chore: release v0.10.0

chore: add vex semantic-search config
Check in the .vex.toml that enables semantic embeddings, call-graph, BM25, and auto-update for the vex code-search index.
2026-06-05 21:04:37 +03:00 · 2026-06-05 21:02:04 +03:00 · 2026-06-05 21:01:44 +03:00 · 2026-05-29 14:57:41 +03:00 · 2026-05-28 15:33:00 +03:00 · 2026-05-28 15:26:11 +03:00
245 changed files with 24613 additions and 1363 deletions
@@ -0,0 +1,177 @@
 # Feature Backlog
 Curated feature ideas, narrowed from a brainstorming pass on 2026-05-13.
 Order is **rough sequencing preference**, not strict priority — adjust as we go.
 ---
 ## 1. Quiet Hours — close the gaps in the existing system
 **Reality check (verified 2026-05-13).** Quiet hours are already shipped under
 the "deferred dispatch" name in v0.8.0. The pipeline lives at
 `packages/server/src/notify_bridge_server/services/deferred_dispatch.py` with
 helpers in `dispatch_helpers.py` and tests in
 `tests/test_deferred_dispatch.py`. What exists:
 - Per-tracking-config window: `tracking_config.quiet_hours_enabled`,
  `quiet_hours_start`, `quiet_hours_end`.
 - Per-link override: `notification_tracker_target.quiet_hours_start`,
  `quiet_hours_end`.
 - Smart coalescing (asset add + asset remove during a window cancels each
  other out, set-union merge for repeated adds).
 - Post-window drain via APScheduler one-shot date jobs.
 - Wall-clock event types (`scheduled_message`) drop instead of deferring.
 - Frontend status surface: `deferred`, `deferred_then_dropped`,
  `deferred_then_failed`, with `deferred_until` and `deferred_for_seconds`
  fields exposed in the event log.
 **What's NOT there (the actual gaps):**
 | Gap | Sketch |
 | --- | --- |
 | **Target-level windows** | Today, hours bind to the *watcher* (tracking config / link). Users naturally think of DND at the *destination* ("don't ping my phone at night, regardless of source"). New column on `notification_target` + dispatcher gate. |
 | **Multiple windows per row** | Today is a single HH:MM range. Real schedules want weekday-evening + weekend-all-day. JSON list of windows. |
 | **Days-of-week** | Same window every day. Need `days: ["mon", "tue", ...]` filter per window. |
 | **Per-window timezone** | Uses the global app TZ. Multi-traveller / multi-target setups want per-window TZ. |
 | **Silent mode** | Modes today are defer-or-drop. Telegram `disable_notification=true` ("send but don't ring") is a third useful mode. |
 | **Per-receiver windows** | One bot → multiple chats, each potentially with its own DND. Today it's all-or-nothing per target. |
 **Recommended cut for v1 of "extend quiet hours":**
 - Add target-level quiet hours (new column `notification_target.quiet_hours_json`
  = list of `{days, start, end, mode, tz}`).
 - Modes: `drop`, `defer`, `silent`. `defer` reuses the existing
  deferred-dispatch pipeline (just changes who decides). `silent` maps to
  `disable_notification=true` for Telegram; other targets fall through to
  normal send (or we treat `silent` as `defer` for non-Telegram targets — TBD).
 - Dispatcher precedence: target window wins over link/tracking-config window
  when both are configured. Document this explicitly.
 - Frontend: new "Quiet hours" fieldset in the target editor (Aurora cassette
  style). Reuses Timezone picker; new day-picker chip row.
 - Skip days-of-week + multi-window in v1 if scope grows — ship the target-level
  cut first, then iterate.
 **Open questions.**
 - How exactly do target / link / tracking-config windows combine? Proposal:
  any window covering "now" wins (drop > defer > silent precedence).
 - Should `silent` for non-Telegram targets degrade to normal send or to
  defer? Defer is the safer default.
 - Does the event log need a new status (`silenced` / `dropped_by_target_qh`)
  to make precedence visible?
 ---
 ## 2. Immich Smart Actions (expand beyond Auto-Organize)
 **What.** Extend the existing Smart Actions pattern (currently:
 **Immich Auto-Organize**) with more rule-driven actions against the Immich API.
 **Why.** Auto-Organize already proves the descriptor → rule editor → executor
 pipeline. Adding actions is mostly authoring new executors + small UI rule
 shapes, not new infra.
 **Candidates (pick in this order).**
 1. **Auto-favorite by person** — when an asset is detected containing person
   X (or any of a set), mark it favorite.
 2. **Auto-archive by age / album** — assets older than N days in a given
   album get archived. Pair with a "dry-run shows count" UX like
   Auto-Organize already has.
 3. **Duplicate cluster nudge** — periodically run Immich's duplicate API and
   send a digest notification with inline buttons ("review", "ignore for 30d").
   Depends on inline-button work (see backlog item 4 dependencies).
 4. **Share-link rotation** — for an album, regenerate the share link every N
   days; notify with the new URL.
 5. **Pending-delete review** — push a weekly digest of trash contents before
   Immich's auto-purge fires.
 **Shape.**
 - Reuse the existing **action descriptor** layer
  (`packages/core/src/notify_bridge_core/providers/actions.py`,
  `action_executor.py`) and the frontend rule editor used by Auto-Organize.
 - Each new action = (a) executor in core, (b) rule schema in the descriptor,
  (c) frontend descriptor extension for the rule editor fields.
 - Persist as `provider_actions` rows (already exists for Auto-Organize) with
  a discriminator + JSON config.
 **Open questions.**
 - Does "auto-favorite by person" need a confirmation queue or run silently?
  Default to silent + event_log entry.
 - How do we surface "this action moved/changed X assets" in the dashboard?
  Probably a per-action stat tile on the provider detail page.
 ---
 ## 3. Home Assistant Provider
 **Full plan:** [feature-home-assistant.md](feature-home-assistant.md).
 **One-line summary.** New WebSocket-based service provider with a 3-phase
 ship: subscribe + dispatch (Phase 1), bot commands (Phase 2), HA service
 calls as Smart Actions (Phase 3). Chosen over webhook ingest because
 Phases 2 + 3 force a long-lived API connection anyway; consolidating on WS
 avoids a refactor.
 **Status:** planned, not started.
 ---
 ## 4. Block-Based Template Builder
 **What.** A visual, drag-and-drop builder for notification and command
 templates that compiles down to Jinja2. Lives alongside (not instead of) the
 current `JinjaEditor`. Author can flip between views.
 **Why.** The current Jinja editor is powerful but unforgiving. A block UI
 lowers the floor for new users and provides a discovery surface for the
 variables documented in `template_configs.py`.
 **Shape.**
 - Frontend-only feature for v1 — compiles to the same Jinja strings the
  backend already accepts.
 - Blocks: `Text`, `Variable`, `If`, `For`, `Link`, `Image`, `Icon`, `Caption`,
  `Group` (HTML span/group). Each block knows its serialized Jinja
  representation.
 - Round-trip: variables, simple `{% if %}` / `{% for %}` blocks, and string
  literals parse back to blocks; arbitrary Jinja stays in a "Raw" block that
  the user can edit as text.
 - Variable picker reads `get_template_variables(provider_type, slot)`. This is
  the same data already shown in the template-help panel.
 - Preview pane unchanged — reuses `services/sample_context.py` server
  rendering.
 - Toggle in the template editor: **Visual / Code**.
 **Open questions.**
 - Round-tripping arbitrary Jinja is hard. v1: parseable subset → blocks,
  anything else → single Raw block. Show a banner explaining.
 - Locale handling: same compiled Jinja, just authored per locale tab.
 - Do we want a marketplace of pre-built block compositions? Out of scope for
  v1 — bundle import/export is a separate backlog item.
 ---
 ## Recommended Sequencing
 1. **Quiet Hours per Target** — small, isolated, immediate user value.
 2. **Immich Smart Actions** — incremental on existing pattern; ship one
   action at a time (start with auto-favorite by person).
 3. **Home Assistant Provider** — multi-file, follows new-provider checklist;
   biggest user-base expansion.
 4. **Block-Based Template Builder** — largest frontend lift; benefits from
   the variable-doc work that the other features will exercise.
 Dependencies are loose — 1 and 2 are independent of 3 and 4. The block
 builder pairs nicely with Home Assistant because HA's rich context surfaces
 the value of an easier authoring UX.
 ---
 ## Decision log
 - **2026-05-13** — Backlog seeded with these four items selected from a
  broader brainstorm. Not started.
@@ -0,0 +1,284 @@
 # Home Assistant Provider — Implementation Plan
 > Status: **planned, not started**. Sequencing: third item on the backlog
 > (see [feature-backlog.md](feature-backlog.md)).
 > Last updated: 2026-05-13.
 ## Decision: WebSocket subscription, not webhook
 We considered three ingest modes (webhook automation, WebSocket subscription,
 hybrid). The WebSocket route is chosen as the architectural foundation because
 the medium-term roadmap forces it anyway:
 | Phase | Capability | Needs API access? |
 | --- | --- | --- |
 | 1 | Subscribe to events, emit notifications | Read (event stream) |
 | 2 | Bot commands (`/state`, `/entities`, `/areas`) | Read (REST or WS get_states) |
 | 3 | Smart Actions (`light.turn_on`, scene activation) | Write (call_service) |
 A webhook-only Phase 1 would still need a REST client by Phase 2 and a write
 path by Phase 3 — net result is two client implementations + one event
 pipeline refactor. WebSocket consolidates all three phases on one connection.
 **Tradeoff (be honest):** WebSocket introduces a long-lived-connection pattern
 this codebase does not have yet. Reconnect logic, missed-events-on-restart
 gap, and a new shape on the `ServiceProvider` ABC are real costs. Phase 1 is
 **not** shippable in one short session — plan for a multi-session build.
 ## Provider abstraction extension
 The current `ServiceProvider` ABC
 ([packages/core/src/notify_bridge_core/providers/base.py](../../packages/core/src/notify_bridge_core/providers/base.py))
 is poll-oriented: every provider implements `poll(collection_ids, state) →
 (events, new_state)`. Webhook providers (Gitea, Planka, Webhook) satisfy this
 by no-op'ing `poll` and shoving events in via `api/webhooks.py` instead.
 Home Assistant fits neither cleanly. The plan:
 1. Add an **optional** `async subscribe(emit) → None` method on the base ABC.
   Default implementation raises `NotImplementedError`. Polling providers do
   not override it. The scheduler / lifecycle layer (currently `services/watcher.py`)
   gains a "subscription manager" branch that, for any provider whose class
   overrides `subscribe`, starts a long-lived task instead of registering
   a polling job.
 2. `emit` is a callback `(event: ServiceEvent) → None` provided by the
   subscription manager — it routes events to the dispatcher exactly like the
   webhook handler does today. Keeping the dispatch path unchanged is the
   point of this design.
 3. Reconnect lives **inside** `subscribe`: the method is expected to be a
   `while not cancelled: try connect; on drop, sleep with backoff, retry`
   loop. The manager cancels the task on shutdown via the cooperative cancel
   token used elsewhere.
 This is a small, additive change to one ABC. No existing provider is
 modified.
 ## Phase 1 — Subscribe + Dispatch (MVP)
 ### Scope
 - Long-lived WebSocket connection to HA, authenticated with a long-lived
  access token.
 - Subscribe to the event bus with optional `event_type` filter (defaults to
  `state_changed`).
 - Translate HA events into `ServiceEvent` and dispatch via the existing
  pipeline. Notifications go out exactly as they do today for any other
  provider.
 - Filter UI: entity-id glob list, domain allowlist (e.g. `light.*`,
  `binary_sensor.*`), event-type allowlist. **Hard-required** to avoid the HA
  firehose drowning the bridge.
 - Connection test + entity listing via WS `get_states` (no REST client yet —
  WS gives us both subscribe and read).
 ### Out of scope for Phase 1
 - Bot commands → Phase 2.
 - Service calls → Phase 3.
 - Replay of events missed during disconnect (HA does not support this; we
  document the gap and surface "reconnected after N seconds" in the event
  log).
 - Webhook-style ingestion (path-embedded token webhook receiver). If a user
  prefers webhooks, we add it later as a second ingestion mode on the same
  provider — out of scope for v1.
 ### Event types (v1)
 | HA event | ServiceEvent type | Notification slot |
 | --- | --- | --- |
 | `state_changed` | `ha_state_changed` | `message_state_changed` |
 | `automation_triggered` | `ha_automation_triggered` | `message_automation_triggered` |
 | `call_service` | `ha_service_called` | `message_service_called` |
 | (custom event types) | `ha_event_fired` | `message_event_fired` |
 Default tracking config enables `state_changed` only — the others are loud
 and opt-in.
 ### Context variables exposed to templates
 Pulled directly from HA's `state_changed` payload, normalized:
 - `entity_id` — `light.kitchen`
 - `friendly_name` — `attributes.friendly_name` or fallback to `entity_id`
 - `domain` — derived from `entity_id` before the dot
 - `old_state` — `from_state.state`
 - `new_state` — `to_state.state`
 - `attributes` — dict of new-state attributes (raw)
 - `device_class` — `attributes.device_class` if present
 - `area` — `attributes.area_id` if present (best effort; only set if HA
  exposes it via the area registry, which costs a `get_registry` WS call —
  see "Open questions")
 - `last_changed`, `last_updated` — ISO timestamps
 - For non-`state_changed` events: `event_type`, `event_data` (full dict)
 ### File touch map (Phase 1)
 **Core** (`packages/core/src/notify_bridge_core/`)
 | Path | Action | Notes |
 | --- | --- | --- |
 | `providers/base.py` | Modify | Add optional `subscribe(emit)` ABC method (default `NotImplementedError`); add `HOME_ASSISTANT = "home_assistant"` to `ServiceProviderType` |
 | `providers/capabilities.py` | Modify | Add `HOME_ASSISTANT_CAPABILITIES` + register |
 | `providers/home_assistant/__init__.py` | Create | Export + register template variables |
 | `providers/home_assistant/client.py` | Create | WebSocket client (auth, subscribe, get_states, call_service stub) |
 | `providers/home_assistant/event_parser.py` | Create | HA event dict → `ServiceEvent` |
 | `providers/home_assistant/provider.py` | Create | Class with `connect`, `disconnect`, `subscribe`, `list_collections` (entity list), `get_available_variables`, `get_provider_config_schema`, `test_connection`. `poll` raises NotImplementedError. |
 | `templates/defaults/en/home_assistant_*.jinja2` | Create | 4 slot templates |
 | `templates/defaults/ru/home_assistant_*.jinja2` | Create | 4 slot templates |
 | `templates/defaults/loader.py` | Modify | Add to `PROVIDER_SLOT_FILE_MAP` |
 | `templates/command_defaults/loader.py` | Modify | Stub entry — empty commands list for now |
 | `templates/context.py` | Modify | HA context builder |
 | `templates/validator.py` | Modify | Whitelist HA variable names |
 **Server** (`packages/server/src/notify_bridge_server/`)
 | Path | Action | Notes |
 | --- | --- | --- |
 | `services/watcher.py` *(or scheduler / lifecycle module that hosts polling)* | Modify | Add subscription-manager branch — for providers whose class overrides `subscribe`, start/stop long-running task instead of polling |
 | `services/scheduler.py` | Verify | Confirm we cancel HA subscription on shutdown (graceful_shutdown_seconds path) |
 | `api/template_configs.py` | Modify | `get_template_variables()` entry |
 | `api/command_template_configs.py` | Modify | Sample ctx (minimal for Phase 1 — no commands) |
 | `services/sample_context.py` | Modify | `_SAMPLE_CONTEXT["home_assistant"]` |
 | `database/seeds.py` | Modify | Seed notification templates + default tracking config |
 **Frontend** (`frontend/src/`)
 | Path | Action | Notes |
 | --- | --- | --- |
 | `lib/providers/home-assistant.ts` | Create | Descriptor per CLAUDE.md rule 11 |
 | `lib/providers/index.ts` | Modify | Register descriptor |
 | `lib/locales/en.json` | Modify | `providers.typeHomeAssistant`, `gridDesc.providerHomeAssistant` |
 | `lib/locales/ru.json` | Modify | Same |
 **Tests**
 | Path | Action |
 | --- | --- |
 | `packages/core/tests/providers/test_home_assistant_parser.py` | Create — HA payload → `ServiceEvent` |
 | `packages/core/tests/providers/test_home_assistant_client.py` | Create — WS auth, subscribe, reconnect (use a fake server) |
 | `packages/server/tests/test_home_assistant_subscription.py` | Create — subscription manager lifecycle, event flows through dispatcher |
 ### Frontend descriptor essentials
 ```text
 type: "home_assistant"
 defaultName: "Home Assistant"
 icon: "home" (consider Lucide icon; HA logo if a custom asset exists)
 hasUrl: true            // base URL of HA (used to derive WS URL)
 configFields:
  - url:                http(s)://homeassistant.local:8123
  - access_token:       long-lived access token (required)
  - allowed_event_types: comma-separated, defaults to "state_changed"
 eventFields: 4 checkboxes (state_changed, automation_triggered,
                           call_service, event_fired)
 extraTrackingFields:
  - entity_glob: tag input ("light.*", "binary_sensor.*_motion")
  - domain_allowlist: tag input
 collectionMeta: { label: "Entities", icon: "..." }
 webhookBased: false     // we are NOT webhook based
 ```
 WS URL is derived: `wss://{host}/api/websocket` (or `ws://` for plain http
 HA). Document this in the UI hint.
 ### Auth model
 - **Long-lived access token** from HA (Profile → Long-Lived Access Tokens).
 - Stored encrypted at rest via the same path the other providers use for
  secrets (the bridge already has a secret-encryption helper — verify the
  exact module name during implementation).
 - WS auth handshake: connect → server sends `auth_required` → client sends
  `{type: "auth", access_token: "..."}` → server replies `auth_ok` or
  `auth_invalid`.
 ### Risks / open questions (Phase 1)
 1. **Reconnect strategy.** Exponential backoff capped at 60s, jittered.
   On reconnect, log a `connection_restored_after` event so the UI can
   surface the gap. Document that HA does not support event replay.
 2. **Area registry.** Pulling `area_id` for entities requires a separate
   `config/area_registry/list` WS call. Decision needed: fetch once on
   connect and cache, refetch on `area_registry_updated` event, or skip
   `area` from the context entirely in v1. Recommendation: fetch on
   connect, refetch on `area_registry_updated`, skip if it fails (best-effort).
 3. **TLS verification for self-signed HA.** Homelab users often have
   self-signed certs. Need a `verify_tls: bool` config field (default true)
   and a clear warning when disabled. Same pattern as
   `NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS` for the SSRF case.
 4. **Backpressure.** HA's `state_changed` can fire hundreds of events per
   minute in a busy install. The subscription manager must drop or coalesce
   if the dispatcher backlog grows beyond a threshold. Cheapest cut: a
   bounded `asyncio.Queue` between WS receiver and dispatch — `put_nowait`
   with overflow counter visible in the event log.
 5. **Entity filter precedence.** Tracking-config has `collection_ids`
   (entity_id list) and we want `entity_glob` + `domain_allowlist`. Decision:
   if both `collection_ids` and globs are set, union them (any match passes).
   Documented prominently in the tracker UI.
 6. **Library choice.** `hass-client` is a Python WS client maintained by the
   HA community; alternative is rolling our own with `websockets`. The
   latter is ~150 LOC and has no external dependency surface. Recommendation:
   roll our own. Re-evaluate if Phase 3 needs registry-aware service calls.
 ## Phase 2 — Bot Commands
 Adds Telegram bot commands for HA tracking configs.
 - `/status` — connection status, subscribed event count
 - `/entities <glob>` — list matching entities + current state
 - `/state <entity_id>` — full state + attributes for one entity
 - `/areas` — area registry summary
 - `/help`
 These use the existing WS connection (no new client) via WS commands
 `get_states`, `config/area_registry/list`. Template slots and command
 template configs follow the same pattern as Gitea/Planka — see
 [CLAUDE.md](../../CLAUDE.md) rule 7 / rule 11 for the full set of locations
 that must be updated.
 Out-of-scope for Phase 2: any command that mutates HA state.
 ## Phase 3 — Smart Actions (Service Calls)
 A new action descriptor in the existing Smart Actions framework
 ([packages/core/src/notify_bridge_core/providers/actions.py](../../packages/core/src/notify_bridge_core/providers/actions.py)).
 - Action type: `ha_call_service`
 - Rule: trigger event → service call (e.g. "on motion event in
  `binary_sensor.front_door` → call `light.turn_on` on `light.porch`")
 - Executor uses the existing WS connection to send `call_service`.
 This phase is gated behind explicit per-target authorization in the UI — HA
 service calls can do anything the access token allows, including unlocking
 doors. Default state: **disabled**, with a clear consent flow when enabling.
 ## Rough effort estimates
 These are rough — sub-task discovery during Phase 1 will refine them.
 | Phase | Estimate (focused work) |
 | --- | --- |
 | Phase 1 (subscribe + dispatch) | 2–3 sessions |
 | Phase 2 (bot commands) | 1 session |
 | Phase 3 (smart actions) | 1–2 sessions |
 ## When to start
 Phase 1 work order, once you green-light it:
 1. ABC extension (`base.py`) + tests for the new `subscribe` shape on a fake
   provider.
 2. WS client + parser + unit tests against recorded HA fixtures (no live HA
   needed for these).
 3. Subscription manager in `services/watcher.py` — integration test with the
   fake provider from step 1.
 4. Templates (en + ru), capabilities entry, validator whitelist.
 5. Server: seeds, sample context, template_configs entry.
 6. Frontend: descriptor, locale keys, i18n.
 7. End-to-end smoke test against a real HA instance (homelab).
 Backend restart cadence per the project rule: after **every** change in
 `packages/server/` or `packages/core/`.
 ## Decision log
 - **2026-05-13** — Plan drafted. Ingest mode = WebSocket (chosen over
  webhook for future-proofing toward Phases 2 + 3). Not started.
@@ -0,0 +1,435 @@
 # Functional Review — Telegram, Immich, Logging (2026-05-28)
 Snapshot review of three subsystems, with prioritised improvement candidates.
 Pairs with [feature-backlog.md](feature-backlog.md) — items here are
 infrastructure that unlocks several backlog features.
 All citations are from the working tree at commit `85a8f1e` (master). Two
 files (`packages/core/src/notify_bridge_core/notifications/telegram/client.py`,
 `media.py`) had uncommitted changes at review time — see Telegram §
 "In-flight work".
 ---
 ## 1. Telegram infrastructure
 ### Telegram — what works well
 - Single chokepoint `TelegramClient`
  ([packages/core/src/notify_bridge_core/notifications/telegram/client.py](../../packages/core/src/notify_bridge_core/notifications/telegram/client.py))
  covers text/photo/video/document/media-group, with 429-aware retry,
  parse-error retry, file_id cache, multi-bot per-token instances,
  polling + webhook modes, and bot-command registration.
 - CLAUDE.md rule #6 satisfied for the production paths.
 - Caption length, group sizing, parse-mode fallback all enforced.
 ### In-flight work
 Byte-budget sub-chunking for media groups
 (`TELEGRAM_MAX_GROUP_TOTAL_BYTES` in
 [media.py](../../packages/core/src/notify_bridge_core/notifications/telegram/media.py))
 with per-item fallback inside `_send_media_group`. Logic is coherent;
 before commit, verify `_build_media_items` callers still match the new
 signature (caption no longer injected at fetch time).
 ### Gaps, ranked by user-visible value
 1. **No inline keyboards / `callback_query` handlers** — zero infra for
   "Favorite / Archive / Dismiss" buttons on Immich notifications.
   Biggest UX unlock; prerequisite for several Immich smart actions.
 2. **No edit-in-place** (`editMessageText` not wrapped). Pairs naturally
   with deferred dispatch / quiet hours coalescing — 5 separate
   "asset added" messages become 1 edited message.
 3. **`disable_notification` (silent send) not exposed** — already a
   Telegram primitive; slots into the quiet-hours `silent` mode the
   backlog already mentions.
 4. **`message_thread_id` (forum topics)** — single field per receiver;
   unblocks supergroup-with-topics users.
 5. **Direct `TelegramClient(...)` constructions** in
   [api/telegram_bots.py:314,394,404,412](../../packages/server/src/notify_bridge_server/api/telegram_bots.py)
   bypass `get_telegram_client()` — violates CLAUDE.md rule #6 and
   skips the shared file_id cache.
 6. **Per-command authorization** — `commands_enabled` is all-or-nothing
   per chat; no per-command allowlist or admin gate.
 7. **Long-message splitting** — `send_message` silently truncates at
   4096 ([client.py:492](../../packages/core/src/notify_bridge_core/notifications/telegram/client.py)).
 8. **No parse-mode per target** — HTML hardcoded.
 ---
 ## 2. Immich
 ### Immich — what works well
 - Mature polling pipeline: incremental delta-fetch via `updatedAfter`,
  pending-asset tracking, fingerprint fast-path skip, fallback to full
  fetch on count-decrease
  ([providers/immich/provider.py](../../packages/core/src/notify_bridge_core/providers/immich/provider.py)).
 - Rich bot commands (status / albums / events / people / search / latest
  / random / favorites / summary / memory) with full asset context
  (CLAUDE.md rule #10 satisfied).
 - `auto_organize` action is well-shaped: AND person + smart-query union,
  exclusions, type/date/favorite filters, 500-asset batched add,
  idempotent diff against album asset_ids, dry-run, `ActionExecution`
  log.
 - Three scheduled features wired: periodic summaries, scheduled-asset
  delivery, Memory/On-This-Day (with native Immich memory API + fallback).
 ### Highest-leverage candidates
 1. **Webhook ingestion** — `webhook_based=False` at
   [capabilities.py:46](../../packages/core/src/notify_bridge_core/providers/capabilities.py).
   Sub-second latency vs the current 5-min poll. New
   `/api/webhooks/immich/{secret}` route + parser + capability flip.
 2. **Share-link expiry monitoring + auto-rotate action** — links
   silently break today; data is already fetched per event
   ([provider.py:541-569](../../packages/core/src/notify_bridge_core/providers/immich/provider.py)).
 3. **Duplicate cluster digest** — Immich >= 1.100 `/api/duplicates` is
   unused; pairs with inline buttons for "merge / ignore 30d".
 4. **Auto-favorite by person** (already in backlog) — smallest delta on
   the existing `auto_organize` executor.
 5. **Per-person notification subscription** — tracker-config filter,
   reuses existing `asset.people` data.
 6. **Album auto-curation from Inbox** — date-based target album name,
   move (not copy); needs the Immich move endpoint (currently we only
   `add_assets_to_album`).
 7. **Storage / job-queue alerts** — `/api/server/stats` and `/api/jobs`
   unused; lightweight poll + threshold = "disk full" / "transcoding
   stalled" notifications.
 8. **Smart-action infra polish** — descriptors are reusable, but the
   rule editor is JSON-shaped, action-run statistics aren't aggregated,
   and dry-run shows counts not the asset list. Address before adding 5
   more action types.
 ---
 ## 3. Logging
 ### What's already in place
 In [logging_setup.py](../../packages/server/src/notify_bridge_server/logging_setup.py):
 - `dictConfig` with `JsonFormatter` (line-delimited JSON) toggleable via
  `NOTIFY_BRIDGE_LOG_FORMAT=json`.
 - `SecretMaskingFilter` redacts Telegram bot tokens + Authorization /
  api_key / password / refresh_token across `msg`, `exc_text`,
  `stack_info`.
 - ContextVar-driven record factory injects `request_id`, `command`,
  `chat_id`, `bot_id`, `dispatch_id` on every record. Text format:
  `[req=- cmd=- bot=- chat=- disp=-]`.
 - Per-module overrides via `NOTIFY_BRIDGE_LOG_LEVELS` env or DB
  `AppSetting`. Live runtime patch via `apply_log_levels()` — no
  restart.
 - Noisy libs pre-quieted (sqlalchemy, aiohttp, apscheduler, urllib3,
  asyncio, httpx, httpcore, PIL, uvicorn.access).
 Plus:
 - `EventLog` table with structured rows (event_type, status,
  assets_count, details JSON, FKs to tracker/provider/action/
  command_tracker/bot), `event_log_retention_days=30` default, daily
  APScheduler cleanup `_cleanup_old_events`
  ([scheduler.py:332](../../packages/server/src/notify_bridge_server/services/scheduler.py)).
 - Prometheus counter `notify_bridge_event_log_total{status,event_type}`.
 - Frontend viewer with filters at
  [api/status.py](../../packages/server/src/notify_bridge_server/api/status.py).
 - `bind_log_context` actually used in: dispatcher (dispatch_id),
  telegram_poller (bot/chat/command/request_id), webhook commands.
 ### Gaps, ordered by debug-pain payoff
 1. **No FastAPI request-ID middleware.** `request_id_var` is set only
   in webhook + Telegram poller paths. Every REST call from the SPA
   logs as `req=-`. Tiny middleware (read `X-Request-Id` or
   `uuid4()`, bind context, echo header) closes this whole-app blind
   spot.
 2. **`dispatch_id` is in log lines but NOT persisted on the `EventLog`
   row.** Means you can find the failed row in the UI but can't grep
   stderr for the matching `disp=...`. Stash it in `details.dispatch_id`
   (no migration needed) — biggest cross-surface correlation win.
 3. **HTTP access log is uvicorn default**
   (`access_log=not _cfg.debug` at
   [main.py:419](../../packages/server/src/notify_bridge_server/main.py)).
   Doesn't include `request_id`, latency, user, status as structured
   fields. Replace with a small `RequestLoggerMiddleware` that emits
   `method`, `path`, `status`, `latency_ms`, `request_id`.
 4. **Telegram media-group failures log richly but aren't linked to the
   resulting `EventLog` row.** The dispatcher result-aggregation work
   in flight is the right place to dump `errors[]` into
   `EventLog.details.errors`.
 5. **In-browser log access is missing.** EventLog rows are visible, but
   raw logger output requires container/SSH access. A bounded
   in-memory ring-buffer endpoint (admin-only, last N lines, filtered
   by context fields) would mean ~90% of triage stays in the UI.
 6. **No "diagnostic mode" UI.** The runtime `apply_log_levels()` is
   great but only reachable through the app-settings JSON editor.
   A "Debug for 15 minutes: `notify_bridge_core.notifications.telegram.client`"
   button with auto-revert is a few-hours job.
 7. **`EventLog.details` is freeform.** Frontend already destructures
   `dispatch_status`, `deferred_until`, `deferred_for_seconds`,
   `original_event_log_id`
   ([types.ts:238-261](../../frontend/src/lib/types.ts)). Define a
   typed `EventLogDetails` per `event_type` (Pydantic at the boundary)
   — prevents drift between providers.
 8. **No log rotation** — `StreamHandler(sys.stderr)` only. Fine in
   containers, brittle on bare-metal. Optional `RotatingFileHandler`
   opt-in via env.
 9. **No slow-query / outbound-HTTP timing logs.**
   `sqlalchemy.engine=WARNING` by default; no per-query duration log.
   Same for outbound calls to Immich / Telegram. A
   "duration_ms >= N" threshold logger would surface "why is this
   dispatch slow" without flipping global DEBUG.
 10. **Action dry-run output is logger-only.** Could be streamed into
    the action editor.
 11. **Poll-result not persisted.** Webhook payloads are logged
    ([api/webhook_logs.py](../../packages/server/src/notify_bridge_server/api/webhook_logs.py)),
    but Immich/Google-Photos poll cycles emit no
    "last poll: 0 changes / 245ms" row. A lightweight
    `provider_poll_log` (small table or ring buffer) would answer
    "is the poller actually running" without reading stderr.
 ---
 ## Recommended sequencing
 | # | Item | Status | Why first |
 | --- | --- | --- | --- |
 | 1 | Request-ID middleware + persist `dispatch_id` on `EventLog` | **SHIPPED 2026-05-28** | Unlocks the rest of the debug story; ~2 hours combined |
 | 2 | Finish in-flight Telegram byte-budget chunking + write `errors[]` into `EventLog.details` | **SHIPPED 2026-05-28** | Already half-done; aligns with #1 |
 | 3 | Telegram inline keyboards + `callback_query` handler | not started | Prereq for several Immich smart actions |
 | 4 | Telegram `disable_notification` + `message_thread_id` per target | **SHIPPED 2026-05-28** | Small, also feeds the open Quiet Hours v1 backlog item |
 | 5 | Immich webhook ingestion | not started | 5-min → sub-second; biggest user-facing latency win |
 | 6 | Immich share-link expiry + auto-rotate (using #3) | not started | Real silent-breakage today |
 | 7 | Diagnostic-mode UI (live log-level toggle with auto-revert) | **SHIPPED 2026-05-28** | Shifts triage to the browser |
 | 8 | Immich duplicate digest + auto-favorite by person | not started | Both ride on #3 |
 Items 1–4 are infrastructure that unlocks 5–8. Items 1, 2, 4 also
 smooth the Quiet Hours v1 / target-level windows that's top of the
 backlog — worth landing before that feature so quiet hours can dispatch
 through edited messages and silent sends from day one.
 ---
 ## Decision log
 - **2026-05-28** — Review completed. Starting work on item #1
  (request-id middleware + persist `dispatch_id` on `EventLog`).
 - **2026-05-28** — Item #1 shipped. Summary of the change:
  - New helpers in
    [packages/core/src/notify_bridge_core/log_context.py](../../packages/core/src/notify_bridge_core/log_context.py):
    `ensure_dispatch_id()` (reuse existing or mint a new
    `disp:<12 hex>`) and `enrich_details_with_correlation(details)`
    (shallow-copy a details dict and merge active `dispatch_id` /
    `request_id` from the ContextVar snapshot).
  - New `RequestContextMiddleware` in
    [packages/server/src/notify_bridge_server/main.py](../../packages/server/src/notify_bridge_server/main.py)
    that reads inbound `X-Request-Id` (charset/length validated, `:`
    excluded so a client can't masquerade as a server-minted id),
    falls back to `req:<12 hex>`, binds the value via
    `bind_log_context`, and echoes it back as the response header.
    Added LAST so it's the outermost middleware.
  - Outer entry points now bind a `dispatch_id` via a thin wrapper
    function (`check_tracker`, `dispatch_provider_event`,
    `dispatch_scheduled_for_tracker`, `_process_row`, `run_action`).
    All 10 `EventLog(...)` creation sites wrap their `details=`
    payload in `enrich_details_with_correlation(...)`.
  - Switched `NotificationDispatcher.dispatch` to use
    `ensure_dispatch_id()` instead of inline `uuid.uuid4()`.
  - New tests in
    [packages/server/tests/test_request_correlation.py](../../packages/server/tests/test_request_correlation.py)
    (12 tests) covering header echo, charset validation, prefix-
    masquerade rejection, helper merge semantics. All 239 server
    tests green.
  - Reviewed by `python-reviewer` subagent (no CRITICAL/HIGH; 3 MEDIUM
    and 1 LOW addressed: PEP 8 imports moved to top of main.py;
    `RequestResponseEndpoint` type added to `dispatch`; `:` dropped
    from the request-id charset; shallow-copy caveat documented).
  - Live smoke verified: generated id `req:a9b9821f5aab` on plain
    request; safe inbound `my-trace-abc123` echoed unchanged;
    `disp:fake12345678` correctly replaced; watcher tick log lines now
    show distinct `disp=disp:<hex>` per tracker check.
 - **2026-05-28** — Item #2 shipped. Summary of the change:
  - Confirmed the in-flight Telegram byte-budget media-group chunking
    in
    [telegram/client.py](../../packages/core/src/notify_bridge_core/notifications/telegram/client.py)
    is complete (15/15 media-group tests pass). Deleted the now-unused
    `split_media_by_upload_size()` from
    [telegram/media.py](../../packages/core/src/notify_bridge_core/notifications/telegram/media.py).
  - New module
    [services/dispatch_summary.py](../../packages/server/src/notify_bridge_server/services/dispatch_summary.py)
    with `summarize_dispatch_results()` (aggregator),
    `attach_summary_in_place()` (in-session) and
    `record_dispatch_summary_async()` (post-commit). Captures
    `targets_attempted/succeeded/failed`, per-target `errors`,
    media-group `media{delivered,skipped,failed}` counts and
    `media_errors[]` from the new
    `TelegramClient._send_media_group` partial-failure path.
    Bounded: 20 errors / 20 media errors / 500-char message cap with
    explicit `…[truncated]` marker.
  - Wired at 4 dispatch sites:
    - `event_dispatch.py`: accumulates per-target results across all
      tracking-config groups, attaches summary in-session before
      commit.
    - `deferred_dispatch.py`: inlines summary into the new EventLog
      row's `details` for both `delivered_after_quiet_hours` and
      `deferred_then_failed` paths.
    - `scheduled_dispatch.py`: inlines summary into the cron-fire
      EventLog row's `details`.
    - `watcher.py`: follow-up `record_dispatch_summary_async` in a
      fresh session because the EventLog row was committed before
      dispatch.
  - Frontend type drift fixed:
    [types.ts](../../frontend/src/lib/types.ts) gets new
    `DispatchSummary`, `DispatchSummaryError`,
    `DispatchSummaryMediaError` interfaces plus `dispatch_id` /
    `request_id` / `dispatch_summary` keys on `EventLog.details`.
  - New tests in
    [tests/test_dispatch_summary.py](../../packages/server/tests/test_dispatch_summary.py)
    (10 tests): empty/all-success/mixed/media-counts/sub-errors/
    truncation/long-message-trim/in-place attach/no-results no-op/
    malformed sub-error. All 249 server tests green.
  - Reviewed by `python-reviewer` subagent (no CRITICAL; 2 HIGH + 3
    MEDIUM addressed: `asyncio.CancelledError` re-raise in the
    best-effort catch; late `from .dispatch_summary import …` calls
    hoisted to top of each file; empty-results contract changed from
    "zero-count summary attached" to "no key written"; truncation
    marker upgraded to `…[truncated]` for operator clarity;
    `flag_modified` comment tightened).
  - Live smoke: backend restarts cleanly, watcher tick log lines
    continue showing `disp=disp:<hex>` correlation, no startup
    errors.
 - **2026-05-28** — Item #4 shipped. Summary of the change:
  - `TelegramReceiver` dataclass in
    [receiver.py](../../packages/core/src/notify_bridge_core/notifications/receiver.py)
    gains `disable_notification: bool = False` and
    `message_thread_id: int | None = None`. New
    `_coerce_telegram_thread_id` helper collapses Telegram's "general
    topic" sentinels (`0`, negatives, blanks, bools) to `None` so the
    Bot API just omits the field — matches the frontend's `<= 0 → unset`
    behaviour.
  - `TelegramClient`
    ([client.py](../../packages/core/src/notify_bridge_core/notifications/telegram/client.py))
    gets a frozen `_SendOptions` + `_send_options_var` `ContextVar`
    pattern for the deep media paths (`_upload_media`,
    `_post_media_group`, `_send_from_cache`) that can't easily plumb
    kwargs through. `send_notification` binds the var; the 3 deep
    builders read it via `_apply_send_opts_to_payload` /
    `_apply_send_opts_to_form`. `send_message` is a leaf and just
    inlines its kwargs into the JSON body directly (no ContextVar
    needed there).
  - Dispatcher
    ([dispatcher.py](../../packages/core/src/notify_bridge_core/notifications/dispatcher.py))
    passes `receiver.disable_notification` / `receiver.message_thread_id`
    into `client.send_message(...)` and `client.send_notification(...)`.
  - Frontend: new inline per-Telegram-receiver options panel in
    [ReceiverSection.svelte](../../frontend/src/routes/targets/ReceiverSection.svelte)
    triggered by a cog icon. Silent + thread-id indicators (bell-off
    icon, `#N` badge) on the row when set. `+page.svelte` handlers
    PUT the merged config to `/api/targets/{id}/receivers/{rid}`.
    5 new i18n keys in `en.json` / `ru.json`.
  - New tests in
    [test_telegram_per_send_options.py](../../packages/server/tests/test_telegram_per_send_options.py)
    — 19 tests: factory + thread-id coercion table (including bool
    rejection and `0`/negative collapse), payload/form helper merge
    semantics, bind/reset under exceptions, concurrent-task isolation
    via `asyncio.gather`, end-to-end `send_message` payload assertions.
    All 270 server tests green.
  - Reviewed by `python-reviewer` subagent (no CRITICAL; 2 HIGH + 1
    MEDIUM + 1 LOW addressed: dead ContextVar bind in `send_message`
    removed in favor of inline kwarg injection; re-entrant bind from
    `send_notification → send_message` auto-resolved by the same fix;
    `message_thread_id=0` collapse aligns backend with frontend;
    `_coerce_telegram_thread_id` rejects `bool` input).
  - Live smoke: backend restarts cleanly, no errors in startup log.
 - **2026-05-28** — Holistic `code-reviewer` pass over the full session
  diff (Features 1+2+4+7) caught a real HIGH that the per-feature
  Python-narrow reviews missed: ``summarize_dispatch_results`` in
  Feature 2 was reading the wrong dict shape. The dispatcher's
  ``_aggregate_results`` wraps per-receiver dicts under
  ``result["results"]`` and renames the Telegram media counts to
  ``media_delivered_count`` / ``media_skipped_count`` /
  ``media_failed_count``. The summarizer was reading the top-level
  ``delivered_count``, which is always absent in production aggregated
  output — meaning the ``dispatch_summary.media`` block was silently
  zero / missing for every real dispatch, and the ``media_errors``
  list never populated. The unit tests passed because they
  hand-constructed leaf-shaped dicts that masked the wrong-shape
  read. Fixed in
  [dispatch_summary.py](../../packages/server/src/notify_bridge_server/services/dispatch_summary.py)
  by drilling into ``result["results"]`` per-receiver leaves and
  preferring ``media_*_count`` field names with fallback to the
  top-level names. Receiver index added to ``media_errors`` entries
  when drilling. New integration tests in
  [test_dispatch_summary.py](../../packages/server/tests/test_dispatch_summary.py)
  use the real dispatcher envelope so a future shape regression fails
  loudly. Also addressed MEDIUM findings: ``attach_summary_in_place``
  / ``record_dispatch_summary_async`` now skip when a caller has
  pre-set ``dispatch_summary`` (mirrors the "caller wins" rule in
  ``enrich_details_with_correlation``); ``ReceiverSection.svelte``
  props for the Telegram options panel are now optional + gated
  internally so the component stays portable; TS type for
  ``editingReceiverOptions.message_thread_id`` is ``number | ''``
  with proper coercion in ``openEditReceiver``. 294/294 server tests
  green; backend restarts clean.
 - **2026-05-28** — Item #5 NOT shipped. Reason: Immich has no
  outbound webhook feature. The closest thing is `POST /sync/stream`
  (a server-streaming sync API designed for first-party Immich
  clients), and adopting it would (a) take 1-2 days of new
  subscription-manager infrastructure, (b) couple us to an API with no
  third-party stability contract, and (c) deliver 5-min → sub-second
  latency on photo notifications which is rarely critical. If
  someone later actually needs lower latency, dropping the default
  ``scan_interval`` is a 5-minute alternative that gets 80% of the
  win for 1% of the cost. Skipped in favour of #7.
 - **2026-05-28** — Item #7 shipped. Summary of the change:
  - New service module
    [services/diagnostic_mode.py](../../packages/server/src/notify_bridge_server/services/diagnostic_mode.py)
    with `set_diagnostic` / `revert_diagnostic` / `revert_all` /
    `list_active`. State is in-memory only — restart wipes overrides
    (`setup_logging` re-applies the DB baseline at boot). Modules go
    through an allowlist (`notify_bridge_*`, `sqlalchemy`, `aiohttp`,
    `apscheduler`, `urllib3`, `httpx`, `httpcore`, `asyncio`, `PIL`,
    `uvicorn`, `starlette`, `fastapi`) so a button press can't flip
    root. Duration clamped to `[1, 240]` minutes. Baseline derivation
    walks the dotted parents so
    `sqlalchemy.engine.Engine` correctly inherits `sqlalchemy.engine`
    → WARNING rather than falling through to root.
  - 3 new admin-only endpoints under `/api/settings/diagnostic-mode`
    in
    [api/app_settings.py](../../packages/server/src/notify_bridge_server/api/app_settings.py):
    `GET` (list active), `POST` (activate, 400 on invalid input),
    `DELETE /{module:path}` (manual revert, 404 if not active).
  - Auto-revert uses APScheduler's date trigger with `misfire_grace_time=60`,
    falling back to a strongly-referenced asyncio task (stored in a
    module-level set with `add_done_callback(discard)`) when the
    scheduler isn't running. `_expire_callback` re-reads `log_levels`
    from the DB at fire time, so an admin who edits overrides mid-window
    sees the new baseline restored — not a stale snapshot.
  - `revert_all` is wired into the FastAPI lifespan shutdown in
    [main.py](../../packages/server/src/notify_bridge_server/main.py)
    so a clean stop / hot-reload leaves the world tidy.
  - New frontend
    [DiagnosticsCassette.svelte](../../frontend/src/routes/settings/DiagnosticsCassette.svelte)
    sits below `LoggingCassette` in the settings page. Quick-pick
    module dropdown + custom-text fallback, duration chip group (5m /
    15m / 30m / 1h / 2h), Activate button. Active list with countdown
    updated by a 1s ticker; resyncs from the backend every 30s based
    on elapsed time (not modulo-of-now, which the prior version had
    wrong). Manual revert via undo-icon button on each row.
  - 15 new i18n keys in `en.json` / `ru.json`.
  - 20 new tests in
    [test_diagnostic_mode.py](../../packages/server/tests/test_diagnostic_mode.py)
    — service-module unit tests + 4 FastAPI smoke tests via
    `dependency_overrides[require_admin]` exercising the router /
    path converter / HTTPException paths. All 290 server tests green.
  - Reviewed by `python-reviewer` subagent (no CRITICAL; 3 HIGH +
    3 MEDIUM addressed: fallback task retention in a module-level set
    to prevent GC; prefix-walk for `_baseline_for` so sub-loggers
    inherit parent defaults; `revert_all` wired into lifespan
    shutdown; `list_active` now sweeps expired entries; DB
    `log_levels` re-read at revert time instead of snapshot at
    activation; frontend resync uses elapsed time. LOW items
    addressed: scheduler-unavailable paths log at DEBUG instead of
    silently passing; test cleanup of dead `_MIN_DURATION_MINUTES`
    mutation).
  - Live smoke: backend restarts cleanly, no errors in startup log.
@@ -0,0 +1,89 @@
 # Production-Readiness Review — service-to-notification-bridge v0.8.1
 **Date:** 2026-05-22  **Scope:** entire codebase (~70k LOC, 312 files)
 **Branch:** master @ a20635a  **Reviewers:** 6 parallel specialised agents
 ## Verdict
 **Ship-readiness: nearly there.** The product is in materially better shape than a typical pre-1.0 — every security baseline is in place (sandboxed Jinja2, bcrypt+JWT, SSRF guard with DNS-rebinding mitigation, secret masking, signed webhooks, non-root Docker, owner-scoped queries) and the feature set is mature (deferred dispatch, quiet hours, fan-out caps, 429 backoff, Prometheus metrics). No CRITICAL security findings exist.
 The work that *should* block shipping to wider users is concentrated in **three buckets**: (1) a handful of correctness defects that surface only under load or restart (duplicate-send class), (2) two secret-handling gaps (HA token returned cleartext, bot tokens/SMTP passwords unencrypted at rest), and (3) the schema-management story (`create_all` on boot + 1880-line hand-rolled migration script with no Alembic).
 ## Reports
 | Axis | File | Findings | Top hit |
 |---|---|---|---|
 | Backend (Python) | [backend-review.md](backend-review.md) | 5C / 15H / 18M / 10L | `asyncio.create_task` GC in HA status logger |
 | Frontend (TS/Svelte) | [frontend-review.md](frontend-review.md) | 2C / 10H / 19M / 7L | JWT access+refresh in `localStorage` |
 | Security | [security-review.md](security-review.md) | 0C / 2H / multiple M | HA `access_token` not masked on `GET /providers/{id}` |
 | Performance + DB | [performance-db-review.md](performance-db-review.md) | 3C / 7H / 10M / 10L | `SQLModel.metadata.create_all` on every boot |
 | Bugs + features | [bugs-features-review.md](bugs-features-review.md) | 3C / 13H / 12M / 3L  + 25 features | Webhook redelivery has no idempotency |
 | UI/UX | [ui-ux-review.md](ui-ux-review.md) | ~33 across 13 axes | Five overlapping glass-card abstractions |
 ## Ship blockers (must fix before wider rollout)
 Cross-cutting top 12 — verified across all six reviews:
 1. **HA `access_token` returned in plaintext** on `GET /api/providers/{id}` — not in mask list. *(Security H-1, [providers.py:399-405](packages/server/src/notify_bridge_server/api/providers.py#L399))*
 2. **Secrets unencrypted at rest** — Telegram bot tokens, SMTP passwords, HA tokens, webhook secrets stored as plain text in SQLite. Disk/snapshot/backup theft = full credential set. *(Security H-2)*
 3. **Frontend JWT access + refresh in `localStorage`** — any future XSS exfiltrates the session in one call. Move to httpOnly cookie. *(Frontend C-1)*
 4. **`asyncio.create_task` fire-and-forget** in `ha_subscription._on_status_change` — task may be GC'd before completion. *(Backend C-1, [ha_subscription.py:249](packages/server/src/notify_bridge_server/services/ha_subscription.py#L249))*
 5. **Pre-auth 1 MiB body read** on Gitea + generic webhooks — DoS amplifier. Verify `X-Hub-Signature` before reading body. *(Backend C-3, [webhooks.py:167](packages/server/src/notify_bridge_server/api/webhooks.py#L167) + 449)*
 6. **No webhook idempotency** — Gitea/Planka/generic don't dedupe by `X-Gitea-Delivery` / equivalent. Replays = duplicate sends. *(Bugs C-1)*
 7. **Deferred-dispatch crash window** — `dispatch()` returns before `session.commit()`; restart re-fires. Wrap in idempotent "claim → send → ack" with a unique constraint. *(Bugs C-2)*
 8. **Telegram `_last_update_id` in-memory only** — restart can replay or skip commands. Persist watermark. *(Bugs C-3)*
 9. **`init_db` calls `SQLModel.metadata.create_all` on every boot** — causes schema drift between fresh and upgraded installs. Adopt Alembic. *(Perf C-1)*
 10. **Template-preview endpoints bypass sandbox timeout** — authenticated user can wedge a worker with `{% for i in range(10**8) %}`. *(Security M-1)*
 11. **Telegram webhook handler missing `session.rollback()`** in catch-all — leaves uncommitted writes. *(Backend C-2, [commands/webhook.py:162](packages/server/src/notify_bridge_server/commands/webhook.py#L162))*
 12. **CLAUDE.md rule-8 violation** — `if (provider.type !== 'immich')` in `RuleEditor.svelte` silently disables people/album picker for other providers. *(Frontend C-2, [RuleEditor.svelte:57](frontend/src/routes/actions/RuleEditor.svelte#L57))*
 ## Next-tier priorities (HIGH — fix in the same release where practical)
 13. Audit `backup_schema.PROVIDER_SECRET_FIELDS` so `webhook_secret`, `password`, `client_secret`, `refresh_token` are scrubbed on export. *(Backend C-5)*
 14. Add `asyncio.Lock` around `bridge_self` failure-counter dicts. *(Backend C-4)*
 15. Login rate-limit is per-IP only — slow rotated-source brute force succeeds. Add per-account lockout + raise password floor. *(Security M-2)*
 16. Three frontend CRUD pages copy cache items into local `$state`, breaking the shared-cache invariant and forcing a full refetch per mutation. *(Frontend H-1/H-2)*
 17. Uncancelled `setTimeout` chain in backup restart flow can `window.location.reload()` after navigation. *(Frontend H-5)*
 18. Refresh-token race against `logout()` produces spurious "Unauthorized" toasts. *(Frontend H-6/H-7)*
 19. Dashboard per-provider GROUP-BY aggregate runs unbounded on every refresh, no caching, no covering index. *(Perf H-1/H-2)*
 20. Truncation/parse-mode escaping for Telegram (HTML-aware truncate, `_extract_retry_after` fractional seconds, forum `message_thread_id` routing, 403 "bot blocked" auto-disable). *(Bugs H-various)*
 21. Five overlapping glass-card abstractions + radius drift (22/18/14/12 px) + ~71 legacy `rounded-md text-sm bg-…` form inputs that bypass the global Aurora `input{}` rule. *(UI/UX H-CONSIST-01..04)*
 22. Hardcoded hex colors (`#059669`, `#ef4444`) in Snackbar/ConfirmModal/actions — bypasses theming. *(UI/UX H-CONSIST-03)*
 23. Snackbar has no `aria-live`; nav lacks `aria-current="page"` — invisible to screen readers. *(UI/UX H-NAV-01, A11y)*
 24. DST handling in overnight quiet-hours windows. *(Bugs H)*
 ## What's working well — keep doing this
 - **Sandboxed Jinja2 everywhere** (security agent verified every `Environment()` instantiation is `SandboxedEnvironment`).
 - **`PinnedResolver` SSRF defence** — handles CGNAT, IPv4-mapped IPv6, DNS rebinding.
 - **JWT with `token_version` revocation** — bcrypt offloaded to worker thread, constant-time username probe.
 - **Hardened Docker** — non-root, read-only root FS, `cap_drop: ALL`.
 - **Aurora/Glass design identity** — distinctive (conic-gradient orb, Newsreader italic display serif, lavender/orchid palette, "signal stream"/"on watch"/"wires"/"pulse" editorial labels). Not generic AI admin work.
 - **Frontend type discipline** — `svelte-check` clean, EN/RU exactly 1466 keys each, no `eval`/`innerHTML`/`var`/`==` anywhere.
 - **Most SQL hot paths already batched** — `load_link_data` is fully fan-in/fan-out; partial unique indexes on deferred-dispatch are thoughtful.
 - **Most v0.8.1 production-readiness items shipped** — fan-out caps, 429 backoff, parse_mode fallback, scheduler misfire grace, Prometheus, deep healthcheck, per-receiver render cache.
 ## Top missing features worth adding next
 Pulled from the bugs-features report — full pitches in [bugs-features-review.md](bugs-features-review.md):
 - **Template playground** — "send test against last event" + dry-run with sample payload.
 - **Template versioning + rollback** with audit log.
 - **Bulk operations** on targets/templates (currently row-by-row).
 - **User-side snooze/mute via bot command** ("/mute 2h", "/snooze tonight").
 - **Auto-disable receiver on Telegram 403 ("bot blocked")** with admin notification.
 - **Rate-limit per target** (separate from global fan-out cap).
 - **Weekly digest + per-target stats + per-provider error rate**.
 - **Generic webhook provider** and **email / Discord / ntfy.sh / Matrix** channels.
 - **Message dedup window** (kills duplicate sends from redelivery and scheduler misfires).
 - **First-run "Getting Started" checklist** on empty dashboard (UI/UX).
 ## How to consume this review
 Each report has clickable `file:line` markdown links. Recommended sequence:
 1. Read this `README.md`.
 2. Skim each report's Executive Summary (top 5-7 bullets).
 3. Triage the **Ship blockers (1-12)** above into the next release branch as individual issues.
 4. Schedule the **HIGH list (13-24)** for the release after.
 5. Treat the feature ideas as a refresh of `.claude/docs/feature-backlog.md`.
@@ -0,0 +1,342 @@
 # Backend Production-Readiness Review
 Scope: packages/server/src/notify_bridge_server/ and packages/core/src/notify_bridge_core/ (~44k LOC, Python 3.11, FastAPI + SQLModel async + APScheduler + aiohttp).
 ## Executive Summary
 - **Overall quality is high.** The Jinja2 sandbox is consistently applied (every Environment instantiation is SandboxedEnvironment), JWT auth uses bcrypt offloaded to a worker thread, SSRF guard exists with DNS-rebinding mitigation, secrets are masked in logs via a dedicated filter, and most async/SQL patterns show production-aware design (per-tracker sessions, batched IN-queries, partial unique indexes).
 - **Top correctness risk: a fire-and-forget asyncio.create_task in ha_subscription._on_status_change** (no reference stored, GC can drop the task) plus thread-unsafe in-memory counters in bridge_self. Both bite on chatty HA installs.
 - **Module-level dict caches shared across the event loop have small read-modify-write windows** in services/scheduler.py (adaptive state), services/bridge_self.py (failure counters), commands/handler.py (TTLCache rate limits), and command_sync._dirty_bots. Currently functional under low concurrency; risky under load.
 - **Very large hot-path functions** — services/watcher.py:check_tracker (381 lines), services/dispatch_helpers.py:load_link_data (208 lines), the 1880-line database/migrations.py, and the 1365-line services/scheduler.py — concentrate too much logic in one place.
 - **Provider-type hardcoding** persists in api/providers.py, services/__init__.py, services/action_runner.py, and services/manual_dispatch.py (if provider.type == immich chains). The watchers _POLL_FACTORIES registry is the right model — extend it.
 - **Webhook handlers read the request body BEFORE authenticating** in the Gitea and generic-webhook routes. The Planka route gets it right. Net impact: a peer that knows the URL but not the secret can drive a 1 MiB read per request.
 - **autoescape is inconsistent**: True for runtime templates (renderer.py, commands/handler.py), False for preview / sample-context renders in api/template_configs.py, api/slot_helpers.py, and services/notifier.send_test_template_notification. Lower risk (admin-authored input) but mismatch invites surprise.
 ---
 ## CRITICAL
 ### [C-1] _on_status_change schedules an unstored task (GC + drop risk)
 File: [packages/server/src/notify_bridge_server/services/ha_subscription.py:240-260](../../packages/server/src/notify_bridge_server/services/ha_subscription.py#L240)
 The task created by asyncio.create_task(_record_ha_status(...)) at line 249 is not held anywhere. Python may garbage-collect a task whose only reference is the create_task return value before it completes (Python docs explicitly warn: save a reference to the result). Result: an HA disconnect/reconnect EventLog row silently disappears under memory pressure.
 **Fix:** Module-level set[asyncio.Task], add the new task, remove via task.add_done_callback. ha_subscription.start_all already does this correctly (line 315-320); the pattern is already in-house.
 ### [C-2] Telegram-webhook handler returns 200 OK on uncommitted writes
 File: [packages/server/src/notify_bridge_server/commands/webhook.py:130-169](../../packages/server/src/notify_bridge_server/commands/webhook.py#L130)
 The catch-all at line 162 swallows handle_command exceptions and returns OK to Telegram. The request already called await session.commit() at line 96 (after save_chat_from_webhook), and any subsequent writes via the dispatcher use NEW sessions inside the command path. If a downstream session inside handle_command partially commits before raising, the dependency get_session does NOT roll back automatically — the context manager only closes.
 **Fix:** Either explicitly session.rollback() in the except block, or wrap the per-request mutations in async with session.begin(): so the implicit transaction guarantees rollback on exception.
 ### [C-3] Gitea/generic webhook reads body BEFORE verifying secret is configured
 File: [packages/server/src/notify_bridge_server/api/webhooks.py:167-178](../../packages/server/src/notify_bridge_server/api/webhooks.py#L167) and line 449-454
 The sequence is: read 1 MiB raw_body, then check if webhook_secret is empty. A peer that learned the URL but has no secret drives a 1 MiB body read per request. Plankas handler at line 232+ validates the bearer token BEFORE the body read — that is the correct pattern.
 **Fix:** Hoist the "if not webhook_secret" (Gitea) and "if auth_mode == none" short-circuit (generic) above _read_bounded_body. Gitea HMAC still needs the body — but bailing on a missing-config-side error first costs nothing.
 ### [C-4] bridge_self in-memory counters are not async-safe
 File: [packages/server/src/notify_bridge_server/services/bridge_self.py:186-230](../../packages/server/src/notify_bridge_server/services/bridge_self.py#L186)
 record_poll_failure does _poll_failure_counts[tracker_id] = _poll_failure_counts.get(tracker_id, 0) + 1. These dicts are accessed concurrently from poll loop, HA push, webhook ingest, and dispatcher target-failure recording. Individual dict ops are atomic, but get + 1 + set is not when interleaved with another coroutine that touches the same key. Symptoms: missed threshold crossings, occasional double-emission. Same pattern in _target_failure_counts and _backlog_above_threshold.
 **Fix:** Wrap mutating ops in an asyncio.Lock. The reset-and-re-arm semantics already assume serial access — make it explicit.
 ### [C-5] PROVIDER_SECRET_FIELDS audit needed for backup exports
 File: [packages/server/src/notify_bridge_server/api/providers.py:617-625](../../packages/server/src/notify_bridge_server/api/providers.py#L617) and [services/backup_service.py:84-93](../../packages/server/src/notify_bridge_server/services/backup_service.py#L84)
 _apply_secrets_provider redacts only fields named in PROVIDER_SECRET_FIELDS. The webhook flow uses a field called webhook_secret (Gitea, Planka, generic) — verify this is in PROVIDER_SECRET_FIELDS (defined in backup_schema.py). A backup export with secrets_mode=INCLUDE that misses webhook_secret leaks a token that grants webhook-forgery rights.
 **Action:** Audit PROVIDER_SECRET_FIELDS. Specifically check it includes: api_key, api_token, access_token, webhook_secret, password, client_secret, refresh_token. The _provider_response mask list at api/providers.py:620 is a good cross-reference — both should be the same constant.
 ---
 ## HIGH
 ### [H-1] _compile_template lru_cache competes across tenants
 File: [packages/server/src/notify_bridge_server/commands/handler.py:99-103](../../packages/server/src/notify_bridge_server/commands/handler.py#L99)
 lru_cache(maxsize=256) keyed by raw template string. Edited templates remain cached. On a multi-tenant install one tenants 256 distinct templates can evict anothers. No invalidation on template-edit.
 **Fix:** Drop the cache (Jinja compile is sub-ms) OR add an invalidation call from the template-edit endpoints. The notification renderer (renderer.py:31) uses 512 slots — same problem; consistent fix.
 ### [H-2] check_tracker is 381 lines with deep coupling
 File: [packages/server/src/notify_bridge_server/services/watcher.py:263-644](../../packages/server/src/notify_bridge_server/services/watcher.py#L263)
 Loads tracker, polls, writes state, persists EventLog, evaluates gates, defers, dispatches, records bridge_self — all in one function. Refactor candidates: _poll_phase, _persist_state_and_events, _dispatch_phase. This is the watchers hot path; bugs here affect every tracker tick.
 ### [H-3] load_link_data returns untyped dict[str, Any]
 File: [packages/server/src/notify_bridge_server/services/dispatch_helpers.py:539-747](../../packages/server/src/notify_bridge_server/services/dispatch_helpers.py#L539)
 Five call sites consume ld["target_type"], ld.get("link_id"), etc. — no static guarantee against key typos.
 **Fix:** Introduce a frozen @dataclass class LinkData. Same for per-receiver entries.
 ### [H-4] N+1 in _resolve_command_context template-slot loop
 File: [packages/server/src/notify_bridge_server/commands/handler.py:200-215](../../packages/server/src/notify_bridge_server/commands/handler.py#L200)
 One SELECT per distinct command_template_config_id. Already batched for trackers/configs/providers — finish the job. Single WHERE config_id IN (...) query + Python pivot.
 ### [H-5] N+1 in backup_service.export_backup receiver loop
 File: [packages/server/src/notify_bridge_server/services/backup_service.py:187-189](../../packages/server/src/notify_bridge_server/services/backup_service.py#L187)
 50 targets = 51 SELECTs. Batch with WHERE target_id IN (...). Audit other sections of this 941-line file for the same pattern (templates -> slots, command configs -> slots).
 ### [H-6] _dirty_bots mutated from request and scheduler without a lock
 File: [packages/server/src/notify_bridge_server/services/command_sync.py:25-95](../../packages/server/src/notify_bridge_server/services/command_sync.py#L25)
 mark_bot_dirty runs in request handlers, _flush_dirty_bots on the scheduler executor. Currently safe (snapshot via ready = [...]) but fragile.
 **Fix:** Snapshot under lock, or move to a thread-safe primitive.
 ### [H-7] HA reconnect cycle has no way for CRUD to short-circuit a stale supervisor
 File: [packages/server/src/notify_bridge_server/services/ha_subscription.py:163-175](../../packages/server/src/notify_bridge_server/services/ha_subscription.py#L163)
 Reload-on-reconnect means a disabled HA provider keeps trying to reconnect at the 30s/300s cadence until next reconnect attempt. CRUD endpoints should call reload_provider (defined at line 339) — verify wiring.
 ### [H-8] Cached expunged ORM instances are footguns
 File: [packages/server/src/notify_bridge_server/services/event_dispatch.py:75-107](../../packages/server/src/notify_bridge_server/services/event_dispatch.py#L75)
 _load_trackers_cached returns expunged NotificationTracker rows. Future maintainer calling session.add(tracker) on a stale cached instance triggers DetachedInstance or silent re-INSERT. Document this strongly, ideally convert to a typed projection.
 ### [H-9] Pending-restore at startup has no timeout
 File: [packages/server/src/notify_bridge_server/main.py:142-143](../../packages/server/src/notify_bridge_server/main.py#L142)
 apply_pending_restore_if_any runs in lifespan; a partially-corrupt restore could block startup indefinitely. Container liveness probes then fail after grace.
 **Fix:** asyncio.wait_for with a generous timeout, or kick off as background task while app starts.
 ### [H-10] Jinja2 render watchdog uses daemon thread that can pin a CPU forever
 File: [packages/core/src/notify_bridge_core/templates/renderer.py:48-73](../../packages/core/src/notify_bridge_core/templates/renderer.py#L48)
 Comment acknowledges the trade-off. Multiple concurrent runaway renders can exhaust CPU cores while callers think they timed out. Add a process-level BoundedSemaphore capping concurrent in-flight renders.
