfig.times', type: 'number', defaultValue: '12:00' }, // rendered as text input
+				{ key: 'periodic_interval_days', label: 'trackingConfig.intervalDays', type: 'number', min: 1, defaultValue: 1, hint: 'hints.intervalDays' },
+				{ key: 'periodic_start_date', label: 'trackingConfig.startDate', type: 'date', defaultValue: todayIso, hint: 'hints.periodicStartDate' },
+				{ key: 'periodic_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '12:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
 			],
 		},
 		{
 			key: 'scheduled', legend: 'trackingConfig.scheduledAssets', legendHint: 'hints.scheduledAssets',
 			enabledField: 'scheduled_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'scheduled_times', label: 'trackingConfig.times', type: 'number', defaultValue: '09:00' },
-				{ key: 'scheduled_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'per_collection' },
+				{ key: 'scheduled_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
+				{ key: 'scheduled_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'per_collection', hint: 'hints.scheduledAlbumMode' },
 				{ key: 'scheduled_limit', label: 'trackingConfig.maxAssets', type: 'number', min: 1, max: 100, defaultValue: 10, hint: 'hints.maxAssets' },
 				{ key: 'scheduled_asset_type', label: 'trackingConfig.assetType', type: 'grid-select', gridItems: 'assetTypeItems', gridColumns: 3, defaultValue: 'all' },
 				{ key: 'scheduled_min_rating', label: 'trackingConfig.minRating', type: 'number', min: 0, max: 5, defaultValue: 0, hint: 'hints.minRating' },
@@ -79,21 +86,21 @@ export const immichDescriptor: ProviderDescriptor = {
 			key: 'memory', legend: 'trackingConfig.memoryMode', legendHint: 'hints.memoryMode',
 			enabledField: 'memory_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'memory_times', label: 'trackingConfig.times', type: 'number', defaultValue: '09:00' },
-				{ key: 'memory_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'combined' },
-				{ key: 'memory_limit', label: 'trackingConfig.maxAssets', type: 'number', min: 1, max: 100, defaultValue: 10 },
+				{ key: 'memory_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
+				{ key: 'memory_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'combined', hint: 'hints.memoryAlbumMode' },
+				{ key: 'memory_limit', label: 'trackingConfig.maxAssets', type: 'number', min: 1, max: 100, defaultValue: 10, hint: 'hints.maxAssets' },
 				{ key: 'memory_asset_type', label: 'trackingConfig.assetType', type: 'grid-select', gridItems: 'assetTypeItems', gridColumns: 3, defaultValue: 'all' },
-				{ key: 'memory_min_rating', label: 'trackingConfig.minRating', type: 'number', min: 0, max: 5, defaultValue: 0 },
+				{ key: 'memory_min_rating', label: 'trackingConfig.minRating', type: 'number', min: 0, max: 5, defaultValue: 0, hint: 'hints.minRating' },
 				{ key: 'memory_favorite_only', label: 'trackingConfig.favoritesOnly', type: 'toggle', defaultValue: false, hint: 'hints.favoritesOnly' },
-				{ key: 'memory_source', label: 'trackingConfig.memorySource', type: 'grid-select', gridItems: 'memorySourceItems', gridColumns: 2, defaultValue: 'albums' },
+				{ key: 'memory_source', label: 'trackingConfig.memorySource', type: 'grid-select', gridItems: 'memorySourceItems', gridColumns: 2, defaultValue: 'albums', hint: 'hints.memorySource' },
 			],
 		},
 		{
 			key: 'quietHours', legend: 'trackingConfig.quietHours', legendHint: 'hints.quietHours',
 			enabledField: 'quiet_hours_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'quiet_hours_start', label: 'trackingConfig.quietHoursStart', type: 'number', defaultValue: '22:00' },
-				{ key: 'quiet_hours_end', label: 'trackingConfig.quietHoursEnd', type: 'number', defaultValue: '07:00' },
+				{ key: 'quiet_hours_start', label: 'trackingConfig.quietHoursStart', type: 'time', defaultValue: '22:00' },
+				{ key: 'quiet_hours_end', label: 'trackingConfig.quietHoursEnd', type: 'time', defaultValue: '07:00' },
 			],
 		},
 	],
@@ -114,7 +121,9 @@ export const immichDescriptor: ProviderDescriptor = {
 		const warnings: { id: string; name: string; issue: string }[] = [];
 
 		// Run shared-link checks in parallel with a concurrency cap so a large
-		// album set doesn't stall the save button for seconds.
+		// album set doesn't stall the save button for seconds. Cap of 6 keeps
+		// the save dialog responsive for users with 50+ albums while staying
+		// well under typical Immich per-IP rate limits.
 		const CONCURRENCY = 6;
 		async function checkOne(albumId: string): Promise<void> {
 			try {

frontend/src/lib/providers/index.ts

@@ -47,17 +47,20 @@ export function allProviderTypes(): string[] {
  */
 export function buildTrackingFormDefaults(): Record<string, any> {
 	const defaults: Record<string, any> = {};
+	// `defaultValue` may be a function (for time-sensitive defaults like
+	// today's date) so the computed value is fresh each time the form resets.
+	const resolve = (v: unknown): unknown => (typeof v === 'function' ? (v as () => unknown)() : v);
 	for (const desc of REGISTRY.values()) {
 		for (const field of desc.eventFields) {
 			defaults[field.key] = field.default;
 		}
 		for (const extra of desc.extraTrackingFields ?? []) {
-			defaults[extra.key] = extra.defaultValue ?? '';
+			defaults[extra.key] = resolve(extra.defaultValue) ?? '';
 		}
 		for (const section of desc.featureSections ?? []) {
 			defaults[section.enabledField] = section.enabledDefault;
 			for (const f of section.fields) {
-				defaults[f.key] = f.defaultValue ?? '';
+				defaults[f.key] = resolve(f.defaultValue) ?? '';
 			}
 			for (const cb of section.checkboxes ?? []) {
 				defaults[cb.key] = cb.default;

frontend/src/lib/providers/types.ts

@@ -60,14 +60,31 @@ export interface EventTrackingField {
 export interface ExtraTrackingField {
 	key: string;
 	label: string;
-	type: 'number' | 'grid-select' | 'toggle';
+	/**
+	 * Control kind:
+	 * - `number`       — numeric spinner
+	 * - `grid-select`  — icon-grid chooser (requires `gridItems`)
+	 * - `toggle`       — on/off switch
+	 * - `date`         — HTML date picker (YYYY-MM-DD)
+	 * - `time`         — HTML time picker (HH:MM)
+	 * - `time-list`    — comma-separated HH:MM list, validated on blur
+	 */
+	type: 'number' | 'grid-select' | 'toggle' | 'date' | 'time' | 'time-list';
 	/** Grid-select item source function name from grid-items.ts. */
 	gridItems?: string;
 	gridColumns?: number;
 	hint?: string;
+	/** Inline helper text rendered under the input (not a tooltip). */
+	inlineHelp?: string;
 	min?: number;
 	max?: number;
-	defaultValue?: string | number | boolean;
+	/** For time-list: show live validation + auto-normalize on blur. */
+	validateFormat?: boolean;
+	/**
+	 * Default value. Can be a function for dynamic values (e.g. today's date)
+	 * evaluated each time the form is reset.
+	 */
+	defaultValue?: string | number | boolean | (() => string | number | boolean);
 }
 
 /** A feature section like periodic summary, scheduled assets, memory mode. */

frontend/src/routes/bots/TelegramBotTab.svelte

@@ -334,10 +334,12 @@
 								<span class="text-xs text-[var(--color-muted-foreground)]">@{bot.bot_username}</span>
 							{/if}
 							<!-- Mode badge -->
-							<span class="text-xs px-1.5 py-0.5 rounded font-mono {bot.update_mode === 'webhook'
+							<span class="text-xs px-1.5 py-0.5 rounded font-mono {(bot.update_mode || 'none') === 'webhook'
 								? 'bg-[var(--color-primary)]/10 text-[var(--color-primary)]'
-								: 'bg-[var(--color-success-bg)] text-[var(--color-success-fg)]'}">
-								{bot.update_mode === 'webhook' ? t('telegramBot.webhook') : t('telegramBot.polling')}
+								: (bot.update_mode || 'none') === 'polling'
+									? 'bg-[var(--color-success-bg)] text-[var(--color-success-fg)]'
+									: 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
+								{(bot.update_mode || 'none') === 'webhook' ? t('telegramBot.webhook') : (bot.update_mode || 'none') === 'polling' ? t('telegramBot.polling') : t('telegramBot.none')}
 							</span>
 						</div>
 						<p class="text-xs text-[var(--color-muted-foreground)] font-mono">{bot.token_preview}</p>
@@ -456,6 +458,14 @@
 							<p class="text-xs font-medium mb-2">{t('telegramBot.updateMode')}</p>
 							<div class="flex items-center gap-3 flex-wrap">
 								<div class="flex items-center rounded-md border border-[var(--color-border)] overflow-hidden">
+									<button onclick={() => switchMode(bot.id, 'none')}
+										disabled={modeChanging[bot.id] || (bot.update_mode || 'none') === 'none'}
+										class="px-3 py-1 text-xs transition-colors {(bot.update_mode || 'none') === 'none'
+											? 'bg-[var(--color-primary)] text-[var(--color-primary-foreground)]'
+											: 'hover:bg-[var(--color-muted)]'} disabled:opacity-70">
+										<MdiIcon name="mdiBellOff" size={14} />
+										{t('telegramBot.none')}
+									</button>
 									<button onclick={() => switchMode(bot.id, 'polling')}
 										disabled={modeChanging[bot.id] || bot.update_mode === 'polling'}
 										class="px-3 py-1 text-xs transition-colors {bot.update_mode === 'polling'
@@ -474,6 +484,13 @@
 									</button>
 								</div>
 
+								{#if (bot.update_mode || 'none') === 'none'}
+									<span class="text-xs text-[var(--color-muted-foreground)] flex items-center gap-1">
+										<MdiIcon name="mdiBellOff" size={14} />
+										{t('telegramBot.noneActive')}
+									</span>
+								{/if}
+
 								{#if bot.update_mode === 'polling'}
 									<span class="text-xs text-[var(--color-success-fg)] flex items-center gap-1">
 										<MdiIcon name="mdiCheckCircle" size={14} />

frontend/src/routes/command-template-configs/+page.svelte

@@ -54,6 +54,11 @@
 	let editing = $state<number | null>(null);
 	let error = $state('');
 	let confirmDelete = $state<{ id: number; onconfirm: () => Promise<void> } | null>(null);
+	let confirmReset = $state<{
+		kind: 'slot' | 'all';
+		slotKey?: string;
+		message: string;
+	} | null>(null);
 	let slotPreview = $state<Record<string, string>>({});
 	let slotErrors = $state<Record<string, string>>({});
 	let slotErrorLines = $state<Record<string, number | null>>({});
@@ -253,6 +258,58 @@
 		}
 	}
 
+	function resetSlotToDefault(slotKey: string) {
+		if (!form.provider_type) return;
+		confirmReset = {
+			kind: 'slot',
+			slotKey,
+			message: t('templateConfig.resetSlotConfirm').replace('{locale}', activeLocale.toUpperCase()),
+		};
+	}
+
+	function resetAllToDefaults() {
+		if (!form.provider_type) return;
+		confirmReset = {
+			kind: 'all',
+			message: t('templateConfig.resetAllConfirm').replace(/\{locale\}/g, activeLocale.toUpperCase()),
+		};
+	}
+
+	async function performReset() {
+		if (!confirmReset || !form.provider_type) return;
+		const { kind, slotKey } = confirmReset;
+		confirmReset = null;
+		try {
+			if (kind === 'slot' && slotKey) {
+				const res = await api<Record<string, Record<string, string>>>(
+					`/command-template-configs/defaults?provider_type=${encodeURIComponent(form.provider_type)}&slot_name=${encodeURIComponent(slotKey)}&locale=${encodeURIComponent(activeLocale)}`,
+				);
+				const text = res?.[slotKey]?.[activeLocale];
+				if (!text) {
+					snackError(t('templateConfig.resetNoDefault'));
+					return;
+				}
+				setSlotValue(slotKey, text);
+				validateSlot(slotKey, text, true);
+			} else {
+				const res = await api<Record<string, Record<string, string>>>(
+					`/command-template-configs/defaults?provider_type=${encodeURIComponent(form.provider_type)}&locale=${encodeURIComponent(activeLocale)}`,
+				);
+				const nextSlots = { ...form.slots };
+				for (const [key, localeMap] of Object.entries(res || {})) {
+					const text = localeMap?.[activeLocale];
+					if (text === undefined) continue;
+					nextSlots[key] = { ...(nextSlots[key] || {}), [activeLocale]: text };
+				}
+				form.slots = nextSlots;
+				refreshAllPreviews();
+			}
+			snackSuccess(t('templateConfig.resetApplied'));
+		} catch (err: any) {
+			snackError(err.message);
+		}
+	}
+
 	function clone(c: CmdTemplateConfig) {
 		const slotsCopy: Record<string, Record<string, string>> = {};
 		for (const [k, v] of Object.entries(c.slots)) {
@@ -343,7 +400,7 @@
 			<p class="text-xs text-[var(--color-muted-foreground)] mb-2">{t('cmdTemplateConfig.commandResponsesHint')}</p>
 
 			<!-- Locale tabs -->
-			<div class="flex gap-1 mb-3 border-b border-[var(--color-border)]">
+			<div class="flex items-center gap-1 mb-3 border-b border-[var(--color-border)]">
 				{#each LOCALES as loc}
 					<button type="button"
 						class="px-3 py-1.5 text-xs font-medium rounded-t-md transition-colors {activeLocale === loc ? 'bg-[var(--color-primary)] text-[var(--color-primary-foreground)]' : 'text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]'}"
@@ -351,6 +408,14 @@
 						{loc.toUpperCase()}
 					</button>
 				{/each}
+				{#if form.provider_type}
+					<button type="button" onclick={resetAllToDefaults}
+						title={t('templateConfig.resetAllToDefaults')}
+						class="ml-auto flex items-center gap-1 text-xs px-2 py-1 rounded-md border border-[var(--color-border)] text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]">
+						<MdiIcon name="mdiRefresh" size={12} />
+						{t('templateConfig.resetAllToDefaults')}
+					</button>
+				{/if}
 			</div>
 
 			<!-- Slot filter -->
@@ -381,6 +446,11 @@
 								<button type="button" onclick={() => showVarsFor = slot.name}
 									class="text-xs text-[var(--color-muted-foreground)] hover:underline">{t('templateConfig.variables')}</button>
 							{/if}
+							<button type="button" onclick={() => resetSlotToDefault(slot.name)}
+								title={t('templateConfig.resetToDefault')}
+								class="text-xs text-[var(--color-muted-foreground)] hover:underline">
+								{t('templateConfig.resetToDefault')}
+							</button>
 						</div>
 
 						{#if showPreviewFor.has(slot.name) && slotPreview[slot.name] && !slotErrors[slot.name]}
@@ -472,6 +542,14 @@
 <ConfirmModal open={confirmDelete !== null} message={t('cmdTemplateConfig.confirmDelete')}
 	onconfirm={() => confirmDelete?.onconfirm()} oncancel={() => confirmDelete = null} />
 
+<ConfirmModal open={confirmReset !== null}
+	title={t('templateConfig.resetToDefault')}
+	message={confirmReset?.message || ''}
+	confirmLabel={confirmReset?.kind === 'all' ? t('templateConfig.resetAllToDefaults') : t('templateConfig.resetToDefault')}
+	confirmIcon="mdiRefresh"
+	onconfirm={performReset}
+	oncancel={() => confirmReset = null} />
+
 <BlockedByModal open={!!blockedBy} detail={blockedBy} onclose={() => blockedBy = null} />
 
 <!-- Variables reference modal -->

frontend/src/routes/login/+page.svelte

@@ -15,13 +15,32 @@
 	let submitting = $state(false);
 	let mounted = $state(false);
 
+	let backendDown = $state(false);
+
 	onMount(async () => {
 		initTheme();
 		mounted = true;
+		// If the user is already signed in (valid access token in storage),
+		// there is no reason to show them the login form. loadUser() runs in
+		// the root layout; we just check the resolved state after a short tick.
+		const { isAuthenticated } = await import('$lib/api');
+		if (isAuthenticated()) {
+			try {
+				await api('/auth/me');
+				goto('/');
+				return;
+			} catch {
+				// Token was stale; fall through to the login form.
+			}
+		}
 		try {
 			const res = await api<{ needs_setup: boolean }>('/auth/needs-setup');
 			if (res.needs_setup) goto('/setup');
-		} catch { /* ignore */ }
+		} catch {
+			// The backend is unreachable — surface that distinctly so the user
+			// doesn't blame the login form for a network/backend problem.
+			backendDown = true;
+		}
 	});
 
 	async function handleSubmit(e: SubmitEvent) {
@@ -62,7 +81,12 @@
 		<p class="text-sm mt-1" style="color: var(--color-muted-foreground);">{t('auth.signInTitle')}</p>
 	</div>
 
-	{#if error}
+	{#if backendDown}
+		<div class="auth-error animate-fade-slide-in">
+			<MdiIcon name="mdiAlertCircle" size={16} />
+			{t('auth.backendUnreachable')}
+		</div>
+	{:else if error}
 		<div class="auth-error animate-fade-slide-in">
 			<MdiIcon name="mdiAlertCircle" size={16} />
 			{error}

frontend/src/routes/notification-trackers/+page.svelte

@@ -84,17 +84,23 @@
 	let testMenuStyle = $state('');
 
 	// Test types: basic is always available; periodic/scheduled/memory only for providers
-	// that have those notification slots in their capabilities
-	const allTestTypes: Record<string, { key: string; icon: string; labelKey: string; requiredSlot?: string }> = {
+	// that have those notification slots in their capabilities AND have the feature
+	// enabled on the tracker's default TrackingConfig. A disabled feature on the
+	// default config means cron dispatch won't fire it in production either — so
+	// the test button would just surface a silent skip.
+	const allTestTypes: Record<string, {
+		key: string; icon: string; labelKey: string;
+		requiredSlot?: string; enabledField?: string;
+	}> = {
 		basic: { key: 'basic', icon: 'mdiSend', labelKey: 'notificationTracker.testBasic' },
-		periodic: { key: 'periodic', icon: 'mdiCalendarClock', labelKey: 'notificationTracker.testPeriodic', requiredSlot: 'periodic_summary_message' },
-		scheduled: { key: 'scheduled', icon: 'mdiCalendarCheck', labelKey: 'notificationTracker.testScheduled', requiredSlot: 'scheduled_assets_message' },
-		memory: { key: 'memory', icon: 'mdiHistory', labelKey: 'notificationTracker.testMemory', requiredSlot: 'memory_mode_message' },
+		periodic: { key: 'periodic', icon: 'mdiCalendarClock', labelKey: 'notificationTracker.testPeriodic', requiredSlot: 'periodic_summary_message', enabledField: 'periodic_enabled' },
+		scheduled: { key: 'scheduled', icon: 'mdiCalendarCheck', labelKey: 'notificationTracker.testScheduled', requiredSlot: 'scheduled_assets_message', enabledField: 'scheduled_enabled' },
+		memory: { key: 'memory', icon: 'mdiHistory', labelKey: 'notificationTracker.testMemory', requiredSlot: 'memory_mode_message', enabledField: 'memory_enabled' },
 	};
 
 	let testMenuTrackerId = $state<number | null>(null);
 	let testTypes = $derived.by(() => {
-		const base = [allTestTypes.basic];
+		const base: { key: string; icon: string; labelKey: string; disabledReason?: string }[] = [allTestTypes.basic];
 		if (!testMenuTrackerId) return base;
 		const tracker = notificationTrackers.find(t => t.id === testMenuTrackerId);
 		if (!tracker) return base;
@@ -103,8 +109,18 @@
 		const caps = allCapabilities[provider.type];
 		if (!caps) return base;
 		const slotNames = new Set((caps.notification_slots || []).map((s: any) => s.name));
+		const defaultTc = trackingConfigs.find(c => c.id === tracker.default_tracking_config_id);
 		for (const tt of [allTestTypes.periodic, allTestTypes.scheduled, allTestTypes.memory]) {
-			if (tt.requiredSlot && slotNames.has(tt.requiredSlot)) base.push(tt);
+			if (!tt.requiredSlot || !slotNames.has(tt.requiredSlot)) continue;
+			const enabled = !!defaultTc && !!tt.enabledField && !!(defaultTc as any)[tt.enabledField];
+			base.push({
+				key: tt.key, icon: tt.icon, labelKey: tt.labelKey,
+				// When surfaced, the button still renders but is disabled and
+				// shows *why* — users who land here via the test menu without
+				// having toggled the feature on Tracking Config see a clear
+				// pointer to the missing setting instead of a silent failure.
+				disabledReason: enabled ? undefined : 'notificationTracker.testDisabledHint',
+			});
 		}
 		return base;
 	});
@@ -516,6 +532,15 @@
 	onclose={() => { linkWarning = null; }}
 	onautoCreate={autoCreateLinks}
 	ondismiss={dismissLinkWarning}
+	onupdate={(remaining) => {
+		if (!linkWarning) return;
+		if (remaining.length === 0) {
+			linkWarning = null;
+			doSave();
+		} else {
+			linkWarning = { ...linkWarning, albums: remaining };
+		}
+	}}
 />
 
 <ConfirmModal

frontend/src/routes/notification-trackers/SharedLinkModal.svelte

@@ -1,17 +1,50 @@
 <script lang="ts">
 	import { t } from '$lib/i18n';
+	import { api } from '$lib/api';
+	import { snackError, snackSuccess } from '$lib/stores/snackbar.svelte';
 	import Modal from '$lib/components/Modal.svelte';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 
+	interface AlbumIssue { id: string; name: string; issue: string }
+
 	interface Props {
-		linkWarning: { albums: any[]; providerId: number } | null;
+		linkWarning: { albums: AlbumIssue[]; providerId: number } | null;
 		linkCreating: boolean;
 		onclose: () => void;
 		onautoCreate: () => void;
 		ondismiss: () => void;
+		/** Called with the updated warning list after a per-row replace. */
+		onupdate?: (albums: AlbumIssue[]) => void;
 	}
 
-	let { linkWarning, linkCreating, onclose, onautoCreate, ondismiss }: Props = $props();
+	let { linkWarning, linkCreating, onclose, onautoCreate, ondismiss, onupdate }: Props = $props();
+
+	/** Per-row loading state for the "Replace" button. */
+	let replacing = $state<Record<string, boolean>>({});
+
+	/**
+	 * Expired and password-protected links can't be repaired in place — the
+	 * Immich API has no "reset" endpoint. The only remedy is to recreate the
+	 * link (which the backend does by POSTing a new one and returning it).
+	 * We surface the action per-row so users don't have to leave the form.
+	 */
+	async function replaceOne(album: AlbumIssue) {
+		if (!linkWarning) return;
+		replacing = { ...replacing, [album.id]: true };
+		try {
+			await api(`/providers/${linkWarning.providerId}/albums/${album.id}/shared-links`, {
+				method: 'POST',
+				body: JSON.stringify({ replace: true }),
+			});
+			snackSuccess(t('notificationTracker.createdLinks').replace('{count}', '1'));
+			const remaining = linkWarning.albums.filter(a => a.id !== album.id);
+			if (onupdate) onupdate(remaining);
+		} catch (err: any) {
+			snackError(t('notificationTracker.linkReplaceFailed').replace('{name}', album.name) + ': ' + err.message);
+		} finally {
+			replacing = { ...replacing, [album.id]: false };
+		}
+	}
 </script>
 
 <Modal open={linkWarning !== null} title={t('notificationTracker.missingLinksTitle')} onclose={onclose}>
@@ -19,13 +52,26 @@
 		<p class="text-sm mb-3" style="color: var(--color-muted-foreground);">
 			{t('notificationTracker.missingLinksDesc')}
 		</p>
-		<div class="space-y-1.5 mb-4 max-h-40 overflow-y-auto">
+		<div class="space-y-1.5 mb-4 max-h-60 overflow-y-auto">
 			{#each linkWarning.albums as album}
-				<div class="flex items-center justify-between text-sm px-2 py-1.5 rounded bg-[var(--color-muted)]/30">
-					<span class="font-medium">{album.name}</span>
-					<span class="text-xs px-1.5 py-0.5 rounded {album.issue === 'expired' ? 'bg-[var(--color-error-bg)] text-[var(--color-error-fg)]' : album.issue === 'password-protected' ? 'bg-[var(--color-warning-bg)] text-[var(--color-warning-fg)]' : 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
+				<div class="flex items-center justify-between gap-2 text-sm px-2 py-1.5 rounded bg-[var(--color-muted)]/30">
+					<div class="flex-1 min-w-0">
+						<span class="font-medium truncate block">{album.name}</span>
+						{#if album.issue === 'password-protected'}
+							<span class="text-[10px] block" style="color: var(--color-muted-foreground);">
+								{t('notificationTracker.linkPasswordProtectedNote')}
+							</span>
+						{/if}
+					</div>
+					<span class="text-xs px-1.5 py-0.5 rounded shrink-0 {album.issue === 'expired' ? 'bg-[var(--color-error-bg)] text-[var(--color-error-fg)]' : album.issue === 'password-protected' ? 'bg-[var(--color-warning-bg)] text-[var(--color-warning-fg)]' : 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
 						{album.issue === 'expired' ? t('notificationTracker.expired') : album.issue === 'password-protected' ? t('notificationTracker.passwordProtected') : t('notificationTracker.noLink')}
 					</span>
+					{#if album.issue === 'expired' || album.issue === 'password-protected'}
+						<button type="button" onclick={() => replaceOne(album)} disabled={replacing[album.id]}
+							class="text-xs px-2 py-1 rounded border border-[var(--color-border)] hover:bg-[var(--color-muted)] disabled:opacity-50 shrink-0">
+							{replacing[album.id] ? t('notificationTracker.linkReplacing') : t('notificationTracker.linkReplace')}
+						</button>
+					{/if}
 				</div>
 			{/each}
 		</div>

frontend/src/routes/notification-trackers/TestMenu.svelte

@@ -6,7 +6,13 @@
 		testMenuOpen: string | null;
 		testMenuStyle: string;
 		ttTesting: Record<string, string>;
-		testTypes: { key: string; icon: string; labelKey: string }[];
+		/**
+		 * When `disabledReason` is set, the button is rendered greyed out with a
+		 * tooltip pointing the user at the missing setting (e.g. "Enable Periodic
+		 * Summary in Tracking Config first"). Clicking is blocked — clicking an
+		 * unconfigured test would have surfaced as a silent server-side skip.
+		 */
+		testTypes: { key: string; icon: string; labelKey: string; disabledReason?: string }[];
 		ontest: (ttId: number, testType: string) => void;
 		onclose: () => void;
 	}
@@ -20,18 +26,27 @@
 		onclick={onclose}
 		onkeydown={(e) => { if (e.key === 'Escape') onclose(); }}>
 	</div>
-	<div style="{testMenuStyle} background:var(--color-card); border:1px solid var(--color-border); border-radius:0.5rem; box-shadow:0 10px 25px rgba(0,0,0,0.3); padding:0.25rem; min-width:10rem;">
+	<div style="{testMenuStyle} background:var(--color-card); border:1px solid var(--color-border); border-radius:0.5rem; box-shadow:0 10px 25px rgba(0,0,0,0.3); padding:0.25rem; min-width:12rem;">
 		{#each testTypes as tt}
+			{@const busy = !!ttTesting[`${testMenuOpen}_${tt.key}`]}
+			{@const blocked = !!tt.disabledReason}
 			<button
-				onclick={() => ontest(Number(testMenuOpen), tt.key)}
-				disabled={!!ttTesting[`${testMenuOpen}_${tt.key}`]}
+				onclick={() => { if (!blocked) ontest(Number(testMenuOpen), tt.key); }}
+				disabled={busy || blocked}
+				title={blocked ? t(tt.disabledReason!) : ''}
 				class="flex items-center gap-2 w-full px-3 py-1.5 text-sm rounded hover:bg-[var(--color-muted)] transition-colors disabled:opacity-50 text-left">
 				<MdiIcon name={tt.icon} size={14} />
 				{t(tt.labelKey)}
-				{#if ttTesting[`${testMenuOpen}_${tt.key}`]}
+				{#if blocked}
+					<MdiIcon name="mdiLock" size={12} />
+				{/if}
+				{#if busy}
 					<span class="ml-auto text-xs text-[var(--color-muted-foreground)]">...</span>
 				{/if}
 			</button>
+			{#if blocked}
+				<p class="px-3 pb-1 text-[10px]" style="color: var(--color-muted-foreground);">{t(tt.disabledReason!)}</p>
+			{/if}
 		{/each}
 	</div>
 {/if}

frontend/src/routes/notification-trackers/TrackerForm.svelte

@@ -4,6 +4,7 @@
 	import Card from '$lib/components/Card.svelte';
 	import IconPicker from '$lib/components/IconPicker.svelte';
 	import Hint from '$lib/components/Hint.svelte';
+	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import EntitySelect from '$lib/components/EntitySelect.svelte';
 	import MultiEntitySelect from '$lib/components/MultiEntitySelect.svelte';
 	import { getDescriptor } from '$lib/providers';
@@ -199,6 +200,22 @@
 		</div>
 		{/if}
 
+		<!-- Feature discovery: the periodic/scheduled/memory/quiet-hours controls
+		     live on the tracking config, not on the tracker itself. Surface this
+		     here so users don't have to stumble onto the feature by reading docs. -->
+		{#if providerType === 'immich'}
+		<div class="flex items-start gap-2 rounded-md border border-[var(--color-border)] bg-[var(--color-muted)]/30 px-3 py-2">
+			<span style="color: var(--color-primary);"><MdiIcon name="mdiInformationOutline" size={16} /></span>
+			<div class="flex-1 text-xs">
+				<p style="color: var(--color-muted-foreground);">{t('notificationTracker.featureDiscovery')}</p>
+				<a href="/tracking-configs" class="inline-flex items-center gap-1 text-[var(--color-primary)] hover:underline mt-1">
+					<MdiIcon name="mdiArrowRight" size={12} />
+					{t('notificationTracker.openTrackingConfig')}
+				</a>
+			</div>
+		</div>
+		{/if}
+
 		<button type="submit" disabled={submitting || linkCheckLoading} class="px-4 py-2 bg-[var(--color-primary)] text-[var(--color-primary-foreground)] rounded-md text-sm font-medium hover:opacity-90 disabled:opacity-50">
 			{#if linkCheckLoading}{t('notificationTracker.checkingLinks')}{:else}{editing ? t('common.save') : t('notificationTracker.createTracker')}{/if}
 		</button>

frontend/src/routes/settings/+page.svelte

@@ -37,6 +37,9 @@
 		telegram_asset_cache_max_entries: '5000',
 		supported_locales: 'en,ru',
 		timezone: 'UTC',
+		log_level: 'INFO',
+		log_format: 'text',
+		log_levels: '',
 	});
 	let cacheStats = $state<CacheStats | null>(null);
 