 ### [H-11] _aggregate drops all but the first error
 File: [packages/server/src/notify_bridge_server/services/notifier.py:326-335](../../packages/server/src/notify_bridge_server/services/notifier.py#L326)
 When all sends fail, only results[0] is returned. Distinct subsequent errors are lost.
 **Fix:** Aggregate all errors into a details field.
 ### [H-12] Generic-webhook header dict materialised twice
 File: [packages/server/src/notify_bridge_server/api/webhooks.py:456](../../packages/server/src/notify_bridge_server/api/webhooks.py#L456) and line 475
 dict(request.headers) materialises full headers map, then _filter_headers and _redact_sensitive_body walk the payload. With a malicious peer sending many headers (Starlette default 100), bounded but wasteful.
 ### [H-13] SSRF redirect-walk has no aggregate wall-clock budget
 File: [packages/core/src/notify_bridge_core/notifications/telegram/client.py:232-268](../../packages/core/src/notify_bridge_core/notifications/telegram/client.py#L232)
 max_redirects = 3, each with 120s _DOWNLOAD_TIMEOUT. Worst case per request: 480s. _TARGET_TIMEOUT_S = 120s in the dispatcher caps the top-level case, but per-asset preloads inside media groups dont all share that cap.
 ### [H-14] Backlog recovery logic flips latch for in-flight users
 File: [packages/server/src/notify_bridge_server/services/bridge_self.py:544-551](../../packages/server/src/notify_bridge_server/services/bridge_self.py#L544)
 Recovery loop iterates all known users and flips to False for any not in counts_by_user. If a user transiently has no user_id set on deferred rows (legacy / orphaned), theyre excluded from the GROUP BY and incorrectly marked recovered.
 ### [H-15] quiet_hours_status silently returns None on start == end
 File: [packages/server/src/notify_bridge_server/services/dispatch_helpers.py:110-111](../../packages/server/src/notify_bridge_server/services/dispatch_helpers.py#L110)
 The comment notes this is almost always a user mistake. Silent return means the user wonders why their notifications still arrive at all hours. Surface via WARNING log + UI hint.
 ---
 ## MEDIUM
 ### [M-1] register_commands_with_telegram chat overrides loop is sequential
 File: [packages/server/src/notify_bridge_server/commands/handler.py:723-776](../../packages/server/src/notify_bridge_server/commands/handler.py#L723)
 50 chats with overrides = 50 sequential Telegram round-trips. Use asyncio.gather with a semaphore as in _refresh_telegram_chat_titles.
 ### [M-2] _run_provider exception backoff has no escalation
 File: [packages/server/src/notify_bridge_server/services/ha_subscription.py:278-283](../../packages/server/src/notify_bridge_server/services/ha_subscription.py#L278)
 Persistent bug in _emit reconnects every 30s forever. Add exponential backoff with cap and bridge_self alert after N failures.
 ### [M-3] database/migrations.py is 1880 lines
 File: [packages/server/src/notify_bridge_server/database/migrations.py](../../packages/server/src/notify_bridge_server/database/migrations.py)
 Past the 800-line guideline. Split per-migration into database/migrations/<name>.py, list in main.py.
 ### [M-4] Locale-resolution logic duplicated
 File: [packages/server/src/notify_bridge_server/services/dispatch_helpers.py:484-491](../../packages/server/src/notify_bridge_server/services/dispatch_helpers.py#L484) and [services/notifier.py:46](../../packages/server/src/notify_bridge_server/services/notifier.py#L46)
 Two implementations of locale priority. One source of truth.
 ### [M-5] _normalize_locale duplicated across modules
 File: [packages/server/src/notify_bridge_server/commands/handler.py:632](../../packages/server/src/notify_bridge_server/commands/handler.py#L632)
 Five-line copy; move to commands/command_utils.py.
 ### [M-6] Provider-type if-chain in _test_provider_connection
 File: [packages/server/src/notify_bridge_server/api/providers.py:203-250](../../packages/server/src/notify_bridge_server/api/providers.py#L203)
 Same chain in services/__init__.py:_make_collection_provider. Both candidates for a single registry.
 ### [M-7] Secret masking exposes last 4 chars unconditionally
 File: [packages/server/src/notify_bridge_server/api/providers.py:624](../../packages/server/src/notify_bridge_server/api/providers.py#L624) and [services/backup_service.py:81](../../packages/server/src/notify_bridge_server/services/backup_service.py#L81)
 Fine for 32-char Immich keys. Returns half the value for short secrets. Use plain "***" for len(value) < 16.
 ### [M-8] Deprecated validate_outbound_url still imported
 File: [packages/core/src/notify_bridge_core/providers/immich/client.py:14](../../packages/core/src/notify_bridge_core/providers/immich/client.py#L14)
 The sync version uses blocking socket.getaddrinfo on the event loop. Migrate to avalidate_outbound_url.
 ### [M-9] Lazy cache init has confusing DCL comment
 File: [packages/server/src/notify_bridge_server/services/watcher.py:81-113](../../packages/server/src/notify_bridge_server/services/watcher.py#L81)
 Comment about Double-check after acquiring lock implies classic DCL — under asyncio, the unlocked first check is safe because theres no thread context switch, but rename to clarify.
 ### [M-10] Dispatcher concurrency cap is per-dispatch, not process-wide
 File: [packages/core/src/notify_bridge_core/notifications/dispatcher.py:58](../../packages/core/src/notify_bridge_core/notifications/dispatcher.py#L58)
 _DISPATCH_CONCURRENCY = 16 is INSIDE dispatch(). HA storm = N events x min(M, 16) sends with no outer cap. Add a process-level semaphore in event_dispatch.py.
 ### [M-11] success=True returned for partial failures
 File: [packages/server/src/notify_bridge_server/services/notifier.py:329-335](../../packages/server/src/notify_bridge_server/services/notifier.py#L329)
 A test that fails on 1 of 3 receivers returns success=True with a partial_failures count. Introduce a status: "ok"|"partial"|"fail" field.
 ### [M-12] Telegram command registration not retried on 429
 File: [packages/server/src/notify_bridge_server/commands/handler.py:671-693](../../packages/server/src/notify_bridge_server/commands/handler.py#L671)
 set_my_commands/delete_my_commands arent retried. Adopt the retry-after handling that _upload_media has.
 ### [M-13] event_log_id_by_event keyed on id(event)
 File: [packages/server/src/notify_bridge_server/services/watcher.py:417-464](../../packages/server/src/notify_bridge_server/services/watcher.py#L417)
 CPython object-address as key works because events are held alive in scope, but a typed key would be safer.
 ### [M-14] Bcrypt-length error wording could be clearer
 File: [packages/server/src/notify_bridge_server/auth/routes.py:69-81](../../packages/server/src/notify_bridge_server/auth/routes.py#L69)
 User typing 70 ASCII + emoji gets rejected and doesnt understand why. Clarify the byte-count language.
 ### [M-15] CSP allows unsafe-inline for script-src
 File: [packages/server/src/notify_bridge_server/main.py:186-201](../../packages/server/src/notify_bridge_server/main.py#L186)
 Acknowledged. SvelteKit --csp build flag emits hashes; switching unblocks dropping unsafe-inline.
 ### [M-16] Telegram-webhook body size not capped
 File: [packages/server/src/notify_bridge_server/commands/webhook.py:71](../../packages/server/src/notify_bridge_server/commands/webhook.py#L71)
 update = await request.json() reads with no cap. Add _read_bounded_body pattern.
 ### [M-17] _log_command_event swallows DB failures invisibly
 File: [packages/server/src/notify_bridge_server/commands/handler.py:353-357](../../packages/server/src/notify_bridge_server/commands/handler.py#L353)
 Hard DB failure here is invisible. Add a metrics counter.
 ### [M-18] apply_tracking_display_filters is a 60-line if-branched function
 File: [packages/server/src/notify_bridge_server/services/dispatch_helpers.py:350-405](../../packages/server/src/notify_bridge_server/services/dispatch_helpers.py#L350)
 Split into _filter_favorites, _apply_order_and_limit, _strip_details_and_tags.
 ---
 ## LOW
 ### [L-1] from .database.models import * in main.py
 File: [packages/server/src/notify_bridge_server/main.py:26](../../packages/server/src/notify_bridge_server/main.py#L26)
 Comment is honest about purpose, but explicit imports or a single module import is clearer.
 ### [L-2] None comparisons
 All comparisons verified to use is None via grep — no findings.
 ### [L-3] Magic numbers
 Constants are well-named throughout (_TG_429_MAX_ATTEMPTS, _MAX_PENDING_PER_TRACKER, DEBOUNCE_SECONDS, etc.). Only nit: seconds=30 literal in scheduler.schedule_bot_polling could be promoted.
 ### [L-4] noqa E712 repeated 8+ times for SQLModel boolean comparisons
 Switch to .is_(True) for SQLAlchemy idiom, or add E712 to project ruff config.
 ### [L-5] _check_same_origin is best-effort by design
 Acceptable.
 ### [L-6] _normalize_host strips IPv6 zone IDs silently
 File: [packages/core/src/notify_bridge_core/notifications/ssrf.py:105-106](../../packages/core/src/notify_bridge_core/notifications/ssrf.py#L105)
 Debug log when stripping changes the host would help diagnose.
 ### [L-7] _compute_jitter cap of 30s might be tight on hourly polls
 File: [packages/server/src/notify_bridge_server/services/scheduler.py:91-105](../../packages/server/src/notify_bridge_server/services/scheduler.py#L91)
 Revisit if jitter-collision becomes a real-world issue.
 ### [L-8] SmtpConfig repr may leak password
 File: [packages/server/src/notify_bridge_server/services/notifier.py:205-213](../../packages/server/src/notify_bridge_server/services/notifier.py#L205)
 If SmtpConfig is a vanilla dataclass, repr() will leak the password. Verify in notify_bridge_core.notifications.email.client — add field(repr=False) or a custom __repr__.
 ### [L-9] noqa BLE001 count is high
 49 occurrences across 26 files. Each defensible; consider narrowing where possible.
 ### [L-10] _normalize_for_json does not handle UUID/Decimal
 File: [packages/server/src/notify_bridge_server/services/deferred_dispatch.py:124-133](../../packages/server/src/notify_bridge_server/services/deferred_dispatch.py#L124)
 No current consumer emits these, but a fallback str() for unknown types would prevent future breakage.
 ---
 ## Approval Verdict
 **Block** — CRITICAL findings (C-1 unstored task, C-2 missing rollback, C-3 unauthenticated body read, C-4 racy counters, C-5 secret-mask audit) must be fixed before declaring production-ready. Once those are addressed, the HIGH findings can land in a follow-up.
 ## Quick Wins (low effort, high value)
 1. **Wrap every fire-and-forget asyncio.create_task in a module-level set** — search for asyncio.create_task( with no assignment. Definite hit: ha_subscription.py:249.
 2. **Move webhook-secret check before _read_bounded_body** in Gitea + generic webhook handlers — 5-line move per endpoint, eliminates pre-auth resource exhaustion.
 3. **Add an asyncio.Lock around _poll_failure_counts and _target_failure_counts** mutations — eliminates C-4.
 4. **Split migrations.py** — mechanical refactor, ~1 hour, improves blame/review.
 5. **Batch the receiver query in backup_service.export_backup** — single IN (...) query, ~10x faster.
 6. **Replace from .database.models import \*** with explicit imports — small clarity win.
@@ -0,0 +1,714 @@
 # Bugs + Missing Features — Production-Readiness Review
 Repo: `c:\Users\Alexei\Documents\service-to-notification-bridge` (v0.8.1 baseline)
 Date: 2026-05-22
 Scope: full repo (backend Python/FastAPI, Svelte 5 frontend, providers + dispatchers + bot commands)
 ---
 ## Executive summary
 - **The code is in much better shape than typical pre-1.0 code.** Quiet-hours,
  SSRF, JWT, secret redaction, rate-limit fan-out caps, partition-by-media-kind,
  parse_mode retry, scheduler misfire-grace, Prometheus metrics, deep
  healthcheck, and per-receiver render cache are all already implemented and
  well-tested.
 - **The single biggest shipping risk is webhook idempotency.** Gitea, Planka,
  and the generic webhook endpoint all dispatch on every POST regardless of
  redelivery — there is no `X-Gitea-Delivery` / `X-Hub-Delivery` dedup table.
  An upstream retry storm sends the same notification N times.
 - **The deferred-dispatch drain has a duplicate-send window** if the process
  dies between `dispatcher.dispatch()` returning and `session.commit()` —
  the row stays `pending` and the periodic catch-up scan re-drains it.
 - **Telegram update offset (`_last_update_id`) is in-memory only** — on
  restart, the bot replays already-handled updates or skips ones Telegram
  has discarded. Combined with no per-update idempotency, this is a
  duplicate-command surface.
 - **Several Telegram features are silently unsupported**: forum threads
  (`message_thread_id`), bot-blocked-by-user detection (403 → keep retrying
  forever), and inline-button callback queries. None blocks shipping today
  but each is a near-term ask from any real user.
 - **No template versioning / dry-run / playground** — every template edit is
  immediately live. There is no way to validate a new template against a
  sample payload before flipping the switch, and no rollback path.
 - **Frontend lacks bulk operations and import/export of templates+targets.**
  An operator with 30 trackers cannot bulk-toggle, bulk-edit, or move a
  template across users.
 ---
 ## Part A — Bugs and reliability issues
 Severity legend: **CRITICAL** = data loss / duplicate user-visible messages /
 silent stop-shipping; **HIGH** = wrong behavior under realistic conditions;
 **MEDIUM** = degrades UX or operability; **LOW** = polish.
 ### CRITICAL
 #### A1. Webhook redelivery causes duplicate notifications (no idempotency)
 **Location**: `packages/server/src/notify_bridge_server/api/webhooks.py:156`
 (`gitea_webhook`), `:225` (`planka_webhook`), `:427` (`generic_webhook`).
 **Scenario**: Gitea retries a webhook after 30s if the bridge returns 5xx,
 times out under load, or if the operator clicks "Test Delivery" twice. Every
 retry produces a fresh notification because the handlers never check
 `X-Gitea-Delivery` (Gitea's per-delivery UUID), nor do they record any
 event_id/hash for `parse_generic_webhook` events.
 **Fix**: Add a `webhook_delivery` table with `(provider_id, delivery_id)`
 unique constraint and `created_at`. Insert before dispatch (`INSERT OR IGNORE`
 on SQLite, `ON CONFLICT DO NOTHING` on Postgres); if the insert is a no-op,
 return `{"ok": true, "skipped": "duplicate"}`. For Gitea use the
 `X-Gitea-Delivery` header; for Planka use a hash of `event_type +
 payload.id + payload.createdAt`; for generic webhooks use a configurable
 JSONPath expression to derive an idempotency key, falling back to a SHA256 of
 the raw body. TTL prune older than 7 days.
 #### A2. Deferred-dispatch drain can double-send on process crash
 **Location**: `packages/server/src/notify_bridge_server/services/deferred_dispatch.py:721-758`.
 **Scenario**: Inside `_process_row`, `dispatcher.dispatch()` actually
 delivers the Telegram message (HTTP 200 returned, user phone buzzes).
 The function then sets `row.status = "fired"` (line 734) but the surrounding
 `session.commit()` (line 577) hasn't run yet. Process is killed (OOM,
 SIGTERM during deploy, host reboot). On restart, `_run_deferred_drain_catchup`
 re-fetches the still-`pending` row and dispatches it again — **the user gets
 the same album twice**.
 **Fix**: Either (a) record an outbound dedup key per-row before dispatch
 (`row.dispatch_id = uuid4(); session.commit()` first), then ask the channel
 client to send-or-no-op based on that ID; or (b) flip the row to a
 `"in_flight"` state with a short timeout in a pre-dispatch transaction so a
 restart sees it as poisoned and aborts. Option (a) is more correct but
 needs per-channel cooperation; option (b) is the cheap fix.
 #### A3. Telegram update offset is in-memory only — restart replays or loses commands
 **Location**: `packages/server/src/notify_bridge_server/services/telegram_poller.py:31`
 (`_last_update_id: dict[int, int] = {}`).
 **Scenario**: A user types `/random Family`. Telegram delivers update_id=4711.
 The bridge processes the command, sends back the media, and crashes before
 APScheduler ticks again. On restart, `_last_update_id` is empty, so we call
 `getUpdates(offset=None)` → Telegram returns 4711 again → we send the user
 the same album a second time. Conversely, if Telegram's 24-hour retention
 expired during a long outage, we silently skip pending updates.
 **Fix**: Persist last_update_id in DB (`telegram_bot.last_update_id` column).
 Combine with A2-style command idempotency by inserting
 `(bot_id, update_id)` into a dedup table before processing.
 ### HIGH
 #### A4. Telegram "bot blocked by user" / "chat not found" never short-circuits
 **Location**: `packages/core/src/notify_bridge_core/notifications/telegram/client.py`
 (`send_message`, `_upload_media`, etc.). Errors with
 `error_code == 403` (Forbidden, "Bot was blocked by the user") and 400
 "chat not found" / "user is deactivated" are returned as failures but
 never recorded so the receiver gets removed/disabled.
 **Scenario**: A user blocks the bot. Every scheduled "Good morning memory"
 fires a sendMessage that Telegram instantly 403s. Bridge logs an error,
 moves on, repeats forever. The bridge_self target-failure counter eventually
 fires but the underlying receiver is never disabled. With many such chats
 the operator has no easy cleanup path.
 **Fix**: In the dispatcher, on `error_code in (403, 400 with description
 matching "chat not found"/"user is deactivated")`, automatically set
 `TelegramChat.commands_enabled = False` and either flag the receiver as
 `disabled` with reason `blocked_by_user` or surface it via a new
 `/admin/blocked-chats` view. Also stop further retries that round.
 #### A5. Telegram forum-thread (topic) routing not supported
 **Location**: telegram client never accepts/sends `message_thread_id`.
 **Scenario**: Operator points the bridge at a group's "Releases" forum
 topic. Today every message lands in the General topic instead — there is
 no way to specify the topic. This is a hard requirement for any non-trivial
 group install. Currently `reply_parameters` is the only thread-adjacent
 field used; `message_thread_id` is silently absent.
 **Fix**: Add an optional `message_thread_id` per-receiver (or per-target)
 config, pass through `send_message`, `_upload_media`, and `_post_media_group`.
 Auto-extract from incoming command updates' `message.message_thread_id` so
 the bot can reply into the same topic.
 #### A6. `bot.token` read after commit without refresh in webhook flow
 **Location**: `packages/server/src/notify_bridge_server/commands/webhook.py:92-97`.
 **Scenario**: The comment acknowledges "AsyncSession expires instances on
 commit" and snapshots `bot_id`/`bot_token` before commit, but `await
 session.refresh(bot)` is also called after the commit. If `session.refresh`
 fails (e.g. row was deleted by an admin concurrently — bot rotation), the
 exception is caught as a warning and the rest of the handler still runs
 using the stale local `bot_id`/`bot_token`. The window is small but real.
 **Fix**: Remove the `session.refresh(bot)` since the snapshot already
 covers everything the handler needs. The refresh adds risk for no gain.
 #### A7. Deferred-dispatch coalescing has a JSON-mutation bug under concurrent defers
 **Location**: `packages/server/src/notify_bridge_server/services/deferred_dispatch.py:307`
 (`_find_pending_asset_rows`).
 **Scenario**: Two near-simultaneous `assets_added` events for the same
 `(link_id, collection_id)` from two upstream pollers (HA chat-bus +
 periodic Immich). Both call `defer_event` concurrently. The two transactions
 both see "no pending row", both `session.add(new_row)`, and SQLite cheerfully
 inserts two rows. The drain then fires both, sending the same combined media
 twice. Note that the partial UNIQUE index from v0.8.1 protects only the
 `bridge_self` provider row, not the deferred queue.
 **Fix**: Add a partial UNIQUE index `UNIQUE(link_id, collection_id, event_type)
 WHERE status = 'pending'` on `deferred_dispatch`, then convert `defer_event`
 to `INSERT ... ON CONFLICT (link_id, collection_id, event_type) DO UPDATE`
 and merge `event_payload` inside the SQL or in a re-read+retry loop.
 #### A8. Quiet-hours overnight window + DST transition can produce wrong fire_at
 **Location**: `packages/server/src/notify_bridge_server/services/dispatch_helpers.py:121-128`.
 **Scenario**: User in `Europe/Minsk` (UTC+3, no DST anymore) sets quiet
 hours 22:00-06:00. For a user in a DST-observing zone (e.g.
 `America/New_York`), on the "spring forward" night where 2:00 → 3:00, an
 event arriving at 02:30 local time gets `end_today = now_local.replace(hour=6,
 minute=0)`. But `.replace()` ignores DST adjustments — the resulting
 `datetime` may sit in the skipped hour or have ambiguous DST status. Two
 hours later, the dispatcher sees the quiet window as "still active" or "30
 min ago" depending on the system.
 **Fix**: After `.replace(hour=t_end.hour, minute=t_end.minute, ...)`, pass
 through `tz.localize` (zoneinfo's behavior: re-walk via `astimezone`) and
 explicitly handle the `fold=` parameter. Add tests using
 `zoneinfo.ZoneInfo("America/New_York")` and known DST transition dates.
 #### A9. Quiet-hours `start == end` returns None — silently no quiet hours
 **Location**: `packages/server/src/notify_bridge_server/services/dispatch_helpers.py:110-111`.
 **Scenario**: User UI submits `quiet_hours_start = "00:00"` and
 `quiet_hours_end = "00:00"`, thinking "all day quiet". The function returns
 `None` (no quiet window) — the user gets pinged at 3am even though the UI
 says "quiet hours enabled". Same code path eats malformed times silently.
 **Fix**: Bubble up `ValueError`/`malformed input` to the API validator on
 write so the user gets a 422 with a specific error message rather than
 silently broken behavior. Define `00:00-00:00` as "always quiet" or reject
 it explicitly with a clear error.
 #### A10. Telegram `_truncate` cuts mid-HTML-tag → parse_mode fallback then loses formatting
 **Location**: `packages/core/src/notify_bridge_core/notifications/telegram/client.py:144-149`
 (`_truncate`).
 **Scenario**: A template renders to 4090 chars and an
 `<a href="https://...">...</a>` straddles the 4096-byte boundary. The
 truncate function takes a flat string slice, so the final character may be
 inside a tag → Telegram returns 400 "can't parse entities" → the retry
 strips parse_mode → the user sees `<a href="...">` literally in their chat.
 **Fix**: Make `_truncate` HTML-aware: scan from the right and abandon
 truncation at the start of any tag boundary, OR strip incomplete tags after
 truncating. A simpler intermediate fix: pop any unclosed `<a>` /`<b>`/`<i>`
 detected by a regex over the truncated string.
 #### A11. JSON-payload depth/size hardened in backup, not in webhooks
 **Location**: `packages/server/src/notify_bridge_server/api/webhooks.py:43-71`
 (`_read_bounded_body` only caps total bytes).
 **Scenario**: Generic webhook accepts a 999KB payload (under the 1MB cap)
 but with 50 levels of nesting. `json.loads` succeeds, then
 `parse_generic_webhook` evaluates JSONPath expressions in a loop and the CPU
 spends seconds chasing pointers. Multiple concurrent malicious requests can
 peg the event loop.
 **Fix**: Reuse the depth/node guards from
 `packages/server/src/notify_bridge_server/services/backup_service.py`
 (JSON depth cap 10, node count cap 100k). Either share the helper or
 re-implement around `json.loads(object_pairs_hook=...)`.
 #### A12. Generic-webhook `auth_mode="none"` with `acknowledge_unauthenticated` is per-provider, not per-user
 **Location**: `packages/server/src/notify_bridge_server/api/webhooks.py:294-323`.
 **Scenario**: v0.8.1 added the `acknowledge_unauthenticated=true` opt-in,
 but it's only stored in `provider.config` JSON. A multi-user install where
 one user accepts unauthenticated and another doesn't would suffice. But
 because anyone with the webhook URL can also infer the token (URLs are not
 secret in real deployments — they end up in upstream config files, logs,
 build artifacts), `auth_mode="none"` is dangerous beyond "explicit opt-in":
 an attacker who guesses the path can DoS the rate limiter by burning the
 60/min budget.
 **Fix**: Refuse to even create a `webhook` provider with `auth_mode="none"`
 in production unless a separate environment guard
 `NOTIFY_BRIDGE_ALLOW_UNAUTHENTICATED_WEBHOOKS` is set; AND drop the rate
 limit to 10/min for `auth_mode="none"` providers.
 #### A13. `_extract_retry_after` returns int but Telegram `retry_after` is fractional
 **Location**: `packages/core/src/notify_bridge_core/notifications/telegram/client.py:59-78`.
 **Scenario**: Modern Telegram sometimes returns `retry_after` as a float
 (e.g. `1.5`). The current code does `int(group(1))` and `isinstance(ra,
 (int, float))`. Regex `\d+` only matches integers. So a `1.5s` retry-after
 becomes "no retry-after found" → fallback 1s sleep → retry too early → second
 429 → eventually the bounded retry budget runs out.
 **Fix**: Loosen the regex to `\d+(?:\.\d+)?` and `float(m.group(1))`,
 preserve fractional via `await asyncio.sleep(retry_after + 1)` with float.
 #### A14. APScheduler date-job collision when two windows end at the exact same second
 **Location**: `packages/server/src/notify_bridge_server/services/scheduler.py:1127-1132`
 (`_drain_job_id_for`). The job id is keyed on `YYYYMMDDHHMMSS`. Comment in
 code acknowledges "two trackers... seconds different ... would collide", but
 two windows ending at the exact same second still collide on a single job id
 — `replace_existing=True` silently drops the second.
 **Scenario**: 30 users with quiet_hours_end=`07:00`. All 30 windows end at
 the same wall-clock second. Only one drain job is scheduled. That single
 job fires `drain_deferred_due()` which scans all rows globally so all 30
 get drained — actually fine. **But** if the global drain function ever
 filters by user/tracker (a likely near-term change for multi-tenant), the
 collision becomes silent data loss.
 **Fix**: Either keep the global drain (and document the assumption) or
 add a tracker_id segment to the job_id and let APScheduler dedup naturally.
 #### A15. `_handle_webhook_conflict` reclaim races against a parallel admin action
 **Location**: `packages/server/src/notify_bridge_server/services/telegram_poller.py:163-218`.
 **Scenario**: Admin clicks "Switch to webhook mode" in the UI, which sets
 `update_mode=webhook` and calls `set_webhook(...)`. Concurrently, the next
 poll tick for the same bot hits the conflict, calls `delete_webhook` → the
 admin's webhook is wiped 1s after they set it. The poll tick checks
 `bot.update_mode != "polling"` *before* the conflict reclaim, but the
 reload is best-effort and the conflict reclaim path runs unconditionally
 once entered.
 **Fix**: Re-check `bot.update_mode == "polling"` inside
 `_handle_webhook_conflict` before calling `delete_webhook`; or take an
 advisory lock on the bot row for the duration of the mode flip.
 #### A16. Discord 2000-char split breaks on Unicode codepoint boundaries
 **Location**: `packages/core/src/notify_bridge_core/notifications/discord/client.py:60-80`
 (`_split_message`).
 **Scenario**: A template renders to 2050 chars with emoji at position
 1998-1999 (each emoji is 2 surrogates / multi-byte UTF-8). The split uses
 `text.rfind("\n", 0, limit)` and falls back to character index `limit`,
 which is a Python str index → that part is OK in CPython 3, but if the
 content contains a grapheme cluster (emoji + zero-width-joiner + skin tone),
 slicing at `limit` mid-cluster renders as the broken emoji "□" in Discord.
 **Fix**: Use a grapheme-cluster boundary library (e.g. `regex` module with
 `\X`) or at minimum back off to the previous whitespace if `limit` is
 inside a likely cluster.
 ### MEDIUM
 #### A17. Per-target failure counter does not distinguish receivers within a target
 **Location**: `packages/server/src/notify_bridge_server/services/event_dispatch.py:311-333`.
 **Scenario**: A target has 10 receivers. 1 chat is blocked, 9 work. Today
 `maybe_emit_target_failure` is called for the target — but the success
 counter (`record_target_success`) is also called for the same target on the
 other 9. Net counter behavior depends on call order. With the
 default-threshold 5, this oscillates.
 **Fix**: Track success/failure per receiver, not per target; or only call
 `maybe_emit_target_failure` when `all` receivers failed for the target.
 #### A18. `_cleanup_old_events` does not delete cancelled `DeferredDispatch` rows
 **Location**: `packages/server/src/notify_bridge_server/services/scheduler.py:332-364`.
 **Scenario**: The daily cleanup deletes `EventLog`, `WebhookPayloadLog`,
 `ActionExecution`. Cancelled / fired / dropped `DeferredDispatch` rows live
 forever in the DB. Active install with chatty providers accumulates millions
 of rows; eventually the `_load_pending_drain_jobs` query, `_trim_queue_if_needed`,
 and the catch-up scan all degrade.
 **Fix**: Add `delete(DeferredDispatch).where(status.in_(["fired", "dropped",
 "cancelled"]), fired_at < cutoff)` to the cleanup.
 #### A19. `random.shuffle(shuffled)` in `_sort_assets` uses non-deterministic seed
 **Location**: `packages/server/src/notify_bridge_server/services/dispatch_helpers.py:317-320`.
 **Scenario**: Two identical events arriving in close succession (deferred-
 dispatch merge, then drain re-renders) shuffle into different orders. With
 the deferred-dispatch coalescing logic, this produces a visual "they're not
 the same album" surprise in the chat history.
 **Fix**: Seed `random` with a stable per-event hash
 (`hash(event.event_type.value + event.collection_id + event.timestamp.isoformat())`).
 #### A20. `_poll_tracker` swallows exception, drops it at `_LOGGER.error` not `exception`
 **Location**: `packages/server/src/notify_bridge_server/services/scheduler.py:657-666`.
 **Scenario**: An exception in `check_tracker` is logged as `_LOGGER.error("Error
 polling tracker %d: %s", tracker_id, e)` — no traceback. Production debugging
 of "why is tracker 42 silently broken since yesterday" requires the stack.
 **Fix**: Change to `_LOGGER.exception("Error polling tracker %d", tracker_id)`.
 #### A21. Long bot commands → `/help` reply > 4096 chars truncates without warning
 **Location**: `packages/server/src/notify_bridge_server/commands/handler.py:521-532`,
 combined with `send_reply` → `send_telegram_message` → `_truncate` to 4096.
 **Scenario**: A user with 20 enabled commands runs `/help`. Each command +
 description (RU) crosses 250 chars → 5000 chars total → truncated mid-command.
 The user sees a half-list that suggests we forgot half the commands.
 **Fix**: Split `/help` over multiple messages by command category (provider).
 #### A22. `parse_command` truncates to 512 chars — long search queries lost
 **Location**: `packages/server/src/notify_bridge_server/commands/parser.py:15`.
 **Scenario**: `/search a very long query containing emoji 🎉 and more text that
 the user really meant to send because they pasted a long string from somewhere…`
 gets clipped to 512 chars silently. The trailing count parser then operates
 on the truncated text, possibly extracting a count from mid-query.
 **Fix**: Either reject `>512` with `parse_command` returning a sentinel
 "too_long" tuple, or just stop truncating — the Telegram limit is already
 4096 and we already truncate the response side.
 #### A23. Periodic catch-up scan can dispatch a stale event payload
 **Location**: `packages/server/src/notify_bridge_server/services/deferred_dispatch.py:628`
 (`_process_row`).
 **Scenario**: An `assets_added` event is deferred at 22:00. At 06:00 the
 quiet window ends, drain re-fetches `link_data`. The assets in `event_payload`
 include URLs and asset metadata. But the user has since deleted those photos
 from Immich. The dispatcher tries to download → 404. Notification shows
 "5 photos added to Album X" but the actual media fails to attach.
 **Fix**: For `assets_added`, re-validate asset existence against the
 provider before dispatch (one batched `getAssets` call). Drop missing IDs
 from the event, mark with "delivered_after_quiet_hours" + extra hint
 `"missing_count": N` in details. For deferred windows >12h this is the
 right behavior; for shorter windows the lookup is wasted work, so gate on
 `(now - deferred_at).hours >= 6`.
 #### A24. Watcher / scheduler restart can lose adaptive polling state
 **Location**: `packages/server/src/notify_bridge_server/services/scheduler.py:67-88`
 (`_adaptive_state: dict`).
 **Scenario**: Module-level dict resets on restart. A tracker that had ramped
 up to 1-in-4 ticks goes back to every-tick polling. Over a fleet of 50
 trackers in steady-state idle, this triggers a thundering herd of every-tick
 polls right after deploy. Combined with no DB-level rate limiting on the
 upstream Immich/Gitea API, it can rate-limit the operator out of their own
 services for ~5min.
 **Fix**: Either persist the adaptive state in `notification_tracker_state`
 (cheap on shutdown via `atexit`) or stagger the initial ticks via
 APScheduler's `next_run_time` instead of relying on the existing jitter.
 #### A25. `defer_event` `return "cancelled"` logic is incorrect in some merge paths
 **Location**: `packages/server/src/notify_bridge_server/services/deferred_dispatch.py:444`.
 **Scenario**: The `cancelled` return branch checks `upd_added is None or
 upd_added.status == "cancelled"` AND same for `upd_removed`. But if both
 `upd_added` and `upd_removed` are `None` (i.e. there were no pending rows
 to begin with), `fully_cancelled` is `False` → returns "merged". That's
 fine. But the more subtle issue: an "insert" action with one of the rows
 being cancelled returns "merged" — should be "inserted". The dashboard
 "merged" status confuses the operator looking at why no defer row exists.
 **Fix**: Rewrite as a clearer state machine: distinguish "inserted",
 "merged_into_existing", "fully_cancelled".
 #### A26. `_fetch_bytes` and `_safe_get` honor only 3 redirects with no Retry-After awareness
 **Location**: `packages/core/src/notify_bridge_core/notifications/telegram/client.py:217-268`.
 **Scenario**: Immich behind a CDN can chain `302 → 302 → 200`. With 4 hops
 it falls through to "Too many redirects". A user complains "old photos
 suddenly missing in notifications".
 **Fix**: Bump to 5 redirects and surface the chain in the error string for
 easier debugging.
 #### A27. No structured event log filter UI for "show me all drops in the last hour"
 **Location**: `packages/server/src/notify_bridge_server/api/status.py` —
 `event_log` rows have `details.dispatch_status` field but no API filter
 exposes it. The frontend can fetch only via global filter on `event_type`.
 **Scenario**: An operator sees "messages are missing today". They want to
 filter event_log to `dispatch_status in (dropped_quiet_hours_nondeferrable,
 deferred_then_dropped, deferred_then_failed)`. Today they can't.
 **Fix**: Add `dispatch_status` and `dispatched=true|false` as first-class
 event_log columns (denormalized from `details`), plus API + UI filter.
 #### A28. `_render_cmd_template` falls back to `"[No template: X]"` user-visible text
 **Location**: `packages/server/src/notify_bridge_server/commands/handler.py:111-115`.
 **Scenario**: An operator removes a template slot by mistake. The next user
 who runs `/random` sees `[No template: response_random]` in chat. Not just
 ugly — it leaks internal slot names.
 **Fix**: Show a friendly "Sorry, something went wrong on our side" + log at
 error level. Better: refuse to disable the slot if it's referenced.
 ### LOW
 #### A29. `_truncate`'s ellipsis can land inside a multi-byte char
 The marker `"…"` is one Unicode codepoint (3 bytes UTF-8) but the truncate
 counts characters, not bytes. Telegram counts UTF-16 code units, so for a
 4090-char message ending in emoji, the calculation is off by a small constant.
 Won't break sends but messages may end up slightly longer than `TELEGRAM_MAX_TEXT_LENGTH`
 allows. Re-measure in UTF-16 code units (`len(s.encode('utf-16-le')) // 2`).
 #### A30. `NotificationDispatcher._render_cache` set to fresh dict on every dispatch — comment says "reuse"
 The instance attribute `self._render_cache` is reset to `{}` at the start
 of every `_send_to_target` (line 245). The cache only helps across receivers
 within one target, not across targets. The comment at line 111-115 implies
 broader reuse. Either align comment with reality or actually share across
 targets within one `dispatch()` call.
 #### A31. Frontend `entity-cache.svelte.ts` doesn't propagate stale-cache errors
 The shared `$state`-based caches return stale data silently if the underlying
 fetch fails after a successful initial load. A user sees old target list
 during an outage and is confused why edits aren't sticking.
 ---
 ## Part B — Missing functionality and "cool feature" gaps
 Tier legend: **must-have** = blocks prod for any non-trivial install;
 **nice-to-have** = clear value, ship in next minor; **aspirational** = ship
 when v1.0+ slows down.
 Effort: **S** ≈ 1-2 days; **M** ≈ 1 week; **L** ≈ 2+ weeks.
 ### Already in the backlog (post-v0.8.1 status check)
 #### B1. Target-level quiet hours (per-target DND, multi-window, days-of-week, silent mode)
 **Status**: Still missing in v0.8.1. The backlog item proposed a v1 cut
 (target-level windows + `silent` mode for Telegram = `disable_notification=True`).
 None of the proposed code paths exist:
 - `notification_target.quiet_hours_json` column — not present.
 - `disable_notification=True` plumbing through `TelegramClient.send_message`
  — not present.
 - Days-of-week filter — not present.
 **Pitch**: Quiet hours bind to the *watcher* (tracking config); users want
 DND at the *destination*. "Don't ping my phone at night, regardless of
 which provider".
 **Who benefits**: Every user. Today they have to recreate per-link windows.
 **Effort**: **M** (1 week — backend dispatcher gate + frontend Aurora-style fieldset).
 **Tier**: **must-have for prod**.
 #### B2. Immich Smart Actions expansion (auto-favorite by person, auto-archive, share-link rotation)
 **Status**: Auto-Organize exists; no other action descriptors are shipped.
 **Pitch**: Reuse the existing action descriptor pipeline. Auto-favorite-by-person
 is the smallest cut.
 **Effort**: **M** per action (a few days each).
 **Tier**: nice-to-have.
 #### B3. Block-based template builder
 **Status**: Not started. `JinjaEditor` is unchanged.
 **Effort**: **L** — frontend-only but big.
 **Tier**: aspirational.
 ### Newly identified — must-have for prod
 #### B4. Webhook delivery dedup table + "Test Delivery" replay
 **Pitch**: Add the dedup table from A1, plus a `/api/webhooks/{provider_id}/replay/{delivery_id}`
 endpoint that admin can hit to re-dispatch a stored payload without the upstream
 provider needing to resend. Combined with the existing `WebhookPayloadLog`,
 this is "click to retest" in the UI.
 **Who benefits**: Every webhook provider. Replay is invaluable for debugging
 template edits.
 **Effort**: **M**.
 **Tier**: **must-have for prod**.
 #### B5. "Send test message" / template playground
 **Pitch**: From the template editor, click "Try this template against the
 last received event" → render preview, optionally send to a sandbox chat.
 Bypass dispatch but exercise the full Jinja pipeline.
 **Who benefits**: Every template edit today is a leap of faith — the operator
 modifies the template, waits for the next real event, hopes nothing breaks.
 **Effort**: **S-M**. The preview infrastructure already exists
 (`services/sample_context.py`); add a "send to chat X" button.
 **Tier**: **must-have for prod**.
 #### B6. Template versioning + rollback
 **Pitch**: Auto-snapshot each template on save (last 10 revisions). UI shows
 diff between version N and N-1, "Restore" button. Same for command templates.
 **Who benefits**: An operator who tweaks a template at midnight and goofs
 the syntax needs an undo button.
 **Effort**: **M**. New `template_revision` table; new endpoints; UI button.
 **Tier**: **must-have for prod**.
 #### B7. Bulk operations on trackers / targets / links
 **Pitch**: Multi-select in lists → "disable selected", "delete selected",
 "export selected templates as JSON bundle", "move to user X".
 **Who benefits**: Operators with >10 trackers. A common pain point: deploying
 the bridge for a new family member requires N clicks per tracker.
 **Effort**: **M** (frontend-heavy).
 **Tier**: **must-have for prod**.
 #### B8. Bot blocked / chat-not-found auto-disable + dashboard
 **Pitch**: Detect Telegram 403 / 400 chat-related errors. Mark the receiver
 or `TelegramChat` as `disabled_by_remote`. Surface in a "Stale receivers"
 admin view with a "Try resending invite" / "Delete chat" button.
 **Who benefits**: Every Telegram user. Today the bridge silently sprays
 errors until a human looks.
 **Effort**: **S**.
 **Tier**: **must-have for prod**.
 #### B9. Forum-thread (topic) routing for Telegram
 **Pitch**: Per-receiver `message_thread_id` field, auto-detected from incoming
 command messages. UI: when adding a chat that's a forum, show a topic
 selector populated via `getForumTopicIconStickers` + `getChat`'s `is_forum`.
 **Who benefits**: Any group install where the user wants notifications in a
 dedicated topic.
 **Effort**: **M**.
 **Tier**: **must-have for prod**.
 #### B10. Telegram inline buttons + callback queries
 **Pitch**: Templates can declare `{% buttons %}` with action descriptors.
 Bridge listens for `callback_query` updates, dispatches to a registered
 action (e.g. "Mark album as favorite", "Snooze this tracker for 1h", "Run
 HA service light.turn_off").
 **Who benefits**: Power users. Foundation for several other features
 (Immich duplicate-cluster review, HA action button → service call, snooze).
 **Effort**: **L**.
 **Tier**: nice-to-have but unlocks the next 3 items.
 #### B11. User snooze / mute via bot command
 **Pitch**: `/snooze 1h` mutes the bot's outbound chat for 1h.
 `/mute provider gitea` mutes a whole provider for that chat. `/wake` undoes.
 Implemented as a per-receiver `snoozed_until` column.
 **Effort**: **S-M**.
 **Tier**: **must-have for prod** (user-side relief valve).
 ### Newly identified — nice-to-have
 #### B12. Per-target / per-user rate limit (send-side)
 **Pitch**: Cap outbound messages per minute per receiver. Existing 429
 backoff handles Telegram's limit, but a runaway template / event-storm
 provider can still spray the user's phone with 200 messages.
 **Effort**: **S**. Token bucket per chat_id in `_send_telegram`.
 **Tier**: nice-to-have.
 #### B13. Message dedup window (idempotency key per outbound message)
 **Pitch**: SHA256 of `(target_id, receiver_id, rendered_message,
 event_collection_id)`. If the same key was sent in the last 5min, skip.
 **Effort**: **S**.
 **Tier**: nice-to-have (lots of overlap with A1+A2 but addresses the
 end-of-pipeline dedup, after all coalescing).
 #### B14. Weekly digest / per-target stats / per-provider error rate
 **Pitch**: Cron-based weekly summary email/Telegram. "Top 5 noisy trackers",
 "Receivers with >X% failure rate", "Top 5 days of the week with the most
 activity". Operator preventive maintenance.
 **Effort**: **M**.
 **Tier**: nice-to-have.
 #### B15. Mobile-friendly minimal mode for the SPA
 **Pitch**: The Aurora redesign is a lot for mobile. A "manage from phone"
 minimal layout — list of trackers, click to toggle, click to mute. Stops
 operators from needing a desktop to silence a chatty tracker at 1am.
 **Effort**: **M**.
 **Tier**: nice-to-have.
 #### B16. Audit log of admin actions
 **Pitch**: New `audit_log` table. Every create/update/delete on
 `NotificationTracker`, `NotificationTarget`, `TemplateConfig`, `ServiceProvider`,
 `TelegramBot`, `User`, etc. writes a row with `(user_id, action,
 entity_type, entity_id, before_json, after_json, ip, ua)`. Admin UI tab.
 **Effort**: **M**. SQLAlchemy event listeners on the affected models.
 **Tier**: nice-to-have for multi-admin installs; must-have if any
 compliance requirement.
 #### B17. Health → not just /ready, but per-component status page
 **Pitch**: `/api/health/components` returns `{providers: [{id, last_ok_at,
 last_error}], targets: [{id, last_ok_at, last_error}], scheduler:
 {job_count, next_fires}}`. Frontend "Status" tab.
 **Effort**: **S-M**. The data is already in `EventLog` / scheduler API.
 **Tier**: nice-to-have.
 #### B18. Provider unreachable backoff + escalation
 **Pitch**: Today `bridge_self` emits `bridge_self_poll_failures` after N
 consecutive fails. Add (a) exponential backoff on the polling interval after
 M failures so we don't hammer a down host, and (b) recovery notification
 when the provider comes back.
 **Effort**: **S**.
 **Tier**: nice-to-have.
 #### B19. RSS provider
 **Pitch**: Generic RSS/Atom feed poller. One more provider, reuses event_dispatch.
 Long-tail value (operator wants "notify me when a blog publishes").
 **Effort**: **M**.
 **Tier**: nice-to-have.
 #### B20. Mobile push / FCM channel
 **Pitch**: A dedicated FCM "Receiver" type so the user can ship their own
 companion app. Today Telegram is the only realtime channel; email is too
 slow; webhook out is for plumbing.
 **Effort**: **L**.
 **Tier**: aspirational.
 ### Newly identified — aspirational
 #### B21. Conversation threading per source (one notification thread per album / repo)
 **Pitch**: Use Telegram `reply_parameters` to chain all notifications about
 "Album X" as a single thread that grows over time. Today every notification
 is a top-level message. Threading turns the chat into a navigable history.
 **Effort**: **M**. Store `last_message_id` per `(target_id, collection_id)`,
 pass as `reply_to_message_id`.
 **Tier**: aspirational but a clear differentiator.
 #### B22. A/B test variants for templates
 **Pitch**: A template config can carry 2 variants. The dispatcher
 hash-routes receivers to A or B; the dashboard shows "variant A's response
 time / click rate / receiver mute rate".
 **Effort**: **L**.
 **Tier**: aspirational.
 #### B23. Dark-launch a new template before enabling it
 **Pitch**: "Send-to-sandbox-chat-only" toggle on a template config. The new
 template renders against real events but only goes to one operator's chat
 for 1 week. Then promote to production.
 **Effort**: **M**. Builds on template versioning (B6).
 **Tier**: aspirational.
 #### B24. Scheduled template changes
 **Pitch**: "On 2026-12-25 at 09:00, switch template_config X to draft Y".
 Useful for holiday-themed greetings or batch migrations.
 **Effort**: **M**.
 **Tier**: aspirational.
 #### B25. HA service-call from a Telegram inline button
 **Pitch**: Building on B10. A template renders `{% button hass:light.turn_off
 target=living_room %}`. User clicks → bridge calls HA `light.turn_off`.
 **Effort**: **M** (after B10).
 **Tier**: aspirational.
 ---
 ## Ship-blocker checklist (do not widen user audience without)
 Order is rough priority (top first). Most are also called out in Part A.
 1. **A1** — Webhook idempotency table (Gitea/Planka/generic). Without this,
   one upstream retry storm can double-/quadruple-spray every user.
 2. **A2** — Deferred-dispatch crash window. A redeploy mid-drain duplicates
   every queued notification. Implement either the `dispatch_id`
   pre-commit OR the `in_flight` state machine.
 3. **A3** — Persist Telegram update offset. Same root cause class as A1/A2;
   matters less if A1+A2 are fixed but should land together.
 4. **A4 / B8** — Bot blocked / chat-not-found auto-disable. A user blocking
   the bot must not generate infinite errors.
 5. **A11** — Webhook JSON depth/node cap (mirror the backup guard).
 6. **A9** — Quiet-hours `start == end` confirmation; either accept "always
   quiet" semantics or reject in the API validator.
 7. **A8** — DST handling in quiet-hours overnight window. Verify with
   tests that include known transition timestamps.
 8. **B5** — "Send test message" / template playground. Without this, every
   template edit is a flying blind change against a live system.
 9. **B6** — Template versioning + rollback. Pair with B5.
 10. **A5 / B9** — Forum-thread (topic) routing. Any non-trivial Telegram
    group install needs this.
 11. **B11** — User snooze / mute via bot command. Relief valve when the
    bridge gets too chatty.
 12. **B7** — Bulk operations on trackers / targets / links. Operability
    floor for any install with >10 trackers.
 Everything else in Part B is upside, not a blocker.
@@ -0,0 +1,682 @@
 # Frontend Production-Readiness Review
 Scope: `frontend/src/**` (~26k lines, Svelte 5 runes + SvelteKit). `npm run check`
 passes with exit code 0. The codebase is in good shape overall - i18n EN/RU keys
 are 1:1 in sync (1466 each), Modal/Snackbar overlays follow the `position:fixed`
 + `z-index:9999` convention, no `eval`, no `innerHTML`, no string-interpolated
 `setTimeout`, and the sanitizer (`lib/sanitize.ts`) is a sound DOMParser-based
 allowlist. The issues below are real production risks layered on top of an
 otherwise clean architecture.
 ## Executive Summary
 - **Auth tokens live in `localStorage`** (`lib/api.ts`). Any XSS that bypasses
  the (good) `sanitizePreview` allowlist - or sneaks past it via a future code
  path - exfiltrates both access and refresh tokens. There is no httpOnly-cookie
  alternative, no token rotation on refresh failure, and `redirectToLogin` only
  fires once per session (a leaked refresh token can outlive that flag).
 - **One real provider-hardcoding violation** (`routes/actions/RuleEditor.svelte`)
  breaks the "descriptors only" rule in CLAUDE.md item 8 and silently disables
  the people/album picker for any non-Immich provider - every other page is
  clean.
 - **Caches duplicated into local `$state`** on `notification-trackers`,
  `command-trackers`, and `command-template-configs` pages - the cache is
  populated but the page never re-reads it, so cross-page mutations (search
  palette pre-warming) won't update the list and cache `invalidate()` becomes
  useless. Convention #4 says "always use cache".
 - **Three CRUD pages refetch all entities after every mutation** (full
  `await load()` after upsert/delete) instead of using `cache.upsert()`/
  `remove()` - defeats the optimistic-cache design and produces visible flicker
  on slow connections.
 - **Floating async work + N+1 patterns**: `providers/+page.svelte` fires N
  parallel health checks without an AbortController (state writes continue
  after navigation); `bots/TelegramBotTab.svelte` does a sequential
  `for (const trk of trackers) { await api('/listeners') }` loop.
 - **`backup/+page.svelte` post-restart health poll** keeps recursing for up to
  120s with no unmount guard - if the user navigates away mid-restart, the
  recursive `setTimeout` chain keeps calling `fetch('/api/health')` until it
  reloads the page out from under whatever route they're on.
 - **`api()` 30s timeout is per-request, hard-coded, with no observability** -
  long-running provider operations (Immich bulk fetch, full backup export) hit
  it silently and surface as `AbortError` with no telemetry.
 ---
 ## CRITICAL
 ### C1. JWT tokens stored in `localStorage` - XSS-exfiltratable
 [lib/api.ts:78-91](frontend/src/lib/api.ts#L78-L91)
 ```ts
 function getToken(): string | null {
    return localStorage.getItem('access_token');
 }
 export function setTokens(access: string, refresh: string) {
    localStorage.setItem('access_token', access);
    localStorage.setItem('refresh_token', refresh);
 }
 ```
 Both the short-lived access token and the long-lived refresh token sit in
 `localStorage`. Any successful XSS - including a future template-preview path
 that escapes `sanitizePreview`, a vulnerable third-party CodeMirror extension,
 or a Telegram bot username that ends up unescaped somewhere - reads both with a
 single `localStorage.getItem` call.
 **Fix:** Move to httpOnly + Secure + SameSite=Strict cookies set by the backend.
 If a cookie-based session is infeasible for the deployment model, at minimum
 move the refresh token to an httpOnly cookie and keep only the short-lived
 access token in memory (a module-level `let accessToken` is XSS-readable but
 not persistent across reloads, which limits the exfiltration window).
 ### C2. Provider type hardcoded in `RuleEditor.svelte` (convention violation)
 [routes/actions/RuleEditor.svelte:55-67](frontend/src/routes/actions/RuleEditor.svelte#L55-L67)
 ```ts
 async function loadProviderData() {
    if (actionType !== 'auto_organize') return;
    const provider = providersCache.items.find((p: any) => p.id === providerId);
    if (!provider || provider.type !== 'immich') return;
    ...
 ```
 CLAUDE.md item 8 explicitly forbids `if (type === 'immich')` in components -
 this is the canonical example. As written, adding a second provider with
 auto-organize support (Google Photos, future SmugMug, etc.) is a silent no-op:
 the form renders with empty people/album lists and gives no error.
 **Fix:** Add an `actionTypes` / `peopleFilter` capability flag to
 `ProviderDescriptor`, or add a `supportsAutoOrganize: boolean` discriminator,
 then check `getDescriptor(provider.type)?.supportsAutoOrganize` instead of the
 literal string.
 ---
 ## HIGH
 ### H1. Caches imported but copied into local `$state` - invalidation no-op
 [routes/notification-trackers/+page.svelte:33](frontend/src/routes/notification-trackers/+page.svelte#L33)
 [routes/command-trackers/+page.svelte:27](frontend/src/routes/command-trackers/+page.svelte#L27)
 [routes/command-template-configs/+page.svelte:51](frontend/src/routes/command-template-configs/+page.svelte#L51)
 ```ts
 // notification-trackers - line 33
 let allNotificationTrackers = $state<Tracker[]>([]);
 // ...
 [allNotificationTrackers] = await Promise.all([
    api<Tracker[]>('/notification-trackers'),
    ...
 ]);
 ```
 The cache modules expose `notificationTrackersCache`, `commandTrackersCache`,
 and `commandTemplateConfigsCache` - populated by `+layout.svelte` on mount and
 by the search palette - but these three pages don't read from them. They each
 issue their own `api(...)` call and store the result locally. Side effects:
 1. The cache shows stale data on every other page that reads it (dashboard nav
   counts, search palette).
 2. `commandTemplateConfigsCache.fetch(true)` is called on `command-template-configs`
   `load()` but the result is then re-assigned from the function return value
   into `allCmdTplConfigs` - the cache itself is updated, but the page has no
   reactive link to it.
 3. `cache.upsert()` / `cache.remove()` after mutations would short-circuit a
   full refetch - but with the local-state copy, every save triggers a full
   `await load()` (see H2).
 **Fix:** Replace `let allX = $state([])` with `let allX = $derived(cache.items)`
 (see how `targets/+page.svelte:147` does it correctly) and remove the parallel
 `api()` call.
 ### H2. Full refetch after every mutation - cache.upsert/remove not used
 [routes/providers/+page.svelte:238-250](frontend/src/routes/providers/+page.svelte#L238-L250)
 [routes/actions/+page.svelte:139](frontend/src/routes/actions/+page.svelte#L139)
 [routes/notification-trackers/+page.svelte:291](frontend/src/routes/notification-trackers/+page.svelte#L291)
 [routes/targets/+page.svelte:476](frontend/src/routes/targets/+page.svelte#L476)
 Every save/delete/toggle on these pages calls `cache.invalidate(); await load()`,
 which re-fetches the entire list from the server. The cache exposes
 `upsert(entity)` and `remove(id)` for exactly this case - the server already
 returned the new entity (or 204), so the round-trip is wasted bandwidth and
 produces a visible "list redraws" flash on slow links.
 **Fix:** On POST/PUT response, `cache.upsert(savedEntity)`. On DELETE,
 `cache.remove(id)`. Reserve `invalidate()` + `fetch()` for cases where the
 mutation may have changed *other* entities (e.g. broadcast target updates
 affect children).
 ### H3. Provider health checks fire-and-forget - leak past navigation
 [routes/providers/+page.svelte:175-181](frontend/src/routes/providers/+page.svelte#L175-L181)
 ```ts
 for (const p of allProviders) {
    health = { ...health, [p.id]: null };
    api(`/providers/${p.id}/test`, { method: 'POST' })
        .then((r: any) => { health = { ...health, [p.id]: r.ok }; })
        .catch(() => { health = { ...health, [p.id]: false }; });
 }
 ```
 No `AbortController`, no unmount guard. If the user navigates away while N
 slow Immich/Gitea probes are inflight, every probe still resolves and tries to
 write to the (now-detached) `health` `$state`. With Svelte 5 runes this won't
 crash, but it does waste backend connections (Immich health checks call the
 real API) and may trigger duplicate probes on quick back/forward navigation.
 **Fix:** Pass `{ signal: controller.signal }` to `api()` (already supported -
 see `lib/api.ts:150`), abort in `onDestroy`. Or use `cache.probeAll()` driven
 from a single store so revisiting the page reuses the previous result.
 ### H4. Sequential awaits for independent fetches - N+1 in TelegramBotTab
 [routes/bots/TelegramBotTab.svelte:215-223](frontend/src/routes/bots/TelegramBotTab.svelte#L215-L223)
 ```ts
 const trackers = await api<CommandTrackerSummary[]>('/command-trackers');
 const matched: CommandTrackerSummary[] = [];
 for (const trk of trackers) {
    try {
        const listeners = await api<ListenerEntry[]>(`/command-trackers/${trk.id}/listeners`);
        const hasBot = listeners.some(...);
        if (hasBot) matched.push(trk);
    } catch (e) { console.warn(...); }
 }
 ```
 For a deployment with 20 command trackers, opening the listener section on a
 bot triggers 20 serial `GET /command-trackers/{id}/listeners` requests -
 visibly slow over a high-latency link.
 **Fix:** Either expose a single backend endpoint
 (`GET /command-trackers/listeners?bot_id=X`) or run the loop through
 `Promise.all(trackers.map(trk => api(...).catch(() => null)))` and filter
 afterwards.
 ### H5. Post-restart health poll keeps running after unmount
 [routes/settings/backup/+page.svelte:117-139](frontend/src/routes/settings/backup/+page.svelte#L117-L139)
 ```ts
 async function applyAndRestart(): Promise<void> {
    await api('/backup/apply-restart', { method: 'POST' });
    restartingOverlay = true;
    const startedAt = Date.now();
    let attempts = 0;
    const poll = async (): Promise<void> => {
        attempts += 1;
        try {
            const res = await fetch('/api/health');
            if (res.ok && Date.now() - startedAt > 2000) {
                window.location.reload();
                return;
            }
        } catch { /* still down */ }
        if (attempts < 120) setTimeout(poll, 1000);
    };
    setTimeout(poll, 1500);
 }
 ```
 The recursive `setTimeout(poll, 1000)` chain has no cancellation. If the user
 navigates to another route between `apply-restart` and the next health probe,
 the chain keeps firing for up to 120s and eventually calls
 `window.location.reload()` from a route the user has since moved away from.
 Side effects:
 1. Unauthenticated `fetch('/api/health')` calls keep going while the user is
   on `/login`.
 2. A user who hit "restart later" on a different tab will still get reloaded
   from the original tab's poll.
 **Fix:** Capture `controller = new AbortController()` and pass to `fetch`,
 `onDestroy(() => controller.abort())`. Also store the timeout handle and
 `clearTimeout` it on destroy.
 ### H6. Token refresh races with logout in a sneaky edge
 [lib/api.ts:97-127](frontend/src/lib/api.ts#L97-L127)
 The dedupe via `refreshPromise` is correct *for the refresh itself*, but the
 outer `api()` reads `getToken()` before awaiting `refreshAccessToken()`. Three
 concurrent requests that all 401 will all queue on the same refresh promise,
 then *all* retry - fine. But if the refresh succeeds and an unrelated
 `clearTokens()` (from `logout()`) fires between the refresh resolving and the
 retry running, the retry uses an empty `Authorization: Bearer ` header. The
 result is "ApiError: HTTP 401" surfaced via snackbar even though the redirect
 to `/login` already happened.
 **Fix:** Either re-check `isAuthenticated()` immediately before the retry, or
 make `clearTokens()` cancel an inflight `refreshPromise`.
 ### H7. `AuthRedirectError` is thrown but not consistently caught
 [lib/api.ts:165-170](frontend/src/lib/api.ts#L165-L170)
 Most pages use the pattern `catch (err: unknown) { snackError(errMsg(err)); }` -
 which catches `AuthRedirectError` too and shows "Unauthorized - redirecting
 to login" in a snackbar that the user sees *as* the route changes. The error
 class exists specifically to be distinguished, but only one or two call sites
 actually check `instanceof AuthRedirectError` before showing a snackbar.
 **Fix:** Make `errMsg()` (or a new helper) return `null` for `AuthRedirectError`
 and have snackbar helpers ignore null messages. Or filter in the snackbar
 store.
 ### H8. `api()` JSON-decode failure path swallowed silently
 [lib/api.ts:189](frontend/src/lib/api.ts#L189)
 ```ts
 return res.json();
 ```
 When the backend returns a `200 OK` with a non-JSON body (proxy error page,
 HTML 502 from a misconfigured reverse proxy in front), `res.json()` rejects
 with a `SyntaxError: Unexpected token < in JSON at position 0`. The page
 shows the raw parser message in a snackbar, which is confusing UX.
 **Fix:** Wrap `res.json()` in try/catch and throw a typed `ApiError("Backend
 returned non-JSON response", 502)` so the UI can show a clean message.
 ### H9. Email/Matrix bot tabs strip secrets via `as any`
 [routes/bots/EmailBotTab.svelte:84](frontend/src/routes/bots/EmailBotTab.svelte#L84)
 [routes/bots/MatrixBotTab.svelte:79](frontend/src/routes/bots/MatrixBotTab.svelte#L79)
 ```ts
 if (!body.smtp_password) delete (body as any).smtp_password;
 if (editingMatrix && !body.access_token) delete (body as any).access_token;
 ```
 The `as any` bypass exists because the body type doesn't allow `delete` on a
 required field. The intent - "don't send a blank secret which would overwrite
 the stored one" - is correct, but the cast hides a real risk: if the field
 name ever changes (`smtp_password` -> `smtpPassword`), the `delete` is a no-op
 and the blank field is sent.
 **Fix:** Build `body` as `Partial<...>` from the start and only conditionally
 include the secret field.
 ### H10. `template-configs` hardcodes a slot name
 [routes/template-configs/+page.svelte:228](frontend/src/routes/template-configs/+page.svelte#L228)
 ```ts
 .map(s => ({ key: s.name, label: ..., rows: s.name === 'message_assets_added' ? 10 : 3, isDateFormat: false }))
 ```
 Special-casing one Immich slot name inside a provider-agnostic component is
 the same pattern CLAUDE.md item 8 forbids for components, scoped to template
 configs. Other providers' "large" slots (Gitea PR descriptions, Planka card
 content) would render in 3-row editors that the author probably didn't intend.
 **Fix:** Add a `rows?: number` field to the backend slot definition and read
 it via `notification_slots[].rows`.
 ---
 ## MEDIUM
 ### M1. Three placeholder strings hardcoded English in shared components
 [lib/components/EntitySelect.svelte:18](frontend/src/lib/components/EntitySelect.svelte#L18)
 [lib/components/IconGridSelect.svelte:16](frontend/src/lib/components/IconGridSelect.svelte#L16)
 [lib/components/MultiEntitySelect.svelte:16](frontend/src/lib/components/MultiEntitySelect.svelte#L16)
 ```ts
 placeholder = 'Select...',
 ```
 These defaults render `Select...` in RU locale when a caller doesn't pass an
 explicit placeholder. The convention (CLAUDE.md item 5) prescribes plain text
 selectors but says nothing about translation - these still need to flow through
 `t()`.
 **Fix:** Move the default into the template: `placeholder = $props().placeholder
 ?? t('common.selectPlaceholder')`, with `common.selectPlaceholder` added to
 both locales.
 ### M2. `EntitySelect.noneLabel` defaults to a decorative em-dash literal
 [lib/components/EntitySelect.svelte:20](frontend/src/lib/components/EntitySelect.svelte#L20)
 ```
 noneLabel = (em-dash literal),
 ```
 CLAUDE.md item 5 calls out decorative dashes specifically. `LinkedTargetsSection`
 already overrides this with `t('common.noneDefault')` (good), but other
 consumers that do not override get the bare em-dash. It also fails the
 localizable smell test.
 **Fix:** Default to `t('common.none')`.
 ### M3. `lib/auth.svelte.ts` logout does a full page reload, losing UX continuity
 [lib/auth.svelte.ts:54-61](frontend/src/lib/auth.svelte.ts#L54-L61)
 ```ts
 export function logout() {
    clearTokens();
    clearAllCaches();
    user = null;
    if (typeof window !== 'undefined') {
        window.location.href = '/login';
    }
 }
 ```
 `window.location.href` triggers a hard reload - the SvelteKit router exists
 specifically to avoid this. Side effects: any inflight requests get cancelled
 without proper cleanup, the splash-loader flashes between the two pages, and
 the search-palette / overlays do not get a chance to close gracefully.
 **Fix:** `goto('/login', { invalidateAll: true, replaceState: true })`.
 ### M4. `+layout.svelte` auto-expand `$effect` writes during read
 [routes/+layout.svelte:336-342](frontend/src/routes/+layout.svelte#L336-L342)
 The effect reads `expandedGroups` (via `expandedGroups[entry.key]`) and writes
 to `expandedGroups`. Svelte 5 dedupes the write back to the same set of keys,
 but the pattern is fragile - adding any side effect that re-derives from
 `expandedGroups` here would loop. It also persists to localStorage in
 `toggleGroup` but not from this effect - so auto-expansion stays in memory only.
 **Fix:** Compute the next state in a single pass and write once; either
 include the localStorage save, or move the auto-expand into the initial
 hydration block.
 ### M5. `commandTemplateConfigsCache.fetch(true)` result discarded; cache populated but unused
 [routes/command-template-configs/+page.svelte:208](frontend/src/routes/command-template-configs/+page.svelte#L208)
 The `Promise.all` destructures `cfgs` from `commandTemplateConfigsCache.fetch(true)`
 but then writes `allCmdTplConfigs = cfgs` instead of $derived-reading the cache.