@@ -204,6 +207,40 @@
 			</div>
 		</Card>
 
+		<!-- Logging section -->
+		<Card>
+			<h3 class="text-sm font-semibold mb-4 flex items-center gap-2">
+				<MdiIcon name="mdiTextBoxOutline" size={18} />
+				{t('settings.logging')}
+			</h3>
+			<div class="grid grid-cols-1 sm:grid-cols-2 gap-4">
+				<div>
+					<label class="block text-xs font-medium mb-1">{t('settings.logLevel')}<Hint text={t('settings.logLevelHint')} /></label>
+					<select bind:value={settings.log_level}
+						class="w-full px-3 py-1.5 text-sm border border-[var(--color-border)] rounded-md bg-[var(--color-background)]">
+						<option value="DEBUG">DEBUG</option>
+						<option value="INFO">INFO</option>
+						<option value="WARNING">WARNING</option>
+						<option value="ERROR">ERROR</option>
+					</select>
+				</div>
+				<div>
+					<label class="block text-xs font-medium mb-1">{t('settings.logFormat')}<Hint text={t('settings.logFormatHint')} /></label>
+					<select bind:value={settings.log_format}
+						class="w-full px-3 py-1.5 text-sm border border-[var(--color-border)] rounded-md bg-[var(--color-background)]">
+						<option value="text">text</option>
+						<option value="json">json</option>
+					</select>
+				</div>
+				<div class="sm:col-span-2">
+					<label class="block text-xs font-medium mb-1">{t('settings.logLevels')}<Hint text={t('settings.logLevelsHint')} /></label>
+					<input bind:value={settings.log_levels}
+						placeholder="sqlalchemy.engine=WARNING,notify_bridge_core.notifications.telegram.client=DEBUG"
+						class="w-full px-3 py-1.5 text-sm border border-[var(--color-border)] rounded-md bg-[var(--color-background)] font-mono" />
+				</div>
+			</div>
+		</Card>
+
 		<Button onclick={save} disabled={saving}>
 			{saving ? t('common.loading') : t('common.save')}
 		</Button>

frontend/src/routes/template-configs/+page.svelte

@@ -42,6 +42,17 @@
 	let editing = $state<number | null>(null);
 	let error = $state('');
 	let confirmDelete = $state<{ id: number; onconfirm: () => Promise<void> } | null>(null);
+	/**
+	 * Reset-to-default confirmation prompt. ``kind: 'slot'`` confirms a
+	 * single-slot reset (slotKey populated); ``'all'`` confirms a full
+	 * locale-scoped wipe. Split from confirmDelete so the two flows can
+	 * coexist without stomping each other's state mid-dialog.
+	 */
+	let confirmReset = $state<{
+		kind: 'slot' | 'all';
+		slotKey?: string;
+		message: string;
+	} | null>(null);
 	let slotPreview = $state<Record<string, string>>({});
 	let slotErrors = $state<Record<string, string>>({});
 	let slotErrorLines = $state<Record<string, number | null>>({});
@@ -206,7 +217,40 @@
 				supportedLocalesCache.fetch(),
 			]);
 		} catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
-		finally { loaded = true; highlightFromUrl(); }
+		finally { loaded = true; highlightFromUrl(); handleDeepLink(); }
+	}
+
+	/**
+	 * Respond to ``?edit_slot=<slot_name>&provider=<type>`` deep-links from
+	 * other pages (currently the tracking-configs Preview-template modal).
+	 * Picks the first visible config matching ``provider``, opens it in edit
+	 * mode, and pre-expands the target slot. Strips the param from the URL so
+	 * a subsequent reload doesn't reopen the form unexpectedly.
+	 */
+	function handleDeepLink() {
+		if (typeof window === 'undefined') return;
+		const params = new URLSearchParams(window.location.search);
+		const slot = params.get('edit_slot');
+		if (!slot) return;
+		const provider = params.get('provider') || '';
+		const target = allTemplateConfigs.find(
+			c => !provider || c.provider_type === provider,
+		);
+		// Strip the deep-link param so reload/back doesn't replay it.
+		params.delete('edit_slot');
+		const qs = params.toString();
+		window.history.replaceState(null, '', window.location.pathname + (qs ? '?' + qs : ''));
+		if (!target) {
+			snackError(t('templateConfig.deepLinkNoConfig'));
+			return;
+		}
+		edit(target);
+		expandedSlots = new Set([slot]);
+		// Scroll the slot into view once the form has rendered.
+		setTimeout(() => {
+			const el = document.getElementById(`slot-${slot}`);
+			if (el) el.scrollIntoView({ behavior: 'smooth', block: 'start' });
+		}, 200);
 	}
 
 	function openNew() {
@@ -241,6 +285,65 @@
 		} catch (err: any) { error = err.message; snackError(err.message); }
 	}
 
+	/**
+	 * Ask the user to confirm a reset. The actual fetch+replace runs in
+	 * ``performReset`` after the ConfirmModal's onconfirm fires. Split into
+	 * two steps so we can use the app-wide ConfirmModal (consistent look,
+	 * keyboard handling) instead of ``window.confirm`` (blocks the page).
+	 */
+	function resetSlotToDefault(slotKey: string) {
+		if (!form.provider_type) return;
+		confirmReset = {
+			kind: 'slot',
+			slotKey,
+			message: t('templateConfig.resetSlotConfirm').replace('{locale}', activeLocale.toUpperCase()),
+		};
+	}
+
+	function resetAllToDefaults() {
+		if (!form.provider_type) return;
+		confirmReset = {
+			kind: 'all',
+			message: t('templateConfig.resetAllConfirm').replace(/\{locale\}/g, activeLocale.toUpperCase()),
+		};
+	}
+
+	async function performReset() {
+		if (!confirmReset || !form.provider_type) return;
+		const { kind, slotKey } = confirmReset;
+		confirmReset = null;
+		try {
+			if (kind === 'slot' && slotKey) {
+				const res = await api<Record<string, Record<string, string>>>(
+					`/template-configs/defaults?provider_type=${encodeURIComponent(form.provider_type)}&slot_name=${encodeURIComponent(slotKey)}&locale=${encodeURIComponent(activeLocale)}`,
+				);
+				const text = res?.[slotKey]?.[activeLocale];
+				if (!text) {
+					snackError(t('templateConfig.resetNoDefault'));
+					return;
+				}
+				setSlotValue(slotKey, text);
+				validateSlot(slotKey, text, true);
+			} else {
+				const res = await api<Record<string, Record<string, string>>>(
+					`/template-configs/defaults?provider_type=${encodeURIComponent(form.provider_type)}&locale=${encodeURIComponent(activeLocale)}`,
+				);
+				// Replace current-locale slots; leave other locales' values untouched.
+				const nextSlots = { ...form.slots };
+				for (const [key, localeMap] of Object.entries(res || {})) {
+					const text = localeMap?.[activeLocale];
+					if (text === undefined) continue;
+					nextSlots[key] = { ...(nextSlots[key] || {}), [activeLocale]: text };
+				}
+				form.slots = nextSlots;
+				refreshAllPreviews();
+			}
+			snackSuccess(t('templateConfig.resetApplied'));
+		} catch (err: any) {
+			snackError(err.message);
+		}
+	}
+
 	function clone(c: TemplateConfig) {
 		form = {
 			provider_type: c.provider_type,
@@ -321,7 +424,7 @@
 		</div>
 
 		<!-- Locale tabs -->
-		<div class="flex gap-1 mb-3 border-b border-[var(--color-border)]">
+		<div class="flex items-center gap-1 mb-3 border-b border-[var(--color-border)]">
 			{#each LOCALES as loc}
 				<button type="button"
 					class="px-3 py-1.5 text-xs font-medium rounded-t-md transition-colors {activeLocale === loc ? 'bg-[var(--color-primary)] text-[var(--color-primary-foreground)]' : 'text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]'}"
@@ -329,6 +432,14 @@
 					{loc.toUpperCase()}
 				</button>
 			{/each}
+			{#if form.provider_type}
+				<button type="button" onclick={resetAllToDefaults}
+					title={t('templateConfig.resetAllToDefaults')}
+					class="ml-auto flex items-center gap-1 text-xs px-2 py-1 rounded-md border border-[var(--color-border)] text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]">
+					<MdiIcon name="mdiRefresh" size={12} />
+					{t('templateConfig.resetAllToDefaults')}
+				</button>
+			{/if}
 		</div>
 
 		<!-- Slot filter -->
@@ -361,6 +472,7 @@
 								{/if}
 							</div>
 						{:else}
+							<div id="slot-{slot.key}">
 							<CollapsibleSlot
 								label={slot.key}
 								description={slot.description || t(`templateConfig.${slot.label}`, slot.label)}
@@ -379,6 +491,11 @@
 										<button type="button" onclick={() => showVarsFor = slot.key}
 											class="text-xs text-[var(--color-muted-foreground)] hover:underline">{t('templateConfig.variables')}</button>
 									{/if}
+									<button type="button" onclick={() => resetSlotToDefault(slot.key)}
+										title={t('templateConfig.resetToDefault')}
+										class="text-xs text-[var(--color-muted-foreground)] hover:underline">
+										{t('templateConfig.resetToDefault')}
+									</button>
 								</div>
 
 								{#if showPreviewFor.has(slot.key) && slotPreview[slot.key] && !slotErrors[slot.key]}
@@ -397,6 +514,7 @@
 									{/if}
 								{/if}
 							</CollapsibleSlot>
+							</div>
 						{/if}
 					{/each}
 				</div>
@@ -466,6 +584,14 @@
 <ConfirmModal open={confirmDelete !== null} message={t('templateConfig.confirmDelete')}
 	onconfirm={() => confirmDelete?.onconfirm()} oncancel={() => confirmDelete = null} />
 
+<ConfirmModal open={confirmReset !== null}
+	title={t('templateConfig.resetToDefault')}
+	message={confirmReset?.message || ''}
+	confirmLabel={confirmReset?.kind === 'all' ? t('templateConfig.resetAllToDefaults') : t('templateConfig.resetToDefault')}
+	confirmIcon="mdiRefresh"
+	onconfirm={performReset}
+	oncancel={() => confirmReset = null} />
+
 <BlockedByModal open={!!blockedBy} detail={blockedBy} onclose={() => blockedBy = null} />
 
 <!-- Variables reference modal -->

frontend/src/routes/tracking-configs/+page.svelte

@@ -12,6 +12,9 @@
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import EmptyState from '$lib/components/EmptyState.svelte';
 	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
+	import Modal from '$lib/components/Modal.svelte';
+	import { sanitizePreview } from '$lib/sanitize';
+	import { supportedLocalesCache } from '$lib/stores/caches.svelte';
 	import Hint from '$lib/components/Hint.svelte';
 	import IconButton from '$lib/components/IconButton.svelte';
 	import IconGridSelect from '$lib/components/IconGridSelect.svelte';
@@ -22,13 +25,150 @@
 	import { getDescriptor, buildTrackingFormDefaults } from '$lib/providers';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import Button from '$lib/components/Button.svelte';
-	import type { TrackingConfig } from '$lib/types';
 
 	/** Grid-select item source lookup — maps descriptor string name to actual function. */
 	const gridItemSources: Record<string, () => any[]> = {
 		sortByItems, sortOrderItems, albumModeItems, assetTypeItems, memorySourceItems,
 	};
 
+	/**
+	 * HH:MM, comma-separated: "09:00" or "09:00, 18:30" — the only format cron
+	 * dispatch accepts. Matched on blur for time-list fields; invalid values
+	 * are surfaced inline next to the input.
+	 */
+	const TIME_LIST_RE = /^\s*(?:[01]\d|2[0-3]):[0-5]\d(?:\s*,\s*(?:[01]\d|2[0-3]):[0-5]\d)*\s*$/;
+
+	/** Per-field error messages surfaced inline under time-list inputs. */
+	let timeListErrors = $state<Record<string, string>>({});
+
+	/** Normalize "9:0 , 18:30" → "09:00,18:30" on blur, clear error when valid. */
+	function normalizeTimeList(key: string) {
+		const raw = String(form[key] ?? '').trim();
+		if (!raw) { timeListErrors = { ...timeListErrors, [key]: '' }; return; }
+		if (!TIME_LIST_RE.test(raw)) {
+			// Try a lenient normalization: split on commas, zero-pad each part.
+			const parts = raw.split(',').map(p => p.trim()).filter(Boolean);
+			const fixed: string[] = [];
+			let ok = true;
+			for (const p of parts) {
+				const m = /^(\d{1,2}):(\d{1,2})$/.exec(p);
+				if (!m) { ok = false; break; }
+				const hh = Number(m[1]);
+				const mm = Number(m[2]);
+				if (!Number.isFinite(hh) || !Number.isFinite(mm) || hh < 0 || hh > 23 || mm < 0 || mm > 59) { ok = false; break; }
+				fixed.push(`${String(hh).padStart(2, '0')}:${String(mm).padStart(2, '0')}`);
+			}
+			if (ok) {
+				form[key] = fixed.join(',');
+				timeListErrors = { ...timeListErrors, [key]: '' };
+				return;
+			}
+			timeListErrors = { ...timeListErrors, [key]: t('trackingConfig.invalidTimeList') };
+			return;
+		}
+		// Canonicalise spacing.
+		form[key] = raw.split(',').map(s => s.trim()).join(',');
+		timeListErrors = { ...timeListErrors, [key]: '' };
+	}
+
+	/**
+	 * Quiet-hours preview: "22:00 → 07:00 next day (9h)" or "Quiet period is 0
+	 * minutes — adjust times" when start equals end. Handles overnight ranges
+	 * (start > end) correctly.
+	 */
+	function quietHoursPreview(start: string, end: string): string {
+		if (!start || !end) return '';
+		const [sh, sm] = start.split(':').map(Number);
+		const [eh, em] = end.split(':').map(Number);
+		if (![sh, sm, eh, em].every(Number.isFinite)) return '';
+		const sMin = sh * 60 + sm;
+		const eMin = eh * 60 + em;
+		if (sMin === eMin) return t('trackingConfig.quietHoursZero');
+		const overnight = sMin > eMin;
+		const span = overnight ? (24 * 60 - sMin) + eMin : eMin - sMin;
+		const h = Math.floor(span / 60);
+		const m = span % 60;
+		const dur = m === 0 ? `${h}h` : `${h}h ${m}m`;
+		const arrow = overnight
+			? `${start} → ${end} ${t('trackingConfig.nextDay')}`
+			: `${start} → ${end}`;
+		return `${arrow} (${dur})`;
+	}
+
+	function gotoTemplateConfig(slotName: string) {
+		// Deep-link to the template configs page: pass the slot as a query
+		// param (``edit_slot``) so the destination can auto-open the first
+		// matching config in edit mode and expand that slot. Plain hashes
+		// like ``#slot-X`` were a no-op because slots don't exist in the DOM
+		// until a config is being edited.
+		const u = new URL('/template-configs', window.location.origin);
+		u.searchParams.set('provider', 'immich');
+		u.searchParams.set('edit_slot', slotName);
+		window.location.href = u.toString();
+	}
+
+	/**
+	 * Inline preview of the shipped default template for a scheduled/periodic/
+	 * memory slot. Using the shipped default (not a tracker's current template)
+	 * keeps this scoped to the tracking-config page — which has no concept of
+	 * which TemplateConfig a given tracker uses. Users who want to edit the
+	 * actual config can click "Edit template" in the modal footer.
+	 *
+	 * ``previewLocale`` is modal-scoped so switching tabs only refetches for
+	 * this preview — the user's UI locale (and other previews) are untouched.
+	 */
+	let previewModal = $state<{ slotName: string; rendered: string; error: string; locale: string } | null>(null);
+	let previewLoading = $state(false);
+	let previewLocales = $derived(supportedLocalesCache.items);
+
+	async function openTemplatePreview(slotName: string) {
+		await supportedLocalesCache.fetch();
+		const initialLocale = previewLocales.includes('en') ? 'en' : (previewLocales[0] || 'en');
+		await renderPreviewFor(slotName, initialLocale);
+	}
+
+	async function renderPreviewFor(slotName: string, locale: string) {
+		previewLoading = true;
+		try {
+			const defaults = await api<Record<string, Record<string, string>>>(
+				`/template-configs/defaults?provider_type=immich&slot_name=${encodeURIComponent(slotName)}&locale=${encodeURIComponent(locale)}`,
+			);
+			const template = defaults?.[slotName]?.[locale];
+			if (!template) {
+				previewModal = { slotName, rendered: '', error: t('templateConfig.resetNoDefault'), locale };
+				return;
+			}
+			const res = await api<{ rendered?: string; error?: string }>(
+				'/template-configs/preview-raw',
+				{
+					method: 'POST',
+					body: JSON.stringify({
+						template,
+						target_type: 'telegram',
+						date_format: '%d.%m.%Y, %H:%M UTC',
+						date_only_format: '%d.%m.%Y',
+					}),
+				},
+			);
+			previewModal = {
+				slotName,
+				rendered: res?.rendered || '',
+				error: res?.error || '',
+				locale,
+			};
+		} catch (err: any) {
+			previewModal = { slotName, rendered: '', error: err.message, locale };
+		} finally {
+			previewLoading = false;
+		}
+	}
+
+	const SLOT_FOR_SECTION: Record<string, string> = {
+		periodic: 'periodic_summary_message',
+		scheduled: 'scheduled_assets_message',
+		memory: 'memory_mode_message',
+	};
+
 	let allConfigs = $derived(trackingConfigsCache.items);
 	let filterText = $state('');
 	let filterType = $state('');
@@ -161,10 +301,20 @@
 				{t(section.legend)}
 				{#if section.legendHint}<Hint text={t(section.legendHint)} />{/if}
 			</legend>
-			<label class="flex items-center gap-2 text-sm mt-1">
-				<input type="checkbox" bind:checked={form[section.enabledField]} />
-				{t('trackingConfig.enabled')}
-			</label>
+			<div class="flex items-center justify-between mt-1">
+				<label class="flex items-center gap-2 text-sm">
+					<input type="checkbox" bind:checked={form[section.enabledField]} />
+					{t('trackingConfig.enabled')}
+				</label>
+				{#if SLOT_FOR_SECTION[section.key]}
+					<button type="button" onclick={() => openTemplatePreview(SLOT_FOR_SECTION[section.key])}
+						class="text-xs text-[var(--color-primary)] hover:underline inline-flex items-center gap-1"
+						disabled={previewLoading}>
+						<MdiIcon name="mdiEyeOutline" size={14} />
+						{t('trackingConfig.previewTemplate')}
+					</button>
+				{/if}
+			</div>
 			{#if form[section.enabledField]}
 			<div class="grid grid-cols-3 gap-3 mt-3">
 				{#each section.fields as field (field.key)}
@@ -181,17 +331,32 @@
 						{:else if field.type === 'grid-select' && field.gridItems}
 							<IconGridSelect items={gridItemSources[field.gridItems]()} bind:value={form[field.key]} columns={field.gridColumns ?? 2} compact />
 						{:else}
-							<input type={field.key.includes('date') ? 'date'
-									: field.key.startsWith('quiet_hours_') ? 'time'
-									: field.key.includes('times') ? 'text'
-									: 'number'}
+							{@const inputType = field.type === 'date' ? 'date'
+								: field.type === 'time' ? 'time'
+								: field.type === 'time-list' ? 'text'
+								: 'number'}
+							{@const hasError = field.type === 'time-list' && !!timeListErrors[field.key]}
+							<input type={inputType}
 								bind:value={form[field.key]} min={field.min} max={field.max}
-								placeholder={field.key.includes('times') || field.key.startsWith('quiet_hours_') ? String(field.defaultValue ?? '') : ''}
-								class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+								onblur={field.type === 'time-list' && field.validateFormat ? () => normalizeTimeList(field.key) : undefined}
+								placeholder={field.type === 'time-list' || field.type === 'time' ? String(typeof field.defaultValue === 'function' ? field.defaultValue() : (field.defaultValue ?? '')) : ''}
+								class="w-full px-2 py-1 border rounded-md text-sm bg-[var(--color-background)] {hasError ? 'border-[var(--color-error-fg)]' : 'border-[var(--color-border)]'}" />
+							{#if field.inlineHelp}
+								<p class="text-[10px] mt-0.5" style="color: var(--color-muted-foreground);">{t(field.inlineHelp)}</p>
+							{/if}
+							{#if hasError}
+								<p class="text-[10px] mt-0.5" style="color: var(--color-error-fg);">{timeListErrors[field.key]}</p>
+							{/if}
 						{/if}
 					</div>
 				{/each}
 			</div>
+			{#if section.key === 'quietHours' && form.quiet_hours_start && form.quiet_hours_end}
+				<p class="text-xs mt-2" style="color: var(--color-muted-foreground);">
+					<MdiIcon name="mdiWeatherNight" size={12} />
+					{quietHoursPreview(String(form.quiet_hours_start), String(form.quiet_hours_end))}
+				</p>
+			{/if}
 			{/if}
 		</fieldset>
 		{/each}
@@ -268,7 +433,63 @@
 
 <BlockedByModal open={!!blockedBy} detail={blockedBy} onclose={() => blockedBy = null} />
 
+<Modal open={previewModal !== null}
+	title={previewModal ? `${t('trackingConfig.previewTemplate')} — ${previewModal.slotName}` : ''}
+	onclose={() => previewModal = null}>
+	{#if previewModal}
+		{#if previewLocales.length > 1}
+			<div class="flex gap-1 mb-3 border-b border-[var(--color-border)]">
+				{#each previewLocales as loc}
+					<button type="button"
+						onclick={() => renderPreviewFor(previewModal!.slotName, loc)}
+						disabled={previewLoading}
+						class="px-3 py-1.5 text-xs font-medium rounded-t-md transition-colors {previewModal.locale === loc ? 'bg-[var(--color-primary)] text-[var(--color-primary-foreground)]' : 'text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]'} disabled:opacity-50">
+						{loc.toUpperCase()}
+					</button>
+				{/each}
+			</div>
+		{/if}
+		<p class="text-xs mb-3" style="color: var(--color-muted-foreground);">
+			{t('trackingConfig.previewSampleNote')}
+		</p>
+		<!-- Keep the prior rendered/error box mounted while refetching on locale
+		     switch — just dim it. Unmounting and replacing with a small "…"
+		     placeholder caused a one-frame layout jump as the modal shrank and
+		     then re-expanded. -->
+		<div class="relative mb-3" style="opacity: {previewLoading ? 0.5 : 1}; transition: opacity 0.15s ease;">
+			{#if previewModal.error}
+				<div class="p-3 rounded text-xs" style="background: var(--color-error-bg); color: var(--color-error-fg);">
+					{previewModal.error}
+				</div>
+			{:else if previewModal.rendered}
+				<div class="p-3 bg-[var(--color-muted)] rounded text-sm preview-html">
+					<pre class="whitespace-pre-wrap text-xs">{@html sanitizePreview(previewModal.rendered)}</pre>
+				</div>
+			{:else}
+				<div class="p-3 text-xs" style="color: var(--color-muted-foreground);">…</div>
+			{/if}
+		</div>
+		<div class="flex gap-2 justify-end mt-3">
+			<button type="button" onclick={() => { const s = previewModal!.slotName; previewModal = null; gotoTemplateConfig(s); }}
+				class="text-xs px-3 py-1.5 rounded-md border border-[var(--color-border)] hover:bg-[var(--color-muted)]">
+				{t('trackingConfig.editTemplate')}
+			</button>
+			<button type="button" onclick={() => previewModal = null}
+				class="text-xs px-3 py-1.5 rounded-md bg-[var(--color-primary)] text-[var(--color-primary-foreground)]">
+				{t('common.close')}
+			</button>
+		</div>
+	{/if}
+</Modal>
+
 <style>
+	:global(.preview-html a) {
+		color: var(--color-primary);
+		text-decoration: underline;
+	}
+	:global(.preview-html a:hover) {
+		opacity: 0.8;
+	}
 	.toggle-switch {
 		position: relative;
 		display: inline-flex;

packages/core/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "notify-bridge-core"
-version = "0.3.2"
+version = "0.5.1"
 description = "Core library for Notify Bridge — service provider abstractions, models, notifications, and templates"
 requires-python = ">=3.12"
 dependencies = [

packages/core/src/notify_bridge_core/log_context.py

@@ -0,0 +1,66 @@
+"""Request-scoped ContextVars that propagate into log records.
+
+The server sets these at entry points (Telegram webhook, scheduler dispatch,
+REST call) and they propagate through async calls automatically. A
+``LogRecordFactory`` installed by ``notify_bridge_server.logging_setup``
+reads them so every log line is tagged (``request_id``, ``command``,
+``chat_id``, ``bot_id``, ``dispatch_id``) without each call site having
+to pass the values explicitly.
+
+Kept in ``notify_bridge_core`` so core modules (``TelegramClient``,
+``NotificationDispatcher``) can *set* additional context (e.g. a
+``dispatch_id``) without depending on the server package.
+"""
+
+from __future__ import annotations
+
+from contextlib import contextmanager
+from contextvars import ContextVar, Token
+from typing import Any, Iterator
+
+request_id_var: ContextVar[str | None] = ContextVar("request_id", default=None)
+command_var: ContextVar[str | None] = ContextVar("command", default=None)
+chat_id_var: ContextVar[str | None] = ContextVar("chat_id", default=None)
+bot_id_var: ContextVar[int | None] = ContextVar("bot_id", default=None)
+dispatch_id_var: ContextVar[str | None] = ContextVar("dispatch_id", default=None)
+
+_VAR_MAP: dict[str, ContextVar[Any]] = {
+    "request_id": request_id_var,
+    "command": command_var,
+    "chat_id": chat_id_var,
+    "bot_id": bot_id_var,
+    "dispatch_id": dispatch_id_var,
+}
+
+
+@contextmanager
+def bind_log_context(**kwargs: Any) -> Iterator[None]:
+    """Bind the given context fields for the duration of the ``with`` block.
+
+    Unknown keys are ignored so callers can pass whatever they want without
+    an ``if`` ladder. Values are reset on exit even if the block raises.
+
+    Example:
+        ``with bind_log_context(request_id="abc", command="random"): ...``
+    """
+    tokens: list[tuple[ContextVar[Any], Token]] = []
+    try:
+        for key, value in kwargs.items():
+            var = _VAR_MAP.get(key)
+            if var is None:
+                continue
+            tokens.append((var, var.set(value)))
+        yield
+    finally:
+        for var, tok in tokens:
+            var.reset(tok)
+
+
+def current_log_context() -> dict[str, Any]:
+    """Return a snapshot of the currently-bound context values (non-None)."""
+    snap: dict[str, Any] = {}
+    for key, var in _VAR_MAP.items():
+        val = var.get()
+        if val is not None:
+            snap[key] = val
+    return snap

packages/core/src/notify_bridge_core/notifications/discord/client.py

@@ -52,22 +52,46 @@ class DiscordClient:
 
         return {"success": True}
 
+    _MAX_RETRIES = 3
+    _MAX_RETRY_AFTER = 60.0
+
     async def _post(self, url: str, payload: dict) -> dict[str, Any]:
-        try:
-            async with self._session.post(
-                url, json=payload, headers={"Content-Type": "application/json"}
-            ) as resp:
-                if resp.status == 429:
-                    retry_after = float(resp.headers.get("Retry-After", "2"))
-                    _LOGGER.warning("Discord rate limited, retrying after %.1fs", retry_after)
-                    await asyncio.sleep(retry_after)
-                    return await self._post(url, payload)
-                if 200 <= resp.status < 300:
-                    return {"success": True}
-                body = await resp.text()
-                return {"success": False, "error": f"HTTP {resp.status}: {body[:200]}"}
-        except aiohttp.ClientError as e:
-            return {"success": False, "error": str(e)}
+        """POST with bounded 429 retry.
+
+        We cap retries at _MAX_RETRIES and the ``Retry-After`` header at
+        _MAX_RETRY_AFTER seconds so a hostile or misbehaving upstream cannot
+        pin the dispatch task indefinitely.
+        """
+        for attempt in range(self._MAX_RETRIES + 1):
+            try:
+                async with self._session.post(
+                    url,
+                    json=payload,
+                    headers={"Content-Type": "application/json"},
+                    allow_redirects=False,
+                ) as resp:
+                    if resp.status == 429 and attempt < self._MAX_RETRIES:
+                        try:
+                            retry_after = float(resp.headers.get("Retry-After", "2"))
+                        except (TypeError, ValueError):
+                            retry_after = 2.0
+                        retry_after = max(0.0, min(retry_after, self._MAX_RETRY_AFTER))
+                        _LOGGER.warning(
+                            "Discord rate limited, retrying after %.1fs (attempt %d/%d)",
+                            retry_after, attempt + 1, self._MAX_RETRIES,
+                        )
+                        await asyncio.sleep(retry_after)
+                        continue
+                    if 200 <= resp.status < 300:
+                        return {"success": True}
+                    body = await resp.text()
+                    return {
+                        "success": False,
+                        "error": f"HTTP {resp.status}: {body[:200]}",
+                    }
+            except aiohttp.ClientError as e:
+                return {"success": False, "error": str(e)}
+        return {"success": False, "error": "Rate limited (retries exhausted)"}
 
 
 def _split_message(text: str, limit: int) -> list[str]:

packages/core/src/notify_bridge_core/notifications/dispatcher.py

@@ -3,16 +3,19 @@
 from __future__ import annotations
 
 import asyncio
+import contextlib
 import logging
+import uuid
 from dataclasses import dataclass, field
-from typing import Any
+from typing import Any, AsyncIterator
 
 import aiohttp
 
+from notify_bridge_core.log_context import bind_log_context, dispatch_id_var
 from notify_bridge_core.models.events import ServiceEvent
 from notify_bridge_core.templates.context import build_template_context
 from notify_bridge_core.templates.renderer import render_template
-from .ssrf import UnsafeURLError, validate_outbound_url
+from .ssrf import UnsafeURLError, avalidate_outbound_url
 
 _HTTP_TIMEOUT = aiohttp.ClientTimeout(total=30)
 
@@ -82,9 +85,28 @@ class NotificationDispatcher:
         *,
         url_cache: TelegramFileCache | None = None,
         asset_cache: TelegramFileCache | None = None,
+        session: aiohttp.ClientSession | None = None,
     ) -> None:
         self._url_cache = url_cache
         self._asset_cache = asset_cache
+        # Optional shared session owned by the caller; when supplied we reuse
+        # its connection pool instead of opening a fresh per-dispatch session
+        # (saves a TLS handshake per outbound call).
+        self._shared_session = session
+
+    @contextlib.asynccontextmanager
+    async def _session_ctx(self) -> AsyncIterator[aiohttp.ClientSession]:
+        """Yield an aiohttp session, reusing the shared one if provided.
+
+        When a shared session was passed in ``__init__`` we yield it without
+        closing (the caller owns its lifetime). Otherwise we open a
+        short-lived session with our default timeout and close it on exit.
+        """
+        if self._shared_session is not None and not self._shared_session.closed:
+            yield self._shared_session
+            return
+        async with _new_session() as session:
+            yield session
 
     async def dispatch(
         self,
@@ -95,18 +117,40 @@ class NotificationDispatcher:
 
         Returns list of results (one per target).
         """
-        raw_results = await asyncio.gather(
-            *[self._send_to_target(event, t) for t in targets],
-            return_exceptions=True,
-        )
-        results = []
-        for raw in raw_results:
-            if isinstance(raw, Exception):
-                _LOGGER.error("Failed to dispatch to target: %s", raw)
-                results.append({"success": False, "error": str(raw)})
-            else:
-                results.append(raw)
-        return results
+        # Bind a dispatch_id so every log line emitted by the target sends
+        # (including deep in TelegramClient) can be correlated to the same
+        # upstream event.
+        new_id = dispatch_id_var.get() or f"disp:{uuid.uuid4().hex[:12]}"
+
+        with bind_log_context(dispatch_id=new_id):
+            _LOGGER.info(
+                "Dispatching event %s (collection=%r) to %d target(s)",
+                event.event_type.value if hasattr(event.event_type, "value") else event.event_type,
+                getattr(event, "collection_name", None), len(targets),
+            )
+            raw_results = await asyncio.gather(
+                *[self._send_to_target(event, t) for t in targets],
+                return_exceptions=True,
+            )
+            results = []
+            failures = 0
+            for target, raw in zip(targets, raw_results):
+                if isinstance(raw, Exception):
+                    failures += 1
+                    _LOGGER.error(
+                        "Dispatch to target type=%s failed: %s",
+                        target.type, raw, exc_info=raw,
+                    )
+                    results.append({"success": False, "error": str(raw)})
+                else:
+                    if isinstance(raw, dict) and not raw.get("success"):
+                        failures += 1
+                    results.append(raw)
+            _LOGGER.info(
+                "Dispatch finished: %d target(s), %d failure(s)",
+                len(targets), failures,
+            )
+            return results
 
     def _resolve_template(
         self, event: ServiceEvent, target: TargetConfig, locale: str,
@@ -284,7 +328,7 @@ class NotificationDispatcher:
                 media_assets.append(asset)
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             # Preload all asset bytes once so (a) TelegramClient can skip its
             # own download and (b) we know exact upload sizes in time for the
             # oversize warning in the rendered text.
@@ -354,13 +398,13 @@ class NotificationDispatcher:
             return {"success": False, "error": "No receivers configured"}
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             for receiver in target.receivers:
                 if not isinstance(receiver, WebhookReceiver) or not receiver.url:
                     results.append({"success": False, "error": "Invalid webhook receiver"})
                     continue
                 try:
-                    validate_outbound_url(receiver.url)
+                    await avalidate_outbound_url(receiver.url)
                 except UnsafeURLError as err:
                     results.append({"success": False, "error": f"Unsafe URL: {err}"})
                     continue
@@ -428,14 +472,14 @@ class NotificationDispatcher:
         username = target.config.get("username")
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             client = DiscordClient(session)
             for receiver in target.receivers:
                 if not isinstance(receiver, DiscordReceiver) or not receiver.webhook_url:
                     results.append({"success": False, "error": "Invalid discord receiver"})
                     continue
                 try:
-                    validate_outbound_url(receiver.webhook_url)
+                    await avalidate_outbound_url(receiver.webhook_url)
                 except UnsafeURLError as err:
                     results.append({"success": False, "error": f"Unsafe URL: {err}"})
                     continue
@@ -454,14 +498,14 @@ class NotificationDispatcher:
         username = target.config.get("username")
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             client = SlackClient(session)
             for receiver in target.receivers:
                 if not isinstance(receiver, SlackReceiver) or not receiver.webhook_url:
                     results.append({"success": False, "error": "Invalid slack receiver"})
                     continue
                 try:
-                    validate_outbound_url(receiver.webhook_url)
+                    await avalidate_outbound_url(receiver.webhook_url)
                 except UnsafeURLError as err:
                     results.append({"success": False, "error": f"Unsafe URL: {err}"})
                     continue
@@ -480,14 +524,14 @@ class NotificationDispatcher:
         if not target.receivers:
             return {"success": False, "error": "No receivers configured"}
         try:
-            validate_outbound_url(server_url)
+            await avalidate_outbound_url(server_url)
         except UnsafeURLError as err:
             return {"success": False, "error": f"Unsafe ntfy server_url: {err}"}
 
         title = f"{event.event_type.value}: {event.collection_name}"
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             client = NtfyClient(session)
             for receiver in target.receivers:
                 if not isinstance(receiver, NtfyReceiver) or not receiver.topic:
@@ -511,7 +555,7 @@ class NotificationDispatcher:
         if not homeserver or not access_token:
             return {"success": False, "error": "Missing Matrix homeserver_url or access_token"}
         try:
-            validate_outbound_url(homeserver)
+            await avalidate_outbound_url(homeserver)
         except UnsafeURLError as err:
             return {"success": False, "error": f"Unsafe matrix homeserver_url: {err}"}
 
@@ -519,7 +563,7 @@ class NotificationDispatcher:
             return {"success": False, "error": "No receivers configured"}
 
         results: list[dict[str, Any]] = []
-        async with _new_session() as session:
+        async with self._session_ctx() as session:
             client = MatrixClient(session, homeserver, access_token)
             for receiver in target.receivers:
                 if not isinstance(receiver, MatrixReceiver) or not receiver.room_id:

packages/core/src/notify_bridge_core/notifications/matrix/client.py

@@ -68,7 +68,9 @@ class MatrixClient:
         }
 
         try:
-            async with self._session.put(url, json=body, headers=headers) as resp:
+            async with self._session.put(
+                url, json=body, headers=headers, allow_redirects=False,
+            ) as resp:
                 if 200 <= resp.status < 300:
                     return {"success": True}
                 resp_body = await resp.text()

packages/core/src/notify_bridge_core/notifications/ntfy/client.py

@@ -51,7 +51,9 @@ class NtfyClient:
             headers["Authorization"] = f"Bearer {auth_token}"
 
         try:
-            async with self._session.post(url, json=payload, headers=headers) as resp:
+            async with self._session.post(
+                url, json=payload, headers=headers, allow_redirects=False,
+            ) as resp:
                 if 200 <= resp.status < 300:
                     return {"success": True}
                 body = await resp.text()

packages/core/src/notify_bridge_core/notifications/slack/client.py

@@ -38,6 +38,7 @@ class SlackClient:
                 webhook_url,
                 json=payload,
                 headers={"Content-Type": "application/json"},
+                allow_redirects=False,
             ) as resp:
                 if resp.status == 429:
                     _LOGGER.warning("Slack rate limited")

packages/core/src/notify_bridge_core/notifications/ssrf.py

@@ -12,14 +12,25 @@ development against localhost services.
 
 from __future__ import annotations
 
+import asyncio
 import ipaddress
+import logging
 import os
 import socket
 from urllib.parse import urlparse
 
+_LOGGER = logging.getLogger(__name__)
+
 _ALLOW_PRIVATE = os.environ.get("NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS") == "1"
 _ALLOWED_SCHEMES = {"http", "https"}
 
+if _ALLOW_PRIVATE:  # pragma: no cover — operator-visible banner
+    _LOGGER.warning(
+        "SSRF guard: private-URL bypass ENABLED "
+        "(NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1). Requests to RFC1918 / "
+        "loopback / link-local hosts will be permitted."
+    )
+
 
 class UnsafeURLError(ValueError):
     """Raised when a URL targets a disallowed network destination."""
@@ -36,13 +47,7 @@ def _is_blocked_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
     )
 
 
-def validate_outbound_url(url: str) -> str:
-    """Validate ``url`` is safe to fetch; returns the URL on success.
-
-    Raises :class:`UnsafeURLError` when the scheme, host, or resolved IP
-    is not allowed. In development (``NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1``)
-    private addresses are permitted but the scheme check still applies.
-    """
+def _check_scheme_host(url: str) -> tuple[str, str]:
     if not isinstance(url, str) or not url:
         raise UnsafeURLError("URL is empty")
     parsed = urlparse(url)
@@ -51,6 +56,31 @@ def validate_outbound_url(url: str) -> str:
     host = parsed.hostname
     if not host:
         raise UnsafeURLError("URL has no host")
+    return parsed.scheme, host
+
+
+def _check_resolved_addresses(host: str, infos: list[tuple]) -> None:
+    for info in infos:
+        sockaddr = info[4]
+        try:
+            ip = ipaddress.ip_address(sockaddr[0])
+        except ValueError:
+            continue
+        if _is_blocked_ip(ip):
+            raise UnsafeURLError(f"Host {host} resolves to blocked address {ip}")
+
+
+def validate_outbound_url(url: str) -> str:
+    """Validate ``url`` is safe to fetch; returns the URL on success.
+
+    Raises :class:`UnsafeURLError` when the scheme, host, or resolved IP
+    is not allowed. In development (``NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1``)
+    private addresses are permitted but the scheme check still applies.
+
+    Synchronous; uses blocking ``socket.getaddrinfo``. Prefer
+    :func:`avalidate_outbound_url` from async code paths.
+    """
+    _, host = _check_scheme_host(url)
 
     if _ALLOW_PRIVATE:
         return url
@@ -64,17 +94,37 @@ def validate_outbound_url(url: str) -> str:
     except ValueError:
         pass
 
-    # Hostname — resolve and reject if any resolution is in a blocked range.
     try:
         infos = socket.getaddrinfo(host, None)
     except socket.gaierror as exc:
         raise UnsafeURLError(f"DNS resolution failed for {host}") from exc
-    for info in infos:
-        sockaddr = info[4]
-        try:
-            ip = ipaddress.ip_address(sockaddr[0])
-        except ValueError:
-            continue
-        if _is_blocked_ip(ip):
-            raise UnsafeURLError(f"Host {host} resolves to blocked address {ip}")
+    _check_resolved_addresses(host, infos)
+    return url
+
+
+async def avalidate_outbound_url(url: str) -> str:
+    """Async variant that resolves DNS via the running loop's resolver.
+
+    Use this from ``async def`` code paths to avoid blocking the event
+    loop on DNS lookups.
+    """
+    _, host = _check_scheme_host(url)
+
+    if _ALLOW_PRIVATE:
+        return url
+
+    try:
+        ip = ipaddress.ip_address(host)
+        if _is_blocked_ip(ip):
+            raise UnsafeURLError(f"Host {host} is in a blocked range")
+        return url
+    except ValueError:
+        pass
+
+    loop = asyncio.get_running_loop()
+    try:
+        infos = await loop.getaddrinfo(host, None)
+    except socket.gaierror as exc:
+        raise UnsafeURLError(f"DNS resolution failed for {host}") from exc
+    _check_resolved_addresses(host, infos)
     return url

packages/core/src/notify_bridge_core/notifications/telegram/client.py

@@ -162,8 +162,20 @@ class TelegramClient:
                         "message_id": result.get("result", {}).get("message_id"),
                         "cached": True,
                     }
-        except aiohttp.ClientError:
-            pass
+                # Non-ok from a cached send — file_id stale or file deleted on
+                # Telegram's side. Log at DEBUG so operators who are hunting
+                # "why didn't the cached send work?" can see it, but the
+                # caller will fall through to a fresh upload.
+                _LOGGER.debug(
+                    "Telegram %s (cached) returned non-ok: status=%s code=%s desc=%r — falling back to fresh upload",
+                    kind.api_method, response.status, result.get("error_code"),
+                    result.get("description"),
+                )
+        except aiohttp.ClientError as err:
+            _LOGGER.debug(
+                "Telegram %s (cached) transport error — falling back to fresh upload: %s",
+                kind.api_method, err,
+            )
         return None
 
     async def _upload_media(
@@ -203,8 +215,17 @@ class TelegramClient:
                             thumbhash=thumbhash, size=len(data),
                         )
                     return {"success": True, "message_id": res.get("message_id")}
+                _LOGGER.error(
+                    "Telegram %s failed: status=%s code=%s desc=%r bytes=%d",
+                    kind.api_method, response.status, result.get("error_code"),
+                    result.get("description", "Unknown"), len(data),
+                )
                 return {"success": False, "error": result.get("description", "Unknown Telegram error")}
         except aiohttp.ClientError as err:
+            _LOGGER.error(
+                "Telegram %s transport error (bytes=%d): %s",
+                kind.api_method, len(data), err, exc_info=True,
+            )
             return {"success": False, "error": str(err)}
 
     async def send_notification(
@@ -327,8 +348,14 @@ class TelegramClient:
                         retry_result = await retry_resp.json()
                         if retry_resp.status == 200 and retry_result.get("ok"):
                             return {"success": True, "message_id": retry_result.get("result", {}).get("message_id")}
+                _LOGGER.error(
+                    "Telegram sendMessage failed: status=%s code=%s desc=%r",
+                    response.status, result.get("error_code"),
+                    result.get("description", "Unknown"),
+                )
                 return {"success": False, "error": result.get("description", "Unknown Telegram error"), "error_code": result.get("error_code")}
         except aiohttp.ClientError as err:
+            _LOGGER.error("Telegram sendMessage transport error: %s", err, exc_info=True)
             return {"success": False, "error": str(err)}
 
     async def send_chat_action(self, chat_id: str, action: str = "typing") -> bool:
@@ -513,11 +540,14 @@ class TelegramClient:
             # Tuple is (cache_key, media_type, thumbhash, uploaded_size).
             media_cache_info: list[tuple[str, str, str | None, int] | None] = []
 
-            # Resolve cache hits and collect download tasks in parallel
+            # Resolve cache hits and collect download tasks in parallel.
+            # Each drop site logs the reason — otherwise a filtered asset
+            # disappears silently and the media group silently shrinks.
             async def _fetch_asset(idx: int, item: dict) -> tuple[int, dict | None, bytes | None]:
                 """Return (index, cache_entry_or_None, downloaded_bytes_or_None)."""
                 url = item.get("url")
                 if not url:
+                    _LOGGER.warning("Media skipped: missing url (idx=%d type=%s)", idx, item.get("type"))
                     return idx, None, None
                 media_type = item.get("type", "photo")
                 custom_cache_key = item.get("cache_key")
@@ -537,12 +567,24 @@ class TelegramClient:
                 if preloaded is not None:
                     data = preloaded
                     if max_asset_data_size and len(data) > max_asset_data_size:
+                        _LOGGER.warning(
+                            "Media skipped: preloaded size %d exceeds max_asset_data_size %d (idx=%d type=%s url=%s)",
+                            len(data), max_asset_data_size, idx, media_type, url,
+                        )
                         return idx, None, None
                     if media_type == "video" and len(data) > TELEGRAM_MAX_VIDEO_SIZE:
+                        _LOGGER.warning(
+                            "Media skipped: preloaded video %d bytes exceeds Telegram limit %d (idx=%d url=%s)",
+                            len(data), TELEGRAM_MAX_VIDEO_SIZE, idx, url,
+                        )
                         return idx, None, None
                     if media_type == "photo":
-                        exceeds, _, _, _ = check_photo_limits(data)
+                        exceeds, reason, _, _ = check_photo_limits(data)
                         if exceeds:
+                            _LOGGER.warning(
+                                "Media skipped: preloaded photo %s (idx=%d url=%s)",
+                                reason, idx, url,
+                            )
                             return idx, None, None
                     return idx, None, data
 
@@ -551,18 +593,38 @@ class TelegramClient:
                     dl_headers = item.get("headers") or {}
                     async with self._session.get(download_url, headers=dl_headers) as resp:
                         if resp.status != 200:
+                            _LOGGER.warning(
+                                "Media skipped: download HTTP %d (idx=%d type=%s url=%s)",
+                                resp.status, idx, media_type, url,
+                            )
                             return idx, None, None
                         data = await resp.read()
                     if max_asset_data_size and len(data) > max_asset_data_size:
+                        _LOGGER.warning(
+                            "Media skipped: downloaded size %d exceeds max_asset_data_size %d (idx=%d type=%s url=%s)",
+                            len(data), max_asset_data_size, idx, media_type, url,
+                        )
                         return idx, None, None
                     if media_type == "video" and len(data) > TELEGRAM_MAX_VIDEO_SIZE:
+                        _LOGGER.warning(
+                            "Media skipped: video %d bytes exceeds Telegram %d-byte limit (idx=%d url=%s)",
+                            len(data), TELEGRAM_MAX_VIDEO_SIZE, idx, url,
+                        )
                         return idx, None, None
                     if media_type == "photo":
-                        exceeds, _, _, _ = check_photo_limits(data)
+                        exceeds, reason, _, _ = check_photo_limits(data)
                         if exceeds:
+                            _LOGGER.warning(
+                                "Media skipped: photo %s (idx=%d url=%s)",
+                                reason, idx, url,
+                            )
                             return idx, None, None
                     return idx, None, data
-                except aiohttp.ClientError:
+                except aiohttp.ClientError as err:
+                    _LOGGER.warning(
+                        "Media skipped: download failed (idx=%d type=%s url=%s): %s",
+                        idx, media_type, url, err,
+                    )
                     return idx, None, None
 
             results = await asyncio.gather(
@@ -602,6 +664,14 @@ class TelegramClient:
                 media_json.append(mij)
 
             if not media_json:
+                # Every asset in this chunk was filtered out (size, download
+                # failure, etc.). Without this log, sendMediaGroup returns
+                # success=True with zero message_ids and nobody knows why
+                # the user sees only the text reply and no media.
+                _LOGGER.warning(
+                    "sendMediaGroup skipped — chunk %d/%d had %d input items but 0 usable (all filtered/failed)",
+                    chunk_idx + 1, len(chunks), len(chunk),
+                )
                 continue
 
             form.add_field("media", json.dumps(media_json))
@@ -638,10 +708,35 @@ class TelegramClient:
                             if eff_cache:
                                 await eff_cache.async_set_many(cache_entries)
                     else:
-                        return {"success": False, "error": result.get("description", "Unknown"), "failed_at_chunk": chunk_idx + 1}
+                        _LOGGER.error(
+                            "Telegram sendMediaGroup failed: status=%s code=%s desc=%r chunk=%d/%d items=%d",
+                            response.status, result.get("error_code"),
+                            result.get("description", "Unknown"),
+                            chunk_idx + 1, len(chunks), len(media_json),
+                        )
+                        return {
+                            "success": False,
+                            "error": result.get("description", "Unknown"),
+                            "error_code": result.get("error_code"),
+                            "failed_at_chunk": chunk_idx + 1,
+                        }
             except aiohttp.ClientError as err:
+                _LOGGER.error(
+                    "Telegram sendMediaGroup transport error on chunk %d/%d (%d items): %s",
+                    chunk_idx + 1, len(chunks), len(media_json), err,
+                    exc_info=True,
+                )
                 return {"success": False, "error": str(err), "failed_at_chunk": chunk_idx + 1}
 
+        # Distinguish "posted something" from "posted nothing" so the caller
+        # can surface an ERROR when a command produced a caption reply but no
+        # media ever reached Telegram.
+        if not all_message_ids:
+            _LOGGER.warning(
+                "sendMediaGroup completed with 0 message_ids across %d chunk(s) — nothing was delivered",
+                len(chunks),
+            )
+            return {"success": False, "error": "no_items_delivered", "chunks_sent": len(chunks)}
         return {"success": True, "message_ids": all_message_ids, "chunks_sent": len(chunks)}
 
     # ------------------------------------------------------------------

packages/core/src/notify_bridge_core/notifications/webhook/client.py

@@ -7,7 +7,7 @@ from typing import Any
 
 import aiohttp
 
-from ..ssrf import UnsafeURLError, validate_outbound_url
+from ..ssrf import UnsafeURLError, avalidate_outbound_url
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -24,7 +24,7 @@ class WebhookClient:
 
     async def send(self, payload: dict[str, Any]) -> dict[str, Any]:
         try:
-            validate_outbound_url(self._url)
+            await avalidate_outbound_url(self._url)
         except UnsafeURLError as err:
             return {"success": False, "error": f"Unsafe URL: {err}"}
         try:
@@ -33,6 +33,7 @@ class WebhookClient:
                 json=payload,
                 headers={"Content-Type": "application/json", **self._headers},
                 timeout=_DEFAULT_TIMEOUT,
+                allow_redirects=False,
             ) as response:
                 if 200 <= response.status < 300:
                     return {"success": True, "status_code": response.status}

packages/core/src/notify_bridge_core/providers/immich/asset_utils.py

@@ -333,8 +333,11 @@ def collect_scheduled_assets(
     memory_date = now.isoformat() if is_memory else None
 
     all_eligible: list[ImmichAssetInfo] = []
-    # Track which album each asset belongs to for public URL construction
-    asset_album_map: dict[str, tuple[str, str]] = {}  # asset_id → (album_id, public_url)
+    # Track which album each asset belongs to. Public URL is used to construct
+    # a per-asset share link; name/internal-url are surfaced to templates so
+    # combined-mode sends can attribute each row to its source album.
+    asset_album_map: dict[str, tuple[str, str, str, str]] = {}
+    # asset_id → (album_id, album_public_url, album_name, album_internal_url)
     collections_extra: list[dict[str, Any]] = []
 
     # limit=0 is the periodic-summary test path — the caller only needs
@@ -346,10 +349,11 @@ def collect_scheduled_assets(
     for album_id, album in albums.items():
         links = shared_links.get(album_id, [])
         album_public_url = get_public_url(external_url, links) or ""
+        album_internal_url = f"{external_url}/albums/{album_id}"
 
         collections_extra.append({
             "name": album.name,
-            "url": album_public_url or f"{external_url}/albums/{album_id}",
+            "url": album_public_url or album_internal_url,
             "public_url": album_public_url,
             "asset_count": album.asset_count,
             "shared": album.shared,
@@ -370,7 +374,9 @@ def collect_scheduled_assets(
         )
         for asset in filtered:
             if asset.id not in asset_album_map:
-                asset_album_map[asset.id] = (album_id, album_public_url)
+                asset_album_map[asset.id] = (
+                    album_id, album_public_url, album.name, album_internal_url,
+                )
                 all_eligible.append(asset)
 
     if stats_only:
@@ -383,15 +389,25 @@ def collect_scheduled_assets(
         random.shuffle(all_eligible)
         selected = all_eligible
 
-    # Convert to MediaAsset with public URLs
+    # Convert to MediaAsset with public URLs. Per-asset album_name/album_url
+    # let combined-mode templates attribute each row to its source album —
+    # critical when a tracker spans multiple albums, where the event-level
+    # ``album_name`` (first album only) would be misleading.
     result: list[MediaAsset] = []
     for asset in selected:
         media = asset_to_media(asset, external_url)
-        _, album_pub_url = asset_album_map.get(asset.id, ("", ""))
+        mapped = asset_album_map.get(asset.id)
+        if mapped:
+            _, album_pub_url, album_name, album_internal_url = mapped
+        else:
+            album_pub_url = album_name = album_internal_url = ""
         if album_pub_url:
             media.extra["public_url"] = f"{album_pub_url}/photos/{asset.id}"
         else:
             media.extra.setdefault("public_url", "")
+        media.extra["album_name"] = album_name
+        media.extra["album_url"] = album_pub_url or album_internal_url
+        media.extra["album_public_url"] = album_pub_url
         result.append(media)
 
     return result, collections_extra

packages/core/src/notify_bridge_core/providers/nut/client.py

@@ -12,6 +12,7 @@ _LOGGER = logging.getLogger(__name__)
 
 _DEFAULT_PORT = 3493
 _READ_TIMEOUT = 10.0
+_WRITE_TIMEOUT = 10.0
 _CONNECT_TIMEOUT = 5.0
 
 # Allowed characters for NUT protocol identifiers (UPS names, variable names).
@@ -84,14 +85,26 @@ class NutClient:
             await self._command(f"PASSWORD {self._password}")
 
     async def disconnect(self) -> None:
-        """Send LOGOUT and close the TCP connection."""
+        """Send LOGOUT and close the TCP connection.
+
+        ``drain`` is bounded by ``_WRITE_TIMEOUT`` so a half-closed peer
+        cannot hold the disconnect indefinitely — a tracker tick would
+        otherwise be pinned by a stuck NUT server and block the scheduler
+        slot (``max_instances=1``).
+        """
         if self._writer is not None:
             try:
                 self._writer.write(b"LOGOUT\n")
-                await self._writer.drain()
-            except OSError:
+                await asyncio.wait_for(self._writer.drain(), timeout=_WRITE_TIMEOUT)
+            except (OSError, asyncio.TimeoutError):
                 pass
             self._writer.close()
+            try:
+                await asyncio.wait_for(
+                    self._writer.wait_closed(), timeout=_WRITE_TIMEOUT,
+                )
+            except (OSError, asyncio.TimeoutError):
+                pass
             self._reader = None
             self._writer = None
 
@@ -135,7 +148,10 @@ class NutClient:
         if self._writer is None:
             raise NutClientError("Not connected")
         self._writer.write(f"{cmd}\n".encode())
-        await self._writer.drain()
+        try:
+            await asyncio.wait_for(self._writer.drain(), timeout=_WRITE_TIMEOUT)
+        except asyncio.TimeoutError as exc:
+            raise NutClientError("Write timeout") from exc
 
     async def _readline(self) -> str:
         """Read one line from upsd, stripping trailing newline."""

packages/core/src/notify_bridge_core/storage.py

@@ -2,8 +2,10 @@
 
 from __future__ import annotations
 
+import asyncio
 import json
 import logging
+import os
 from pathlib import Path
 from typing import Any, Protocol, runtime_checkable
 
@@ -19,34 +21,58 @@ class StorageBackend(Protocol):
     async def remove(self) -> None: ...
 
 
+def _read_file(path: Path) -> str | None:
+    if not path.exists():
+        return None
+    return path.read_text(encoding="utf-8")
+
+
+def _atomic_write(path: Path, payload: str) -> None:
+    """Write atomically: tmp file + rename. Prevents half-written files on crash."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(path.suffix + ".tmp")
+    tmp.write_text(payload, encoding="utf-8")
+    os.replace(tmp, path)
+
+
+def _remove_file(path: Path) -> None:
+    if path.exists():
+        path.unlink()
+
+
 class JsonFileBackend:
-    """Simple JSON file storage backend."""
+    """Simple JSON file storage backend.
+
+    All blocking I/O is wrapped in ``asyncio.to_thread`` so callers can
+    ``await load() / save() / remove()`` without stalling the event loop.
+    """
 
     def __init__(self, path: Path) -> None:
         self._path = path
 
     async def load(self) -> dict[str, Any] | None:
-        if not self._path.exists():
+        try:
+            text = await asyncio.to_thread(_read_file, self._path)
+        except OSError as err:
+            _LOGGER.warning("Failed to load %s: %s", self._path, err)
+            return None
+        if text is None:
             return None
         try:
-            text = self._path.read_text(encoding="utf-8")
             return json.loads(text)
-        except (json.JSONDecodeError, OSError) as err:
-            _LOGGER.warning("Failed to load %s: %s", self._path, err)
+        except json.JSONDecodeError as err:
+            _LOGGER.warning("Failed to parse %s: %s", self._path, err)
             return None
 
     async def save(self, data: dict[str, Any]) -> None:
+        payload = json.dumps(data, default=str)
         try:
-            self._path.parent.mkdir(parents=True, exist_ok=True)
-            self._path.write_text(
-                json.dumps(data, default=str), encoding="utf-8"
-            )
+            await asyncio.to_thread(_atomic_write, self._path, payload)
         except OSError as err:
             _LOGGER.error("Failed to save %s: %s", self._path, err)
 
     async def remove(self) -> None:
         try:
-            if self._path.exists():
-                self._path.unlink()
+            await asyncio.to_thread(_remove_file, self._path)
         except OSError as err:
             _LOGGER.error("Failed to remove %s: %s", self._path, err)

packages/core/src/notify_bridge_core/templates/command_defaults/en/favorites.jinja2

@@ -1,5 +1,5 @@
 ⭐ Favorites:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %} ❤️
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %} ❤️
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/en/latest.jinja2

@@ -1,6 +1,6 @@
 📸 Latest:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/en/memory.jinja2

@@ -1,5 +1,6 @@
 📅 On this day:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/en/random.jinja2

@@ -1,6 +1,6 @@
 🎲 Random:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/en/search.jinja2

@@ -4,7 +4,7 @@
 {%- else %}🔍 Results for "{{ query }}":
 {%- endif %}
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/en/summary.jinja2

@@ -1,4 +1,6 @@
 📋 Album summary ({{ albums | length }}):
 {%- for album in albums %}
   • {% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}: {{ album.asset_count }} assets
-{%- endfor %}
+    {%- if album.photo_count is defined or album.video_count is defined %} ({% if album.photo_count %}🖼️ {{ album.photo_count }}{% endif %}{% if album.photo_count and album.video_count %} · {% endif %}{% if album.video_count %}🎬 {{ album.video_count }}{% endif %}){% endif %}
+    {%- if album.shared %} 🔗{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/favorites.jinja2

@@ -1,5 +1,5 @@
 ⭐ Избранное:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %} ❤️
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %} ❤️
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/latest.jinja2

@@ -1,6 +1,6 @@
 📸 Последние:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/memory.jinja2

@@ -1,5 +1,6 @@
 📅 В этот день:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/random.jinja2

@@ -1,6 +1,6 @@
 🎲 Случайные:
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/search.jinja2

@@ -4,7 +4,7 @@
 {%- else %}🔍 Результаты по "{{ query }}":
 {%- endif %}
 {%- for asset in assets %}
-  • {%- if asset.type == "VIDEO" or asset.type == "video" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.originalFileName }}</a>{% else %}{{ asset.originalFileName }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
+  • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}{% if asset.year %} ({{ asset.year }}){% endif %}
     {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
     {%- if asset.is_favorite %} ❤️{% endif %}
 {%- endfor %}

packages/core/src/notify_bridge_core/templates/command_defaults/ru/summary.jinja2

@@ -1,4 +1,6 @@
 📋 Сводка альбомов ({{ albums | length }}):
 {%- for album in albums %}
   • {% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}: {{ album.asset_count }} файлов
-{%- endfor %}
+    {%- if album.photo_count is defined or album.video_count is defined %} ({% if album.photo_count %}🖼️ {{ album.photo_count }}{% endif %}{% if album.photo_count and album.video_count %} · {% endif %}{% if album.video_count %}🎬 {{ album.video_count }}{% endif %}){% endif %}
+    {%- if album.shared %} 🔗{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/en/memory_mode.jinja2

@@ -1,4 +1,7 @@
 📅 On this day:
 {%- for asset in assets %}
   • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %} ({{ asset.created_at[:4] }})
-{%- endfor %}
+    {%- if albums and albums|length > 1 and asset.album_name %} — {% if asset.album_url %}<a href="{{ asset.album_url }}">{{ asset.album_name }}</a>{% else %}{{ asset.album_name }}{% endif %}{% endif %}
+    {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/en/periodic_summary.jinja2

@@ -1,4 +1,6 @@
 📋 Tracked Albums Summary ({{ albums | length }} albums):
 {%- for album in albums %}
   • {% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}: {{ album.asset_count }} assets
-{%- endfor %}
+    {%- if album.photo_count is defined or album.video_count is defined %} ({% if album.photo_count %}🖼️ {{ album.photo_count }}{% endif %}{% if album.photo_count and album.video_count %} · {% endif %}{% if album.video_count %}🎬 {{ album.video_count }}{% endif %}){% endif %}
+    {%- if album.shared %} 🔗{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/en/scheduled_assets.jinja2

@@ -1,4 +1,11 @@
-📸 Photos from {% if public_url %}<a href="{{ public_url }}">{{ album_name }}</a>{% else %}"{{ album_name }}"{% endif %}:
+{%- if albums and albums|length > 1 -%}
+🗓️ Scheduled delivery — random photos from {% for album in albums %}{% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}{% if not loop.last %}, {% endif %}{% endfor %}:
+{%- else -%}
+🗓️ Scheduled delivery — random photos from {% if public_url %}<a href="{{ public_url }}">{{ album_name }}</a>{% else %}"{{ album_name }}"{% endif %}:
+{%- endif %}
 {%- for asset in assets %}
   • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}
-{%- endfor %}
+    {%- if albums and albums|length > 1 and asset.album_name %} — {% if asset.album_url %}<a href="{{ asset.album_url }}">{{ asset.album_name }}</a>{% else %}{{ asset.album_name }}{% endif %}{% endif %}
+    {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/ru/memory_mode.jinja2

@@ -1,4 +1,7 @@
 📅 В этот день:
 {%- for asset in assets %}
   • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %} ({{ asset.created_at[:4] }})
-{%- endfor %}
+    {%- if albums and albums|length > 1 and asset.album_name %} — {% if asset.album_url %}<a href="{{ asset.album_url }}">{{ asset.album_name }}</a>{% else %}{{ asset.album_name }}{% endif %}{% endif %}
+    {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/ru/periodic_summary.jinja2

@@ -1,4 +1,6 @@
 📋 Сводка альбомов ({{ albums | length }}):
 {%- for album in albums %}
   • {% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}: {{ album.asset_count }} файлов
-{%- endfor %}
+    {%- if album.photo_count is defined or album.video_count is defined %} ({% if album.photo_count %}🖼️ {{ album.photo_count }}{% endif %}{% if album.photo_count and album.video_count %} · {% endif %}{% if album.video_count %}🎬 {{ album.video_count }}{% endif %}){% endif %}
+    {%- if album.shared %} 🔗{% endif %}
+{%- endfor %}

packages/core/src/notify_bridge_core/templates/defaults/ru/scheduled_assets.jinja2