 The cache is updated (good) but this page never reads it (bad - see H1).
 **Fix:** Same fix as H1 - use `$derived(commandTemplateConfigsCache.items)`.
 ### M6. Dashboard search debounce timeout not cleared on filter change
 [routes/+page.svelte:268-272](frontend/src/routes/+page.svelte#L268-L272)
 If the user changes the type/provider filter (`applyFilters` runs synchronously
 from the `$effect` at line 249) while a search debounce is pending, the pending
 timeout still fires 300ms later and triggers an identical request. Not a leak,
 just a wasted call.
 **Fix:** Clear `searchTimeout` from `applyFilters()` as well.
 ### M7. Dashboard `Promise.all` destructure uses empty middle slot
 [routes/+page.svelte:283-287](frontend/src/routes/+page.svelte#L283-L287)
 ```ts
 const [statusRes, , chartRes] = await Promise.all([
    api<DashboardStatus>(`/status?limit=${eventsLimit}`),
    providersCache.fetch(),
    api<{ days: ... }>('/status/chart'),
 ]);
 ```
 The empty middle slot is brittle - anyone reordering for readability silently
 swaps `statusRes` and `chartRes`. Trivially avoided.
 **Fix:** Either await `providersCache.fetch()` separately (it caches anyway),
 or `const [statusRes, _providers, chartRes] = ...` with an explicit `_providers`
 local.
 ### M8. `actions/+page.svelte` derives `actionTypes` from a function-in-derived
 [routes/actions/+page.svelte:78-81](frontend/src/routes/actions/+page.svelte#L78-L81)
 ```ts
 let actionTypes = $derived((() => {
    const caps = capabilitiesCache.items[selectedProviderType];
    return caps?.action_types || [];
 })());
 ```
 The IIFE is unnecessary; `$derived` already runs the expression on every
 dependency change. Reads as a refactor leftover.
 **Fix:** `let actionTypes = $derived(capabilitiesCache.items[selectedProviderType]?.action_types ?? []);`
 ### M9. `RuleEditor.svelte` mutates rule object in `toggleRule` then sends to API
 [routes/actions/RuleEditor.svelte:105-108](frontend/src/routes/actions/RuleEditor.svelte#L105-L108)
 ```ts
 async function toggleRule(rule: ActionRule) {
    rule.enabled = !rule.enabled;
    await updateRule(rule);
 }
 ```
 Direct mutation of the prop violates the immutability rule (coding-style.md).
 If the API call fails, the local state is already flipped - the UI shows the
 new value even though the server still has the old one.
 **Fix:** `await updateRule({ ...rule, enabled: !rule.enabled })`. After
 successful response, `await loadRules()` (already happens) re-syncs.
 ### M10. `+layout.svelte` filter functions use `as any[]` four times
 [routes/+layout.svelte:145-151](frontend/src/routes/+layout.svelte#L145-L151)
 ```ts
 notification_trackers: filterById(notificationTrackersCache.items as any[]).length,
 ```
 The cast exists because `filterById<T extends { provider_id?: number }>` is
 narrower than the cache item types. The proper fix is a single base interface
 `{ provider_id?: number }` on the relevant types so the cast goes away.
 ### M11. `setLocale` does not update `<html lang>` attr
 [lib/i18n/index.svelte.ts:31-36](frontend/src/lib/i18n/index.svelte.ts#L31-L36)
 Screen readers and browser translation extensions rely on `<html lang="en">`.
 The app never sets it, so switching to RU leaves accessibility tooling thinking
 the page is still English.
 **Fix:** `document.documentElement.lang = locale` in `setLocale`.
 ### M12. `Modal.svelte` focus restore does not verify element still in DOM
 [lib/components/Modal.svelte:43-45](frontend/src/lib/components/Modal.svelte#L43-L45)
 If the previously focused element has been removed from the DOM between modal
 open and close (common with optimistic UI updates that rerender the source
 button), `.focus()` is a silent no-op on a detached node. Focus ends up on
 `<body>` and the next Tab restarts from the top of the page.
 **Fix:** `if (... && document.contains(previouslyFocused)) previouslyFocused.focus()`,
 else focus a sensible fallback (the trigger that opened the page).
 ### M13. TimezoneSelector ticks at 1s - wakes the event loop forever
 [lib/components/TimezoneSelector.svelte:33-37](frontend/src/lib/components/TimezoneSelector.svelte#L33-L37)
 ```ts
 let tickHandle: ReturnType<typeof setInterval> | null = null;
 onMount(() => {
    tickHandle = setInterval(() => { now = new Date(); }, 1000);
 });
 ```
 A 1Hz tick is fine for visible UI; the issue is it keeps running even when
 the selector dropdown is closed (the time display is only visible when the
 dropdown is open). Battery impact is non-trivial on mobile for what is
 essentially a hidden component.
 **Fix:** Start/stop the interval based on `open` state, or use
 `requestAnimationFrame` driven by `IntersectionObserver`.
 ### M14. Backup file download builds blob from JSON without size guard
 [routes/settings/backup/+page.svelte:269-281](frontend/src/routes/settings/backup/+page.svelte#L269-L281)
 ```ts
 const data = await api(`/backup/files/${filename}`);
 const blob = new Blob([JSON.stringify(data, null, 2)], { type: 'application/json' });
 ```
 For a deployment with hundreds of providers/trackers, the JSON serialization
 of the entire backup happens in-memory in a single string before the Blob
 constructor - wasted memory peak and a frozen tab on slow machines. Worse,
 `api()` parses the JSON and then `JSON.stringify` re-serializes it.
 **Fix:** Use `fetchAuth()` for the download path and pipe the response stream
 straight into a Blob (`new Blob([await res.arrayBuffer()])`).
 ### M15. Modal focus-trap query selector includes disabled inputs
 [lib/components/Modal.svelte:62-67](frontend/src/lib/components/Modal.svelte#L62-L67)
 Re-querying the DOM on every Tab keystroke is OK but means disabled inputs
 (common in long forms with submit-in-progress) are included in the trap and
 focus can land on them. The selector should add `:not([disabled])`.
 ### M16. i18n resolve uses any for the recursion accumulator
 [lib/i18n/index.svelte.ts:55-62](frontend/src/lib/i18n/index.svelte.ts#L55-L62)
 ```ts
 function resolve(obj: any, path: string): string | undefined {
 ```
 `obj: unknown` plus a runtime check would let TS narrow `current` properly and
 catch the case where someone accidentally passes a `string` (returns undefined
 silently today).
 ### M17. Tracker name auto-set string concat - English-only
 [routes/notification-trackers/+page.svelte:82-84](frontend/src/routes/notification-trackers/+page.svelte#L82-L84)
 [routes/command-trackers/+page.svelte:69-71](frontend/src/routes/command-trackers/+page.svelte#L69-L71)
 ```ts
 form.name = provider ? `${provider.name} Tracker` : 'Tracker';
 form.name = provider ? `${provider.name} Commands` : 'Commands';
 ```
 Defaults the tracker name to "Provider Name Tracker" / "Provider Name Commands"
 - only English. Russian users get an English suffix on the auto-generated
 name. Inconsistent with the rest of the i18n discipline.
 **Fix:** Use `t('notificationTracker.defaultName').replace('{name}', provider.name)`.
 ### M18. topbar-action store not cleared on auth state change
 [routes/providers/+page.svelte:160-167](frontend/src/routes/providers/+page.svelte#L160)
 Each page sets a topbar CTA in `onMount` and clears it in `onDestroy`. If
 `logout()` is called from inside the page (via the search palette, etc.), the
 page never destroys cleanly and the topbar action sticks into the login screen.
 Defensive `topbarAction.clear()` in `logout()` would plug this.
 ### M19. Many `: any` and `as any` types in critical paths
 [routes/users/+page.svelte:62](frontend/src/routes/users/+page.svelte#L62)
 [routes/command-trackers/+page.svelte:27](frontend/src/routes/command-trackers/+page.svelte#L27)
 [routes/providers/+page.svelte:179](frontend/src/routes/providers/+page.svelte#L179)
 [lib/providers/types.ts:120](frontend/src/lib/providers/types.ts#L120)
 64 occurrences of `: any` / `as any` across 20 files. None are in
 security-sensitive paths, but they remove type safety in exactly the call
 sites that shape API requests (`body: any = { ... }`). Recommended cleanup
 task, not a blocker.
 ---
 ## LOW
 ### L1. +page.svelte event types hardcoded in three parallel maps
 [routes/+page.svelte:475-512](frontend/src/routes/+page.svelte#L475-L512)
 `eventLabels`, `eventIcons`, and `eventGradients` are three parallel dicts
 keyed by the same set of strings. Adding a new event type requires editing
 three places (plus i18n). A single `EVENT_META` object would be more
 maintainable.
 ### L2. TestMenu.svelte uses z-index 9998 instead of 9999
 [routes/notification-trackers/TestMenu.svelte:25](frontend/src/routes/notification-trackers/TestMenu.svelte#L25)
 ```svelte
 <div style="position:fixed; top:0; left:0; right:0; bottom:0; z-index:9998;"
 ```
 The convention says 9999 for overlays. Using 9998 was probably intentional
 (so the menu sits above the backdrop), but the cleaner pattern is to give the
 backdrop a slightly lower stacking context inside the same parent.
 ### L3. console.warn left in production-bound code
 14 `console.warn`/`console.error` occurrences. Most are guarded by a
 "failed to load" + UI fallback - legitimate debug noise. Recommend wiring to
 a structured logger before public release; current state is acceptable for an
 internal tool but spam-prone in DevTools.
 ### L4. Dashboard setTimeout(animateCount, 200) is uncancelled
 [routes/+page.svelte:290-299](frontend/src/routes/+page.svelte#L290-L299)
 The 200ms delay before triggering count animations is uncancelled. Navigating
 away during the first 200ms means the count animation `requestAnimationFrame`
 chain still runs against a stale `status` reference. Cosmetic only.
 ### L5. app.html inline theme bootstrap reads localStorage without try/catch
 [src/app.html:12](frontend/src/app.html#L12)
 Theme is hydrated synchronously in `<head>` to avoid FOUC - fine - but if
 localStorage is blocked (Safari private mode, some enterprise policies) the
 inline script throws and the rest of the head bootstrap may be skipped.
 ### L6. EventChart computes activeTypes and hasData from same loop twice
 [lib/components/EventChart.svelte:46-49](frontend/src/lib/components/EventChart.svelte#L46-L49)
 `hasData` and `activeTypes` traverse the same data twice. Single-pass
 derivation would be cheaper for the rare "many days of events" case.
 ### L7. Single-letter t shadowing in +layout.svelte
 `+layout.svelte:140` uses `for (const t of targets)` inside `navCounts`, which
 shadows the imported i18n function `t`. Svelte 5 does not flag it (inner scope
 wins), but it confuses search/grep and breaks IDE go-to-definition. Several
 other pages use single-letter `t` as iteration var (`actions/+page.svelte`,
 `command-trackers/+page.svelte`, `targets/+page.svelte`). Recommend `target` /
 `tracker` for legibility.
 ---
 ## Notes & non-findings
 - **Modal overlay convention** (CLAUDE.md #2): Modal.svelte, Snackbar,
  IconPicker, IconGridSelect, MultiEntitySelect, EntitySelect, TimezoneSelector,
  EventChart, Hint, SearchPalette, and TestMenu all use `position:fixed` with
  `z-index: 9999` (or 9998 for the TestMenu backdrop - see L2). Convention
  upheld.
 - **@html usage** - only three call sites, all pipe through `sanitizePreview`,
  which is a DOMParser-based allowlist limited to `B`, `I`, `CODE`, `PRE`, `A`,
  `BR` with `https?://` href validation. Safe.
 - **i18n parity**: EN and RU JSON have the exact same 1466 keys - no orphans.
 - **Selector placeholders**: `LinkedTargetsSection` correctly uses
  `t('common.noneDefault')`, no em-dash leaks in user-facing flows (only
  defaults inside shared components - see M1/M2).
 - **svelte-check passes** (exit 0) - no type errors at the strict level the
  project compiles with.
 - **No eval, new Function, or string-setTimeout**: dynamic code execution
  surface is clean.
 - **No var declarations**, no `==` (loose equality) outside generated CSS.
 - **AbortController usage**: present in `lib/api.ts` for the canonical fetch
  wrapper - the rest of the codebase could lean on it more (see H3, H5).
@@ -0,0 +1,436 @@
 # Performance & Database Review — `service-to-notification-bridge`
 **Scope:** entire repo at `c:\Users\Alexei\Documents\service-to-notification-bridge`
 **Backend:** FastAPI + SQLAlchemy async + SQLModel on SQLite (Postgres-compatible URL, but only SQLite branch is exercised in code).
 **Frontend:** SvelteKit 5 (runes) static build served by the same FastAPI process.
 **Reviewer:** Claude Opus 4.7 (1M context)
 ---
 ## Executive summary
 1. **Indexing is in good shape.** FK columns and the dashboard/webhook hot paths have explicit composite indexes (`ix_event_log_user_created`, `ix_event_log_user_event_type_created`, `ix_deferred_dispatch_status_fire_at`, partial `ux_deferred_dispatch_pending`). The bulk of the "missing index" risk is already mitigated.
 2. **No real migration tool.** The project runs a hand-rolled, 1880-line, idempotent migration script on every boot. It works, but it's brittle, slow on cold start, has no down-migrations, and the table-rebuild branches lose indexes silently. Move to Alembic before the next major schema change.
 3. **`create_all` is still the source-of-truth for new schemas** (engine.py:63). That's an anti-pattern next to migration tooling: schema drift can silently appear between fresh installs and upgraded installs.
 4. **Two real N+1 risks remain.** `_tracker_response` (notification_trackers.py:286-291) calls `_tt_response` per link, and `_refresh_telegram_chat_titles` (scheduler.py:229) issues per-chat `getChat` calls without bot-level batching guards. The big one in `load_link_data` was already fixed (good).
 5. **SQLite PRAGMAs are mostly right but pool sizing is wrong.** WAL, `synchronous=NORMAL`, FK enforcement, busy_timeout, temp_store=MEMORY are all set. Missing: `cache_size`, `mmap_size`. The async engine uses SQLAlchemy's default pool with multiple writer connections — under WAL that still serializes, but it raises spurious BUSY pressure on long transactions (see #M3).
 6. **Event-log retention exists and is correct** (30-day default, cron at 03:00 UTC), but `retention_days=0` disables it silently and there is no archival, no per-tenant cap, no row-count metric exposed to operators.
 7. **Memory leak risk: `_dirty_bots`, `_last_update_id`, `_last_webhook_reclaim_at`, `_adaptive_state`, `_adaptive_max_skip`** in command_sync.py, telegram_poller.py, scheduler.py are unbounded module-level dicts. In a long-running process they grow without ever shrinking when entities are deleted.
 8. **Frontend has no virtualization on long lists** — dashboard event stream, tracker history, target list. On a tenant with thousands of events the dashboard `{#each status.recent_events}` (with `(event.id)` key) still renders the whole page-set into DOM and re-runs derivations on every refresh.
 ---
 ## CRITICAL
 ### C1. `create_all` is the schema-of-record for new installs ([engine.py:60](packages/server/src/notify_bridge_server/database/engine.py))
 ```python
 async def init_db() -> None:
    engine = get_engine()
    async with engine.begin() as conn:
        await conn.run_sync(SQLModel.metadata.create_all)
 ```
 **What's wrong:** `init_db()` runs unconditionally on every boot before the migration script. New installs get the *current* model's CREATE TABLE statements — including FK declarations like `ondelete=SET NULL` — while upgraded installs only get what the (one-way) `migrate_*` scripts manage to inject via `ALTER TABLE`. Several migrations explicitly admit "this only takes effect on freshly created tables" (e.g. `migrate_eventlog_provider_fk` is a documented no-op). That means **the schema drift between a fresh install and a 6-month-old install is real and undocumented.**
 **Impact:** stability — subtle bugs that reproduce only on upgraded installs (FK enforcement, cascade behavior, partial UNIQUE indexes); ops — restoring a backup from a fresh install onto an upgraded box, or vice-versa, can change observable behaviour.
 **Fix:**
 1. Adopt Alembic with autogenerate-from-models, lock the baseline migration to the current `SQLModel.metadata`, and stop calling `create_all` in production startup.
 2. Keep the hand-rolled `migrate_*` chain as legacy data-migrations only (idempotent, runs once, then removed).
 3. Add a CI check: spin up empty DB → run migrations → diff against `SQLModel.metadata` → fail if non-empty.
 ---
 ### C2. `migrate_schema` runs ~30+ idempotent `PRAGMA table_info` + ALTER probes on every cold start ([migrations.py:67-427](packages/server/src/notify_bridge_server/database/migrations.py))
 `_has_column` issues a `PRAGMA table_info('<table>')` per check; `migrate_schema` calls it dozens of times serially inside one transaction. On a cold start this is the dominant boot latency. Worse, it forces a write txn on every boot even when nothing changes (because each migration opens `engine.begin()`).
 **Impact:** startup cost — visible on Raspberry-Pi / NAS deployments; SQLite WAL checkpoint pressure on every boot when nothing changed; readiness probe grace window must accommodate this.
 **Fix:**
 1. Wire `schema_version` (already exists, `CURRENT_SCHEMA_VERSION=1`) as a real short-circuit — at the top of every `migrate_*`, return immediately if `schema_version >= N` for that migration.
 2. Cache `PRAGMA table_info` results within a single migration run.
 3. Better long-term: replace with Alembic; you already have the version table.
 ---
 ### C3. `_install_sqlite_pragmas` only fires on engine-pool `connect`, not when SQLAlchemy reuses pooled connections from a different event loop ([engine.py:18-38](packages/server/src/notify_bridge_server/database/engine.py))
 The `@event.listens_for(engine.sync_engine, "connect")` hook only runs at connection creation. The default `aiosqlite` pool reuses connections — that's fine — but `connect_args["timeout"]=30` clashes with the in-PRAGMA `busy_timeout=10000` (10 s). Two different timeout settings is confusing and the lower wins.
 **Impact:** stability under contention — under sustained writer contention you get `SQLITE_BUSY` *much* sooner than expected. The 30-s connect_args timeout is for connection *open*, the 10-s busy_timeout is what governs lock contention; users see "database is locked" errors after 10 s, not 30.
 **Fix:** standardize on busy_timeout (raise to 30 s to match `connect_args`, or drop one and keep the other). Document the chosen value in a constant. Also add:
 ```python
 cur.execute("PRAGMA cache_size=-65536")   # 64 MiB negative = kibibytes
 cur.execute("PRAGMA mmap_size=268435456") # 256 MiB
 cur.execute("PRAGMA wal_autocheckpoint=1000")
 ```
 The 100k-asset album write pattern (`asset_ids` JSON blob) benefits significantly from a larger page cache and mmap; current defaults force a lot of SQLite-internal I/O.
 ---
 ## HIGH
 ### H1. Frontend dashboard event-stream lacks virtualization & double-fetches on filter changes ([+page.svelte:739](frontend/src/routes/+page.svelte))
 `{#each status.recent_events as event, i (event.id)}` is keyed (good), but the page renders every event row with rich nested components (`EventDetailModal`, `MdiIcon`, etc.) for every paginate-back/forward. There's no row virtualization and the same data fetches re-run on every filter mutation (search input has a 300 ms debounce in `onSearchInput`, but `filterEventType`, `filterProviderId`, `filterSort`, `refreshSeconds` do not).
 **Impact:** UX — choppy on tenants with 50+ events/page, perceptible filter-flicker; CPU — derivation cost on every status refresh.
 **Fix:**
 1. Wrap the events list in a tiny windowing component (svelte-virtual or a simple offset/limit windowed view — the API already supports it).
 2. Debounce the entire filter-change branch, not just the search input (`$effect(() => { if (settled) { reload() }})` with a 100 ms guard).
 3. The provider count map (`provider_event_counts`) is computed server-side for *all* matching events on every page request; cache it for `(user_id, filters)` in a 30-s in-memory dict server-side (see also #M2).
 ---
 ### H2. `provider_event_counts` aggregate query runs unbounded GROUP BY on every dashboard request ([status.py:84-103](packages/server/src/notify_bridge_server/api/status.py))
 ```python
 provider_counts_query = (
    select(
        EventLog.provider_id,
        EventLog.provider_name,
        func.sum(func.coalesce(EventLog.assets_count, 1)).label("total"),
    )
    .where(EventLog.user_id == user.id)
    .group_by(EventLog.provider_id, EventLog.provider_name)
 )
 ```
 Every dashboard load (every 10–60 s by default — see `refreshIntervalItems`) runs `GROUP BY provider_id, provider_name` over *every* event the user ever owned. At 90 days × ~1 event/min/tracker this is hundreds of thousands of rows scanned per refresh per logged-in user.
 **Impact:** latency — SQLite forces a full table scan + sort here because the only composite index is `(user_id, event_type, created_at DESC)`; cost — burns CPU on the bridge box for a metric that changes very slowly.
 **Fix:**
 1. Add `ix_event_log_user_provider (user_id, provider_id)` so the GROUP BY can be index-only.
 2. Cache the result for `(user_id, filter_signature)` for 30 s in the same in-memory cache as #H1.
 3. Long-term: materialize per-provider counts into an `event_counter` table maintained by triggers or an APScheduler job. The dashboard then reads at most a dozen rows.
 ---
 ### H3. `_tracker_response` issues one query per tracker-target link ([notification_trackers.py:286-291](packages/server/src/notify_bridge_server/api/notification_trackers.py))
 ```python
 async def _tracker_response(session: AsyncSession, t: NotificationTracker) -> dict:
    result = await session.exec(
        select(NotificationTrackerTarget).where(NotificationTrackerTarget.tracker_id == t.id)
    )
    tracker_targets = [await _tt_response(session, tt) for tt in result.all()]
 ```
 `_tt_response` (in notification_tracker_targets.py:12 — has 12 distinct `select`/`session.get` references) issues per-link follow-up SELECTs. Called from `create`, `update`, `delete` and `trigger` for a single tracker, so the practical N is small — but `_tt_response` is also called inside the bulk `list_notification_trackers` loop's downstream consumers, and any future bulk endpoint will multiply this badly.
 **Impact:** latency on POST/PATCH responses; future regression risk.
 **Fix:** rewrite `_tt_response` to accept pre-fetched maps (mirror the pattern in `dispatch_helpers.load_link_data`). Or, simpler: write a single eager-load helper using `selectinload(NotificationTrackerTarget.target)` once `relationship()` mappers are declared on the models.
 ---
 ### H4. `load_link_data` does not eagerly load target.config related entities — relies on `dict(target.config)` snapshotting ([dispatch_helpers.py:539-747](packages/server/src/notify_bridge_server/services/dispatch_helpers.py))
 The function batch-loads receivers, telegram_chats, email_bots, matrix_bots up-front, but the broadcast-expansion branch in the active_links loop still issues `_resolve_target` per child target (line 715). That `_resolve_target` is called with all the pre-fetched maps, so it doesn't *query* per call — but it does build a fresh `target_config` dict per child. With a broadcast target containing 50 children fanning out 100 events/min this is constant garbage collection pressure.
 **Impact:** GC pressure under load; not a correctness problem.
 **Fix:** none required short-term. Long-term, add `selectinload` declarations on the relationship model so SQLAlchemy can co-fetch the chain. The code path is already well-batched.
 ---
 ### H5. `aiohttp.ClientSession` is constructed per-call inside `NotificationDispatcher._session_ctx` when no shared session is provided ([dispatcher.py:117-123](packages/core/src/notify_bridge_core/notifications/dispatcher.py))
 ```python
@contextlib.asynccontextmanager
 async def _session_ctx(self) -> AsyncIterator[aiohttp.ClientSession]:
    if self._shared_session is not None and not self._shared_session.closed:
        yield self._shared_session
        return
    async with _new_session() as session:
        yield session
 ```
 In server-side code paths (watcher, event_dispatch, deferred_dispatch) a shared session is always passed in, so this is harmless. But unit tests, the CLI, and any direct library user that instantiates `NotificationDispatcher` without a session pays the cost. Worse, the per-dispatch session creates a fresh TCP pool, fresh DNS resolver — defeating connection reuse to Telegram / Discord webhook hosts.
 **Impact:** test slowness; correctness if a non-server consumer ever ships.
 **Fix:** require the `session` parameter (`session: aiohttp.ClientSession` not `| None`). Or have the dispatcher lazily attach to a module-level `_default_session` cached by event loop id.
 ---
 ### H6. `WebhookPayloadLog` is pruned per-insert via a sub-select but the prune query has no UNIQUE/partial protection against duplicate inserts ([webhooks.py:404-418](packages/server/src/notify_bridge_server/api/webhooks.py))
 The "keep newest `max_count` per provider, delete the rest" pattern uses `select(...).order_by(created_at DESC).limit(max_count)` as a subquery. Under SQLite this materializes the top-N then negates it — fine when max_count is 20. But this runs on every inbound webhook. For a busy Gitea/HA installation that's 60+ writes/min, each with a delete-by-sub-select. The `ix_webhook_payload_log_provider_created` index makes the read cheap, but the DELETE still rewrites pages.
 **Impact:** write amplification on busy webhook tenants.
 **Fix:** keep the prune but make it probabilistic — only run with `random.random() < 0.1` (10% chance per insert). The cap still holds in steady state, but the per-write cost drops 10×.
 ---
 ### H7. No retention/archival for `notification_tracker_state` and `deferred_dispatch` "fired"/"dropped" rows ([scheduler.py:332-364](packages/server/src/notify_bridge_server/services/scheduler.py))
 `_cleanup_old_events` deletes `event_log`, `webhook_payload_log`, `action_execution` older than retention days. `deferred_dispatch` rows with `status IN ('fired', 'dropped')` are never deleted. `notification_tracker_state.asset_ids` for an immich tracker watching a deleted collection is also never reaped.
 **Impact:** unbounded growth on long-running installs; `asset_ids` JSON blobs can be megabytes per collection.
 **Fix:** extend `_cleanup_old_events` to also delete `DeferredDispatch.status != 'pending' AND fired_at < cutoff`. Add a separate housekeeping job that prunes `NotificationTrackerState` rows whose `collection_id` is no longer in `NotificationTracker.collection_ids`.
 ---
 ## MEDIUM
 ### M1. Sentinel value `bot_id=0` is a footgun ([models.py:69-73](packages/server/src/notify_bridge_server/database/models.py))
 ```python
 # bot_id=0 is a sentinel meaning "Telegram has not yet returned a numeric
 # ID for this bot" (i.e. token never validated). Multiple unverified bots
 # may legitimately carry 0, so we only enforce uniqueness for non-sentinel
 # values via a partial index added in migrate_uniqueness_constraints.
 bot_id: int = Field(default=0, index=True)
 ```
 Sentinel values on indexed columns hurt index selectivity (every unvalidated bot is the same row from the planner's perspective) and create maintenance burden. Worse, every code path that looks up by `bot_id` must remember to filter `bot_id != 0`.
 **Impact:** maintainability; latent bug surface (one missed `!= 0` filter and an unverified bot is silently re-used).
 **Fix:** change `bot_id: int | None` defaulting to None, drop the sentinel.
 ---
 ### M2. No request-scoped cache for `user.id` lookups inside one request ([api/*.py, throughout](packages/server/src/notify_bridge_server/api/))
 The same `get_current_user` dependency runs JWT validation + a `session.get(User, id)` on every request. Many endpoints then do their *own* `user.id`-filtered SELECTs. There is no per-request memoization of the User row.
 **Impact:** one extra SELECT per request, mostly noise — but it's free to fix.
 **Fix:** in `get_current_user`, cache the User on `request.state.user`. Routes that take `user: User = Depends(...)` are unchanged.
 ---
 ### M3. SQLAlchemy async pool defaults serialize SQLite writers but the engine allows multiple connections ([engine.py:41-57](packages/server/src/notify_bridge_server/database/engine.py))
 `create_async_engine` for SQLite defaults to a `StaticPool` of size 1 in newer SQLAlchemy versions, but older versions / different `aiosqlite` versions can default to `NullPool` (one connection per request) or a small QueuePool. The code does not pin this explicitly. Under WAL, multiple readers are fine but only one writer can hold the txn at a time — so a slow writer just makes other connections block on `busy_timeout`.
 **Impact:** unpredictable behaviour across SQLAlchemy versions; sporadic `SQLITE_BUSY` under load.
 **Fix:** explicitly configure the pool:
 ```python
 from sqlalchemy.pool import StaticPool, AsyncAdaptedQueuePool
 _engine = create_async_engine(
    url,
    echo=settings.debug,
    pool_pre_ping=True,
    connect_args=connect_args,
    poolclass=AsyncAdaptedQueuePool,
    pool_size=5,
    max_overflow=10,
    pool_recycle=3600,
 )
 ```
 For Postgres compatibility leave these as-is; for SQLite the right value is `StaticPool` + `connect_args={"check_same_thread": False}` to share one connection across the event loop (this is the supabase/pgbouncer pattern adapted for sqlite-async).
 ---
 ### M4. `_refresh_telegram_chat_titles` issues per-chat HTTP without per-bot bucketing ([scheduler.py:229-329](packages/server/src/notify_bridge_server/services/scheduler.py))
 The job builds `tasks` as a flat list across all bots and runs them under a global `Semaphore(10)`. A bot with 50 chats and a slow Telegram response (rare but happens) can monopolize all 10 slots, starving every other bot. The semaphore should be per-bot.
 **Impact:** the daily refresh can take much longer than intended on a multi-bot install with one degraded bot.
 **Fix:** create one semaphore per bot:
 ```python
 sems = {bot_id: asyncio.Semaphore(_CHAT_SYNC_CONCURRENCY) for bot_id in bot_tokens}
 ```
 ---
 ### M5. `event_log.collection_name.contains(search)` triggers full table scan on filter ([status.py:69-75](packages/server/src/notify_bridge_server/api/status.py))
 The dashboard search input runs four `.contains(search)` clauses ORed together — these become `LIKE '%search%'` and cannot use a regular B-tree index. With 100k+ event_log rows the dashboard search becomes a multi-second operation.
 **Impact:** UX — search feels broken on large installs; CPU on the bridge box.
 **Fix:**
 1. Limit the search to the most recent N days (e.g. retention/3) — most users only search recent events.
 2. Add a SQLite FTS5 virtual table mirroring event_log's text columns, sync via triggers. Searches use `MATCH 'foo'` which is sub-millisecond on million-row tables.
 ---
 ### M6. `DeferredDispatch.event_payload` JSON blob can grow unbounded per row ([models.py:639-659](packages/server/src/notify_bridge_server/database/models.py), [deferred_dispatch.py:188-298](packages/server/src/notify_bridge_server/services/deferred_dispatch.py))
 The asset-coalescing union path appends every new asset's full dict (filename, urls, tags, extra metadata) into `event_payload["added_assets"]`. A mass-import that adds 50k photos during a quiet window means one DeferredDispatch row with 50k asset entries.
 **Impact:** memory blow-up at drain time (the whole JSON is parsed via `deserialize_event` into a Python list of `MediaAsset` dataclasses); could trip the drain timeout (`_DRAIN_DISPATCH_TIMEOUT_SECONDS=120`) on legitimate workloads.
 **Fix:** cap the union at e.g. 500 assets per row; when crossed, emit a "more_truncated" sentinel into `payload["extra"]` so the rendered template can show "+45000 more". The `apply_tracking_display_filters` `max_assets_to_show` does cap it for delivery, but the *stored* payload is uncapped.
 ---
 ### M7. Per-tick `await get_app_timezone(session)` reads from the DB on every dispatch ([dispatch_helpers.py:146-150](packages/server/src/notify_bridge_server/services/dispatch_helpers.py))
 Each tracker tick, each webhook, each defer evaluation calls `get_app_timezone` which calls `get_setting(session, "timezone")` which is a SELECT. The timezone setting rarely changes (manual setting), but the SELECT runs constantly.
 **Impact:** noise on otherwise good caching.
 **Fix:** cache the timezone in a module-level `(value, expires_at)` tuple with 60-s TTL, invalidated by `reschedule_cron_jobs_for_timezone_change`.
 ---
 ### M8. Unbounded in-memory dictionaries with no TTL or capacity ([scheduler.py:67-72](packages/server/src/notify_bridge_server/services/scheduler.py), [telegram_poller.py:31-35](packages/server/src/notify_bridge_server/services/telegram_poller.py), [command_sync.py:25](packages/server/src/notify_bridge_server/services/command_sync.py))
 ```python
 _adaptive_state: dict[int, dict[str, int]] = {}
 _adaptive_max_skip: dict[int, int] = {}
 _last_update_id: dict[int, int] = {}
 _last_webhook_reclaim_at: dict[int, float] = {}
 _dirty_bots: dict[int, float] = {}
 ```
 Each is keyed by tracker_id / bot_id. When a tracker or bot is deleted, the cleanup paths (`unschedule_tracker`, etc.) do remove some entries — but not all. `_last_update_id`, `_last_webhook_reclaim_at` are never cleared on bot deletion.
 **Impact:** slow memory leak in long-running processes that create+delete trackers/bots frequently (e.g. test environments).
 **Fix:** on tracker/bot deletion, explicitly clear all module dicts that key by that id. Or, simpler, switch each to `weakref.WeakValueDictionary` once the entity has a Python object representation, or to a TTLCache.
 ---
 ### M9. Bulk insert pattern in migrations uses one-statement-per-row ([migrations.py:566-588](packages/server/src/notify_bridge_server/database/migrations.py))
 `migrate_tracker_targets` issues `INSERT INTO ... VALUES (...)` per row in a Python for-loop. On a tenant with 10k+ legacy rows this is slow even inside a single transaction.
 **Impact:** one-shot, but rough on upgrade for big tenants.
 **Fix:** use `executemany` / batch INSERTs:
 ```python
 await conn.execute(text("INSERT INTO ... VALUES (...)"), batch_params)
 ```
 This is mostly historical (the migration is idempotent and skipped on subsequent runs), but worth fixing if you're touching the file.
 ---
 ### M10. Missing index on `notification_tracker_state(notification_tracker_id, collection_id)` ([models.py:454-478](packages/server/src/notify_bridge_server/database/models.py))
 `check_tracker` reads state per tracker; the existing `ix_notification_tracker_state.notification_tracker_id` index (declared via `index=True`) supports that. But every state read is `WHERE tracker_id = ? AND collection_id = ?` (implicitly via the resulting dict). A composite would help; SQLite can do index-only scans here.
 **Impact:** small. SQLite's index intersection plus the fact that one tracker typically has <20 collections makes this a minor win.
 **Fix:** add `(notification_tracker_id, collection_id)` composite index to the `_INDEXES` list.
 ---
 ## LOW
 ### L1. `SELECT *` semantics from `select(Model)` ORM is unavoidable but verbose ([throughout services/, api/])
 SQLModel's `select(ModelClass)` is effectively `SELECT all columns`. For wide rows like `TrackingConfig` (~70 columns of boolean flags) that's a lot of bytes per dispatch evaluation. There are no API list endpoints that return `TrackingConfig` from a hot path, so this is mostly cosmetic — but for pages that only need a handful of columns (e.g. `status.py`'s `tracker_id, name` map) the explicit-column form is already used. Continue that pattern.
 ---
 ### L2. `EventLog.details` JSON dict is reconstructed on every dashboard read ([status.py:258](packages/server/src/notify_bridge_server/api/status.py))
 `details: e.details or {}` serializes the JSON every time. SQLite returns this as a parsed Python dict already (JSON column), so the cost is low; just a note that this is a hot path.
 ---
 ### L3. `event_log.collection_id` and `details` have no indexes; some webhook commands filter on them ([commands/immich/events.py:43](packages/server/src/notify_bridge_server/commands/immich/events.py))
 The history-by-tracker endpoint uses the composite `ix_event_log_user_event_type_created` plus a hit on `notification_tracker_id` — fine. But `events.py`'s "last assets_added for this collection" queries (`event_type='assets_added' AND collection_id=?`) cannot use any current index optimally.
 **Fix:** add `(event_type, collection_id, created_at DESC)` if these queries are called by users frequently (Telegram `/assets <album>` etc.).
 ---
 ### L4. JSON column types not declared with `JSONB` semantics ([models.py: many](packages/server/src/notify_bridge_server/database/models.py))
 SQLite has only `JSON` (text storage with `json_valid` checks). On Postgres you'd want `JSONB`. The codebase uses `Column(JSON)` from SQLModel which maps to native `JSONB` on Postgres — that's correct. No action needed.
 ---
 ### L5. The `setup` lifespan runs migrations *inside* the FastAPI lifespan synchronously ([main.py:62-122](packages/server/src/notify_bridge_server/main.py))
 The migrations + seeds + scheduler boot all run before `_READY = True`. On a cold start with a big DB this can take 10+ s during which `/api/ready` returns 503. That's correct, but `/api/health` is also un-reachable because uvicorn hasn't started the workers yet (lifespan blocks startup). For orchestrators that probe `/api/health`, this means startup-grace must be tuned.
 **Fix:** start the HTTP listener first, run migrations as a background task, expose readiness flag through `/api/ready` only.
 ---
 ### L6. `ServiceProvider.config`, `NotificationTarget.config`, `Tracker.filters` JSON columns store secrets unencrypted ([models.py:42, 349, 399](packages/server/src/notify_bridge_server/database/models.py))
 API keys, refresh tokens, webhook secrets, SMTP passwords all live in `config` JSON. Visible to anyone with DB read access. This is a known design trade-off (`backup_secrets_mode` controls export behaviour) but worth flagging.
 **Fix:** out of scope for this review; consider an at-rest encryption layer keyed off `secret_key` (Fernet) for `config["api_key"]`, `config["password"]`, `access_token`, etc. — but only if your threat model justifies the operational cost.
 ---
 ### L7. Frontend `caches.svelte.ts` has 30-s TTL but no cross-tab invalidation ([entity-cache.svelte.ts:14](frontend/src/lib/stores/entity-cache.svelte.ts))
 Two browser tabs editing the same entity will see stale data for up to 30 s in the other tab. No `BroadcastChannel` listener.
 **Fix:** add a `BroadcastChannel('notify-bridge-cache')` that calls `cache.invalidate()` on receipt. ~15 lines.
 ---
 ### L8. `providersCache.invalidate(); await load()` is two-step ([providers/+page.svelte:238, 250](frontend/src/routes/providers/+page.svelte))
 `invalidate()` + immediate `fetch(true)` race against any in-flight request; the deduplication map handles it, but the explicit `await load()` is essentially `fetch(true)` directly. Simpler:
 ```typescript
 providersCache.set(updatedList);  // or fetch(true)
 ```
 Cosmetic.
 ---
 ### L9. `details["dispatch_status"]` is a string enum but not declared as one ([deferred_dispatch.py:619-624](packages/server/src/notify_bridge_server/services/deferred_dispatch.py))
 `dispatch_status` takes values `"deferred"`, `"deferred_then_dropped"`, `"deferred_then_failed"`, `"delivered_after_quiet_hours"`, `"dropped_quiet_hours_nondeferrable"`. They're scattered as string literals. The dashboard renders them.
 **Fix:** declare an `Enum` once and import from both server and frontend types.
 ---
 ### L10. No DB connection used by `/api/health` ([main.py:270-274](packages/server/src/notify_bridge_server/main.py))
 `/api/health` returns instantly without checking the DB. That's correct for a liveness probe but the comment doesn't match common practice ("liveness = process up"). Pair this with #L5: orchestrators using `/api/health` for warm-up will mark the pod ready while migrations are still running.
 **Fix:** keep liveness lightweight, document the readiness probe as the warm-up gate.
 ---
 ## Notes on what's already good
 - Performance indexes (`_INDEXES` list) cover all the right hot paths.
 - Composite `(status, fire_at)` index on `deferred_dispatch` plus partial unique `(link_id, collection_id, event_type) WHERE status='pending'` prevents the worst races.
 - `load_link_data` is fully batched — the most complex hot path in the codebase looks clean.
 - Shared `aiohttp.ClientSession` with DNS-rebinding-safe `PinnedResolver` is production-grade.
 - Pre-migration `VACUUM INTO` snapshot is the right safety net for a hand-rolled migration chain.
 - APScheduler defaults (`coalesce=True`, `misfire_grace_time=300`, `max_instances=1`) are correct production settings.
 - Adaptive polling (skip-N-of-K when idle) with jitter is a thoughtful 4-tier scheduling design.
 - Tracker cache (5-s TTL with explicit invalidation) and rendered-message per-locale cache are good fan-out optimizations.
 - Migration idempotency is genuinely well-handled despite the rough tooling.
 - Frontend `entity-cache` deduplication of in-flight requests is the right pattern.
 ---
 ## Priority recommendations (next 30 days)
 1. **Adopt Alembic** (C1, C2) — eliminate `create_all` from prod, baseline the current schema, lock down new schema changes through autogenerate.
 2. **Fix the dashboard aggregate query** (H1, H2, M5) — add the missing composite index, server-side cache the per-provider aggregate, virtualize the event list. This is the single biggest user-visible perf win.
 3. **Cap `DeferredDispatch.event_payload` size + add retention for fired/dropped rows** (M6, H7) — closes off the worst-case memory and growth scenarios.
 4. **Cleanup module-level dicts on entity deletion** (M8) — small fix, prevents a slow leak.
 5. **Standardize SQLite PRAGMAs and pool config** (C3, M3) — predictable behaviour, fewer spurious BUSY errors.
 ---
 *Reviewed against codebase at HEAD (`a20635a`).*
@@ -0,0 +1,312 @@
 # Security Review — notify-bridge v0.8.1
 Reviewer: security-reviewer (Opus 4.7) — 2026-05-22
 Branch: master @ a20635a
 Scope: `packages/server`, `packages/core`, `frontend/src`, `Dockerfile`, `docker-compose.yml`, `.gitea/workflows/`, env handling.
 ---
 ## Executive Summary
 - **Overall posture is strong.** The project applies many non-obvious controls correctly: Jinja2 `SandboxedEnvironment` on every render path; `bcrypt` with a 72-byte length guard and constant-time login (dummy hash on missing user); JWT with `token_version` revocation; SSRF guard with CGNAT, IPv4-mapped-IPv6 unwrapping, and a `PinnedResolver` that defeats DNS rebinding; secret-masking log filter; path-traversal-safe backup file resolver; security headers + CSP; non-root Docker user; required `SECRET_KEY` >= 32 chars with a rejection list; non-default Telegram webhook secret enforced; HMAC signature checks on Gitea/Generic webhooks; provider-config secret masking on GET; ownership checks (`get_owned_entity`) on every parameterised route I sampled.
 - **HIGH — Home Assistant `access_token` is not masked.** It is stored in `provider.config`, never added to the mask list in `_provider_response`, never added to the placeholder-drop list in `update_provider`. Any logged-in user can `GET /api/providers/{id}` and read their HA token in cleartext, and a partial save will wipe it. Trivial fix.
 - **HIGH — Secrets at rest are plaintext.** Telegram bot tokens (`telegram_bot.token`), provider configs containing `api_key`/`api_token`/`webhook_secret`/`access_token`/SMTP passwords, and email-bot SMTP passwords are stored unencrypted in SQLite. Disk theft, an unrelated read primitive, or any backup leak exposes all credentials. The masking on the API is good UX, but the DB itself has no encryption-at-rest. The exported JSON backup respects a `secrets_mode` flag (good) but the live DB does not.
 - **MEDIUM — Template-preview endpoints bypass the timeout/size watchdog.** `template_configs.preview_config`, `template_configs.preview_raw`, `command_template_configs.preview_raw`, and `notifier.send_test_template_notification` construct fresh `SandboxedEnvironment(autoescape=False)` instances and call `.render(...)` directly. The hardened helper `render_template()` (timeout, source cap, output cap, autoescape) is bypassed. A logged-in user can wedge a worker thread with `{% for i in range(10**8) %}x{% endfor %}`. Single-tenant deployment limits the blast radius, but the renderer should be the single chokepoint.
 - **MEDIUM — Login rate limit is per-IP only.** `POST /api/auth/login @ 5/min` keys on `get_remote_address`. An attacker behind a proxy / NAT, or one that rotates source IPs (cheap on residential / cloud), trivially bypasses it. There is no per-username lockout, no exponential backoff, no captcha. Combined with no MFA, this leaves the admin account vulnerable to a slow online dictionary attack from a single password (8-char minimum, no complexity requirement).
 - **LOW / INFO — Several smaller findings**: webhook payload logs persist source payload (now with key-level redaction, but the redactor is name-based and will miss high-entropy secret values in non-obvious keys); no replay protection on inbound webhooks (no nonce/timestamp window); the `/api/auth/setup` 3/min limit + JWT issuance race window is hardened with a transaction count guard (good), but the dummy bcrypt hash literal used for timing-equalisation is malformed and `bcrypt.checkpw` returns `False` via `ValueError` — the swallowed exception still equalises timing, but a maintainer could regress this; CSP allows `script-src 'unsafe-inline'` (necessary for SvelteKit hydration, acceptable risk acknowledged in code).
 ---
 ## Findings
 ### CRITICAL
 _None found._
 ---
 ### HIGH
 #### H-1. Home Assistant access_token leaked in provider GET responses
 - CWE: CWE-522 (Insufficiently Protected Credentials), CWE-200 (Exposure of Sensitive Information)
 - Files:
  - [`packages/server/src/notify_bridge_server/api/providers.py:616-624`](../../packages/server/src/notify_bridge_server/api/providers.py) — `_provider_response` masks `("api_key", "api_token", "webhook_secret", "password", "client_secret", "refresh_token")` but **not** `access_token`.
  - [`packages/server/src/notify_bridge_server/api/providers.py:399-405`](../../packages/server/src/notify_bridge_server/api/providers.py) — `update_provider` also omits `access_token` from the placeholder-drop list, so the response masking is consistent here, but if you fix one you must fix the other.
 - Scenario: Any user authenticated to the bridge (any role) calls `GET /api/providers/{id}` for an HA provider they own and the response includes `config.access_token` in cleartext. The HA long-lived token grants full control of the user's Home Assistant instance (lights, locks, cameras, scripts, devices). In a multi-user deployment, even within the same admin account, a stolen JWT exfiltrates the HA token; in a single-user deployment, any read primitive (XSS via a future template feature, an MITM on an HTTPS misconfiguration) gives the same result.
 - Remediation: Add `access_token` to both lists.
 ```python
 # providers.py:_provider_response
 for secret_field in (
    "api_key", "api_token", "webhook_secret", "password",
    "client_secret", "refresh_token", "access_token",  # <-- add
 ):
    ...
 # providers.py:update_provider
 for secret_field in (
    "api_key", "api_token", "webhook_secret", "password",
    "client_secret", "refresh_token", "access_token",  # <-- add
 ):
    value = incoming.get(secret_field)
    if isinstance(value, str) and value.startswith("***"):
        incoming.pop(secret_field, None)
 ```
 Better still: replace the hand-maintained tuple with a single module-level constant `_PROVIDER_SECRET_FIELDS` referenced from both call sites, plus a unit test that asserts every field declared on the per-provider Pydantic configs whose name appears in a denylist (`token`, `secret`, `password`, `key`, `credential`) is in the set. That prevents the next provider type from re-introducing the same gap.
 #### H-2. Secrets stored in plaintext at rest
 - CWE: CWE-312 (Cleartext Storage of Sensitive Information), CWE-256 (Plaintext Storage of a Password)
 - Files:
  - [`packages/server/src/notify_bridge_server/database/models.py:54-84`](../../packages/server/src/notify_bridge_server/database/models.py) — `TelegramBot.token: str`
  - [`packages/server/src/notify_bridge_server/database/models.py:87-100`](../../packages/server/src/notify_bridge_server/database/models.py) — `MatrixBot` (access_token in config)
  - `ServiceProvider.config: dict[str, Any]` (JSON column) holds Immich `api_key`, Gitea `webhook_secret` + `api_token`, Google Photos `client_secret` + `refresh_token`, HA `access_token`, etc.
  - `EmailBot.smtp_password: str` (per [`api/email_bots.py:142`](../../packages/server/src/notify_bridge_server/api/email_bots.py))
 - Scenario: An attacker who can read the SQLite file (compromised host, mis-permissioned backup volume, snapshot artifact in `data_dir/backups/`, leaked debug dump) gets every credential the bridge speaks: Telegram bot tokens (full bot control), Immich/Gitea/Planka API keys (read all photos / repos), Google Photos refresh tokens (long-lived, hard to revoke at scale), HA long-lived tokens (smart-home), SMTP passwords. The pre-migrate VACUUM-INTO snapshots (`packages/server/src/notify_bridge_server/database/snapshot.py`) inherit the same plaintext exposure and live alongside the active DB.
 - Remediation options, in order of effort:
  1. **Short term**: document the threat in `OPERATIONS.md`, enforce file-system permissions on `/data` (the Dockerfile chowns to appuser already, but the host bind-mount must be `chmod 700`), and ensure backups are encrypted at the storage layer (S3 SSE / Borg / restic).
  2. **Better**: column-level encryption with a key derived from `NOTIFY_BRIDGE_SECRET_KEY` (or a separate `NOTIFY_BRIDGE_DB_ENCRYPTION_KEY`). Use the `cryptography` library's `Fernet` for each sensitive column; envelope the secret JSON keys, not the whole row, so `WHERE` clauses and existing migrations keep working. Add a one-shot migration that re-encrypts existing rows.
  3. **Best**: encrypt with a KMS-backed key (HashiCorp Vault Transit, AWS KMS) and rotate per-secret data keys. This is overkill for a homelab homeserver-style deployment but mandatory if the bridge is ever multi-tenant.
 - Skeleton for option 2:
 ```python
 # new file packages/server/src/notify_bridge_server/security/secretbox.py
 from cryptography.fernet import Fernet, InvalidToken
 from .config import settings
 def _key() -> bytes:
    # Derive a deterministic Fernet key from secret_key. Anyone with secret_key
    # can decrypt — same threat model as JWT signing — but anyone with the DB
    # alone cannot.
    import base64, hashlib
    h = hashlib.sha256(settings.secret_key.encode()).digest()
    return base64.urlsafe_b64encode(h)
 _fernet = Fernet(_key())
 def encrypt_secret(plaintext: str) -> str:
    return _fernet.encrypt(plaintext.encode()).decode()
 def decrypt_secret(ciphertext: str) -> str:
    return _fernet.decrypt(ciphertext.encode()).decode()
 ```
 Apply at write time in `update_provider` / `create_provider`, decrypt at read time inside `make_immich_provider`, `make_gitea_provider`, the Telegram client constructor, etc. Add a migration that scans every `ServiceProvider.config` JSON and re-encrypts the listed keys in place.
 ---
 ### MEDIUM
 #### M-1. Template preview endpoints skip the renderer watchdog
 - CWE: CWE-400 (Uncontrolled Resource Consumption), CWE-1333 (Inefficient Regular Expression Complexity — analogous)
 - Files:
  - [`packages/server/src/notify_bridge_server/api/template_configs.py:608-613`](../../packages/server/src/notify_bridge_server/api/template_configs.py) — `preview_config` calls `SandboxedEnvironment(autoescape=False).from_string(template_body).render(...)` directly.
  - [`packages/server/src/notify_bridge_server/api/slot_helpers.py:72-90`](../../packages/server/src/notify_bridge_server/api/slot_helpers.py) — `render_template_preview` (used by `/preview-raw` for both notification and command templates).
  - [`packages/server/src/notify_bridge_server/services/notifier.py:494-499`](../../packages/server/src/notify_bridge_server/services/notifier.py) — `send_test_template_notification`.
  - The hardened helper [`packages/core/src/notify_bridge_core/templates/renderer.py:48-108`](../../packages/core/src/notify_bridge_core/templates/renderer.py) (with timeout, length caps, output cap) is **not** used here.
 - Scenario: An authenticated admin submits `{% for i in range(10**8) %}x{% endfor %}` to `POST /api/template-configs/preview-raw`. Jinja2 has no built-in timeout. The sandbox blocks attribute access but not CPU. The request blocks the FastAPI event loop's executor thread until the worker oomkills or the client times out. Repeat to DoS the API.
 - Remediation: Route every render through a single, hardened helper.
 ```python
 # Use the existing core helper consistently
 from notify_bridge_core.templates.renderer import render_template
 rendered = render_template(template_str, context)  # already has timeout + caps
 ```
 For the strict-undefined two-pass validation in `render_template_preview`, fold the watchdog into the helper itself rather than skipping it.
 #### M-2. Login rate limit is per-IP only
 - CWE: CWE-307 (Improper Restriction of Excessive Authentication Attempts)
 - Files: [`packages/server/src/notify_bridge_server/auth/routes.py:140-157`](../../packages/server/src/notify_bridge_server/auth/routes.py).
 - Scenario: `@limiter.limit("5/minute")` keyed on `get_remote_address` gives 5 attempts per source IP per minute = ~7,200/day per IP. An attacker rotating across 10 IPs (cheap cloud, residential proxies, even a Tor exit pool) gets 72,000/day. With the 8-character minimum password and no complexity requirement, a 7-char-and-common password is reachable in days, not centuries. There is no per-username lockout, no captcha, no MFA.
 - Remediation:
  1. Add a per-username sliding-window limiter on top of the per-IP one. Use a second `Limiter` whose `key_func` returns the lower-cased username from the body. Re-check after parsing the body.
  2. Add an exponential lockout: after N consecutive failures for a username, require a cooldown (record in a `LoginFailure` table or in-memory TTLCache).
  3. Document and recommend deploying behind a reverse proxy that adds CAPTCHA / WAF rate-limiting for login (Cloudflare Turnstile is cheap).
  4. Track and log failed logins (auth-event audit trail) with src IP + username + timestamp.
 ```python
 # Sketch — a second limiter that keys by username from the parsed body.
 async def _check_username_quota(username: str) -> None:
    # In-memory TTLCache: 10 attempts per username per 15 minutes
    if _username_attempts[username] >= 10:
        raise HTTPException(429, "Too many attempts for this account")
    _username_attempts[username] += 1
 ```
 #### M-3. Webhook payload log redactor is keyword-based, misses value-based secrets
 - CWE: CWE-532 (Insertion of Sensitive Information into Log File)
 - Files: [`packages/server/src/notify_bridge_server/api/webhooks.py:326-358`](../../packages/server/src/notify_bridge_server/api/webhooks.py).
 - Scenario: `_redact_sensitive_body` walks the JSON and redacts values whose **keys** contain `token`, `auth`, `key`, `secret`, etc. A webhook provider that ships secrets under an innocent key (e.g. `"oauth_state": "ya29.a0..."`, `"continuation": "ABCDE..."`, `"x_state": "..."`) leaves the secret in the persisted payload log. The log row is admin-readable and exported in backups.
 - Remediation: Layer a high-entropy value detector on top of the key matcher (e.g. anything matching `[A-Za-z0-9_\-+/=]{32,}` and high Shannon entropy ≥ 3.5). Lower bound: also redact known prefixes (`ya29.`, `xoxb-`, `ghp_`, `glpat_`, `sk-`, `Bearer `).
 #### M-4. Webhook ingestion has no replay protection
 - CWE: CWE-294 (Authentication Bypass by Capture-replay)
 - Files: [`packages/server/src/notify_bridge_server/api/webhooks.py`](../../packages/server/src/notify_bridge_server/api/webhooks.py) — Gitea/Planka/Generic.
 - Scenario: An attacker who once intercepts a signed Gitea push event (network downgrade, log leak from a proxy, exfil from the Gitea side) can replay it indefinitely. The HMAC stays valid; the bridge has no nonce / timestamp window / delivery-ID cache. With a webhook that fires `assets_added` it's just noise. With a webhook that triggers an action (planka card-created → `/api/actions/{id}/execute` chained logic), it could be more.
 - Remediation: For Gitea, store the last N `X-Gitea-Delivery` UUIDs per provider and reject duplicates; cap with a partial unique index. For the generic webhook, add an optional `replay_window_seconds` + a timestamp-extracting JSONPath in the provider config. Constant-time string compare.
 #### M-5. `bcrypt.checkpw` dummy-hash literal is malformed
 - CWE: CWE-208 (Observable Timing Discrepancy) — partial.
 - Files: [`packages/server/src/notify_bridge_server/auth/routes.py:147-152`](../../packages/server/src/notify_bridge_server/auth/routes.py).
 - Scenario: When the username doesn't exist, the code calls `_verify_password(body.password, "$2b$12$" + "a" * 53)`. That hash is not a real bcrypt hash; `bcrypt.checkpw` raises `ValueError` which `_verify_password` swallows and returns `False`. The exception path is *faster* than a real bcrypt verify (no key schedule), so timing of "user does not exist" differs from "user exists, wrong password" — a maintainer changing the swallow behaviour later could regress this entirely.
 - Remediation: Cache one valid dummy bcrypt hash at module load time so the verify path actually runs the KDF.
 ```python
 _DUMMY_BCRYPT_HASH = bcrypt.hashpw(b"x", bcrypt.gensalt()).decode()  # module load
 ...
 password_ok = await _verify_password(
    body.password,
    user.hashed_password if user else _DUMMY_BCRYPT_HASH,
 )
 ```
 #### M-6. Setup endpoint relies on `User.id != 0` filter — robust but a single typo breaks it
 - CWE: CWE-302 (Authentication Bypass) — defence-in-depth.
 - Files: [`packages/server/src/notify_bridge_server/auth/routes.py:97-119`](../../packages/server/src/notify_bridge_server/auth/routes.py).
 - Scenario: `POST /api/auth/setup` is gated by "no users with id != 0". The `__system__` sentinel is id=0. If a future migration changes the sentinel id, or the `WHERE` clause is dropped during a refactor, setup re-opens silently and an internet-reachable bridge would let an attacker claim the admin account.
 - Remediation: Add a defence-in-depth flag `AppSetting.setup_completed=true` set during the first successful setup, and require it to be unset (in addition to the count check). This bakes the invariant into a single boolean that's easier to audit.
 #### M-7. Anonymous Prometheus metrics endpoint leaks operational data
 - CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
 - Files: [`packages/server/src/notify_bridge_server/api/metrics.py:138-159`](../../packages/server/src/notify_bridge_server/api/metrics.py).
 - Notes: This is **documented and gated** by `NOTIFY_BRIDGE_METRICS_ENABLED`, and the comment explicitly says scrapers don't authenticate. Acceptable when the API port is firewalled to the scraper. Surface it here as informational so an operator who exposes the API directly to the internet (e.g. via reverse-proxy without an ACL) doesn't accidentally expose dispatch rates, provider names, queue depths.
 - Remediation: keep the env flag, but additionally allow `metrics_basic_auth_user` / `metrics_basic_auth_password` as a soft credential check on the endpoint so a "default enabled, default protected" mode is possible. Document the threat in `OPERATIONS.md` next to the env var.
 ---
 ### LOW
 #### L-1. CSP allows `'unsafe-inline'` for scripts
 - CWE: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) — adjacent.
 - File: [`packages/server/src/notify_bridge_server/main.py:186-201`](../../packages/server/src/notify_bridge_server/main.py).
 - Notes: Comment explicitly justifies it — SvelteKit static adapter emits an inline bootstrap. Acceptable, but `'strict-dynamic'` with a per-page nonce (or moving the bootstrap into a hashed external module) eliminates the gap entirely. Track as INFO unless future XSS-injection paths emerge.
 #### L-2. CSP `style-src 'unsafe-inline'` allows inline-style XSS payloads
 - CWE: CWE-79 (Cross-site Scripting) — defence-in-depth.
 - Same file as L-1. Inline styles are not directly executable, but they are a known vector for click-jacking and data-exfil via CSS selectors. Same remediation path: nonce-based CSP.
 #### L-3. `frame-ancestors 'none'` but no `X-Frame-Options: DENY` collision (false — it is set)
 - INFO only. Both `X-Frame-Options: DENY` and `frame-ancestors 'none'` are set; modern browsers honour CSP, legacy ones honour XFO. Good.
 #### L-4. Webhook `_filter_headers` allowlist accepts unknown `X-*` headers
 - CWE: CWE-532
 - File: [`packages/server/src/notify_bridge_server/api/webhooks.py:361-374`](../../packages/server/src/notify_bridge_server/api/webhooks.py).
 - Notes: The filter strips known sensitive headers, then accepts any `X-*`. A custom auth header like `X-Custom-Authentication: <token>` would slip past the substring check if the name doesn't contain `auth`/`token`/`key`/`secret`/etc. Low risk because the well-known providers we support don't ship such headers, but a misconfigured generic webhook will leave a credential in the log row.
 - Remediation: invert the policy — explicit allowlist for known-safe `X-*` headers (e.g. `X-Forwarded-For` is also borderline since it can carry PII).
 #### L-5. `external_url` setting is not validated against an allow-list
 - CWE: CWE-918 (SSRF), CWE-79 (XSS in the rendered Telegram webhook URL).
 - File: [`packages/server/src/notify_bridge_server/api/app_settings.py:329-339`](../../packages/server/src/notify_bridge_server/api/app_settings.py) reads, [`packages/server/src/notify_bridge_server/api/telegram_bots.py:247`](../../packages/server/src/notify_bridge_server/api/telegram_bots.py) writes it into the registered Telegram webhook URL.
 - Notes: An admin can set `external_url` to anything. The value is used to build the URL passed to Telegram in `setWebhook`. Telegram itself enforces an HTTPS-only allow-list, so the actual risk is bounded. Still — validate scheme + host + that it doesn't include credentials or fragments.
 #### L-6. Bot token GET endpoint is intentional but worth auditing
 - File: [`packages/server/src/notify_bridge_server/api/telegram_bots.py:148-156`](../../packages/server/src/notify_bridge_server/api/telegram_bots.py).
 - Notes: `GET /api/telegram-bots/{bot_id}/token` returns the full Telegram bot token to the owner. Used by the frontend to construct webhook URLs. Limiting to a single short-lived nonce per `register_bot_webhook` flow would be safer than exposing the token directly. Currently INFO; revisit if a multi-user role model lands.
 #### L-7. SQLite journal mode + backup snapshot file permissions
 - File: [`packages/server/src/notify_bridge_server/database/snapshot.py:60-95`](../../packages/server/src/notify_bridge_server/database/snapshot.py).
 - Notes: Snapshots are written via `VACUUM INTO 'path'`. They land in `data_dir/backups/` with default umask permissions. In the Docker image the dir is owned by `appuser` and only that user runs the process, so this is fine. On a host bind-mount, an operator who forgets to lock down `/data` exposes every credential in every snapshot to anyone with shell access. Document this in `OPERATIONS.md`.
 #### L-8. No CSRF token on state-changing endpoints
 - CWE: CWE-352
 - Notes: The API uses `Authorization: Bearer <jwt>` exclusively (no cookies). Browsers don't auto-attach `Authorization` headers cross-origin, so this is **not** classical CSRF-exploitable. Combined with strict CORS (`allow_credentials=True`, explicit origin allowlist, wildcard rejected on startup) and the `Origin`/`Referer` same-host check on the backup endpoints, the practical risk is essentially zero. INFO only.
 ---
 ### INFO / NEEDS VERIFICATION
 #### N-1. Jinja2 `SandboxedEnvironment` is the standard sandbox — confirm it covers your threat model
 - The sandbox blocks `__class__`, `__mro__`, etc., but it is well-known that Jinja2's sandbox is not a security boundary against a determined attacker who can author templates. The threat model here is "templates are admin-authored, so we trust them but use the sandbox as defence-in-depth"; that is reasonable. Document explicitly in `OPERATIONS.md` that anyone with template-edit permission has effective RCE on the worker thread (`{{ foo.__init__.__globals__... }}` style escapes have been published in the past; new ones surface periodically).
 - Verification: run `bandit -r packages/` and `safety check` against pinned versions of `jinja2>=3.1`. Latest CVEs against Jinja2 sandbox: track `CVE-2024-34064` and any 2025+ disclosures. As of the review date there is no known unpatched sandbox-escape in `jinja2>=3.1.4`.
 #### N-2. `apscheduler<4`
 - Notes: The pin `apscheduler>=3.10,<4` keeps the bridge on the 3.x line, which is in maintenance. No known CVEs as of this review. Track when 4.x stabilises and migrate.
 #### N-3. `python-multipart>=0.0.9`
 - Notes: This package had high-severity bugs prior to 0.0.6. The minimum here is 0.0.9 — good.
 #### N-4. No signed-image / SBOM on the container
 - Notes: The `release.yml` workflow builds and pushes a multi-tag image but does not sign with cosign or emit an SBOM. For an internet-facing deployment, consider adding `cosign sign` against the image digest, and `syft packages` to emit an SBOM at release time. INFO only.
 #### N-5. Frontend dependencies are pinned via caret (`^`) ranges
 - Notes: `package.json` uses `^x.y.z`. CI builds `npm ci` from `package-lock.json`, so reproducibility is fine at build time. There is no `npm audit` step in `.gitea/workflows/build.yml`. Add `npm audit --audit-level=high` to the frontend build job.
 #### N-6. `NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1` is a footgun
 - File: [`packages/core/src/notify_bridge_core/notifications/ssrf.py:39-52`](../../packages/core/src/notify_bridge_core/notifications/ssrf.py).
 - Notes: When set, the SSRF guard becomes a no-op. The warning at boot is the only mitigation. Acceptable for the documented homelab use-case; document that the env flag must NEVER be set on an internet-reachable instance, and consider refusing to enable it when `cors_allowed_origins` resolves to a non-loopback host (defence-in-depth interlock).
 #### N-7. Verify the auth flow at the WebSocket boundary
 - File: [`packages/core/src/notify_bridge_core/providers/home_assistant/client.py:54-83`](../../packages/core/src/notify_bridge_core/providers/home_assistant/client.py).
 - The `_ws_url_from_base` correctly strips userinfo before connecting and `_redact` defangs error messages — verify that `wss://` URLs go through SSRF validation (currently the HA URL is validated by `AnyHttpUrl` at config time but I did not find a call to `avalidate_outbound_url_full` on the HA WS connect path; the resolver would not pin a host the validator never saw).
 - Action: confirm by reading `ha_subscription.py` for explicit validation, or add a check that calls `avalidate_outbound_url_full` against the derived `ws_url` (treating `ws`/`wss` like `http`/`https` for the block-range check) before `ws_connect`.
 ---
 ## Prioritised Fix List (Top 10)
 1. **HIGH H-1** — Add `access_token` to the secret-mask list in `providers._provider_response` and the placeholder-drop list in `providers.update_provider`. Add a regression test that GETs an HA provider and asserts the response does not contain the cleartext token.
 2. **HIGH H-2** — Implement column-level encryption for `TelegramBot.token`, `MatrixBot` access tokens, `EmailBot.smtp_password`, and the sensitive keys inside `ServiceProvider.config`. Use Fernet with a key derived from `SECRET_KEY`. Write a one-shot migration.
 3. **MEDIUM M-1** — Replace the ad-hoc `SandboxedEnvironment(...).render()` calls in the four preview/test paths with the single hardened `render_template()` helper that already has timeout + size caps.
 4. **MEDIUM M-2** — Add per-username login lockout (TTL cache or DB-backed) on top of the per-IP `5/minute`. Log failed login attempts.
 5. **MEDIUM M-5** — Replace the malformed dummy bcrypt literal in `login()` with a real bcrypt hash computed once at module load so the timing-equalisation actually runs the KDF.
 6. **MEDIUM M-3** — Strengthen `_redact_sensitive_body` with a value-entropy heuristic and well-known token-prefix matching.
 7. **MEDIUM M-4** — Add replay protection on Gitea webhooks via the `X-Gitea-Delivery` header (small table + partial unique index).
 8. **MEDIUM M-7** — Make the metrics endpoint require either a flag or a Basic Auth credential; document in `OPERATIONS.md` that the API port should not be internet-exposed when metrics are on.
 9. **MEDIUM M-6** — Add a defence-in-depth `setup_completed` boolean in `app_setting` and check it in `/api/auth/setup` in addition to the count.
 10. **N-5** — Add `npm audit --audit-level=high` to the frontend build job in `.gitea/workflows/build.yml` so dependency CVEs land in CI.
 ---
 ## What was confirmed safe (worth keeping)
 - JWT design: HS256 with `iss`/`aud`/`exp`/`type`/`sub`/`ver`; refresh/access split; `token_version` revocation on role change, username change, and password change.
 - bcrypt with 72-byte length guard; CPU-bound work run in a thread.
 - SSRF guard with: scheme allowlist, IPv6-mapped-v4 unwrap, CGNAT block, IDN normalisation, async resolver, `PinnedResolver` to defeat DNS rebinding.
 - SQL access goes through SQLModel/SQLAlchemy with bind parameters; the only `f"..."` SQL is in DDL (column adds, index creates, `VACUUM INTO`) using server-controlled identifiers — sampled and clean.
 - Sandbox is `SandboxedEnvironment` everywhere a user-controllable template is rendered (six locations checked).
 - Frontend `{@html}` is wrapped in `sanitizePreview()` everywhere (`tracking-configs`, `template-configs`, `command-template-configs`).
 - Provider config secrets are masked on GET (except H-1).
 - `_resolve_backup_file` rejects `..`, NUL, separators, and enforces `relative_to(base)`.
 - CORS rejects wildcard with credentials at startup; secret_key default values are rejected with a clear error.
 - Docker: non-root user, `read_only: true`, `tmpfs: /tmp`, `no-new-privileges`, `cap_drop: ALL`, resource limits, healthcheck on `/api/ready`.
 - Logging: `SecretMaskingFilter` masks Telegram bot tokens, `Authorization`, `x-api-key`, `password`, `secret`, `access_token`, `refresh_token` from formatted messages, exception text, and stack traces.
 - Telegram webhook: secret token mandatory, refused on missing config, opaque `webhook_path_id` separate from bot token.
 - Inbound generic webhook: refuses `auth_mode="none"` unless an explicit acknowledgment field is set; auto-generates a strong secret if missing for `bearer_token`/`hmac_sha256`.
 - Inbound payload size capped at 1 MiB with a streaming check that doesn't trust `Content-Length`.
 ---
 ## Methodology
 - Manual code review of every authentication, authorization, webhook ingestion, template rendering, secret-handling, and outbound HTTP path under `packages/`.
 - Cross-checked CORS / CSP / security headers and rate-limiter configuration in `main.py` + `auth/routes.py`.
 - Sampled API routes for ownership enforcement (`get_owned_entity` / `_get_user_provider` / `_get_user_bot`) — all sampled routes apply it; no IDOR found.
 - Grepped for `Environment(` / `jinja2.Environment` / `f"..."` SQL / `{@html}` / `subprocess` / `eval` / `os.system` / known-bad patterns.
 - Reviewed CI workflows for secret leakage in env blocks and image-signing posture.
 - Reviewed Dockerfile + docker-compose for least-privilege and read-only root.
 - No dynamic testing performed; static review only. Run `pytest` (already gated in CI) + `bandit -r packages/` + `npm audit` in CI to backstop this review.
@@ -0,0 +1,408 @@
 # UI / UX Design Review — Notify Bridge frontend
 **Reviewed**: 2026-05-22
 **Scope**: SvelteKit frontend at `frontend/`, "Aurora / Glass" aesthetic, en + ru locales.
 **Reviewer method**: Read `app.css`, `+layout.svelte`, dashboard, login, setup, providers, targets, users, settings (parent), settings/IdentityCassette, notification-trackers, template-configs, actions, bots, plus shared components (Card, Button, Modal, ConfirmModal, AuthLayout, PageHeader, EmptyState, Loading, Snackbar). Cross-cutting Grep passes for inputs, border-radius, ARIA, sort, hex colors.
 ---
 ## Executive summary
 - **Aurora design language is real and distinctive.** Newsreader display serif + Geist variable sans + Geist Mono, conic-gradient brand orb, animated radial-gradient aurora background (`body::before` 28s drift), gradient pill chips, glow-pulse dots, and the lavender/orchid/mint/citrus/coral/sky palette together give the product a clear visual identity. This is **not** generic admin-template AI slop — the dashboard hero, signal-stream rows, provider deck, and the `PageHeader` "subpage-hero" pattern all carry intentional character that the user will remember.
 - **Consistency is the weakest axis.** Five overlapping card container abstractions (`.hero-card`, `.panel`, `.glass`, `Card.svelte`, settings `.cassette`/`.identity`) re-implement the same frosted-glass recipe with diverging radius (22 / 18 / 14 / 12 px) and padding (1.25/1.4 vs 1.3/1.4 vs 2/2.4 rem). A `--radius: 1rem` token is declared but unused. Pick one card module + one radius scale (e.g. `--radius-card: 22px`, `--radius-input: 12px`, `--radius-pill: 999px`).
 - **Forms have not been migrated to Aurora.** ~71 occurrences across 17 files still use the legacy raw class string `border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]` instead of the global `input { ... }` rule already in `app.css` (which uses `--color-input-bg`, `--color-rule-strong`, 0.625rem radius, glow focus ring). Result: rounded-md (6px) fields next to rounded-2xl (22px) cards, solid opaque backgrounds inside frosted-glass cards. Removing the override class would auto-restyle every form to match. **HIGH** priority, mostly mechanical.
 - **Hardcoded hex colors leak through.** Snackbar uses `#059669` / `#ef4444` / `#3b82f6` / `#f59e0b` instead of `--color-mint/coral/sky/citrus`. ConfirmModal uses a raw `rgba(239, 68, 68, 0.3)` glow. Actions page uses `#059669` for the enabled dot. All bypass theming — they will look wrong in light theme.
 - **Snackbar is invisible to screen readers.** No `role="status"` / `aria-live="polite"` / `aria-live="assertive"` on the toast container. Critical confirmations (saved, deleted, error) are never announced. **HIGH** accessibility fix, one-line.
 - **No `aria-current="page"` anywhere in the nav** — active state is conveyed only visually (border-radius bar + glow). Active state has no accessible name.
 - **No sortable columns, no multi-select bulk actions, anywhere in the app.** Lists rely entirely on `IconGridSelect` sort widgets (newest / oldest, etc.) and per-row icon buttons. For a notification routing system that may accumulate dozens of trackers / targets / configs, this scales poorly.
 - **Localization parity is solid string-for-string** (en.json = ru.json = 1577 lines). Russian renders the same characters but several places (hero title, brand row with provider name, stat-card label/value flex) have no length-guard for the longer Russian translations — visible truncation/wrapping likely.
 - **Onboarding is a single screen.** After `/setup` lands you on `/` with `0 providers` and a hero saying "all clear" — the most important first-run moment shows nothing to do. No checklist, no empty-dashboard CTA panel, no tour.
 - **Power-user feature standout**: ⌘K SearchPalette is present and wired through the topbar, global provider filter, and reduced-motion media-query support. These three deserve credit and should be more discoverable (no in-app hint they exist).
 ---
 ## Findings by area
 ### 1. Design quality vs generic AI aesthetic
 #### F-DESIGN-01 — Aurora identity is strong and self-consistent at the macro level [LOW / commendation]
 - **Files**: [`frontend/src/app.css`](frontend/src/app.css), [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte), [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte)
 - **State**: Newsreader display serif italic with linear-gradient text-clip is used in hero titles, panel titles, modal titles. Conic brand orb is unique. Aurora drift on body::before is a 28s slow loop that's never busy. The "signal" / "wires" / "on watch" / "pulse" / "stream" / "compose" semantic naming on the dashboard is editorial, not generic admin copy.
 - **Verdict**: Keep all of this. Lean *further* into it on the subpages — most list pages currently default back to plain "PageHeader + Card list" without inheriting the dashboard's editorial flavor.
 #### F-DESIGN-02 — Italic-serif emphasis loses impact on smaller subpage titles [LOW]
 - **Files**: [`frontend/src/lib/components/PageHeader.svelte`](frontend/src/lib/components/PageHeader.svelte) (lines 132–147)
 - **State**: `subpage-hero__title` is 2.15rem with italic emphasis on a gradient. At that size the gradient italic word is legible but loses the editorial drama it has at the 3rem dashboard hero. Russian translations (`em` words like *«операторы»*) sometimes look cramped because letter-spacing -0.025em is shared with the much larger dashboard hero.
 - **Suggestion**: Use a separate letter-spacing scale per font size step, or drop italic emphasis on titles below ~2rem and use color-only emphasis there.
 ---
 ### 2. Visual consistency
 #### F-CONSIST-01 — Five overlapping card abstractions [HIGH]
 - **Files**: [`frontend/src/app.css`](frontend/src/app.css) `.glass`, [`frontend/src/lib/components/Card.svelte`](frontend/src/lib/components/Card.svelte), [`frontend/src/lib/components/PageHeader.svelte`](frontend/src/lib/components/PageHeader.svelte) `.subpage-hero`, [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) `.hero-card` / `.panel` / `.stat-card`, [`frontend/src/routes/settings/IdentityCassette.svelte`](frontend/src/routes/settings/IdentityCassette.svelte) `.identity` + `.glass`
 - **State**: Six places re-declare the same recipe: `background: var(--color-glass); backdrop-filter: blur(28px) saturate(160%); border: 1px solid var(--color-border); border-radius: 22px; box-shadow: var(--shadow-card);` followed by an `::after` highlight overlay. Card.svelte even has its own 22px radius next to the global `.glass` 22px radius — they would diverge silently if either gets touched.
 - **Suggestion**: Consolidate into one `<GlassPanel>` component (or `.glass-card` utility) with variants `default | hero | panel | cassette` for padding/radius differences. Delete the duplicated `::after` overlays. The pattern is good — it's just *copy-pasted* 5+ times.
 #### F-CONSIST-02 — Border-radius drift, no scale [HIGH]
 - **Files**: [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte), [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte), [`frontend/src/app.css`](frontend/src/app.css)
 - **State**: Radii used: 22, 18, 14, 12, 11, 10, 9, 8, 7, 6, 3, 2 px + 0.3, 0.5, 0.625, 0.85, 1 rem + 9999px. `--radius: 1rem` is declared in the theme but only re-declared — no component reads it.
 - **Suggestion**: Define and *use* `--radius-card: 22px; --radius-panel: 18px; --radius-pill: 999px; --radius-input: 12px; --radius-chip: 8px; --radius-tile: 6px;`. Refactor in passes — start with `Card.svelte`, `Button.svelte`, `Modal.svelte`, `ConfirmModal.svelte`.
 #### F-CONSIST-03 — Hardcoded hex colors bypass theming [HIGH]
 - **Files**:
  - [`frontend/src/lib/components/Snackbar.svelte`](frontend/src/lib/components/Snackbar.svelte) lines 26–31: `#059669 / #ef4444 / #3b82f6 / #f59e0b`
  - [`frontend/src/lib/components/ConfirmModal.svelte`](frontend/src/lib/components/ConfirmModal.svelte) line 70: `box-shadow: 0 0 16px rgba(239, 68, 68, 0.3)`
  - [`frontend/src/routes/actions/+page.svelte`](frontend/src/routes/actions/+page.svelte) line 379: `style="background: {action.enabled ? '#059669' : 'var(--color-muted-foreground)'}"`
  - 25 files in `frontend/src/routes/**` contain `#xxx` literals
 - **State**: These colors are NOT the Aurora palette — `#059669` is emerald-600, our mint is `#7ee8c4`. In light theme the user sees green-on-green that wasn't intended.
 - **Suggestion**: Replace all status hexes with `--color-mint/coral/sky/citrus/orchid`. Add a stylelint rule `color-no-hex` scoped to `src/**/*.svelte` to prevent regression.
 #### F-CONSIST-04 — Form input styling not migrated to Aurora [HIGH]
 - **Files**: 17 routes, ~71 occurrences. Examples: [`frontend/src/routes/users/+page.svelte`](frontend/src/routes/users/+page.svelte) lines 137, 141, 190, 207; [`frontend/src/routes/providers/+page.svelte`](frontend/src/routes/providers/+page.svelte) lines 303, 309, 323, 333; [`frontend/src/routes/notification-trackers/TrackerForm.svelte`](frontend/src/routes/notification-trackers/TrackerForm.svelte); [`frontend/src/routes/targets/TargetForm.svelte`](frontend/src/routes/targets/TargetForm.svelte).
 - **State**: `class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]"` is repeated 71+ times. This overrides the global `input { ... }` rule that *already* uses Aurora glass styling.
 - **Suggestion**: Delete the class string in all these places. The global rule kicks in and forms instantly look correct. Cross-check that `Tailwind`'s preflight isn't interfering. Spot-check one page (e.g. `users/+page.svelte`), confirm visually, then mass-delete via Grep/Edit.
 #### F-CONSIST-05 — ConfirmModal duplicates Button.svelte logic [MEDIUM]
 - **Files**: [`frontend/src/lib/components/ConfirmModal.svelte`](frontend/src/lib/components/ConfirmModal.svelte)
 - **State**: Its `.confirm-btn-cancel` and `.confirm-btn-delete` re-implement what `Button variant="secondary"` and `Button variant="danger"` already provide. The danger button even uses raw `rgba(239,68,68,...)` instead of `--color-error-fg`.
 - **Suggestion**: `<Button variant="secondary" onclick={oncancel}>{cancel}</Button>` and `<Button variant="danger" onclick={onconfirm}>{confirm}</Button>`. Removes ~35 lines of CSS.
 #### F-CONSIST-06 — AuthLayout uses a different glass recipe [MEDIUM]
 - **Files**: [`frontend/src/lib/components/AuthLayout.svelte`](frontend/src/lib/components/AuthLayout.svelte) (line 68 `.auth-card`)
 - **State**: `border-radius: 1rem`, `padding: 2rem`, `backdrop-filter: blur(8px)` (vs the 28px elsewhere), plus its own auth-bg gradient mesh + 32px-grid background that nothing else in the app uses. Has its own `.auth-input` / `.auth-submit` / `.auth-label` / `.auth-error` design language.
 - **State pt 2**: Login/setup ends up looking *more* like generic SaaS than the dashboard does. The brand orb from the sidebar isn't on the login screen — instead a small lavender mdi-lan icon in a square.
 - **Suggestion**: Reuse the conic brand orb. Use the same glass recipe (28px blur, 22px radius) for `.auth-card`. Either drop the dot-grid `.auth-grid` (it reads as a generic "futuristic SaaS" template) or use it as a deliberate flair on the dashboard hero too.
 ---
 ### 3. Information hierarchy
 #### F-HIER-01 — Stat cards do triple duty (KPI + nav link + filter context) without ranking [MEDIUM]
 - **Files**: [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) lines 571–645
 - **State**: All four stat cards have the same visual weight, same accent intensity (`STAT_ACCENTS[idx]`), and rotate accents by index. When the global provider filter is active the first stat card morphs into a "literal value" card showing provider name (1rem font, very different visual). The accent rotation creates a rainbow row that doesn't carry meaning — events `total` has no semantic reason to be orchid vs. providers being lavender.
 - **Suggestion**: Tie accent color to entity type (providers=primary, trackers=mint, targets=sky, throughput=citrus) so the same accent recurs throughout the app for the same concept. Keep the morph behavior but design a distinct "filtered context" stat-card variant — a smaller, narrower chip — so it doesn't compete visually.
 #### F-HIER-02 — Hero title and meter compete for attention at desktop width [LOW]
 - **Files**: [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) lines 1047–1068, 1078–1086
 - **State**: Both the `.hero-title` and `.hero-meter-value` are 3rem 500-weight in two different fonts. Side-by-side they create two focal points.
 - **Suggestion**: Shrink `.hero-meter-value` to 2.4rem and use it as a *secondary* read; let the editorial title be the single dominant element.
 #### F-HIER-03 — Pulse chart panel rarely meaningful on first launch [LOW]
 - **Files**: [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) lines 909–927
 - **State**: On a fresh install the chart is an empty 0-events grid taking 250-400px vertical space. No empty-state copy inside `EventChart`.
 - **Suggestion**: When `chartDays` has all-zero values, replace with a small "No events recorded in the last 30 days — once a tracker fires, the pulse will appear here" inline empty state.
 ---
 ### 4. Navigation & wayfinding
 #### F-NAV-01 — No `aria-current="page"` on active nav links [HIGH a11y]
 - **Files**: [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) lines 498–533, 591–597, 632–658
 - **State**: Active state is conveyed via `.active` class + a gradient left-bar div. Screen readers cannot announce it. Grep for `aria-current` across the whole frontend: zero matches.
 - **Suggestion**: Add `aria-current={isActive(child.href) ? 'page' : undefined}` to every nav `<a>`.
 #### F-NAV-02 — No breadcrumb on subpages [MEDIUM]
 - **Files**: [`frontend/src/lib/components/PageHeader.svelte`](frontend/src/lib/components/PageHeader.svelte)
 - **State**: The `crumb` prop only renders a single mono-uppercase tag (e.g. "ROUTING · AUTOMATION") — it's decorative, not navigational. There's no actual breadcrumb chain. For `/template-configs`, `/command-template-configs`, `/tracking-configs`, `/command-configs`, etc., a user landing via deep link has no parent-link to return to.
 - **Suggestion**: Make the crumb a real breadcrumb (≤3 levels: `Notifications → Templates` or `Commands → Configs`). Render the prior level as a clickable `<a>`.
 #### F-NAV-03 — Deep linking via `?type=<targetType>` and `?tab=<botType>` doesn't update page title [LOW]
 - **State**: `/targets?type=email` and `/bots?tab=matrix` change the active sidebar item but the `<PageHeader>` title for those pages is generic ("Targets" / "Bots").
 - **Suggestion**: When `activeType` is set, derive the title from it: "Email targets" / "Matrix bots". Improves browser tab titles and the in-page title.
 #### F-NAV-04 — Collapsed sidebar tooltip wraps for long Russian translations [LOW]
 - **State**: Tooltips for collapsed sidebar nav items use the browser-native `title=` attribute, which gives no glass-style chip. They will use the OS tooltip styling, which clashes with the Aurora aesthetic and clips long ru labels.
 - **Suggestion**: Build a small custom tooltip component (or use existing portal helper) for collapsed-sidebar nav. Keep `title` as fallback for `prefers-reduced-motion` users.
 ---
 ### 5. Form UX
 #### F-FORM-01 — No inline field-level validation, only post-submit error banners [MEDIUM]
 - **Files**: [`frontend/src/routes/providers/+page.svelte`](frontend/src/routes/providers/+page.svelte), [`frontend/src/routes/users/+page.svelte`](frontend/src/routes/users/+page.svelte), [`frontend/src/routes/targets/TargetForm.svelte`](frontend/src/routes/targets/TargetForm.svelte)
 - **State**: Forms rely on HTML5 `required` / `minlength` browser validation plus a single `ErrorBanner` shown after submit failure. Native browser validation tooltips are pale and don't match Aurora.
 - **Suggestion**: Add a per-field `<FieldError>` slot below labels for inline validation (URL syntax, email format, port range). The settings page already has a nice pattern (`url-field-valid` class on `IdentityCassette`) — generalize it.
 #### F-FORM-02 — Save feedback inconsistent across pages [MEDIUM]
 - **Files**: Settings uses a sticky `SaveBar` with dirty tracking ([`frontend/src/routes/settings/+page.svelte`](frontend/src/routes/settings/+page.svelte) lines 77–84, 208–214). Most other forms have inline Save buttons inside the card. Some show snackbar success ("snack.userCreated"), some don't.
 - **Suggestion**: Standardize: (a) inline "Save" inside the card *plus* (b) snackbar success message *plus* (c) optional sticky SaveBar for multi-field admin forms. Document the pattern in `.claude/docs/frontend-architecture.md`.
 #### F-FORM-03 — Forms auto-name from descriptor but offer no way to unlock it back to auto-name [LOW]
 - **Files**: [`frontend/src/routes/providers/+page.svelte`](frontend/src/routes/providers/+page.svelte) lines 136–141 + 303; [`frontend/src/routes/actions/+page.svelte`](frontend/src/routes/actions/+page.svelte) lines 50–56
 - **State**: Once user types in the Name field, `nameManuallyEdited` becomes true and the auto-fill stops permanently — no way to ask "go back to default name".
 - **Suggestion**: Add a tiny "↺ reset" link next to the name input when `nameManuallyEdited && form.name !== descriptor.defaultName`.
 #### F-FORM-04 — No optimistic UI; rows disappear / appear only after server roundtrip [LOW]
 - **State**: After delete/create, pages refetch via `cache.fetch(true)`. Visible 200-400ms blank state.
 - **Suggestion**: Optimistic insert/remove in the cache stores, with snackbar undo for destructive ops.
 #### F-FORM-05 — Login form omits `autofocus` on username [LOW]
 - **Files**: [`frontend/src/routes/login/+page.svelte`](frontend/src/routes/login/+page.svelte) line 99
 - **Suggestion**: Add `autofocus` to the username input. Saves one keystroke on every login.
 ---
 ### 6. Modals & overlays
 #### F-MODAL-01 — Modal.svelte is well-built [LOW / commendation]
 - **Files**: [`frontend/src/lib/components/Modal.svelte`](frontend/src/lib/components/Modal.svelte)
 - **State**: Portal mount, focus trap, focus restoration, Escape, Tab cycling, `aria-modal="true"`, `aria-labelledby`, body scroll containment via `overscroll-behavior: contain`, transition (250ms in/out), 80vh max-height. This is the strongest single component in the codebase.
 - **Verdict**: Reuse as the foundation for every overlay. Currently `BlockedByModal`, `EventDetailModal`, `SharedLinkModal`, `ConfirmModal` all do — good.
 #### F-MODAL-02 — Modal backdrop has `role="button"` [LOW]
 - **Files**: [`frontend/src/lib/components/Modal.svelte`](frontend/src/lib/components/Modal.svelte) line 96
 - **State**: The backdrop is a `<div>` with `role="button"`, `tabindex="-1"`, and an onclick to close. That's a common pattern to silence Svelte's a11y warnings, but a screen reader announces "Close, button" twice (once for backdrop, once for the explicit X button).
 - **Suggestion**: Drop `role="button"` and `aria-label` from the backdrop; the explicit Close button is enough. Or use `<button class="modal-backdrop">` instead of a div.
 #### F-MODAL-03 — Modal panel uses solid `#131520` instead of glass [LOW]
 - **Files**: [`frontend/src/lib/components/Modal.svelte`](frontend/src/lib/components/Modal.svelte) lines 150–151
 - **State**: `--modal-solid-bg: #131520;` is a deliberate choice (probably for readability) but it breaks visual consistency with the rest of the app. The Aurora drift behind it is invisible.
 - **Suggestion**: Use `var(--color-glass-elev)` over the blurred backdrop. Or, if the solid choice was deliberate, document why so the next developer doesn't "fix" it.
 #### F-MODAL-04 — Confirm-modal "delete" hover uses raw rgba [MEDIUM]
 - **Files**: [`frontend/src/lib/components/ConfirmModal.svelte`](frontend/src/lib/components/ConfirmModal.svelte) line 70
 - **State**: `box-shadow: 0 0 16px rgba(239, 68, 68, 0.3);` — not themed.
 - **Suggestion**: Use `box-shadow: 0 0 16px color-mix(in srgb, var(--color-coral) 40%, transparent);`.
 ---
 ### 7. Empty / loading / error states
 #### F-STATE-01 — `Loading.svelte` is a single shimmer pattern [MEDIUM]
 - **Files**: [`frontend/src/lib/components/Loading.svelte`](frontend/src/lib/components/Loading.svelte)
 - **State**: Three or four 4rem shimmer bars. Used as `<Loading />` on virtually every page including hero pages. Doesn't match the actual layout the user will see — looks like a row list even on settings.
 - **Suggestion**: Add layout-aware variants: `<Loading shape="hero" />`, `<Loading shape="grid" cols={4} />`, `<Loading shape="list" rows={5} />`. Reduces layout shift on first paint.
 #### F-STATE-02 — `EmptyState.svelte` is plain and undifferentiated [MEDIUM]
 - **Files**: [`frontend/src/lib/components/EmptyState.svelte`](frontend/src/lib/components/EmptyState.svelte)
 - **State**: 10-line component: dimmed icon + message. No CTA, no illustration, no flavor. The dashboard's inline `.empty-state` (lines 1300–1319 of `+page.svelte`) is richer (has a CTA link) but isn't reused.
 - **Suggestion**: Extend `EmptyState` to accept a `cta` slot and a `tone` (with subtle gradient blob behind the icon). On `/providers` empty: "No providers yet — connect Immich, Nextcloud, or Home Assistant to start tracking events" with an "+ Add provider" CTA.
 #### F-STATE-03 — Many list pages have no error-recovery action [MEDIUM]
 - **Files**: Throughout — most pages have a `loadError` state that renders `<Card><ErrorBanner /></Card>` but no "Retry" button.
 - **Suggestion**: `ErrorBanner` should accept an `onRetry` prop and surface a retry button. Standardize across pages.
 #### F-STATE-04 — `EventChart` no empty state [LOW]
 - See F-HIER-03.
 ---
 ### 8. Accessibility
 #### F-A11Y-01 — Snackbar has no aria-live [HIGH]
 - **Files**: [`frontend/src/lib/components/Snackbar.svelte`](frontend/src/lib/components/Snackbar.svelte) lines 35–63
 - **State**: Snack container is a plain `<div use:portal>`. Success / error toasts never reach screen readers. Three other files have proper aria-live; this critical one doesn't.
 - **Fix**: `<div use:portal class="snackbar-container" role="region" aria-live="polite" aria-label={t('snackbar.region')}>`. Use `aria-live="assertive"` for `snack.type === 'error'`.
 #### F-A11Y-02 — No `aria-current="page"` on nav links [HIGH]
 - See F-NAV-01.
 #### F-A11Y-03 — Custom focus outlines partially overridden [MEDIUM]
 - **Files**: [`frontend/src/app.css`](frontend/src/app.css) lines 237–241 (global `button:focus-visible` outline 2px primary + offset 2px), [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) line 894 (`.nav-link { border-radius: 12px !important }`), [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) lines 1351–1354 (`.signal-row--clickable:focus-visible { outline-offset: -2px }`).
 - **State**: Inverted offset `-2px` makes the focus ring sit *inside* the row, which against the glass-strong hover-bg ends up nearly invisible at certain accent positions.
 - **Suggestion**: Use `outline-offset: 2px` consistently with a `box-shadow: 0 0 0 2px var(--color-glass)` ringer if needed for contrast.
 #### F-A11Y-04 — `prefers-reduced-motion` is honored — commendation [LOW]
 - **Files**: [`frontend/src/app.css`](frontend/src/app.css) lines 484–507, [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) lines 837–840
 - **State**: Aurora drift, brand-version pulse, stagger entrances, signal-row hover transitions, paginator transitions all gated. Smooth scroll override too. Solid implementation.
 #### F-A11Y-05 — Color contrast risk on glass surfaces [MEDIUM]
 - **State**: `--color-muted-foreground: #b6b2d4` on `--color-glass: rgba(255,255,255,0.04)` over the aurora gradient. In the brightest hot-spot of the aurora background (where the `#b8a7ff` lavender peaks), `#b6b2d4` may fail WCAG AA (4.5:1 for body text). Hasn't been measured.
 - **Suggestion**: Run a contrast pass with `--color-muted-foreground` against the brightest part of the aurora background. Likely need to bump it to ~`#cfcae8` for dark theme.
 #### F-A11Y-06 — Toggle switch has no label association [LOW]
 - **Files**: [`frontend/src/app.css`](frontend/src/app.css) lines 513–556
 - **State**: `.toggle-switch` wraps an `<input type="checkbox">` and a visual `.toggle-track` `<span>`. There's no visible label text or `aria-label` requirement in the global utility. Callers may forget to pass one.
 - **Suggestion**: Lift into a `<Toggle>` component requiring a `label` prop.
 ---
 ### 9. Responsive design
 #### F-RESP-01 — Sidebar collapse breakpoint is fine; mobile bottom nav covers gracefully [LOW / commendation]
 - **Files**: [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) lines 589–668, 1136–1168
 - **State**: Below 767px the desktop sidebar hides and mobile bottom-nav appears with primary 4 keys + search + more. Mobile "More" panel mirrors the full desktop tree. Solid.
 #### F-RESP-02 — Hero meter wraps awkwardly between 720–880px [LOW]
 - **Files**: [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) lines 1119–1130
 - **State**: Below 880px the hero collapses to one column, but the meter row pills wrap to a third row on Russian translations of "providers/targets/armed".
 - **Suggestion**: Add an intermediate breakpoint (`max-width: 1024px`) where pill labels switch from `"5 providers"` to a tooltip-only count.
 #### F-RESP-03 — Stat-card grid drops to 1 column at sm: [MEDIUM]
 - **Files**: [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte) line 590 `grid-cols-1 sm:grid-cols-2 lg:grid-cols-4`
 - **State**: Between 640–1024px stat cards are 2-wide. At tablet sizes the cards become huge and dilute the dashboard density.
 - **Suggestion**: Cap stat-card max-width at ~300px or switch to `auto-fit, minmax(200px, 1fr)` so they don't grow uncontrollably.
 #### F-RESP-04 — List rows don't gracefully truncate webhook URLs on mobile [LOW]
 - **Files**: [`frontend/src/routes/providers/+page.svelte`](frontend/src/routes/providers/+page.svelte) lines 392–410
 - **State**: Secondary text line shows full webhook URL with `break-all` which on very narrow viewports gives a 4-line wrap.
 - **Suggestion**: Use the `shortenUrl()` helper (already defined for the meta-tile path) on the narrow-screen secondary line too.
 ---
 ### 10. Onboarding
 #### F-ONBOARD-01 — Setup → empty dashboard with no guidance [HIGH]
 - **Files**: [`frontend/src/routes/setup/+page.svelte`](frontend/src/routes/setup/+page.svelte), [`frontend/src/routes/+page.svelte`](frontend/src/routes/+page.svelte)
 - **State**: After `/setup` the user lands on `/` with 0 providers, hero says *"all clear"* (literally "Nothing to do"). Wasted first impression.
 - **Suggestion**: First-run detection (`providersCache.items.length === 0 && targetsCache.items.length === 0`) replaces the dashboard hero with a 3-4 step "Getting started" checklist: (1) Add a provider · (2) Connect a bot · (3) Create a target · (4) Wire your first tracker. Each step is a CTA card. Persist completion to localStorage so it disappears once finished.
 #### F-ONBOARD-02 — No in-app discovery of ⌘K palette [MEDIUM]
 - **Files**: [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) lines 678–682
 - **State**: Topbar shows `⌘K` / `Ctrl K` chip but only that. No "Press ⌘K to jump to any page" hint anywhere.
 - **Suggestion**: First-visit toast: "Tip: Press ⌘K from anywhere to search providers, trackers, and pages". Dismissible.
 #### F-ONBOARD-03 — Login screen has no help / forgot-password / docs link [LOW]
 - **Files**: [`frontend/src/routes/login/+page.svelte`](frontend/src/routes/login/+page.svelte)
 - **State**: Plain username + password. For self-hosted users who lost the admin password, there's no link to the recovery docs.
 - **Suggestion**: Small "Need help?" link to docs (the `/docs` route exists).
 ---
 ### 11. Microcopy
 #### F-COPY-01 — Dashboard hero copy is editorial — commendation [LOW]
 - "Live · throughput 24h · armed · providers" reads more like a control-room dashboard than CRUD admin. Keep doing this on the rest of the app.
 #### F-COPY-02 — Many subpages use literal entity-name copy [MEDIUM]
 - E.g. "Add provider" / "Add target" / "Add tracker" / "Add user". Editorial would be "Connect a provider" / "Define a target" / "Wire a tracker" / "Invite a user". Lean into verbs that match the dashboard's "wires / signals / on watch" vocabulary.
 #### F-COPY-03 — Russian translations match en line-count but no length QA visible [LOW]
 - File sizes match exactly (1577 lines each). That's just structural parity, not visual parity. Russian tends to be 20-30% longer for the same concept; flagged places likely have layout issues (hero title em, stat-card values, sidebar nav labels).
 - **Suggestion**: Set up a Playwright snapshot test that switches locale=ru and screenshots dashboard + a representative list page to catch overflow visually.
 ---
 ### 12. Localization parity
 #### F-LOCALE-01 — "Notify Bridge" wordmark stays in English [LOW / correct]
 - Brand. Don't translate.
 #### F-LOCALE-02 — Provider type label not localized in list rows [LOW]
 - **Files**: [`frontend/src/routes/providers/+page.svelte`](frontend/src/routes/providers/+page.svelte) line 391
 - **State**: Type pill shows raw `provider.type` value (e.g. "immich", "nextcloud") — not localized.
 - **Suggestion**: Use `getDescriptor(type).defaultName` or `t(\`providers.type${PascalName}\`)` which exists per project conventions.
 #### F-LOCALE-03 — Mixed Cyrillic glitches in source [LOW]
 - **Files**: [`frontend/src/routes/login/+page.svelte`](frontend/src/routes/login/+page.svelte) line 42 (`вЂ”` instead of em-dash in a comment), [`frontend/src/routes/users/+page.svelte`](frontend/src/routes/users/+page.svelte) line 166 (`В·` instead of `·`)
 - **State**: Encoding-corrupt characters in source comments and one user-facing dot. Pre-existing — files were probably edited with the wrong encoding at some point.
 - **Suggestion**: Grep `вЂ` / `В·` across the repo and fix. Add a pre-commit hook that fails on non-UTF8 chars in `.svelte` / `.ts` / `.json`.
 ---
 ### 13. Power-user features
 #### F-POWER-01 — No sortable columns anywhere [MEDIUM]
 - Confirmed by Grep: no `aria-sort` / `sortable` / `onSort` in the codebase. Lists are sorted by `IconGridSelect` widget (newest / oldest / name).
 - **Suggestion**: For long lists (trackers, targets), add column-header sort affordance. Even minimal: clicking the "Name" or "Provider" header re-sorts. Use cache state so sort persists across nav.
 #### F-POWER-02 — No multi-select bulk actions [MEDIUM]
 - Grep for `bulkAction` / `selectAll`: only the locale files contain those strings (likely as i18n keys that are never used). No checkbox UI.
 - **Suggestion**: Add a checkbox column on `targets`, `notification-trackers`, `command-trackers`, `actions` pages. Bulk-enable / bulk-delete are the obvious ones.
 #### F-POWER-03 — ⌘K palette is the strongest power feature, under-promoted [MEDIUM]
 - See F-ONBOARD-02.
 #### F-POWER-04 — Sidebar group expand/collapse is persisted but no "expand all / collapse all" [LOW]
 - **Files**: [`frontend/src/routes/+layout.svelte`](frontend/src/routes/+layout.svelte) lines 263–269
 - **Suggestion**: Add a right-click menu on a group header, or a tiny "collapse all" icon at the bottom of the nav rail.
 #### F-POWER-05 — No keyboard shortcuts beyond ⌘K [LOW]
 - **Suggestion**: `n` for new, `g + p` for "go providers", `g + t` for trackers, `?` to show shortcut sheet. Document in the palette.
 ---
 ## Production polish checklist (top 15, prioritized)
 1. **[HIGH]** Add `role="status" aria-live="polite"` to Snackbar container; `assertive` for error toasts. (F-A11Y-01) — one-line fix.
 2. **[HIGH]** Add `aria-current="page"` to every nav link in `+layout.svelte`. (F-NAV-01, F-A11Y-02)
 3. **[HIGH]** Mass-replace the legacy form-input class (`border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]`) with nothing — let the global `input { ... }` style win. 17 files, ~71 occurrences. (F-CONSIST-04)
 4. **[HIGH]** Replace hardcoded hex colors (`#059669`, `#ef4444`, `#3b82f6`, `#f59e0b`, `rgba(239,68,68,...)`) with Aurora palette tokens in `Snackbar.svelte`, `ConfirmModal.svelte`, `actions/+page.svelte`, and any remaining sites. (F-CONSIST-03)
 5. **[HIGH]** First-run onboarding: when `providersCache.items.length === 0`, replace dashboard hero with a 4-step "Getting started" checklist. (F-ONBOARD-01)
 6. **[HIGH]** Consolidate the 5 glass-card abstractions into a single `<GlassPanel variant=...>` component; delete redundant `::after` overlays. (F-CONSIST-01)
 7. **[HIGH]** Introduce a radius scale (`--radius-card / panel / pill / input / chip / tile`) and refactor `Card.svelte`, `Button.svelte`, `Modal.svelte`, `ConfirmModal.svelte` to use it. (F-CONSIST-02)
 8. **[MEDIUM]** Rewrite `ConfirmModal.svelte` to use `<Button variant="secondary">` and `<Button variant="danger">` instead of its own buttons. (F-CONSIST-05)
 9. **[MEDIUM]** Add layout-aware `<Loading shape="hero|grid|list">` variants to reduce first-paint layout shift. (F-STATE-01)
 10. **[MEDIUM]** Extend `<EmptyState>` with `cta` slot and provider-/tracker-/target-specific copy + a contextual CTA. (F-STATE-02)
 11. **[MEDIUM]** Visual length-QA pass for Russian — at least dashboard hero, providers list, settings hero, stat-cards. Playwright screenshot test. (F-COPY-03, F-LOCALE-02)
 12. **[MEDIUM]** Implement column-header sort on `notification-trackers`, `targets`, `actions`. Persist in cache state. (F-POWER-01)
 13. **[MEDIUM]** Add multi-select bulk actions (enable/disable, delete) to `targets`, `notification-trackers`, `command-trackers`. (F-POWER-02)
 14. **[MEDIUM]** Audit contrast: `--color-muted-foreground` over brightest aurora peak; likely bump dark-theme value from `#b6b2d4` to ~`#cfcae8`. (F-A11Y-05)
 15. **[MEDIUM]** Replace inline browser-native `title=` tooltips on the collapsed sidebar with a custom Aurora-styled tooltip (using the existing portal helper). (F-NAV-04)
 ### Quick wins (bonus, under an hour each)
 - Add `autofocus` to the username input on `/login`. (F-FORM-05)
 - Fix `вЂ"` / `В·` Cyrillic encoding glitches in `login/+page.svelte` and `users/+page.svelte`. (F-LOCALE-03)
 - Drop `role="button"` from Modal backdrop. (F-MODAL-02)
 - Replace `provider.type` raw label in provider list rows with localized descriptor name. (F-LOCALE-02)
 - Add inline empty-state copy to `EventChart` when all `chartDays` values are 0. (F-HIER-03)
 ---
 ## What's working — keep doing it
 - The conic-gradient brand orb, animated aurora background, Newsreader italic emphasis, gradient pill chips, glow-pulse dots — distinctive identity.
 - `Modal.svelte` (focus trap, restore, portal, escape, scroll containment).
 - `prefers-reduced-motion` honored across every animation surface.
 - Global ⌘K search palette, global provider filter, persisted sidebar state, persisted nav-group expansion.
 - Editorial copy on dashboard (`signal stream`, `on watch`, `pulse`, `wires`, `compose`).
 - Snackbar with detail-toggle expansion for error context.
 - Mobile "More" panel that mirrors the full desktop nav tree.
 - 6-file template-variable sync rule honored by project conventions.
 - `i18n` parity at 1577 lines for both locales.
 End of review.
@@ -0,0 +1,27 @@
 ---
 name: Debug Issue
 description: Systematically debug issues using graph-powered code navigation
 ---
 ## Debug Issue
 Use the knowledge graph to systematically trace and debug issues.
 ### Steps
 1. Use `semantic_search_nodes` to find code related to the issue.
 2. Use `query_graph` with `callers_of` and `callees_of` to trace call chains.
 3. Use `get_flow` to see full execution paths through suspected areas.
 4. Run `detect_changes` to check if recent changes caused the issue.
 5. Use `get_impact_radius` on suspected files to see what else is affected.
 ### Tips
 - Check both callers and callees to understand the full context.
 - Look at affected flows to find the entry point that triggers the bug.
 - Recent changes are the most common source of new issues.
 ## Token Efficiency Rules
 - ALWAYS start with `get_minimal_context(task="<your task>")` before any other graph tool.
 - Use `detail_level="minimal"` on all calls. Only escalate to "standard" when minimal is insufficient.
 - Target: complete any review/debug/refactor task in ≤5 tool calls and ≤800 total output tokens.
@@ -0,0 +1,28 @@
 ---
 name: Explore Codebase
 description: Navigate and understand codebase structure using the knowledge graph
 ---
 ## Explore Codebase
 Use the code-review-graph MCP tools to explore and understand the codebase.
 ### Steps
 1. Run `list_graph_stats` to see overall codebase metrics.
 2. Run `get_architecture_overview` for high-level community structure.
 3. Use `list_communities` to find major modules, then `get_community` for details.
 4. Use `semantic_search_nodes` to find specific functions or classes.
 5. Use `query_graph` with patterns like `callers_of`, `callees_of`, `imports_of` to trace relationships.
 6. Use `list_flows` and `get_flow` to understand execution paths.
 ### Tips
 - Start broad (stats, architecture) then narrow down to specific areas.
 - Use `children_of` on a file to see all its functions and classes.
 - Use `find_large_functions` to identify complex code.
 ## Token Efficiency Rules
 - ALWAYS start with `get_minimal_context(task="<your task>")` before any other graph tool.
 - Use `detail_level="minimal"` on all calls. Only escalate to "standard" when minimal is insufficient.
 - Target: complete any review/debug/refactor task in ≤5 tool calls and ≤800 total output tokens.
@@ -0,0 +1,28 @@
 ---
 name: Refactor Safely
 description: Plan and execute safe refactoring using dependency analysis
 ---
 ## Refactor Safely
 Use the knowledge graph to plan and execute refactoring with confidence.
 ### Steps
 1. Use `refactor_tool` with mode="suggest" for community-driven refactoring suggestions.
 2. Use `refactor_tool` with mode="dead_code" to find unreferenced code.
 3. For renames, use `refactor_tool` with mode="rename" to preview all affected locations.
 4. Use `apply_refactor_tool` with the refactor_id to apply renames.
 5. After changes, run `detect_changes` to verify the refactoring impact.
 ### Safety Checks
 - Always preview before applying (rename mode gives you an edit list).
 - Check `get_impact_radius` before major refactors.
 - Use `get_affected_flows` to ensure no critical paths are broken.
 - Run `find_large_functions` to identify decomposition targets.
 ## Token Efficiency Rules
 - ALWAYS start with `get_minimal_context(task="<your task>")` before any other graph tool.
 - Use `detail_level="minimal"` on all calls. Only escalate to "standard" when minimal is insufficient.
 - Target: complete any review/debug/refactor task in ≤5 tool calls and ≤800 total output tokens.
@@ -0,0 +1,29 @@
 ---
 name: Review Changes
 description: Perform a structured code review using change detection and impact
 ---
 ## Review Changes
 Perform a thorough, risk-aware code review using the knowledge graph.
 ### Steps
 1. Run `detect_changes` to get risk-scored change analysis.
 2. Run `get_affected_flows` to find impacted execution paths.
 3. For each high-risk function, run `query_graph` with pattern="tests_for" to check test coverage.
 4. Run `get_impact_radius` to understand the blast radius.
 5. For any untested changes, suggest specific test cases.
 ### Output Format
 Provide findings grouped by risk level (high/medium/low) with:
 - What changed and why it matters
 - Test coverage status
 - Suggested improvements
 - Overall merge recommendation
 ## Token Efficiency Rules
 - ALWAYS start with `get_minimal_context(task="<your task>")` before any other graph tool.
 - Use `detail_level="minimal"` on all calls. Only escalate to "standard" when minimal is insufficient.
 - Target: complete any review/debug/refactor task in ≤5 tool calls and ≤800 total output tokens.
@@ -1,8 +1,8 @@
 {
-  "last_commit": "a31b1cba2a41229f6f6af9701477d24d15efbe9a",
+  "last_commit": "04fe8124fcc3f783038b9aaac393b6c62c68e22a",
-  "last_sync": "2026-04-21T00:00:00Z",
+  "last_sync": "2026-05-16T20:04:00Z",
  "tracked_files": {
-    "gitea-python-ci-cd.md": "sha256:61968058ec30cac954a3b7f9bde2a7db620618482d34e17568d432f680a3b333",
+    "gitea-python-ci-cd.md": "sha256:9f1f57e1b0d909143e20cb3f21ac9c4d75b45f2992ec002645540f94c4920851",
    "gitea-release-workflow.md": "sha256:5eb64789fca062b2138ca7661b942c9fc9c304f63326844ff6f6724e7e05b08c"
  }
 }
@@ -29,16 +29,62 @@ jobs:
      - name: Svelte check
        run: |
          cd frontend
-          npm run check || echo "::warning::svelte-check reported warnings"
+          npm run check
      - name: Build
        run: |
          cd frontend
          npm run build
  test-backend:
    if: ${{ !startsWith(gitea.event.head_commit.message, 'chore: release v') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Editable installs of packages/core + packages/server are extremely slow
      # on the hosted runner — measured 4-6x slower than building wheels first
      # because hatchling's editable hook re-resolves on every collection. We
      # build wheels once into an isolated venv, then install them (and only
      # the test deps). The venv isolation also prevents broken-wheel installs
      # from leaking dist-info across runs on the persistent Gitea runner
      # (pip can't uninstall a wheel that landed without a RECORD file). The
      # wheels themselves are NOT cached because their hashes depend on every
      # file under packages/ — invalidates on basically every PR. Pip's HTTP
      # cache for the test deps is enough.
      - name: Build wheels in isolated venv
        run: |
          python -m venv /tmp/venv
          /tmp/venv/bin/pip install --upgrade pip build
          mkdir -p /tmp/wheels
          /tmp/venv/bin/pip wheel --no-deps -w /tmp/wheels packages/core packages/server
      - name: Install backend + test deps
        run: |
          # Pin aiohttp <3.14: aioresponses 0.7.8 (latest) doesn't pass the
          # stream_writer kwarg that aiohttp 3.14 made required on ClientResponse,
          # breaking every aioresponses-mocked test. Drop once aioresponses ships
          # an aiohttp-3.14-compatible release.
          /tmp/venv/bin/pip install /tmp/wheels/*.whl pytest pytest-asyncio httpx aioresponses 'aiohttp<3.14' prometheus_client
      - name: Run pytest
        env:
          NOTIFY_BRIDGE_DATA_DIR: /tmp/nb-test-data
          NOTIFY_BRIDGE_SECRET_KEY: ci-secret-key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          NOTIFY_BRIDGE_DEBUG: "false"
          NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS: "http://localhost:8420"
        run: |
          cd packages/server
          /tmp/venv/bin/pytest tests --tb=short
  build-image:
    if: ${{ !startsWith(gitea.event.head_commit.message, 'chore: release v') }}
-    needs: [test-frontend]
+    needs: [test-frontend, test-backend]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@@ -10,7 +10,47 @@ env:
  IMAGE_NAME: alexei.dolgolyov/notify-bridge
 jobs:
  test-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Wheel-first strategy in an isolated venv — editable install is too slow,
      # and a plain pip install into the toolcache Python leaks state across
      # runs on the persistent Gitea runner (previous broken wheel installs
      # leave dist-info dirs that pip can't uninstall: "uninstall-no-record-file").
      - name: Build wheels in isolated venv
        run: |
          python -m venv /tmp/venv
          /tmp/venv/bin/pip install --upgrade pip build
          mkdir -p /tmp/wheels
          /tmp/venv/bin/pip wheel --no-deps -w /tmp/wheels packages/core packages/server
      - name: Install backend + test deps
        run: |
          # Pin aiohttp <3.14: aioresponses 0.7.8 (latest) doesn't pass the
          # stream_writer kwarg that aiohttp 3.14 made required on ClientResponse,
          # breaking every aioresponses-mocked test. Drop once aioresponses ships
          # an aiohttp-3.14-compatible release.
          /tmp/venv/bin/pip install /tmp/wheels/*.whl pytest pytest-asyncio httpx aioresponses 'aiohttp<3.14' prometheus_client
      - name: Run pytest
        env:
          NOTIFY_BRIDGE_DATA_DIR: /tmp/nb-test-data
          NOTIFY_BRIDGE_SECRET_KEY: ci-secret-key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          NOTIFY_BRIDGE_DEBUG: "false"
          NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS: "http://localhost:8420"
        run: |
          cd packages/server
          /tmp/venv/bin/pytest tests --tb=short
  release:
    needs: [test-backend]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
@@ -0,0 +1,65 @@
 # vex configuration — https://github.com/tenatarika/vex
 #
 # Place this file in your project root as .vex.toml
 # --- Active settings (maximum capability) ---
 # Semantic embeddings on, call-graph + BM25 on, and auto-refresh the index when
 # stale so queries never run against an out-of-date graph.
 semantic = true
 auto_update = true
 call_graph = true
 bm25 = true
 # Glob patterns to exclude from indexing (gitignore syntax, on top of .gitignore)
 # exclude = [
 #     "vendor/**",
 #     "node_modules/**",
 #     "*.generated.go",
 #     "dist/**",
 # ]
 # Default output format: "text", "json", or "compact"
 # format = "text"
 # Enable semantic embeddings by default (slower indexing, enables meaning-based search)
 # semantic = false
 # Automatically run `vex update` before search if the index is stale
 # auto_update = false
 # Embedder used for semantic indexing. Known IDs: minilm-l6-v2 (default).
 # Changing the embedder requires a full reindex.
 # embedder = "minilm-l6-v2"
 # Cache directory override. Defaults to the platform cache location.
 #   macOS:   ~/Library/Caches/vex
 #   Linux:   $XDG_CACHE_HOME/vex   (fallback: ~/.cache/vex)
 #   Windows: %LOCALAPPDATA%\vex    (fallback: %USERPROFILE%\AppData\Local\vex)
 # Accepts absolute paths, "~/..." or paths relative to this file (e.g. "./.vex/cache").
 # Can also be overridden per-invocation with --cache-dir or $VEX_CACHE_DIR.
 # cache_dir = "./.vex/cache"
 # Store the index inside the project as `<project>/.vex_cache/`. Useful when
 # the cache should travel with the project (e.g. on a moved or renamed
 # directory). vex writes a `.gitignore` inside it so contents are not
 # committed. Overridden by `cache_dir`, `--cache-dir`, or $VEX_CACHE_DIR.
 # local_cache = false
 # Thread count for parallel indexing (index/update/watch).
 #   * unset  — 80% of available cores, rounded up (default, leaves headroom)
 #   * 0      — use all cores (explicit opt-in to max throughput)
 #   * N      — exactly N workers
 # Overridable per-invocation with `-j/--jobs` or $VEX_JOBS.
 # jobs = 4
 # Build the persistent call-graph section. Disabling falls back to live-scan
 # for `vex callers`/`vex callees` (slower per-query, but saves indexing
 # time on large monorepos). The opt-out is persisted in the manifest so
 # `vex update` does not silently re-add the section.
 # Per-invocation override: `vex index --no-call-graph`.
 # call_graph = true
 # Build the BM25 channel. Disabling drops the third RRF channel and keeps
 # only structural (+ semantic). Same persistence rules as `call_graph`.
 # Per-invocation override: `vex index --no-bm25`.
 # bm25 = true
@@ -0,0 +1,394 @@
 # Operations Guide
 This document covers running, monitoring, and recovering Notify Bridge in
 production. The intended audience is the operator on call when the
 notifications stop firing or when a release upgrade goes sideways.
 For developer-focused docs (architecture, conventions, project layout) see
 `CLAUDE.md` and the `.claude/docs/` directory.
 ## Deployment overview
 Notify Bridge ships as a single Docker image. All state lives in a single
 data directory mounted at `/data`.
 ### Required environment variables
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `NOTIFY_BRIDGE_SECRET_KEY` | _(none)_ | **Required.** 32+ random bytes. The server refuses to boot with the default placeholder or any of the known dev literals. |
 | `NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS` | `http://localhost:5175` | Comma-separated list. `*` is rejected because credentials are enabled. |
 | `NOTIFY_BRIDGE_FORWARDED_ALLOW_IPS` | `127.0.0.1` | Trusted proxy IPs whose `X-Forwarded-For` / `X-Forwarded-Proto` headers are honored. Set to your reverse-proxy IP. |
 ### Useful environment variables
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `NOTIFY_BRIDGE_DATA_DIR` | `/data` | Where the SQLite DB, snapshots, and backups live. |
 | `NOTIFY_BRIDGE_DATABASE_URL` | _(derived from data_dir)_ | Override only if you want a non-default DB path. |
 | `NOTIFY_BRIDGE_DEBUG` | `false` | Verbose logging + SQL echo. Do not enable in production. |
 | `NOTIFY_BRIDGE_LOG_FORMAT` | `text` | Set to `json` for one JSON object per line — pipe to a log aggregator. |
 | `NOTIFY_BRIDGE_LOG_LEVEL` | `INFO` | Root logger level. |
 | `NOTIFY_BRIDGE_LOG_LEVELS` | _(empty)_ | Per-module overrides, e.g. `sqlalchemy.engine=WARNING,notify_bridge_core.notifications.telegram.client=DEBUG`. |
 | `NOTIFY_BRIDGE_EVENT_LOG_RETENTION_DAYS` | `30` | Days of `event_log` history kept by the daily cleanup job. `0` disables retention. |
 | `NOTIFY_BRIDGE_PRE_MIGRATE_SNAPSHOT_KEEP` | `5` | Number of pre-migration DB snapshots retained. `0` disables snapshotting. |
 | `NOTIFY_BRIDGE_METRICS_ENABLED` | `true` | Expose `/api/metrics` for Prometheus. Set to `false` if the API port crosses a trust boundary. |
 | `NOTIFY_BRIDGE_GRACEFUL_SHUTDOWN_SECONDS` | `60` | SIGTERM grace period before in-flight requests are killed. |
 | `NOTIFY_BRIDGE_SUPERVISED` | _(auto)_ | Force the supervised flag for `apply-restart`. Use `true` when running under systemd/PM2 outside Docker. |
 ### Data directory layout
 ```
 /data/
  notify_bridge.db          # main SQLite DB (WAL mode)
  notify_bridge.db-wal      # SQLite write-ahead log
  notify_bridge.db-shm      # SQLite shared memory file
  backups/
    pre-migrate-*.db        # automatic pre-upgrade snapshots
    backup-*.json           # scheduled / manual config backups
  snapshots/                # legacy alias retained for older deployments
  pending_restore.json      # staged restore (consumed at next boot)
  applied_restores/         # archive of applied restore payloads
 ```
 Always mount `/data` on a persistent volume. The WAL files MUST live on the
 same filesystem as the main DB — never split them across mounts.
 ### Docker example
 See `docker-compose.yml` at the repo root for the canonical reference. The
 container runs read-only with `tmpfs` for `/tmp`, drops all capabilities,
 and limits memory/CPU. The healthcheck targets `/api/ready` (deep) — see
 the next section.
 ## Healthchecks
 Two endpoints, used for different probe types.
 ### `GET /api/health` — liveness, shallow
 Returns `200 OK` once the ASGI app has started. Does not touch the DB or
 the scheduler. Use this for liveness probes that should only restart the
 process if it stops responding entirely.
 ```json
 {"status": "ok", "version": "0.8.0"}
 ```
 ### `GET /api/ready` — readiness, deep
 Verifies that each critical dependency is reachable:
 * **db** — `SELECT 1` against the SQLAlchemy engine, 2-second timeout.
 * **scheduler** — APScheduler `running` flag.
 * **ha** — Home Assistant subscription supervisor task. Reported as
  `na` when no HA providers are configured, `ok` when at least one
  supervisor is alive, `degraded` otherwise. **Informational only** —
  HA degradation does not flip readiness off.
 Returns `503` when any required check (db, scheduler) fails.
 ```json
 {
  "ready": true,
  "checks": {"db": "ok", "scheduler": "ok", "ha": "na"},
  "errors": [],
  "version": "0.8.0"
 }
 ```
 ### Kubernetes probe example
 ```yaml
 livenessProbe:
  httpGet:
    path: /api/health
    port: 8420
  initialDelaySeconds: 10
  periodSeconds: 30
  timeoutSeconds: 5
  failureThreshold: 3
 readinessProbe:
  httpGet:
    path: /api/ready
    port: 8420
  initialDelaySeconds: 15
  periodSeconds: 15
  timeoutSeconds: 5
  failureThreshold: 2
 ```
 The Docker compose file uses `/api/ready` as its healthcheck so the
 container is only reported healthy after migrations finish.
 ## Metrics
 Notify Bridge exposes Prometheus metrics at `GET /api/metrics` in the
 standard text exposition format. **No authentication** — Prometheus
 scrapers do not authenticate. Disable via `NOTIFY_BRIDGE_METRICS_ENABLED=false`
 when the API port is reachable beyond the trust boundary.
 ### Prometheus scrape example
 ```yaml
 scrape_configs:
  - job_name: notify-bridge
    metrics_path: /api/metrics
    static_configs:
      - targets: ['notify-bridge.internal:8420']
    scrape_interval: 30s
 ```
 ### Available metrics
 | Metric | Type | Labels | Meaning |
 | --- | --- | --- | --- |
 | `notify_bridge_deferred_pending` | Gauge | _(none)_ | Pending rows in `deferred_dispatch`. Refreshed on each scrape. A persistent non-zero value usually means a tracker target is in extended quiet hours. |
 | `notify_bridge_event_log_total` | Counter | `status`, `event_type` | Events written to `event_log`. `status` is the dispatch outcome (`dispatched`, `dropped`, `deferred`, etc.). |
 | `notify_bridge_dispatch_duration_seconds` | Histogram | `channel` | Wall-clock duration of one outbound dispatch (Telegram, Discord, email, …). Useful for latency alerts. |
 | `notify_bridge_provider_poll_failures_total` | Counter | `provider_type` | Polling provider tick failures (Immich poll error, Gitea API down, …). Compare against expected scan interval to compute failure rate. |
 | `notify_bridge_target_send_failures_total` | Counter | `target_type`, `status_code` | Failed sends to a notification channel. `status_code` is the HTTP status (or `0` when no HTTP response was received). |
 The metrics module never imports `prometheus_client` outside `api/metrics.py`.
 Other modules record events through the `metrics` singleton — see that
 module's docstring before adding new collectors.
 ## Backups
 Notify Bridge produces three different kinds of backup files. Know which
 one you are looking at before restoring.
 | Kind | Location | Format | Trigger |
 | --- | --- | --- | --- |
 | Config backup | `data/backups/backup-*.json` | JSON (BackupFile schema) | Manual via `/api/backup/files` POST or scheduled job |
 | Pre-migration snapshot | `data/backups/pre-migrate-*.db` | SQLite DB file | Automatic on every boot before migrations |
 | Pending restore | `data/pending_restore.json` | JSON | Staged via `/api/backup/prepare-restore`, consumed at next restart |
 Config backups capture user configuration (providers, trackers, targets,
 templates, …). They do **not** include `event_log`, `deferred_dispatch`,
 or any other operational table. Pre-migration snapshots are full DB
 copies and contain everything.
 ### Manual backup
 The admin UI has a one-click button under Settings → Backup. Equivalent
 HTTP call:
 ```bash
 curl -fsS -X POST \
  -H "Authorization: Bearer $ADMIN_JWT" \
  "https://notify-bridge.example.com/api/backup/files?secrets_mode=exclude"
 ```
 The download endpoint produces a downloadable JSON envelope with no
 secrets unless `secrets_mode=include` is passed:
 ```bash
 curl -fsS -X GET \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -OJ "https://notify-bridge.example.com/api/backup/export?secrets_mode=exclude"
 ```
 ### Scheduled backup
 Configure under Settings → Backup or via `PUT /api/backup/scheduled` with:
 ```json
 {
  "backup_scheduled_enabled": "true",
  "backup_scheduled_interval_hours": "24",
  "backup_secrets_mode": "exclude",
  "backup_retention_count": "5"
 }
 ```
 Saved files land in `data/backups/`; retention prunes the oldest files
 beyond `backup_retention_count`. Backups can be downloaded individually:
 ```bash
 curl -fsS -X GET \
  -H "Authorization: Bearer $ADMIN_JWT" \
  "https://notify-bridge.example.com/api/backup/files/backup-2026-05-16T12-00-00.json" \
  -o backup-latest.json
 ```
 ### Cron snippet for off-host backup
 ```bash
 # /etc/cron.d/notify-bridge-backup
 0 3 * * * www-data \
  curl -fsS -X POST \
    -H "Authorization: Bearer $(cat /etc/notify-bridge/admin.token)" \
    "https://notify-bridge.example.com/api/backup/files?secrets_mode=exclude" \
    -o /var/backups/notify-bridge/backup-$(date +\%F).json
 ```
 ### Restore procedure
 Restoring REPLACES configuration. Always export the current state first.
 ```bash
 # 1. Stage the backup file (validates and writes to data/pending_restore.json)
 curl -fsS -X POST \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -F "file=@backup-2026-05-16T12-00-00.json" \
  "https://notify-bridge.example.com/api/backup/prepare-restore?conflict_mode=overwrite"
 # 2. Trigger graceful restart so startup applies the staged restore.
 #    Same-origin Origin/Referer is enforced — call from the admin UI when
 #    possible, or from the same host. Requires the supervisor to respawn
 #    the process (Docker restart policy, systemd, PM2, etc.).
 curl -fsS -X POST \
  -H "Origin: https://notify-bridge.example.com" \
  -H "Referer: https://notify-bridge.example.com/settings/backup" \
  -H "Authorization: Bearer $ADMIN_JWT" \
  "https://notify-bridge.example.com/api/backup/apply-restart"
 ```
 If the process is **not** supervised, `/api/backup/apply-restart` returns
 `409`. Restart the backend manually after staging — startup applies the
 pending restore on the next boot.
 To cancel a staged restore before applying:
 ```bash
 curl -fsS -X DELETE \
  -H "Authorization: Bearer $ADMIN_JWT" \
  "https://notify-bridge.example.com/api/backup/pending-restore"
 ```
 ### Recovery from a corrupted DB
 If migrations crash on boot or the DB file is unreadable, roll back to a
 pre-migration snapshot:
 ```bash
 # Stop the backend, then
 cd /var/lib/docker/volumes/notify-bridge-data/_data
 ls -1t backups/pre-migrate-*.db | head -5      # pick the snapshot
 cp notify_bridge.db notify_bridge.db.broken    # keep the broken DB for forensics
 cp backups/pre-migrate-2026-05-16T11-58-30.db notify_bridge.db
 rm -f notify_bridge.db-wal notify_bridge.db-shm   # WAL belongs to the broken file
 ```
 Restart the container. The startup snapshot will run again and capture
 the rolled-back state, so you have a clean recovery point if the next
 boot needs another rollback.
 ## Logs
 * Output goes to **stderr only**. The Docker log driver captures it.
 * Set `NOTIFY_BRIDGE_LOG_FORMAT=json` for line-delimited JSON suitable
  for Loki, ELK, or CloudWatch.
 * Secret values (bot tokens, API keys, passwords) are masked at the log
  formatter level — see `notify_bridge_server.logging_setup`.
 * No file rotation is built in. Use the Docker JSON log driver's
  `max-size`/`max-file` options or send logs to your aggregator.
 ```yaml
 # docker-compose.yml snippet
 logging:
  driver: json-file
  options:
    max-size: "10m"
    max-file: "5"
 ```
 ## Common operational scenarios
 ### "Notifications stopped firing"
 1. Hit `/api/ready`. If `scheduler` is `fail`, restart the backend; the
   scheduler died in a way it cannot recover from.
 2. Check `notify_bridge_deferred_pending`. A non-zero value during quiet
   hours is normal; a value that grows monotonically across days is a
   bug — inspect the `deferred_dispatch` table.