@@ -1,4 +1,11 @@
-📸 Фото из {% if public_url %}<a href="{{ public_url }}">{{ album_name }}</a>{% else %}"{{ album_name }}"{% endif %}:
+{%- if albums and albums|length > 1 -%}
+🗓️ Доставка по расписанию — случайные фото из {% for album in albums %}{% if album.public_url %}<a href="{{ album.public_url }}">{{ album.name }}</a>{% else %}{{ album.name }}{% endif %}{% if not loop.last %}, {% endif %}{% endfor %}:
+{%- else -%}
+🗓️ Доставка по расписанию — случайные фото из {% if public_url %}<a href="{{ public_url }}">{{ album_name }}</a>{% else %}"{{ album_name }}"{% endif %}:
+{%- endif %}
 {%- for asset in assets %}
   • {%- if asset.type == "VIDEO" %} 🎬{% else %} 🖼️{% endif %} {% if asset.public_url %}<a href="{{ asset.public_url }}">{{ asset.filename }}</a>{% else %}{{ asset.filename }}{% endif %}
-{%- endfor %}
+    {%- if albums and albums|length > 1 and asset.album_name %} — {% if asset.album_url %}<a href="{{ asset.album_url }}">{{ asset.album_name }}</a>{% else %}{{ asset.album_name }}{% endif %}{% endif %}
+    {%- if asset.city %} 📍 {{ asset.city }}{% if asset.country %}, {{ asset.country }}{% endif %}{% endif %}
+    {%- if asset.is_favorite %} ❤️{% endif %}
+{%- endfor %}

packages/server/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "notify-bridge-server"
-version = "0.3.2"
+version = "0.5.1"
 description = "Standalone Notify Bridge server — FastAPI REST API with SQLite database"
 requires-python = ">=3.12"
 dependencies = [
@@ -28,6 +28,7 @@ dev = [
     "pytest>=8.0",
     "pytest-asyncio>=0.23",
     "httpx>=0.27",
+    "aioresponses>=0.7",
 ]
 
 [project.scripts]
@@ -35,3 +36,14 @@ notify-bridge = "notify_bridge_server.main:run"
 
 [tool.hatch.build.targets.wheel]
 packages = ["src/notify_bridge_server"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]
+# The default filter doesn't let SQLAlchemy warnings fail the suite, which
+# matters because our migrations emit a handful of deprecation warnings we
+# don't want to suppress at source.
+filterwarnings = [
+    "ignore::DeprecationWarning:passlib",
+    "ignore::DeprecationWarning:bcrypt",
+]

packages/server/src/notify_bridge_server/api/app_settings.py

@@ -24,6 +24,10 @@ _SETTING_KEYS = {
     "telegram_asset_cache_max_entries": None,  # LRU cap for both caches
     "supported_locales": None,  # comma-separated locale codes
     "timezone": "NOTIFY_BRIDGE_TIMEZONE",  # IANA tz (e.g. "Europe/Warsaw"); empty = UTC
+    # Logging — applied live via apply_log_levels() when changed.
+    "log_level": "NOTIFY_BRIDGE_LOG_LEVEL",  # DEBUG/INFO/WARNING/ERROR
+    "log_format": "NOTIFY_BRIDGE_LOG_FORMAT",  # text|json (requires restart to switch)
+    "log_levels": "NOTIFY_BRIDGE_LOG_LEVELS",  # module=LEVEL,module2=LEVEL
 }
 
 _DEFAULTS = {
@@ -35,12 +39,20 @@ _DEFAULTS = {
     "telegram_asset_cache_max_entries": "5000",
     "supported_locales": "en,ru",
     "timezone": "UTC",
+    "log_level": "INFO",
+    "log_format": "text",
+    "log_levels": "",
 }
 
 # Settings whose changes require dropping in-memory Telegram caches so the
 # next dispatch rebuilds them with the new parameters. Files are preserved.
 _CACHE_SETTING_KEYS = {"telegram_cache_ttl_hours", "telegram_asset_cache_max_entries"}
 
+# Settings that change logging behaviour. ``log_level`` + ``log_levels`` apply
+# live via apply_log_levels(); ``log_format`` requires a restart because
+# changing it means swapping the handler formatter entirely.
+_LOG_SETTING_KEYS = {"log_level", "log_levels", "log_format"}
+
 
 async def get_setting(session: AsyncSession, key: str) -> str:
     """Read a setting from DB, falling back to env var then default."""
@@ -66,6 +78,9 @@ class SettingsUpdate(BaseModel):
     telegram_asset_cache_max_entries: int | str | None = None
     supported_locales: str | None = None
     timezone: str | None = None
+    log_level: str | None = None
+    log_format: str | None = None
+    log_levels: str | None = None
 
 
 @router.get("")
@@ -95,6 +110,7 @@ async def update_settings(
     old_secret = await get_setting(session, "telegram_webhook_secret")
     old_cache_values = {k: await get_setting(session, k) for k in _CACHE_SETTING_KEYS}
     old_timezone = await get_setting(session, "timezone")
+    old_log_values = {k: await get_setting(session, k) for k in _LOG_SETTING_KEYS}
 
     for key in _SETTING_KEYS:
         value = getattr(body, key, None)
@@ -130,6 +146,25 @@ async def update_settings(
     new_base_url = await get_setting(session, "external_url")
     new_secret = await get_setting(session, "telegram_webhook_secret")
     new_timezone = await get_setting(session, "timezone")
+    new_log_values = {k: await get_setting(session, k) for k in _LOG_SETTING_KEYS}
+
+    # Apply live log-level changes (log_format still needs a restart).
+    if (new_log_values["log_level"] != old_log_values["log_level"]
+            or new_log_values["log_levels"] != old_log_values["log_levels"]):
+        from ..logging_setup import apply_log_levels
+        apply_log_levels(
+            level=new_log_values["log_level"] or None,
+            per_module_levels=new_log_values["log_levels"],
+        )
+        _LOGGER.info(
+            "Log levels updated: root=%s overrides=%r",
+            new_log_values["log_level"], new_log_values["log_levels"],
+        )
+    if new_log_values["log_format"] != old_log_values["log_format"]:
+        _LOGGER.warning(
+            "log_format changed from %r to %r — restart the server for it to take effect",
+            old_log_values["log_format"], new_log_values["log_format"],
+        )
 
     # Cron triggers freeze their timezone at construction time, so a tz change
     # has no effect until the jobs are rebuilt — do that here, before we
@@ -199,7 +234,10 @@ async def _reregister_webhooks(
         if res.get("success"):
             _LOGGER.info("Re-registered webhook for bot %d (%s)", bot.id, bot.name)
         else:
-            _LOGGER.warning(
-                "Failed to re-register webhook for bot %d: %s",
-                bot.id, res.get("error"),
+            # Webhook re-register failure means the bot silently stops
+            # delivering updates — this is operational visibility for an
+            # admin, ERROR is appropriate.
+            _LOGGER.error(
+                "Failed to re-register webhook for bot %d (%s): %s",
+                bot.id, bot.name, res.get("error"),
             )

packages/server/src/notify_bridge_server/api/command_template_configs.py

@@ -74,6 +74,36 @@ async def _get(session: AsyncSession, config_id: int, user_id: int) -> CommandTe
 # Routes
 # ---------------------------------------------------------------------------
 
+@router.get("/defaults")
+async def get_default_command_templates(
+    provider_type: str,
+    slot_name: str | None = None,
+    locale: str | None = None,
+    user: User = Depends(get_current_user),
+):
+    """Return the shipped Jinja2 default command templates for a provider type.
+
+    Used by the UI's "Reset to default" actions. Filtering works the same way
+    as the notification-template equivalent: omit ``slot_name`` for the whole
+    set, omit ``locale`` for every locale.
+
+    Response shape: ``{slot_name: {locale: template_text}}``
+    """
+    from notify_bridge_core.templates.command_defaults.loader import (
+        load_default_command_templates,
+    )
+    from notify_bridge_core.templates.defaults.loader import get_available_locales
+    locales = [locale] if locale else get_available_locales()
+    result: dict[str, dict[str, str]] = {}
+    for loc in locales:
+        defaults = load_default_command_templates(loc, provider_type)
+        for name, text in defaults.items():
+            if slot_name and name != slot_name:
+                continue
+            result.setdefault(name, {})[loc] = text
+    return result
+
+
 @router.get("/variables")
 async def get_command_variables(
     user: User = Depends(get_current_user),
@@ -84,15 +114,26 @@ async def get_command_variables(
     }
     asset_fields = {
         "id": "Asset ID (UUID)",
-        "originalFileName": "Original filename",
+        "filename": "Original filename (preferred; same as originalFileName)",
+        "originalFileName": "Original filename (alias of filename, kept for backward-compat with older templates)",
         "type": "IMAGE or VIDEO",
-        "createdAt": "Creation date/time (ISO 8601)",
+        "created_at": "Creation date/time (ISO 8601)",
+        "createdAt": "Creation date/time (alias of created_at)",
         "year": "Year of the memory (memory command only)",
+        "public_url": "Per-asset public share URL (empty if no album link)",
+        "city": "City name (empty if unknown)",
+        "country": "Country name (empty if unknown)",
+        "is_favorite": "Whether asset is favorited (boolean)",
     }
     album_fields = {
         "name": "Album name",
-        "asset_count": "Number of assets in the album",
         "id": "Album ID (UUID)",
+        "public_url": "Public share link URL (empty if none)",
+        "asset_count": "Number of assets in the album",
+        "photo_count": "Number of photos in the album",
+        "video_count": "Number of videos in the album",
+        "shared": "Whether the album is shared (boolean)",
+        "owner": "Album owner display name",
     }
     command_fields = {
         "name": "Command name (e.g. status, albums)",
@@ -492,10 +533,11 @@ async def preview_raw(
             {"name": "latest", "description": "Show latest photos", "usage": "/latest 10"},
             {"name": "search", "description": "Smart search (AI)", "usage": "/search sunset at the beach"},
         ],
-        # /albums, /summary
+        # /albums, /summary — provide photo/video split, sharing, owner so the
+        # enriched summary template previews fully.
         "albums": [
-            {"name": "Family Photos", "asset_count": 142, "id": "abc-123", "public_url": "https://immich.example.com/share/abc123"},
-            {"name": "Vacation 2025", "asset_count": 87, "id": "def-456", "public_url": ""},
+            {"name": "Family Photos", "asset_count": 142, "photo_count": 120, "video_count": 22, "shared": True, "owner": "Alice", "id": "abc-123", "public_url": "https://immich.example.com/share/abc123"},
+            {"name": "Vacation 2025", "asset_count": 87, "photo_count": 80, "video_count": 7, "shared": False, "owner": "Bob", "id": "def-456", "public_url": ""},
         ],
         # /events
         "events": [
@@ -505,9 +547,12 @@ async def preview_raw(
         # /people
         "people": ["Alice", "Bob", "Charlie"],
         # /search, /find, /person, /place, /latest, /favorites, /random, /memory
+        # ``filename`` is the canonical key (matches notification context and
+        # build_asset_dict output); ``originalFileName`` is kept as an alias
+        # so templates still using the old key render in preview.
         "assets": [
-            {"id": "a1", "originalFileName": "IMG_001.jpg", "type": "IMAGE", "createdAt": "2026-03-19T14:30:00", "year": 2024, "public_url": "https://immich.example.com/share/abc123/photos/a1", "city": "Paris", "country": "France", "is_favorite": True},
-            {"id": "a2", "originalFileName": "VID_002.mp4", "type": "VIDEO", "createdAt": "2026-03-19T15:00:00", "year": 2023, "public_url": "", "city": "", "country": "", "is_favorite": False},
+            {"id": "a1", "filename": "IMG_001.jpg", "originalFileName": "IMG_001.jpg", "type": "IMAGE", "created_at": "2026-03-19T14:30:00", "createdAt": "2026-03-19T14:30:00", "year": 2024, "public_url": "https://immich.example.com/share/abc123/photos/a1", "city": "Paris", "country": "France", "is_favorite": True},
+            {"id": "a2", "filename": "VID_002.mp4", "originalFileName": "VID_002.mp4", "type": "VIDEO", "created_at": "2026-03-19T15:00:00", "createdAt": "2026-03-19T15:00:00", "year": 2023, "public_url": "", "city": "", "country": "", "is_favorite": False},
         ],
         "query": "sunset",
         "command": "search",

packages/server/src/notify_bridge_server/api/email_bots.py

@@ -93,7 +93,14 @@ async def update_email_bot(
     session: AsyncSession = Depends(get_session),
 ):
     bot = await _get_user_bot(session, bot_id, user.id)
-    for field, value in body.model_dump(exclude_unset=True).items():
+    updates = body.model_dump(exclude_unset=True)
+    # Reject the masked value the GET response returns so the stored password
+    # is preserved if the user saves without retyping it.
+    if "smtp_password" in updates:
+        pw = updates["smtp_password"]
+        if isinstance(pw, str) and pw.startswith("***"):
+            updates.pop("smtp_password")
+    for field, value in updates.items():
         setattr(bot, field, value)
     session.add(bot)
     await session.commit()

packages/server/src/notify_bridge_server/api/matrix_bots.py

@@ -7,6 +7,11 @@ from pydantic import BaseModel
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession
 
+from notify_bridge_core.notifications.ssrf import (
+    UnsafeURLError,
+    avalidate_outbound_url,
+)
+
 from ..auth.dependencies import get_current_user
 from ..database.engine import get_session
 from ..database.models import MatrixBot, User
@@ -33,6 +38,21 @@ class MatrixBotUpdate(BaseModel):
     display_name: str | None = None
 
 
+def _is_masked_secret(value: str | None) -> bool:
+    """True when a field still carries our masked placeholder."""
+    return bool(value) and (value.startswith("***") or "..." in value)
+
+
+async def _validate_homeserver_url(url: str) -> None:
+    """Reject homeserver URLs that point to blocked networks."""
+    try:
+        await avalidate_outbound_url(url)
+    except UnsafeURLError as err:
+        raise HTTPException(
+            status_code=400, detail=f"Invalid homeserver_url: {err}"
+        ) from err
+
+
 @router.get("")
 async def list_matrix_bots(
     user: User = Depends(get_current_user),
@@ -50,6 +70,7 @@ async def create_matrix_bot(
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
+    await _validate_homeserver_url(body.homeserver_url)
     bot = MatrixBot(user_id=user.id, **body.model_dump())
     session.add(bot)
     await session.commit()
@@ -74,7 +95,19 @@ async def update_matrix_bot(
     session: AsyncSession = Depends(get_session),
 ):
     bot = await _get_user_bot(session, bot_id, user.id)
-    for field, value in body.model_dump(exclude_unset=True).items():
+    updates = body.model_dump(exclude_unset=True)
+
+    # Re-validate homeserver_url whenever the client supplies a new one so
+    # no private/loopback target can ever be saved, even via update.
+    if "homeserver_url" in updates and updates["homeserver_url"]:
+        await _validate_homeserver_url(updates["homeserver_url"])
+
+    # Never accept the masked placeholder the GET response returns. If the
+    # client echoes it back, keep the stored secret.
+    if "access_token" in updates and _is_masked_secret(updates["access_token"]):
+        updates.pop("access_token")
+
+    for field, value in updates.items():
         setattr(bot, field, value)
     session.add(bot)
     await session.commit()
@@ -108,15 +141,17 @@ async def test_matrix_bot(
     If room_id is not provided, just verifies the access token by calling /whoami.
     """
     bot = await _get_user_bot(session, bot_id, user.id)
+    # Defense-in-depth: even though create/update validate the URL, a bot row
+    # written before this guard was added could still point at a blocked host.
+    await _validate_homeserver_url(bot.homeserver_url)
 
     import aiohttp
     from ..services.http_session import get_http_session
     http = await get_http_session()
-    # Verify token with /whoami
     whoami_url = f"{bot.homeserver_url.rstrip('/')}/_matrix/client/v3/account/whoami"
     headers = {"Authorization": f"Bearer {bot.access_token}"}
     try:
-        async with http.get(whoami_url, headers=headers) as resp:
+        async with http.get(whoami_url, headers=headers, allow_redirects=False) as resp:
             if resp.status != 200:
                 body = await resp.text()
                 return {"success": False, "error": f"Auth failed: HTTP {resp.status} — {body[:200]}"}
@@ -126,7 +161,6 @@ async def test_matrix_bot(
 
     result = {"success": True, "user_id": whoami.get("user_id", "")}
 
-    # Optionally send a test message
     if room_id:
         from ..services.notifier import _get_test_message
         from notify_bridge_core.notifications.matrix.client import MatrixClient
@@ -148,7 +182,7 @@ def _response(bot: MatrixBot) -> dict:
         "name": bot.name,
         "icon": bot.icon,
         "homeserver_url": bot.homeserver_url,
-        "access_token": f"{bot.access_token[:8]}...{bot.access_token[-4:]}" if len(bot.access_token) > 12 else "***",
+        "access_token": f"***{bot.access_token[-4:]}" if len(bot.access_token) > 4 else "***",
         "display_name": bot.display_name,
         "created_at": bot.created_at.isoformat(),
     }

packages/server/src/notify_bridge_server/api/notification_tracker_targets.py

@@ -22,7 +22,8 @@ from ..database.models import (
     User,
 )
 from ..services.notifier import send_test_notification
-from ..services.test_dispatch import dispatch_test_notification
+from ..services.manual_dispatch import dispatch_test_notification
+from ..services.scheduler import reschedule_immich_dispatch_jobs
 from .helpers import get_owned_entity
 
 _LOGGER = logging.getLogger(__name__)
@@ -118,6 +119,7 @@ async def create_notification_tracker_target(
     session.add(tt)
     await session.commit()
     await session.refresh(tt)
+    await reschedule_immich_dispatch_jobs()
     return await _tt_response(session, tt)
 
 
@@ -164,6 +166,7 @@ async def update_notification_tracker_target(
     session.add(tt)
     await session.commit()
     await session.refresh(tt)
+    await reschedule_immich_dispatch_jobs()
     return await _tt_response(session, tt)
 
 
@@ -181,6 +184,7 @@ async def delete_notification_tracker_target(
         raise HTTPException(status_code=404, detail="Tracker-target link not found")
     await session.delete(tt)
     await session.commit()
+    await reschedule_immich_dispatch_jobs()
 
 
 @router.post("/{tracker_target_id}/test/{test_type}")

packages/server/src/notify_bridge_server/api/notification_trackers.py

@@ -11,13 +11,18 @@ from ..auth.dependencies import get_current_user
 from ..database.engine import get_session
 from ..database.models import (
     EventLog,
+    NotificationTarget,
     NotificationTracker,
     NotificationTrackerState,
     NotificationTrackerTarget,
     ServiceProvider,
     User,
 )
-from ..services.scheduler import schedule_tracker, unschedule_tracker
+from ..services.scheduler import (
+    reschedule_immich_dispatch_jobs,
+    schedule_tracker,
+    unschedule_tracker,
+)
 from .helpers import get_owned_entity
 from .notification_tracker_targets import _tt_response
 
@@ -54,11 +59,79 @@ async def list_notification_trackers(
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
+    # Batched loader: pull trackers, then all their tracker-target links in
+    # a single query, then the referenced targets in a single query. Avoids
+    # the old 1 + N + N*M pattern that ran ~60 round-trips for 10 trackers.
     result = await session.exec(
         select(NotificationTracker).where(NotificationTracker.user_id == user.id)
     )
-    trackers = result.all()
-    return [await _tracker_response(session, t) for t in trackers]
+    trackers = list(result.all())
+    if not trackers:
+        return []
+
+    tracker_ids = [t.id for t in trackers]
+    tt_result = await session.exec(
+        select(NotificationTrackerTarget).where(
+            NotificationTrackerTarget.tracker_id.in_(tracker_ids)
+        )
+    )
+    tt_rows = list(tt_result.all())
+
+    target_ids = {tt.target_id for tt in tt_rows}
+    targets_by_id: dict[int, NotificationTarget] = {}
+    if target_ids:
+        tgt_result = await session.exec(
+            select(NotificationTarget).where(NotificationTarget.id.in_(target_ids))
+        )
+        targets_by_id = {t.id: t for t in tgt_result.all()}
+
+    tts_by_tracker: dict[int, list[NotificationTrackerTarget]] = {}
+    for tt in tt_rows:
+        tts_by_tracker.setdefault(tt.tracker_id, []).append(tt)
+
+    return [
+        _build_tracker_response(t, tts_by_tracker.get(t.id, []), targets_by_id)
+        for t in trackers
+    ]
+
+
+def _build_tracker_response(
+    t: NotificationTracker,
+    tts: list[NotificationTrackerTarget],
+    targets_by_id: dict[int, NotificationTarget],
+) -> dict:
+    """In-memory assembler for a tracker + its pre-loaded links/targets."""
+    tracker_targets = []
+    for tt in tts:
+        target = targets_by_id.get(tt.target_id)
+        tracker_targets.append({
+            "id": tt.id,
+            "tracker_id": tt.tracker_id,
+            "target_id": tt.target_id,
+            "target_name": target.name if target else None,
+            "target_type": target.type if target else None,
+            "target_icon": target.icon if target else None,
+            "tracking_config_id": tt.tracking_config_id,
+            "template_config_id": tt.template_config_id,
+            "enabled": tt.enabled,
+            "quiet_hours_start": tt.quiet_hours_start,
+            "quiet_hours_end": tt.quiet_hours_end,
+            "created_at": tt.created_at.isoformat(),
+        })
+    return {
+        "id": t.id,
+        "name": t.name,
+        "icon": t.icon,
+        "provider_id": t.provider_id,
+        "collection_ids": t.collection_ids,
+        "scan_interval": t.scan_interval,
+        "batch_duration": t.batch_duration,
+        "default_tracking_config_id": t.default_tracking_config_id,
+        "default_template_config_id": t.default_template_config_id,
+        "enabled": t.enabled,
+        "tracker_targets": tracker_targets,
+        "created_at": t.created_at.isoformat(),
+    }
 
 
 @router.post("", status_code=status.HTTP_201_CREATED)
@@ -77,6 +150,7 @@ async def create_notification_tracker(
     await session.refresh(tracker)
     if tracker.enabled:
         await schedule_tracker(tracker.id, tracker.scan_interval)
+    await reschedule_immich_dispatch_jobs()
     return await _tracker_response(session, tracker)
 
 
@@ -107,6 +181,7 @@ async def update_notification_tracker(
         await schedule_tracker(tracker.id, tracker.scan_interval)
     else:
         await unschedule_tracker(tracker.id)
+    await reschedule_immich_dispatch_jobs()
     return await _tracker_response(session, tracker)
 
 
@@ -139,6 +214,7 @@ async def delete_notification_tracker(
     await session.delete(tracker)
     await session.commit()
     await unschedule_tracker(tracker_id)
+    await reschedule_immich_dispatch_jobs()
 
 
 @router.post("/{tracker_id}/trigger")

packages/server/src/notify_bridge_server/api/providers.py

@@ -306,16 +306,31 @@ async def update_provider(
     if body.icon is not None:
         provider.icon = body.icon
 
-    config_changed = body.config is not None and body.config != provider.config
     if body.config is not None:
-        _validate_provider_config(provider.type, body.config)
-        provider.config = body.config
+        # Merge rather than replace so the masked secrets the frontend
+        # receives on GET cannot silently nuke the stored values when the
+        # user saves without re-entering them. Any field that still carries
+        # our mask placeholder ("***…") is dropped from the incoming body.
+        incoming = dict(body.config)
+        for secret_field in (
+            "api_key", "api_token", "webhook_secret", "password",
+            "client_secret", "refresh_token",
+        ):
+            value = incoming.get(secret_field)
+            if isinstance(value, str) and value.startswith("***"):
+                incoming.pop(secret_field, None)
+        new_config = {**provider.config, **incoming}
+        _validate_provider_config(provider.type, new_config)
+        config_changed = new_config != provider.config
+        provider.config = new_config
 
-    # Re-validate connection when config changes for known provider types
-    if config_changed:
-        test_result = await _validate_provider_connection(provider)
-        if test_result.get("external_domain"):
-            provider.config = {**provider.config, "external_domain": test_result["external_domain"]}
+        if config_changed:
+            test_result = await _validate_provider_connection(provider)
+            if test_result.get("external_domain"):
+                provider.config = {
+                    **provider.config,
+                    "external_domain": test_result["external_domain"],
+                }
 
     session.add(provider)
     await session.commit()
@@ -411,19 +426,45 @@ async def get_album_shared_links(
     return []
 
 
+class CreateSharedLinkRequest(BaseModel):
+    """Options for POST /shared-links.
+
+    ``replace=True`` deletes every existing link for the album before creating
+    the new one, which is the only way to repair an expired or password-
+    protected link in the Immich API (there is no in-place "reset" endpoint).
+    Default ``False`` preserves the original additive behaviour used by the
+    "auto-create missing links" flow.
+    """
+
+    replace: bool = False
+
+
 @router.post("/{provider_id}/albums/{album_id}/shared-links")
 async def create_album_shared_link(
     provider_id: int,
     album_id: str,
+    body: CreateSharedLinkRequest | None = None,
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
-    """Auto-create a public shared link for an album."""
+    """Auto-create a public shared link for an album.
+
+    With ``replace=True`` existing links for the album are deleted first, so
+    expired/password-protected links are effectively recycled into a fresh
+    public one.
+    """
     provider = await _get_user_provider(session, provider_id, user.id)
 
     if provider.type == "immich":
         http_session = await get_http_session()
         immich = make_immich_provider(http_session, provider)
+        if body and body.replace:
+            # Best-effort delete; if any delete fails we still try to create —
+            # the user will see the new link co-exist alongside the old one,
+            # which is better than a hard failure that leaves them stuck.
+            existing = await immich.client.get_shared_links(album_id)
+            for link in existing:
+                await immich.client.delete_shared_link(link.id)
         success = await immich.client.create_shared_link(album_id)
         if success:
             return {"success": True}

packages/server/src/notify_bridge_server/api/telegram_bots.py

@@ -86,6 +86,11 @@ async def update_bot(
         bot.icon = body.icon
     # Handle mode switching
     if body.update_mode is not None and body.update_mode != bot.update_mode:
+        if body.update_mode not in ("none", "polling", "webhook"):
+            raise HTTPException(
+                status_code=400,
+                detail=f"Invalid update_mode: {body.update_mode!r}. Must be 'none', 'polling', or 'webhook'.",
+            )
         if body.update_mode == "webhook":
             # Validate and register webhook BEFORE stopping polling
             base_url = await get_setting(session, "external_url")
@@ -108,6 +113,12 @@ async def update_bot(
             # Switching to polling: unregister webhook, start polling
             await unregister_webhook(bot.token)
             schedule_bot_polling(bot.id)
+        elif body.update_mode == "none":
+            # Disable listener: stop polling and clear any webhook so Telegram
+            # stops delivering updates. This makes the bot send-only, which is
+            # safe when another instance owns the listener.
+            unschedule_bot_polling(bot.id)
+            await unregister_webhook(bot.token)
         bot.update_mode = body.update_mode
 
     session.add(bot)
@@ -287,10 +298,30 @@ async def test_chat(
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
-    """Send a test message to a chat via the bot."""
+    """Send a test message to a chat via the bot.
+
+    Locale resolution: prefer the chat row's ``language_override`` (explicit
+    user choice in the UI), fall back to Telegram's ``language_code`` sent
+    with the chat, and only use the ``?locale=`` query param if neither is
+    set. Otherwise users who set RU on a chat would still see an EN test.
+    """
     bot = await _get_user_bot(session, bot_id, user.id)
+    chat_row = (await session.exec(
+        select(TelegramChat).where(
+            TelegramChat.bot_id == bot_id,
+            TelegramChat.chat_id == chat_id,
+        )
+    )).first()
+    effective_locale = locale
+    if chat_row:
+        chat_locale = (
+            getattr(chat_row, 'language_override', '') or
+            getattr(chat_row, 'language_code', '') or ''
+        )
+        if chat_locale:
+            effective_locale = chat_locale[:2].lower()
     from ..services.http_session import get_http_session
-    message = _get_test_message(locale, "telegram")
+    message = _get_test_message(effective_locale, "telegram")
     http = await get_http_session()
     client = TelegramClient(http, bot.token)
     return await client.send_message(chat_id, message)
@@ -406,7 +437,7 @@ def _bot_response(b: TelegramBot) -> dict:
         "bot_username": b.bot_username,
         "bot_id": b.bot_id,
         "webhook_path_id": b.webhook_path_id,
-        "update_mode": b.update_mode or "polling",
+        "update_mode": b.update_mode or "none",
         "token_preview": f"{b.token[:8]}...{b.token[-4:]}" if len(b.token) > 12 else "***",
         "created_at": b.created_at.isoformat(),
     }

packages/server/src/notify_bridge_server/api/template_configs.py

@@ -102,6 +102,37 @@ async def list_configs(
     return [await _response(session, c) for c in result.all()]
 
 
+@router.get("/defaults")
+async def get_default_slot_templates(
+    provider_type: str,
+    slot_name: str | None = None,
+    locale: str | None = None,
+    user: User = Depends(get_current_user),
+):
+    """Return the shipped Jinja2 default templates for a provider type.
+
+    Used by the UI's "Reset to default" actions. Filtering is optional —
+    omit ``slot_name`` to get every slot, omit ``locale`` to get every locale.
+    Registered before ``/{config_id}`` so the literal path wins over the
+    path-parameter route in FastAPI's matcher.
+
+    Response shape: ``{slot_name: {locale: template_text}}``
+    """
+    from notify_bridge_core.templates.defaults.loader import (
+        get_available_locales,
+        load_default_templates,
+    )
+    locales = [locale] if locale else get_available_locales()
+    result: dict[str, dict[str, str]] = {}
+    for loc in locales:
+        defaults = load_default_templates(loc, provider_type)
+        for name, text in defaults.items():
+            if slot_name and name != slot_name:
+                continue
+            result.setdefault(name, {})[loc] = text
+    return result
+
+
 @router.get("/variables")
 async def get_template_variables(
     user: User = Depends(get_current_user),
@@ -170,13 +201,20 @@ async def get_template_variables(
         "download_url": "Direct download URL (if shared)",
         "photo_url": "Preview image URL (images only, if shared)",
         "playback_url": "Video playback URL (videos only, if shared)",
+        # Per-asset album attribution (scheduled/memory templates in combined mode).
+        "album_name": "Source album name (combined-mode scheduled/memory only)",
+        "album_url": "Source album URL — public share link if available, else internal album URL",
+        "album_public_url": "Source album public share URL (empty if no public link)",
     }
     album_fields = {
         "name": "Collection/album name",
         "url": "Share URL",
         "public_url": "Public share link URL",
         "asset_count": "Total assets in collection",
-        "shared": "Whether collection is shared",
+        "photo_count": "Number of photos in the album",
+        "video_count": "Number of videos in the album",
+        "shared": "Whether collection is shared (boolean)",
+        "owner": "Album owner display name",
     }
     scheduled_vars = {
         "date": "Current date string",
@@ -217,12 +255,26 @@ async def get_template_variables(
         },
         "scheduled_assets_message": {
             "description": "Scheduled asset delivery (daily photo picks)",
-            "variables": {**scheduled_vars, "assets": "List of asset dicts (use {% for asset in assets %})"},
+            "variables": {
+                **scheduled_vars,
+                "assets": "List of asset dicts (use {% for asset in assets %})",
+                "album_name": "Source album name",
+                "public_url": "Public share link URL for the source album (empty if none)",
+                "asset_count": "Total assets in the source album",
+                "photo_count": "Photos in the source album",
+                "video_count": "Videos in the source album",
+                "owner": "Source album owner",
+            },
             "asset_fields": asset_fields,
         },
         "memory_mode_message": {
             "description": "\"On This Day\" memories from previous years",
-            "variables": {**scheduled_vars, "assets": "List of asset dicts (use {% for asset in assets %})"},
+            "variables": {
+                **scheduled_vars,
+                "assets": "List of asset dicts (use {% for asset in assets %})",
+                "album_name": "Source album name (when rendered per-album)",
+                "public_url": "Public share link URL for the source album (empty if none)",
+            },
             "asset_fields": asset_fields,
         },
         # --- Generic Webhook slots ---

packages/server/src/notify_bridge_server/api/tracking_configs.py

@@ -10,6 +10,7 @@ from sqlmodel.ext.asyncio.session import AsyncSession
 from ..auth.dependencies import get_current_user
 from ..database.engine import get_session
 from ..database.models import TrackingConfig, User
+from ..services.scheduler import reschedule_immich_dispatch_jobs
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -127,6 +128,8 @@ async def create_config(
     session.add(config)
     await session.commit()
     await session.refresh(config)
+    if config.provider_type == "immich":
+        await reschedule_immich_dispatch_jobs()
     return _response(config)
 
 
@@ -152,6 +155,8 @@ async def update_config(
     session.add(config)
     await session.commit()
     await session.refresh(config)
+    if config.provider_type == "immich":
+        await reschedule_immich_dispatch_jobs()
     return _response(config)
 
 
@@ -164,8 +169,11 @@ async def delete_config(
     from .delete_protection import check_tracking_config, raise_if_used
     config = await _get(session, config_id, user.id)
     raise_if_used(await check_tracking_config(session, config.id), config.name)
+    provider_type = config.provider_type
     await session.delete(config)
     await session.commit()
+    if provider_type == "immich":
+        await reschedule_immich_dispatch_jobs()
 
 
 def _response(c: TrackingConfig) -> dict:

packages/server/src/notify_bridge_server/api/users.py

@@ -1,5 +1,6 @@
 """User management API routes (admin only)."""
 