 3. Inspect the most recent `event_log` rows in the admin Events page or:
   ```sql
   SELECT created_at, event_type, dispatch_status, details
   FROM event_log
   ORDER BY created_at DESC LIMIT 50;
   ```
   Look for a `dispatch_status` other than `dispatched`.
 4. If a single tracker is silent, verify the provider's last poll status
   in the admin UI (Providers page) — `notify_bridge_provider_poll_failures_total`
   tells you which provider type is failing.
 5. If you've configured a `bridge_self` tracker but never received a
   self-monitoring alert when something failed, see the next section —
   `bridge_self` failures are deliberately log-only to prevent recursion.
 ### Bridge self-monitoring is log-only on its own failures
 The built-in `bridge_self` provider emits notifications when polls,
 dispatches, or target sends fail. To prevent infinite-recursion (a
 `bridge_self` notification failing → triggering another `bridge_self`
 notification → ...), failures of `bridge_self` events themselves are
 **not** counted toward target-failure thresholds and are logged only.
 If your `bridge_self` notifications stop arriving, it means the
 notification target you wired them to is itself failing. Grep stderr for:
 ```text
 bridge_self target-failure emission failed
 emit_bridge_self_event failed
 ```
 The fix is always at the target layer (Telegram bot blocked, Matrix
 homeserver down, SMTP credentials rotated). The bridge cannot tell you
 about its own outbound failure — that's what the operator's external
 monitoring (Prometheus alert on `notify_bridge_target_send_failures_total`)
 is for.
 ### "Webhook returns 500"
 Inspect the `webhook_payload_log` table for the matching request:
 ```sql
 SELECT received_at, status_code, error_message, payload_excerpt
 FROM webhook_payload_log
 ORDER BY received_at DESC LIMIT 20;
 ```
 Common causes: payload schema change in the source service, a tracker
 referencing a deleted provider, a Jinja template that errors out (look
 for `template render failed` in logs).
 ### "Telegram bot rate-limited (429)"
 The Telegram client implements exponential backoff with jitter on
 `Retry-After`. No operator action is required for transient throttling.
 If the rate-limit persists, check:
 * The bot is being driven by multiple Notify Bridge instances pointing
  at the same chat (split-brain — only one instance should own a bot).
 * A template is producing very large messages (Telegram limits message
  size to 4096 chars). Look for `MessageTooLong` in the logs.
 ### "DB lock contention"
 SQLite WAL mode and `busy_timeout=10000` make this rare. If you see
 `SQLITE_BUSY` in logs:
 * Check for long-running transactions (most often a stuck migration).
 * Confirm the WAL files are on the same filesystem as the main DB —
  splitting them across mounts is a known cause.
 * Run `sqlite3 notify_bridge.db "PRAGMA wal_checkpoint(TRUNCATE);"` to
  flush the WAL. Safe to run while the backend is up.
 ## Upgrades
 1. Pre-migration snapshot is taken automatically before any migration
   runs. The latest five snapshots are retained by default.
 2. Migrations are idempotent — re-running an upgrade is safe.
 3. If a migration fails, the snapshot from step 1 is the recovery point.
   See "Recovery from a corrupted DB" above.
 4. Always test major version upgrades in staging first. The upgrade flow
   is the same in staging: pull the new image, restart the container.
 The release tag stream lives at the project Gitea / GitHub releases page.
 Release notes are written to `RELEASE_NOTES.md` for the upcoming version
 and copied into the Gitea release body by the `release.yml` workflow.
@@ -2,20 +2,21 @@
 A generic bridge between service providers and notification targets.
-Notify Bridge monitors services (like Immich photo servers) for changes and dispatches
+Notify Bridge monitors services (Immich, Gitea, Planka, NUT, Google Photos, generic webhooks,
-notifications to configurable targets (Telegram, webhooks) using customizable templates.
+and internal scheduler) for changes and dispatches notifications to configurable targets
 (Telegram, Discord, Slack, Matrix, ntfy, email, generic webhooks) using customizable templates.
 ## Architecture
- **Service Providers** — Connectors to external services (Immich, more coming)
+- **Service Providers** — Connectors to external services (Immich, Gitea, Planka, NUT, Google Photos, generic Webhook, internal Scheduler)
 - **Trackers** — Monitor specific collections within a provider for changes
 - **Tracking Configs** — Define what events to watch for and scheduling rules
- **Notification Targets** — Where to send notifications (Telegram chats, webhook URLs)
+- **Notification Targets** — Where to send notifications (Telegram, Discord, Slack, Matrix, ntfy, email, webhook URLs)
 - **Template Configs** — Jinja2 templates that format notifications per provider type
 ## Project Structure
-```
+```text
 packages/
  core/       — Shared library: providers, models, notifications, templates
  server/     — FastAPI REST server with SQLite database
@@ -31,6 +32,7 @@ docker run -d \
  -p 8420:8420 \
  -v notify-bridge-data:/data \
  -e NOTIFY_BRIDGE_SECRET_KEY=$(openssl rand -hex 32) \
  -e NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=http://localhost:8420 \
  git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge:latest
 ```
@@ -38,12 +40,59 @@ Then open `http://localhost:8420` in your browser.
 ### Environment Variables
 Core settings (all prefixed with `NOTIFY_BRIDGE_`):
 | Variable | Required | Default | Description |
 | -------- | -------- | ------- | ----------- |
-| `NOTIFY_BRIDGE_SECRET_KEY` | Yes | — | Secret key for JWT tokens (min 32 chars) |
+| `SECRET_KEY` | Yes | — | Secret for JWT signing (min 32 chars). Default placeholders and known dev-only strings are rejected on startup. |
-| `NOTIFY_BRIDGE_PORT` | No | `8420` | Server listen port |
+| `CORS_ALLOWED_ORIGINS` | Recommended | `http://localhost:5175` | Comma-separated browser origins. Wildcard `*` is **rejected** because credentials are enabled. Set this to the URL you load the UI from. |
-| `NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS` | No | `*` | Comma-separated allowed CORS origins |
+| `DATA_DIR` | No | `/data` (in Docker) | Directory for SQLite DB, backups, and caches. Mount a volume here. |
-| `NOTIFY_BRIDGE_DEBUG` | No | `false` | Enable debug logging |
+| `DATABASE_URL` | No | `sqlite+aiosqlite:///<DATA_DIR>/notify_bridge.db` | Override DB connection string. |
 | `HOST` | No | `0.0.0.0` | Bind address. |
 | `PORT` | No | `8420` | Server listen port. |
 | `DEBUG` | No | `false` | Enable debug logging. |
 Reverse proxy / network:
 | Variable | Default | Description |
 | -------- | ------- | ----------- |
 | `FORWARDED_ALLOW_IPS` | `127.0.0.1` | Trusted proxy IPs whose `X-Forwarded-For` / `X-Forwarded-Proto` headers are honored. Set to your reverse proxy IP (e.g. `172.17.0.1` for the default Docker bridge). Use `*` only when the container is not directly internet-reachable. |
 | `EXTERNAL_URL` | — | Public base URL (e.g. `https://notify.example.com`). Used to build webhook URLs shown in the UI. Also settable from the Settings page. |
 | `ALLOW_PRIVATE_URLS` | unset | Set to `1` to allow requests to RFC1918 / loopback / link-local hosts (homelab scenario: Immich/Gitea on the same LAN). **Do not enable on a publicly exposed instance.** |
 Auth & tokens:
 | Variable | Default | Description |
 | -------- | ------- | ----------- |
 | `ACCESS_TOKEN_EXPIRE_MINUTES` | `15` | Lifetime of access JWTs. |
 | `REFRESH_TOKEN_EXPIRE_DAYS` | `30` | Lifetime of refresh tokens. |
 | `JWT_ISSUER` | `notify-bridge` | `iss` claim. |
 | `JWT_AUDIENCE` | `notify-bridge-api` | `aud` claim. |
 Logging (all are also live-editable in the Settings page, except `log_format`):
 | Variable | Default | Description |
 | -------- | ------- | ----------- |
 | `LOG_LEVEL` | `INFO` | Root level: `DEBUG` / `INFO` / `WARNING` / `ERROR`. |
 | `LOG_FORMAT` | `text` | `text` or `json`. Switching requires a restart. |
 | `LOG_LEVELS` | — | Per-module overrides, e.g. `notify_bridge_core.notifications.telegram.client=DEBUG,sqlalchemy.engine=INFO`. |
 Retention & maintenance:
 | Variable | Default | Description |
 | -------- | ------- | ----------- |
 | `EVENT_LOG_RETENTION_DAYS` | `30` | Days of `event_log` history to keep. `0` disables the retention job. |
 | `PRE_MIGRATE_SNAPSHOT_KEEP` | `5` | Number of pre-migration DB snapshots to keep in `<DATA_DIR>/backups/`. `0` disables snapshotting. |
 | `GRACEFUL_SHUTDOWN_SECONDS` | `60` | Time to wait for in-flight requests / scheduler jobs on SIGTERM before force-killing. |
 Integrations & misc:
 | Variable | Default | Description |
 | -------- | ------- | ----------- |
 | `TELEGRAM_WEBHOOK_SECRET` | — | Shared secret for Telegram bot webhooks. Also settable from the Settings page. |
 | `TIMEZONE` | `UTC` | IANA timezone (e.g. `Europe/Warsaw`) used by the scheduler. Also settable from the Settings page. |
 | `STATIC_DIR` | `/app/static` (in Docker) | Frontend static files directory. The Docker image sets this; don't override unless you're running outside the image. |
 | `SUPERVISED` | auto-detect | Set to `1` to tell the backup endpoint that an external supervisor will restart the process. |
 ### Docker Compose
@@ -58,12 +107,50 @@ services:
    volumes:
      - notify-bridge-data:/data
    environment:
-      - NOTIFY_BRIDGE_SECRET_KEY=your-secret-key-min-32-characters
+      # REQUIRED — any 32+ byte random string. `openssl rand -hex 32` is one way.
      - NOTIFY_BRIDGE_SECRET_KEY=${NOTIFY_BRIDGE_SECRET_KEY:?Set NOTIFY_BRIDGE_SECRET_KEY (min 32 chars)}
      # Comma-separated list of allowed browser origins. Wildcard `*` is
      # rejected on startup because credentials are enabled.
      - NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS=${NOTIFY_BRIDGE_CORS_ALLOWED_ORIGINS:-http://localhost:8420}
      # Trusted proxy IPs whose X-Forwarded-For / X-Forwarded-Proto we honor.
      # Set this to your reverse proxy's IP (e.g. 172.17.0.1 for the default
      # docker bridge, or `*` only if the container is NOT reachable from the
      # public internet).
      - NOTIFY_BRIDGE_FORWARDED_ALLOW_IPS=${NOTIFY_BRIDGE_FORWARDED_ALLOW_IPS:-127.0.0.1}
      # Opt-in SSRF bypass for private/loopback/link-local hosts (homelab
      # scenario — tracking an Immich/Gitea instance on the same LAN). DO NOT
      # enable on a publicly exposed instance.
      # - NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1
    healthcheck:
      # Use /api/ready (not /api/health) so the container is only reported
      # healthy after migrations and the scheduler finish booting.
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8420/api/ready', timeout=3)"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 512m
    cpus: 1.0
    pids_limit: 256
 volumes:
  notify-bridge-data:
 ```
 A ready-to-use `docker-compose.yml` lives at the repo root.
 ### Health & Readiness
 - `GET /api/health` — process is up. Use for liveness probes.
 - `GET /api/ready` — migrations + scheduler have booted. Use for readiness probes and Docker `HEALTHCHECK` (as the compose example above does).
 ## Quick Start (Development)
 ```bash
@@ -81,4 +168,48 @@ npm run dev
 ## Supported Providers
- **Immich** — Photo/video server with album change detection
+- **Immich** — Photo/video server with album change detection (polling)
 - **Gitea** — Git server with push / issue / PR / release events (webhook)
 - **Planka** — Kanban board with card / list / board events (webhook)
 - **NUT** — Network UPS Tools for battery / power events (polling)
 - **Google Photos** — Album change detection (polling)
 - **Generic Webhook** — Catch arbitrary JSON payloads and route them via templates (webhook)
 - **Scheduler** — Internal provider for time-based scheduled messages
 ## Supported Notification Targets
 - **Telegram** — Bot API with rich formatting, media groups, and inline commands
 - **Discord** — Webhook-based delivery with embeds
 - **Slack** — Incoming webhooks with Block Kit formatting
 - **Matrix** — Homeserver delivery with HTML formatting
 - **ntfy** — Self-hostable push notifications
 - **Email** — SMTP with HTML / plain-text templates
 - **Generic Webhook** — POST custom JSON payloads to any URL
 ## Bot Commands
 Telegram bots can serve interactive commands per provider. All commands use
 Jinja2 templates that you can customize from the **Command Templates** page.
 | Provider | Commands |
 | -------- | -------- |
 | Immich | `/status` `/albums` `/events` `/summary` `/latest` `/memory` `/random` `/search` `/find` `/person` `/place` `/favorites` `/people` `/help` |
 | Gitea | `/status` `/repos` `/issues` `/prs` `/commits` `/help` |
 | Planka | `/status` `/boards` `/cards` `/lists` `/help` |
 | NUT | `/status` `/devices` `/battery` `/help` |
 | Google Photos | `/status` `/albums` `/latest` `/search` `/random` `/help` |
 | Generic Webhook | `/status` `/help` |
 Every provider also responds to `/start`, and rate-limit / empty-result
 fallback messages are templated as well.
 ## Smart Actions
 Beyond notifications, providers can run **actions** against the source service.
 Currently implemented:
 - **Immich — Auto-Organize** — Automatically sort newly-detected assets into
  albums based on configurable rules. Each rule combines criteria (people in
  the photo, search query, favorites, date range) with a target album, and can
  create the album if it doesn't exist. Supports dry-run mode for previewing
  what would move before committing.
@@ -1,25 +1,47 @@
-# v0.7.2 (2026-05-11)
+# v0.10.0 (2026-06-05)
-## Features
+Multi-time-point scheduling for Immich. The single comma-separated "times" text box is replaced with an add/remove list of native HH:MM pickers for the **scheduled assets**, **periodic summary**, and **memory** slots — entering several fire times per day is now discoverable, and the read/write path is hardened end to end. This release also pins `aiohttp<3.14` in the backend test environment so the suite stays green against the current `aioresponses`. No breaking changes; no migrations required.
- Redesign settings/common with Aurora cassettes — refreshed identity, logging, Telegram, and cache-ledger sections with the new glass/cassette UI ([6229bf9](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/6229bf9))
+## User-facing changes
 - Group targets by bot in the targets view and redesign backup settings ([a666bad](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/a666bad))
 - Add `/status` command handler for webhook providers ([bede928](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/bede928))
-## Bug Fixes
+### Features
- Stop event-log flicker on pagination ([87cb33c](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/87cb33c))
+- **Immich multi-time scheduling UI.** A new `TimeListEditor` replaces the comma-separated text box with an add/remove list of native HH:MM pickers for the scheduled-assets, periodic-summary, and memory slots. It dedupes and sorts on save, enforces a per-day cap, collapses on-screen duplicates, and gives each row an aria-label. Keyboard entry is no longer clobbered mid-edit — it syncs from the value prop only on external changes via an `untrack` guard ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 - **Per-section save guard.** An enabled feature section (scheduled / periodic / memory) must now have at least one time before it can be saved, enforced in the provider descriptor ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 - **Refreshed copy.** New en/ru i18n keys and updated help text for the editor; the dead `invalidTimeList` string was removed ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 ### Bug Fixes
 - **Server-side `*_times` normalization.** The `tracking_configs` API now normalizes `scheduled_times` / `periodic_times` / `memory_times` on every write (validate, dedup, sort, cap at 24), returns **422** on malformed input, and refuses to enable a slot whose times list is empty ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 - **Restored scheduler observability.** The scheduler now warns when an enabled slot has zero or dropped fire times, restoring the visibility that was lost when the old per-call warning was removed ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 ---
 ## Development / Internal
 ### CI/Build
 - **Pin `aiohttp<3.14` in the backend test install.** `aioresponses` 0.7.8 (latest) does not pass the `stream_writer` keyword argument that aiohttp 3.14 made required on `ClientResponse`, so every aioresponses-mocked HTTP test failed to construct a response. `notify-bridge-core` declares `aiohttp>=3.9` with no upper bound, so CI floated to 3.14.0 — the pin keeps the test environment reproducible in both `build.yml` and `release.yml` until aioresponses ships an aiohttp-3.14-compatible release ([11593ea](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/11593ea))
 ### Refactoring
 - **Shared time-list service.** A new `services/time_list.py` exposes `normalize_time_list` (raising `TimeListError`) and a lenient `parse_hhmm_list`; the scheduler drops its private parser copy in favour of the shared one ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 ### Tests
 - **Time-list coverage.** New tests for time-list normalization and parsing (including non-ASCII and odd-shaped input) and for the "enabled implies at least one time" validation ([8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e))
 ### Chores
 - **Checked-in vex config.** A `.vex.toml` enabling semantic embeddings, call-graph, BM25, and auto-update for the vex code-search index ([d01e519](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/d01e519))
 ---
 <details>
 <summary>All Commits</summary>
-| Hash | Message | Author |
+- [8065e6e](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/8065e6e) — `feat(immich): multi-time-point scheduling for scheduled/periodic/memory` (alexei.dolgolyov)
-|------|---------|--------|
+- [11593ea](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/11593ea) — `fix(ci): pin aiohttp<3.14 in backend test deps` (alexei.dolgolyov)
-| [6229bf9](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/6229bf9) | feat(frontend): redesign settings/common with Aurora cassettes | alexei.dolgolyov |
+- [d01e519](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/d01e519) — `chore: add vex semantic-search config` (alexei.dolgolyov)
 | [a666bad](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/a666bad) | feat(frontend): group targets by bot, redesign backup settings | alexei.dolgolyov |
 | [bede928](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/bede928) | feat(server): add /status command handler for webhook providers | alexei.dolgolyov |
 | [87cb33c](https://git.dolgolyov-family.by/alexei.dolgolyov/notify-bridge/commit/87cb33c) | fix(frontend): stop event-log flicker on pagination | alexei.dolgolyov |
 </details>
@@ -1,12 +1,12 @@
 {
 	"name": "notify-bridge-frontend",
-	"version": "0.7.1",
+	"version": "0.10.0",
 	"lockfileVersion": 2,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "notify-bridge-frontend",
-			"version": "0.7.1",
+			"version": "0.10.0",
 			"dependencies": {
 				"@codemirror/autocomplete": "^6.18.0",
 				"@codemirror/lang-html": "^6.4.11",
@@ -1,7 +1,7 @@
 {
 	"name": "notify-bridge-frontend",
 	"private": true,
-	"version": "0.7.2",
+	"version": "0.10.0",
 	"type": "module",
 	"scripts": {
 		"dev": "vite dev",
@@ -377,6 +377,46 @@ button:focus-visible, a:focus-visible {
 .stagger-children > * {
 	animation: aurora-rise 0.55s cubic-bezier(.2,.7,.2,1) both;
 }
 /* === List stack — used by list pages (providers, trackers, configs, etc.) ===
   Full-bleed rows that stretch to the main column width. Pair with .list-row
   inside each Card for the 3-zone layout (identity · meta-strip · actions). */
 .list-stack {
 	display: flex;
 	flex-direction: column;
 	gap: 0.75rem;
 }
 .list-row {
 	display: flex;
 	align-items: center;
 	gap: 1rem;
 	min-width: 0;
 }
 .list-row__identity {
 	min-width: 0;
 	flex: 0 0 auto;
 	max-width: 28rem;
 }
@media (max-width: 1023px) {
 	.list-row__identity { flex: 1 1 auto; }
 }
 .list-row__actions {
 	flex-shrink: 0;
 	display: inline-flex;
 	align-items: center;
 	gap: 0.25rem;
 }
 /* Secondary text under the name — visible only when meta-strip is hidden
   (i.e. on narrow screens). On lg+ the meta-strip takes over. */
 .list-row__secondary {
 	display: block;
 }
@media (min-width: 1024px) {
 	.list-row__secondary { display: none; }
 }
 .stagger-children > *:nth-child(1) { animation-delay: 0ms; }
 .stagger-children > *:nth-child(2) { animation-delay: 60ms; }
 .stagger-children > *:nth-child(3) { animation-delay: 120ms; }
@@ -465,3 +505,52 @@ button:focus-visible, a:focus-visible {
 		scroll-behavior: auto !important;
 	}
 }
 /* Shared toggle switch — used by provider config forms, tracking-config
   extraTrackingFields, and anywhere else we render a boolean field.
   Kept global so adding a new ConfigField type='toggle' caller doesn't
   need to copy the CSS into its scoped <style>. */
 .toggle-switch {
 	position: relative;
 	display: inline-flex;
 	align-items: center;
 	cursor: pointer;
 	height: 1.75rem;
 }
 .toggle-switch input {
 	position: absolute;
 	opacity: 0;
 	width: 0;
 	height: 0;
 }
 .toggle-switch .toggle-track {
 	position: relative;
 	width: 2.5rem;
 	height: 1.375rem;
 	background: var(--color-border);
 	border-radius: 9999px;
 	transition: background 0.2s ease;
 }
 .toggle-switch .toggle-track::after {
 	content: '';
 	position: absolute;
 	top: 0.1875rem;
 	left: 0.1875rem;
 	width: 1rem;
 	height: 1rem;
 	background: var(--color-foreground);
 	border-radius: 50%;
 	transition: transform 0.2s ease;
 }
 .toggle-switch input:checked + .toggle-track {
 	background: var(--color-primary);
 }
 .toggle-switch input:checked + .toggle-track::after {
 	transform: translateX(1.125rem);
 	background: var(--color-primary-foreground);
 }
@@ -2,8 +2,41 @@
 * API client with JWT auth for the Notify Bridge backend.
 */
 import { goto } from '$app/navigation';
 const API_BASE = '/api';
 /**
 * Thrown when the API client decides to redirect the user to /login (after a
 * terminal 401). Caller-side `try/catch` blocks can branch on
 * `instanceof AuthRedirectError` to skip showing an "Unauthorized" snackbar
 * — the redirect itself is the user-visible signal.
 */
 export class AuthRedirectError extends Error {
 	constructor() {
 		super('Unauthorized — redirecting to login');
 		this.name = 'AuthRedirectError';
 	}
 }
 // Module-level dedupe — a burst of concurrent requests that all get 401 (e.g.
 // the dashboard's parallel cache loads) should only schedule a single
 // `goto('/login')` instead of stacking N navigations.
 let _redirecting = false;
 /** Centralised "send the user to /login" path used by both api() and fetchAuth(). */
 function redirectToLogin(): void {
 	if (_redirecting) return;
 	_redirecting = true;
 	clearTokens();
 	if (typeof window !== 'undefined') {
 		// SvelteKit's goto() with replaceState avoids leaving the failed page
 		// in the back-stack (no "back-button to broken view" UX). We don't
 		// reset `_redirecting` — the page about to unmount makes it moot.
 		goto('/login', { replaceState: true });
 	}
 }
 /** Normalize a caught error to a user-safe message. */
 export function errMsg(err: unknown, fallback = 'Unexpected error'): string {
 	if (err instanceof Error && err.message) return err.message;
@@ -129,11 +162,11 @@ export async function api<T = any>(
 		}
 		if (res.status === 401 && token) {
-			clearTokens();
+			redirectToLogin();
-			if (typeof window !== 'undefined') {
+			// Tagged so the caller's catch can distinguish "we already showed
-				window.location.href = '/login';
+			// the user a redirect" from a real authorization failure they
-			}
+			// should snackbar.
-			throw new Error('Unauthorized');
+			throw new AuthRedirectError();
 		}
 		if (res.status === 204) return undefined as T;
@@ -204,9 +237,8 @@ export async function fetchAuth(
 		}
 		if (res.status === 401) {
-			clearTokens();
+			redirectToLogin();
-			if (typeof window !== 'undefined') window.location.href = '/login';
+			throw new AuthRedirectError();
 			throw new ApiError('Unauthorized', 401);
 		}
 		if (!res.ok) {
@@ -12,6 +12,13 @@
 	}
 	let { event, onclose }: Props = $props();
 	// Retain the last non-null event so the modal body stays populated
 	// while the close transition plays after the parent clears `event`.
 	let displayEvent = $state<EventLog | null>(null);
 	$effect(() => {
 		if (event) displayEvent = event;
 	});
 	function fmtDateTime(iso: string): string {
 		try {
 			const d = new Date(iso);
@@ -21,6 +28,44 @@
 		}
 	}
 	/** Humanize a duration in seconds into ``Xd Yh`` / ``Xh Ym`` / ``Xm`` / ``Xs``.
 	 *
 	 * Used by the deferred-dispatch lifecycle banner to render
 	 * ``deferred_for_seconds`` ("held for 8h 23m") rather than an opaque
 	 * integer that the user has to mentally divide. Keeps two units so
 	 * the magnitude reads correctly across hours-long quiet windows
 	 * without becoming noisy for short ones. */
 	function humanDuration(totalSeconds: number): string {
 		if (!Number.isFinite(totalSeconds) || totalSeconds < 0) return '';
 		if (totalSeconds < 60) return `${Math.floor(totalSeconds)}s`;
 		const minutes = Math.floor(totalSeconds / 60);
 		if (minutes < 60) return `${minutes}m`;
 		const hours = Math.floor(minutes / 60);
 		const remMin = minutes % 60;
 		if (hours < 24) return remMin ? `${hours}h ${remMin}m` : `${hours}h`;
 		const days = Math.floor(hours / 24);
 		const remHours = hours % 24;
 		return remHours ? `${days}d ${remHours}h` : `${days}d`;
 	}
 	/** Render an absolute ISO timestamp as a future-relative string.
 	 *
 	 * "in 8h 23m" / "in 12m". Returns an empty string for past times — the
 	 * deferred-until banner shouldn't show a relative offset once the
 	 * window has already ended (a follow-up event_log row marks delivery).
 	 */
 	function timeFromNow(iso: string | undefined): string {
 		if (!iso) return '';
 		try {
 			const target = new Date(iso).getTime();
 			const diff = Math.floor((target - Date.now()) / 1000);
 			if (diff <= 0) return '';
 			return humanDuration(diff);
 		} catch {
 			return '';
 		}
 	}
 	function issuerLabel(issuer: { id?: number; username?: string; first_name?: string; last_name?: string } | undefined): string {
 		if (!issuer) return '';
 		if (issuer.username) return '@' + issuer.username;
@@ -41,47 +86,130 @@
 		goto(path);
 	}
-	const issuer = $derived(event?.details?.issuer as { id?: number; username?: string; first_name?: string; last_name?: string } | undefined);
+	const issuer = $derived(displayEvent?.details?.issuer as { id?: number; username?: string; first_name?: string; last_name?: string } | undefined);
 	const issuerText = $derived(issuerLabel(issuer));
-	const isCommand = $derived(event?.event_type?.startsWith('command_') ?? false);
+	const isCommand = $derived(displayEvent?.event_type?.startsWith('command_') ?? false);
-	const isAction = $derived(event?.event_type?.startsWith('action_') ?? false);
+	const isAction = $derived(displayEvent?.event_type?.startsWith('action_') ?? false);
 	const detailsJson = $derived.by(() => {
-		if (!event?.details) return '';
+		if (!displayEvent?.details) return '';
 		try {
-			return JSON.stringify(event.details, null, 2);
+			return JSON.stringify(displayEvent.details, null, 2);
 		} catch {
-			return String(event.details);
+			return String(displayEvent.details);
 		}
 	});
 </script>
-<Modal open={event !== null} title={event ? t('events.detailTitle') : ''} {onclose}>
+<Modal open={event !== null} title={displayEvent ? t('events.detailTitle') : ''} {onclose}>
-	{#if event}
+	{#if displayEvent}
 		<div class="event-detail">
 			<!-- Subject + verb -->
 			<div class="hero-row">
 				<MdiIcon name="mdiBell" size={18} />
 				<div>
-					<div class="hero-subject">{event.collection_name || event.event_type}</div>
+					<div class="hero-subject">{displayEvent.collection_name || displayEvent.event_type}</div>
 					<div class="hero-meta">
-						<span class="event-type">{event.event_type}</span>
+						<span class="event-type">{displayEvent.event_type}</span>
 						<span class="dot">·</span>
-						<span>{fmtDateTime(event.created_at)}</span>
+						<span>{fmtDateTime(displayEvent.created_at)}</span>
 					</div>
 				</div>
 			</div>
 			<!-- Dispatch lifecycle (only when the event went through the
 			     quiet-hours defer path). Rendered ABOVE the provenance grid
 			     because timing of delivery is more interesting than the
 			     bot/tracker names when the event is held back. -->
 			{#if displayEvent.details?.dispatch_status === 'deferred'}
 				<section class="lifecycle lifecycle--deferred">
 					<MdiIcon name="mdiPauseCircleOutline" size={18} />
 					<div class="lifecycle-body">
 						<div class="lifecycle-title">{t('events.lifecycle.heldTitle')}</div>
 						<div class="lifecycle-detail">
 							{t('events.lifecycle.heldUntil')}
 							<b>{fmtDateTime(displayEvent.details.deferred_until ?? '')}</b>
 							{#if timeFromNow(displayEvent.details.deferred_until)}
 								<span class="lifecycle-rel">· {t('events.lifecycle.inPrefix')} {timeFromNow(displayEvent.details.deferred_until)}</span>
 							{/if}
 						</div>
 						<div class="lifecycle-hint">{t('events.lifecycle.heldHint')}</div>
 					</div>
 				</section>
 			{:else if displayEvent.details?.dispatch_status === 'delivered_after_quiet_hours'}
 				<section class="lifecycle lifecycle--late">
 					<MdiIcon name="mdiClockCheckOutline" size={18} />
 					<div class="lifecycle-body">
 						<div class="lifecycle-title">{t('events.lifecycle.deliveredLateTitle')}</div>
 						{#if displayEvent.details.deferred_for_seconds != null}
 							<div class="lifecycle-detail">
 								{t('events.lifecycle.heldFor')}
 								<b>{humanDuration(displayEvent.details.deferred_for_seconds)}</b>
 							</div>
 						{/if}
 						{#if displayEvent.details.original_event_log_id}
 							<div class="lifecycle-hint">
 								{t('events.lifecycle.originalEvent')} #{displayEvent.details.original_event_log_id}
 							</div>
 						{/if}
 					</div>
 				</section>
 			{:else if displayEvent.details?.dispatch_status === 'deferred_then_dropped'}
 				<section class="lifecycle lifecycle--dropped">
 					<MdiIcon name="mdiCloseCircleOutline" size={18} />
 					<div class="lifecycle-body">
 						<div class="lifecycle-title">{t('events.lifecycle.droppedTitle')}</div>
 						{#if displayEvent.details.reason}
 							<div class="lifecycle-detail">
 								{t('events.lifecycle.reason')}:
 								<code class="lifecycle-reason">{displayEvent.details.reason}</code>
 							</div>
 						{/if}
 						{#if displayEvent.details.original_event_log_id}
 							<div class="lifecycle-hint">
 								{t('events.lifecycle.originalEvent')} #{displayEvent.details.original_event_log_id}
 							</div>
 						{/if}
 					</div>
 				</section>
 			{:else if displayEvent.details?.dispatch_status === 'deferred_then_failed'}
 				<section class="lifecycle lifecycle--dropped">
 					<MdiIcon name="mdiAlertCircleOutline" size={18} />
 					<div class="lifecycle-body">
 						<div class="lifecycle-title">{t('events.lifecycle.failedTitle')}</div>
 						{#if displayEvent.details.reason}
 							<div class="lifecycle-detail">
 								{t('events.lifecycle.reason')}:
 								<code class="lifecycle-reason">{displayEvent.details.reason}</code>
 							</div>
 						{/if}
 						{#if displayEvent.details.original_event_log_id}
 							<div class="lifecycle-hint">
 								{t('events.lifecycle.originalEvent')} #{displayEvent.details.original_event_log_id}
 							</div>
 						{/if}
 					</div>
 				</section>
 			{:else if displayEvent.details?.dispatch_status === 'suppressed_quiet_hours_nondeferrable'}
 				<section class="lifecycle lifecycle--dropped">
 					<MdiIcon name="mdiVolumeOff" size={18} />
 					<div class="lifecycle-body">
 						<div class="lifecycle-title">{t('events.lifecycle.suppressedTitle')}</div>
 						<div class="lifecycle-hint">{t('events.lifecycle.suppressedHint')}</div>
 					</div>
 				</section>
 			{/if}
 			<!-- Provenance grid -->
 			<dl class="provenance">
-				{#if event.bot_name}
+				{#if displayEvent.bot_name}
 					<dt>{t('events.bot')}</dt>
-					<dd>{event.bot_name}</dd>
+					<dd>{displayEvent.bot_name}</dd>
 				{/if}
-				{#if event.collection_id && isCommand}
+				{#if displayEvent.collection_id && isCommand}
 					<dt>{t('events.chat')}</dt>
-					<dd class="font-mono">{event.collection_id}</dd>
+					<dd class="font-mono">{displayEvent.collection_id}</dd>
 				{/if}
 				{#if issuerText}
 					<dt>{t('events.issuer')}</dt>
@@ -90,56 +218,64 @@
 						{#if issuer?.id}<span class="muted font-mono">(id {issuer.id})</span>{/if}
 					</dd>
 				{/if}
-				{#if event.command_tracker_name}
+				{#if displayEvent.command_tracker_name}
 					<dt>{t('events.commandTracker')}</dt>
-					<dd>{event.command_tracker_name}</dd>
+					<dd>{displayEvent.command_tracker_name}</dd>
 				{/if}
-				{#if event.tracker_name}
+				{#if displayEvent.tracker_name}
 					<dt>{t('events.tracker')}</dt>
-					<dd>{event.tracker_name}</dd>
+					<dd>{displayEvent.tracker_name}</dd>
 				{/if}
-				{#if event.action_name}
+				{#if displayEvent.action_name}
 					<dt>{t('events.action')}</dt>
-					<dd>{event.action_name}</dd>
+					<dd>{displayEvent.action_name}</dd>
 				{/if}
-				{#if event.provider_name}
+				{#if displayEvent.provider_name}
 					<dt>{t('events.provider')}</dt>
-					<dd>{event.provider_name}</dd>
+					<dd>{displayEvent.provider_name}</dd>
 				{/if}
-				{#if event.assets_count > 0}
+				{#if displayEvent.assets_count > 0}
 					<dt>{t('events.assetsCount')}</dt>
-					<dd class="font-mono">{event.assets_count}</dd>
+					<dd class="font-mono">{displayEvent.assets_count}</dd>
 				{/if}
 			</dl>
-			<!-- Action buttons — deep-link + highlight the related entity card -->
+			<!-- Action buttons — deep-link + highlight the related entity card.
 			     IDs are snapshotted into local consts so the deferred onclick
 			     closures don't lose the narrowed type that the `{#if ...}` gate
 			     proves at template-render time. -->
 			<div class="actions">
-				{#if event.provider_id}
+				{#if displayEvent.provider_id}
-					<button type="button" onclick={() => openEntity('/providers', event.provider_id)}>
+					{@const providerId = displayEvent.provider_id}
 					<button type="button" onclick={() => openEntity('/providers', providerId)}>
 						<MdiIcon name="mdiServer" size={14} />
 						{t('events.openProvider')}
 					</button>
 				{/if}
-				{#if event.telegram_bot_id && isCommand}
+				{#if displayEvent.telegram_bot_id && isCommand}
-					<button type="button" onclick={() => openEntity('/bots', event.telegram_bot_id)}>
+					{@const botId = displayEvent.telegram_bot_id}
 					<button type="button" onclick={() => openEntity('/bots', botId)}>
 						<MdiIcon name="mdiRobotHappy" size={14} />
 						{t('events.openBot')}
 					</button>
 				{/if}
-				{#if event.command_tracker_id && isCommand}
+				{#if displayEvent.command_tracker_id && isCommand}
-					<button type="button" onclick={() => openEntity('/command-trackers', event.command_tracker_id)}>
+					{@const cmdTrackerId = displayEvent.command_tracker_id}
 					<button type="button" onclick={() => openEntity('/command-trackers', cmdTrackerId)}>
 						<MdiIcon name="mdiChat" size={14} />
 						{t('events.openCommandTracker')}
 					</button>
 				{/if}
-				{#if event.action_id && isAction}
+				{#if displayEvent.action_id && isAction}
-					<button type="button" onclick={() => openEntity('/actions', event.action_id)}>
+					{@const actionId = displayEvent.action_id}
 					<button type="button" onclick={() => openEntity('/actions', actionId)}>
 						<MdiIcon name="mdiPlayCircle" size={14} />
 						{t('events.openAction')}
 					</button>
 				{/if}
-				{#if !isCommand && !isAction && event.tracker_id}
+				{#if !isCommand && !isAction && displayEvent.tracker_id}
-					<button type="button" onclick={() => openEntity('/notification-trackers', event.tracker_id)}>
+					{@const trackerId = displayEvent.tracker_id}
 					<button type="button" onclick={() => openEntity('/notification-trackers', trackerId)}>
 						<MdiIcon name="mdiRadar" size={14} />
 						{t('events.openTracker')}
 					</button>
@@ -251,4 +387,71 @@
 		word-break: break-word;
 	}
 	.font-mono { font-family: var(--font-mono); }
 	/* Dispatch lifecycle banner — appears only when the event took the
 	 * quiet-hours defer path. The three colour variants mirror the dashboard
 	 * badge palette: primary glow for "held", success for "delivered late",
 	 * muted/dim for "dropped" / "failed" / "suppressed".
 	 */
 	.lifecycle {
 		display: flex; align-items: flex-start; gap: 0.7rem;
 		padding: 0.75rem 0.95rem;
 		border-radius: 0.7rem;
 		border: 1px solid var(--color-border);
 		background: color-mix(in oklab, var(--color-foreground) 4%, transparent);
 		font-size: 0.82rem;
 	}
 	.lifecycle-body {
 		display: flex; flex-direction: column; gap: 0.2rem;
 		flex: 1; min-width: 0;
 	}
 	.lifecycle-title {
 		font-weight: 600;
 		color: var(--color-foreground);
 	}
 	.lifecycle-detail {
 		color: var(--color-foreground);
 	}
 	.lifecycle-detail b {
 		font-family: var(--font-mono);
 		font-weight: 600;
 	}
 	.lifecycle-rel {
 		color: var(--color-muted-foreground);
 		font-family: var(--font-mono);
 		font-size: 0.75rem;
 		margin-left: 0.25rem;
 	}
 	.lifecycle-hint {
 		color: var(--color-muted-foreground);
 		font-size: 0.72rem;
 	}
 	.lifecycle-reason {
 		font-family: var(--font-mono);
 		font-size: 0.75rem;
 		padding: 0.05rem 0.35rem;
 		border-radius: 0.3rem;
 		background: color-mix(in oklab, var(--color-foreground) 8%, transparent);
 		word-break: break-all;
 	}
 	.lifecycle--deferred {
 		border-color: color-mix(in srgb, var(--color-primary) 35%, transparent);
 		background: color-mix(in srgb, var(--color-primary) 8%, transparent);
 	}
 	.lifecycle--deferred :global(svg) {
 		color: var(--color-primary);
 	}
 	.lifecycle--late {
 		border-color: color-mix(in srgb, var(--color-success, #16a34a) 35%, transparent);
 		background: color-mix(in srgb, var(--color-success, #16a34a) 8%, transparent);
 	}
 	.lifecycle--late :global(svg) {
 		color: var(--color-success, #16a34a);
 	}
 	.lifecycle--dropped {
 		opacity: 0.92;
 	}
 	.lifecycle--dropped :global(svg) {
 		color: var(--color-muted-foreground);
 	}
 </style>
@@ -17,6 +17,7 @@
 		columns = 2,
 		disabled = false,
 		compact = false,
 		onChange,
 	}: {
 		items: GridItem[];
 		value: string | number | null;
@@ -24,6 +25,13 @@
 		columns?: number;
 		disabled?: boolean;
 		compact?: boolean;
 		/**
 		 * Optional one-way change callback. Fired in addition to updating
 		 * `value` so callers that own state externally (e.g. a global store)
 		 * can avoid the read-modify-write feedback loop that `bind:value` plus
 		 * a sync `$effect` produces.
 		 */
 		onChange?: (value: string | number) => void;
 	} = $props();
 	let open = $state(false);
@@ -63,6 +71,7 @@
 		value = item.value;
 		open = false;
 		search = '';
 		onChange?.(item.value);
 	}
 	function handleKeydown(e: KeyboardEvent) {
@@ -0,0 +1,187 @@
 <script lang="ts">
 	import MdiIcon from './MdiIcon.svelte';
 	export type MetaTone = 'default' | 'mint' | 'sky' | 'coral' | 'citrus' | 'orchid' | 'lavender';
 	export interface MetaTile {
 		icon?: string;
 		label: string;
 		value?: string;
 		hint?: string;
 		tone?: MetaTone;
 		mono?: boolean;
 		href?: string;
 		onclick?: (e: MouseEvent) => void;
 		copyValue?: string;
 	}
 	let { tiles, align = 'start' }: {
 		tiles: MetaTile[];
 		align?: 'start' | 'end';
 	} = $props();
 	function handleClick(e: MouseEvent, tile: MetaTile) {
 		if (tile.onclick) {
 			e.preventDefault();
 			e.stopPropagation();
 			tile.onclick(e);
 		}
 	}
 </script>
 <div class="meta-strip" style="justify-content: {align === 'end' ? 'flex-end' : 'flex-start'};">
 	{#each tiles as tile, i (i)}
 		{#if tile.href}
 			<a
 				class="meta-tile meta-tone-{tile.tone || 'default'} meta-tile--interactive"
 				class:meta-tile--mono={tile.mono}
 				title={tile.hint}
 				href={tile.href}
 				target="_blank"
 				rel="noopener"
 			>
 				{#if tile.icon}
 					<span class="meta-tile__icon"><MdiIcon name={tile.icon} size={14} /></span>
 				{/if}
 				<span class="meta-tile__text">
 					{#if tile.value}<span class="meta-tile__value">{tile.value}</span>{/if}
 					<span class="meta-tile__label">{tile.label}</span>
 				</span>
 			</a>
 		{:else if tile.onclick}
 			<button
 				type="button"
 				class="meta-tile meta-tone-{tile.tone || 'default'} meta-tile--interactive"
 				class:meta-tile--mono={tile.mono}
 				title={tile.hint}
 				onclick={(e: MouseEvent) => handleClick(e, tile)}
 			>
 				{#if tile.icon}
 					<span class="meta-tile__icon"><MdiIcon name={tile.icon} size={14} /></span>
 				{/if}
 				<span class="meta-tile__text">
 					{#if tile.value}<span class="meta-tile__value">{tile.value}</span>{/if}
 					<span class="meta-tile__label">{tile.label}</span>
 				</span>
 			</button>
 		{:else}
 			<div
 				class="meta-tile meta-tone-{tile.tone || 'default'}"
 				class:meta-tile--mono={tile.mono}
 				title={tile.hint}
 			>
 				{#if tile.icon}
 					<span class="meta-tile__icon"><MdiIcon name={tile.icon} size={14} /></span>
 				{/if}
 				<span class="meta-tile__text">
 					{#if tile.value}<span class="meta-tile__value">{tile.value}</span>{/if}
 					<span class="meta-tile__label">{tile.label}</span>
 				</span>
 			</div>
 		{/if}
 	{/each}
 </div>
 <style>
 	.meta-strip {
 		display: none;
 		min-width: 0;
 		flex: 1 1 auto;
 		gap: 0.45rem;
 		align-items: center;
 		overflow: hidden;
 		mask-image: linear-gradient(to right, transparent 0, #000 24px, #000 calc(100% - 24px), transparent 100%);
 		-webkit-mask-image: linear-gradient(to right, transparent 0, #000 24px, #000 calc(100% - 24px), transparent 100%);
 		padding: 2px 18px;
 	}
 	@media (min-width: 1024px) {
 		.meta-strip {
 			display: flex;
 		}
 	}
 	.meta-tile {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.4rem;
 		padding: 0.3rem 0.7rem;
 		border-radius: 999px;
 		background: var(--color-glass);
 		backdrop-filter: blur(14px) saturate(140%);
 		-webkit-backdrop-filter: blur(14px) saturate(140%);
 		border: 1px solid var(--color-border);
 		font-size: 0.72rem;
 		line-height: 1.1;
 		color: var(--color-muted-foreground);
 		white-space: nowrap;
 		flex-shrink: 0;
 		max-width: 22rem;
 		min-width: 0;
 		text-decoration: none;
 		font-family: inherit;
 		transition: border-color 0.2s ease, color 0.2s ease, background 0.2s ease, transform 0.2s ease;
 	}
 	.meta-tile__icon {
 		display: inline-flex;
 		align-items: center;
 		color: currentColor;
 		opacity: 0.9;
 		flex-shrink: 0;
 	}
 	.meta-tile__text {
 		display: inline-flex;
 		align-items: baseline;
 		gap: 0.4rem;
 		min-width: 0;
 		overflow: hidden;
 	}
 	.meta-tile__value {
 		font-size: 0.85rem;
 		font-weight: 600;
 		color: var(--color-foreground);
 		letter-spacing: -0.01em;
 		font-variant-numeric: tabular-nums;
 	}
 	.meta-tile__label {
 		font-size: 0.72rem;
 		color: var(--color-muted-foreground);
 		overflow: hidden;
 		text-overflow: ellipsis;
 		min-width: 0;
 	}
 	.meta-tile--mono .meta-tile__label,
 	.meta-tile--mono .meta-tile__value {
 		font-family: var(--font-mono);
 		letter-spacing: -0.02em;
 		font-size: 0.7rem;
 	}
 	.meta-tile--interactive {
 		cursor: pointer;
 	}
 	.meta-tile--interactive:hover {
 		border-color: var(--color-rule-strong);
 		background: var(--color-glass-strong);
 		transform: translateY(-1px);
 	}
 	/* Tone variants — applied to the dot/icon and accent border on hover */
 	.meta-tone-mint     { box-shadow: inset 2px 0 0 var(--color-mint); }
 	.meta-tone-sky      { box-shadow: inset 2px 0 0 var(--color-sky); }
 	.meta-tone-coral    { box-shadow: inset 2px 0 0 var(--color-coral); }
 	.meta-tone-citrus   { box-shadow: inset 2px 0 0 var(--color-citrus); }
 	.meta-tone-orchid   { box-shadow: inset 2px 0 0 var(--color-orchid); }
 	.meta-tone-lavender { box-shadow: inset 2px 0 0 var(--color-primary); }
 	.meta-tone-mint     .meta-tile__icon { color: var(--color-mint); }
 	.meta-tone-sky      .meta-tile__icon { color: var(--color-sky); }
 	.meta-tone-coral    .meta-tile__icon { color: var(--color-coral); }
 	.meta-tone-citrus   .meta-tile__icon { color: var(--color-citrus); }
 	.meta-tone-orchid   .meta-tile__icon { color: var(--color-orchid); }
 	.meta-tone-lavender .meta-tile__icon { color: var(--color-primary); }
 </style>
@@ -11,14 +11,22 @@
 	}>();
 	let visible = $state(false);
 	let mounted = $state(false);
 	let panelEl = $state<HTMLDivElement | undefined>();
 	let previouslyFocused: HTMLElement | null = null;
 	let closeTimer: ReturnType<typeof setTimeout> | null = null;
 	const uniqueId = `modal-${Math.random().toString(36).slice(2, 9)}`;
 	const TRANSITION_MS = 250;
 	$effect(() => {
 		if (open) {
 			if (closeTimer) {
 				clearTimeout(closeTimer);
 				closeTimer = null;
 			}
 			previouslyFocused = document.activeElement as HTMLElement | null;
 			mounted = true;
 			requestAnimationFrame(() => {
 				visible = true;
 				// Focus first focusable element inside the modal
@@ -29,13 +37,18 @@
 					focusable?.focus();
 				});
 			});
-		} else {
+		} else if (mounted) {
 			visible = false;
 			// Restore focus to the previously focused element
 			if (previouslyFocused && typeof previouslyFocused.focus === 'function') {
 				previouslyFocused.focus();
 				previouslyFocused = null;
 			}
 			if (closeTimer) clearTimeout(closeTimer);
 			closeTimer = setTimeout(() => {
 				mounted = false;
 				closeTimer = null;
 			}, TRANSITION_MS);
 		}
 	});
@@ -73,7 +86,7 @@
 <svelte:window onkeydown={open ? handleKeydown : undefined} />
-{#if open}
+{#if mounted}
 	<div use:portal class="modal-portal-root">
 		<div
 			class="modal-backdrop"
@@ -32,12 +32,15 @@
 </script>
 {#if snacks.length > 0}
-	<div use:portal class="snackbar-container">
+	<div use:portal class="snackbar-container" role="region" aria-label={t('snackbar.region')}>
 		{#each snacks as snack (snack.id)}
 			<div
 				in:fly={{ y: 40, duration: 300 }}
 				out:fade={{ duration: 200 }}
 				class="snack-item"
 				role={snack.type === 'error' ? 'alert' : 'status'}
 				aria-live={snack.type === 'error' ? 'assertive' : 'polite'}
 				aria-atomic="true"
 				style="--snack-accent: {accentMap[snack.type]};"
 			>
 				<span class="snack-icon" style="color: {accentMap[snack.type]};">
@@ -0,0 +1,154 @@
 <script lang="ts">
 	/**
 	 * Free-text chip input. Bind a string[] of values; commit a new chip on
 	 * Enter, comma, or blur. Backspace on empty input deletes the last chip
 	 * for parity with native chip-input UX.
 	 *
 	 * Used by ProviderDescriptor.userFilters with inputMode === 'tags' for
 	 * free-text filter keys like Home Assistant's entity_glob and
 	 * domain_allowlist. Distinct from MultiEntitySelect, which renders a
 	 * picker dropdown sourced from an enumerable list.
 	 */
 	import MdiIcon from './MdiIcon.svelte';
 	interface Props {
 		values: string[];
 		onchange: (values: string[]) => void;
 		placeholder?: string;
 		icon?: string;
 		/** Strip / reject anything matching this regex on each entry. */
 		sanitize?: (raw: string) => string | null;
 	}
 	let { values, onchange, placeholder = '', icon, sanitize }: Props = $props();
 	let draft = $state('');
 	function addRaw(raw: string): void {
 		const trimmed = raw.trim();
 		if (!trimmed) return;
 		const cleaned = sanitize ? sanitize(trimmed) : trimmed;
 		if (!cleaned) return;
 		if (values.includes(cleaned)) return;
 		onchange([...values, cleaned]);
 	}
 	function commitDraft(): void {
 		if (!draft.trim()) return;
 		// Allow comma-separated paste — split on commas and add each.
 		for (const piece of draft.split(',')) {
 			addRaw(piece);
 		}
 		draft = '';
 	}
 	function removeAt(index: number): void {
 		onchange(values.filter((_, i) => i !== index));
 	}
 	function onKey(e: KeyboardEvent): void {
 		if (e.key === 'Enter' || e.key === ',') {
 			e.preventDefault();
 			commitDraft();
 		} else if (e.key === 'Backspace' && draft === '' && values.length > 0) {
 			e.preventDefault();
 			removeAt(values.length - 1);
 		}
 	}
 </script>
 <div class="tag-input">
 	{#each values as value, i (`${i}-${value}`)}
 		<span class="tag-chip">
 			{#if icon}<MdiIcon name={icon} size={12} />{/if}
 			<span class="tag-text">{value}</span>
 			<button
 				type="button"
 				aria-label="Remove"
 				class="tag-remove"
 				onclick={() => removeAt(i)}
 			>×</button>
 		</span>
 	{/each}
 	<input
 		type="text"
 		bind:value={draft}
 		onkeydown={onKey}
 		onblur={commitDraft}
 		placeholder={values.length === 0 ? placeholder : ''}
 		class="tag-draft"
 		autocomplete="off"
 		spellcheck="false"
 	/>
 </div>
 <style>
 	.tag-input {
 		display: flex;
 		flex-wrap: wrap;
 		align-items: center;
 		gap: 0.375rem;
 		padding: 0.375rem 0.5rem;
 		min-height: 2.5rem;
 		border: 1px solid var(--color-border);
 		border-radius: 0.375rem;
 		background: var(--color-background);
 		cursor: text;
 	}
 	.tag-input:focus-within {
 		border-color: var(--color-primary);
 	}
 	.tag-chip {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.25rem;
 		padding: 0.1875rem 0.5rem;
 		background: var(--color-muted);
 		border-radius: 9999px;
 		font-size: 0.75rem;
 		line-height: 1;
 		color: var(--color-foreground);
 	}
 	.tag-text {
 		font-family: var(--font-mono, monospace);
 	}
 	.tag-remove {
 		display: inline-flex;
 		align-items: center;
 		justify-content: center;
 		width: 1rem;
 		height: 1rem;
 		padding: 0;
 		font-size: 0.875rem;
 		line-height: 1;
 		background: transparent;
 		border: none;
 		color: var(--color-muted-foreground);
 		cursor: pointer;
 		border-radius: 9999px;
 	}
 	.tag-remove:hover {
 		background: var(--color-border);
 		color: var(--color-foreground);
 	}
 	.tag-draft {
 		flex: 1;
 		min-width: 8rem;
 		border: none;
 		outline: none;
 		background: transparent;
 		font-size: 0.875rem;
 		color: var(--color-foreground);
 		padding: 0.125rem 0;
 	}
 	.tag-draft::placeholder {
 		color: var(--color-muted-foreground);
 	}
 </style>
@@ -0,0 +1,252 @@
 <script lang="ts">
 	/**
 	 * Multi-time-point editor — an add/remove list of native HH:MM pickers.
 	 *
 	 * Used in the tracking-configs form for the Immich scheduled / periodic /
 	 * memory slots, which fire at one or more wall-clock times per day. The
 	 * value crosses the wire as a single comma-separated string ("09:00,18:30")
 	 * matching the backend `normalize_time_list`: each emitted value is
 	 * de-duplicated and sorted ascending.
 	 *
 	 * Internally `rows` is the rendering source of truth and preserves the
 	 * user's current edit state (including a blank, not-yet-filled row) so the
 	 * list never jumps around mid-edit. Normalisation is applied only to the
 	 * emitted value, not to what's on screen; the on-screen order re-settles to
 	 * sorted form on the next external load.
 	 */
 	import { untrack } from 'svelte';
 	import MdiIcon from './MdiIcon.svelte';
 	import { t } from '$lib/i18n';
 	interface Props {
 		/** Comma-separated HH:MM list, e.g. "09:00,18:30". */
 		value: string;
 		/** Called with a normalised (deduped, sorted) comma-separated string. */
 		onchange: (value: string) => void;
 		/** Maximum number of distinct times allowed. */
 		max?: number;
 		/** Placeholder forwarded to each native time input. */
 		placeholder?: string;
 	}
 	let { value, onchange, max = 24, placeholder = '' }: Props = $props();
 	let rows = $state<string[]>([]);
 	// The exact string we last synced-from or emitted. The resync effect below
 	// compares against this so it fires ONLY for genuine external `value` changes
 	// (form reset, config switch) — never for the user's own keystrokes. Without
 	// this guard the effect re-ran on every `bind:value` mutation while `value`
 	// still held the old committed string, clobbering the row being typed in (the
 	// native picker reset just as the user reached the AM/PM segment).
 	let lastValue = '';
 	function parse(raw: string): string[] {
 		return (raw ?? '').split(',').map((s) => s.trim()).filter(Boolean);
 	}
 	/** Distinct, non-blank times, in first-seen order. */
 	function distinct(list: string[]): string[] {
 		const seen = new Set<string>();
 		for (const r of list) {
 			const v = r.trim();
 			if (v) seen.add(v);
 		}
 		return [...seen];
 	}
 	// Populate on mount and re-sync on external `value` changes only. `value` is
 	// the sole reactive dependency; `rows` is read/written inside `untrack`, so
 	// editing a row never re-triggers this and can't clobber an in-progress edit.
 	// `$effect.pre` runs before the first paint, so initial rows show without a
 	// flash of the empty state. HH:MM is zero-padded, so a lexical sort is
 	// chronological.
 	$effect.pre(() => {
 		const incoming = value ?? '';
 		untrack(() => {
 			if (incoming !== lastValue) {
 				rows = parse(incoming);
 				lastValue = incoming;
 			}
 		});
 	});
 	function emit(): void {
 		const next = distinct(rows).sort().join(',');
 		// Record before emitting so the value round-trip back through the parent
 		// isn't mistaken for an external change and used to reset `rows`.
 		lastValue = next;
 		onchange(next);
 	}
 	// Fired when a row's picker changes. Collapse any on-screen duplicate of an
 	// already-present time (keeping the first occurrence and any blank
 	// in-progress row) so the displayed rows match what's persisted — emit()
 	// dedups the saved value, and without this the screen would keep showing two
 	// identical rows. Then emit the canonical value.
 	function onRowChange(): void {
 		const seen = new Set<string>();
 		const next: string[] = [];
 		for (const r of rows) {
 			const v = r.trim();
 			if (!v) { next.push(r); continue; }
 			if (seen.has(v)) continue;
 			seen.add(v);
 			next.push(r);
 		}
 		if (next.length !== rows.length) rows = next;
 		emit();
 	}
 	const filledCount = $derived(distinct(rows).length);
 	const hasBlankRow = $derived(rows.some((r) => !r.trim()));
 	const atMax = $derived(filledCount >= max);
 	// Block adding while a blank row is open (fill it first) or the cap is hit —
 	// keeps the list from stacking empty rows and respects the per-day limit.
 	const canAdd = $derived(!atMax && !hasBlankRow);
 	function addRow(): void {
 		if (!canAdd) return;
 		rows = [...rows, ''];
 	}
 	function removeRow(index: number): void {
 		rows = rows.filter((_, i) => i !== index);
 		emit();
 	}
 </script>
 <div class="time-list">
 	{#each rows as _, i (i)}
 		<div class="time-row">
 			<input
 				type="time"
 				bind:value={rows[i]}
 				onchange={onRowChange}
 				{placeholder}
 				aria-label={t('trackingConfig.timeRowLabel').replace('{n}', String(i + 1))}
 				class="time-input"
 			/>
 			<button
 				type="button"
 				class="time-remove"
 				aria-label={t('trackingConfig.removeTime')}
 				onclick={() => removeRow(i)}
 			>
 				<MdiIcon name="mdiClose" size={14} />
 			</button>
 		</div>
 	{/each}
 	{#if rows.length === 0}
 		<p class="time-empty">
 			<MdiIcon name="mdiClockOutline" size={12} />
 			<span>{t('trackingConfig.noTimes')}</span>
 		</p>
 	{/if}
 	{#if atMax}
 		<p class="time-cap">{t('trackingConfig.maxTimesReached').replace('{n}', String(max))}</p>
 	{:else}
 		<button type="button" class="time-add" disabled={!canAdd} onclick={addRow}>
 			<MdiIcon name="mdiPlus" size={14} />
 			<span>{t('trackingConfig.addTime')}</span>
 		</button>
 	{/if}
 </div>
 <style>
 	.time-list {
 		display: flex;
 		flex-direction: column;
 		gap: 0.375rem;
 	}
 	.time-row {
 		display: flex;
 		align-items: center;
 		gap: 0.375rem;
 	}
 	.time-input {
 		flex: 1;
 		min-width: 0;
 		padding: 0.3125rem 0.5rem;
 		border: 1px solid var(--color-border);
 		border-radius: 0.375rem;
 		background: var(--color-background);
 		color: var(--color-foreground);
 		font-size: 0.875rem;
 		line-height: 1.25;
 		font-variant-numeric: tabular-nums;
 	}
 	.time-input:focus {
 		outline: none;
 		border-color: var(--color-primary);
 		box-shadow: 0 0 0 1px var(--color-primary);
 	}
 	.time-remove {
 		display: inline-flex;
 		align-items: center;
 		justify-content: center;
 		flex-shrink: 0;
 		width: 1.75rem;
 		height: 1.75rem;
 		padding: 0;
 		border: 1px solid transparent;
 		border-radius: 0.375rem;
 		background: transparent;
 		color: var(--color-muted-foreground);
 		cursor: pointer;
 		transition: color 0.12s ease, background 0.12s ease;
 	}
 	.time-remove:hover {
 		background: var(--color-muted);
 		color: var(--color-error-fg);
 	}
 	.time-add {
 		display: inline-flex;
 		align-items: center;
 		justify-content: center;
 		gap: 0.3125rem;
 		width: 100%;
 		padding: 0.3125rem 0.5rem;
 		border: 1px dashed var(--color-border);
 		border-radius: 0.375rem;
 		background: transparent;
 		color: var(--color-muted-foreground);
 		font-size: 0.8125rem;
 		line-height: 1.25;
 		cursor: pointer;
 		transition: color 0.12s ease, border-color 0.12s ease, background 0.12s ease;
 	}
 	.time-add:hover:not(:disabled) {
 		border-color: var(--color-primary);
 		color: var(--color-primary);
 		background: var(--color-muted);
 	}
 	.time-add:disabled {
 		opacity: 0.5;
 		cursor: default;
 	}
 	.time-empty {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.25rem;
 		font-size: 0.6875rem;
 		color: var(--color-muted-foreground);
 	}
 	.time-cap {
 		font-size: 0.6875rem;
 		color: var(--color-muted-foreground);
 		text-align: center;
 	}
 </style>
@@ -120,6 +120,16 @@ export const sortFilterItems = (): GridItem[] => [
 	{ value: 'oldest', icon: 'mdiSortClockAscending', label: t('dashboard.oldestFirst'), desc: t('gridDesc.oldestFirst') },
 ];
 // --- Provider stats scope (dashboard "On watch" deck) ---
 //
 // Toggles whether the provider deck stats reflect only the events visible
 // on the current page or aggregate across all events matching the filters.
 export const providerStatsModeItems = (): GridItem[] => [
 	{ value: 'page', icon: 'mdiFileDocumentOutline', label: t('dashboard.statsModePage'), desc: t('gridDesc.statsModePage') },
 	{ value: 'all',  icon: 'mdiInfinity',            label: t('dashboard.statsModeAll'),  desc: t('gridDesc.statsModeAll') },
 ];
 // --- Auto-refresh interval (dashboard events list) ---
 //
 // Values are seconds (0 = off). Keep these in sync with REFRESH_OPTIONS
@@ -175,6 +185,19 @@ export const providerTypeFilterItems = (): GridItem[] => [
 	...allDescriptors().map(descriptorToGridItem),
 ];
 /** Provider types the user is allowed to create from the "new provider" wizard.
 *
 * Excludes ``bridge_self`` because it's auto-created exactly once per user
 * (see ``packages/server/.../seeds.py``). Letting users pick it from the
 * wizard would either duplicate the row or surface a confusing 409.
 */
 const _USER_CREATABLE_PROVIDER_TYPES = (): string[] =>
 	allDescriptors()
 		.filter((d) => d.type !== 'bridge_self')
 		.map((d) => d.type);
 /** Provider type selector (no "All" option). */
 export const providerTypeItems = (): GridItem[] =>
-	allDescriptors().map(descriptorToGridItem);
+	allDescriptors()
 		.filter((d) => _USER_CREATABLE_PROVIDER_TYPES().includes(d.type))
 		.map(descriptorToGridItem);
@@ -124,6 +124,15 @@
 		"newestFirst": "Newest first",
 		"oldestFirst": "Oldest first",
 		"loadingEvents": "Loading events...",
 		"heldUntil": "held until",
 		"deferredTitle": "Quiet hours suppressed this notification; it will dispatch when the window ends.",
 		"deliveredLate": "delivered late",
 		"deliveredLateTitle": "This notification fired after the quiet-hours window ended.",
 		"deferredThenDropped": "dropped after defer",
 		"deferredThenDroppedTitle": "Held by quiet hours, then dropped — the target or link was removed before the window ended.",
 		"deferredThenFailed": "failed after defer",
 		"suppressedQuietHours": "suppressed (quiet hours)",
 		"suppressedNondeferrableTitle": "Wall-clock event suppressed by quiet hours. Scheduled/periodic/memory dispatches drop rather than defer.",
 		"asset": "asset",
 		"assets": "assets",
 		"eventActivity": "Event Activity",
@@ -148,6 +157,9 @@
 		"eventsLabel": "events",
 		"onWatchTitle": "On",
 		"onWatchEmphasis": "watch",
 		"statsModeTitle": "Provider deck stats scope",
 		"statsModePage": "Page",
 		"statsModeAll": "All",
 		"noProviders": "No providers yet.",
 		"addProvider": "Add provider",
 		"addProviderHint": "Connect a service to start tracking",
@@ -179,7 +191,21 @@
 		"openCommandTracker": "Open command tracker",
 		"openAction": "Open action",
 		"openTracker": "Open tracker",
-		"rawDetails": "Raw details"
+		"rawDetails": "Raw details",
 		"lifecycle": {
 			"heldTitle": "Held by quiet hours",
 			"heldUntil": "Will dispatch at",
 			"heldFor": "Held for",
 			"heldHint": "Notifications during quiet hours wait until the window ends. Add/remove pairs cancel out automatically.",
 			"inPrefix": "in",
 			"deliveredLateTitle": "Delivered after quiet hours",
 			"originalEvent": "Original event",
 			"droppedTitle": "Dropped after defer",
 			"failedTitle": "Failed after defer",
 			"reason": "Reason",
 			"suppressedTitle": "Suppressed by quiet hours",
 			"suppressedHint": "Scheduled, periodic, and memory dispatches are wall-clock — they drop instead of deferring so a 'good morning' message doesn't arrive in the afternoon."
 		}
 	},
 	"providers": {
 		"title": "Service",
@@ -209,6 +235,20 @@
 		"typeNut": "NUT (UPS)",
 		"typeGooglePhotos": "Google Photos",
 		"typeWebhook": "Generic Webhook",
 		"typeHomeAssistant": "Home Assistant",
 		"typeBridgeSelf": "Bridge Self-Monitoring",
 		"bridgeSelfPollThreshold": "Tracker poll failure threshold",
 		"bridgeSelfPollThresholdHint": "Notify after this many consecutive poll failures for any tracker.",
 		"bridgeSelfDeferredThreshold": "Deferred backlog threshold",
 		"bridgeSelfDeferredThresholdHint": "Notify when pending deferred-dispatch rows exceed this count.",
 		"bridgeSelfTargetThreshold": "Target send failure threshold",
 		"bridgeSelfTargetThresholdHint": "Notify after this many consecutive 5xx/network failures for any target.",
 		"haAccessToken": "Long-Lived Access Token",
 		"haAccessTokenKeep": "Long-Lived Access Token (leave empty to keep current)",
 		"haAccessTokenHint": "Create one in HA → Profile → Long-Lived Access Tokens. Required for WebSocket subscription.",
 		"haAccessTokenRequired": "Home Assistant access token is required.",
 		"haVerifyTls": "Verify TLS certificate",
 		"haVerifyTlsHint": "Disable only for self-signed HA on a trusted LAN. Keep enabled for any internet-reachable instance.",
 		"loadError": "Failed to load providers.",
 		"externalDomain": "External Domain",
 		"optional": "optional",
@@ -294,6 +334,13 @@
 		"selectBoards": "Select boards...",
 		"upsDevices": "UPS Devices",
 		"selectUpsDevices": "Select UPS devices...",
 		"entities": "Entities",
 		"selectEntities": "Select entities...",
 		"entities_count": "entity(ies)",
 		"haEntityGlob": "Entity glob filter",
 		"haEntityGlobPlaceholder": "light.*, binary_sensor.*_motion",
 		"haDomainAllowlist": "Domain allowlist",
 		"haDomainAllowlistPlaceholder": "light, switch, binary_sensor",
 		"eventTypes": "Event Types",
 		"notificationTargets": "Notification Targets",
 		"scanInterval": "Scan Interval (seconds)",
@@ -433,6 +480,7 @@
 		"videoWarning": "Video size warning",
 		"disableUrlPreview": "Disable link previews",
 		"sendLargeAsDocuments": "Send large photos as documents",
 		"sendLargeVideosAsDocuments": "Send oversized videos as documents (bypass 50 MB limit)",
 		"chatAction": "Chat action",
 		"chatActionNone": "None (no action)",
 		"chatActionTyping": "Typing",
@@ -462,6 +510,11 @@
 		"confirmDeleteReceiver": "Delete this receiver?",
 		"receiverEnabled": "Receiver enabled",
 		"receiverDisabled": "Receiver disabled",
 		"telegramOptions": "Telegram options",
 		"telegramOptionsSaved": "Telegram options saved",
 		"telegramDisableNotification": "Send silently (no sound / vibration)",
 		"telegramThreadId": "Forum topic ID",
 		"telegramThreadIdPlaceholder": "Leave empty for general topic",
 		"groupNoBot": "No bot linked",
 		"groupDirect": "Direct delivery",
 		"groupBotMissing": "Unknown bot",
@@ -474,6 +527,7 @@
 		"countLabel": "users",
 		"title": "Users",
 		"description": "Manage user accounts (admin only)",
 		"you": "you",
 		"addUser": "Add User",
 		"cancel": "Cancel",
 		"username": "Username",
@@ -617,6 +671,14 @@
 		"upsOverload": "UPS overloaded",
 		"scheduledMessage": "Scheduled message",
 		"webhookReceived": "Webhook received",
 		"haStateChanged": "Entity state changed",
 		"haAutomationTriggered": "Automation triggered",
 		"haServiceCalled": "Service called",
 		"haEventFired": "Other HA event (catch-all)",
 		"haEventFiredHint": "Fires for any HA event type not covered by the boxes above. Useful for custom integrations; expect high volume.",
 		"bridgeSelfPollFailures": "Tracker poll failures",
 		"bridgeSelfDeferredBacklog": "Deferred backlog crossed threshold",
 		"bridgeSelfTargetFailures": "Target send failures",
 		"trackImages": "Track images",
 		"trackVideos": "Track videos",
 		"favoritesOnly": "Favorites only",
@@ -666,8 +728,13 @@
 		"deleted": "deleted",
 		"providerType": "Provider Type",
 		"sortRandom": "Random",
-		"timesInlineHelp": "HH:MM, comma-separated",
+		"timesInlineHelp": "One or more times per day",
-		"invalidTimeList": "Use HH:MM format, e.g. 09:00 or 09:00, 18:30",
+		"addTime": "Add time",
 		"removeTime": "Remove time",
 		"timeRowLabel": "Time {n}",
 		"noTimes": "No times set — add at least one",
 		"maxTimesReached": "Maximum {n} times reached",
 		"timesRequiredFor": "Add at least one time for \"{slot}\"",
 		"previewTemplate": "Preview template",
 		"previewSampleNote": "Rendered with sample data — not your real assets. Shows the shipped default template.",
 		"editTemplate": "Edit template",
@@ -841,6 +908,22 @@
 		"identityHeadline": "How this instance presents itself to bots, webhooks, and recipients",
 		"telegramHeadline": "Webhook authentication and media cache tuning",
 		"loggingHeadline": "Verbosity, output format, and per-module overrides",
 		"diagnostics": "Diagnostics",
 		"diagnosticsHeadline": "Temporary DEBUG for one module, auto-reverted",
 		"diagnosticsHint": "Use to investigate a specific dispatch failure without flooding stderr. The chosen module flips to DEBUG immediately and reverts to its baseline (your per-module overrides or the noisy-library defaults) when the window ends. Restarts also reset.",
 		"diagModuleQuick": "Module (quick pick)",
 		"diagModuleCustom": "Or a custom module name",
 		"diagModuleCustomPlaceholder": "e.g. notify_bridge_server.services.deferred_dispatch",
 		"diagModuleRequired": "Pick a module first",
 		"diagDuration": "Duration",
 		"diagActivate": "Activate DEBUG",
 		"diagActivated": "Diagnostic mode activated",
 		"diagActivateFailed": "Failed to activate diagnostic mode",
 		"diagActive": "Active overrides",
 		"diagRevertsIn": "Reverts in",
 		"diagRevertNow": "Revert now",
 		"diagReverted": "Diagnostic mode reverted",
 		"diagRevertFailed": "Failed to revert diagnostic mode",
 		"heroNoUrl": "External URL not set",
 		"heroNoLocales": "no locales",
 		"copy": "Copy",
@@ -870,7 +953,58 @@
 		"changedOne": "1 setting changed",
 		"changedMany": "{n} settings changed",
 		"discard": "Discard",
-		"saveChanges": "Save changes"
+		"saveChanges": "Save changes",
 		"release": {
 			"eyebrow": "Releases",
 			"headline": "Stay current with upstream",
 			"provider": "Provider",
 			"providerHint": "Where to check for new versions. Gitea is the only active backend today; GitHub will follow.",
 			"comingSoon": "Coming soon",
 			"disabled": "Disabled",
 			"repository": "Repository",
 			"repositoryHint": "Public repository URL and owner/name (e.g. alexei.dolgolyov/notify-bridge).",
 			"options": "Options",
 			"includePrereleases": "Include pre-releases",
 			"prereleasesHint": "When off, release candidates and betas are ignored even if they're newer than your installed version.",
 			"interval": "Check interval",
 			"intervalHint": "How often the background job probes upstream. Manual checks are always available.",
 			"intervalRange": "1–168 hrs",
 			"hoursUnit": "hrs",
 			"testConnection": "Test connection",
 			"checkNow": "Check now",
 			"checkDone": "Release check complete",
 			"checkFailed": "Release check failed",
 			"testOk": "Provider reachable",
 			"testFailed": "Provider unreachable",
 			"testFound": "Provider returned",
 			"viewRelease": "View v{v} release",
 			"statusUpToDate": "You're up to date",
 			"statusUpdate": "Update available",
 			"statusDisabled": "Release checks disabled",
 			"statusError": "Last check failed",
 			"statusUnknown": "Not checked yet",
 			"heroAvailable": "available",
 			"updateAvailableTooltip": "v{v} available — open Settings",
 			"lastChecked": "Last checked",
 			"never": "never",
 			"justNow": "just now",
 			"minutesAgo": "{n} min ago",
 			"hoursAgo": "{n} hr ago",
 			"daysAgo": "{n} d ago",
 			"error": {
 				"disabled": "Release checks are disabled",
 				"misconfigured": "Provider not fully configured",
 				"provider_changed": "Provider changed — awaiting next check",
 				"no_release_found": "No matching release found upstream",
 				"network_error": "Upstream unreachable",
 				"http_error": "Upstream returned an error",
 				"parse_error": "Upstream response could not be parsed",
 				"unsafe_url": "URL rejected by safety check",
 				"not_implemented": "Provider not implemented yet",
 				"unknown_error": "Unknown error",
 				"error": "Last check failed"
 			}
 		}
 	},
 	"hints": {
 		"periodicSummary": "Sends a scheduled summary of all tracked albums at specified times. Great for daily/weekly digests.",
@@ -882,7 +1016,7 @@
 		"maxAssets": "Maximum number of asset details to include in a single notification message.",
 		"periodicStartDate": "Reference date in the app timezone. The first summary fires at the next configured HH:MM on/after this date, then every N days.",
 		"intervalDays": "Days between successive summaries. 1 = daily, 7 = weekly.",
-		"times": "Time(s) of day to send notifications, in HH:MM format. Use commas for multiple times: 09:00,18:00",
+		"times": "Time(s) of day to send notifications. Add as many time points per day as you need.",
 		"albumMode": "Per album: separate notification per album. Combined: one notification with all albums. Random: pick one album randomly.",
 		"scheduledAlbumMode": "How albums are grouped in scheduled deliveries. Default: Per album (one notification per tracked album).",
 		"memoryAlbumMode": "How albums are grouped in memory deliveries. Default: Combined (a single notification aggregating matches from all tracked albums).",
@@ -1020,9 +1154,22 @@
 		"scopeInherit": "Inherit: derive from notification routing",
 		"noCollections": "No albums available."
 	},
 	"commands": {
 		"bridgeSelf": {
 			"status": "Bridge status",
 			"statusDesc": "Show current bridge health counters",
 			"thresholds": "Bridge thresholds",
 			"thresholdsDesc": "Show configured alert thresholds",
 			"reset": "Reset counter",
 			"resetDesc": "Manually reset a failure counter",
 			"health": "Bridge health",
 			"healthDesc": "Terse one-line health summary"
 		}
 	},
 	"snackbar": {
 		"showDetails": "Show details",
-		"hideDetails": "Hide details"
+		"hideDetails": "Hide details",
 		"region": "Notifications"
 	},
 	"timezone": {
 		"searchPlaceholder": "Search cities or IANA codes…",
@@ -1031,6 +1178,8 @@
 		"noMatches": "No timezones match"
 	},
 	"locales": {
 		"label": "language",
 		"labelPlural": "languages",
 		"empty": "No languages selected. Add one below to start authoring templates.",
 		"add": "Add language",
 		"searchPlaceholder": "Search or type a code (e.g. de-CH)…",
@@ -1100,6 +1249,7 @@
 	},
 	"common": {
 		"loading": "Loading...",
 		"auto": "Auto",
 		"save": "Save",
 		"cancel": "Cancel",
 		"delete": "Delete",
@@ -1241,6 +1391,8 @@
 		"refresh30s": "Refresh every 30 seconds",
 		"refresh60s": "Refresh every minute",
 		"refresh5m": "Refresh every 5 minutes",
 		"statsModePage": "Count only events on the current page",
 		"statsModeAll": "Count all events matching the current filters",
 		"newestFirst": "Most recent events on top",
 		"oldestFirst": "Oldest events on top",
 		"chatActionNone": "No indicator shown",
@@ -1263,7 +1415,9 @@
 		"providerScheduler": "Time-based scheduled messages",
 		"providerNut": "Network UPS monitoring",
 		"providerGooglePhotos": "Google Photos albums & shared libraries",
-		"providerWebhook": "Receive events via HTTP POST"
+		"providerWebhook": "Receive events via HTTP POST",
 		"providerHomeAssistant": "Home Assistant event bus over WebSocket",
 		"providerBridgeSelf": "Internal health alerts when polling, dispatch, or sends fail"
 	},
 	"webhookLogs": {
 		"title": "Recent Payloads",
@@ -124,6 +124,15 @@
 		"newestFirst": "Сначала новые",
 		"oldestFirst": "Сначала старые",
 		"loadingEvents": "Загрузка событий...",
 		"heldUntil": "ожидает до",
 		"deferredTitle": "Тихий режим задержал уведомление; оно будет отправлено после окончания окна.",
 		"deliveredLate": "доставлено позже",
 		"deliveredLateTitle": "Уведомление отправлено после окончания тихих часов.",
 		"deferredThenDropped": "отброшено после задержки",
 		"deferredThenDroppedTitle": "Задержано тихими часами, затем отброшено — цель или связь были удалены до окончания окна.",
 		"deferredThenFailed": "ошибка после задержки",
 		"suppressedQuietHours": "подавлено (тихие часы)",
 		"suppressedNondeferrableTitle": "Событие по расписанию подавлено тихими часами. Запланированные/периодические/воспоминания отбрасываются, а не откладываются.",
 		"asset": "файл",
 		"assets": "файлов",
 		"eventActivity": "Активность событий",
@@ -148,6 +157,9 @@
 		"eventsLabel": "событий",
 		"onWatchTitle": "На",
 		"onWatchEmphasis": "слежении",
 		"statsModeTitle": "Область статистики провайдеров",
 		"statsModePage": "Страница",
 		"statsModeAll": "Все",
 		"noProviders": "Пока нет провайдеров.",
 		"addProvider": "Добавить",
 		"addProviderHint": "Подключите сервис, чтобы начать слежение",
@@ -179,7 +191,21 @@
 		"openCommandTracker": "Открыть командный трекер",
 		"openAction": "Открыть действие",
 		"openTracker": "Открыть трекер",
-		"rawDetails": "Сырые данные"
+		"rawDetails": "Сырые данные",
 		"lifecycle": {
 			"heldTitle": "Задержано тихими часами",
 			"heldUntil": "Будет отправлено в",
 			"heldFor": "Задержано на",
 			"heldHint": "Уведомления в тихие часы ждут окончания окна. Пары добавление/удаление отменяются автоматически.",
 			"inPrefix": "через",
 			"deliveredLateTitle": "Доставлено после тихих часов",
 			"originalEvent": "Исходное событие",
 			"droppedTitle": "Отброшено после задержки",
 			"failedTitle": "Ошибка после задержки",
 			"reason": "Причина",
 			"suppressedTitle": "Подавлено тихими часами",
 			"suppressedHint": "Запланированные, периодические и воспоминания привязаны ко времени — они отбрасываются, а не откладываются, чтобы «доброе утро» не пришло днём."
 		}
 	},
 	"providers": {
 		"title": "Сервисные",
@@ -209,6 +235,20 @@
 		"typeNut": "NUT (ИБП)",
 		"typeGooglePhotos": "Google Фото",
 		"typeWebhook": "Универсальный вебхук",
 		"typeHomeAssistant": "Home Assistant",
 		"typeBridgeSelf": "Самомониторинг моста",
 		"bridgeSelfPollThreshold": "Порог сбоев опроса трекера",
 		"bridgeSelfPollThresholdHint": "Уведомлять после стольких подряд сбоев опроса любого трекера.",
 		"bridgeSelfDeferredThreshold": "Порог очереди отложенной отправки",
 		"bridgeSelfDeferredThresholdHint": "Уведомлять, когда количество ожидающих записей deferred_dispatch превысит это значение.",
 		"bridgeSelfTargetThreshold": "Порог сбоев отправки в адресат",
 		"bridgeSelfTargetThresholdHint": "Уведомлять после стольких подряд сбоев 5xx/сети при отправке в любой адресат.",
 		"haAccessToken": "Долгоживущий токен доступа",
 		"haAccessTokenKeep": "Долгоживущий токен (оставьте пустым для сохранения)",
 		"haAccessTokenHint": "Создайте в HA → Профиль → Long-Lived Access Tokens. Нужен для WebSocket-подписки.",
 		"haAccessTokenRequired": "Токен доступа Home Assistant обязателен.",
 		"haVerifyTls": "Проверять TLS-сертификат",
 		"haVerifyTlsHint": "Отключайте только для самоподписанного HA в доверенной локальной сети. Оставляйте включённым для любого экземпляра, доступного из интернета.",
 		"loadError": "Не удалось загрузить провайдеры.",
 		"externalDomain": "Внешний домен",
 		"optional": "необязательно",
@@ -294,6 +334,13 @@
 		"selectBoards": "Выберите доски...",
 		"upsDevices": "ИБП устройства",
 		"selectUpsDevices": "Выберите ИБП...",
 		"entities": "Сущности",
 		"selectEntities": "Выберите сущности...",
 		"entities_count": "сущность(ей)",
 		"haEntityGlob": "Фильтр по entity (glob)",
 		"haEntityGlobPlaceholder": "light.*, binary_sensor.*_motion",
 		"haDomainAllowlist": "Разрешённые домены",
 		"haDomainAllowlistPlaceholder": "light, switch, binary_sensor",
 		"eventTypes": "Типы событий",
 		"notificationTargets": "Получатели уведомлений",
 		"scanInterval": "Интервал проверки (секунды)",
@@ -433,6 +480,7 @@
 		"videoWarning": "Предупреждение о размере видео",
 		"disableUrlPreview": "Отключить превью ссылок",
 		"sendLargeAsDocuments": "Отправлять большие фото как документы",
 		"sendLargeVideosAsDocuments": "Отправлять видео сверх лимита как документы (обход 50 МБ)",
 		"chatAction": "Действие в чате",
 		"chatActionNone": "Нет (без действия)",
 		"chatActionTyping": "Печатает",
@@ -462,6 +510,11 @@
 		"confirmDeleteReceiver": "Удалить этого получателя?",
 		"receiverEnabled": "Получатель включён",
 		"receiverDisabled": "Получатель отключён",
 		"telegramOptions": "Параметры Telegram",
 		"telegramOptionsSaved": "Параметры Telegram сохранены",
 		"telegramDisableNotification": "Отправлять без звука и вибрации",
 		"telegramThreadId": "ID темы форума",
 		"telegramThreadIdPlaceholder": "Оставьте пустым для общей темы",
 		"groupNoBot": "Без привязки к боту",
 		"groupDirect": "Прямая доставка",
 		"groupBotMissing": "Неизвестный бот",
@@ -474,6 +527,7 @@
 		"countLabel": "пользователей",
 		"title": "Пользователи",
 		"description": "Управление аккаунтами (только админ)",
 		"you": "вы",
 		"addUser": "Добавить пользователя",
 		"cancel": "Отмена",
 		"username": "Имя пользователя",
@@ -617,6 +671,14 @@
 		"upsOverload": "Перегрузка ИБП",
 		"scheduledMessage": "Запланированное сообщение",
 		"webhookReceived": "Вебхук получен",
 		"haStateChanged": "Состояние сущности изменилось",
 		"haAutomationTriggered": "Сработала автоматизация",
 		"haServiceCalled": "Вызвана служба",
 		"haEventFired": "Прочее событие HA (catch-all)",
 		"haEventFiredHint": "Срабатывает на любые типы событий HA, не охваченные чекбоксами выше. Полезно для пользовательских интеграций; ожидайте большой объём.",
 		"bridgeSelfPollFailures": "Сбои опроса трекера",
 		"bridgeSelfDeferredBacklog": "Очередь отложенной отправки превысила порог",
 		"bridgeSelfTargetFailures": "Сбои отправки в адресат",
 		"trackImages": "Фото",
 		"trackVideos": "Видео",
 		"favoritesOnly": "Только избранные",
@@ -666,8 +728,13 @@
 		"deleted": "удалён",
 		"providerType": "Тип провайдера",
 		"sortRandom": "Случайный",
-		"timesInlineHelp": "ЧЧ:ММ, через запятую",
+		"timesInlineHelp": "Одно или несколько значений времени в день",
-		"invalidTimeList": "Используйте формат ЧЧ:ММ, например 09:00 или 09:00, 18:30",
+		"addTime": "Добавить время",
 		"removeTime": "Удалить время",
 		"timeRowLabel": "Время {n}",
 		"noTimes": "Время не задано — добавьте хотя бы одно",
 		"maxTimesReached": "Достигнут максимум: {n}",
 		"timesRequiredFor": "Добавьте хотя бы одно время для «{slot}»",
 		"previewTemplate": "Предпросмотр шаблона",
 		"previewSampleNote": "Отрисовано на демо-данных, не на ваших реальных фото. Показан шаблон по умолчанию.",
 		"editTemplate": "Редактировать шаблон",
@@ -841,6 +908,22 @@
 		"identityHeadline": "Как этот сервер представляется ботам, вебхукам и получателям",
 		"telegramHeadline": "Аутентификация вебхуков и настройка медиакэша",
 		"loggingHeadline": "Подробность, формат вывода и переопределения по модулям",
 		"diagnostics": "Диагностика",
 		"diagnosticsHeadline": "Временный DEBUG для одного модуля с авто-возвратом",
 		"diagnosticsHint": "Включите, чтобы разобраться в конкретной ошибке отправки без заливания stderr. Выбранный модуль немедленно переходит в DEBUG и возвращается к базовому уровню (вашим переопределениям или умолчаниям для шумных библиотек) по истечении окна. При перезапуске сервера всё сбрасывается.",
 		"diagModuleQuick": "Модуль (быстрый выбор)",
 		"diagModuleCustom": "Или произвольное имя модуля",
 		"diagModuleCustomPlaceholder": "напр. notify_bridge_server.services.deferred_dispatch",
 		"diagModuleRequired": "Сначала выберите модуль",
 		"diagDuration": "Длительность",
 		"diagActivate": "Включить DEBUG",
 		"diagActivated": "Режим диагностики включён",
 		"diagActivateFailed": "Не удалось включить режим диагностики",
 		"diagActive": "Активные переопределения",
 		"diagRevertsIn": "Вернётся через",
 		"diagRevertNow": "Вернуть сейчас",
 		"diagReverted": "Режим диагностики отменён",
 		"diagRevertFailed": "Не удалось отменить режим диагностики",
 		"heroNoUrl": "Внешний URL не задан",
 		"heroNoLocales": "нет локалей",
 		"copy": "Копировать",
@@ -870,7 +953,58 @@
 		"changedOne": "Изменена 1 настройка",
 		"changedMany": "Изменено настроек: {n}",
 		"discard": "Отменить",
-		"saveChanges": "Сохранить"
+		"saveChanges": "Сохранить",
 		"release": {
 			"eyebrow": "Релизы",
 			"headline": "Следите за обновлениями",
 			"provider": "Источник",
 			"providerHint": "Где искать новые версии. Сейчас доступен только Gitea; GitHub появится позже.",
 			"comingSoon": "Скоро",
 			"disabled": "Отключено",
 			"repository": "Репозиторий",
 			"repositoryHint": "URL публичного репозитория и owner/name (например, alexei.dolgolyov/notify-bridge).",
 			"options": "Опции",
 			"includePrereleases": "Учитывать пре-релизы",
 			"prereleasesHint": "Если выключено, кандидаты в релизы и бета-версии игнорируются, даже если они новее установленной.",
 			"interval": "Интервал проверки",
 			"intervalHint": "Как часто фоновая задача опрашивает источник. Ручная проверка всегда доступна.",
 			"intervalRange": "1–168 ч",
 			"hoursUnit": "ч",
 			"testConnection": "Проверить связь",
 			"checkNow": "Проверить сейчас",
 			"checkDone": "Проверка релизов завершена",
 			"checkFailed": "Не удалось проверить релизы",
 			"testOk": "Источник доступен",
 			"testFailed": "Источник недоступен",
 			"testFound": "Найдена версия",
 			"viewRelease": "Открыть релиз v{v}",
 			"statusUpToDate": "Актуальная версия",
 			"statusUpdate": "Доступно обновление",
 			"statusDisabled": "Проверка релизов отключена",
 			"statusError": "Ошибка последней проверки",
 			"statusUnknown": "Ещё не проверялось",
 			"heroAvailable": "доступна",
 			"updateAvailableTooltip": "Доступна версия v{v} — открыть Настройки",
 			"lastChecked": "Последняя проверка",
 			"never": "никогда",
 			"justNow": "только что",
 			"minutesAgo": "{n} мин назад",
 			"hoursAgo": "{n} ч назад",
 			"daysAgo": "{n} д назад",
 			"error": {
 				"disabled": "Проверка релизов отключена",
 				"misconfigured": "Источник настроен не полностью",
 				"provider_changed": "Источник изменён — ожидание следующей проверки",
 				"no_release_found": "Подходящий релиз на источнике не найден",
 				"network_error": "Источник недоступен",
 				"http_error": "Источник вернул ошибку",
 				"parse_error": "Не удалось разобрать ответ источника",
 				"unsafe_url": "URL отклонён проверкой безопасности",
 				"not_implemented": "Источник пока не реализован",
 				"unknown_error": "Неизвестная ошибка",
 				"error": "Ошибка последней проверки"
 			}
 		}
 	},
 	"hints": {
 		"periodicSummary": "Отправляет плановую сводку по всем отслеживаемым альбомам в указанное время. Подходит для ежедневных/еженедельных дайджестов.",
@@ -882,7 +1016,7 @@
 		"maxAssets": "Максимальное количество ассетов в одном уведомлении.",
 		"periodicStartDate": "Опорная дата в часовом поясе приложения. Первая сводка отправится в ближайшее заданное время ЧЧ:ММ, начиная с этой даты, затем каждые N дней.",
 		"intervalDays": "Период между сводками в днях. 1 = ежедневно, 7 = еженедельно.",
-		"times": "Время отправки уведомлений в формате ЧЧ:ММ. Для нескольких значений через запятую: 09:00,18:00",
+		"times": "Время отправки уведомлений. Добавьте сколько угодно значений времени в день.",
 		"albumMode": "По альбому: отдельное уведомление для каждого. Объединённый: одно уведомление со всеми. Случайный: выбирается один альбом.",
 		"scheduledAlbumMode": "Как альбомы группируются в запланированных отправках. По умолчанию: По альбому (одно уведомление на каждый отслеживаемый альбом).",
 		"memoryAlbumMode": "Как альбомы группируются в воспоминаниях. По умолчанию: Объединённый (одно уведомление со всеми совпадениями из всех альбомов).",
@@ -1020,9 +1154,22 @@
 		"scopeInherit": "Наследовать: вычислить из маршрутизации уведомлений",
 		"noCollections": "Нет доступных альбомов."
 	},
 	"commands": {
 		"bridgeSelf": {
 			"status": "Состояние моста",
 			"statusDesc": "Показать счётчики состояния моста",
 			"thresholds": "Пороги моста",
 			"thresholdsDesc": "Показать настроенные пороги оповещений",
 			"reset": "Сбросить счётчик",
 			"resetDesc": "Вручную сбросить счётчик сбоев",
 			"health": "Здоровье моста",
 			"healthDesc": "Краткая однострочная сводка состояния"
 		}
 	},
 	"snackbar": {
 		"showDetails": "Показать детали",
-		"hideDetails": "Скрыть детали"
+		"hideDetails": "Скрыть детали",
 		"region": "Уведомления"
 	},
 	"timezone": {
 		"searchPlaceholder": "Поиск по городам или IANA-кодам…",
@@ -1031,6 +1178,8 @@
 		"noMatches": "Нет совпадений"
 	},
 	"locales": {
 		"label": "язык",
 		"labelPlural": "языков",
 		"empty": "Языки не выбраны. Добавьте язык ниже, чтобы начать редактирование шаблонов.",
 		"add": "Добавить язык",
 		"searchPlaceholder": "Найти или ввести код (например de-CH)…",
@@ -1100,6 +1249,7 @@
 	},
 	"common": {
 		"loading": "Загрузка...",
 		"auto": "Авто",
 		"save": "Сохранить",
 		"cancel": "Отмена",
 		"delete": "Удалить",
@@ -1241,6 +1391,8 @@
 		"refresh30s": "Обновлять каждые 30 секунд",
 		"refresh60s": "Обновлять каждую минуту",
 		"refresh5m": "Обновлять каждые 5 минут",
 		"statsModePage": "Учитывать только события на текущей странице",
 		"statsModeAll": "Учитывать все события под текущими фильтрами",
 		"newestFirst": "Сначала новые события",
 		"oldestFirst": "Сначала старые события",
 		"chatActionNone": "Индикатор не показывается",
@@ -1263,7 +1415,9 @@
 		"providerScheduler": "Запланированные сообщения по расписанию",
 		"providerNut": "Мониторинг ИБП через NUT",
 		"providerGooglePhotos": "Альбомы и общие библиотеки Google Фото",
-		"providerWebhook": "Приём событий через HTTP POST"
+		"providerWebhook": "Приём событий через HTTP POST",
 		"providerHomeAssistant": "Шина событий Home Assistant по WebSocket",
 		"providerBridgeSelf": "Внутренние оповещения о сбоях опроса, отправки или диспатча"
 	},
 	"webhookLogs": {
 		"title": "Последние запросы",
@@ -0,0 +1,98 @@
 import type { ProviderDescriptor } from './types';
 /**
 * Bridge self-monitoring provider descriptor.
 *
 * The bridge_self provider has no remote URL and no credentials. The only
 * configuration surface is the three thresholds below, used by the server
 * to decide when an internal failure deserves a notification.
 *
 * Exactly one bridge_self provider exists per user, auto-seeded on user
 * creation (see ``packages/server/src/notify_bridge_server/database/seeds.py``).
 */
 export const bridgeSelfDescriptor: ProviderDescriptor = {
 	type: 'bridge_self',
 	defaultName: 'Bridge Self-Monitoring',
 	icon: 'mdiAlertCircleOutline',
 	hasUrl: false,
 	configFields: [
 		{
 			key: 'poll_failure_threshold',
 			configKey: 'poll_failure_threshold',
 			label: 'providers.bridgeSelfPollThreshold',
 			type: 'number',
 			optional: true,
 			min: 1,
 			defaultValue: 3,
 			hint: 'providers.bridgeSelfPollThresholdHint',
 		},
 		{
 			key: 'deferred_backlog_threshold',
 			configKey: 'deferred_backlog_threshold',
 			label: 'providers.bridgeSelfDeferredThreshold',
 			type: 'number',
 			optional: true,
 			min: 1,
 			defaultValue: 100,
 			hint: 'providers.bridgeSelfDeferredThresholdHint',
 		},
 		{
 			key: 'target_failure_threshold',
 			configKey: 'target_failure_threshold',
 			label: 'providers.bridgeSelfTargetThreshold',
 			type: 'number',
 			optional: true,
 			min: 1,
 			defaultValue: 5,
 			hint: 'providers.bridgeSelfTargetThresholdHint',
 		},
 	],
 	buildConfig(form) {
 		const toInt = (raw: unknown, fallback: number): number => {
 			const n = typeof raw === 'number' ? raw : parseInt(String(raw ?? ''), 10);
 			return Number.isFinite(n) && n >= 1 ? n : fallback;
 		};
 		return {
 			config: {
 				poll_failure_threshold: toInt(form.poll_failure_threshold, 3),
 				deferred_backlog_threshold: toInt(form.deferred_backlog_threshold, 100),
 				target_failure_threshold: toInt(form.target_failure_threshold, 5),
 			},
 		};
 	},
 	hasConfigChanged(form, existing) {
 		const toInt = (raw: unknown, fallback: number): number => {
 			const n = typeof raw === 'number' ? raw : parseInt(String(raw ?? ''), 10);
 			return Number.isFinite(n) && n >= 1 ? n : fallback;
 		};
 		return (
 			toInt(form.poll_failure_threshold, 3) !== toInt(existing.poll_failure_threshold, 3) ||
 			toInt(form.deferred_backlog_threshold, 100) !== toInt(existing.deferred_backlog_threshold, 100) ||
 			toInt(form.target_failure_threshold, 5) !== toInt(existing.target_failure_threshold, 5)
 		);
 	},
 	eventFields: [
 		{
 			key: 'track_bridge_self_poll_failures',
 			label: 'trackingConfig.bridgeSelfPollFailures',
 			default: true,
 		},
 		{
 			key: 'track_bridge_self_deferred_backlog',
 			label: 'trackingConfig.bridgeSelfDeferredBacklog',
 			default: true,
 		},
 		{
 			key: 'track_bridge_self_target_failures',
 			label: 'trackingConfig.bridgeSelfTargetFailures',
 			default: true,
 		},
 	],
 	collectionMeta: null,
 	webhookBased: false,
 };
@@ -0,0 +1,96 @@
 import type { ProviderDescriptor } from './types';
 export const homeAssistantDescriptor: ProviderDescriptor = {
 	type: 'home_assistant',
 	defaultName: 'Home Assistant',
 	icon: 'mdiHomeAssistant',
 	hasUrl: true,
 	urlPlaceholder: 'http://homeassistant.local:8123',
 	configFields: [
 		{
 			key: 'access_token', configKey: 'access_token',
 			label: 'providers.haAccessToken', editLabel: 'providers.haAccessTokenKeep',
 			type: 'password', required: 'create-only', hint: 'providers.haAccessTokenHint',
 		},
 		{
 			key: 'verify_tls', configKey: 'verify_tls',
 			label: 'providers.haVerifyTls',
 			type: 'toggle', optional: true, hint: 'providers.haVerifyTlsHint',
 			defaultValue: true,
 		},
 	],
 	buildConfig(form, editing) {
 		const config: Record<string, unknown> = { url: form.url };
 		if (form.access_token) config.access_token = form.access_token;
 		// Coerce truthy/falsy form values to a real boolean. The toggle
 		// control binds to `checked`, so this is normally already a bool,
 		// but legacy form state may carry the string defaults.
 		config.verify_tls = form.verify_tls === false || form.verify_tls === 'false' ? false : true;
 		if (!editing && !form.access_token) {
 			return { config, error: 'providers.haAccessTokenRequired' };
 		}
 		return { config };
 	},
 	hasConfigChanged(form, existing) {
 		const existingVerify = existing.verify_tls !== false;
 		const formVerify = !(form.verify_tls === false || form.verify_tls === 'false');
 		return (
 			form.url !== (existing.url || '') ||
 			!!form.access_token ||
 			existingVerify !== formVerify
 		);
 	},
 	eventFields: [
 		{ key: 'track_ha_state_changed', label: 'trackingConfig.haStateChanged', default: true },
 		{ key: 'track_ha_automation_triggered', label: 'trackingConfig.haAutomationTriggered', default: false },
 		{ key: 'track_ha_service_called', label: 'trackingConfig.haServiceCalled', default: false },
 		{
 			key: 'track_ha_event_fired',
 			label: 'trackingConfig.haEventFired',
 			default: false,
 			hint: 'trackingConfig.haEventFiredHint',
 		},
 	],
 	// entity_glob / domain_allowlist tag-style filters. Stored on the
 	// tracker's `filters` JSON column (not the flat form root) — the
 	// TrackerForm reads `inputMode: 'tags'` to render a chip input rather
 	// than a picker, and `filterKey` routes the value into
 	// `tracker.filters[filterKey]` at save time.
 	userFilters: [
 		{
 			key: 'entity_glob',
 			filterKey: 'entity_glob',
 			inputMode: 'tags',
 			label: 'notificationTracker.haEntityGlob',
 			placeholder: 'notificationTracker.haEntityGlobPlaceholder',
 			icon: 'mdiAsterisk',
 		},
 		{
 			key: 'domain_allowlist',
 			filterKey: 'domain_allowlist',
 			inputMode: 'tags',
 			label: 'notificationTracker.haDomainAllowlist',
 			placeholder: 'notificationTracker.haDomainAllowlistPlaceholder',
 			icon: 'mdiTagOutline',
 		},
 	],
 	collectionMeta: {
 		label: 'notificationTracker.entities',
 		icon: 'mdiViewList',
 		placeholder: 'notificationTracker.selectEntities',
 		countLabel: 'notificationTracker.entities_count',
 		desc: (col: { state?: string; domain?: string; entity_id?: string; id?: string }) => {
 			const parts: string[] = [];
 			if (col.domain) parts.push(col.domain);
 			if (col.state) parts.push(col.state);
 			if (parts.length === 0) return col.entity_id || col.id || '';
 			return parts.join(' · ');
 		},
 	},
 };
@@ -13,6 +13,7 @@ export const immichDescriptor: ProviderDescriptor = {
 	icon: 'mdiImageMultiple',
 	hasUrl: true,
 	urlPlaceholder: undefined, // uses generic i18n placeholder
 	supportsAutoOrganize: true,
 	configFields: [
 		{
@@ -67,14 +68,14 @@ export const immichDescriptor: ProviderDescriptor = {
 			fields: [
 				{ key: 'periodic_interval_days', label: 'trackingConfig.intervalDays', type: 'number', min: 1, defaultValue: 1, hint: 'hints.intervalDays' },
 				{ key: 'periodic_start_date', label: 'trackingConfig.startDate', type: 'date', defaultValue: todayIso, hint: 'hints.periodicStartDate' },
-				{ key: 'periodic_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '12:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
+				{ key: 'periodic_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '12:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp' },
 			],
 		},
 		{
 			key: 'scheduled', legend: 'trackingConfig.scheduledAssets', legendHint: 'hints.scheduledAssets',
 			enabledField: 'scheduled_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'scheduled_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
+				{ key: 'scheduled_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp' },
 				{ key: 'scheduled_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'per_collection', hint: 'hints.scheduledAlbumMode' },
 				{ key: 'scheduled_limit', label: 'trackingConfig.maxAssets', type: 'number', min: 1, max: 100, defaultValue: 10, hint: 'hints.maxAssets' },
 				{ key: 'scheduled_asset_type', label: 'trackingConfig.assetType', type: 'grid-select', gridItems: 'assetTypeItems', gridColumns: 3, defaultValue: 'all' },
@@ -86,7 +87,7 @@ export const immichDescriptor: ProviderDescriptor = {
 			key: 'memory', legend: 'trackingConfig.memoryMode', legendHint: 'hints.memoryMode',
 			enabledField: 'memory_enabled', enabledDefault: false,
 			fields: [
-				{ key: 'memory_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp', validateFormat: true },
+				{ key: 'memory_times', label: 'trackingConfig.times', type: 'time-list', defaultValue: '09:00', hint: 'hints.times', inlineHelp: 'trackingConfig.timesInlineHelp' },
 				{ key: 'memory_collection_mode', label: 'trackingConfig.albumMode', type: 'grid-select', gridItems: 'albumModeItems', gridColumns: 3, defaultValue: 'combined', hint: 'hints.memoryAlbumMode' },
 				{ key: 'memory_limit', label: 'trackingConfig.maxAssets', type: 'number', min: 1, max: 100, defaultValue: 10, hint: 'hints.maxAssets' },
 				{ key: 'memory_asset_type', label: 'trackingConfig.assetType', type: 'grid-select', gridItems: 'assetTypeItems', gridColumns: 3, defaultValue: 'all' },
@@ -113,6 +114,17 @@ export const immichDescriptor: ProviderDescriptor = {
 		desc: (col) => `${col.assetCount ?? col.asset_count ?? 0} assets`,
 	},
 	// Periodic summaries / scheduled picks / memories / quiet hours all live on
 	// the linked tracking & template configs — surface that connection on the
 	// tracker form so users don't need to read docs to find them.
 	featureDiscoveryHint: {
 		messageKey: 'notificationTracker.featureDiscovery',
 		ctas: [
 			{ href: '/tracking-configs?edit={tracking_config_id}', labelKey: 'notificationTracker.openTrackingConfig', icon: 'mdiArrowRight' },
 			{ href: '/template-configs?edit={template_config_id}', labelKey: 'notificationTracker.openTemplateConfig', icon: 'mdiArrowRight' },
 		],
 	},
 	async onBeforeSave({ form, previousCollectionIds, collections, api: apiFn }) {
 		const newIds = (form.collection_ids as string[]).filter(id => !previousCollectionIds.includes(id));
 		if (newIds.length === 0) return { proceed: true };
@@ -13,6 +13,8 @@ import { schedulerDescriptor } from './scheduler';
 import { nutDescriptor } from './nut';
 import { googlePhotosDescriptor } from './google-photos';
 import { webhookDescriptor } from './webhook';
 import { homeAssistantDescriptor } from './home-assistant';
 import { bridgeSelfDescriptor } from './bridge-self';
 const REGISTRY: ReadonlyMap<string, ProviderDescriptor> = new Map([
 	['immich', immichDescriptor],
@@ -22,6 +24,8 @@ const REGISTRY: ReadonlyMap<string, ProviderDescriptor> = new Map([
 	['nut', nutDescriptor],
 	['google_photos', googlePhotosDescriptor],
 	['webhook', webhookDescriptor],
 	['home_assistant', homeAssistantDescriptor],
 	['bridge_self', bridgeSelfDescriptor],
 ]);
 /** Look up a provider descriptor by type. Returns null for unknown types. */
@@ -20,7 +20,7 @@ export interface ConfigField {
 	configKey?: string;
 	/** i18n key for the field label. */
 	label: string;
-	type: 'text' | 'password' | 'number' | 'grid-select';
+	type: 'text' | 'password' | 'number' | 'grid-select' | 'toggle';
 	/** Grid-select item source function name from grid-items.ts. */
 	gridItems?: string;
 	gridColumns?: number;
@@ -67,7 +67,8 @@ export interface ExtraTrackingField {
 	 * - `toggle`       — on/off switch
 	 * - `date`         — HTML date picker (YYYY-MM-DD)
 	 * - `time`         — HTML time picker (HH:MM)
-	 * - `time-list`    — comma-separated HH:MM list, validated on blur
+	 * - `time-list`    — add/remove list of HH:MM pickers (TimeListEditor),
 	 *                    serialized as a comma-separated string
 	 */
 	type: 'number' | 'grid-select' | 'toggle' | 'date' | 'time' | 'time-list';
 	/** Grid-select item source function name from grid-items.ts. */
@@ -78,8 +79,6 @@ export interface ExtraTrackingField {
 	inlineHelp?: string;
 	min?: number;
 	max?: number;
 	/** For time-list: show live validation + auto-normalize on blur. */
 	validateFormat?: boolean;
 	/**
 	 * Default value. Can be a function for dynamic values (e.g. today's date)
 	 * evaluated each time the form is reset.
@@ -123,17 +122,30 @@ export interface CollectionMeta {
 // ── User-identity filters (TrackerForm) ──────────────────────────────
 /**
- * Declares a filter that picks user identities from the provider's known
+ * Declares a filter rendered on the tracker form. Two input modes:
- * senders. Rendered as a MultiEntitySelect populated from the provider's
+ *
- * `/users` endpoint. The picked values are stored as `string[]` under
+ * * ``picker`` (default) — populated from the provider's ``/users``
- * `tracker.filters[key]`.
+ *   endpoint, rendered as a ``MultiEntitySelect``. Used for sender
 *   allowlists / blocklists where the valid values are known.
 * * ``tags`` — free-text chip input. Used for glob patterns and other
 *   filter values that aren't enumerable in advance.
 *
 * Either way the picked values are stored as ``string[]`` under
 * ``tracker.filters[filterKey ?? key]``.
 */
 export interface UserFilterMeta {
-	/** Filter key inside `tracker.filters` (e.g. "senders", "exclude_senders"). */
+	/** Form field key — used internally for binding. */
 	key: string;
-	/** i18n key for the label rendered above the picker. */
+	/**
 	 * Filter key inside ``tracker.filters``. Defaults to ``key`` when
 	 * omitted (backward compat with the original sender allowlist usage).
 	 */
 	filterKey?: string;
 	/** ``picker`` (default) or ``tags`` for free-text chip input. */
 	inputMode?: 'picker' | 'tags';
 	/** i18n key for the label rendered above the input. */
 	label: string;
-	/** i18n key for the picker placeholder. */
+	/** i18n key for the placeholder (picker dropdown or chip input). */
 	placeholder: string;
 	/** MDI icon shown on chips and dropdown rows. */
 	icon: string;
@@ -183,6 +195,31 @@ export interface ProviderDescriptor {
 	/** Whether this provider stores incoming payload history for debugging. */
 	payloadHistory?: boolean;
 	// ── Capability flags ──
 	/**
 	 * True when the provider exposes asset/people/album endpoints that the
 	 * Auto-Organize action rule editor needs to render its people / album
 	 * pickers (currently only Immich). Used in place of `type === 'immich'`
 	 * checks per CLAUDE.md rule 8.
 	 */
 	supportsAutoOrganize?: boolean;
 	// ── Tracker-form discovery hint ──
 	/**
 	 * Optional info banner shown on the TrackerForm to point users at related
 	 * configuration pages they would otherwise have to discover from docs.
 	 *
 	 * The hint is rendered as a single i18n message followed by zero or more
 	 * call-to-action links. ``ctas[].href`` may include ``{tracking_config_id}``
 	 * / ``{template_config_id}`` placeholders that the form substitutes from
 	 * the tracker's currently selected default-config IDs (or omits the
 	 * ``?edit=...`` query when the value is 0).
 	 */
 	featureDiscoveryHint?: {
 		messageKey: string;
 		ctas?: Array<{ href: string; labelKey: string; icon?: string }>;
 	};
 	// ── Provider-specific hooks ──
 	/**
 	 * Called after collection selection changes (before save).
@@ -20,6 +20,7 @@ import type {
 	CommandTemplateConfig,
 	CommandTracker,
 	Action,
 	ReleaseStatus,
 } from '$lib/types';
 /** Service providers — used by Dashboard, Trackers, Command Trackers, Providers page. */
@@ -140,6 +141,46 @@ export const externalUrlCache = (() => {
 	};
 })();
 /** Upstream release status — drives the sidebar badge and Settings cassette. */
 export const releaseStatusCache = (() => {
 	let data = $state<ReleaseStatus | null>(null);
 	let fetchedAt = $state(0);
 	let inflight: Promise<ReleaseStatus | null> | null = null;
 	// 5 min TTL — fresh enough that "Check now" feels instant on revisit,
 	// long enough that route changes don't hammer the endpoint.
 	const TTL = 300_000;
 	return {
 		get value() { return data; },
 		invalidate() { fetchedAt = 0; },
 		clear() {
 			data = null;
 			fetchedAt = 0;
 			inflight = null;
 		},
 		set(next: ReleaseStatus | null) {
 			data = next;
 			fetchedAt = Date.now();
 		},
 		async fetch(force = false): Promise<ReleaseStatus | null> {
 			if (!force && fetchedAt > 0 && Date.now() - fetchedAt < TTL) return data;
 			if (inflight) return inflight;
 			inflight = (async () => {
 				try {
 					data = await api<ReleaseStatus>('/settings/release');
 					fetchedAt = Date.now();
 					return data;
 				} catch {
 					// Swallow — the badge falls back to its default "no status" state.
 					return data;
 				} finally {
 					inflight = null;
 				}
 			})();
 			return inflight;
 		},
 	};
 })();
 /** Supported template locales — fetched from app settings. */
 export const supportedLocalesCache = (() => {
 	let data = $state<string[]>(['en', 'ru']);
@@ -192,7 +233,13 @@ export async function fetchAllCaches(): Promise<void> {
 /**
 * Invalidate all entity caches. Useful on logout.
 *
 * Singleton state caches (release status, external URL, supported locales)
 * live outside `allCaches` because their shape differs from entity caches —
 * we clear them explicitly so a returning user as a different role can't
 * briefly see the previous user's cached payload.
 */
 export function clearAllCaches(): void {
 	Object.values(allCaches).forEach(c => c.clear());
 	releaseStatusCache.clear();
 }
@@ -16,8 +16,19 @@ const DEFAULT_TTL_MS = 30_000; // 30 seconds
 export interface EntityCache<T extends { id: number }> {
 	/** Reactive list of cached entities. */
 	readonly items: T[];
-	/** True only during the very first fetch (no cached data yet). */
+	/**
 	 * True only during the very first fetch — when there is no cached data
 	 * to show yet. Background re-fetches keep `loading` false so consumers
 	 * keep rendering the previous list and don't flash a spinner; observe
 	 * `refreshing` instead if a subtle indicator is needed.
 	 */
 	readonly loading: boolean;
 	/**
 	 * True during any non-first fetch (cached items already populated).
 	 * Lets consumers distinguish "show skeleton" (loading) from "show subtle
 	 * shimmer/disabled state" (refreshing) without sharing one flag.
 	 */
 	readonly refreshing: boolean;
 	/** Timestamp of last successful fetch. */
 	readonly fetchedAt: number;
 	/** Fetch entities — returns cached data if fresh, else hits network. */
@@ -43,6 +54,7 @@ export function createEntityCache<T extends { id: number }>(
 ): EntityCache<T> {
 	let _items = $state<T[]>([]);
 	let _loading = $state(false);
 	let _refreshing = $state(false);
 	let _fetchedAt = $state(0);
 	function isFresh(): boolean {
@@ -56,8 +68,12 @@ export function createEntityCache<T extends { id: number }>(
 		const existing = inflightRequests.get(endpoint);
 		if (existing) return existing;
 		// First-load vs background-refresh state. We split these so consumers
 		// can keep the previous list visible during a re-fetch (refreshing)
 		// instead of flashing a spinner placeholder (loading).
 		const isFirstLoad = _fetchedAt === 0;
 		if (isFirstLoad) _loading = true;
 		else _refreshing = true;
 		const request = api<T[]>(endpoint)
 			.then((data) => {
@@ -67,6 +83,7 @@ export function createEntityCache<T extends { id: number }>(
 			})
 			.finally(() => {
 				_loading = false;
 				_refreshing = false;
 				inflightRequests.delete(endpoint);
 			});
@@ -104,6 +121,7 @@ export function createEntityCache<T extends { id: number }>(
 	return {
 		get items() { return _items; },
 		get loading() { return _loading; },
 		get refreshing() { return _refreshing; },
 		get fetchedAt() { return _fetchedAt; },
 		fetch,
 		invalidate,
@@ -26,15 +26,14 @@ function loadFromStorage(): void {
 loadFromStorage();
 export const globalProviderFilter = {
-	get id() {
+	/**
-		// If providers are loaded and the stored ID doesn't match any, auto-clear
+	 * Pure getter — returns whatever was last stored, never mutates. Stale-ID
-		if (_providerId != null && providersCache.items.length > 0 &&
+	 * reconciliation against `providersCache` is the responsibility of a
-			!providersCache.items.some(p => p.id === _providerId)) {
+	 * one-time `$effect` in `+layout.svelte` (see `reconcileStaleProviderId`),
-			globalProviderFilter.clear();
+	 * because writing during read inside a `$state`-derived getter triggers
-			return null;
+	 * Svelte 5's `state_unsafe_mutation` warning.
-		}
+	 */
-		return _providerId;
+	get id() { return _providerId; },
 	},
 	get initialized() { return _initialized; },
 	set(id: number | null) {
@@ -52,9 +51,24 @@ export const globalProviderFilter = {
 		this.set(null);
 	},
 	/**
 	 * Drop the stored provider ID if it no longer matches any item in the
 	 * providers cache. Safe to call from a `$effect` after the cache has been
 	 * fetched. Returns true when reconciliation actually changed state, so the
 	 * caller can short-circuit follow-up work.
 	 */
 	reconcileWithCache(): boolean {
 		if (_providerId != null && providersCache.items.length > 0 &&
 			!providersCache.items.some(p => p.id === _providerId)) {
 			this.clear();
 			return true;
 		}
 		return false;
 	},
 	/** The currently selected provider object (reactive). */
 	get provider() {
-		const id = this.id; // triggers stale-ID auto-clear
+		const id = _providerId;
 		if (id == null) return null;
 		return providersCache.items.find(p => p.id === id) ?? null;
 	},
@@ -212,6 +212,58 @@ export interface TemplateConfig {
 	created_at: string;
 }
 /**
 * Lifecycle marker the backend stores in ``EventLog.details.dispatch_status``
 * when a notification doesn't take the immediate-deliver happy path.
 *
 * * ``deferred`` — held back by quiet hours; ``deferred_until`` carries the
 *   UTC ISO datetime at which a drain job will fire.
 * * ``delivered_after_quiet_hours`` — a drain successfully dispatched the
 *   originally-deferred event. ``original_event_log_id`` points back at the
 *   row from when the event was first detected.
 * * ``deferred_then_dropped`` — drain time arrived but the link/target was
 *   removed, disabled, or otherwise unsendable. See ``reason`` for detail.
 * * ``deferred_then_failed`` — drain dispatched but the target returned an
 *   error; ``reason`` carries the truncated provider error.
 * * ``suppressed_quiet_hours_nondeferrable`` — wall-clock event type (e.g.
 *   ``scheduled_message``) caught by quiet hours, dropped on principle.
 */
 export type DispatchStatus =
 	| 'deferred'
 	| 'delivered_after_quiet_hours'
 	| 'deferred_then_dropped'
 	| 'deferred_then_failed'
 	| 'suppressed_quiet_hours_nondeferrable';
 export interface DispatchSummaryError {
 	index: number;
 	error: string;
 }
 export interface DispatchSummaryMediaError {
 	target_index: number;
 	kind?: string;
 	chunk?: number;
 	item_index?: number;
 	error?: string;
 	code?: number;
 }
 export interface DispatchSummary {
 	targets_attempted: number;
 	targets_succeeded: number;
 	targets_failed: number;
 	errors?: DispatchSummaryError[];
 	errors_truncated?: number;
 	media?: {
 		delivered: number;
 		skipped: number;
 		failed: number;
 	};
 	media_errors?: DispatchSummaryMediaError[];
 	media_errors_truncated?: number;
 }
 export interface EventLog {
 	id: number;
 	event_type: string;
@@ -228,7 +280,15 @@ export interface EventLog {
 	telegram_bot_id?: number | null;
 	bot_name?: string;
 	assets_count: number;
-	details: Record<string, any>;
+	details: Record<string, any> & {
 		dispatch_status?: DispatchStatus;
 		deferred_until?: string;
 		original_event_log_id?: number | null;
 		deferred_for_seconds?: number;
 		dispatch_id?: string;
 		request_id?: string;
 		dispatch_summary?: DispatchSummary;
 	};
 	created_at: string;
 }
@@ -344,4 +404,38 @@ export interface DashboardStatus {
 	total_events: number;
 	recent_events: EventLog[];
 	command_trackers?: number;
 	/** Provider name → total event count across ALL events matching the
 	 *  current filters (ignores pagination). Powers the "On watch" deck
 	 *  when the user opts out of page-scoped stats. */
 	provider_event_counts?: Record<string, number>;
 }
 export type ReleaseProviderKind = 'disabled' | 'gitea' | 'github';
 export interface ReleaseStatus {
 	provider: ReleaseProviderKind;
 	current: string;
 	latest: string | null;
 	latest_tag: string | null;
 	latest_url: string | null;
 	latest_name: string | null;
 	latest_body: string | null;
 	latest_published_at: string | null;
 	latest_prerelease: boolean;
 	checked_at: string | null;
 	update_available: boolean;
 	error: string | null;
 }
 export interface ReleaseTestResult {
 	ok: boolean;
 	info: {
 		tag: string;
 		version: string;
 		name: string | null;
 		url: string | null;
 		published_at: string | null;
 		prerelease: boolean;
 	} | null;
 	error: string | null;
 }
@@ -5,7 +5,7 @@
 	import { onMount } from 'svelte';
 	import { fade, slide } from 'svelte/transition';
 	import { cubicOut } from 'svelte/easing';
-	import { api } from '$lib/api';
+	import { api, errMsg } from '$lib/api';
 	import { getAuth, loadUser, logout } from '$lib/auth.svelte';
 	import { t, getLocale, setLocale } from '$lib/i18n';
 	import { getTheme, initTheme, setTheme, type Theme } from '$lib/theme.svelte';
@@ -18,7 +18,7 @@
 		providersCache, notificationTrackersCache, trackingConfigsCache,
 		templateConfigsCache, commandConfigsCache, commandTemplateConfigsCache,
 		commandTrackersCache, actionsCache, telegramBotsCache, emailBotsCache,
-		matrixBotsCache, targetsCache,
+		matrixBotsCache, targetsCache, releaseStatusCache,
 	} from '$lib/stores/caches.svelte';
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import { topbarAction } from '$lib/stores/topbar-action.svelte';
@@ -31,34 +31,55 @@
 	let allProviders = $derived(providersCache.items);
 	// Sidebar release indicator — reads from the cache populated in onMount.
 	const releaseUpdateAvailable = $derived(!!releaseStatusCache.value?.update_available);
 	// A screen reader hits the brand-version link on every page — keep the
 	// label informative only when an update is available, otherwise announce
 	// the version + product so we don't repeat "Up to date" everywhere.
 	const releaseTooltip = $derived(
 		releaseUpdateAvailable
 			? t('settings.release.updateAvailableTooltip').replace('{v}', releaseStatusCache.value?.latest ?? '')
 			: `Notify Bridge v${__APP_VERSION__}`
 	);
 	let providerFilterItems = $derived([
 		{ value: 0, icon: 'mdiFilterOff', label: t('common.allProviders'), desc: '' },
 		...allProviders.map(p => ({ value: p.id, icon: providerDefaultIcon(p), label: p.name, desc: p.type })),
 	]);
-	let providerFilterValue = $state(globalProviderFilter.id ?? 0);
+	// One-way: the store is the source of truth, the filter widget displays it.
-	let _syncingFilter = false;
+	// IconGridSelect mutations route through `onChange` (see template) so we
 	// never need a paired `$effect` to mirror the local <-> store value, which
 	// previously required a `_syncingFilter` reentrancy flag.
 	let providerFilterValue = $derived(globalProviderFilter.id ?? 0);
 	// Reserve the provider-filter row from first paint until the cache resolves.
 	// Without this, the row appears mid-paint and pushes nav items down on every
 	// hard reload — the most visible "jump" the user reported.
 	let showProviderFilter = $derived(allProviders.length >= 1 || providersCache.fetchedAt === 0);
-	// Sync filter value → store
+	// Reconcile a stale persisted provider ID against the freshly-loaded
 	// providers cache. Lives here (not in the store getter) because writing
 	// `_providerId` from a `$state`-derived getter triggers Svelte's
 	// `state_unsafe_mutation`. Runs once per cache refresh.
 	$effect(() => {
-		const v = providerFilterValue;
+		// Track `fetchedAt` so we re-run after the cache loads.
-		if (_syncingFilter) return;
+		void providersCache.fetchedAt;
-		globalProviderFilter.set(v === 0 ? null : v);
+		void providersCache.items.length;
 		globalProviderFilter.reconcileWithCache();
 	});
-	// Sync store → filter value (handles auto-clear of stale IDs)
+	function setProviderFilter(v: string | number) {
-	$effect(() => {
+		const num = typeof v === 'number' ? v : Number(v);
-		const storeId = globalProviderFilter.id;
+		globalProviderFilter.set(num === 0 ? null : num);
-		if (storeId === null && providerFilterValue !== 0) {
+	}
-			_syncingFilter = true;
+
-			providerFilterValue = 0;
+	// Collapsed-rail filter cycles through providers via the same setter so the
-			_syncingFilter = false;
+	// store stays the single write path.
-		}
+	function cycleProviderFilter() {
-	});
+		const ids = [0, ...allProviders.map(p => p.id)];
 		const idx = ids.indexOf(providerFilterValue);
 		setProviderFilter(ids[(idx + 1) % ids.length]);
 	}
 	let showPasswordForm = $state(false);
 	let redirecting = $state(false);
@@ -80,7 +101,7 @@
 			pwdCurrent = ''; pwdNew = ''; pwdConfirm = '';
 			snackSuccess(t('snack.passwordChanged'));
 			setTimeout(() => { showPasswordForm = false; pwdMsg = ''; pwdSuccess = false; pwdConfirm = ''; }, 2000);
-		} catch (err: any) { pwdMsg = err.message; pwdSuccess = false; snackError(err.message); }
+		} catch (err: unknown) { const m = errMsg(err); pwdMsg = m; pwdSuccess = false; snackError(m); }
 	}
 	// Read persisted UI state synchronously so first paint already matches the
@@ -306,6 +327,7 @@
 				emailBotsCache.fetch(),
 				matrixBotsCache.fetch(),
 				targetsCache.fetch(),
 				releaseStatusCache.fetch(),
 			]).catch(e => console.warn('Failed to load caches for nav counts:', e));
 		}
 	});
@@ -401,7 +423,20 @@
 								{/if}
 								Notify Bridge
 							</h1>
-							<p class="brand-version font-mono">v{__APP_VERSION__}</p>
+							<p class="brand-version font-mono">
 								<a
 									class="brand-version-link"
 									class:has-update={releaseUpdateAvailable}
 									href="/settings#release"
 									aria-label={releaseTooltip}
 									title={releaseUpdateAvailable ? releaseTooltip : undefined}
 								>
 									<span>v{__APP_VERSION__}</span>
 									{#if releaseUpdateAvailable}
 										<span class="brand-version-dot" aria-hidden="true"></span>
 									{/if}
 								</a>
 							</p>
 						</div>
 					</div>
 				{:else}
@@ -421,18 +456,14 @@
 			{#if showProviderFilter}
 				<div class="{collapsed ? 'px-2 py-1' : 'px-3 py-1.5'}" style="border-bottom: 1px solid var(--color-border);">
 					{#if collapsed}
-						<button onclick={() => {
+						<button onclick={cycleProviderFilter}
 							const ids = [0, ...allProviders.map(p => p.id)];
 							const idx = ids.indexOf(providerFilterValue);
 							providerFilterValue = ids[(idx + 1) % ids.length];
 						}}
 							class="provider-filter-btn flex items-center justify-center w-full py-1.5 rounded-lg text-sm transition-all duration-200"
 							title={globalProviderFilter.provider?.name || t('common.allProviders')}
 							aria-label={globalProviderFilter.provider?.name || t('common.allProviders')}>
 							<NavIcon name={globalProviderFilter.provider ? providerDefaultIcon(globalProviderFilter.provider) : 'mdiFilterOff'} size={16} />
 						</button>
 					{:else}
-						<IconGridSelect items={providerFilterItems} bind:value={providerFilterValue} columns={Math.min(providerFilterItems.length, 3)} compact />
+						<IconGridSelect items={providerFilterItems} value={providerFilterValue} onChange={setProviderFilter} columns={Math.min(providerFilterItems.length, 3)} compact />
 					{/if}
 				</div>
 			{/if}
@@ -468,6 +499,7 @@
 									<a
 										href={child.href}
 										class="nav-link nav-link-child group flex items-center gap-2 px-2.5 py-1.5 rounded-lg text-sm transition-all duration-200 relative {isActive(child.href) ? 'active' : ''}"
 										aria-current={isActive(child.href) ? 'page' : undefined}
 									>
 										{#if isActive(child.href)}
 											<div class="active-indicator" style="position: absolute; left: -13px; top: 50%; transform: translateY(-50%); width: 3px; height: 60%; border-radius: 0 3px 3px 0; background: var(--color-primary); box-shadow: 0 0 8px var(--color-glow-strong);"></div>
@@ -487,6 +519,7 @@
 							href={entry.href}
 							class="nav-link group flex items-center gap-2.5 {collapsed ? 'justify-center px-2' : 'px-3'} py-2 rounded-lg text-sm transition-all duration-200 relative {isActive(entry.href) ? 'active' : ''}"
 							title={collapsed ? t(entry.key) : ''}
 							aria-current={isActive(entry.href) ? 'page' : undefined}
 						>
 							{#if isActive(entry.href)}
 								<div class="active-indicator" style="position: absolute; left: 0; top: 50%; transform: translateY(-50%); width: 3px; height: 60%; border-radius: 0 3px 3px 0; background: var(--color-primary); box-shadow: 0 0 8px var(--color-glow-strong);"></div>
@@ -570,6 +603,7 @@
 				<NavIcon name="mdiMagnify" size={20} />
 			</button>
 			<button onclick={() => mobileMoreOpen = !mobileMoreOpen} aria-label={t('nav.more')}
 				aria-expanded={mobileMoreOpen}
 				class="flex flex-col items-center gap-0.5 px-2 py-1.5 text-xs rounded-lg transition-all duration-200"
 				style="color: {mobileMoreOpen ? 'var(--color-primary)' : 'var(--color-muted-foreground)'};">
 				<NavIcon name="mdiDotsHorizontal" size={20} />
@@ -584,7 +618,7 @@
 				transition:slide={{ duration: 200, easing: cubicOut }}>
 				{#if allProviders.length >= 1}
 					<div class="mb-3 pb-3" style="border-bottom: 1px solid var(--color-border);">
-						<IconGridSelect items={providerFilterItems} bind:value={providerFilterValue} columns={Math.min(providerFilterItems.length, 4)} compact />
+						<IconGridSelect items={providerFilterItems} value={providerFilterValue} onChange={setProviderFilter} columns={Math.min(providerFilterItems.length, 4)} compact />
 					</div>
 				{/if}
 				<div class="space-y-3">
@@ -772,6 +806,40 @@
 		letter-spacing: 0.02em;
 		font-weight: 500;
 	}
 	.brand-version-link {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.3rem;
 		color: inherit;
 		text-decoration: none;
 		border-radius: 0.3rem;
 		padding: 1px 4px;
 		margin: -1px -4px;
 		transition: color 0.15s, background 0.15s;
 	}
 	.brand-version-link:hover {
 		color: var(--color-foreground);
 		background: var(--color-glass-strong);
 	}
 	.brand-version-link.has-update {
 		color: var(--color-citrus, #d4a73a);
 	}
 	.brand-version-dot {
 		width: 6px;
 		height: 6px;
 		border-radius: 999px;
 		background: var(--color-citrus, #d4a73a);
 		box-shadow: 0 0 6px color-mix(in srgb, var(--color-citrus, #d4a73a) 70%, transparent);
 		animation: brand-version-pulse 2.4s ease-in-out infinite;
 	}
 	@keyframes brand-version-pulse {
 		0%, 100% { transform: scale(1); opacity: 1; }
 		50%      { transform: scale(1.35); opacity: 0.65; }
 	}
 	@media (prefers-reduced-motion: reduce) {
 		.brand-version-dot { animation: none; }
 		.brand-version-link { transition: none; }
 	}
 	.brand-orb {
 		width: 32px; height: 32px;
 		border-radius: 11px;
@@ -18,7 +18,7 @@
 	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
 	import EventDetailModal from '$lib/components/EventDetailModal.svelte';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
-	import { eventTypeFilterItems, refreshIntervalItems, sortFilterItems, providerDefaultIcon } from '$lib/grid-items';
+	import { eventTypeFilterItems, refreshIntervalItems, sortFilterItems, providerStatsModeItems, providerDefaultIcon } from '$lib/grid-items';
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import { getDescriptor } from '$lib/providers';
@@ -76,6 +76,17 @@
 		return stored ? parseInt(stored, 10) || 10 : 10;
 	}
 	// "On watch" provider deck stats scope. ``'page'`` = derive counts from
 	// the events visible on the current page (legacy behavior); ``'all'`` =
 	// use the server-aggregated ``provider_event_counts`` map covering every
 	// event that matches the active filters.
 	const PROVIDER_STATS_MODE_KEY = 'dashboard_provider_stats_mode';
 	function loadProviderStatsMode(): string {
 		if (typeof localStorage === 'undefined') return 'page';
 		const stored = localStorage.getItem(PROVIDER_STATS_MODE_KEY);
 		return stored === 'all' ? 'all' : 'page';
 	}
 	// Auto-refresh: 0 = off, otherwise seconds between refreshes.