+import asyncio
 import logging
 
 from fastapi import APIRouter, Depends, HTTPException, status
@@ -14,6 +15,15 @@ from ..auth.dependencies import require_admin
 from ..database.engine import get_session
 from ..database.models import User
 
+
+async def _hash_password(password: str) -> str:
+    """Run bcrypt off the event loop. Matches the helper in auth/routes.py."""
+
+    def _work() -> str:
+        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+
+    return await asyncio.to_thread(_work)
+
 _LOGGER = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/api/users", tags=["users"])
@@ -36,8 +46,12 @@ async def list_users(
     admin: User = Depends(require_admin),
     session: AsyncSession = Depends(get_session),
 ):
-    """List all users (admin only)."""
-    result = await session.exec(select(User))
+    """List all users (admin only).
+
+    Excludes the internal ``__system__`` placeholder (id=0) used as the
+    owner of default templates/configs — it is never a real account.
+    """
+    result = await session.exec(select(User).where(User.id != 0))
     return [
         {"id": u.id, "username": u.username, "role": u.role, "created_at": u.created_at.isoformat()}
         for u in result.all()
@@ -61,7 +75,7 @@ async def create_user(
 
     user = User(
         username=body.username,
-        hashed_password=bcrypt.hashpw(body.password.encode(), bcrypt.gensalt()).decode(),
+        hashed_password=await _hash_password(body.password),
         role=body.role if body.role in ("admin", "user") else "user",
     )
     session.add(user)
@@ -162,7 +176,7 @@ async def reset_user_password(
         raise HTTPException(status_code=404, detail="User not found")
     if len(body.new_password) < 8:
         raise HTTPException(status_code=400, detail="Password must be at least 8 characters")
-    user.hashed_password = bcrypt.hashpw(body.new_password.encode(), bcrypt.gensalt()).decode()
+    user.hashed_password = await _hash_password(body.new_password)
     # Invalidate all prior JWTs issued for this user — matches the self-serve
     # password-change path in auth/routes.py.
     user.token_version = (user.token_version or 1) + 1

packages/server/src/notify_bridge_server/api/webhooks.py

@@ -37,6 +37,42 @@ _LOGGER = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/api/webhooks", tags=["webhooks"])
 
+# Hard cap on inbound webhook body size (1 MiB is far larger than anything
+# legitimate providers send and keeps the worst-case memory footprint bounded
+# when a malicious peer lies about Content-Length or streams slowly).
+_MAX_WEBHOOK_BODY_BYTES = 1_000_000
+
+
+async def _read_bounded_body(request: Request, limit: int = _MAX_WEBHOOK_BODY_BYTES) -> bytes:
+    """Reject oversized inbound bodies before they exhaust memory.
+
+    First checks ``Content-Length`` (fast-path for honest peers), then
+    streams the body in chunks enforcing the same cap on actual bytes
+    received so a peer that lies about Content-Length cannot slip through.
+    """
+    declared = request.headers.get("content-length")
+    if declared:
+        try:
+            if int(declared) > limit:
+                raise HTTPException(
+                    status_code=413,
+                    detail=f"Payload too large (max {limit} bytes)",
+                )
+        except ValueError:
+            raise HTTPException(status_code=400, detail="Invalid Content-Length")
+
+    chunks: list[bytes] = []
+    size = 0
+    async for chunk in request.stream():
+        size += len(chunk)
+        if size > limit:
+            raise HTTPException(
+                status_code=413,
+                detail=f"Payload too large (max {limit} bytes)",
+            )
+        chunks.append(chunk)
+    return b"".join(chunks)
+
 
 async def _get_provider_by_token(
     session: AsyncSession, token: str, expected_type: str,
@@ -169,7 +205,8 @@ async def _dispatch_webhook_event(
             ))
 
             # Dispatch to targets
-            dispatcher = NotificationDispatcher()
+            from ..services.http_session import get_http_session
+            dispatcher = NotificationDispatcher(session=await get_http_session())
             target_configs = _build_target_configs(event, link_data, provider_config, app_tz)
             if target_configs:
                 results = await dispatcher.dispatch(event, target_configs)
@@ -203,7 +240,7 @@ async def gitea_webhook(token: str, request: Request):
         webhook_secret = (provider.config or {}).get("webhook_secret", "")
 
     # Read raw body for HMAC check
-    raw_body = await request.body()
+    raw_body = await _read_bounded_body(request)
 
     if not webhook_secret:
         raise HTTPException(
@@ -221,8 +258,8 @@ async def gitea_webhook(token: str, request: Request):
         return {"ok": True, "skipped": "no event header"}
 
     try:
-        payload = await request.json()
-    except (json.JSONDecodeError, ValueError):
+        payload = json.loads(raw_body.decode("utf-8"))
+    except (UnicodeDecodeError, json.JSONDecodeError, ValueError):
         raise HTTPException(status_code=400, detail="Invalid JSON")
 
     event = parse_gitea_webhook(event_header, payload, provider.name)
@@ -280,10 +317,10 @@ async def planka_webhook(token: str, request: Request):
     if not _verify_planka_token(webhook_secret, request):
         raise HTTPException(status_code=403, detail="Invalid token")
 
-    # Parse payload
+    # Parse payload from the bounded raw_body we already read.
     try:
-        payload = await request.json()
-    except (json.JSONDecodeError, ValueError):
+        payload = json.loads(raw_body.decode("utf-8"))
+    except (UnicodeDecodeError, json.JSONDecodeError, ValueError):
         raise HTTPException(status_code=400, detail="Invalid JSON")
 
     event_type = payload.get("type", "")
@@ -446,23 +483,22 @@ async def generic_webhook(token: str, request: Request):
     store_payloads = provider_config.get("store_payloads", True)
     max_stored = min(max(int(provider_config.get("max_stored_payloads", 20)), 1), 100)
 
-    raw_body = await request.body()
+    raw_body = await _read_bounded_body(request)
 
-    # Enforce payload size limit BEFORE parsing JSON
-    if len(raw_body) > 1_000_000:
-        raise HTTPException(status_code=413, detail="Payload too large (max 1 MB)")
+    # Bounded read above already enforces the size cap; no need to re-check.
 
     if not _verify_generic_webhook_auth(provider_config, request, raw_body):
         raise HTTPException(status_code=403, detail="Authentication failed")
 
     safe_headers = _filter_headers(dict(request.headers))
 
-    # Parse JSON payload
+    # Parse JSON payload from the already-bounded raw_body (request.body()
+    # has been consumed, so request.json() is no longer usable here).
     try:
-        payload = await request.json()
+        payload = json.loads(raw_body.decode("utf-8"))
         if not isinstance(payload, dict):
             raise ValueError("Payload must be a JSON object")
-    except (json.JSONDecodeError, ValueError):
+    except (UnicodeDecodeError, json.JSONDecodeError, ValueError):
         if store_payloads:
             async with AsyncSession(get_engine()) as log_session:
                 await _save_webhook_log(

packages/server/src/notify_bridge_server/auth/jwt.py

@@ -7,30 +7,51 @@ import jwt
 from ..config import settings
 
 ALGORITHM = "HS256"
+_LEEWAY_SECONDS = 10
+
+
+def _now_utc() -> datetime:
+    return datetime.now(timezone.utc)
 
 
 def create_access_token(user_id: int, role: str, token_version: int = 1) -> str:
-    expire = datetime.now(timezone.utc) + timedelta(minutes=settings.access_token_expire_minutes)
+    now = _now_utc()
+    expire = now + timedelta(minutes=settings.access_token_expire_minutes)
     payload = {
+        "iss": settings.jwt_issuer,
+        "aud": settings.jwt_audience,
         "sub": str(user_id),
         "role": role,
         "type": "access",
         "ver": token_version,
+        "iat": now,
         "exp": expire,
     }
     return jwt.encode(payload, settings.secret_key, algorithm=ALGORITHM)
 
 
 def create_refresh_token(user_id: int, token_version: int = 1) -> str:
-    expire = datetime.now(timezone.utc) + timedelta(days=settings.refresh_token_expire_days)
+    now = _now_utc()
+    expire = now + timedelta(days=settings.refresh_token_expire_days)
     payload = {
+        "iss": settings.jwt_issuer,
+        "aud": settings.jwt_audience,
         "sub": str(user_id),
         "type": "refresh",
         "ver": token_version,
+        "iat": now,
         "exp": expire,
     }
     return jwt.encode(payload, settings.secret_key, algorithm=ALGORITHM)
 
 
 def decode_token(token: str) -> dict:
-    return jwt.decode(token, settings.secret_key, algorithms=[ALGORITHM])
+    return jwt.decode(
+        token,
+        settings.secret_key,
+        algorithms=[ALGORITHM],
+        audience=settings.jwt_audience,
+        issuer=settings.jwt_issuer,
+        leeway=_LEEWAY_SECONDS,
+        options={"require": ["exp", "sub", "iss", "aud", "type"]},
+    )

packages/server/src/notify_bridge_server/auth/routes.py

@@ -1,5 +1,7 @@
 """Authentication API routes."""
 
+import asyncio
+
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from pydantic import BaseModel
 from slowapi import Limiter
@@ -16,7 +18,9 @@ from .jwt import create_access_token, create_refresh_token, decode_token
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
-limiter = Limiter(key_func=get_remote_address)
+# Default rate limit applied by SlowAPIMiddleware to every route that does NOT
+# specify its own @limiter.limit(...) — protects against blanket abuse.
+limiter = Limiter(key_func=get_remote_address, default_limits=["600/minute"])
 
 
 class SetupRequest(BaseModel):
@@ -45,27 +49,52 @@ class RefreshRequest(BaseModel):
     refresh_token: str
 
 
-def _hash_password(password: str) -> str:
-    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+async def _hash_password(password: str) -> str:
+    """bcrypt.hashpw is CPU-bound (~200-500ms); never run it on the event loop."""
+
+    def _work() -> str:
+        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+
+    return await asyncio.to_thread(_work)
 
 
-def _verify_password(password: str, hashed: str) -> bool:
-    return bcrypt.checkpw(password.encode(), hashed.encode())
+async def _verify_password(password: str, hashed: str) -> bool:
+    def _work() -> bool:
+        try:
+            return bcrypt.checkpw(password.encode(), hashed.encode())
+        except ValueError:
+            # Malformed hash in DB — treat as mismatch, never raise to caller.
+            return False
+
+    return await asyncio.to_thread(_work)
 
 
 @router.post("/setup", response_model=TokenResponse)
 @limiter.limit("3/minute")
 async def setup(request: Request, body: SetupRequest, session: AsyncSession = Depends(get_session)):
-    result = await session.exec(select(func.count()).select_from(User))
-    count = result.one()
-    if count > 0:
-        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Setup already completed.")
-
     if len(body.password) < 8:
         raise HTTPException(status_code=400, detail="Password must be at least 8 characters")
-    user = User(username=body.username, hashed_password=_hash_password(body.password), role="admin")
-    session.add(user)
-    await session.commit()
+    # Compute hash BEFORE opening the transaction so we don't hold a writer lock
+    # during the CPU-bound bcrypt work.
+    hashed = await _hash_password(body.password)
+
+    # Serialize setup via an INSERT-inside-transaction-with-count-guard.
+    # SQLite's writer lock plus the count check inside the transaction closes
+    # the TOCTOU window between two concurrent POSTs. We ignore id=0 — that's
+    # the internal "__system__" placeholder used for ownership of default
+    # templates, never a real admin.
+    async with session.begin():
+        result = await session.exec(
+            select(func.count()).select_from(User).where(User.id != 0)
+        )
+        count = result.one()
+        if count > 0:
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail="Setup already completed.",
+            )
+        user = User(username=body.username, hashed_password=hashed, role="admin")
+        session.add(user)
     await session.refresh(user)
 
     return TokenResponse(
@@ -79,7 +108,13 @@ async def setup(request: Request, body: SetupRequest, session: AsyncSession = De
 async def login(request: Request, body: LoginRequest, session: AsyncSession = Depends(get_session)):
     result = await session.exec(select(User).where(User.username == body.username))
     user = result.first()
-    if not user or not _verify_password(body.password, user.hashed_password):
+    # Always run a bcrypt verification to keep the response time constant,
+    # preventing username-enumeration via timing side channel.
+    password_ok = await _verify_password(
+        body.password,
+        user.hashed_password if user else "$2b$12$" + "a" * 53,
+    )
+    if not user or not password_ok:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid username or password")
 
     return TokenResponse(
@@ -124,16 +159,18 @@ class PasswordChangeRequest(BaseModel):
 
 
 @router.put("/password")
+@limiter.limit("10/minute")
 async def change_password(
+    request: Request,
     body: PasswordChangeRequest,
     user: User = Depends(get_current_user),
     session: AsyncSession = Depends(get_session),
 ):
-    if not _verify_password(body.current_password, user.hashed_password):
+    if not await _verify_password(body.current_password, user.hashed_password):
         raise HTTPException(status_code=400, detail="Current password is incorrect")
     if len(body.new_password) < 8:
         raise HTTPException(status_code=400, detail="New password must be at least 8 characters")
-    user.hashed_password = _hash_password(body.new_password)
+    user.hashed_password = await _hash_password(body.new_password)
     user.token_version = (user.token_version or 1) + 1
     session.add(user)
     await session.commit()
@@ -141,7 +178,12 @@ async def change_password(
 
 
 @router.get("/needs-setup")
-async def needs_setup(session: AsyncSession = Depends(get_session)):
-    result = await session.exec(select(func.count()).select_from(User))
+@limiter.limit("30/minute")
+async def needs_setup(request: Request, session: AsyncSession = Depends(get_session)):
+    # Exclude the internal __system__ placeholder (id=0) from the count so
+    # a fresh install still reports needs_setup=True.
+    result = await session.exec(
+        select(func.count()).select_from(User).where(User.id != 0)
+    )
     count = result.one()
     return {"needs_setup": count == 0}

packages/server/src/notify_bridge_server/commands/handler.py

@@ -108,13 +108,18 @@ def _render_cmd_template(
     """Render a locale-aware command template. Falls back to 'en'."""
     template_str = _resolve_template(templates, slot_name, locale)
     if not template_str:
-        _LOGGER.warning("No command template found for slot '%s' locale '%s'", slot_name, locale)
+        # Missing template = user sees "[No template: X]" — this is an ERROR,
+        # not a warning. Broken replies must stand out in production logs.
+        _LOGGER.error("No command template found for slot '%s' locale '%s'", slot_name, locale)
         return f"[No template: {slot_name}]"
     try:
         tmpl = _compile_template(template_str)
         return tmpl.render(**context)
-    except Exception as e:
-        _LOGGER.warning("Failed to render command template '%s': %s", slot_name, e)
+    except Exception:
+        _LOGGER.error(
+            "Failed to render command template '%s' locale=%s — user will see a broken reply",
+            slot_name, locale, exc_info=True,
+        )
         return f"[Template error: {slot_name}]"
 
 
@@ -296,6 +301,10 @@ async def handle_command(
     # Rate limit check (once per command, shared across all trackers)
     wait = _check_rate_limit(bot.id, chat_id, cmd, rate_limits)
     if wait is not None:
+        _LOGGER.info(
+            "Rate-limited /%s for bot=%d chat=%s — %ds cooldown remaining",
+            cmd, bot.id, chat_id, wait,
+        )
         text_resp = _render_cmd_template(merged_templates, "rate_limited", locale, {"wait": wait})
         return [CommandResponse(text=text_resp)]
 
@@ -322,8 +331,8 @@ async def handle_command(
     for tracker, config, provider, listener in ctx_tuples:
         if len(responses) >= _MAX_RESPONSES_PER_COMMAND:
             _LOGGER.warning(
-                "Truncated command responses at %d for bot %d cmd /%s",
-                _MAX_RESPONSES_PER_COMMAND, bot.id, cmd,
+                "Truncated command responses at %d for bot=%d chat=%s cmd=/%s (listener context size=%d)",
+                _MAX_RESPONSES_PER_COMMAND, bot.id, chat_id, cmd, len(ctx_tuples),
             )
             break
 
@@ -418,7 +427,12 @@ async def send_reply(
         disable_web_page_preview=True,
     )
     if not result.get("success"):
-        _LOGGER.warning("Telegram reply failed: %s", result.get("error"))
+        # User-visible failure: the bot's reply never reached the chat.
+        _LOGGER.error(
+            "Telegram reply failed (chat=%s reply_to=%s len=%d): code=%s error=%r",
+            chat_id, reply_to_message_id, len(text or ""),
+            result.get("error_code"), result.get("error"),
+        )
 
 
 async def send_media_group(
@@ -442,6 +456,14 @@ async def send_media_group(
     assets hit the cache and skip the re-upload.
     """
     if not media_items:
+        # This is what happened in the /random blind spot: the text reply
+        # was sent, but the media follow-up was silently skipped because
+        # the caller passed an empty media list. Surface it so we can see
+        # it in the log and correlate with the text message.
+        _LOGGER.warning(
+            "send_media_group called with 0 items (chat=%s reply_to=%s) — no media will be delivered",
+            chat_id, reply_to_message_id,
+        )
         return
 
     from ..services.telegram_send import send_telegram_media
@@ -452,7 +474,13 @@ async def send_media_group(
         chat_action=None,
     )
     if not result.get("success"):
-        _LOGGER.warning("Telegram media group failed: %s", result.get("error"))
+        # User-visible failure: media promised by the text reply never arrived.
+        _LOGGER.error(
+            "Telegram media group failed (chat=%s items=%d reply_to=%s): code=%s error=%r failed_at_chunk=%s",
+            chat_id, len(media_items), reply_to_message_id,
+            result.get("error_code"), result.get("error"),
+            result.get("failed_at_chunk"),
+        )
 
 
 async def register_commands_with_telegram(bot: TelegramBot) -> bool:

packages/server/src/notify_bridge_server/commands/immich/common.py

@@ -76,16 +76,28 @@ def build_asset_dict(
     public_url: str = "",
     year: int | None = None,
 ) -> dict[str, Any]:
-    """Build a rich asset dict for command templates from an ImmichAssetInfo or raw dict."""
+    """Build a rich asset dict for command templates from an ImmichAssetInfo or raw dict.
+
+    Asset-dict contract (shared with notification templates — see
+    ``notify_bridge_core.templates.context``): templates may read either
+    ``filename`` (the canonical field, used by notification defaults) or
+    ``originalFileName`` (the historical command-default field); both are
+    populated so a custom template authored against either key keeps working.
+    Same story for ``created_at`` / ``createdAt``.
+    """
     if isinstance(asset, dict):
         # Immich raw search responses nest geo under exifInfo — pull it out so
         # templates can use flat asset.city / asset.country.
         exif = asset.get("exifInfo") or {}
+        fname = asset.get("originalFileName") or asset.get("filename") or ""
+        created = asset.get("createdAt") or asset.get("created_at") or asset.get("fileCreatedAt") or ""
         d = {
             "id": asset.get("id", ""),
-            "originalFileName": asset.get("originalFileName", asset.get("filename", "")),
+            "filename": fname,
+            "originalFileName": fname,
             "type": asset.get("type", "IMAGE"),
-            "createdAt": asset.get("createdAt", asset.get("created_at", asset.get("fileCreatedAt", ""))),
+            "created_at": created,
+            "createdAt": created,
             "city": asset.get("city") or exif.get("city") or "",
             "country": asset.get("country") or exif.get("country") or "",
             "is_favorite": asset.get("is_favorite", asset.get("isFavorite", False)),
@@ -97,8 +109,10 @@ def build_asset_dict(
     # ImmichAssetInfo dataclass
     return {
         "id": asset.id,
+        "filename": asset.filename,
         "originalFileName": asset.filename,
         "type": asset.type,
+        "created_at": asset.created_at,
         "createdAt": asset.created_at,
         "city": getattr(asset, "city", "") or "",
         "country": getattr(asset, "country", "") or "",
@@ -144,6 +158,7 @@ def _format_assets(
         # other's cached file_ids (which is what made the cache look empty
         # from the WebUI after running /random).
         media_items: list[dict[str, Any]] = []
+        dropped = 0
         for asset in assets:
             asset_id = asset.get("id", "")
             asset_type = (asset.get("type") or "").upper()
@@ -156,6 +171,20 @@ def _format_assets(
             )
             if entry is not None:
                 media_items.append(entry)
+            else:
+                dropped += 1
+                _LOGGER.warning(
+                    "Dropped asset from /%s media payload: id=%s type=%s (empty preview URL)",
+                    cmd, asset_id, asset_type,
+                )
+        if not media_items and assets:
+            # All assets were filtered out before reaching Telegram. The user
+            # will see the text reply but no media — surface it here so the
+            # log shows WHY the media group ended up empty.
+            _LOGGER.warning(
+                "/%s media payload empty: %d asset(s) in, 0 out (all dropped)",
+                cmd, len(assets),
+            )
         # Return text message + media items — text is sent first, media as reply
         return {"text": text, "media": media_items}
 

packages/server/src/notify_bridge_server/commands/immich/handler.py

@@ -143,7 +143,16 @@ async def _cmd_immich(
     # chat).  ``None`` = no filter (rare); empty set = show nothing (common
     # when the chat has no tracker routing).
     if allowed_album_ids is not None:
+        before = len(all_album_ids)
         all_album_ids = [aid for aid in all_album_ids if aid in allowed_album_ids]
+        if not all_album_ids:
+            # A command that sees zero albums is a routing/tracker config issue
+            # the operator needs to notice — otherwise the user gets
+            # "no results" with no hint at why.
+            _LOGGER.info(
+                "Command /%s has empty album scope for provider=%d (had %d trackers, chat scope allowed %d)",
+                cmd, provider.id, before, len(allowed_album_ids),
+            )
 
     ext_domain = (provider.config.get("external_domain") or provider.config.get("url", "")).rstrip("/")
 

packages/server/src/notify_bridge_server/commands/webhook.py

@@ -4,12 +4,14 @@ from __future__ import annotations
 
 import hmac
 import logging
+import time
 from typing import Any
 
 from fastapi import APIRouter, Depends, Header, HTTPException, Request
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession
 
+from notify_bridge_core.log_context import bind_log_context
 from notify_bridge_core.notifications.telegram.client import TelegramClient
 
 from ..database.engine import get_session
@@ -18,6 +20,7 @@ from ..services.telegram import save_chat_from_webhook
 from ..services.telegram_send import telegram_chat_action
 from .base import CommandResponse
 from .handler import classify_command_chat_action, handle_command, send_media_group, send_reply
+from .parser import parse_command
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -93,20 +96,62 @@ async def telegram_webhook(
             )
         )).first()
         if not chat_row or not chat_row.commands_enabled:
+            _LOGGER.info(
+                "Command ignored — commands disabled for bot=%s chat=%s text=%r",
+                bot_id, chat_id, text[:64],
+            )
             return {"ok": True, "skipped": "commands_disabled"}
         effective_lang = chat_row.language_override or msg_language
         message_id = message.get("message_id")
-        async with telegram_chat_action(
-            bot_token, chat_id, classify_command_chat_action(text),
+
+        cmd_name, _, _ = parse_command(text)
+        update_id = update.get("update_id")
+        request_id = f"tg:{update_id}" if update_id is not None else f"tg:msg{message_id}"
+
+        with bind_log_context(
+            request_id=request_id,
+            command=cmd_name or "-",
+            chat_id=chat_id,
+            bot_id=bot_id,
         ):
-            responses = await handle_command(bot, chat_id, text, language_code=effective_lang)
-            if responses:
-                for resp in responses:
-                    if resp.text:
-                        await send_reply(bot_token, chat_id, resp.text, reply_to_message_id=message_id)
-                    if resp.media:
-                        await send_media_group(bot_token, chat_id, resp.media, reply_to_message_id=message_id)
-                return {"ok": True}
+            started = time.monotonic()
+            _LOGGER.info("Command received: /%s args=%r lang=%s", cmd_name, text[:200], effective_lang)
+            try:
+                async with telegram_chat_action(
+                    bot_token, chat_id, classify_command_chat_action(text),
+                ):
+                    responses = await handle_command(bot, chat_id, text, language_code=effective_lang)
+                    if not responses:
+                        _LOGGER.info(
+                            "Command produced no response (cmd=%r) after %.0f ms",
+                            cmd_name, (time.monotonic() - started) * 1000,
+                        )
+                        return {"ok": True, "skipped": "no_response"}
+                    text_count = sum(1 for r in responses if r.text)
+                    media_count = sum(len(r.media or []) for r in responses)
+                    _LOGGER.info(
+                        "Command dispatching %d response(s): text=%d media_items=%d",
+                        len(responses), text_count, media_count,
+                    )
+                    for idx, resp in enumerate(responses):
+                        if resp.text:
+                            await send_reply(bot_token, chat_id, resp.text, reply_to_message_id=message_id)
+                        if resp.media:
+                            await send_media_group(bot_token, chat_id, resp.media, reply_to_message_id=message_id)
+                    _LOGGER.info(
+                        "Command /%s completed in %.0f ms (responses=%d media=%d)",
+                        cmd_name, (time.monotonic() - started) * 1000,
+                        len(responses), media_count,
+                    )
+                    return {"ok": True}
+            except Exception:
+                _LOGGER.exception(
+                    "Command /%s raised after %.0f ms",
+                    cmd_name, (time.monotonic() - started) * 1000,
+                )
+                # Return 200 so Telegram doesn't retry the same update — we
+                # already logged the failure and can't usefully reprocess.
+                return {"ok": True, "error": "handler_exception"}
 
     return {"ok": True, "skipped": "not_a_command"}
 

packages/server/src/notify_bridge_server/config.py

@@ -2,8 +2,20 @@
 
 from pathlib import Path
 from typing import Any
+from urllib.parse import urlparse
+
 from pydantic_settings import BaseSettings
 
+# Secret keys we will actively refuse. These cover the default template value
+# and dev-only literals that have appeared in scripts or documentation.
+_FORBIDDEN_SECRETS: frozenset[str] = frozenset(
+    {
+        "change-me-in-production",
+        "test-secret-key-minimum-32-chars",
+        "dev-secret-key-not-for-production",
+    }
+)
+
 
 class Settings(BaseSettings):
     """Application settings loaded from environment variables."""
@@ -13,29 +25,25 @@ class Settings(BaseSettings):
 
     secret_key: str = "change-me-in-production"
 
-    def model_post_init(self, __context: Any) -> None:
-        if self.secret_key == "change-me-in-production":
-            raise ValueError(
-                "SECURITY: Refusing to start with the default secret_key. "
-                "Set NOTIFY_BRIDGE_SECRET_KEY to a random value (>=32 bytes) "
-                "before starting the server (debug mode included)."
-            )
-        if len(self.secret_key) < 32:
-            raise ValueError(
-                "SECURITY: NOTIFY_BRIDGE_SECRET_KEY must be at least 32 characters."
-            )
-        if "*" in self.cors_allowed_origins.split(","):
-            raise ValueError(
-                "SECURITY: wildcard '*' is not allowed in CORS origins when credentials are enabled."
-            )
-
-    access_token_expire_minutes: int = 60
+    access_token_expire_minutes: int = 15
     refresh_token_expire_days: int = 30
 
+    jwt_issuer: str = "notify-bridge"
+    jwt_audience: str = "notify-bridge-api"
+
     host: str = "0.0.0.0"
     port: int = 8420
     debug: bool = False
 
+    # Comma-separated list of trusted proxy IPs uvicorn will honor for
+    # X-Forwarded-For / X-Forwarded-Proto. Use "*" ONLY when you trust the
+    # network (never directly on the internet). Default matches uvicorn.
+    forwarded_allow_ips: str = "127.0.0.1"
+
+    # How long to wait for in-flight requests / scheduler jobs before force
+    # killing on SIGTERM.
+    graceful_shutdown_seconds: int = 60
+
     anthropic_api_key: str = ""
     ai_model: str = "claude-sonnet-4-20250514"
     ai_max_tokens: int = 1024
@@ -48,8 +56,61 @@ class Settings(BaseSettings):
     static_dir: str = ""
     """Path to frontend static files. Set to serve SvelteKit build via FastAPI (e.g. /app/static in Docker)."""
 