 	// Allowed cadences are defined in ``refreshIntervalItems()`` — keep
 	// this whitelist in sync with that helper so a stale localStorage
@@ -95,6 +106,7 @@
 	let eventsLoading = $state(false);
 	let confirmClearEvents = $state(false);
 	let refreshSeconds = $state(loadRefreshSeconds());
 	let providerStatsMode = $state(loadProviderStatsMode());
 	let selectedEvent = $state<EventLog | null>(null);
 	// Stagger entry animation should play once on initial load only —
 	// without this, every pagination/filter change re-runs the cascade
@@ -128,6 +140,14 @@
 		if (typeof localStorage !== 'undefined') localStorage.setItem(EVENTS_REFRESH_KEY, String(v));
 	});
 	// Persist the provider deck stats mode the same way.
 	let _providerStatsHydrated = false;
 	$effect(() => {
 		const v = providerStatsMode;
 		if (!_providerStatsHydrated) { _providerStatsHydrated = true; return; }
 		if (typeof localStorage !== 'undefined') localStorage.setItem(PROVIDER_STATS_MODE_KEY, v);
 	});
 	async function clearEvents() {
 		try {
 			const res = await api<{ deleted: number }>('/status/events', { method: 'DELETE' });
@@ -197,6 +217,7 @@
 					targets: next.targets,
 					total_events: next.total_events,
 					command_trackers: next.command_trackers,
 					provider_event_counts: next.provider_event_counts,
 				};
 				return;
 			}
@@ -298,9 +319,21 @@
 		: displayProviders);
 	// === Provider deck — derive activity counts from recent events ===
 	//
 	// ``providerStatsMode`` controls the scope: ``'page'`` derives counts
 	// from the visible page (legacy), ``'all'`` uses the server-aggregated
 	// ``provider_event_counts`` map covering every event under the active
 	// filters regardless of pagination.
 	const providerEventCounts = $derived.by(() => {
 		const counts = new Map<string, number>();
 		if (!status) return counts;
 		if (providerStatsMode === 'all' && status.provider_event_counts) {
 			for (const [name, total] of Object.entries(status.provider_event_counts)) {
 				if (!name) continue;
 				counts.set(name, total);
 			}
 			return counts;
 		}
 		for (const ev of status.recent_events) {
 			const k = ev.provider_name || '';
 			if (!k) continue;
@@ -724,6 +757,37 @@
 										<b class="signal-emph signal-emph--accent truncate">«{event.collection_name}»</b>
 									{/if}
 								</div>
 								{#if event.details?.dispatch_status === 'deferred' && event.details?.deferred_until}
 									<span class="dispatch-badge dispatch-badge--deferred"
 										title={t('dashboard.deferredTitle')}>
 										<MdiIcon name="mdiPauseCircleOutline" size={12} />
 										{t('dashboard.heldUntil')} {timeShort(event.details.deferred_until)}
 									</span>
 								{:else if event.details?.dispatch_status === 'delivered_after_quiet_hours'}
 									<span class="dispatch-badge dispatch-badge--late"
 										title={t('dashboard.deliveredLateTitle')}>
 										<MdiIcon name="mdiClockCheckOutline" size={12} />
 										{t('dashboard.deliveredLate')}
 									</span>
 								{:else if event.details?.dispatch_status === 'deferred_then_dropped'}
 									<span class="dispatch-badge dispatch-badge--dropped"
 										title={t('dashboard.deferredThenDroppedTitle')}>
 										<MdiIcon name="mdiCloseCircleOutline" size={12} />
 										{t('dashboard.deferredThenDropped')}
 									</span>
 								{:else if event.details?.dispatch_status === 'deferred_then_failed'}
 									<span class="dispatch-badge dispatch-badge--dropped"
 										title={event.details?.reason ?? ''}>
 										<MdiIcon name="mdiAlertCircleOutline" size={12} />
 										{t('dashboard.deferredThenFailed')}
 									</span>
 								{:else if event.details?.dispatch_status === 'suppressed_quiet_hours_nondeferrable'}
 									<span class="dispatch-badge dispatch-badge--dropped"
 										title={t('dashboard.suppressedNondeferrableTitle')}>
 										<MdiIcon name="mdiVolumeOff" size={12} />
 										{t('dashboard.suppressedQuietHours')}
 									</span>
 								{/if}
 								{#if event.event_type?.startsWith('command_')}
 									{@const issuer = event.details?.issuer as { id?: number; username?: string; first_name?: string; last_name?: string } | undefined}
 									{@const issuerLabel = issuer
@@ -781,11 +845,18 @@
 					<h2 class="panel-title">{t('dashboard.onWatchTitle')} <em>{t('dashboard.onWatchEmphasis')}</em></h2>
 					<p class="panel-meta"><b>{providerDeck.length}</b> {t('dashboard.providersShort')}</p>
 				</div>
-				<button type="button" onclick={() => toggleSection('on_watch')}
+				<div class="panel-head-actions">
-					class="ghost-icon-btn"
+					<div class="w-32" title={t('dashboard.statsModeTitle')}>
-					title={sectionExpanded.on_watch ? t('common.hide') : t('common.show')}>
+						<IconGridSelect items={providerStatsModeItems()}
-					<NavIcon name={sectionExpanded.on_watch ? 'mdiChevronDown' : 'mdiChevronRight'} size={16} />
+							bind:value={providerStatsMode}
-				</button>
+							columns={2} compact />
 					</div>
 					<button type="button" onclick={() => toggleSection('on_watch')}
 						class="ghost-icon-btn"
 						title={sectionExpanded.on_watch ? t('common.hide') : t('common.show')}>
 						<NavIcon name={sectionExpanded.on_watch ? 'mdiChevronDown' : 'mdiChevronRight'} size={16} />
 					</button>
 				</div>
 			</header>
 			{#if sectionExpanded.on_watch}
@@ -1334,6 +1405,36 @@
 		border-radius: 6px;
 	}
 	.signal-trail .arrow { color: var(--color-muted-foreground); }
 	/* Dispatch lifecycle badges (quiet-hours deferral, late delivery, drops).
 	 * Coloured to match the verb (held = primary glow, late = success, drop
 	 * = muted). The icon is intentionally small so the badge doesn't pull
 	 * focus from the event verb itself. */
 	.dispatch-badge {
 		display: inline-flex; align-items: center; gap: 0.25rem;
 		font-size: 0.68rem;
 		font-family: var(--font-mono);
 		padding: 0.1rem 0.4rem;
 		border-radius: 999px;
 		border: 1px solid var(--color-border);
 		background: var(--color-glass-strong);
 		color: var(--color-muted-foreground);
 		margin-left: 0.4rem;
 		white-space: nowrap;
 	}
 	.dispatch-badge--deferred {
 		color: var(--color-primary);
 		border-color: color-mix(in srgb, var(--color-primary) 35%, transparent);
 		background: color-mix(in srgb, var(--color-primary) 10%, var(--color-glass-strong));
 	}
 	.dispatch-badge--late {
 		color: var(--color-success, #16a34a);
 		border-color: color-mix(in srgb, var(--color-success, #16a34a) 35%, transparent);
 		background: color-mix(in srgb, var(--color-success, #16a34a) 10%, var(--color-glass-strong));
 	}
 	.dispatch-badge--dropped {
 		color: var(--color-muted-foreground);
 		opacity: 0.85;
 	}
 	.signal-when {
 		text-align: right;
 		font-size: 0.7rem;
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { t } from '$lib/i18n';
 	import { actionsCache, providersCache, capabilitiesCache } from '$lib/stores/caches.svelte';
 	import PageHeader from '$lib/components/PageHeader.svelte';
@@ -22,6 +22,7 @@
 	import ExecutionHistory from './ExecutionHistory.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { Action, ActionRule } from '$lib/types';
 	let allActions = $derived(actionsCache.items);
@@ -98,8 +99,8 @@
 				capabilitiesCache.fetch(),
 			]);
 			loadError = '';
-		} catch (err: any) {
+		} catch (err: unknown) {
-			loadError = err.message || t('actions.loadError');
+			loadError = errMsg(err, t('actions.loadError'));
 		} finally { loaded = true; highlightFromUrl(); }
 	}
@@ -137,7 +138,7 @@
 			}
 			showForm = false; editing = null; actionsCache.invalidate(); await load();
 			snackSuccess(t('actions.saved'));
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		submitting = false;
 	}
@@ -150,7 +151,7 @@
 			await api(`/actions/${id}`, { method: 'DELETE' });
 			actionsCache.invalidate(); await load();
 			snackSuccess(t('actions.deleted'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function executeAction(id: number, dryRun = false) {
@@ -164,7 +165,7 @@
 				: `${t('actions.execute')}: ${affected} ${t('actions.affected')}`;
 			snackSuccess(msg);
 			actionsCache.invalidate(); await load();
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		executing = { ...executing, [id]: false };
 	}
@@ -193,6 +194,51 @@
 		if (status === 'failed') return 'var(--color-error-fg)';
 		return 'var(--color-muted-foreground)';
 	}
 	function statusTone(status: string | undefined): MetaTile['tone'] {
 		if (status === 'success') return 'mint';
 		if (status === 'partial') return 'citrus';
 		if (status === 'failed') return 'coral';
 		return 'default';
 	}
 	function actionTiles(action: Action): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push(action.enabled
 			? { icon: 'mdiCheckCircle', label: t('commandTracker.enabled'), tone: 'mint' }
 			: { icon: 'mdiPauseCircleOutline', label: t('commandTracker.disabled'), tone: 'default' });
 		tiles.push({
 			icon: 'mdiServer',
 			label: getProviderName(action.provider_id),
 			tone: 'lavender',
 		});
 		tiles.push({
 			icon: 'mdiTagOutline',
 			label: action.action_type,
 			tone: 'sky',
 			mono: true,
 		});
 		tiles.push({
 			icon: action.schedule_type === 'cron' ? 'mdiClockOutline' : 'mdiTimerOutline',
 			label: formatSchedule(action),
 			tone: 'orchid',
 			mono: true,
 		});
 		tiles.push({
 			icon: 'mdiFormatListBulleted',
 			value: String(action.rules?.length || 0),
 			label: t('actions.rules'),
 			tone: (action.rules?.length || 0) > 0 ? 'sky' : 'default',
 		});
 		if (action.last_run_status) {
 			tiles.push({
 				icon: 'mdiHistory',
 				label: action.last_run_status,
 				tone: statusTone(action.last_run_status),
 			});
 		}
 		return tiles;
 	}
 </script>
 <PageHeader
@@ -323,32 +369,35 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else if !showForm}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each actions as action}
 			<Card hover entityId={action.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div class="flex items-center gap-3">
+					<div class="list-row__identity">
-						<div class="w-2.5 h-2.5 rounded-full flex-shrink-0"
+						<div class="flex items-center gap-3 min-w-0">
-							style="background: {action.enabled ? '#059669' : 'var(--color-muted-foreground)'}"></div>
+							<div class="w-2.5 h-2.5 rounded-full flex-shrink-0"
-						<span style="color: var(--color-primary);"><MdiIcon name={action.icon || 'mdiPlayCircleOutline'} size={20} /></span>
+								style="background: {action.enabled ? '#059669' : 'var(--color-muted-foreground)'}"></div>
-						<div>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={action.icon || 'mdiPlayCircleOutline'} size={20} /></span>
-							<div class="flex items-center gap-2">
+							<div class="min-w-0">
-								<p class="font-medium">{action.name}</p>
+								<div class="flex items-center gap-2 min-w-0">
-								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{action.action_type}</span>
+									<p class="font-medium truncate">{action.name}</p>
-							</div>
+									<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{action.action_type}</span>
-							<div class="flex items-center gap-3 text-xs text-[var(--color-muted-foreground)]">
+								</div>
-								<CrossLink href="/providers" icon={providerDefaultIcon(getProvider(action.provider_id) || {})} label={getProviderName(action.provider_id)} entityId={action.provider_id} />
+								<div class="flex items-center gap-3 text-xs text-[var(--color-muted-foreground)] list-row__secondary">
-								<span>{formatSchedule(action)}</span>
+									<CrossLink href="/providers" icon={providerDefaultIcon(getProvider(action.provider_id) || {})} label={getProviderName(action.provider_id)} entityId={action.provider_id} />
-								<span>{action.rules?.length || 0} {t('actions.rules')}</span>
+									<span>{formatSchedule(action)}</span>
-								{#if action.last_run_status}
+									<span>{action.rules?.length || 0} {t('actions.rules')}</span>
-									<span style="color: {statusColor(action.last_run_status)}">
+									{#if action.last_run_status}
-										{action.last_run_status}
+										<span style="color: {statusColor(action.last_run_status)}">
-									</span>
+											{action.last_run_status}
-								{/if}
+										</span>
 									{/if}
 								</div>
 							</div>
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={actionTiles(action)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiPlay" title={t('actions.execute')}
 							onclick={() => executeAction(action.id)}
 							disabled={executing[action.id]} />
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { t } from '$lib/i18n';
 	import { providersCache } from '$lib/stores/caches.svelte';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
@@ -7,6 +7,7 @@
 	import IconButton from '$lib/components/IconButton.svelte';
 	import EntitySelect from '$lib/components/EntitySelect.svelte';
 	import MultiEntitySelect from '$lib/components/MultiEntitySelect.svelte';
 	import { getDescriptor } from '$lib/providers';
 	import type { ActionRule } from '$lib/types';
 	let { actionId, actionType, providerId }: { actionId: number; actionType: string; providerId: number } = $props();
@@ -47,14 +48,16 @@
 		loading = true;
 		try {
 			rules = await api<ActionRule[]>(`/actions/${actionId}/rules`);
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		loading = false;
 	}
 	async function loadProviderData() {
 		if (actionType !== 'auto_organize') return;
 		const provider = providersCache.items.find((p: any) => p.id === providerId);
-		if (!provider || provider.type !== 'immich') return;
+		if (!provider) return;
 		const descriptor = getDescriptor(provider.type);
 		if (!descriptor?.supportsAutoOrganize) return;
 		try {
 			const [p, a] = await Promise.all([
 				api<any>(`/providers/${providerId}/people`),
@@ -79,7 +82,7 @@
 			resetNewRule();
 			await loadRules();
 			snackSuccess(t('actions.ruleSaved'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		submitting = false;
 	}
@@ -91,7 +94,7 @@
 			});
 			await loadRules();
 			snackSuccess(t('actions.ruleSaved'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function deleteRule(ruleId: number) {
@@ -99,7 +102,7 @@
 			await api(`/actions/${actionId}/rules/${ruleId}`, { method: 'DELETE' });
 			await loadRules();
 			snackSuccess(t('actions.ruleDeleted'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function toggleRule(rule: ActionRule) {
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import { page } from '$app/state';
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { t } from '$lib/i18n';
 	import { telegramBotsCache, emailBotsCache, matrixBotsCache } from '$lib/stores/caches.svelte';
 	import Loading from '$lib/components/Loading.svelte';
@@ -29,7 +29,7 @@
 				emailBotsCache.fetch(true),
 				matrixBotsCache.fetch(true),
 			]);
-		} catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		} catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
 		finally { loaded = true; highlightFromUrl(); }
 	}
 </script>
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t, getLocale } from '$lib/i18n';
 	import { emailBotsCache } from '$lib/stores/caches.svelte';
@@ -13,6 +13,7 @@
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { EmailBot } from '$lib/types';
 	let { onreload }: { onreload: () => Promise<void> } = $props();
@@ -39,6 +40,30 @@
 		}
 	});
 	function emailBotTiles(bot: EmailBot): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push({
 			icon: 'mdiEmailOutline',
 			label: bot.email,
 			tone: 'lavender',
 			mono: true,
 		});
 		tiles.push({
 			icon: 'mdiServerNetwork',
 			label: `${bot.smtp_host}:${bot.smtp_port}`,
 			tone: 'sky',
 			mono: true,
 		});
 		if (bot.smtp_use_tls) {
 			tiles.push({
 				icon: 'mdiLockOutline',
 				label: 'TLS',
 				tone: 'mint',
 			});
 		}
 		return tiles;
 	}
 	function openNewEmail() { emailForm = defaultEmailForm(); nameManuallyEdited = false; editingEmail = null; showEmailForm = true; }
 	function editEmailBot(bot: EmailBot) {
 		emailForm = {
@@ -64,7 +89,7 @@
 				snackSuccess(t('snack.emailBotCreated'));
 			}
 			emailForm = defaultEmailForm(); nameManuallyEdited = false; showEmailForm = false; editingEmail = null; await onreload();
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		finally { emailSubmitting = false; }
 	}
@@ -74,10 +99,10 @@
 			id,
 			onconfirm: async () => {
 				try { await api(`/email-bots/${id}`, { method: 'DELETE' }); await onreload(); snackSuccess(t('snack.emailBotDeleted')); }
-				catch (err: any) {
+				catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message; snackError(err.message);
+					const m = errMsg(err); error = m; snackError(m);
 				}
 				finally { confirmDeleteEmail = null; }
 			}
@@ -90,7 +115,7 @@
 			const res = await api(`/email-bots/${botId}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.emailBotTestSent'));
 			else snackError(res.error || t('emailBot.operationFailed'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		emailTesting = { ...emailTesting, [botId]: false };
 	}
 </script>
@@ -165,16 +190,16 @@
 		<EmptyState icon="mdiEmailOutline" message={t('emailBot.noBots')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each emailBots as bot}
 			<Card hover entityId={bot.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={bot.icon || 'mdiEmailOutline'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={bot.icon || 'mdiEmailOutline'} size={20} /></span>
-							<p class="font-medium">{bot.name}</p>
+							<p class="font-medium truncate">{bot.name}</p>
 						</div>
-						<div class="flex items-center gap-2 mt-1 flex-wrap">
+						<div class="flex items-center gap-2 mt-1 flex-wrap list-row__secondary">
 							<span class="text-xs text-[var(--color-muted-foreground)] font-mono">{bot.email}</span>
 							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{bot.smtp_host}:{bot.smtp_port}</span>
 							{#if bot.smtp_use_tls}
@@ -182,7 +207,8 @@
 							{/if}
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={emailBotTiles(bot)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiSend" title={t('emailBot.testConnection')} onclick={() => testEmailBot(bot.id)} disabled={emailTesting[bot.id]} />
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => editEmailBot(bot)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => removeEmail(bot.id)} variant="danger" />
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t, getLocale } from '$lib/i18n';
 	import { matrixBotsCache } from '$lib/stores/caches.svelte';
@@ -13,6 +13,7 @@
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { MatrixBot } from '$lib/types';
 	let { onreload }: { onreload: () => Promise<void> } = $props();
@@ -38,6 +39,28 @@
 		}
 	});
 	function matrixBotTiles(bot: MatrixBot): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		let host = bot.homeserver_url;
 		try { host = new URL(bot.homeserver_url).host; } catch { /* keep raw */ }
 		tiles.push({
 			icon: 'mdiServerNetwork',
 			label: host,
 			hint: bot.homeserver_url,
 			href: bot.homeserver_url,
 			tone: 'lavender',
 			mono: true,
 		});
 		if (bot.display_name) {
 			tiles.push({
 				icon: 'mdiAccountCircleOutline',
 				label: bot.display_name,
 				tone: 'sky',
 			});
 		}
 		return tiles;
 	}
 	function openNewMatrix() { matrixForm = defaultMatrixForm(); nameManuallyEdited = false; editingMatrix = null; showMatrixForm = true; }
 	function editMatrixBot(bot: MatrixBot) {
 		matrixForm = {
@@ -62,7 +85,7 @@
 				snackSuccess(t('snack.matrixBotCreated'));
 			}
 			matrixForm = defaultMatrixForm(); nameManuallyEdited = false; showMatrixForm = false; editingMatrix = null; await onreload();
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		finally { matrixSubmitting = false; }
 	}
@@ -72,10 +95,10 @@
 			id,
 			onconfirm: async () => {
 				try { await api(`/matrix-bots/${id}`, { method: 'DELETE' }); await onreload(); snackSuccess(t('snack.matrixBotDeleted')); }
-				catch (err: any) {
+				catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message; snackError(err.message);
+					const m = errMsg(err); error = m; snackError(m);
 				}
 				finally { confirmDeleteMatrix = null; }
 			}
@@ -88,7 +111,7 @@
 			const res = await api(`/matrix-bots/${botId}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.matrixBotTestOk'));
 			else snackError(res.error || t('matrixBot.operationFailed'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		matrixTesting = { ...matrixTesting, [botId]: false };
 	}
 </script>
@@ -148,23 +171,24 @@
 		<EmptyState icon="mdiMatrix" message={t('matrixBot.noBots')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each matrixBots as bot}
 			<Card hover entityId={bot.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={bot.icon || 'mdiMatrix'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={bot.icon || 'mdiMatrix'} size={20} /></span>
-							<p class="font-medium">{bot.name}</p>
+							<p class="font-medium truncate">{bot.name}</p>
 						</div>
-						<div class="flex items-center gap-2 mt-1 flex-wrap">
+						<div class="flex items-center gap-2 mt-1 flex-wrap list-row__secondary">
 							<span class="text-xs text-[var(--color-muted-foreground)] font-mono">{bot.homeserver_url}</span>
 							{#if bot.display_name}
 								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{bot.display_name}</span>
 							{/if}
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={matrixBotTiles(bot)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiConnection" title={t('matrixBot.testConnection')} onclick={() => testMatrixBot(bot.id)} disabled={matrixTesting[bot.id]} />
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => editMatrixBot(bot)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => removeMatrix(bot.id)} variant="danger" />
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { slide, fade } from 'svelte/transition';
 	import { flip } from 'svelte/animate';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, errMsg, getBlockedBy, type BlockedByDetail } from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t, getLocale } from '$lib/i18n';
 	import { telegramBotsCache } from '$lib/stores/caches.svelte';
@@ -16,6 +16,7 @@
 	import { snackSuccess, snackError, snackInfo } from '$lib/stores/snackbar.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { TelegramBot, TelegramChat } from '$lib/types';
 	interface CommandTrackerSummary { id: number; name: string; icon?: string; enabled: boolean }
@@ -60,6 +61,36 @@
 	let botListenerStatus = $state<Record<number, CommandTrackerSummary[]>>({});
 	let botListenerLoading = $state<Record<number, boolean>>({});
 	function telegramBotTiles(bot: TelegramBot): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		const mode = bot.update_mode || 'none';
 		const modeTone: MetaTile['tone'] = mode === 'webhook' ? 'lavender' : mode === 'polling' ? 'mint' : 'default';
 		const modeLabel = mode === 'webhook' ? t('telegramBot.webhook') : mode === 'polling' ? t('telegramBot.polling') : t('telegramBot.none');
 		tiles.push({
 			icon: mode === 'webhook' ? 'mdiWebhook' : mode === 'polling' ? 'mdiSync' : 'mdiPowerOff',
 			label: modeLabel,
 			tone: modeTone,
 		});
 		if (bot.bot_username) {
 			tiles.push({
 				icon: 'mdiAt',
 				label: bot.bot_username,
 				tone: 'sky',
 				mono: true,
 			});
 		}
 		const chatCount = chats[bot.id]?.length;
 		if (chatCount !== undefined) {
 			tiles.push({
 				icon: 'mdiChat',
 				value: String(chatCount),
 				label: t('telegramBot.chats'),
 				tone: chatCount > 0 ? 'orchid' : 'default',
 			});
 		}
 		return tiles;
 	}
 	function openNew() { form = { name: '', icon: '', token: '' }; nameManuallyEdited = false; editing = null; showForm = true; }
 	function editBot(bot: TelegramBot) { form = { name: bot.name, icon: bot.icon || '', token: '' }; nameManuallyEdited = true; editing = bot.id; showForm = true; }
@@ -74,7 +105,7 @@
 				snackSuccess(t('snack.botRegistered'));
 			}
 			form = { name: '', icon: '', token: '' }; nameManuallyEdited = false; showForm = false; editing = null; await onreload();
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const m = errMsg(err); error = m; snackError(m); }
 		finally { submitting = false; }
 	}
@@ -84,10 +115,10 @@
 			id,
 			onconfirm: async () => {
 				try { await api(`/telegram-bots/${id}`, { method: 'DELETE' }); await onreload(); snackSuccess(t('snack.botDeleted')); }
-				catch (err: any) {
+				catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message; snackError(err.message);
+					const m = errMsg(err); error = m; snackError(m);
 				}
 				finally { confirmDelete = null; }
 			}
@@ -116,7 +147,7 @@
 		try {
 			chats = { ...chats, [botId]: await api<TelegramChat[]>(`/telegram-bots/${botId}/chats/discover`, { method: 'POST' }) };
 			snackSuccess(t('telegramBot.chatsDiscovered'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		chatsRefreshing = { ...chatsRefreshing, [botId]: false };
 	}
@@ -125,11 +156,15 @@
 			await api(`/telegram-bots/${botId}/chats/${chatDbId}`, { method: 'DELETE' });
 			chats[botId] = (chats[botId] || []).filter((c) => c.id !== chatDbId);
 			snackSuccess(t('telegramBot.chatDeleted'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
-	const LANG_ITEMS = [
+	// `desc` is the only locale-sensitive field — language *names* are intentionally
-		{ value: '', label: '—', icon: 'mdiTranslate', desc: 'Auto' },
+	// shown in their own language (English under EN, Русский under RU, …) so users
 	// recognise them regardless of the current UI locale. Only the "Auto" sentinel
 	// for the no-override row is translated.
 	let LANG_ITEMS = $derived([
 		{ value: '', label: '—', icon: 'mdiTranslate', desc: t('common.auto') },
 		{ value: 'en', label: 'EN', icon: 'mdiAlphaECircle', desc: 'English' },
 		{ value: 'ru', label: 'RU', icon: 'mdiAlphaRCircle', desc: 'Русский' },
 		{ value: 'uk', label: 'UK', icon: 'mdiAlphaUCircle', desc: 'Українська' },
@@ -146,7 +181,7 @@
 		{ value: 'tr', label: 'TR', icon: 'mdiAlphaTCircle', desc: 'Türkçe' },
 		{ value: 'ar', label: 'AR', icon: 'mdiAlphaACircle', desc: 'العربية' },
 		{ value: 'hi', label: 'HI', icon: 'mdiAlphaHCircle', desc: 'हिन्दी' },
-	];
+	]);
 	async function updateChatLanguage(botId: number, chat: TelegramChat, lang: string) {
 		try {
@@ -158,7 +193,7 @@
 				c.id === chat.id ? { ...c, language_override: lang } : c
 			);
 			snackSuccess(t('telegramBot.languageUpdated'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function toggleChatCommands(botId: number, chat: TelegramChat) {
@@ -171,7 +206,7 @@
 			chats[botId] = (chats[botId] || []).map(c =>
 				c.id === chat.id ? { ...c, commands_enabled: newVal } : c
 			);
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function loadListenerStatus(botId: number) {
@@ -201,7 +236,7 @@
 					t.id === trk.id ? { ...t, enabled: !t.enabled } : t
 				),
 			};
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function syncCommands(botId: number) {
@@ -210,7 +245,7 @@
 			const res = await api<ApiResult>(`/telegram-bots/${botId}/sync-commands`, { method: 'POST' });
 			if (res.success) snackSuccess(t('telegramBot.commandsSynced'));
 			else snackError(res.error || t('telegramBot.saveFailed'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		modeChanging = { ...modeChanging, [botId]: false };
 	}
@@ -223,7 +258,7 @@
 				await loadWebhookStatus(botId);
 			}
 			snackSuccess(t('snack.botUpdated'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		modeChanging = { ...modeChanging, [botId]: false };
 	}
@@ -243,7 +278,7 @@
 			} else {
 				snackError(res.error || t('telegramBot.webhookFailed'));
 			}
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		modeChanging = { ...modeChanging, [botId]: false };
 	}
@@ -253,7 +288,7 @@
 			const res = await api<ApiResult>(`/telegram-bots/${botId}/webhook/unregister`, { method: 'POST' });
 			if (res.success) { snackSuccess(t('telegramBot.webhookUnregistered')); await loadWebhookStatus(botId); }
 			else snackError(res.error || t('telegramBot.saveFailed'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		modeChanging = { ...modeChanging, [botId]: false };
 	}
@@ -284,7 +319,7 @@
 			const res = await api<ApiResult>(`/telegram-bots/${botId}/chats/${chatId}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.targetTestSent'));
 			else snackError(res.error || t('telegramBot.saveFailed'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		chatTesting = { ...chatTesting, [key]: false };
 	}
@@ -343,18 +378,19 @@
 		<EmptyState icon="mdiRobot" message={t('telegramBot.noBots')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each bots as bot}
 			<Card hover entityId={bot.id}>
-				<div class="flex items-center justify-between gap-2 flex-wrap">
+				<div class="list-row">
-					<div class="min-w-0">
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2 flex-wrap">
+						<div class="flex items-center gap-2 flex-wrap min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={bot.icon || 'mdiRobot'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={bot.icon || 'mdiRobot'} size={20} /></span>
-							<p class="font-medium">{bot.name}</p>
+							<p class="font-medium truncate">{bot.name}</p>
 							{#if bot.bot_username}
-								<span class="text-xs text-[var(--color-muted-foreground)]">@{bot.bot_username}</span>
+								<span class="text-xs text-[var(--color-muted-foreground)] shrink-0">@{bot.bot_username}</span>
 							{/if}
-							<!-- Mode badge -->
+						</div>
 						<div class="list-row__secondary mt-0.5 flex items-center gap-2 flex-wrap">
 							<span class="text-xs px-1.5 py-0.5 rounded font-mono {(bot.update_mode || 'none') === 'webhook'
 								? 'bg-[var(--color-primary)]/10 text-[var(--color-primary)]'
 								: (bot.update_mode || 'none') === 'polling'
@@ -362,10 +398,11 @@
 									: 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
 								{(bot.update_mode || 'none') === 'webhook' ? t('telegramBot.webhook') : (bot.update_mode || 'none') === 'polling' ? t('telegramBot.polling') : t('telegramBot.none')}
 							</span>
 							<p class="text-xs text-[var(--color-muted-foreground)] font-mono">{bot.token_preview}</p>
 						</div>
 						<p class="text-xs text-[var(--color-muted-foreground)] font-mono">{bot.token_preview}</p>
 					</div>
-					<div class="flex items-center gap-1 flex-shrink-0 flex-wrap">
+					<MetaStrip tiles={telegramBotTiles(bot)} />
 					<div class="list-row__actions flex-wrap justify-end">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => editBot(bot)} />
 						<button onclick={() => toggleSection(bot.id, 'chats')}
 							disabled={chatsLoading[bot.id]}
@@ -431,6 +468,10 @@
 										</div>
 										<div style="justify-self:center" role="presentation" onclick={(e: MouseEvent) => e.stopPropagation()} onkeydown={(e: KeyboardEvent) => e.stopPropagation()}>
 											<button
 												type="button"
 												role="switch"
 												aria-checked={chat.commands_enabled}
 												aria-label={t('telegramBot.commandsToggle')}
 												style="width:28px; height:16px; border-radius:8px; position:relative; transition:background-color 0.2s; background-color:{chat.commands_enabled ? 'var(--color-primary)' : 'var(--color-border)'};"
 												title={t('telegramBot.commandsToggle')}
 												onclick={() => toggleChatCommands(bot.id, chat)}>
@@ -478,6 +519,10 @@
 											<a href="/command-trackers" class="font-medium text-[var(--color-primary)] hover:underline">{trk.name}</a>
 										</div>
 										<button
 											type="button"
 											role="switch"
 											aria-checked={trk.enabled}
 											aria-label={trk.enabled ? t('notificationTracker.pause') : t('notificationTracker.resume')}
 											style="width:28px; height:16px; border-radius:8px; position:relative; transition:background-color 0.2s; background-color:{trk.enabled ? 'var(--color-primary)' : 'var(--color-border)'};"
 											title={trk.enabled ? t('notificationTracker.pause') : t('notificationTracker.resume')}
 											onclick={() => toggleListenerEnabled(bot.id, trk)}>
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t } from '$lib/i18n';
 	import { commandConfigsCache, commandTemplateConfigsCache, capabilitiesCache } from '$lib/stores/caches.svelte';
@@ -22,6 +22,7 @@
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import { getDescriptor } from '$lib/providers';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { CommandConfig } from '$lib/types';
 	function templateName(id: number | null): string {
@@ -104,10 +105,46 @@
 				commandTemplateConfigsCache.fetch(),
 				capabilitiesCache.fetch(),
 			]);
-		} catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		} catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
 		finally { loaded = true; highlightFromUrl(); }
 	}
 	function commandConfigTiles(cfg: CommandConfig): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push({
 			icon: 'mdiServer',
 			label: cfg.provider_type,
 			tone: 'lavender',
 			mono: true,
 		});
 		const cmdCount = (cfg.enabled_commands || []).length;
 		tiles.push({
 			icon: 'mdiSlashForward',
 			value: String(cmdCount),
 			label: t('commandConfig.commands'),
 			tone: cmdCount > 0 ? 'mint' : 'coral',
 		});
 		tiles.push({
 			icon: cfg.response_mode === 'media' ? 'mdiImageOutline' : 'mdiTextBoxOutline',
 			label: cfg.response_mode === 'media' ? t('commandConfig.modeMedia') : t('commandConfig.modeText'),
 			tone: 'sky',
 		});
 		tiles.push({
 			icon: 'mdiNumeric',
 			value: String(cfg.default_count),
 			label: t('commandConfig.defaultCount'),
 			tone: 'citrus',
 		});
 		if (cfg.command_template_config_id) {
 			tiles.push({
 				icon: 'mdiCodeBracesBox',
 				label: templateName(cfg.command_template_config_id),
 				tone: 'orchid',
 			});
 		}
 		return tiles;
 	}
 	function openNew() {
 		form = defaultForm();
 		// Auto-select first provider type with commands
@@ -177,7 +214,7 @@
 				snackSuccess(t('snack.commandConfigSaved'));
 			}
 			form = defaultForm(); nameManuallyEdited = false; showForm = false; editing = null; await load();
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		finally { submitting = false; }
 	}
@@ -190,10 +227,10 @@
 					await api(`/command-configs/${cfg.id}`, { method: 'DELETE' });
 					await load();
 					snackSuccess(t('snack.commandConfigDeleted'));
-				} catch (err: any) {
+				} catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					snackError(err.message);
+					snackError(errMsg(err));
 				}
 				finally { confirmDelete = null; }
 			}
@@ -316,22 +353,20 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each configs as cfg}
 			<Card hover entityId={cfg.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={cfg.icon || 'mdiConsoleLine'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={cfg.icon || 'mdiConsoleLine'} size={20} /></span>
-							<p class="font-medium">{cfg.name}</p>
+							<p class="font-medium truncate">{cfg.name}</p>
-							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] font-mono">{cfg.provider_type}</span>
+							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] font-mono shrink-0">{cfg.provider_type}</span>
 							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-success-bg)] text-[var(--color-success-fg)] font-mono">
 								{(cfg.enabled_commands || []).length} {t('commandConfig.commands')}
 							</span>
 						</div>
-						<div class="flex items-center gap-2 mt-0.5">
+						<div class="flex items-center gap-2 mt-0.5 list-row__secondary">
 							<span class="text-xs text-[var(--color-muted-foreground)]">
-								{t('commandConfig.responseMode')}: {cfg.response_mode === 'media' ? t('commandConfig.modeMedia') : t('commandConfig.modeText')}
+								{(cfg.enabled_commands || []).length} {t('commandConfig.commands')}
 								&middot; {t('commandConfig.responseMode')}: {cfg.response_mode === 'media' ? t('commandConfig.modeMedia') : t('commandConfig.modeText')}
 								&middot; {t('commandConfig.defaultCount')}: {cfg.default_count}
 							</span>
 							{#if cfg.command_template_config_id}
@@ -339,7 +374,8 @@
 							{/if}
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={commandConfigTiles(cfg)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => editConfig(cfg)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => remove(cfg)} variant="danger" />
 					</div>
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t } from '$lib/i18n';
 	import { sanitizePreview } from '$lib/sanitize';
@@ -27,6 +27,7 @@
 	import { highlightFromUrl } from '$lib/highlight';
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import { getDescriptor } from '$lib/providers';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	interface CmdTemplateConfig {
 		id: number;
@@ -212,8 +213,8 @@
 			allCmdTplConfigs = cfgs;
 			allCapabilities = caps;
 			varsRef = vars;
-		} catch (err: any) {
+		} catch (err: unknown) {
-			error = err.message || t('common.loadError');
+			error = errMsg(err, t('common.loadError'));
 			snackError(error);
 		} finally {
 			loaded = true;
@@ -262,6 +263,44 @@
 		}
 	}
 	function cmdTemplateConfigTiles(config: CmdTemplateConfig): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push({
 			icon: 'mdiServer',
 			label: config.provider_type,
 			tone: 'lavender',
 			mono: true,
 		});
 		const slotCount = Object.keys(config.slots || {}).length;
 		tiles.push({
 			icon: 'mdiViewGridOutline',
 			value: String(slotCount),
 			label: t('templateConfig.slots'),
 			tone: slotCount > 0 ? 'sky' : 'default',
 		});
 		const locales = new Set<string>();
 		for (const s of Object.values(config.slots || {})) {
 			for (const loc of Object.keys(s || {})) locales.add(loc);
 		}
 		if (locales.size > 0) {
 			tiles.push({
 				icon: 'mdiTranslate',
 				value: String(locales.size),
 				label: locales.size === 1 ? t('locales.label') : t('locales.labelPlural'),
 				hint: [...locales].sort().join(', '),
 				tone: 'mint',
 			});
 		}
 		if (config.user_id === 0) {
 			tiles.push({
 				icon: 'mdiShieldStarOutline',
 				label: t('common.system'),
 				tone: 'orchid',
 			});
 		}
 		return tiles;
 	}
 	function openNew() {
 		form = defaultForm();
 		const typesWithCmdSlots = providerTypes.filter(t => (allCapabilities[t]?.command_slots?.length || 0) > 0);
@@ -315,9 +354,10 @@
 			editing = null;
 			await load();
 			snackSuccess(t('snack.cmdTemplateSaved'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			error = err.message;
+			const m = errMsg(err);
-			snackError(err.message);
+			error = m;
 			snackError(m);
 		}
 	}
@@ -368,8 +408,8 @@
 				refreshAllPreviews();
 			}
 			snackSuccess(t('templateConfig.resetApplied'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		}
 	}
@@ -405,11 +445,12 @@
 					await api(`/command-template-configs/${id}`, { method: 'DELETE' });
 					await load();
 					snackSuccess(t('snack.cmdTemplateDeleted'));
-				} catch (err: any) {
+				} catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message;
+					const m = errMsg(err);
-					snackError(err.message);
+					error = m;
 					snackError(m);
 				} finally {
 					confirmDelete = null;
 				}
@@ -548,7 +589,7 @@
 								{#if slotErrorTypes[slot.name] === 'undefined'}
 									<p class="mt-1 text-xs" style="color: var(--color-warning-fg);">⚠ {t('common.undefinedVar')}: {slotErrors[slot.name]}</p>
 								{:else}
-									<p class="mt-1 text-xs" style="color: var(--color-error-fg);">✕ {t('common.syntaxError')}: {slotErrors[slot.name]}{slotErrorLines[slot.name] ? ` (${t('common.line')} ${slotErrorLines[slot.name]})` : ''}</p>
+									<p class="mt-1 text-xs" style="color: var(--color-error-fg);">РІСљвЂў {t('common.syntaxError')}: {slotErrors[slot.name]}{slotErrorLines[slot.name] ? ` (${t('common.line')} ${slotErrorLines[slot.name]})` : ''}</p>
 								{/if}
 							{/if}
 						</CollapsibleSlot>
@@ -587,25 +628,25 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each configs as config}
 			<Card hover entityId={config.id}>
-				<div class="flex items-start justify-between">
+				<div class="list-row">
-					<div class="flex-1">
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={config.icon || 'mdiConsoleLine'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={config.icon || 'mdiConsoleLine'} size={20} /></span>
-							<p class="font-medium">{config.name}</p>
+							<p class="font-medium truncate">{config.name}</p>
-							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{config.provider_type}</span>
+							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{config.provider_type}</span>
 							{#if config.user_id === 0}
-								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{t('common.system')}</span>
+								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{t('common.system')}</span>
 							{/if}
 							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{Object.keys(config.slots).length} {t('templateConfig.slots')}</span>
 						</div>
 						{#if config.description}
-							<p class="text-sm text-[var(--color-muted-foreground)] mt-1">{config.description}</p>
+							<p class="text-sm text-[var(--color-muted-foreground)] mt-1 list-row__secondary">{config.description}</p>
 						{/if}
 					</div>
-					<div class="flex items-center gap-1 ml-4">
+					<MetaStrip tiles={cmdTemplateConfigTiles(config)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiContentCopy" title={t('common.clone')} onclick={() => clone(config)} />
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(config)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => remove(config.id)} variant="danger" />
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { topbarAction } from '$lib/stores/topbar-action.svelte';
 	import { t } from '$lib/i18n';
 	import { providersCache, telegramBotsCache, commandConfigsCache } from '$lib/stores/caches.svelte';
@@ -21,6 +21,7 @@
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import { providerDefaultIcon } from '$lib/grid-items';
 	import Button from '$lib/components/Button.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import type { ServiceProvider, TelegramBot } from '$lib/types';
 	let allCmdTrackers = $state<any[]>([]);
@@ -106,7 +107,7 @@
 				providersCache.fetch(), commandConfigsCache.fetch(),
 				telegramBotsCache.fetch(),
 			]);
-		} catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		} catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
 		finally { loaded = true; highlightFromUrl(); }
 	}
@@ -167,7 +168,7 @@
 				snackSuccess(t('snack.commandTrackerCreated'));
 			}
 			form = defaultForm(); nameManuallyEdited = false; showForm = false; editing = null; await load();
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		finally { submitting = false; }
 	}
@@ -179,7 +180,7 @@
 					await api(`/command-trackers/${trk.id}`, { method: 'DELETE' });
 					await load();
 					snackSuccess(t('snack.commandTrackerDeleted'));
-				} catch (err: any) { snackError(err.message); }
+				} catch (err: unknown) { snackError(errMsg(err)); }
 				finally { confirmDelete = null; }
 			}
 		};
@@ -192,7 +193,7 @@
 			await api(`/command-trackers/${trk.id}/${endpoint}`, { method: 'POST' });
 			snackSuccess(trk.enabled ? t('snack.commandTrackerDisabled') : t('snack.commandTrackerEnabled'));
 			await load();
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		toggling = { ...toggling, [trk.id]: false };
 	}
@@ -225,7 +226,7 @@
 			snackSuccess(t('snack.listenerAdded'));
 			await loadListeners(trkId);
 			newListenerBotId = { ...newListenerBotId, [trkId]: 0 };
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		addingListener = { ...addingListener, [trkId]: false };
 	}
@@ -234,7 +235,7 @@
 			await api(`/command-trackers/${trkId}/listeners/${listenerId}`, { method: 'DELETE' });
 			snackSuccess(t('snack.listenerRemoved'));
 			await loadListeners(trkId);
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	// Per-listener album scope editing
@@ -263,7 +264,7 @@
 			snackSuccess(t('snack.listenerScopeSaved'));
 			await loadListeners(scopeEditor.trkId);
 			scopeEditor = null;
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	function providerName(id: number): string {
@@ -272,6 +273,32 @@
 	function configName(id: number): string {
 		return commandConfigs.find(c => c.id === id)?.name || '?';
 	}
 	function commandTrackerTiles(trk: any): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push(trk.enabled
 			? { icon: 'mdiCheckCircle', label: t('commandTracker.enabled'), tone: 'mint' }
 			: { icon: 'mdiCloseCircle', label: t('commandTracker.disabled'), tone: 'coral' });
 		tiles.push({
 			icon: 'mdiServer',
 			label: providerName(trk.provider_id),
 			tone: 'lavender',
 		});
 		tiles.push({
 			icon: 'mdiCog',
 			label: configName(trk.command_config_id),
 			tone: 'sky',
 		});
 		if (trk.listener_count !== undefined) {
 			tiles.push({
 				icon: 'mdiAccountMultipleOutline',
 				value: String(trk.listener_count),
 				label: t('commandTracker.listeners').toLowerCase(),
 				tone: trk.listener_count > 0 ? 'orchid' : 'default',
 			});
 		}
 		return tiles;
 	}
 </script>
 <PageHeader
@@ -341,34 +368,37 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each trackers as trk}
 			<Card hover entityId={trk.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={trk.icon || 'mdiConsoleLine'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={trk.icon || 'mdiConsoleLine'} size={20} /></span>
-							<p class="font-medium">{trk.name}</p>
+							<p class="font-medium truncate">{trk.name}</p>
-							<CrossLink href="/providers" icon="mdiServer" label={providerName(trk.provider_id)} entityId={trk.provider_id} />
+							<span class="text-xs px-1.5 py-0.5 rounded font-mono shrink-0 {trk.enabled
 							<CrossLink href="/command-configs" icon="mdiCog" label={configName(trk.command_config_id)} entityId={trk.command_config_id} />
 							<span class="text-xs px-1.5 py-0.5 rounded font-mono {trk.enabled
 								? 'bg-[var(--color-success-bg)] text-[var(--color-success-fg)]'
 								: 'bg-[var(--color-error-bg)] text-[var(--color-error-fg)]'}">
 								{trk.enabled ? t('commandTracker.enabled') : t('commandTracker.disabled')}
 							</span>
 						</div>
-						{#if trk.listener_count !== undefined}
+						<div class="list-row__secondary mt-0.5 flex items-center gap-2 flex-wrap">
-							<p class="text-xs text-[var(--color-muted-foreground)] mt-0.5">
+							<CrossLink href="/providers" icon="mdiServer" label={providerName(trk.provider_id)} entityId={trk.provider_id} />
-								{trk.listener_count} {t('commandTracker.listeners').toLowerCase()}
+							<CrossLink href="/command-configs" icon="mdiCog" label={configName(trk.command_config_id)} entityId={trk.command_config_id} />
-							</p>
+							{#if trk.listener_count !== undefined}
-						{/if}
+								<span class="text-xs text-[var(--color-muted-foreground)]">
 									{trk.listener_count} {t('commandTracker.listeners').toLowerCase()}
 								</span>
 							{/if}
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={commandTrackerTiles(trk)} />
 					<div class="list-row__actions flex-wrap justify-end">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => editTracker(trk)} />
 						<IconButton icon={trk.enabled ? 'mdiPause' : 'mdiPlay'} title={trk.enabled ? t('notificationTracker.pause') : t('notificationTracker.resume')} onclick={() => toggleEnabled(trk)} disabled={toggling[trk.id]} />
 						<button onclick={() => toggleListeners(trk.id)}
 							class="text-xs text-[var(--color-muted-foreground)] hover:underline px-2 py-1">
-							{t('commandTracker.listeners')} {expandedTracker === trk.id ? '▲' : '▼'}
+							{t('commandTracker.listeners')} {expandedTracker === trk.id ? 'в–І' : 'в–ј'}
 						</button>
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => remove(trk)} variant="danger" />
 					</div>
@@ -443,7 +473,7 @@
 							onclick={() => { if (scopeEditor) scopeEditor.selectedIds = scopeEditor.collections.map((c: any) => c.id); }}>
 							{t('backup.selectAll')}
 						</button>
-						<span aria-hidden="true">·</span>
+						<span aria-hidden="true">В·</span>
 						<button type="button" class="underline hover:text-[var(--color-primary)]"
 							onclick={() => { if (scopeEditor) scopeEditor.selectedIds = []; }}>
 							{t('backup.deselectAll')}
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
 	import { onMount } from 'svelte';
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { login } from '$lib/auth.svelte';
 	import { t, getLocale, setLocale } from '$lib/i18n';
 	import { initTheme, getTheme, setTheme, type Theme } from '$lib/theme.svelte';
@@ -37,7 +37,7 @@
 			const res = await api<{ needs_setup: boolean }>('/auth/needs-setup');
 			if (res.needs_setup) goto('/setup');
 		} catch {
-			// The backend is unreachable — surface that distinctly so the user
+			// The backend is unreachable вЂ” surface that distinctly so the user
 			// doesn't blame the login form for a network/backend problem.
 			backendDown = true;
 		}
@@ -50,8 +50,8 @@
 		try {
 			await login(username, password);
 			window.location.href = '/';
-		} catch (err: any) {
+		} catch (err: unknown) {
-			error = err.message || t('auth.loginFailed');
+			error = errMsg(err, t('auth.loginFailed'));
 		}
 		submitting = false;
 	}
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
-	import { api, parseDate } from '$lib/api';
+	import { api, parseDate , errMsg} from '$lib/api';
 	import { topbarAction } from '$lib/stores/topbar-action.svelte';
 	import { t, getLocale } from '$lib/i18n';
 	import { providersCache, targetsCache, trackingConfigsCache, templateConfigsCache, capabilitiesCache } from '$lib/stores/caches.svelte';
@@ -22,6 +22,7 @@
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import type { Tracker, TrackerTarget, TrackingConfig, TemplateConfig, NotificationTarget } from '$lib/types';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import TrackerForm from './TrackerForm.svelte';
 	import LinkedTargetsSection from './LinkedTargetsSection.svelte';
 	import SharedLinkModal from './SharedLinkModal.svelte';
@@ -165,8 +166,8 @@
 				trackingConfigsCache.fetch(), templateConfigsCache.fetch(),
 				capabilitiesCache.fetch(),
 			]);
-		} catch (err: any) {
+		} catch (err: unknown) {
-			loadError = err.message || t('common.loadFailed');
+			loadError = errMsg(err, t('common.loadFailed'));
 			snackError(loadError);
 		} finally { loaded = true; highlightFromUrl(); }
 	}
@@ -288,7 +289,7 @@
 				snackSuccess(t('snack.trackerCreated'));
 			}
 			showForm = false; editing = null; linkWarning = null; await load();
-		} catch (err: any) { error = err.message; snackError(err.message); } finally { submitting = false; }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); } finally { submitting = false; }
 	}
 	async function autoCreateLinks() {
@@ -300,8 +301,8 @@
 				try {
 					await api(`/providers/${linkWarning.providerId}/albums/${album.id}/shared-links`, { method: 'POST' });
 					created++;
-				} catch (err: any) {
+				} catch (err: unknown) {
-					snackError(`Failed to create link for "${album.name}": ${err.message}`);
+					snackError(`Failed to create link for "${album.name}": ${errMsg(err)}`);
 				}
 			}
 		}
@@ -323,7 +324,7 @@
 			await api(`/notification-trackers/${tracker.id}`, { method: 'PUT', body: JSON.stringify({ enabled: !tracker.enabled }) });
 			await load();
 			snackSuccess(tracker.enabled ? t('snack.trackerPaused') : t('snack.trackerResumed'));
-		} catch (err: any) { snackError(err.message); } finally { toggling = { ...toggling, [tracker.id]: false }; }
+		} catch (err: unknown) { snackError(errMsg(err)); } finally { toggling = { ...toggling, [tracker.id]: false }; }
 	}
 	function startDelete(tracker: Tracker) { confirmDelete = tracker; }
@@ -334,7 +335,7 @@
 			await api(`/notification-trackers/${confirmDelete.id}`, { method: 'DELETE' });
 			await load();
 			snackSuccess(t('snack.trackerDeleted'));
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		confirmDelete = null;
 	}
@@ -374,6 +375,54 @@
 		return desc?.collectionMeta ? t(desc.collectionMeta.countLabel) : t('notificationTracker.collections_count');
 	}
 	/**
 	 * Meta tiles for a tracker row. Visible on lg+ in the dead middle space
 	 * between identity and actions. Mirrors the secondary text shown on narrow
 	 * screens, but as live tiles users can scan at a glance.
 	 */
 	function trackerTiles(tracker: Tracker): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		const trkDesc = getDescriptor(getProviderType(tracker));
 		// Status — armed/paused with color tone
 		tiles.push(tracker.enabled
 			? { icon: 'mdiPulse', label: t('notificationTracker.armed'), tone: 'mint' }
 			: { icon: 'mdiPauseCircleOutline', label: t('notificationTracker.paused'), tone: 'citrus' });
 		// Provider
 		tiles.push({
 			icon: 'mdiServer',
 			label: getProviderName(tracker.provider_id),
 			tone: 'lavender',
 		});
 		// Collections — count + label (varies per provider descriptor)
 		const collCount = (tracker.collection_ids || []).length;
 		if (collCount > 0 || !trkDesc?.webhookBased) {
 			tiles.push({
 				icon: 'mdiFolderMultipleOutline',
 				value: String(collCount),
 				label: getCollectionLabel(tracker),
 				tone: 'sky',
 			});
 		}
 		// Scan interval — only meaningful for polling trackers
 		if (!trkDesc?.webhookBased) {
 			tiles.push({
 				icon: 'mdiTimerOutline',
 				value: `${tracker.scan_interval}s`,
 				label: t('notificationTracker.every').trim(),
 				tone: 'orchid',
 			});
 		}
 		// Linked targets
 		const tgtCount = (tracker.tracker_targets || []).length;
 		tiles.push({
 			icon: 'mdiTarget',
 			value: String(tgtCount),
 			label: t('notificationTracker.linkedTargets'),
 			tone: tgtCount > 0 ? 'mint' : 'coral',
 		});
 		return tiles;
 	}
 	function configsForTracker(tracker: Tracker, configs: (TrackingConfig | TemplateConfig)[]): (TrackingConfig | TemplateConfig)[] {
 		const pt = getProviderType(tracker);
 		return pt ? configs.filter((c) => c.provider_type === pt) : configs;
@@ -402,7 +451,7 @@
 			newLinkTemplateConfigId[trackerId] = 0;
 			await load();
 			snackSuccess(t('snack.targetLinked'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		addingTarget = { ...addingTarget, [trackerId]: false };
 	}
@@ -411,7 +460,7 @@
 			await api(`/notification-trackers/${trackerId}/targets/${ttId}`, { method: 'DELETE' });
 			await load();
 			snackSuccess(t('snack.targetUnlinked'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function updateTargetLink(trackerId: number, tt: TrackerTarget, field: string, value: string | number | boolean | null) {
@@ -421,7 +470,7 @@
 				body: JSON.stringify({ [field]: value }),
 			});
 			await load();
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function testTrackerTarget(trackerId: number, ttId: number, testType: string) {
@@ -443,8 +492,8 @@
 			} else {
 				snackSuccess(t('snack.targetTestSent'));
 			}
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			ttTesting = { ...ttTesting, [key]: '' };
 		}
@@ -528,27 +577,30 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else if !showForm}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each notificationTrackers as tracker (tracker.id)}
 			{@const trkDesc = getDescriptor(getProviderType(tracker))}
 			<Card hover entityId={tracker.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={tracker.icon || 'mdiRadar'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={tracker.icon || 'mdiRadar'} size={20} /></span>
-							<p class="font-medium">{tracker.name}</p>
+							<p class="font-medium truncate">{tracker.name}</p>
-							<span class="text-xs px-1.5 py-0.5 rounded {tracker.enabled ? 'bg-[var(--color-success-bg)] text-[var(--color-success-fg)]' : 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
+							<span class="text-xs px-1.5 py-0.5 rounded shrink-0 {tracker.enabled ? 'bg-[var(--color-success-bg)] text-[var(--color-success-fg)]' : 'bg-[var(--color-muted)] text-[var(--color-muted-foreground)]'}">
 								{tracker.enabled ? t('notificationTracker.active') : t('notificationTracker.paused')}
 							</span>
 						<CrossLink href="/providers" icon="mdiServer" label={getProviderName(tracker.provider_id)} entityId={tracker.provider_id} />
 						</div>
-						<p class="text-sm text-[var(--color-muted-foreground)]">
+						<div class="list-row__secondary mt-0.5">
-							{(tracker.collection_ids || []).length} {getCollectionLabel(tracker)} ·
+							<CrossLink href="/providers" icon="mdiServer" label={getProviderName(tracker.provider_id)} entityId={tracker.provider_id} />
-							{#if !trkDesc?.webhookBased}{t('notificationTracker.every')} {tracker.scan_interval}s ·{/if}
+							<p class="text-sm text-[var(--color-muted-foreground)]">
-							{(tracker.tracker_targets || []).length} {t('notificationTracker.linkedTargets')}
+								{(tracker.collection_ids || []).length} {getCollectionLabel(tracker)} ·
-						</p>
+								{#if !trkDesc?.webhookBased}{t('notificationTracker.every')} {tracker.scan_interval}s ·{/if}
 								{(tracker.tracker_targets || []).length} {t('notificationTracker.linkedTargets')}
 							</p>
 						</div>
 					</div>
-					<div class="flex items-center gap-1 flex-wrap justify-end">
+					<MetaStrip tiles={trackerTiles(tracker)} />
 					<div class="list-row__actions flex-wrap justify-end">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(tracker)} />
 						<IconButton icon={tracker.enabled ? 'mdiPause' : 'mdiPlay'} title={tracker.enabled ? t('notificationTracker.pause') : t('notificationTracker.resume')} onclick={() => toggle(tracker)} disabled={toggling[tracker.id]} />
 						<button onclick={() => toggleExpand(tracker.id)}
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { t } from '$lib/i18n';
-	import { api } from '$lib/api';
+	import { api , errMsg} from '$lib/api';
 	import { snackError, snackSuccess } from '$lib/stores/snackbar.svelte';
 	import Modal from '$lib/components/Modal.svelte';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
@@ -23,7 +23,7 @@
 	let replacing = $state<Record<string, boolean>>({});
 	/**
-	 * Expired and password-protected links can't be repaired in place — the
+	 * Expired and password-protected links can't be repaired in place вЂ” the
 	 * Immich API has no "reset" endpoint. The only remedy is to recreate the
 	 * link (which the backend does by POSTing a new one and returning it).
 	 * We surface the action per-row so users don't have to leave the form.
@@ -39,8 +39,8 @@
 			snackSuccess(t('notificationTracker.createdLinks').replace('{count}', '1'));
 			const remaining = linkWarning.albums.filter(a => a.id !== album.id);
 			if (onupdate) onupdate(remaining);
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(t('notificationTracker.linkReplaceFailed').replace('{name}', album.name) + ': ' + err.message);
+			snackError(t('notificationTracker.linkReplaceFailed').replace('{name}', album.name) + ': ' + errMsg(err));
 		} finally {
 			replacing = { ...replacing, [album.id]: false };
 		}
@@ -7,6 +7,7 @@
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import EntitySelect from '$lib/components/EntitySelect.svelte';
 	import MultiEntitySelect from '$lib/components/MultiEntitySelect.svelte';
 	import TagInput from '$lib/components/TagInput.svelte';
 	import { getDescriptor } from '$lib/providers';
 	interface Props {
@@ -58,9 +59,36 @@
 	}: Props = $props();
 	let descriptor = $derived(getDescriptor(providerType));
 	let isScheduler = $derived(providerType === 'scheduler');
 	let isWebhook = $derived(descriptor?.webhookBased ?? false);
 	let colMeta = $derived(descriptor?.collectionMeta);
 	// Providers without a collection (currently just the scheduler) drive the
 	// scheduler-specific form layout. Reading from the descriptor keeps the
 	// branch out of the component and lets a future provider opt in by
 	// declaring `collectionMeta: null`.
 	let isScheduler = $derived(colMeta == null);
 	let isWebhook = $derived(descriptor?.webhookBased ?? false);
 	/**
 	 * Resolve `{tracking_config_id}` / `{template_config_id}` placeholders in a
 	 * descriptor-declared CTA href. When the corresponding form field is unset
 	 * (value 0), strip the entire `?edit=...` query so the link still goes to
 	 * the list page. Centralising this here avoids per-provider href logic
 	 * leaking back into the template.
 	 */
 	function resolveHintHref(href: string): string {
 		const tcId = form.default_tracking_config_id;
 		const tplId = form.default_template_config_id;
 		if (href.includes('{tracking_config_id}')) {
 			return tcId
 				? href.replace('{tracking_config_id}', String(tcId))
 				: href.split('?')[0];
 		}
 		if (href.includes('{template_config_id}')) {
 			return tplId
 				? href.replace('{template_config_id}', String(tplId))
 				: href.split('?')[0];
 		}
 		return href;
 	}
 	// Custom variable management for scheduler
 	function addVariable() {
@@ -123,14 +151,24 @@
 		{#if descriptor?.userFilters && descriptor.userFilters.length > 0}
 			{@const userItems = users.map(u => ({ value: u.id, label: u.name }))}
 			{#each descriptor.userFilters as uf (uf.key)}
 				{@const filterKey = uf.filterKey ?? uf.key}
 				<div>
 					<div class="block text-sm font-medium mb-1">{t(uf.label)}</div>
-					<MultiEntitySelect
+					{#if uf.inputMode === 'tags'}
-						items={userItems.map(i => ({ ...i, icon: uf.icon }))}
+						<TagInput
-						values={form.filters[uf.key] || []}
+							values={form.filters[filterKey] || []}
-						onchange={(vals) => form.filters = { ...form.filters, [uf.key]: vals }}
+							onchange={(vals) => form.filters = { ...form.filters, [filterKey]: vals }}
-						placeholder={t(uf.placeholder)}
+							placeholder={t(uf.placeholder)}
-					/>
+							icon={uf.icon}
 						/>
 					{:else}
 						<MultiEntitySelect
 							items={userItems.map(i => ({ ...i, icon: uf.icon }))}
 							values={form.filters[filterKey] || []}
 							onchange={(vals) => form.filters = { ...form.filters, [filterKey]: vals }}
 							placeholder={t(uf.placeholder)}
 						/>
 					{/if}
 				</div>
 			{/each}
 		{/if}
@@ -220,29 +258,27 @@
 		{/if}
 		<!-- Feature discovery: the periodic/scheduled/memory/quiet-hours controls
-		     live on the tracking config, not on the tracker itself. Surface this
+		     live on the tracking config, not on the tracker itself. The hint
-		     here so users don't have to stumble onto the feature by reading docs. -->
+		     content (message + CTAs) is declared on the provider descriptor so
-		{#if providerType === 'immich'}
+		     each provider can surface its own discoverability links without
 		     embedding `if (type === 'xyz')` here. -->
 		{#if descriptor?.featureDiscoveryHint}
 		{@const hint = descriptor.featureDiscoveryHint}
 		<div class="flex items-start gap-2 rounded-md border border-[var(--color-border)] bg-[var(--color-muted)]/30 px-3 py-2">
 			<span style="color: var(--color-primary);"><MdiIcon name="mdiInformationOutline" size={16} /></span>
 			<div class="flex-1 text-xs">
-				<p style="color: var(--color-muted-foreground);">{t('notificationTracker.featureDiscovery')}</p>
+				<p style="color: var(--color-muted-foreground);">{t(hint.messageKey)}</p>
-				<div class="flex flex-wrap gap-x-4 gap-y-1 mt-1">
+				{#if hint.ctas && hint.ctas.length > 0}
-					<a href={form.default_tracking_config_id
+					<div class="flex flex-wrap gap-x-4 gap-y-1 mt-1">
-						? `/tracking-configs?edit=${form.default_tracking_config_id}`
+						{#each hint.ctas as cta}
-						: '/tracking-configs'}
+							<a href={resolveHintHref(cta.href)}
-						class="inline-flex items-center gap-1 text-[var(--color-primary)] hover:underline">
+								class="inline-flex items-center gap-1 text-[var(--color-primary)] hover:underline">
-						<MdiIcon name="mdiArrowRight" size={12} />
+								<MdiIcon name={cta.icon ?? 'mdiArrowRight'} size={12} />
-						{t('notificationTracker.openTrackingConfig')}
+								{t(cta.labelKey)}
-					</a>
+							</a>
-					<a href={form.default_template_config_id
+						{/each}
-						? `/template-configs?edit=${form.default_template_config_id}`
+					</div>
-						: '/template-configs'}
+				{/if}
 						class="inline-flex items-center gap-1 text-[var(--color-primary)] hover:underline">
 						<MdiIcon name="mdiArrowRight" size={12} />
 						{t('notificationTracker.openTemplateConfig')}
 					</a>
 				</div>
 			</div>
 		</div>
 		{/if}
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import { t } from '$lib/i18n';
 	import { providersCache, externalUrlCache } from '$lib/stores/caches.svelte';
 	import PageHeader from '$lib/components/PageHeader.svelte';
@@ -25,6 +25,7 @@
 	import { highlightFromUrl } from '$lib/highlight';
 	import { getDescriptor, buildProviderFormDefaults } from '$lib/providers';
 	import Button from '$lib/components/Button.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import WebhookPayloadHistory from './WebhookPayloadHistory.svelte';
 	import type { ServiceProvider } from '$lib/types';
@@ -52,6 +53,67 @@
 		return externalUrl ? `${externalUrl}${path}` : path;
 	}
 	/**
 	 * Build meta tiles for a provider row. Filled into the dead middle space
 	 * on wide displays; on narrow screens the secondary text line takes over.