+    # --- Logging ---
+    log_level: str = "INFO"
+    """Root log level for the app loggers (``DEBUG``/``INFO``/``WARNING``/``ERROR``)."""
+
+    log_format: str = "text"
+    """Log output format: ``text`` (human-readable) or ``json`` (one object per line)."""
+
+    log_levels: str = ""
+    """Comma-separated per-module overrides, e.g. ``notify_bridge_core.notifications.telegram.client=DEBUG,sqlalchemy.engine=INFO``."""
+
+    # --- Retention ---
+    event_log_retention_days: int = 30
+    """Days of event_log history to retain. 0 disables the retention job."""
+
+    pre_migrate_snapshot_keep: int = 5
+    """Number of pre-migration DB snapshots to keep in ``data_dir/backups/``.
+    0 disables snapshotting entirely. Each snapshot is produced at boot
+    before migrations run using SQLite's ``VACUUM INTO`` (atomic, consistent).
+    """
+
     model_config = {"env_prefix": "NOTIFY_BRIDGE_"}
 
+    def model_post_init(self, __context: Any) -> None:
+        if self.secret_key in _FORBIDDEN_SECRETS:
+            raise ValueError(
+                "SECURITY: Refusing to start with a known/default secret_key. "
+                "Set NOTIFY_BRIDGE_SECRET_KEY to a random value (>=32 bytes) "
+                "before starting the server."
+            )
+        if len(self.secret_key) < 32:
+            raise ValueError(
+                "SECURITY: NOTIFY_BRIDGE_SECRET_KEY must be at least 32 characters."
+            )
+        origins = [o.strip() for o in self.cors_allowed_origins.split(",") if o.strip()]
+        if "*" in origins:
+            raise ValueError(
+                "SECURITY: wildcard '*' is not allowed in CORS origins when credentials are enabled."
+            )
+        for origin in origins:
+            parsed = urlparse(origin)
+            if parsed.scheme not in {"http", "https"} or not parsed.netloc:
+                raise ValueError(
+                    f"CORS origin {origin!r} is invalid — must include scheme (http/https) and host."
+                )
+        if self.access_token_expire_minutes <= 0:
+            raise ValueError("access_token_expire_minutes must be > 0")
+        if self.refresh_token_expire_days <= 0:
+            raise ValueError("refresh_token_expire_days must be > 0")
+        if not (1 <= self.port <= 65535):
+            raise ValueError("port must be in range 1..65535")
+        if self.event_log_retention_days < 0:
+            raise ValueError("event_log_retention_days must be >= 0")
+        if self.pre_migrate_snapshot_keep < 0:
+            raise ValueError("pre_migrate_snapshot_keep must be >= 0")
+
     @property
     def effective_database_url(self) -> str:
         if self.database_url:

packages/server/src/notify_bridge_server/database/engine.py

@@ -1,23 +1,59 @@
 """Database engine and session management."""
 
 from collections.abc import AsyncGenerator
+import logging
 
+from sqlalchemy import event
 from sqlmodel import SQLModel
 from sqlmodel.ext.asyncio.session import AsyncSession
 from sqlalchemy.ext.asyncio import AsyncEngine, create_async_engine
 
 from ..config import settings
 
+_LOGGER = logging.getLogger(__name__)
+
 _engine: AsyncEngine | None = None
 
 
+def _install_sqlite_pragmas(engine: AsyncEngine) -> None:
+    """Apply production-grade SQLite PRAGMAs on every new connection.
+
+    WAL mode lets readers and writers work concurrently without blocking;
+    ``busy_timeout`` gives contending writers a chance instead of instant
+    SQLITE_BUSY; ``foreign_keys`` enforces the FK constraints declared in the
+    models (SQLite disables them by default); ``synchronous=NORMAL`` is a
+    safe-by-default durability trade-off that is standard in WAL mode.
+    """
+
+    @event.listens_for(engine.sync_engine, "connect")
+    def _pragmas(dbapi_conn, _record):  # pragma: no cover — driver hook
+        cur = dbapi_conn.cursor()
+        try:
+            cur.execute("PRAGMA journal_mode=WAL")
+            cur.execute("PRAGMA synchronous=NORMAL")
+            cur.execute("PRAGMA foreign_keys=ON")
+            cur.execute("PRAGMA busy_timeout=10000")
+            cur.execute("PRAGMA temp_store=MEMORY")
+        finally:
+            cur.close()
+
+
 def get_engine() -> AsyncEngine:
     global _engine
     if _engine is None:
+        url = settings.effective_database_url
+        connect_args: dict = {}
+        if url.startswith("sqlite"):
+            connect_args["timeout"] = 30
         _engine = create_async_engine(
-            settings.effective_database_url,
+            url,
             echo=settings.debug,
+            pool_pre_ping=True,
+            connect_args=connect_args,
         )
+        if url.startswith("sqlite"):
+            _install_sqlite_pragmas(_engine)
+        _LOGGER.info("Database engine initialized: %s", url.split("://", 1)[0])
     return _engine
 
 
@@ -31,3 +67,11 @@ async def get_session() -> AsyncGenerator[AsyncSession, None]:
     engine = get_engine()
     async with AsyncSession(engine) as session:
         yield session
+
+
+async def dispose_engine() -> None:
+    """Close the engine's connection pool. Call during graceful shutdown."""
+    global _engine
+    if _engine is not None:
+        await _engine.dispose()
+        _engine = None

packages/server/src/notify_bridge_server/database/migrations.py

@@ -144,7 +144,10 @@ async def migrate_schema(engine: AsyncEngine) -> None:
                 if bots:
                     logger.info("Backfilled webhook_path_id for %d existing bots", len(bots))
 
-            # Add update_mode to telegram_bot if missing
+            # Add update_mode to telegram_bot if missing.
+            # Existing bots pre-date this feature and were implicitly polling;
+            # preserve that behavior. New bots default to "none" via the
+            # SQLModel field default on fresh schemas.
             if not await _has_column(conn, "telegram_bot", "update_mode"):
                 await conn.execute(
                     text("ALTER TABLE telegram_bot ADD COLUMN update_mode TEXT DEFAULT 'polling'")
@@ -1282,3 +1285,141 @@ async def migrate_user_token_version(engine: AsyncEngine) -> None:
                 text("ALTER TABLE user ADD COLUMN token_version INTEGER NOT NULL DEFAULT 1")
             )
             logger.info("Added token_version column to user table")
+
+
+# ---------------------------------------------------------------------------
+# Performance indexes — covers every FK / owner column the list endpoints
+# and the webhook hot-path filter on. All use CREATE INDEX IF NOT EXISTS so
+# they are safe to re-run on every boot.
+# ---------------------------------------------------------------------------
+
+_INDEXES: list[tuple[str, str, str]] = [
+    # (index_name, table, columns)
+    ("ix_service_provider_user_id", "service_provider", "user_id"),
+    ("ix_telegram_bot_user_id", "telegram_bot", "user_id"),
+    ("ix_matrix_bot_user_id", "matrix_bot", "user_id"),
+    ("ix_email_bot_user_id", "email_bot", "user_id"),
+    ("ix_telegram_chat_bot_id", "telegram_chat", "bot_id"),
+    ("ix_tracking_config_user_id", "tracking_config", "user_id"),
+    ("ix_tracking_config_provider_type", "tracking_config", "provider_type"),
+    ("ix_notification_target_user_id", "notification_target", "user_id"),
+    ("ix_notification_target_type", "notification_target", "type"),
+    ("ix_notification_tracker_user_id", "notification_tracker", "user_id"),
+    ("ix_notification_tracker_provider_id", "notification_tracker", "provider_id"),
+    # Composite for the webhook hot path: WHERE provider_id = ? AND enabled = true
+    (
+        "ix_notification_tracker_provider_enabled",
+        "notification_tracker",
+        "provider_id, enabled",
+    ),
+    ("ix_command_config_user_id", "command_config", "user_id"),
+    ("ix_command_template_config_user_id", "command_template_config", "user_id"),
+    ("ix_command_tracker_user_id", "command_tracker", "user_id"),
+    ("ix_command_tracker_provider_id", "command_tracker", "provider_id"),
+    ("ix_action_user_id", "action", "user_id"),
+    ("ix_action_provider_id", "action", "provider_id"),
+    # Dashboard: SELECT event_log WHERE user_id = ? ORDER BY created_at DESC
+    ("ix_event_log_user_created", "event_log", "user_id, created_at DESC"),
+    ("ix_event_log_provider_id", "event_log", "provider_id"),
+    ("ix_event_log_notification_tracker_id", "event_log", "notification_tracker_id"),
+    ("ix_event_log_action_id", "event_log", "action_id"),
+    # Webhook log hot path: WHERE provider_id = ? ORDER BY created_at DESC
+    (
+        "ix_webhook_payload_log_provider_created",
+        "webhook_payload_log",
+        "provider_id, created_at DESC",
+    ),
+    # Notification tracker join tables
+    (
+        "ix_notification_tracker_target_notification_tracker_id",
+        "notification_tracker_target",
+        "notification_tracker_id",
+    ),
+    (
+        "ix_notification_tracker_target_target_id",
+        "notification_tracker_target",
+        "target_id",
+    ),
+    ("ix_target_receiver_target_id", "target_receiver", "target_id"),
+    ("ix_template_slot_config_id", "template_slot", "config_id"),
+    ("ix_command_template_slot_config_id", "command_template_slot", "config_id"),
+    ("ix_action_rule_action_id", "action_rule", "action_id"),
+    ("ix_action_execution_action_started", "action_execution", "action_id, started_at DESC"),
+]
+
+
+async def migrate_performance_indexes(engine: AsyncEngine) -> None:
+    """Create missing performance indexes on hot query paths.
+
+    Every index is created with IF NOT EXISTS so the migration is safe to
+    replay on every boot.  We only create the index when the table exists —
+    early boots before other migrations land would otherwise raise.
+    """
+    async with engine.begin() as conn:
+        for name, table, columns in _INDEXES:
+            _assert_ident(name, "index")
+            _assert_ident(table, "table")
+            # Columns list is a trusted literal constructed above — never user input.
+            if not await _has_table(conn, table):
+                continue
+            try:
+                await conn.execute(
+                    text(f"CREATE INDEX IF NOT EXISTS {name} ON {table} ({columns})")
+                )
+            except Exception:  # pragma: no cover — log and continue
+                logger.warning(
+                    "Failed to create index %s on %s(%s)",
+                    name, table, columns, exc_info=True,
+                )
+
+
+# ---------------------------------------------------------------------------
+# Schema version tracking — lightweight alternative to Alembic while the
+# hand-rolled idempotent migrations remain the source of truth. Gives
+# operators a single-row answer to "what schema is this DB at" and lets
+# future upgrades short-circuit migrations that already ran.
+# ---------------------------------------------------------------------------
+
+CURRENT_SCHEMA_VERSION = 1
+
+
+async def migrate_schema_version(engine: AsyncEngine) -> None:
+    """Create schema_version table and bump it to CURRENT_SCHEMA_VERSION."""
+    async with engine.begin() as conn:
+        await conn.execute(
+            text(
+                "CREATE TABLE IF NOT EXISTS schema_version ("
+                "  id INTEGER PRIMARY KEY CHECK (id = 1),"
+                "  version INTEGER NOT NULL,"
+                "  applied_at TEXT NOT NULL"
+                ")"
+            )
+        )
+        row = await conn.run_sync(
+            lambda sc: sc.execute(
+                text("SELECT version FROM schema_version WHERE id = 1")
+            ).fetchone()
+        )
+        from datetime import datetime, timezone
+        now = datetime.now(timezone.utc).isoformat()
+        if row is None:
+            await conn.execute(
+                text(
+                    "INSERT INTO schema_version (id, version, applied_at) "
+                    "VALUES (1, :v, :t)"
+                ),
+                {"v": CURRENT_SCHEMA_VERSION, "t": now},
+            )
+            logger.info("Initialized schema_version at %d", CURRENT_SCHEMA_VERSION)
+        elif int(row[0]) < CURRENT_SCHEMA_VERSION:
+            await conn.execute(
+                text(
+                    "UPDATE schema_version SET version = :v, applied_at = :t "
+                    "WHERE id = 1"
+                ),
+                {"v": CURRENT_SCHEMA_VERSION, "t": now},
+            )
+            logger.info(
+                "Bumped schema_version from %s to %d",
+                row[0], CURRENT_SCHEMA_VERSION,
+            )

packages/server/src/notify_bridge_server/database/models.py

@@ -49,7 +49,7 @@ class TelegramBot(SQLModel, table=True):
     bot_username: str = Field(default="")
     bot_id: int = Field(default=0)
     webhook_path_id: str = Field(default_factory=lambda: uuid4().hex)
-    update_mode: str = Field(default="polling")  # "polling" or "webhook"
+    update_mode: str = Field(default="none")  # "none", "polling", or "webhook"
     # NOTE: commands_config column remains in the DB for backward compat,
     # but is no longer part of the SQLModel class. Data migrated to CommandConfig.
     created_at: datetime = Field(default_factory=_utcnow)

packages/server/src/notify_bridge_server/database/seeds.py

@@ -394,8 +394,37 @@ async def _seed_default_command_configs() -> None:
 # Public entry point
 # ---------------------------------------------------------------------------
 
+async def _ensure_system_user() -> None:
+    """Ensure a User row with id=0 exists.
+
+    Historically the app used ``user_id=0`` as a sentinel for "system-owned"
+    defaults (tracking configs, templates, etc.). Now that we enable
+    ``PRAGMA foreign_keys=ON`` at connect time, those inserts would fail
+    with ``FOREIGN KEY constraint failed`` unless a placeholder user row
+    with the matching id exists.
+    """
+    engine = get_engine()
+    async with engine.begin() as conn:
+        # INSERT OR IGNORE so re-running seeds is cheap and idempotent.
+        await conn.execute(
+            text(
+                "INSERT OR IGNORE INTO user "
+                "(id, username, hashed_password, role, token_version, created_at) "
+                "VALUES (0, :u, :p, :r, 1, :t)"
+            ),
+            {
+                "u": "__system__",
+                # Invalid bcrypt hash — nobody can ever log in as this user.
+                "p": "!disabled!",
+                "r": "system",
+                "t": datetime.now(timezone.utc).isoformat(),
+            },
+        )
+
+
 async def seed_all() -> None:
     """Run all seed functions in order."""
+    await _ensure_system_user()
     await _seed_default_templates()
     await _seed_default_command_templates()
     await _seed_default_tracking_configs()

packages/server/src/notify_bridge_server/database/snapshot.py

@@ -0,0 +1,155 @@
+"""Pre-migration database snapshots.
+
+Runs at lifespan startup BEFORE migrations execute. Produces a consistent
+point-in-time copy of the SQLite database using ``VACUUM INTO`` (atomic,
+cannot tear against concurrent activity, works with WAL).
+
+The snapshot is the operator's fallback if a future migration corrupts the
+schema — restore is a single ``mv`` / ``docker cp``. We keep the N most
+recent files (default 5) and never fail startup if the snapshot itself
+fails: a snapshot is best-effort safety net, not a gate.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import re
+from datetime import datetime, timezone
+from pathlib import Path
+
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import AsyncEngine
+
+_LOGGER = logging.getLogger(__name__)
+
+_SNAPSHOT_GLOB = "pre-migrate-*.db"
+_SNAPSHOT_NAME_RE = re.compile(r"^[A-Za-z0-9._+\-:]+$")
+
+
+def _sqlite_path_from_url(url: str) -> Path | None:
+    """Extract the filesystem path from a ``sqlite+aiosqlite:///...`` URL."""
+    if not url.startswith("sqlite"):
+        return None
+    # e.g. "sqlite+aiosqlite:///C:/data/notify_bridge.db"
+    prefix, _, rest = url.partition(":///")
+    if not rest:
+        return None
+    return Path(rest)
+
+
+async def snapshot_database(
+    engine: AsyncEngine,
+    target_dir: Path,
+    *,
+    label: str = "pre-migrate",
+) -> Path | None:
+    """Write a consistent copy of the SQLite DB to ``target_dir``.
+
+    Uses ``VACUUM INTO`` which SQLite executes atomically against a read
+    snapshot — safe under WAL, cannot produce a torn copy. Returns the
+    snapshot path on success, ``None`` when skipped or on non-fatal
+    failure. Never raises: callers treat a missing snapshot as acceptable
+    (the main DB remains the source of truth).
+    """
+    if not _SNAPSHOT_NAME_RE.match(label):
+        _LOGGER.warning("Snapshot label %r contains unsafe characters; skipping", label)
+        return None
+
+    url = str(engine.url)
+    src = _sqlite_path_from_url(url)
+    if src is None:
+        _LOGGER.debug("Non-SQLite engine; skipping snapshot")
+        return None
+    if not src.exists():
+        _LOGGER.debug("DB file %s does not exist yet (fresh install); skipping snapshot", src)
+        return None
+
+    target_dir.mkdir(parents=True, exist_ok=True)
+    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
+    dest = target_dir / f"{label}-{ts}.db"
+
+    # VACUUM INTO accepts a string literal, not a bind parameter. The dest
+    # path is built from our own label + timestamp (never user input), so
+    # escaping is straightforward — still, reject any dest containing a
+    # single quote as a belt-and-braces check.
+    dest_str = str(dest)
+    if "'" in dest_str:
+        _LOGGER.warning("Refusing to snapshot to path containing a single quote: %s", dest_str)
+        return None
+
+    try:
+        async with engine.connect() as conn:
+            # VACUUM cannot run inside an explicit transaction; use the
+            # plain connection without begin().
+            await conn.execute(text(f"VACUUM INTO '{dest_str}'"))
+        _LOGGER.info("Database snapshot written: %s (%.1f KiB)", dest, dest.stat().st_size / 1024)
+        return dest
+    except Exception:
+        _LOGGER.warning(
+            "Pre-migration snapshot failed — continuing with startup. "
+            "Check disk space in %s.",
+            target_dir,
+            exc_info=True,
+        )
+        # Partial file can linger if VACUUM INTO aborted mid-write; clean up.
+        try:
+            if dest.exists():
+                dest.unlink()
+        except OSError:
+            pass
+        return None
+
+
+def prune_old_snapshots(target_dir: Path, keep: int) -> list[Path]:
+    """Keep the ``keep`` most recent pre-migrate snapshots, delete the rest.
+
+    Returns the list of paths that were deleted. Safe to call with
+    ``keep=0`` (deletes everything) or when the directory does not exist.
+    """
+    if keep < 0:
+        raise ValueError("keep must be >= 0")
+    if not target_dir.is_dir():
+        return []
+
+    try:
+        snapshots = sorted(
+            target_dir.glob(_SNAPSHOT_GLOB),
+            key=lambda p: p.stat().st_mtime,
+            reverse=True,
+        )
+    except OSError:
+        return []
+
+    deleted: list[Path] = []
+    for old in snapshots[keep:]:
+        try:
+            old.unlink()
+            deleted.append(old)
+        except OSError:
+            _LOGGER.debug("Could not delete old snapshot %s", old, exc_info=True)
+    if deleted:
+        _LOGGER.info(
+            "Pruned %d old pre-migrate snapshot(s); kept %d most recent",
+            len(deleted), min(keep, len(snapshots)),
+        )
+    return deleted
+
+
+async def snapshot_and_prune(
+    engine: AsyncEngine,
+    target_dir: Path,
+    *,
+    keep: int,
+) -> Path | None:
+    """Take a snapshot and prune old ones. Used by the lifespan startup path.
+
+    ``keep=0`` disables snapshotting entirely.
+    """
+    if keep <= 0:
+        return None
+    snapshot_path = await snapshot_database(engine, target_dir)
+    # Always prune even if this run's snapshot failed — old files still
+    # cost disk and may have been written by prior successful boots.
+    await asyncio.to_thread(prune_old_snapshots, target_dir, keep)
+    return snapshot_path

packages/server/src/notify_bridge_server/logging_setup.py

@@ -0,0 +1,324 @@
+"""Production-grade logging configuration.
+
+Installs one ``dictConfig`` layout with:
+
+* A ``LogRecordFactory`` that pulls request-scoped identifiers from
+  ``notify_bridge_core.log_context`` onto every record, so logs can be
+  filtered/correlated by ``request_id``, ``command``, ``chat_id``,
+  ``bot_id``, ``dispatch_id`` without each call site passing them.
+* A ``SecretMaskingFilter`` that redacts Telegram bot tokens and common
+  ``Authorization`` / ``x-api-key`` headers so an accidental ``repr`` or
+  dumped request doesn't leak credentials into the log aggregator.
+* A text formatter (default) or a JSON formatter (one line per record)
+  selectable via ``NOTIFY_BRIDGE_LOG_FORMAT`` / app setting.
+
+Levels are configurable three ways (later wins):
+
+1. ``NOTIFY_BRIDGE_LOG_LEVEL`` env var (root) plus
+   ``NOTIFY_BRIDGE_LOG_LEVELS`` (``mod=LEVEL,mod2=LEVEL``).
+2. DB ``AppSetting`` rows ``log_level`` / ``log_levels`` / ``log_format``,
+   applied after migrations during startup.
+3. Live edits via the settings API — ``apply_log_levels()`` updates
+   existing loggers in place without a server restart.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import logging.config
+import re
+import sys
+from typing import Any
+
+from notify_bridge_core.log_context import (
+    bot_id_var,
+    chat_id_var,
+    command_var,
+    dispatch_id_var,
+    request_id_var,
+)
+
+# ---------------------------------------------------------------------------
+# Secret masking
+# ---------------------------------------------------------------------------
+
+# Telegram bot tokens: /bot<digits>:<alnum with dashes/underscores>
+_TELEGRAM_TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]{20,}")
+
+# Header-style secrets: Authorization: Bearer xxx, x-api-key=xxx, etc.
+# Only matches reasonably long tokens so short legitimate values don't trip.
+_HEADER_SECRET_RE = re.compile(
+    r"(?i)(authorization|x-api-key|api[_-]?key|password|secret|access[_-]?token|refresh[_-]?token)"
+    r"([\"']?\s*[:=]\s*[\"']?)"
+    r"([A-Za-z0-9._+/=\-]{12,})"
+)
+
+
+def _mask(text: str) -> str:
+    redacted = _TELEGRAM_TOKEN_RE.sub("/bot***", text)
+    redacted = _HEADER_SECRET_RE.sub(r"\1\2***", redacted)
+    return redacted
+
+
+class SecretMaskingFilter(logging.Filter):
+    """Redact likely secrets from every log message before it's emitted.
+
+    Covers three surfaces where a leaked token can end up in the log:
+    the formatted message, a cached exception traceback (``exc_text``),
+    and a cached stack frame dump (``stack_info``). The formatter still
+    expands ``exc_info`` for us when ``exc_text`` is None, so we also
+    pre-render + mask on first emission.
+    """
+
+    def filter(self, record: logging.LogRecord) -> bool:
+        try:
+            msg = record.getMessage()
+        except Exception:
+            return True
+        redacted = _mask(msg)
+        if redacted != msg:
+            # Replace the formatted message and drop args so the handler
+            # doesn't re-format with the original values.
+            record.msg = redacted
+            record.args = ()
+
+        if record.exc_info and not record.exc_text:
+            # Pre-render so we can mask before the formatter caches it.
+            fmt = logging.Formatter()
+            record.exc_text = fmt.formatException(record.exc_info)
+        if record.exc_text:
+            record.exc_text = _mask(record.exc_text)
+        if record.stack_info:
+            record.stack_info = _mask(record.stack_info)
+        return True
+
+
+# ---------------------------------------------------------------------------
+# Record factory — injects context identifiers onto every record
+# ---------------------------------------------------------------------------
+
+_CONTEXT_FIELDS = ("request_id", "command", "chat_id", "bot_id", "dispatch_id")
+_PLACEHOLDER = "-"
+
+_original_factory = logging.getLogRecordFactory()
+
+
+def _context_record_factory(*args: Any, **kwargs: Any) -> logging.LogRecord:
+    record = _original_factory(*args, **kwargs)
+    record.request_id = request_id_var.get() or _PLACEHOLDER
+    record.command = command_var.get() or _PLACEHOLDER
+    record.chat_id = chat_id_var.get() or _PLACEHOLDER
+    bid = bot_id_var.get()
+    record.bot_id = str(bid) if bid is not None else _PLACEHOLDER
+    record.dispatch_id = dispatch_id_var.get() or _PLACEHOLDER
+    return record
+
+
+# ---------------------------------------------------------------------------
+# JSON formatter
+# ---------------------------------------------------------------------------
+
+
+class JsonFormatter(logging.Formatter):
+    """Emit one JSON object per log record."""
+
+    def format(self, record: logging.LogRecord) -> str:
+        payload: dict[str, Any] = {
+            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S") + f".{int(record.msecs):03d}",
+            "level": record.levelname,
+            "logger": record.name,
+            "module": record.module,
+            "line": record.lineno,
+            "msg": record.getMessage(),
+        }
+        for field in _CONTEXT_FIELDS:
+            val = getattr(record, field, None)
+            if val and val != _PLACEHOLDER:
+                payload[field] = val
+        # Prefer the pre-masked exc_text cached by SecretMaskingFilter over
+        # re-formatting from exc_info, which would bypass the mask.
+        if record.exc_text:
+            payload["exc"] = record.exc_text
+        elif record.exc_info:
+            payload["exc"] = self.formatException(record.exc_info)
+        if record.stack_info:
+            payload["stack"] = record.stack_info
+        return json.dumps(payload, ensure_ascii=False, default=str)
+
+
+# ---------------------------------------------------------------------------
+# Text formatter
+# ---------------------------------------------------------------------------
+
+# Keeps all context fields on one line so grep-by-field works. Empty values
+# are rendered as "-" by the record factory to avoid KeyError if a record
+# arrives without the filter.
+_TEXT_FORMAT = (
+    "%(asctime)s %(levelname)-7s %(name)s:%(lineno)d "
+    "[req=%(request_id)s cmd=%(command)s bot=%(bot_id)s chat=%(chat_id)s disp=%(dispatch_id)s] "
+    "%(message)s"
+)
+
+
+# ---------------------------------------------------------------------------
+# Level override parsing
+# ---------------------------------------------------------------------------
+
+_VALID_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL", "NOTSET"}
+
+
+def parse_level_overrides(raw: str) -> dict[str, str]:
+    """Parse ``module=LEVEL,module2=LEVEL`` into a mapping of validated levels.
+
+    Invalid entries (bad format, unknown level) are silently dropped —
+    a malformed env var or DB setting must not crash boot.
+    """
+    result: dict[str, str] = {}
+    for chunk in (raw or "").split(","):
+        chunk = chunk.strip()
+        if not chunk or "=" not in chunk:
+            continue
+        mod, _, lvl = chunk.partition("=")
+        mod = mod.strip()
+        lvl = lvl.strip().upper()
+        if not mod or lvl not in _VALID_LEVELS:
+            continue
+        result[mod] = lvl
+    return result
+
+
+def _normalize_level(level: str | None, default: str = "INFO") -> str:
+    if not level:
+        return default
+    up = level.strip().upper()
+    return up if up in _VALID_LEVELS else default
+
+
+# ---------------------------------------------------------------------------
+# Setup + live apply
+# ---------------------------------------------------------------------------
+
+# Libraries we quiet by default — noisy at DEBUG and almost always irrelevant
+# to a service issue. Override via LOG_LEVELS=sqlalchemy.engine=DEBUG when
+# actually debugging.
+_NOISY_LIBRARY_DEFAULTS: dict[str, str] = {
+    "sqlalchemy": "WARNING",
+    "sqlalchemy.engine": "WARNING",
+    "sqlalchemy.pool": "WARNING",
+    "aiohttp": "WARNING",
+    "aiohttp.access": "WARNING",
+    "aiohttp.client": "WARNING",
+    "aiohttp.server": "WARNING",
+    "apscheduler": "WARNING",
+    "apscheduler.scheduler": "WARNING",
+    "apscheduler.executors.default": "WARNING",
+    "urllib3": "WARNING",
+    "asyncio": "WARNING",
+    "httpx": "WARNING",
+    "httpcore": "WARNING",
+    "PIL": "WARNING",
+    "uvicorn.access": "WARNING",
+}
+
+
+def setup_logging(
+    *,
+    level: str = "INFO",
+    fmt: str = "text",
+    per_module_levels: str = "",
+) -> None:
+    """Install the logging configuration. Safe to call more than once.
+
+    Args:
+        level: Root log level (applied to ``notify_bridge_*`` loggers).
+        fmt: ``"text"`` (default) or ``"json"``.
+        per_module_levels: ``mod=LEVEL,mod2=LEVEL`` overrides. Wins over the
+            root level for the listed loggers.
+    """
+    root_level = _normalize_level(level, "INFO")
+    overrides = parse_level_overrides(per_module_levels)
+
+    # Install the context-aware record factory (idempotent — setting the same
+    # factory twice is fine because ``_original_factory`` is captured at
+    # import time).
+    logging.setLogRecordFactory(_context_record_factory)
+
+    if fmt == "json":
+        formatters = {"default": {"()": f"{__name__}.JsonFormatter"}}
+    else:
+        formatters = {
+            "default": {
+                "format": _TEXT_FORMAT,
+                "datefmt": "%Y-%m-%d %H:%M:%S",
+            }
+        }
+
+    # Start with noisy-library defaults, then layer user overrides on top so
+    # the user can raise them to DEBUG when actually debugging.
+    loggers: dict[str, dict[str, Any]] = {}
+    for mod, lvl in _NOISY_LIBRARY_DEFAULTS.items():
+        loggers[mod] = {"level": lvl, "propagate": True}
+    # App loggers follow the root level unless overridden.
+    loggers["notify_bridge_server"] = {"level": root_level, "propagate": True}
+    loggers["notify_bridge_core"] = {"level": root_level, "propagate": True}
+    # User overrides win.
+    for mod, lvl in overrides.items():
+        loggers[mod] = {"level": lvl, "propagate": True}
+
+    config: dict[str, Any] = {
+        "version": 1,
+        "disable_existing_loggers": False,
+        "filters": {
+            "mask_secrets": {"()": f"{__name__}.SecretMaskingFilter"},
+        },
+        "formatters": formatters,
+        "handlers": {
+            "stderr": {
+                "class": "logging.StreamHandler",
+                "stream": sys.stderr,
+                "formatter": "default",
+                "filters": ["mask_secrets"],
+            },
+        },
+        "root": {
+            "level": root_level,
+            "handlers": ["stderr"],
+        },
+        "loggers": loggers,
+    }
+    logging.config.dictConfig(config)
+
+
+def apply_log_levels(
+    *,
+    level: str | None,
+    per_module_levels: str | None,
+) -> None:
+    """Update existing logger levels in-place without rebuilding handlers.
+
+    Called when an admin changes the log settings at runtime. Setting
+    ``level`` to None leaves the root untouched; setting it to a valid
+    level applies to ``notify_bridge_server`` / ``notify_bridge_core``.
+
+    ``per_module_levels`` is treated as an exclusive set — loggers that
+    previously had an override but aren't in the new string are reset
+    *toward* the root level so a removed override actually takes effect.
+    """
+    if level:
+        lvl = _normalize_level(level, "INFO")
+        logging.getLogger("notify_bridge_server").setLevel(lvl)
+        logging.getLogger("notify_bridge_core").setLevel(lvl)
+        # NOTSET on root is almost never what you want — keep root where it is
+        # unless the caller explicitly set something.
+        logging.getLogger().setLevel(lvl)
+
+    if per_module_levels is not None:
+        overrides = parse_level_overrides(per_module_levels)
+        # Apply new overrides
+        for mod, lvl in overrides.items():
+            logging.getLogger(mod).setLevel(lvl)
+        # Reset noisy libs that aren't in the new overrides back to defaults
+        for mod, default_lvl in _NOISY_LIBRARY_DEFAULTS.items():
+            if mod not in overrides:
+                logging.getLogger(mod).setLevel(default_lvl)

packages/server/src/notify_bridge_server/main.py

@@ -9,13 +9,18 @@ from slowapi import _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded
 from slowapi.middleware import SlowAPIMiddleware
 
-# Ensure app-level loggers are visible
-logging.basicConfig(level=logging.INFO)
-
 from .config import settings as _log_cfg
-_log_level = logging.DEBUG if _log_cfg.debug else logging.INFO
-logging.getLogger("notify_bridge_server").setLevel(_log_level)
-logging.getLogger("notify_bridge_core").setLevel(_log_level)
+from .logging_setup import setup_logging
+
+# Boot logging from env-based config. DB-backed AppSetting rows (``log_level`` /
+# ``log_levels`` / ``log_format``) override this after migrations — see the
+# lifespan block below.
+setup_logging(
+    level="DEBUG" if _log_cfg.debug else _log_cfg.log_level,
+    fmt=_log_cfg.log_format,
+    per_module_levels=_log_cfg.log_levels,
+)
+_LOGGER = logging.getLogger(__name__)
 
 from .database.engine import init_db
 from .database.models import *  # noqa: F401,F403 — ensure all models registered
@@ -47,13 +52,41 @@ from .api.webhook_logs import router as webhook_logs_router
 from .api.backup import router as backup_router
 
 
+# Readiness flag — flipped to True once the scheduler has started and the
+# app is fully initialized. Exposed via /api/ready for orchestrators.
+_READY: bool = False
+
+
 @asynccontextmanager
 async def lifespan(app: FastAPI):
+    global _READY
     await init_db()
     # Run data migrations (idempotent)
     from .database.engine import get_engine
-    from .database.migrations import migrate_schema, migrate_tracker_targets, migrate_entity_refactor, migrate_template_slots, migrate_target_receivers, migrate_template_locale, migrate_receivers_from_config, migrate_command_slot_locale, migrate_notification_slot_locale, migrate_user_token_version
+    from .database.migrations import (
+        migrate_schema,
+        migrate_tracker_targets,
+        migrate_entity_refactor,
+        migrate_template_slots,
+        migrate_target_receivers,
+        migrate_template_locale,
+        migrate_receivers_from_config,
+        migrate_command_slot_locale,
+        migrate_notification_slot_locale,
+        migrate_user_token_version,
+        migrate_performance_indexes,
+        migrate_schema_version,
+    )
+    from .database.snapshot import snapshot_and_prune
     engine = get_engine()
+    # Take a consistent DB snapshot BEFORE migrations run, so operators can
+    # roll back a bad upgrade by restoring one file. Best-effort — failures
+    # are logged, not raised.
+    await snapshot_and_prune(
+        engine,
+        _log_cfg.data_dir / "backups",
+        keep=_log_cfg.pre_migrate_snapshot_keep,
+    )
     await migrate_schema(engine)
     await migrate_tracker_targets(engine)
     await migrate_entity_refactor(engine)
@@ -64,8 +97,28 @@ async def lifespan(app: FastAPI):
     await migrate_command_slot_locale(engine)
     await migrate_notification_slot_locale(engine)
     await migrate_user_token_version(engine)
+    await migrate_performance_indexes(engine)
+    await migrate_schema_version(engine)
     from .database.seeds import seed_all
     await seed_all()
+    # Apply DB-backed logging settings (override env-based boot config).
+    # log_format still needs a restart — changing it means swapping the
+    # handler formatter entirely.
+    try:
+        from sqlmodel.ext.asyncio.session import AsyncSession as _AS_log
+        from .api.app_settings import get_setting as _get_log_setting
+        from .logging_setup import apply_log_levels
+        async with _AS_log(engine) as _log_session:
+            db_level = await _get_log_setting(_log_session, "log_level")
+            db_levels = await _get_log_setting(_log_session, "log_levels")
+        apply_log_levels(level=db_level or None, per_module_levels=db_levels)
+        _LOGGER.info(
+            "Logging initialized: level=%s overrides=%r format=%s",
+            db_level or _log_cfg.log_level, db_levels or _log_cfg.log_levels,
+            _log_cfg.log_format,
+        )
+    except Exception:  # pragma: no cover — never let logging setup abort boot
+        _LOGGER.exception("Failed to apply DB-backed log settings; keeping env-based levels")
     # Apply any pending restore staged via /api/backup/prepare-restore
     from .services.pending_restore import apply_pending_restore_if_any
     await apply_pending_restore_if_any()
@@ -77,16 +130,28 @@ async def lifespan(app: FastAPI):
     set_webhook_secret(_secret or None)
     from .services.scheduler import start_scheduler, get_scheduler
     await start_scheduler()
+    _READY = True
     yield
-    # Graceful shutdown
-    from .services.http_session import close_http_session
-    await close_http_session()
+    # Graceful shutdown — stop the scheduler FIRST so in-flight jobs finish
+    # before we close their HTTP session. Then close the shared session and
+    # dispose the DB engine.
+    _READY = False
     scheduler = get_scheduler()
     if scheduler.running:
-        scheduler.shutdown()
+        scheduler.shutdown(wait=True)
+    from .services.http_session import close_http_session
+    await close_http_session()
+    from .database.engine import dispose_engine
+    await dispose_engine()
 
 
-app = FastAPI(title="Notify Bridge", version="0.1.0", lifespan=lifespan)
+try:
+    from importlib.metadata import version as _pkg_version
+    _APP_VERSION = _pkg_version("notify-bridge-server")
+except Exception:  # pragma: no cover — editable install edge cases
+    _APP_VERSION = "0.0.0+unknown"
+
+app = FastAPI(title="Notify Bridge", version=_APP_VERSION, lifespan=lifespan)
 
 # --- Security headers ---
 from starlette.middleware.base import BaseHTTPMiddleware
@@ -94,6 +159,24 @@ from starlette.requests import Request as StarletteRequest
 from starlette.responses import Response as StarletteResponse
 
 
+_CSP = (
+    "default-src 'self'; "
+    "img-src 'self' data: blob: https:; "
+    "style-src 'self' 'unsafe-inline'; "
+    # SvelteKit's static adapter emits an inline bootstrap <script> with the
+    # hydration payload, so 'self' alone blocks the SPA from starting.
+    # 'unsafe-inline' re-enables it; the app's primary XSS protection still
+    # comes from Svelte's template auto-escaping and frontend/sanitize.ts
+    # for the few {@html} paths that render user-controlled content.
+    "script-src 'self' 'unsafe-inline'; "
+    "connect-src 'self'; "
+    "font-src 'self' data:; "
+    "base-uri 'self'; "
+    "form-action 'self'; "
+    "frame-ancestors 'none'"
+)
+
+
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
     async def dispatch(self, request: StarletteRequest, call_next):
         response: StarletteResponse = await call_next(request)
@@ -101,6 +184,14 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
         response.headers["X-Frame-Options"] = "DENY"
         response.headers["X-XSS-Protection"] = "1; mode=block"
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        response.headers.setdefault("Content-Security-Policy", _CSP)
+        # HSTS only makes sense over HTTPS; set when the edge terminates TLS
+        # and forwards X-Forwarded-Proto=https.
+        if request.headers.get("x-forwarded-proto") == "https":
+            response.headers.setdefault(
+                "Strict-Transport-Security",
+                "max-age=31536000; includeSubDomains",
+            )
         return response
 
 
@@ -153,7 +244,22 @@ app.include_router(backup_router)
 
 @app.get("/api/health")
 async def health():
-    return {"status": "ok"}
+    """Liveness: process is up and responding. Always returns 200 once the
+    ASGI app has started. Keep this endpoint anonymous and trivially cheap."""
+    return {"status": "ok", "version": _APP_VERSION}
+
+
+@app.get("/api/ready")
+async def ready():
+    """Readiness: migrations and scheduler have started, app can serve traffic.
+
+    Returns 503 until the lifespan startup sequence has completed. Use this
+    for orchestrator readiness probes (Docker, Kubernetes).
+    """
+    if not _READY:
+        from starlette.responses import JSONResponse
+        return JSONResponse({"status": "starting"}, status_code=503)
+    return {"status": "ready", "version": _APP_VERSION}
 
 
 # --- Serve frontend static files (production) ---
@@ -186,4 +292,12 @@ if _cfg.static_dir and Path(_cfg.static_dir).is_dir():
 
 def run():
     import uvicorn
-    uvicorn.run(app, host=_cfg.host, port=_cfg.port)
+    uvicorn.run(
+        app,
+        host=_cfg.host,
+        port=_cfg.port,
+        proxy_headers=True,
+        forwarded_allow_ips=_cfg.forwarded_allow_ips or "127.0.0.1",
+        timeout_graceful_shutdown=_cfg.graceful_shutdown_seconds,
+        access_log=not _cfg.debug,
+    )

packages/server/src/notify_bridge_server/services/backup_schema.py

@@ -173,7 +173,7 @@ class TelegramBotData(BaseModel):
     token: str = ""
     icon: str = ""
     bot_username: str = ""
-    update_mode: str = "polling"
+    update_mode: str = "none"
 
 
 class MatrixBotData(BaseModel):

packages/server/src/notify_bridge_server/services/backup_service.py

@@ -387,10 +387,9 @@ async def export_backup_to_file(
     ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
     filename = f"backup-{ts}.json"
     filepath = backup_dir / filename
-    filepath.write_text(
-        json.dumps(backup.model_dump(), indent=2, ensure_ascii=False),
-        encoding="utf-8",
-    )
+    import asyncio as _asyncio
+    payload = json.dumps(backup.model_dump(), indent=2, ensure_ascii=False)
+    await _asyncio.to_thread(filepath.write_text, payload, encoding="utf-8")
     _LOGGER.info("Scheduled backup saved: %s", filepath)
     return filepath
 
@@ -399,7 +398,13 @@ def cleanup_old_backups(backup_dir: Path, keep: int = 5) -> list[str]:
     """Delete oldest backup files exceeding `keep` count. Returns deleted filenames."""
     if not backup_dir.is_dir():
         return []
-    files = sorted(backup_dir.glob("backup-*.json"), key=lambda f: f.name, reverse=True)
+    # Sort by mtime (newest first) so behavior doesn't depend on the filename
+    # timestamp format, which could change later without updating this code.
+    files = sorted(
+        backup_dir.glob("backup-*.json"),
+        key=lambda f: f.stat().st_mtime,
+        reverse=True,
+    )
     deleted = []
     for old in files[keep:]:
         old.unlink()
@@ -413,7 +418,13 @@ def list_backup_files(backup_dir: Path) -> list[dict[str, Any]]:
     """List backup files in the directory with metadata."""
     if not backup_dir.is_dir():
         return []
-    files = sorted(backup_dir.glob("backup-*.json"), key=lambda f: f.name, reverse=True)
+    # Sort by mtime (newest first) so behavior doesn't depend on the filename
+    # timestamp format, which could change later without updating this code.
+    files = sorted(
+        backup_dir.glob("backup-*.json"),
+        key=lambda f: f.stat().st_mtime,
+        reverse=True,
+    )
     result = []
     for f in files:
         stat = f.stat()

packages/server/src/notify_bridge_server/services/http_session.py

@@ -11,23 +11,36 @@ Call ``close_http_session()`` once during application shutdown.
 
 from __future__ import annotations
 
+import asyncio
+
 import aiohttp
 
-_DEFAULT_TIMEOUT = aiohttp.ClientTimeout(total=30)
+_DEFAULT_TIMEOUT = aiohttp.ClientTimeout(total=30, connect=10)
+
 _session: aiohttp.ClientSession | None = None
+_lock = asyncio.Lock()
 
 
 async def get_http_session() -> aiohttp.ClientSession:
-    """Get or create the shared HTTP session."""
+    """Get or create the shared HTTP session.
+
+    Concurrent first-callers are serialized through ``_lock`` so we never
+    leak a second ClientSession / connector pair. Once established, hot
+    callers skip the lock via the fast-path check.
+    """
     global _session
-    if _session is None or _session.closed:
-        _session = aiohttp.ClientSession(timeout=_DEFAULT_TIMEOUT)
+    if _session is not None and not _session.closed:
+        return _session
+    async with _lock:
+        if _session is None or _session.closed:
+            _session = aiohttp.ClientSession(timeout=_DEFAULT_TIMEOUT)
     return _session
 
 
 async def close_http_session() -> None:
     """Close the shared HTTP session (call on app shutdown)."""
     global _session
-    if _session is not None and not _session.closed:
-        await _session.close()
+    async with _lock:
+        if _session is not None and not _session.closed:
+            await _session.close()
         _session = None

packages/server/src/notify_bridge_server/services/manual_dispatch.py

@@ -120,22 +120,43 @@ async def dispatch_test_notification(
             ),
         }
 
-    # Fetch assets and build event
+    # Build events (single or per-album) via the shared helper so test and
+    # cron dispatch stay in lockstep on the mode decision.
     try:
-        event = await _build_event(
-            provider_type=provider.type,
-            provider_config=provider_config,
-            provider_name=provider.name or provider.type,
-            tracker_name=tracker.name or "",
-            tracker_filters=dict(tracker.filters) if tracker.filters else {},
-            collection_ids=collection_ids,
-            test_type=test_type,
-            tracking_config=tracking_config,
-        )
+        if provider.type == "immich" and test_type in ("periodic", "scheduled", "memory"):
+            events = await build_immich_dispatch_events(
+                provider_config=provider_config,
+                provider_name=provider.name or provider.type,
+                tracker_name=tracker.name or "",
+                collection_ids=collection_ids,
+                kind=test_type,
+                tracking_config=tracking_config,
+            )
+        else:
+            ev = await _build_event(
+                provider_type=provider.type,
+                provider_config=provider_config,
+                provider_name=provider.name or provider.type,
+                tracker_name=tracker.name or "",
+                tracker_filters=dict(tracker.filters) if tracker.filters else {},
+                collection_ids=collection_ids,
+                test_type=test_type,
+                tracking_config=tracking_config,
+            )
+            events = [ev] if ev is not None else []
     except Exception as err:  # noqa: BLE001
         _LOGGER.exception("Test dispatch event build failed")
         return {"success": False, "error": f"Provider connection failed: {err}"}
-    if event is None:
+
+    if not events:
+        if test_type in ("scheduled", "memory"):
+            return {
+                "success": False,
+                "error": (
+                    "No matching assets found. Verify the tracker's albums contain assets "
+                    "that pass the tracking config filters (favorites only, rating, asset type)."
+                ) + (" for today" if test_type == "memory" else ""),
+            }
         return {
             "success": False,
             "error": (
@@ -143,24 +164,92 @@ async def dispatch_test_notification(
                 "credentials are valid, and the tracker has collections configured."
             ),
         }
-    # Periodic summary only needs album stats (extra.albums), not assets — skip the asset check.
-    if not event.added_assets and test_type in ("scheduled", "memory"):
-        return {
-            "success": False,
-            "error": (
-                "No matching assets found. Verify the tracker's albums contain assets "
-                "that pass the tracking config filters (favorites only, rating, asset type)."
-            ) + (" for today" if test_type == "memory" else ""),
-        }
 
-    # Dispatch through the real NotificationDispatcher
+    # Dispatch each event to the same target (per-album fan-out sends N messages).
     url_cache, asset_cache = await _get_telegram_caches()
     dispatcher = NotificationDispatcher(url_cache=url_cache, asset_cache=asset_cache)
-    results = await dispatcher.dispatch(event, [target_cfg])
+    all_results: list[dict[str, Any]] = []
+    for event in events:
+        results = await dispatcher.dispatch(event, [target_cfg])
+        if results:
+            all_results.append(results[0])
 
-    if not results:
+    if not all_results:
         return {"success": False, "error": "No dispatch results"}
-    return results[0]
+    all_ok = all(r.get("success") for r in all_results)
+    if all_ok:
+        return {"success": True, "dispatched": len(all_results)}
+    first_err = next(
+        (r.get("error") for r in all_results if not r.get("success")),
+        "Unknown error",
+    )
+    return {
+        "success": False,
+        "error": first_err,
+        "dispatched": sum(1 for r in all_results if r.get("success")),
+        "failed": sum(1 for r in all_results if not r.get("success")),
+    }
+
+
+async def build_immich_dispatch_events(
+    *,
+    provider_config: dict,
+    provider_name: str,
+    tracker_name: str,
+    collection_ids: list[str],
+    kind: str,
+    tracking_config: TrackingConfig | None,
+) -> list[ServiceEvent]:
+    """Build the list of ServiceEvents to dispatch for an Immich scheduled kind.
+
+    Single source of truth for the mode decision: ``periodic`` is always one
+    summary event; ``scheduled``/``memory`` honour the ``{kind}_collection_mode``
+    on the tracking config and fan out one event per album in ``per_collection``
+    mode, or one combined event in ``combined`` mode.
+
+    Empty-payload filtering (no assets matched) is applied here so callers get
+    back only events that should actually dispatch. ``periodic`` is exempt —
+    a zero-asset summary is still meaningful (shows album stats only).
+    """
+    if kind == "periodic":
+        ev = await _build_immich_periodic_event(
+            provider_config=provider_config,
+            provider_name=provider_name,
+            tracker_name=tracker_name,
+            collection_ids=collection_ids,
+        )
+        return [ev] if ev is not None else []
+
+    mode = getattr(
+        tracking_config, f"{kind}_collection_mode", "combined"
+    ) or "combined"
+
+    if mode == "per_collection" and len(collection_ids) > 1:
+        events: list[ServiceEvent] = []
+        for aid in collection_ids:
+            ev = await _build_immich_event(
+                provider_config=provider_config,
+                provider_name=provider_name,
+                tracker_name=tracker_name,
+                collection_ids=[aid],
+                test_type=kind,
+                tracking_config=tracking_config,
+            )
+            if ev is not None and ev.added_assets:
+                events.append(ev)
+        return events
+
+    ev = await _build_immich_event(
+        provider_config=provider_config,
+        provider_name=provider_name,
+        tracker_name=tracker_name,
+        collection_ids=collection_ids,
+        test_type=kind,
+        tracking_config=tracking_config,
+    )
+    if ev is None or not ev.added_assets:
+        return []
+    return [ev]
 
 
 async def _build_event(

packages/server/src/notify_bridge_server/services/sample_context.py

@@ -8,12 +8,18 @@ IMPORTANT: Keep sample assets and context in sync with:
 When adding new template variables, update all four locations.
 """
 
-# Sample asset matching what build_asset_detail() actually returns
+# Sample asset matching what build_asset_detail() / build_asset_dict() actually
+# return. Command-template defaults use ``asset.filename`` (the canonical key
+# shared with notification templates); ``originalFileName`` and ``createdAt``
+# are kept as aliases so user templates authored against the historical command
+# keys still preview correctly.
 _SAMPLE_ASSET = {
     "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
     "filename": "IMG_001.jpg",
+    "originalFileName": "IMG_001.jpg",
     "type": "IMAGE",
     "created_at": "2026-03-19T10:30:00",
+    "createdAt": "2026-03-19T10:30:00",
     "owner": "Alice",
     "owner_id": "user-uuid-1",
     "description": "Family picnic",
@@ -32,12 +38,18 @@ _SAMPLE_ASSET = {
     "file_size": 3_500_000,  # 3.5 MB — original asset bytes
     "playback_size": None,  # photos are sent as-is, no transcoded variant
     "oversized": False,
+    # Per-asset album attribution — populated by collect_scheduled_assets so
+    # combined-mode templates can label each row with its source album.
+    "album_name": "Family Photos",
+    "album_url": "https://immich.example.com/share/abc123",
+    "album_public_url": "https://immich.example.com/share/abc123",
 }
 
 _SAMPLE_VIDEO_ASSET = {
     **_SAMPLE_ASSET,
     "id": "d4e5f6a7-b8c9-0123-defg-456789abcdef",
     "filename": "VID_002.mp4",
+    "originalFileName": "VID_002.mp4",
     "type": "VIDEO",
     "is_favorite": False,
     "rating": None,
@@ -54,7 +66,10 @@ _SAMPLE_COLLECTION = {
     "url": "https://immich.example.com/share/abc123",
     "public_url": "https://immich.example.com/share/abc123",
     "asset_count": 42,
+    "photo_count": 37,
+    "video_count": 5,
     "shared": True,
+    "owner": "Alice",
 }
 
 # Full context covering ALL possible template variables
@@ -103,7 +118,9 @@ _SAMPLE_CONTEXT = {
     # Scheduled/periodic variables (for those templates)
     "collections": [_SAMPLE_COLLECTION, {**_SAMPLE_COLLECTION, "name": "Vacation 2025", "asset_count": 120}],
     "albums": [_SAMPLE_COLLECTION, {**_SAMPLE_COLLECTION, "name": "Vacation 2025", "asset_count": 120}],
-    "assets": [_SAMPLE_ASSET, {**_SAMPLE_ASSET, "id": "x1y2z3", "filename": "IMG_002.jpg", "city": "London", "country": "UK", "public_url": "https://immich.example.com/share/abc123/photos/x1y2z3"}],
+    # Second sample asset belongs to a different album so the preview exercises
+    # the combined-mode branch (>1 distinct album → per-row "— Album" suffix).
+    "assets": [_SAMPLE_ASSET, {**_SAMPLE_ASSET, "id": "x1y2z3", "filename": "IMG_002.jpg", "originalFileName": "IMG_002.jpg", "city": "London", "country": "UK", "public_url": "https://immich.example.com/share/def456/photos/x1y2z3", "album_name": "Vacation 2025", "album_url": "https://immich.example.com/share/def456", "album_public_url": "https://immich.example.com/share/def456"}],
     "date": "2026-03-19",
     "photo_count": 30,
     "video_count": 5,

packages/server/src/notify_bridge_server/services/scheduled_dispatch.py

@@ -0,0 +1,339 @@
+"""Cron-fired scheduled / periodic / memory dispatch for Immich trackers.
+
+The Immich provider exposes three notification slots that fire on a wall-clock
+schedule rather than in response to album changes:
+
+* ``scheduled_assets_message`` — random asset selection at fixed times of day
+* ``periodic_summary_message`` — album stats summary at fixed times of day
+* ``memory_mode_message`` — "On This Day" memories at fixed times of day
+
+The fire times live on the tracker's default ``TrackingConfig`` as comma-
+separated ``HH:MM`` strings (``scheduled_times`` / ``periodic_times`` /
+``memory_times``) interpreted in the app-level IANA timezone
+(``AppSetting.timezone``). The scheduler module wires the cron jobs; this
+module owns the dispatch flow once a job fires.
+
+Note on per-link tracking-config overrides: schedule *times* come from the
+tracker's default config — a per-link override may disable the slot for that
+link (via ``{kind}_enabled``) but cannot shift its fire time. Consistent with
+the test-dispatch path in ``manual_dispatch``.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Literal
+
+from sqlmodel import select
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+from notify_bridge_core.models.events import EventType
+from notify_bridge_core.notifications.dispatcher import (
+    NotificationDispatcher,
+    TargetConfig,
+)
+
+from ..database.engine import get_engine
+from ..database.models import (
+    EventLog,
+    NotificationTracker,
+    ServiceProvider,
+    TemplateSlot,
+    TrackingConfig,
+)
+from .dispatch_helpers import (
+    event_allowed_by_config,
+    get_app_timezone,
+    load_link_data,
+)
+from .manual_dispatch import build_immich_dispatch_events
+
+_LOGGER = logging.getLogger(__name__)
+
+ScheduledKind = Literal["scheduled", "periodic", "memory"]
+
+# Reasons a scheduled cron fire can end up producing no notification. We write
+# these to EventLog.details.skip_reason so users can see *why* a 09:00 memory
+# didn't arrive, rather than silently treating the fire as if it never happened.
+_SKIP_REASON_TRACKER_DISABLED = "tracker_disabled"
+_SKIP_REASON_NOT_IMMICH = "not_immich_provider"
+_SKIP_REASON_KIND_DISABLED = "kind_disabled_on_default_config"
+_SKIP_REASON_NO_LINKS = "no_enabled_links"
+_SKIP_REASON_NO_EVENT = "provider_returned_no_event"
+_SKIP_REASON_EMPTY_PAYLOAD = "zero_assets_matched"
+_SKIP_REASON_NO_TARGETS = "no_targets_after_filtering"
+
+
+async def _log_skip(
+    tracker_id: int,
+    kind: ScheduledKind,
+    reason: str,
+    *,
+    tracker_user_id: int | None = None,
+    tracker_name: str = "",
+    provider_id: int | None = None,
+    provider_name: str = "",
+) -> None:
+    """Persist an EventLog row for a skipped scheduled fire.
+
+    Separate from the success-path log (which records targets dispatched) so
+    operators and users can filter "why didn't this fire" from "what was sent".
+    ``event_type`` mirrors the success path's value; the skip is disambiguated
+    by ``details.status == "skipped"``.
+    """
+    engine = get_engine()
+    async with AsyncSession(engine) as session:
+        session.add(EventLog(
+            user_id=tracker_user_id,
+            tracker_id=tracker_id,
+            tracker_name=tracker_name,
+            provider_id=provider_id,
+            provider_name=provider_name,
+            event_type=EventType.SCHEDULED_MESSAGE.value,
+            collection_id="",
+            collection_name="",
+            assets_count=0,
+            details={
+                "kind": kind,
+                "trigger": "cron",
+                "status": "skipped",
+                "skip_reason": reason,
+            },
+        ))
+        await session.commit()
+
+# Maps the dispatch kind to the DB slot name that holds its template.
+# The dispatcher keys templates by ``event.event_type.value`` (always
+# ``scheduled_message`` here), so we read the right ``TemplateSlot`` row and
+# inject it under that single event-type key — same pattern as the test path.
+_SLOT_MAP: dict[ScheduledKind, str] = {
+    "scheduled": "scheduled_assets_message",
+    "periodic": "periodic_summary_message",
+    "memory": "memory_mode_message",
+}
+
+
+async def dispatch_scheduled_for_tracker(
+    tracker_id: int, kind: ScheduledKind
+) -> None:
+    """Build the slot's event for ``tracker_id`` and fan out to its links.
+
+    Skips silently when the tracker is disabled, the provider is not Immich,
+    the slot is disabled on the tracker's default tracking config, or no link
+    has a ``TemplateConfig`` with the corresponding slot row.
+    """
+    engine = get_engine()
+    async with AsyncSession(engine) as session:
+        tracker = await session.get(NotificationTracker, tracker_id)
+        if not tracker or not tracker.enabled:
+            # No user context available (tracker missing/disabled); still log so
+            # operators can correlate cron fires that went nowhere.
+            await _log_skip(
+                tracker_id, kind, _SKIP_REASON_TRACKER_DISABLED,
+                tracker_user_id=(tracker.user_id if tracker else None),
+                tracker_name=(tracker.name if tracker else ""),
+            )
+            return
+        provider = await session.get(ServiceProvider, tracker.provider_id)
+        if not provider or provider.type != "immich":
+            await _log_skip(
+                tracker_id, kind, _SKIP_REASON_NOT_IMMICH,
+                tracker_user_id=tracker.user_id,
+                tracker_name=tracker.name or "",
+                provider_id=(provider.id if provider else None),
+                provider_name=(provider.name if provider else ""),
+            )
+            return
+
+        default_tc: TrackingConfig | None = None
+        if tracker.default_tracking_config_id:
+            default_tc = await session.get(
+                TrackingConfig, tracker.default_tracking_config_id
+            )
+        # If the default config disables this kind, nothing to do — schedule
+        # rebuild only adds jobs when the flag is set, but a stale job from
+        # a previous DB state could still fire one tick before invalidation.
+        if default_tc is None or not getattr(default_tc, f"{kind}_enabled", False):
+            _LOGGER.debug(
+                "Scheduled %s skipped for tracker %d: kind disabled on default config",
+                kind, tracker_id,
+            )
+            await _log_skip(
+                tracker_id, kind, _SKIP_REASON_KIND_DISABLED,
+                tracker_user_id=tracker.user_id,
+                tracker_name=tracker.name or "",
+                provider_id=provider.id,
+                provider_name=provider.name or provider.type,
+            )
+            return
+
+        # Snapshot every field we need outside the session — after the
+        # ``async with`` exits the instances are detached and lazy-load
+        # would fail. Cheaper than re-fetching, safer than touching
+        # attributes through a closed session.
+        provider_id = provider.id
+        provider_config = dict(provider.config)
+        provider_name = provider.name or provider.type
+        tracker_user_id = tracker.user_id
+        tracker_name = tracker.name or ""
+        collection_ids = list(tracker.collection_ids or [])
+
+        app_tz = await get_app_timezone(session)
+        link_data = await load_link_data(session, tracker_id)
+
+    if not link_data:
+        _LOGGER.info(
+            "Scheduled %s for tracker %d: no enabled links, skipping",
+            kind, tracker_id,
+        )
+        await _log_skip(
+            tracker_id, kind, _SKIP_REASON_NO_LINKS,
+            tracker_user_id=tracker_user_id,
+            tracker_name=tracker_name,
+            provider_id=provider_id,
+            provider_name=provider_name,
+        )
+        return
+
+    # Resolve mode + build events via the shared helper (same decision logic
+    # the test-dispatch path uses). "per_collection" fans out one event per
+    # album; "combined" pools assets into a single event. ``collection_mode``
+    # is threaded through to EventLog.details so operators can see *which*
+    # mode a fire used when auditing behaviour.
+    collection_mode = (
+        "combined" if kind == "periodic"
+        else getattr(default_tc, f"{kind}_collection_mode", "combined") or "combined"
+    )
+    events = await build_immich_dispatch_events(
+        provider_config=provider_config,
+        provider_name=provider_name,
+        tracker_name=tracker_name,
+        collection_ids=collection_ids,
+        kind=kind,
+        tracking_config=default_tc,
+    )
+
+    if not events:
+        # All albums yielded 0 matching assets (per_collection), or the single
+        # combined build produced nothing. Log the same skip reason used for
+        # the legacy single-event path so operators see a consistent signal.
+        reason = (
+            _SKIP_REASON_NO_EVENT if kind == "periodic" else _SKIP_REASON_EMPTY_PAYLOAD
+        )
+        _LOGGER.info(
+            "Scheduled %s for tracker %d: no events to dispatch (mode=%s)",
+            kind, tracker_id, collection_mode,
+        )
+        await _log_skip(
+            tracker_id, kind, reason,
+            tracker_user_id=tracker_user_id,
+            tracker_name=tracker_name,
+            provider_id=provider_id,
+            provider_name=provider_name,
+        )
+        return
+
+    slot_name = _SLOT_MAP[kind]
+
+    # Lazy import to break the watcher↔scheduler↔scheduled_dispatch cycle.
+    from .watcher import _get_telegram_caches
+    from .http_session import get_http_session
+
+    url_cache, asset_cache = await _get_telegram_caches()
+    http_session = await get_http_session()
+    dispatcher = NotificationDispatcher(
+        url_cache=url_cache, asset_cache=asset_cache, session=http_session,
+    )
+
+    any_sent = False
+    for event in events:
+        # Target config assembly depends on the event for quiet-hours /
+        # event_allowed_by_config, which inspects event timestamp. Per-event
+        # rebuilding also lets a per-link override disable one kind while
+        # keeping others live.
+        target_configs: list[TargetConfig] = []
+        async with AsyncSession(engine) as session:
+            for ld in link_data:
+                tc = ld["tracking_config"] or default_tc
+                tmpl = ld["template_config"]
+                if tc is not None:
+                    if not getattr(tc, f"{kind}_enabled", True):
+                        continue
+                    if not event_allowed_by_config(event, tc, app_tz):
+                        continue
+                if tmpl is None:
+                    continue
+
+                slot_rows = (await session.exec(
+                    select(TemplateSlot).where(
+                        TemplateSlot.config_id == tmpl.id,
+                        TemplateSlot.slot_name == slot_name,
+                    )
+                )).all()
+                if not slot_rows:
+                    continue
+                locale_map = {s.locale: s.template for s in slot_rows}
+                template_slots = {EventType.SCHEDULED_MESSAGE.value: locale_map}
+
+                target_configs.append(TargetConfig(
+                    type=ld["target_type"],
+                    config=ld["target_config"],
+                    template_slots=template_slots,
+                    date_format=tmpl.date_format,
+                    date_only_format=(
+                        tmpl.date_only_format or "%d.%m.%Y"
+                    ),
+                    provider_api_key=provider_config.get("api_key"),
+                    provider_internal_url=provider_config.get("url", ""),
+                    provider_external_url=provider_config.get("external_domain", ""),
+                    receivers=ld["receivers"],
+                ))
+
+        if not target_configs:
+            _LOGGER.info(
+                "Scheduled %s for tracker %d (collection=%r): no targets after filtering",
+                kind, tracker_id, event.collection_name,
+            )
+            continue
+
+        _LOGGER.info(
+            "Dispatching scheduled %s for tracker %d (collection=%r) to %d link(s)",
+            kind, tracker_id, event.collection_name, len(target_configs),
+        )
+        results = await dispatcher.dispatch(event, target_configs)
+        any_sent = True
+
+        successes = sum(1 for r in results if isinstance(r, dict) and r.get("success"))
+        async with AsyncSession(engine) as session:
+            session.add(EventLog(
+                user_id=tracker_user_id,
+                tracker_id=tracker_id,
+                tracker_name=tracker_name,
+                provider_id=provider_id,
+                provider_name=provider_name,
+                event_type=event.event_type.value,
+                collection_id=event.collection_id,
+                collection_name=event.collection_name,
+                assets_count=event.added_count or 0,
+                details={
+                    "kind": kind,
+                    "slot": slot_name,
+                    "trigger": "cron",
+                    "timezone": app_tz,
+                    "collection_mode": collection_mode,
+                    "status": "sent",
+                    "targets_dispatched": len(target_configs),
+                    "targets_succeeded": successes,
+                },
+            ))
+            await session.commit()
+
+    if not any_sent:
+        # All events produced zero targets after filtering (quiet hours, etc.).
+        await _log_skip(
+            tracker_id, kind, _SKIP_REASON_NO_TARGETS,
+            tracker_user_id=tracker_user_id,
+            tracker_name=tracker_name,
+            provider_id=provider_id,
+            provider_name=provider_name,
+        )

packages/server/src/notify_bridge_server/services/scheduler.py

@@ -85,7 +85,21 @@ def _compute_jitter(interval_seconds: int) -> int:
 def get_scheduler() -> AsyncIOScheduler:
     global _scheduler
     if _scheduler is None:
-        _scheduler = AsyncIOScheduler()
+        # Sensible production defaults applied to every job unless overridden:
+        #   * coalesce — collapse a queue of missed runs into one firing after
+        #     a restart / pause, instead of bursting to catch up.
+        #   * misfire_grace_time — accept firings up to 5 min late without
+        #     dropping them silently.
+        #   * max_instances=1 — never run two copies of the same tracker tick
+        #     concurrently; the scheduler already enforces this on add_job,
+        #     but we also set it as the default for safety.
+        _scheduler = AsyncIOScheduler(
+            job_defaults={
+                "coalesce": True,
+                "misfire_grace_time": 300,
+                "max_instances": 1,
+            },
+        )
     return _scheduler
 
 
@@ -97,6 +111,7 @@ async def start_scheduler() -> None:
 
     await _load_tracker_jobs()
     await _load_action_jobs()
+    await _load_immich_dispatch_jobs()
 
     # Start Telegram bot polling for bots with active command listeners
     from .telegram_poller import start_command_listener_polling
@@ -279,21 +294,38 @@ async def _refresh_telegram_chat_titles() -> None:
 
 
 async def _cleanup_old_events() -> None:
-    """Delete EventLog entries older than 90 days."""
+    """Delete EventLog / WebhookPayloadLog / ActionExecution rows older than the
+    configured retention window. A retention of 0 disables the job.
+    """
     from datetime import datetime, timedelta, timezone
 
     from sqlmodel import delete
     from sqlmodel.ext.asyncio.session import AsyncSession
 
+    from ..config import settings
     from ..database.engine import get_engine
-    from ..database.models import EventLog
+    from ..database.models import ActionExecution, EventLog, WebhookPayloadLog
 
-    cutoff = datetime.now(timezone.utc) - timedelta(days=90)
+    days = settings.event_log_retention_days
+    if days <= 0:
+        _LOGGER.debug("Event log retention disabled (days=0); skipping cleanup")
+        return
+
+    cutoff = datetime.now(timezone.utc) - timedelta(days=days)
     engine = get_engine()
     async with AsyncSession(engine) as session:
         await session.exec(delete(EventLog).where(EventLog.created_at < cutoff))
+        await session.exec(
+            delete(WebhookPayloadLog).where(WebhookPayloadLog.created_at < cutoff)
+        )
+        await session.exec(
+            delete(ActionExecution).where(ActionExecution.started_at < cutoff)
+        )
         await session.commit()
-    _LOGGER.info("Cleaned up event log entries older than %s", cutoff.date())
+    _LOGGER.info(
+        "Cleaned event_log / webhook_payload_log / action_execution older than %s",
+        cutoff.date(),
+    )
 
 
 async def _load_tracker_jobs() -> None:
@@ -729,6 +761,10 @@ async def reschedule_cron_jobs_for_timezone_change() -> None:
         "Rescheduled %d cron job(s) for new app timezone %s", rescheduled, tz.key,
     )
 
+    # Immich scheduled/periodic/memory jobs are also CronTrigger-based and
+    # carry the same frozen-tz problem — rebuild them under the new tz.
+    await reschedule_immich_dispatch_jobs()
+
 
 async def _run_action(action_id: int) -> None:
     """Run an action (called by APScheduler)."""
@@ -739,6 +775,155 @@ async def _run_action(action_id: int) -> None:
         _LOGGER.error("Error running action %d: %s", action_id, e)
 
 
+# ---------------------------------------------------------------------------
+# Immich scheduled / periodic / memory dispatch (cron-fired)
+#
+# These three slots fire on wall-clock schedules taken from the tracker's
+# default ``TrackingConfig`` (``scheduled_times``, ``periodic_times``,
+# ``memory_times`` — comma-separated ``HH:MM`` strings) interpreted in the
+# app-level IANA timezone. The dispatch flow lives in
+# ``services.scheduled_dispatch``; this section just owns scheduling.
+# ---------------------------------------------------------------------------
+
+_IMMICH_DISPATCH_KINDS = ("scheduled", "periodic", "memory")
+_IMMICH_DISPATCH_PREFIX = "immich_dispatch_"
+
+
+def _parse_hhmm_list(raw: str) -> list[tuple[int, int]]:
+    """Parse ``"09:00,18:30"`` → ``[(9, 0), (18, 30)]``, skipping bad entries.
+
+    A typo in one slot must not prevent the others from scheduling — we log
+    and move on rather than raising.
+    """
+    out: list[tuple[int, int]] = []
+    for part in (raw or "").split(","):
+        part = part.strip()
+        if not part:
+            continue
+        try:
+            h_str, m_str = part.split(":", 1)
+            hour, minute = int(h_str), int(m_str)
+        except ValueError:
+            _LOGGER.warning("Skipping invalid time literal %r", part)
+            continue
+        if not (0 <= hour <= 23 and 0 <= minute <= 59):
+            _LOGGER.warning("Skipping out-of-range time %r", part)
+            continue
+        out.append((hour, minute))
+    return out
+
+
+async def _run_immich_dispatch(tracker_id: int, kind: str) -> None:
+    """APScheduler entry point — wraps the dispatch helper to swallow errors."""
+    from .scheduled_dispatch import dispatch_scheduled_for_tracker
+    try:
+        await dispatch_scheduled_for_tracker(tracker_id, kind)  # type: ignore[arg-type]
+    except Exception as err:  # noqa: BLE001
+        _LOGGER.error(
+            "Immich %s dispatch for tracker %d failed: %s", kind, tracker_id, err,
+        )
+
+
+async def _load_immich_dispatch_jobs() -> None:
+    """Schedule cron jobs for every (tracker, kind, time) where the kind is on.
+
+    Reads each enabled Immich tracker's *default* tracking config — per-link
+    overrides only gate dispatch (handled in ``scheduled_dispatch``), they do
+    not influence the fire schedule.
+    """
+    from sqlmodel import select
+    from sqlmodel.ext.asyncio.session import AsyncSession
+
+    from apscheduler.triggers.cron import CronTrigger
+
+    from ..database.engine import get_engine
+    from ..database.models import (
+        NotificationTracker,
+        ServiceProvider as ServiceProviderModel,
+        TrackingConfig,
+    )
+
+    engine = get_engine()
+    scheduler = get_scheduler()
+    tz = await _load_app_timezone()
+
+    async with AsyncSession(engine) as session:
+        trackers = (await session.exec(
+            select(NotificationTracker).where(NotificationTracker.enabled == True)  # noqa: E712
+        )).all()
+        if not trackers:
+            return
+
+        provider_ids = list({t.provider_id for t in trackers})
+        provider_types: dict[int, str] = {}
+        if provider_ids:
+            rows = await session.exec(
+                select(ServiceProviderModel).where(
+                    ServiceProviderModel.id.in_(provider_ids)
+                )
+            )
+            provider_types = {p.id: p.type for p in rows.all()}
+
+        tc_ids = list({
+            t.default_tracking_config_id for t in trackers
+            if t.default_tracking_config_id
+        })
+        tc_map: dict[int, TrackingConfig] = {}
+        if tc_ids:
+            rows = await session.exec(
+                select(TrackingConfig).where(TrackingConfig.id.in_(tc_ids))
+            )
+            tc_map = {tc.id: tc for tc in rows.all()}
+
+    scheduled = 0
+    for tracker in trackers:
+        if provider_types.get(tracker.provider_id) != "immich":
+            continue
+        tc = tc_map.get(tracker.default_tracking_config_id) if tracker.default_tracking_config_id else None
+        if tc is None:
+            continue
+
+        for kind in _IMMICH_DISPATCH_KINDS:
+            if not getattr(tc, f"{kind}_enabled", False):
+                continue
+            times_raw = getattr(tc, f"{kind}_times", "") or ""
+            for hour, minute in _parse_hhmm_list(times_raw):
+                job_id = f"{_IMMICH_DISPATCH_PREFIX}{kind}_{tracker.id}_{hour:02d}{minute:02d}"
+                scheduler.add_job(
+                    _run_immich_dispatch,
+                    CronTrigger(hour=hour, minute=minute, timezone=tz),
+                    id=job_id,
+                    args=[tracker.id, kind],
+                    replace_existing=True,
+                    max_instances=1,
+                )
+                scheduled += 1
+                _LOGGER.info(
+                    "Scheduled Immich %s for tracker %d at %02d:%02d [tz=%s]",
+                    kind, tracker.id, hour, minute, tz.key,
+                )
+
+    if scheduled:
+        _LOGGER.info(
+            "Loaded %d Immich scheduled/periodic/memory job(s) [tz=%s]",
+            scheduled, tz.key,
+        )
+
+
+async def reschedule_immich_dispatch_jobs() -> None:
+    """Drop and rebuild all Immich scheduled/periodic/memory jobs.
+
+    Cheap to call on every relevant mutation — a typical install has only a
+    handful of trackers. Called from the tracker, link, and tracking-config
+    CRUD endpoints, and from ``reschedule_cron_jobs_for_timezone_change``.
+    """
+    scheduler = get_scheduler()
+    for job in list(scheduler.get_jobs()):
+        if job.id.startswith(_IMMICH_DISPATCH_PREFIX):
+            scheduler.remove_job(job.id)
+    await _load_immich_dispatch_jobs()
+
+
 # ---------------------------------------------------------------------------
 # Scheduled backup
 # ---------------------------------------------------------------------------

packages/server/src/notify_bridge_server/services/telegram_poller.py

@@ -11,11 +11,13 @@ CommandTrackerListeners with enabled CommandTrackers.
 from __future__ import annotations
 
 import logging
+import time
 from typing import Any
 
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession
 
+from notify_bridge_core.log_context import bind_log_context
 from notify_bridge_core.notifications.telegram.client import TelegramClient
 
 from ..database.engine import get_engine
@@ -125,7 +127,14 @@ async def stop_bot_if_unused(bot_id: int) -> None:
 
 
 def schedule_bot_polling(bot_id: int) -> None:
-    """Add a polling job for a bot (idempotent)."""
+    """Add a polling job for a bot (idempotent).
+
+    We schedule at a 30 s interval, but each tick calls ``getUpdates`` with
+    ``timeout=25`` — Telegram holds the connection open until either an
+    update arrives or the timeout elapses, so in practice the bot streams
+    updates with sub-second latency while consuming ~2 API calls / minute
+    per bot (down from 20 under the old 3 s short-poll).
+    """
     scheduler = get_scheduler()
     job_id = f"telegram_poll_{bot_id}"
     if scheduler.get_job(job_id):
@@ -133,13 +142,13 @@ def schedule_bot_polling(bot_id: int) -> None:
     scheduler.add_job(
         _poll_bot,
         "interval",
-        seconds=3,
+        seconds=30,
         id=job_id,
         args=[bot_id],
         replace_existing=True,
         max_instances=1,
     )
-    _LOGGER.info("Started polling for bot %d", bot_id)
+    _LOGGER.info("Started polling for bot %d (long-poll, 25s timeout)", bot_id)
 
 
 def unschedule_bot_polling(bot_id: int) -> None:
@@ -231,8 +240,10 @@ async def _poll_bot(bot_id: int) -> None:
         from .http_session import get_http_session
         http = await get_http_session()
         client = TelegramClient(http, bot_token)
+        # Long-poll: hold connection open until an update arrives or 25 s
+        # elapse. Drastically cuts API calls vs. 3 s short-poll.
         result = await client.get_updates(
-            offset=offset + 1 if offset else None, limit=50,
+            offset=offset + 1 if offset else None, limit=50, timeout=25,
         )
         if not result.get("success"):
             err_text = str(result.get("error") or "")
@@ -289,29 +300,64 @@ async def _poll_bot(bot_id: int) -> None:
 
         # Dispatch commands (only if chat has commands enabled)
         if text and text.startswith("/"):
-            try:
-                async with AsyncSession(engine) as cmd_session:
-                    chat_row = (await cmd_session.exec(
-                        select(TelegramChat).where(
-                            TelegramChat.bot_id == bot_obj.id,
-                            TelegramChat.chat_id == chat_id,
+            from ..commands.parser import parse_command
+            cmd_name, _, _ = parse_command(text)
+            update_id = update.get("update_id")
+            message_id = message.get("message_id")
+            request_id = f"tg:{update_id}" if update_id is not None else f"tg:msg{message_id}"
+            with bind_log_context(
+                request_id=request_id,
+                command=cmd_name or "-",
+                chat_id=chat_id,
+                bot_id=bot_obj.id,
+            ):
+                started = time.monotonic()
+                try:
+                    async with AsyncSession(engine) as cmd_session:
+                        chat_row = (await cmd_session.exec(
+                            select(TelegramChat).where(
+                                TelegramChat.bot_id == bot_obj.id,
+                                TelegramChat.chat_id == chat_id,
+                            )
+                        )).first()
+                        if not chat_row or not chat_row.commands_enabled:
+                            _LOGGER.info(
+                                "Command ignored — commands disabled (poll) for bot=%s chat=%s",
+                                bot_obj.id, chat_id,
+                            )
+                            continue
+                        effective_lang = chat_row.language_override or msg_language
+                    _LOGGER.info("Command received (poll): /%s args=%r lang=%s", cmd_name, text[:200], effective_lang)
+                    async with telegram_chat_action(
+                        bot_token, chat_id, classify_command_chat_action(text),
+                    ):
+                        responses = await handle_command(bot_obj, chat_id, text, language_code=effective_lang)
+                        if not responses:
+                            _LOGGER.info(
+                                "Command produced no response (cmd=%r, poll) after %.0f ms",
+                                cmd_name, (time.monotonic() - started) * 1000,
+                            )
+                            continue
+                        text_count = sum(1 for r in responses if r.text)
+                        media_count = sum(len(r.media or []) for r in responses)
+                        _LOGGER.info(
+                            "Command dispatching %d response(s): text=%d media_items=%d",
+                            len(responses), text_count, media_count,
                         )
-                    )).first()
-                    if not chat_row or not chat_row.commands_enabled:
-                        continue
-                    effective_lang = chat_row.language_override or msg_language
-                message_id = message.get("message_id")
-                async with telegram_chat_action(
-                    bot_token, chat_id, classify_command_chat_action(text),
-                ):
-                    responses = await handle_command(bot_obj, chat_id, text, language_code=effective_lang)
-                    if responses:
                         for resp in responses:
                             if resp.text:
                                 await send_reply(bot_token, chat_id, resp.text, reply_to_message_id=message_id)
                             if resp.media:
                                 await send_media_group(bot_token, chat_id, resp.media, reply_to_message_id=message_id)
-            except Exception:
-                _LOGGER.error("Error handling command from bot %d", bot_id, exc_info=True)
+                        _LOGGER.info(
+                            "Command /%s completed in %.0f ms (responses=%d media=%d)",
+                            cmd_name, (time.monotonic() - started) * 1000,
+                            len(responses), media_count,
+                        )
+                except Exception:
+                    _LOGGER.exception(
+                        "Error handling command /%s from bot %d after %.0f ms",
+                        cmd_name, bot_id, (time.monotonic() - started) * 1000,
+                    )
 
 

packages/server/src/notify_bridge_server/services/watcher.py

@@ -369,7 +369,13 @@ async def check_tracker(tracker_id: int) -> dict[str, Any]:
 
     if events and link_data:
         url_cache, asset_cache = await _get_telegram_caches()
-        dispatcher = NotificationDispatcher(url_cache=url_cache, asset_cache=asset_cache)
+        from .http_session import get_http_session
+        shared_session = await get_http_session()
+        dispatcher = NotificationDispatcher(
+            url_cache=url_cache,
+            asset_cache=asset_cache,
+            session=shared_session,
+        )
         for event in events:
             _LOGGER.info(
                 "Dispatching event %s for %s (added=%d removed=%d)",

packages/server/tests/conftest.py

@@ -0,0 +1,33 @@
+"""Shared pytest fixtures.
+
+We set the required env vars before any ``notify_bridge_server`` module is
+imported so ``Settings()`` passes its startup validation and opens the DB
+in a writable temp directory instead of the production ``/data`` default.
+"""
+
+from __future__ import annotations
+
+import os
+import tempfile
+from pathlib import Path
+
+import pytest
+
+# Provision a writable temp data dir BEFORE the server package is imported —
+# Settings() materializes at import time, so env-var overrides have to land
+# here (conftest.py) to be effective.
+_TMP = Path(tempfile.mkdtemp(prefix="notify-bridge-tests-"))
+os.environ["NOTIFY_BRIDGE_DATA_DIR"] = str(_TMP)
+
+os.environ.setdefault(
+    "NOTIFY_BRIDGE_SECRET_KEY",
+    "pytest-secret-key-" + "x" * 40,
+)
+os.environ.setdefault("NOTIFY_BRIDGE_DEBUG", "false")
+os.environ.setdefault("NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS", "http://localhost:8420")
+
+
+@pytest.fixture(scope="session")
+def tmp_data_dir() -> Path:
+    """Expose the already-provisioned temp dir to tests that want the path."""
+    return _TMP

packages/server/tests/test_config.py

@@ -0,0 +1,64 @@
+"""Unit tests for the Settings validator."""
+
+from __future__ import annotations
+
+import pytest
+
+from notify_bridge_server.config import Settings, _FORBIDDEN_SECRETS
+
+
+_GOOD = "a" * 40
+
+
+def _make(**kwargs) -> Settings:
+    defaults = dict(secret_key=_GOOD, cors_allowed_origins="http://localhost:8420")
+    defaults.update(kwargs)
+    return Settings(**defaults)
+
+
+class TestSecretKey:
+    def test_accepts_long_random_key(self) -> None:
+        _make()
+
+    def test_rejects_default(self) -> None:
+        with pytest.raises(ValueError, match="SECURITY"):
+            _make(secret_key="change-me-in-production")
+
+    def test_rejects_known_dev_keys(self) -> None:
+        for bad in _FORBIDDEN_SECRETS:
+            with pytest.raises(ValueError):
+                _make(secret_key=bad)
+
+    def test_rejects_short_key(self) -> None:
+        with pytest.raises(ValueError, match="32 characters"):
+            _make(secret_key="short")
+
+
+class TestCors:
+    def test_rejects_wildcard(self) -> None:
+        with pytest.raises(ValueError, match="wildcard"):
+            _make(cors_allowed_origins="*")
+
+    def test_rejects_missing_scheme(self) -> None:
+        with pytest.raises(ValueError, match="scheme"):
+            _make(cors_allowed_origins="example.com")
+
+    def test_accepts_multiple(self) -> None:
+        cfg = _make(cors_allowed_origins="http://localhost:8420,https://example.com")
+        assert "http://localhost:8420" in cfg.cors_allowed_origins
+
+
+class TestNumericValidation:
+    def test_rejects_zero_access_token_expiry(self) -> None:
+        with pytest.raises(ValueError):
+            _make(access_token_expire_minutes=0)
+
+    def test_rejects_invalid_port(self) -> None:
+        with pytest.raises(ValueError):
+            _make(port=0)
+        with pytest.raises(ValueError):
+            _make(port=70000)
+
+    def test_rejects_negative_retention(self) -> None:
+        with pytest.raises(ValueError):
+            _make(event_log_retention_days=-1)

packages/server/tests/test_discord_retry.py

@@ -0,0 +1,46 @@
+"""Discord client 429-retry bounding."""
+
+from __future__ import annotations
+
+import pytest
+from aioresponses import aioresponses
+
+import aiohttp
+
+from notify_bridge_core.notifications.discord.client import DiscordClient
+
+
+WEBHOOK = "https://discord.com/api/webhooks/123/abc"
+
+
+@pytest.mark.asyncio
+async def test_bounded_retries_on_persistent_429() -> None:
+    """If every response is 429, the client gives up after _MAX_RETRIES."""
+    with aioresponses() as mocked:
+        mocked.post(WEBHOOK, status=429, headers={"Retry-After": "0.001"}, repeat=True)
+
+        async with aiohttp.ClientSession() as sess:
+            client = DiscordClient(sess)
+            result = await client.send(WEBHOOK, "hello")
+
+    assert result["success"] is False
+    # Either the custom "Rate limited" message or the bare HTTP 429 from the
+    # final attempt — both indicate bounded retries without infinite recursion.
+    assert "429" in result["error"] or "Rate limited" in result["error"]
+
+
+@pytest.mark.asyncio
+async def test_caps_retry_after() -> None:
+    """A malicious Retry-After: 99999 must not pin the task for hours."""
+    with aioresponses() as mocked:
+        # First call: absurd Retry-After. Second call: success.
+        mocked.post(WEBHOOK, status=429, headers={"Retry-After": "99999"})
+        mocked.post(WEBHOOK, status=204)
+
+        async with aiohttp.ClientSession() as sess:
+            client = DiscordClient(sess)
+            # Override the cap to something trivial so the test completes fast.
+            client._MAX_RETRY_AFTER = 0.001  # type: ignore[attr-defined]
+            result = await client.send(WEBHOOK, "hello")
+
+    assert result["success"] is True

packages/server/tests/test_health.py

@@ -0,0 +1,39 @@
+"""Smoke test: app imports, /api/health returns 200, version string present."""
+
+from __future__ import annotations
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+def test_health_endpoint(tmp_data_dir) -> None:  # noqa: ARG001 — fixture applies env
+    from notify_bridge_server.main import app
+
+    # TestClient runs the lifespan on enter/exit, so migrations run once
+    # against the temp data dir — a genuine integration smoke check.
+    with TestClient(app) as client:
+        resp = client.get("/api/health")
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["status"] == "ok"
+        assert body["version"] != "0.0.0+unknown"
+        assert "." in body["version"]  # looks like a real version
+
+
+def test_ready_endpoint(tmp_data_dir) -> None:  # noqa: ARG001
+    from notify_bridge_server.main import app
+
+    with TestClient(app) as client:
+        resp = client.get("/api/ready")
+        # By the time TestClient yields, lifespan startup has completed.
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "ready"
+
+
+def test_health_is_anonymous(tmp_data_dir) -> None:  # noqa: ARG001
+    """/api/health must not require auth — the Docker healthcheck depends on it."""
+    from notify_bridge_server.main import app
+
+    with TestClient(app) as client:
+        resp = client.get("/api/health")
+        assert resp.status_code == 200

packages/server/tests/test_jwt.py

@@ -0,0 +1,74 @@
+"""JWT encode/decode round-trips."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import jwt as pyjwt
+import pytest
+
+from notify_bridge_server.auth.jwt import (
+    ALGORITHM,
+    create_access_token,
+    create_refresh_token,
+    decode_token,
+)
+from notify_bridge_server.config import settings
+
+
+def test_access_token_round_trip() -> None:
+    token = create_access_token(user_id=1, role="admin", token_version=3)
+    payload = decode_token(token)
+    assert payload["sub"] == "1"
+    assert payload["type"] == "access"
+    assert payload["role"] == "admin"
+    assert payload["ver"] == 3
+    assert payload["iss"] == settings.jwt_issuer
+    assert payload["aud"] == settings.jwt_audience
+
+
+def test_refresh_token_round_trip() -> None:
+    token = create_refresh_token(user_id=7, token_version=2)
+    payload = decode_token(token)
+    assert payload["type"] == "refresh"
+    assert payload["sub"] == "7"
+
+
+def test_decode_rejects_wrong_audience() -> None:
+    """A token signed with our key but for a different audience is rejected."""
+    now = datetime.now(timezone.utc)
+    forged = pyjwt.encode(
+        {
+            "iss": settings.jwt_issuer,
+            "aud": "other-service",
+            "sub": "1",
+            "type": "access",
+            "ver": 1,
+            "iat": now,
+            "exp": now + timedelta(minutes=5),
+        },
+        settings.secret_key,
+        algorithm=ALGORITHM,
+    )
+    with pytest.raises(pyjwt.InvalidAudienceError):
+        decode_token(forged)
+
+
+def test_decode_rejects_none_alg() -> None:
+    """An ``alg: none`` token must never be accepted."""
+    now = datetime.now(timezone.utc)
+    forged = pyjwt.encode(
+        {
+            "iss": settings.jwt_issuer,
+            "aud": settings.jwt_audience,
+            "sub": "1",
+            "type": "access",
+            "ver": 1,
+            "iat": now,
+            "exp": now + timedelta(minutes=5),
+        },
+        "",
+        algorithm="none",
+    )
+    with pytest.raises(pyjwt.InvalidAlgorithmError):
+        decode_token(forged)

packages/server/tests/test_snapshot.py

@@ -0,0 +1,116 @@
+"""Pre-migration snapshot: atomic copy + retention pruning."""
+
+from __future__ import annotations
+
+import asyncio
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+
+import pytest
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import create_async_engine
+
+from notify_bridge_server.database.snapshot import (
+    prune_old_snapshots,
+    snapshot_and_prune,
+    snapshot_database,
+)
+
+
+@pytest.fixture
+async def sqlite_engine(tmp_path: Path):
+    """Tiny SQLite DB with one table + one row, closed cleanly after the test."""
+    db_path = tmp_path / "app.db"
+    engine = create_async_engine(f"sqlite+aiosqlite:///{db_path}")
+    async with engine.begin() as conn:
+        await conn.execute(text("CREATE TABLE t (id INTEGER PRIMARY KEY, v TEXT)"))
+        await conn.execute(text("INSERT INTO t (v) VALUES ('seed')"))
+    yield engine, db_path, tmp_path / "backups"
+    await engine.dispose()
+
+
+class TestSnapshot:
+    @pytest.mark.asyncio
+    async def test_creates_consistent_copy(self, sqlite_engine) -> None:
+        engine, _db, backups = sqlite_engine
+        dest = await snapshot_database(engine, backups)
+        assert dest is not None
+        assert dest.exists()
+        # Can open the snapshot and see the seed row — proves it's a real DB copy.
+        copy = create_async_engine(f"sqlite+aiosqlite:///{dest}")
+        async with copy.connect() as c:
+            result = await c.execute(text("SELECT v FROM t"))
+            rows = result.all()
+        await copy.dispose()
+        assert rows == [("seed",)]
+
+    @pytest.mark.asyncio
+    async def test_skips_when_db_missing(self, tmp_path: Path) -> None:
+        # Engine pointing at a path that doesn't exist yet.
+        engine = create_async_engine(
+            f"sqlite+aiosqlite:///{tmp_path / 'does-not-exist.db'}"
+        )
+        try:
+            dest = await snapshot_database(engine, tmp_path / "backups")
+        finally:
+            await engine.dispose()
+        assert dest is None
+
+    @pytest.mark.asyncio
+    async def test_rejects_unsafe_label(self, sqlite_engine) -> None:
+        engine, _db, backups = sqlite_engine
+        dest = await snapshot_database(engine, backups, label="bad'; DROP TABLE t;--")
+        assert dest is None
+
+
+class TestPrune:
+    def _make_snapshot(self, backups: Path, age_seconds: int) -> Path:
+        backups.mkdir(parents=True, exist_ok=True)
+        ts = datetime.now(timezone.utc) - timedelta(seconds=age_seconds)
+        name = f"pre-migrate-{ts.strftime('%Y-%m-%dT%H-%M-%S')}.db"
+        p = backups / name
+        p.write_bytes(b"x")
+        mtime = ts.timestamp()
+        import os
+        os.utime(p, (mtime, mtime))
+        return p
+
+    def test_keeps_n_newest(self, tmp_path: Path) -> None:
+        backups = tmp_path / "backups"
+        for age in (100, 80, 60, 40, 20, 0):
+            self._make_snapshot(backups, age)
+
+        deleted = prune_old_snapshots(backups, keep=3)
+        remaining = sorted(backups.glob("pre-migrate-*.db"))
+        assert len(deleted) == 3
+        assert len(remaining) == 3
+
+    def test_keep_zero_deletes_all(self, tmp_path: Path) -> None:
+        backups = tmp_path / "backups"
+        for age in (30, 20, 10):
+            self._make_snapshot(backups, age)
+        prune_old_snapshots(backups, keep=0)
+        assert list(backups.glob("pre-migrate-*.db")) == []
+
+    def test_missing_dir_is_noop(self, tmp_path: Path) -> None:
+        assert prune_old_snapshots(tmp_path / "never-created", keep=5) == []
+
+
+class TestSnapshotAndPrune:
+    @pytest.mark.asyncio
+    async def test_keep_zero_disables(self, sqlite_engine) -> None:
+        engine, _db, backups = sqlite_engine
+        result = await snapshot_and_prune(engine, backups, keep=0)
+        assert result is None
+        assert not backups.exists() or list(backups.glob("*.db")) == []
+
+    @pytest.mark.asyncio
+    async def test_end_to_end(self, sqlite_engine) -> None:
+        engine, _db, backups = sqlite_engine
+        # Run twice — second run should keep both snapshots (keep=5).
+        a = await snapshot_and_prune(engine, backups, keep=5)
+        # Guarantee distinct filenames (timestamp has second resolution).
+        await asyncio.sleep(1.05)
+        b = await snapshot_and_prune(engine, backups, keep=5)
+        assert a and b and a != b
+        assert a.exists() and b.exists()

packages/server/tests/test_ssrf.py

@@ -0,0 +1,59 @@
+"""SSRF guard regression tests."""
+
+from __future__ import annotations
+
+import pytest
+
+from notify_bridge_core.notifications.ssrf import (
+    UnsafeURLError,
+    avalidate_outbound_url,
+    validate_outbound_url,
+)
+
+
+class TestScheme:
+    def test_rejects_file_scheme(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url("file:///etc/passwd")
+
+    def test_rejects_gopher(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url("gopher://example.com/")
+
+    def test_accepts_https(self) -> None:
+        # A well-known public host — validated via real DNS so this test is
+        # skipped when offline.
+        try:
+            validate_outbound_url("https://example.com/")
+        except UnsafeURLError as err:
+            if "DNS" in str(err):
+                pytest.skip("No DNS in test environment")
+            raise
+
+
+class TestBlockedRanges:
+    @pytest.mark.parametrize(
+        "url",
+        [
+            "http://127.0.0.1/",
+            "http://10.0.0.1/",
+            "http://192.168.1.1/",
+            "http://169.254.169.254/latest/meta-data/",
+            "http://[::1]/",
+        ],
+    )
+    def test_rejects_literal_private(self, url: str) -> None:
+        with pytest.raises(UnsafeURLError):
+            validate_outbound_url(url)
+
+
+class TestAsyncValidator:
+    @pytest.mark.asyncio
+    async def test_async_rejects_loopback(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            await avalidate_outbound_url("http://127.0.0.1/")
+
+    @pytest.mark.asyncio
+    async def test_async_rejects_bad_scheme(self) -> None:
+        with pytest.raises(UnsafeURLError):
+            await avalidate_outbound_url("file:///etc/passwd")

scripts/restart-backend.sh

@@ -24,7 +24,7 @@ fi
 
 # Start backend
 export NOTIFY_BRIDGE_DATA_DIR=./test-data
-export NOTIFY_BRIDGE_SECRET_KEY=test-secret-key-minimum-32-chars
+export NOTIFY_BRIDGE_SECRET_KEY=dev-only-pwIOUsKmfn4CYWQ9hCRs5lmI3GgrVlXSu2nqFzGW
 # Dev targets (homelab Immich / Gitea / etc.) live on RFC1918 ranges; the SSRF
 # guard rejects private addresses by default, which would make trackers fail.
 export NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1