 	 */
 	function providerTiles(provider: ServiceProvider): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		const h = health[provider.id];
 		const provDesc = getDescriptor(provider.type);
 		// Status — first tile, color-coded
 		if (h === true) {
 			tiles.push({ icon: 'mdiCheckCircle', label: t('providers.online'), tone: 'mint' });
 		} else if (h === false) {
 			tiles.push({ icon: 'mdiCloseCircle', label: t('providers.offline'), tone: 'coral' });
 		} else {
 			tiles.push({ icon: 'mdiTimerSand', label: t('providers.checking'), tone: 'citrus' });
 		}
 		// Type / connection address
 		const cfg = provider.config as Record<string, any> | undefined;
 		if (cfg?.url) {
 			tiles.push({
 				icon: 'mdiLinkVariant',
 				label: shortenUrl(cfg.url),
 				hint: cfg.url,
 				href: cfg.url,
 				tone: 'sky',
 				mono: true,
 			});
 		} else if (cfg?.host) {
 			tiles.push({
 				icon: 'mdiServer',
 				label: `${cfg.host}:${cfg.port || 3493}`,
 				tone: 'sky',
 				mono: true,
 			});
 		}
 		// Webhook URL (copy to clipboard)
 		if (provDesc?.webhookUrlPattern) {
 			const webhookUrl = buildWebhookUrl(provDesc.webhookUrlPattern, provider.webhook_token);
 			tiles.push({
 				icon: 'mdiContentCopy',
 				label: t('providers.webhookUrl'),
 				hint: webhookUrl,
 				tone: 'orchid',
 				onclick: (e) => copyWebhookUrl(e, webhookUrl),
 			});
 		}
 		return tiles;
 	}
 	/** Trim the visible URL so it fits a meta tile; keep host + first path segment. */
 	function shortenUrl(url: string): string {
 		try {
 			const u = new URL(url);
 			const segments = u.pathname.split('/').filter(Boolean);
 			const tail = segments.length ? `/${segments[0]}${segments.length > 1 ? '/…' : ''}` : '';
 			return `${u.host}${tail}`;
 		} catch {
 			return url.length > 32 ? `${url.slice(0, 30)}…` : url;
 		}
 	}
 	function copyWebhookUrl(e: Event, url: string) {
 		e.preventDefault();
 		e.stopPropagation();
@@ -107,8 +169,8 @@
 		try {
 			await providersCache.fetch(true);
 			loadError = '';
-		} catch (err: any) {
+		} catch (err: unknown) {
-			loadError = err.message || t('providers.loadError');
+			loadError = errMsg(err, t('providers.loadError'));
 		} finally { loaded = true; highlightFromUrl(); }
 		// Ping all providers in background (use unfiltered list)
 		for (const p of allProviders) {
@@ -175,7 +237,7 @@
 			}
 			showForm = false; editing = null; providersCache.invalidate(); await load();
 			snackSuccess(t('snack.providerSaved'));
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 		submitting = false;
 	}
@@ -186,10 +248,10 @@
 		const id = confirmDelete.id;
 		confirmDelete = null;
 		try { await api(`/providers/${id}`, { method: 'DELETE' }); providersCache.invalidate(); await load(); snackSuccess(t('snack.providerDeleted')); }
-		catch (err: any) {
+		catch (err: unknown) {
 			const bb = getBlockedBy(err);
 			if (bb) { blockedBy = bb; return; }
-			error = err.message; snackError(err.message);
+			const m = errMsg(err); error = m; snackError(m);
 		}
 	}
 </script>
@@ -222,7 +284,7 @@
 {/if}
 {#if showForm}
-	<div in:slide={{ duration: 200 }}>
+	<div in:slide={{ duration: 200 }} class="list-stack">
 	<Card class="mb-6">
 		<ErrorBanner message={error} />
 		<form onsubmit={save} class="space-y-3">
@@ -259,6 +321,11 @@
 					<input id="prv-{field.key}" type="number" bind:value={form[field.key]}
 						min={field.min} max={field.max}
 						class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 				{:else if field.type === 'toggle'}
 					<label class="toggle-switch">
 						<input id="prv-{field.key}" type="checkbox" bind:checked={form[field.key]} />
 						<span class="toggle-track"></span>
 					</label>
 				{:else}
 					<input id="prv-{field.key}" type={field.type} bind:value={form[field.key]}
 						required={field.required === true || (field.required === 'create-only' && !editing)}
@@ -292,9 +359,11 @@
 {/if}
 {#if !showForm && allProviders.length > 0}
-<div class="flex items-center gap-2 mb-3">
+<div class="list-stack mb-3">
-	<input type="text" bind:value={filterText} placeholder={t('common.filterByName')}
+	<div class="flex items-center gap-2">
-		class="flex-1 px-3 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+		<input type="text" bind:value={filterText} placeholder={t('common.filterByName')}
 			class="flex-1 px-3 py-1.5 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 	</div>
 </div>
 {/if}
@@ -307,37 +376,43 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each providers as provider}
 			{@const provDesc = getDescriptor(provider.type)}
 			<Card hover entityId={provider.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div class="flex items-center gap-3">
+					<div class="list-row__identity">
-						<div class="health-dot {health[provider.id] === true ? 'online' : health[provider.id] === false ? 'offline' : 'checking'}"></div>
+						<div class="flex items-center gap-3">
-						<span style="color: var(--color-primary);"><MdiIcon name={providerDefaultIcon(provider)} size={20} /></span>
+							<div class="health-dot {health[provider.id] === true ? 'online' : health[provider.id] === false ? 'offline' : 'checking'}"></div>
-						<div>
+							<span style="color: var(--color-primary);"><MdiIcon name={providerDefaultIcon(provider)} size={20} /></span>
-							<div class="flex items-center gap-2">
+							<div class="min-w-0">
-								<p class="font-medium">{provider.name}</p>
+								<div class="flex items-center gap-2 min-w-0">
-								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{provider.type}</span>
+									<p class="font-medium truncate">{provider.name}</p>
 									<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{provider.type}</span>
 								</div>
 								<!-- Narrow-screen secondary line (hidden on lg+ where MetaStrip takes over) -->
 								<div class="list-row__secondary">
 									{#if provider.config?.url}
 										<a href={provider.config.url} target="_blank" rel="noopener" class="text-xs text-[var(--color-muted-foreground)] font-mono hover:text-[var(--color-primary)] hover:underline break-all">{provider.config.url}</a>
 									{:else if provider.config?.host}
 										<p class="text-xs text-[var(--color-muted-foreground)] font-mono">{provider.config.host}:{provider.config.port || 3493}</p>
 									{/if}
 									{#if provDesc?.webhookUrlPattern}
 										{@const webhookUrl = buildWebhookUrl(provDesc.webhookUrlPattern, provider.webhook_token)}
 										<p class="text-xs text-[var(--color-muted-foreground)] font-mono mt-0.5">
 											{t('providers.webhookUrl')}:
 											<button type="button"
 												onclick={(e) => copyWebhookUrl(e, webhookUrl)}
 												title={t('providers.webhookUrlCopyTitle')}
 												class="hover:text-[var(--color-primary)] cursor-pointer break-all text-left">{webhookUrl}</button>
 										</p>
 									{/if}
 								</div>
 							</div>
 							{#if provider.config?.url}
 								<a href={provider.config.url} target="_blank" rel="noopener" class="text-xs text-[var(--color-muted-foreground)] font-mono hover:text-[var(--color-primary)] hover:underline">{provider.config.url}</a>
 							{:else if provider.config?.host}
 								<p class="text-xs text-[var(--color-muted-foreground)] font-mono">{provider.config.host}:{provider.config.port || 3493}</p>
 							{/if}
 							{#if provDesc?.webhookUrlPattern}
 								{@const webhookUrl = buildWebhookUrl(provDesc.webhookUrlPattern, provider.webhook_token)}
 								<p class="text-xs text-[var(--color-muted-foreground)] font-mono mt-0.5">
 									{t('providers.webhookUrl')}:
 									<button type="button"
 										onclick={(e) => copyWebhookUrl(e, webhookUrl)}
 										title={t('providers.webhookUrlCopyTitle')}
 										class="hover:text-[var(--color-primary)] cursor-pointer break-all text-left">{webhookUrl}</button>
 								</p>
 							{/if}
 						</div>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={providerTiles(provider)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(provider)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => startDelete(provider)} variant="danger" />
 					</div>
@@ -107,6 +107,11 @@
 				{:else if field.type === 'number'}
 					<input id="prv-{field.key}" type="number" bind:value={form[field.key]} min={field.min} max={field.max}
 						class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 				{:else if field.type === 'toggle'}
 					<label class="toggle-switch">
 						<input id="prv-{field.key}" type="checkbox" bind:checked={form[field.key]} />
 						<span class="toggle-track"></span>
 					</label>
 				{:else}
 					<input id="prv-{field.key}" type={field.type} bind:value={form[field.key]}
 						required={field.required === true || field.required === 'create-only'}
@@ -6,13 +6,15 @@
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
-	import { externalUrlCache } from '$lib/stores/caches.svelte';
+	import { externalUrlCache, releaseStatusCache } from '$lib/stores/caches.svelte';
 	import SettingsHero from './SettingsHero.svelte';
 	import IdentityCassette from './IdentityCassette.svelte';
 	import TelegramCassette from './TelegramCassette.svelte';
 	import ReleaseCassette from './ReleaseCassette.svelte';
 	import CacheLedger from './CacheLedger.svelte';
 	import LoggingCassette from './LoggingCassette.svelte';
 	import DiagnosticsCassette from './DiagnosticsCassette.svelte';
 	import SaveBar from './SaveBar.svelte';
 	interface CacheBucketStats {
@@ -36,6 +38,11 @@
 		log_level: string;
 		log_format: string;
 		log_levels: string;
 		release_provider_kind: string;
 		release_provider_url: string;
 		release_provider_repo: string;
 		release_include_prereleases: string;
 		release_check_interval_hours: string;
 	}
 	const EMPTY: Settings = {
@@ -48,6 +55,11 @@
 		log_level: 'INFO',
 		log_format: 'text',
 		log_levels: '',
 		release_provider_kind: 'gitea',
 		release_provider_url: 'https://git.dolgolyov-family.by',
 		release_provider_repo: 'alexei.dolgolyov/notify-bridge',
 		release_include_prereleases: '0',
 		release_check_interval_hours: '12',
 	};
 	let loaded = $state(false);
@@ -86,6 +98,8 @@
 			settings = { ...EMPTY, ...fetched };
 			baseline = { ...settings };
 			await loadCacheStats();
 			// Warm the release status so the cassette renders the strip on first paint.
 			await releaseStatusCache.fetch();
 		} catch (err: unknown) {
 			const msg = err instanceof Error ? err.message : 'Failed to load settings';
 			error = msg;
@@ -108,6 +122,12 @@
 			settings = { ...EMPTY, ...next };
 			baseline = { ...settings };
 			externalUrlCache.invalidate();
 			// Release config may have changed → drop the cached status and
 			// refetch so the sidebar badge + cassette strip reflect the
 			// freshly-rescheduled probe without waiting for the next route
 			// change to trigger another read.
 			releaseStatusCache.invalidate();
 			void releaseStatusCache.fetch(true);
 			snackSuccess(t('settings.saved'));
 		} catch (err: unknown) {
 			const msg = err instanceof Error ? err.message : 'Save failed';
@@ -171,11 +191,21 @@
 			/>
 		</div>
 		<ReleaseCassette
 			bind:providerKind={settings.release_provider_kind}
 			bind:providerUrl={settings.release_provider_url}
 			bind:providerRepo={settings.release_provider_repo}
 			bind:includePrereleases={settings.release_include_prereleases}
 			bind:checkIntervalHours={settings.release_check_interval_hours}
 		/>
 		<LoggingCassette
 			bind:logLevel={settings.log_level}
 			bind:logFormat={settings.log_format}
 			bind:logLevels={settings.log_levels}
 		/>
 		<DiagnosticsCassette />
 	</div>
 	<SaveBar
@@ -2,6 +2,7 @@
 	import { t } from '$lib/i18n';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import Hint from '$lib/components/Hint.svelte';
 	type Tone = 'mint' | 'sky' | 'citrus' | 'coral';
@@ -104,6 +105,7 @@
 				{#if totalBytes > 0}
 					<span class="ledger-sep">·</span>
 					<span class="ledger-bytes font-mono">{formatBytes(totalBytes)}</span>
 					<Hint text={t('settings.cacheStatsHint')} />
 				{/if}
 			</div>
 		</div>
@@ -0,0 +1,424 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
 	import { slide } from 'svelte/transition';
 	import { api } from '$lib/api';
 	import { t } from '$lib/i18n';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import IconButton from '$lib/components/IconButton.svelte';
 	import IconGridSelect from '$lib/components/IconGridSelect.svelte';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	interface ActiveOverride {
 		module: string;
 		baseline_level: string;
 		current_level: string;
 		activated_at: string;
 		expires_at: string;
 		remaining_seconds: number;
 	}
 	// Modules ship with shortcuts; users can also type a freeform name
 	// matching the backend allowlist (notify_bridge_*, sqlalchemy.*, etc.).
 	// Icons let the IconGridSelect render each entry as a visual chip
 	// instead of a bare text list — same pattern as the surrounding
 	// log-level / log-format selectors.
 	const QUICK_MODULES: { value: string; icon: string; label: string; desc?: string }[] = [
 		{ value: 'notify_bridge_core.notifications.telegram.client', icon: 'mdiSend', label: 'Telegram client' },
 		{ value: 'notify_bridge_core.notifications.dispatcher', icon: 'mdiCallSplit', label: 'Dispatcher' },
 		{ value: 'notify_bridge_core.providers.immich', icon: 'mdiImageMultiple', label: 'Immich provider' },
 		{ value: 'notify_bridge_server.services.watcher', icon: 'mdiEyeOutline', label: 'Watcher' },
 		{ value: 'notify_bridge_server.services.deferred_dispatch', icon: 'mdiClockOutline', label: 'Deferred dispatch' },
 		{ value: 'notify_bridge_server.services.scheduled_dispatch', icon: 'mdiCalendarClock', label: 'Scheduled dispatch' },
 		{ value: 'sqlalchemy.engine', icon: 'mdiDatabase', label: 'SQLAlchemy engine (SQL)' },
 		{ value: 'aiohttp.client', icon: 'mdiWeb', label: 'aiohttp client' },
 	];
 	const DURATION_PRESETS: { minutes: number; label: string }[] = [
 		{ minutes: 5, label: '5m' },
 		{ minutes: 15, label: '15m' },
 		{ minutes: 30, label: '30m' },
 		{ minutes: 60, label: '1h' },
 		{ minutes: 120, label: '2h' },
 	];
 	let active = $state<ActiveOverride[]>([]);
 	let pickedModule = $state(QUICK_MODULES[0].value);
 	let customModule = $state('');
 	let pickedMinutes = $state(30);
 	let submitting = $state(false);
 	let tickHandle: ReturnType<typeof setInterval> | null = null;
 	// Resync from the backend every N seconds so a server-side auto-revert
 	// is reflected even if we missed a tick. Tracked as elapsed-time so the
 	// 1s ticker can drift without breaking the cadence.
 	const RESYNC_EVERY_SECONDS = 30;
 	let lastResyncAt = Date.now();
 	async function refresh(): Promise<void> {
 		try {
 			const data = await api<{ active: ActiveOverride[] }>(
 				'/settings/diagnostic-mode',
 				{ method: 'GET' },
 			);
 			active = data.active || [];
 		} catch (err: unknown) {
 			// Surface non-401 errors only; settings page already shows a banner
 			// when the API is unreachable.
 		}
 	}
 	function tick(): void {
 		// Cheap local countdown so the UI doesn't poll the server every second
 		// to render a clock. The full refresh happens every 30s OR on action.
 		if (active.length === 0) return;
 		const now = Date.now();
 		active = active
 			.map(a => ({
 				...a,
 				remaining_seconds: Math.max(
 					0,
 					Math.floor((new Date(a.expires_at).getTime() - now) / 1000),
 				),
 			}))
 			.filter(a => a.remaining_seconds > 0);
 	}
 	function startTicker(): void {
 		if (tickHandle != null) return;
 		tickHandle = setInterval(() => {
 			tick();
 			const now = Date.now();
 			if (now - lastResyncAt >= RESYNC_EVERY_SECONDS * 1000) {
 				lastResyncAt = now;
 				void refresh();
 			}
 		}, 1000);
 	}
 	function stopTicker(): void {
 		if (tickHandle != null) {
 			clearInterval(tickHandle);
 			tickHandle = null;
 		}
 	}
 	onMount(() => {
 		lastResyncAt = Date.now();
 		void refresh();
 		startTicker();
 	});
 	onDestroy(() => {
 		stopTicker();
 	});
 	function effectiveModule(): string {
 		return (customModule.trim() || pickedModule).trim();
 	}
 	async function activate(): Promise<void> {
 		const mod = effectiveModule();
 		if (!mod) {
 			snackError(t('settings.diagModuleRequired'));
 			return;
 		}
 		submitting = true;
 		try {
 			const entry = await api<ActiveOverride>('/settings/diagnostic-mode', {
 				method: 'POST',
 				body: JSON.stringify({ module: mod, duration_minutes: pickedMinutes }),
 			});
 			// Replace any existing row for this module with the new schedule.
 			active = [
 				...active.filter(a => a.module !== entry.module),
 				entry,
 			];
 			customModule = '';
 			snackSuccess(t('settings.diagActivated'));
 		} catch (err: unknown) {
 			const msg = err instanceof Error ? err.message : String(err);
 			snackError(msg || t('settings.diagActivateFailed'));
 		} finally {
 			submitting = false;
 		}
 	}
 	async function revert(module: string): Promise<void> {
 		try {
 			await api(`/settings/diagnostic-mode/${encodeURIComponent(module)}`, {
 				method: 'DELETE',
 			});
 			active = active.filter(a => a.module !== module);
 			snackSuccess(t('settings.diagReverted'));
 		} catch (err: unknown) {
 			const msg = err instanceof Error ? err.message : String(err);
 			snackError(msg || t('settings.diagRevertFailed'));
 		}
 	}
 	function formatRemaining(seconds: number): string {
 		if (seconds <= 0) return '0s';
 		const mins = Math.floor(seconds / 60);
 		const secs = seconds % 60;
 		if (mins >= 60) {
 			const hours = Math.floor(mins / 60);
 			const remMins = mins % 60;
 			return `${hours}h ${remMins}m`;
 		}
 		if (mins > 0) return `${mins}m ${secs}s`;
 		return `${secs}s`;
 	}
 </script>
 <section class="diag glass">
 	<header class="diag-head">
 		<div class="diag-eyebrow">
 			<MdiIcon name="mdiBugOutline" size={12} />
 			<span>{t('settings.diagnostics')}</span>
 		</div>
 		<h3 class="diag-title">{t('settings.diagnosticsHeadline')}</h3>
 		<p class="diag-sub">{t('settings.diagnosticsHint')}</p>
 	</header>
 	<!-- Compose new override -->
 	<div class="diag-compose">
 		<div class="diag-label">
 			<span>{t('settings.diagModuleQuick')}</span>
 			<IconGridSelect items={QUICK_MODULES} bind:value={pickedModule} columns={2} compact />
 		</div>
 		<label class="diag-label">
 			<span>{t('settings.diagModuleCustom')}</span>
 			<input
 				bind:value={customModule}
 				type="text"
 				autocomplete="off"
 				spellcheck="false"
 				placeholder={t('settings.diagModuleCustomPlaceholder')}
 				class="diag-input"
 			/>
 		</label>
 		<div class="diag-label">
 			<span>{t('settings.diagDuration')}</span>
 			<div class="diag-duration-chips">
 				{#each DURATION_PRESETS as preset (preset.minutes)}
 					<button
 						type="button"
 						class="diag-chip"
 						class:diag-chip-active={pickedMinutes === preset.minutes}
 						onclick={() => (pickedMinutes = preset.minutes)}
 					>
 						{preset.label}
 					</button>
 				{/each}
 			</div>
 		</div>
 		<button
 			type="button"
 			onclick={activate}
 			disabled={submitting}
 			class="diag-activate"
 		>
 			<MdiIcon name="mdiPlay" size={14} />
 			<span>{submitting ? t('common.loading') : t('settings.diagActivate')}</span>
 		</button>
 	</div>
 	<!-- Active overrides list -->
 	{#if active.length > 0}
 		<div class="diag-active" in:slide={{ duration: 180 }}>
 			<div class="diag-active-head">
 				<MdiIcon name="mdiTimerSandComplete" size={12} />
 				<span>{t('settings.diagActive')}</span>
 			</div>
 			{#each active as ov (ov.module)}
 				<div class="diag-row">
 					<div class="diag-row-info">
 						<code class="diag-row-module">{ov.module}</code>
 						<span class="diag-row-meta">
 							{t('settings.diagRevertsIn')} <strong>{formatRemaining(ov.remaining_seconds)}</strong>
 							<span class="diag-row-baseline">→ {ov.baseline_level}</span>
 						</span>
 					</div>
 					<IconButton
 						icon="mdiUndoVariant"
 						title={t('settings.diagRevertNow')}
 						onclick={() => revert(ov.module)}
 						size={16}
 					/>
 				</div>
 			{/each}
 		</div>
 	{/if}
 </section>
 <style>
 	.diag {
 		padding: 1.5rem 1.6rem 1.4rem;
 		display: flex;
 		flex-direction: column;
 		gap: 1.15rem;
 	}
 	.diag-head {
 		position: relative;
 		z-index: 1;
 	}
 	.diag-eyebrow {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.35rem;
 		font-family: var(--font-mono);
 		font-size: 0.62rem;
 		text-transform: uppercase;
 		letter-spacing: 0.18em;
 		color: var(--color-muted-foreground);
 		margin-bottom: 0.45rem;
 	}
 	.diag-title {
 		margin: 0;
 		font-family: var(--font-display);
 		font-style: italic;
 		font-weight: 400;
 		font-size: 1.15rem;
 		line-height: 1.35;
 		letter-spacing: -0.015em;
 		color: var(--color-foreground);
 		max-width: 38ch;
 	}
 	.diag-sub {
 		margin: 0.45rem 0 0 0;
 		font-size: 0.78rem;
 		color: var(--color-muted-foreground);
 		max-width: 56ch;
 	}
 	.diag-compose {
 		position: relative;
 		z-index: 1;
 		display: flex;
 		flex-direction: column;
 		gap: 0.7rem;
 		padding-top: 0.4rem;
 		border-top: 1px solid var(--color-border);
 	}
 	.diag-label {
 		display: flex;
 		flex-direction: column;
 		gap: 0.32rem;
 	}
 	.diag-label > span {
 		font-size: 0.74rem;
 		font-weight: 500;
 		color: var(--color-foreground);
 	}
 	.diag-input {
 		width: 100%;
 		font-family: var(--font-mono);
 		font-size: 0.78rem;
 		padding: 0.45rem 0.7rem;
 		border: 1px solid var(--color-border);
 		border-radius: 8px;
 		background: var(--color-glass);
 		color: var(--color-foreground);
 	}
 	.diag-duration-chips {
 		display: flex;
 		flex-wrap: wrap;
 		gap: 0.35rem;
 	}
 	.diag-chip {
 		padding: 0.32rem 0.75rem;
 		border-radius: 999px;
 		border: 1px solid var(--color-border);
 		background: transparent;
 		color: var(--color-muted-foreground);
 		font-family: var(--font-mono);
 		font-size: 0.72rem;
 		cursor: pointer;
 		transition: background 0.15s, color 0.15s, border-color 0.15s;
 	}
 	.diag-chip:hover {
 		background: var(--color-glass-strong);
 		color: var(--color-foreground);
 	}
 	.diag-chip-active {
 		background: color-mix(in srgb, var(--color-primary) 12%, transparent);
 		color: var(--color-primary);
 		border-color: color-mix(in srgb, var(--color-primary) 45%, var(--color-border));
 	}
 	.diag-activate {
 		display: inline-flex;
 		align-items: center;
 		justify-content: center;
 		gap: 0.4rem;
 		align-self: flex-start;
 		padding: 0.55rem 1.1rem;
 		border-radius: 10px;
 		border: 1px solid color-mix(in srgb, var(--color-primary) 45%, var(--color-border));
 		background: color-mix(in srgb, var(--color-primary) 12%, transparent);
 		color: var(--color-primary);
 		font-family: var(--font-display);
 		font-style: italic;
 		font-size: 0.85rem;
 		cursor: pointer;
 		transition: background 0.15s, color 0.15s, border-color 0.15s;
 	}
 	.diag-activate:hover {
 		background: color-mix(in srgb, var(--color-primary) 18%, transparent);
 		border-color: color-mix(in srgb, var(--color-primary) 65%, var(--color-border));
 	}
 	.diag-activate:disabled {
 		opacity: 0.5;
 		cursor: not-allowed;
 	}
 	.diag-active {
 		display: flex;
 		flex-direction: column;
 		gap: 0.4rem;
 		padding-top: 0.55rem;
 		border-top: 1px solid var(--color-border);
 	}
 	.diag-active-head {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.3rem;
 		font-family: var(--font-mono);
 		font-size: 0.58rem;
 		text-transform: uppercase;
 		letter-spacing: 0.18em;
 		color: var(--color-muted-foreground);
 	}
 	.diag-row {
 		display: flex;
 		align-items: center;
 		justify-content: space-between;
 		gap: 0.6rem;
 		padding: 0.5rem 0.65rem;
 		border-radius: 10px;
 		border: 1px solid var(--color-border);
 		background: var(--color-glass-strong);
 	}
 	.diag-row-info {
 		display: flex;
 		flex-direction: column;
 		gap: 0.2rem;
 		min-width: 0;
 	}
 	.diag-row-module {
 		font-family: var(--font-mono);
 		font-size: 0.78rem;
 		color: var(--color-foreground);
 		word-break: break-all;
 	}
 	.diag-row-meta {
 		font-size: 0.72rem;
 		color: var(--color-muted-foreground);
 	}
 	.diag-row-baseline {
 		font-family: var(--font-mono);
 		font-size: 0.7rem;
 		margin-left: 0.4rem;
 		opacity: 0.7;
 	}
 </style>
@@ -0,0 +1,698 @@
 <script lang="ts">
 	import { t } from '$lib/i18n';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
 	import Hint from '$lib/components/Hint.svelte';
 	import { api } from '$lib/api';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	import { releaseStatusCache } from '$lib/stores/caches.svelte';
 	import type { ReleaseProviderKind, ReleaseStatus, ReleaseTestResult } from '$lib/types';
 	interface Props {
 		// All five fields are persisted as strings via the /settings PUT —
 		// the parent owns the boundary type. Bool flags use "0" / "1".
 		providerKind: string;
 		providerUrl: string;
 		providerRepo: string;
 		includePrereleases: string;
 		checkIntervalHours: string;
 	}
 	let {
 		providerKind = $bindable(),
 		providerUrl = $bindable(),
 		providerRepo = $bindable(),
 		includePrereleases = $bindable(),
 		checkIntervalHours = $bindable(),
 	}: Props = $props();
 	let checking = $state(false);
 	let testing = $state(false);
 	let testResult = $state<ReleaseTestResult | null>(null);
 	const status = $derived(releaseStatusCache.value);
 	const prereleaseChecked = $derived(includePrereleases === '1');
 	const isDisabled = $derived(providerKind === 'disabled');
 	// Stale Test-result on input change is misleading — wipe whenever any of
 	// the probed parameters change so the strip reflects "current" state.
 	$effect(() => {
 		// Touch each parameter to register dependency.
 		void providerKind; void providerUrl; void providerRepo; void prereleaseChecked;
 		testResult = null;
 	});
 	type Tone = 'mint' | 'citrus' | 'coral' | 'sky';
 	const stateTone: Tone = $derived.by(() => {
 		if (!status) return 'sky';
 		if (status.error && status.error !== 'disabled' && status.error !== 'provider_changed') return 'coral';
 		if (status.update_available) return 'citrus';
 		if (status.provider === 'disabled') return 'sky';
 		return 'mint';
 	});
 	const stateLabel = $derived.by(() => {
 		if (!status) return t('settings.release.statusUnknown');
 		if (status.provider === 'disabled') return t('settings.release.statusDisabled');
 		if (status.error && status.error !== 'provider_changed') return t('settings.release.statusError');
 		if (status.update_available) return t('settings.release.statusUpdate');
 		if (status.latest) return t('settings.release.statusUpToDate');
 		return t('settings.release.statusUnknown');
 	});
 	// Map backend error taxonomy → localized text. Falls back to the raw code
 	// only when the key is missing (so a new server code surfaces something).
 	function localizedError(code: string | null): string {
 		if (!code) return '';
 		const key = `settings.release.error.${code}`;
 		const localized = t(key);
 		// `t` falls back to the key itself when missing — detect by exact match.
 		return localized === key ? code : localized;
 	}
 	function relTime(iso: string | null): string {
 		if (!iso) return t('settings.release.never');
 		const then = Date.parse(iso);
 		if (!Number.isFinite(then)) return t('settings.release.never');
 		const diff = Date.now() - then;
 		const min = Math.round(diff / 60_000);
 		if (min < 1) return t('settings.release.justNow');
 		if (min < 60) return t('settings.release.minutesAgo').replace('{n}', String(min));
 		const h = Math.round(min / 60);
 		if (h < 24) return t('settings.release.hoursAgo').replace('{n}', String(h));
 		const d = Math.round(h / 24);
 		return t('settings.release.daysAgo').replace('{n}', String(d));
 	}
 	function setProvider(kind: ReleaseProviderKind): void {
 		providerKind = kind;
 	}
 	function onIntervalInput(e: Event): void {
 		// The native input emits string values; we keep the contract by
 		// re-coercing to string before assigning to the bindable prop.
 		const raw = (e.currentTarget as HTMLInputElement).value;
 		checkIntervalHours = raw === '' ? '' : String(Math.max(1, Math.min(168, Number(raw))));
 	}
 	async function checkNow(): Promise<void> {
 		checking = true;
 		try {
 			const next = await api<ReleaseStatus>('/settings/release/check', { method: 'POST' });
 			releaseStatusCache.set(next);
 			snackSuccess(t('settings.release.checkDone'));
 		} catch (err: unknown) {
 			snackError(err instanceof Error ? err.message : t('settings.release.checkFailed'));
 		} finally {
 			checking = false;
 		}
 	}
 	async function testProvider(): Promise<void> {
 		testing = true;
 		testResult = null;
 		try {
 			testResult = await api<ReleaseTestResult>('/settings/release/test', {
 				method: 'POST',
 				body: JSON.stringify({
 					provider_kind: providerKind,
 					provider_url: providerUrl,
 					provider_repo: providerRepo,
 					include_prereleases: prereleaseChecked,
 				}),
 			});
 			if (testResult.ok) snackSuccess(t('settings.release.testOk'));
 			else snackError(t('settings.release.testFailed'));
 		} catch (err: unknown) {
 			snackError(err instanceof Error ? err.message : t('settings.release.testFailed'));
 		} finally {
 			testing = false;
 		}
 	}
 </script>
 <section class="rel glass" id="release">
 	<header class="rel-head">
 		<div class="rel-eyebrow">
 			<MdiIcon name="mdiUpdate" size={12} />
 			<span>{t('settings.release.eyebrow')}</span>
 		</div>
 		<h3 class="rel-title">{t('settings.release.headline')}</h3>
 	</header>
 	<div class="rel-body">
 		<!-- 01 Provider — native radios for free keyboard a11y. -->
 		<div class="row">
 			<div class="row-label">
 				<span class="row-num">01</span>
 				<span class="row-name">
 					{t('settings.release.provider')}
 					<Hint text={t('settings.release.providerHint')} />
 				</span>
 			</div>
 			<div class="row-control">
 				<div class="seg" role="radiogroup" aria-label={t('settings.release.provider')}>
 					<label class="seg-item" class:seg-active={providerKind === 'gitea'}>
 						<input
 							type="radio"
 							name="release-provider"
 							value="gitea"
 							checked={providerKind === 'gitea'}
 							onchange={() => setProvider('gitea')}
 							class="seg-radio"
 						/>
 						<span class="seg-content"><MdiIcon name="mdiGit" size={13} /> Gitea</span>
 					</label>
 					<label class="seg-item seg-soon" title={t('settings.release.comingSoon')}>
 						<input
 							type="radio"
 							name="release-provider"
 							value="github"
 							disabled
 							class="seg-radio"
 						/>
 						<span class="seg-content"><MdiIcon name="mdiGithub" size={13} /> GitHub</span>
 					</label>
 					<label class="seg-item" class:seg-active={providerKind === 'disabled'}>
 						<input
 							type="radio"
 							name="release-provider"
 							value="disabled"
 							checked={providerKind === 'disabled'}
 							onchange={() => setProvider('disabled')}
 							class="seg-radio"
 						/>
 						<span class="seg-content"><MdiIcon name="mdiPowerSettings" size={13} /> {t('settings.release.disabled')}</span>
 					</label>
 				</div>
 			</div>
 		</div>
 		<!-- 02 Repository -->
 		<div class="row" class:row-dim={isDisabled}>
 			<div class="row-label">
 				<span class="row-num">02</span>
 				<span class="row-name">
 					{t('settings.release.repository')}
 					<Hint text={t('settings.release.repositoryHint')} />
 				</span>
 			</div>
 			<div class="row-control repo-grid">
 				<input
 					bind:value={providerUrl}
 					placeholder="https://git.example.com"
 					class="text-input"
 					type="url"
 					spellcheck="false"
 					disabled={isDisabled}
 				/>
 				<input
 					bind:value={providerRepo}
 					placeholder="owner/repo"
 					class="text-input mono"
 					spellcheck="false"
 					disabled={isDisabled}
 				/>
 			</div>
 		</div>
 		<!-- 03 Options — slider toggle for include-prereleases. -->
 		<div class="row" class:row-dim={isDisabled}>
 			<div class="row-label">
 				<span class="row-num">03</span>
 				<span class="row-name">
 					{t('settings.release.options')}
 					<Hint text={t('settings.release.prereleasesHint')} />
 				</span>
 			</div>
 			<div class="row-control">
 				<button
 					type="button"
 					class="toggle"
 					class:toggle-disabled={isDisabled}
 					onclick={() => { if (!isDisabled) includePrereleases = prereleaseChecked ? '0' : '1'; }}
 					aria-pressed={prereleaseChecked}
 					disabled={isDisabled}
 				>
 					<span class="toggle-track" class:toggle-on={prereleaseChecked} aria-hidden="true">
 						<span class="toggle-thumb"></span>
 					</span>
 					<span class="toggle-label-text">{t('settings.release.includePrereleases')}</span>
 				</button>
 			</div>
 		</div>
 		<!-- 04 Check interval -->
 		<div class="row" class:row-dim={isDisabled}>
 			<div class="row-label">
 				<span class="row-num">04</span>
 				<span class="row-name">
 					{t('settings.release.interval')}
 					<Hint text={t('settings.release.intervalHint')} />
 				</span>
 			</div>
 			<div class="row-control interval">
 				<input
 					type="number"
 					min={1}
 					max={168}
 					value={checkIntervalHours}
 					oninput={onIntervalInput}
 					class="text-input num"
 					disabled={isDisabled}
 				/>
 				<span class="unit">{t('settings.release.hoursUnit')}</span>
 				<span class="footnote">{t('settings.release.intervalRange')}</span>
 			</div>
 		</div>
 	</div>
 	<!-- State strip -->
 	<footer class="strip" data-tone={stateTone}>
 		<div class="strip-left">
 			<span class="dot" data-tone={stateTone} aria-hidden="true"></span>
 			<div class="strip-text">
 				<div class="strip-state">{stateLabel}</div>
 				<div class="strip-meta">
 					<span class="versions">
 						<span class="v-current">v{status?.current ?? '—'}</span>
 						{#if status?.latest && status.latest !== status.current}
 							<span class="arrow" aria-hidden="true">→</span>
 							<span
 								class="v-latest"
 								class:v-latest-update={status.update_available}
 							>v{status.latest}{#if status.latest_prerelease} · pre{/if}</span>
 						{/if}
 					</span>
 					<span class="sep" aria-hidden="true">·</span>
 					<span class="checked">
 						{t('settings.release.lastChecked')}: <span class="rel-time">{relTime(status?.checked_at ?? null)}</span>
 					</span>
 				</div>
 				{#if status?.error && status.error !== 'disabled' && status.error !== 'provider_changed'}
 					<div class="strip-error">
 						<MdiIcon name="mdiAlertCircleOutline" size={12} /> {localizedError(status.error)}
 					</div>
 				{/if}
 				{#if testResult && !testResult.ok}
 					<div class="strip-error">
 						<MdiIcon name="mdiAlertCircleOutline" size={12} /> {t('settings.release.testFailed')}:
 						{localizedError(testResult.error)}
 					</div>
 				{/if}
 				{#if testResult && testResult.ok && testResult.info}
 					<div class="strip-test-ok">
 						<MdiIcon name="mdiCheckCircleOutline" size={12} /> {t('settings.release.testFound')}:
 						<span class="mono">v{testResult.info.version}</span>
 					</div>
 				{/if}
 			</div>
 		</div>
 		<div class="strip-actions">
 			{#if status?.update_available && status.latest_url}
 				<a
 					class="strip-btn strip-btn-cta"
 					href={status.latest_url}
 					target="_blank"
 					rel="noopener noreferrer"
 				>
 					<MdiIcon name="mdiOpenInNew" size={13} />
 					<span>{t('settings.release.viewRelease').replace('{v}', status.latest ?? '')}</span>
 				</a>
 			{/if}
 			<button
 				type="button"
 				class="strip-btn"
 				onclick={testProvider}
 				disabled={testing || isDisabled || !providerRepo}
 			>
 				<MdiIcon name={testing ? 'mdiLoading' : 'mdiCheckNetworkOutline'} size={13} />
 				<span>{t('settings.release.testConnection')}</span>
 			</button>
 			<button
 				type="button"
 				class="strip-btn strip-btn-primary"
 				onclick={checkNow}
 				disabled={checking || isDisabled}
 			>
 				<MdiIcon name={checking ? 'mdiLoading' : 'mdiRefresh'} size={13} />
 				<span>{t('settings.release.checkNow')}</span>
 			</button>
 		</div>
 	</footer>
 </section>
 <style>
 	.rel {
 		padding: 1.5rem 1.6rem 0;
 		display: flex;
 		flex-direction: column;
 		gap: 1.2rem;
 		overflow: hidden;
 	}
 	.rel-head { position: relative; z-index: 1; }
 	.rel-eyebrow {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.35rem;
 		font-family: var(--font-mono);
 		font-size: 0.62rem;
 		text-transform: uppercase;
 		letter-spacing: 0.18em;
 		color: var(--color-muted-foreground);
 		margin-bottom: 0.45rem;
 	}
 	.rel-title {
 		margin: 0;
 		font-family: var(--font-display);
 		font-weight: 400;
 		font-style: italic;
 		font-size: 1.25rem;
 		line-height: 1.3;
 		letter-spacing: -0.015em;
 		color: var(--color-foreground);
 		max-width: 42ch;
 	}
 	.rel-body {
 		position: relative;
 		z-index: 1;
 		display: flex;
 		flex-direction: column;
 	}
 	.row {
 		display: grid;
 		grid-template-columns: 11rem 1fr;
 		gap: 1.4rem;
 		padding: 1rem 0;
 		border-top: 1px solid var(--color-border);
 	}
 	.row:first-child { border-top: 0; padding-top: 0.4rem; }
 	.row-dim { opacity: 0.55; }
 	.row-label {
 		display: flex;
 		flex-direction: column;
 		gap: 0.3rem;
 		padding-top: 0.15rem;
 	}
 	.row-num {
 		font-family: var(--font-mono);
 		font-size: 0.62rem;
 		letter-spacing: 0.18em;
 		color: var(--color-muted-foreground);
 	}
 	.row-name {
 		font-size: 0.78rem;
 		font-weight: 500;
 		color: var(--color-foreground);
 		letter-spacing: -0.005em;
 		display: inline-flex;
 		align-items: center;
 	}
 	.row-control { min-width: 0; }
 	/* Segmented provider control — uses real radios so arrow-key + tab
 	   navigation just work via the browser. */
 	.seg {
 		display: inline-flex;
 		gap: 0.25rem;
 		padding: 0.25rem;
 		background: var(--color-glass-strong);
 		border: 1px solid var(--color-rule-strong);
 		border-radius: 0.6rem;
 	}
 	.seg-item {
 		display: inline-flex;
 		align-items: center;
 		border-radius: 0.45rem;
 		cursor: pointer;
 		position: relative;
 	}
 	.seg-radio {
 		position: absolute;
 		opacity: 0;
 		pointer-events: none;
 		inset: 0;
 	}
 	.seg-radio:focus-visible + .seg-content {
 		outline: 2px solid var(--color-primary);
 		outline-offset: 2px;
 	}
 	.seg-content {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.4rem;
 		padding: 0.4rem 0.7rem;
 		border-radius: 0.45rem;
 		font-size: 0.78rem;
 		color: var(--color-muted-foreground);
 		transition: background 0.18s, color 0.18s;
 	}
 	.seg-item:hover:not(.seg-soon) .seg-content {
 		color: var(--color-foreground);
 		background: var(--color-glass);
 	}
 	.seg-active .seg-content {
 		color: var(--color-foreground);
 		background: var(--color-input-bg);
 		box-shadow: 0 0 0 1px var(--color-primary);
 	}
 	.seg-soon { opacity: 0.45; cursor: not-allowed; }
 	/* Text fields */
 	.repo-grid {
 		display: grid;
 		grid-template-columns: minmax(14rem, 18rem) minmax(0, 1fr);
 		gap: 0.6rem;
 		max-width: 100%;
 	}
 	.text-input {
 		width: 100%;
 		padding: 0.55rem 0.75rem;
 		border: 1px solid var(--color-rule-strong);
 		border-radius: 0.6rem;
 		background: var(--color-input-bg);
 		font-family: var(--font-sans);
 		font-size: 0.82rem;
 		color: var(--color-foreground);
 		transition: border-color 0.18s, box-shadow 0.18s;
 	}
 	.text-input.mono { font-family: var(--font-mono); }
 	.text-input.num { max-width: 6rem; text-align: right; }
 	.text-input:focus {
 		outline: 0;
 		border-color: var(--color-primary);
 		box-shadow: 0 0 0 3px var(--color-glow);
 	}
 	.text-input:disabled { cursor: not-allowed; opacity: 0.55; }
 	/* Interval */
 	.interval { display: inline-flex; align-items: center; gap: 0.6rem; flex-wrap: wrap; }
 	.unit {
 		font-family: var(--font-mono);
 		font-size: 0.72rem;
 		color: var(--color-muted-foreground);
 		letter-spacing: 0.08em;
 		text-transform: uppercase;
 	}
 	.footnote {
 		font-size: 0.68rem;
 		color: var(--color-muted-foreground);
 		font-style: italic;
 	}
 	/* Slider toggle — mirrors the backup ScheduleCassette pattern. */
 	.toggle {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.7rem;
 		background: transparent;
 		border: 0;
 		padding: 0;
 		font: inherit;
 		color: var(--color-foreground);
 		cursor: pointer;
 	}
 	.toggle:focus-visible { outline: 2px solid var(--color-primary); outline-offset: 4px; border-radius: 4px; }
 	.toggle-track {
 		position: relative;
 		width: 40px;
 		height: 22px;
 		border-radius: 999px;
 		background: var(--color-glass-strong);
 		border: 1px solid var(--color-rule-strong);
 		flex-shrink: 0;
 		transition: background 0.2s, border-color 0.2s;
 	}
 	.toggle-thumb {
 		position: absolute;
 		top: 2px;
 		left: 2px;
 		width: 16px; height: 16px;
 		border-radius: 50%;
 		background: var(--color-muted-foreground);
 		transition: transform 0.2s, background 0.2s;
 	}
 	.toggle-on {
 		background: linear-gradient(135deg, color-mix(in srgb, var(--color-mint) 60%, transparent), color-mix(in srgb, var(--color-primary) 60%, transparent));
 		border-color: color-mix(in srgb, var(--color-mint) 60%, var(--color-rule-strong));
 	}
 	.toggle-on .toggle-thumb {
 		background: white;
 		transform: translateX(18px);
 	}
 	.toggle-label-text { font-size: 0.82rem; }
 	.toggle-disabled { opacity: 0.55; cursor: not-allowed; }
 	/* State strip */
 	.strip {
 		margin: 0 -1.6rem;
 		padding: 1rem 1.6rem;
 		border-top: 1px solid var(--color-border);
 		background:
 			linear-gradient(180deg,
 				color-mix(in srgb, var(--color-glass-strong) 60%, transparent),
 				transparent
 			);
 		display: flex;
 		align-items: flex-start;
 		justify-content: space-between;
 		gap: 1rem;
 		flex-wrap: wrap;
 		position: relative;
 	}
 	.strip[data-tone="citrus"]::before {
 		content: '';
 		position: absolute;
 		left: 0;
 		right: 0;
 		top: 0;
 		height: 1px;
 		background: linear-gradient(
 			90deg,
 			transparent 10%,
 			color-mix(in srgb, var(--color-citrus, #d4a73a) 70%, transparent) 50%,
 			transparent 90%
 		);
 		animation: aurora-shimmer 4s linear infinite;
 	}
 	.strip-left { display: flex; align-items: flex-start; gap: 0.7rem; min-width: 0; flex: 1 1 auto; }
 	.dot {
 		width: 0.55rem;
 		height: 0.55rem;
 		border-radius: 999px;
 		margin-top: 0.45rem;
 		flex-shrink: 0;
 	}
 	.dot[data-tone="mint"]    { background: var(--color-mint, #6fcfa6); box-shadow: 0 0 8px color-mix(in srgb, var(--color-mint, #6fcfa6) 60%, transparent); }
 	.dot[data-tone="citrus"]  { background: var(--color-citrus, #d4a73a); box-shadow: 0 0 10px color-mix(in srgb, var(--color-citrus, #d4a73a) 70%, transparent); }
 	.dot[data-tone="coral"]   { background: var(--color-coral, #d27a7a); box-shadow: 0 0 8px color-mix(in srgb, var(--color-coral, #d27a7a) 60%, transparent); }
 	.dot[data-tone="sky"]     { background: var(--color-muted-foreground); }
 	.strip-text { display: flex; flex-direction: column; gap: 0.25rem; min-width: 0; }
 	.strip-state {
 		font-family: var(--font-display);
 		font-style: italic;
 		font-size: 0.95rem;
 		letter-spacing: -0.01em;
 		color: var(--color-foreground);
 	}
 	.strip-meta {
 		display: inline-flex;
 		align-items: center;
 		flex-wrap: wrap;
 		gap: 0.4rem;
 		font-size: 0.74rem;
 		color: var(--color-muted-foreground);
 	}
 	.versions { display: inline-flex; align-items: center; gap: 0.35rem; }
 	.v-current { font-family: var(--font-mono); color: var(--color-foreground); }
 	.arrow { color: var(--color-muted-foreground); }
 	.v-latest { font-family: var(--font-mono); color: var(--color-foreground); }
 	.v-latest-update { color: var(--color-citrus, #d4a73a); font-weight: 600; }
 	.sep { opacity: 0.5; }
 	.rel-time { color: var(--color-foreground); }
 	.strip-error {
 		font-size: 0.72rem;
 		color: var(--color-coral, #d27a7a);
 		display: inline-flex;
 		align-items: center;
 		gap: 0.3rem;
 		margin-top: 0.15rem;
 	}
 	.strip-test-ok {
 		font-size: 0.72rem;
 		color: var(--color-mint, #6fcfa6);
 		display: inline-flex;
 		align-items: center;
 		gap: 0.3rem;
 		margin-top: 0.15rem;
 	}
 	.strip-actions { display: inline-flex; gap: 0.5rem; flex-shrink: 0; flex-wrap: wrap; }
 	.strip-btn {
 		display: inline-flex;
 		align-items: center;
 		gap: 0.4rem;
 		padding: 0.5rem 0.85rem;
 		border: 1px solid var(--color-rule-strong);
 		border-radius: 0.55rem;
 		background: var(--color-input-bg);
 		font-size: 0.76rem;
 		color: var(--color-foreground);
 		cursor: pointer;
 		text-decoration: none;
 		transition: background 0.18s, border-color 0.18s, transform 0.18s;
 	}
 	.strip-btn:hover:not(:disabled) {
 		background: var(--color-glass-strong);
 		border-color: var(--color-primary);
 	}
 	.strip-btn:active:not(:disabled) { transform: translateY(1px); }
 	.strip-btn:disabled { opacity: 0.5; cursor: not-allowed; }
 	.strip-btn-primary {
 		background: color-mix(in srgb, var(--color-primary) 12%, var(--color-input-bg));
 		border-color: color-mix(in srgb, var(--color-primary) 35%, var(--color-rule-strong));
 	}
 	/* The CTA — high-visibility when an update is available. */
 	.strip-btn-cta {
 		background: linear-gradient(135deg,
 			color-mix(in srgb, var(--color-citrus, #d4a73a) 26%, var(--color-input-bg)),
 			color-mix(in srgb, var(--color-citrus, #d4a73a) 14%, var(--color-input-bg))
 		);
 		border-color: color-mix(in srgb, var(--color-citrus, #d4a73a) 55%, var(--color-rule-strong));
 		color: var(--color-foreground);
 		font-weight: 500;
 		box-shadow: 0 0 12px color-mix(in srgb, var(--color-citrus, #d4a73a) 25%, transparent);
 	}
 	.strip-btn-cta:hover {
 		background: linear-gradient(135deg,
 			color-mix(in srgb, var(--color-citrus, #d4a73a) 40%, var(--color-input-bg)),
 			color-mix(in srgb, var(--color-citrus, #d4a73a) 22%, var(--color-input-bg))
 		);
 		border-color: color-mix(in srgb, var(--color-citrus, #d4a73a) 75%, var(--color-rule-strong));
 	}
 	.mono { font-family: var(--font-mono); }
 	@keyframes aurora-shimmer {
 		0% { transform: translateX(-100%); }
 		100% { transform: translateX(100%); }
 	}
 	@media (prefers-reduced-motion: reduce) {
 		.strip[data-tone="citrus"]::before { animation: none; }
 		.strip-btn { transition: none; }
 	}
 	@media (max-width: 720px) {
 		.row {
 			grid-template-columns: 1fr;
 			gap: 0.55rem;
 			padding: 0.95rem 0;
 		}
 		.row-label { padding-top: 0; }
 		.repo-grid { grid-template-columns: 1fr; }
 		.strip { flex-direction: column; align-items: stretch; }
 		.strip-actions { justify-content: stretch; }
 		.strip-btn { flex: 1; justify-content: center; }
 	}
 </style>
@@ -2,6 +2,7 @@
 	import { onMount, onDestroy } from 'svelte';
 	import { t } from '$lib/i18n';
 	import PageHeader, { type HeaderPill } from '$lib/components/PageHeader.svelte';
 	import { releaseStatusCache } from '$lib/stores/caches.svelte';
 	type Tone = 'mint' | 'sky' | 'orchid' | 'coral' | 'citrus' | 'primary';
@@ -81,6 +82,19 @@
 			tone: SEVERITY_TONE[lvl] ?? 'mint',
 		});
 		const rs = releaseStatusCache.value;
 		if (rs) {
 			if (rs.provider === 'disabled') {
 				out.push({ label: t('settings.release.statusDisabled'), tone: 'sky' });
 			} else if (rs.error && rs.error !== 'provider_changed') {
 				out.push({ label: t('settings.release.statusError'), tone: 'coral' });
 			} else if (rs.update_available && rs.latest) {
 				out.push({ label: `v${rs.latest} ${t('settings.release.heroAvailable')}`, tone: 'citrus' });
 			} else if (rs.latest) {
 				out.push({ label: t('settings.release.statusUpToDate'), tone: 'mint' });
 			}
 		}
 		return out;
 	});
 </script>
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
-	import { api, fetchAuth } from '$lib/api';
+	import { api, fetchAuth , errMsg} from '$lib/api';
 	import { t } from '$lib/i18n';
 	import Loading from '$lib/components/Loading.svelte';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
@@ -97,9 +97,10 @@
 			scheduledSettings = settings;
 			backupFiles = files;
 			pending = p;
-		} catch (err: any) {
+		} catch (err: unknown) {
-			error = err.message;
+			const m = errMsg(err);
-			snackError(err.message);
+			error = m;
 			snackError(m);
 		} finally {
 			loaded = true;
 		}
@@ -110,7 +111,7 @@
 			await api('/backup/pending-restore', { method: 'DELETE' });
 			snackSuccess(t('backup.pendingCancelled'));
 			pending = null;
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function applyAndRestart(): Promise<void> {
@@ -131,9 +132,9 @@
 				if (attempts < 120) setTimeout(poll, 1000);
 			};
 			setTimeout(poll, 1500);
-		} catch (err: any) {
+		} catch (err: unknown) {
 			restartingOverlay = false;
-			snackError(err.message);
+			snackError(errMsg(err));
 		}
 	}
@@ -144,8 +145,8 @@
 			await api(`/backup/files?secrets_mode=${mode}`, { method: 'POST' });
 			snackSuccess(t('backup.manualCreated'));
 			await refreshFiles();
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			creatingBackup = false;
 		}
@@ -178,8 +179,8 @@
 			a.click();
 			URL.revokeObjectURL(url);
 			snackSuccess(t('backup.exportSuccess'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			exporting = false;
 		}
@@ -202,8 +203,8 @@
 			formData.append('file', importFile);
 			const res = await fetchAuth('/backup/validate', { method: 'POST', body: formData });
 			validationResult = await res.json();
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			validating = false;
 		}
@@ -230,8 +231,8 @@
 			snackSuccess(t('backup.restorePrepared'));
 			postRestoreModalOpen = true;
 			importFile = null;
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			importing = false;
 		}
@@ -246,8 +247,8 @@
 				body: JSON.stringify(scheduledSettings),
 			});
 			snackSuccess(t('backup.scheduleSaved'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			savingSchedule = false;
 		}
@@ -258,8 +259,8 @@
 		loadingFiles = true;
 		try {
 			backupFiles = await api<BackupFile[]>('/backup/files');
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			loadingFiles = false;
 		}
@@ -275,8 +276,8 @@
 			a.download = filename;
 			a.click();
 			URL.revokeObjectURL(url);
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		}
 	}
@@ -286,8 +287,8 @@
 			snackSuccess(t('backup.fileDeleted'));
 			confirmDeleteFile = '';
 			await refreshFiles();
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		}
 	}
 </script>
@@ -2,6 +2,7 @@
 	import { goto } from '$app/navigation';
 	import { onMount } from 'svelte';
 	import { setup } from '$lib/auth.svelte';
 	import { errMsg } from '$lib/api';
 	import { t } from '$lib/i18n';
 	import { initTheme } from '$lib/theme.svelte';
 	import MdiIcon from '$lib/components/MdiIcon.svelte';
@@ -25,7 +26,7 @@
 		try {
 			await setup(username, password);
 			window.location.href = '/';
-		} catch (err: any) { error = err.message || t('auth.setupFailed'); }
+		} catch (err: unknown) { error = errMsg(err, t('auth.setupFailed')); }
 		submitting = false;
 	}
 </script>
@@ -3,7 +3,7 @@
 	import { SvelteSet } from 'svelte/reactivity';
 	import { slide } from 'svelte/transition';
 	import { page } from '$app/state';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t, getLocale } from '$lib/i18n';
 	import { targetsCache, telegramBotsCache, emailBotsCache, matrixBotsCache } from '$lib/stores/caches.svelte';
@@ -15,6 +15,7 @@
 	import EmptyState from '$lib/components/EmptyState.svelte';
 	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
 	import IconButton from '$lib/components/IconButton.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import { chatActionItems } from '$lib/grid-items';
 	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
 	import { highlightFromUrl } from '$lib/highlight';
@@ -25,7 +26,7 @@
 	import ReceiverSection from './ReceiverSection.svelte';
 	import BotGroupHeader from './BotGroupHeader.svelte';
-	// ── Helpers ──
+	// ──── Helpers ────
 	function getBotName(target: NotificationTarget): string | null {
 		if (target.type === 'telegram' && target.config?.bot_id) {
@@ -73,7 +74,7 @@
 		return recv.receiver_key || '?';
 	}
-	// ── Constants ──
+	// ──── Constants ────
 	const ALL_TYPES = ['telegram', 'webhook', 'email', 'discord', 'slack', 'ntfy', 'matrix', 'broadcast'] as const;
 	type TargetType = typeof ALL_TYPES[number];
@@ -94,7 +95,54 @@
 		label: tt.charAt(0).toUpperCase() + tt.slice(1),
 	})));
-	// ── Derived state ──
+	function targetTiles(target: NotificationTarget): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		// Type tile — useful when the "all types" filter is active and rows
 		// from multiple types appear side-by-side. The receivers count is
 		// already shown inside the `target-summary` button, so we don't repeat
 		// it as a tile.
 		tiles.push({
 			icon: TYPE_ICONS[target.type] || 'mdiTarget',
 			label: target.type,
 			tone: 'lavender',
 			mono: true,
 		});
 		const botName = getBotName(target);
 		if (botName) {
 			tiles.push({
 				icon: 'mdiRobot',
 				label: botName,
 				tone: 'sky',
 			});
 		}
 		// Telegram targets expose a chat label in config — surface it so the
 		// row reads "Telegram · @bot · Family chat" without expanding.
 		const cfg = (target.config || {}) as Record<string, any>;
 		if (target.type === 'telegram' && cfg.chat_id) {
 			tiles.push({
 				icon: 'mdiChat',
 				label: String(cfg.chat_id),
 				tone: 'orchid',
 				mono: true,
 			});
 		}
 		// Webhook target — show host
 		if (target.type === 'webhook' && cfg.url) {
 			let host = String(cfg.url);
 			try { host = new URL(host).host; } catch { /* keep raw */ }
 			tiles.push({
 				icon: 'mdiLinkVariant',
 				label: host,
 				hint: String(cfg.url),
 				href: String(cfg.url),
 				tone: 'orchid',
 				mono: true,
 			});
 		}
 		return tiles;
 	}
 	// ──── Derived state ────
 	let allTargets = $derived(targetsCache.items);
 	let activeType = $derived(page.url.searchParams.get('type') as TargetType | null);
@@ -110,7 +158,7 @@
 	const emailBotItems = $derived(emailBots.map(b => ({ value: b.id, label: b.name, icon: b.icon || 'mdiEmailOutline', desc: b.email })));
 	const matrixBotItems = $derived(matrixBots.map(b => ({ value: b.id, label: b.name, icon: b.icon || 'mdiMatrix', desc: b.display_name || b.homeserver_url })));
-	// ── Target form state ──
+	// ──── Target form state ────
 	let showForm = $state(false);
 	let editing = $state<number | null>(null);
@@ -118,7 +166,7 @@
 	const defaultForm = () => ({
 		name: '', icon: '', bot_id: 0, bot_token: '',
 		max_media_to_send: 50, max_media_per_group: 10, media_delay: 500, max_asset_size: 50,
-		disable_url_preview: true, send_large_photos_as_documents: false, ai_captions: false, chat_action: 'typing',
+		disable_url_preview: true, send_large_photos_as_documents: false, send_large_videos_as_documents: false, ai_captions: false, chat_action: 'typing',
 		// Discord/Slack shared settings
 		username: '',
 		// ntfy shared settings
@@ -156,7 +204,7 @@
 		formEl?.scrollIntoView({ behavior: 'smooth', block: 'start' });
 	}
-	// ── Receiver inline form state ──
+	// ──── Receiver inline form state ────
 	let addingReceiverForTarget = $state<number | null>(null);
 	let receiverForm = $state<Record<string, any>>({});
@@ -180,7 +228,7 @@
 		if (!expandedTargets.has(id)) expandedTargets.add(id);
 	}
-	// ── Effects ──
+	// ──── Effects ────
 	// Reset form when switching target type tabs
 	$effect(() => {
@@ -191,11 +239,11 @@
 		addingReceiverForTarget = null;
 	});
-	// ── Data loading ──
+	// ──── Data loading ────
 	onMount(load);
-	// ── Bot grouping ──
+	// ──── Bot grouping ────
 	type TargetGroup = {
 		key: string;
@@ -307,8 +355,8 @@
 				emailBotsCache.fetch(), matrixBotsCache.fetch(),
 			]);
 			loadError = '';
-		} catch (err: any) {
+		} catch (err: unknown) {
-			loadError = err.message || t('common.loadError');
+			loadError = errMsg(err, t('common.loadError'));
 			snackError(loadError);
 		} finally {
 			loaded = true;
@@ -334,7 +382,7 @@
 		} catch (e) { console.warn('Failed to discover bot chats:', e); }
 	}
-	// ── Target CRUD ──
+	// ──── Target CRUD ────
 	function openNew() {
 		form = defaultForm();
@@ -359,7 +407,7 @@
 			bot_id: c.bot_id || 0, bot_token: '',
 			max_media_to_send: c.max_media_to_send ?? 50, max_media_per_group: c.max_media_per_group ?? 10,
 			media_delay: c.media_delay ?? 500, max_asset_size: c.max_asset_size ?? 50,
-			disable_url_preview: c.disable_url_preview ?? false, send_large_photos_as_documents: c.send_large_photos_as_documents ?? false,
+			disable_url_preview: c.disable_url_preview ?? false, send_large_photos_as_documents: c.send_large_photos_as_documents ?? false, send_large_videos_as_documents: c.send_large_videos_as_documents ?? false,
 			ai_captions: c.ai_captions ?? false, chat_action: tgt.chat_action ?? c.chat_action ?? 'typing',
 			// discord/slack
 			username: c.username || '',
@@ -400,6 +448,7 @@
 					max_media_to_send: form.max_media_to_send, max_media_per_group: form.max_media_per_group,
 					media_delay: form.media_delay, max_asset_size: form.max_asset_size,
 					disable_url_preview: form.disable_url_preview, send_large_photos_as_documents: form.send_large_photos_as_documents,
 					send_large_videos_as_documents: form.send_large_videos_as_documents,
 					ai_captions: form.ai_captions,
 				};
 			} else if (formType === 'webhook') {
@@ -427,9 +476,10 @@
 			editing = null;
 			await load();
 			snackSuccess(t('snack.targetSaved'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			error = err.message;
+			const m = errMsg(err);
-			snackError(err.message);
+			error = m;
 			snackError(m);
 		} finally {
 			submitting = false;
 		}
@@ -440,7 +490,7 @@
 			const res = await api<{ success: boolean; error?: string }>(`/targets/${id}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.targetTestSent'));
 			else snackError(`Failed: ${res.error}`);
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	let blockedBy = $state<BlockedByDetail | null>(null);
@@ -449,15 +499,16 @@
 			await api(`/targets/${id}`, { method: 'DELETE' });
 			await load();
 			snackSuccess(t('snack.targetDeleted'));
-		} catch (err: any) {
+		} catch (err: unknown) {
 			const bb = getBlockedBy(err);
 			if (bb) { blockedBy = bb; return; }
-			error = err.message;
+			const m = errMsg(err);
-			snackError(err.message);
+			error = m;
 			snackError(m);
 		}
 	}
-	// ── Receiver CRUD ──
+	// ──── Receiver CRUD ────
 	async function openReceiverForm(targetId: number, targetType: string) {
 		// Force a remount of any picker palette when the same target is reopened
@@ -527,8 +578,8 @@
 			addingReceiverForTarget = null;
 			await load();
 			snackSuccess(t('targets.receiverAdded'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		} finally {
 			receiverSubmitting = false;
 		}
@@ -542,7 +593,7 @@
 			});
 			await load();
 			snackSuccess(receiver.enabled ? t('targets.receiverDisabled') : t('targets.receiverEnabled'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function removeReceiver(targetId: number, receiverId: number) {
@@ -550,7 +601,64 @@
 			await api(`/targets/${targetId}/receivers/${receiverId}`, { method: 'DELETE' });
 			await load();
 			snackSuccess(t('targets.receiverDeleted'));
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	// Per-Telegram-receiver options panel: silent send + forum thread id.
 	// Edits the receiver's config dict in place via PUT.
 	let editingReceiverId = $state<number | null>(null);
 	// ``<input type="number">`` binds either a ``number`` or empty string
 	// when the field is blank — model both so TS strict mode and the save
 	// path's ``Number(raw)`` coercion agree.
 	let editingReceiverOptions = $state<{ disable_notification: boolean; message_thread_id: number | '' }>({
 		disable_notification: false,
 		message_thread_id: '',
 	});
 	function openEditReceiver(_targetId: number, receiver: TargetReceiver) {
 		editingReceiverId = receiver.id;
 		// Empty string maps to "no thread" — the form's <input type=number>
 		// produces '' for an empty field, which we normalize to null on save.
 		const raw = receiver.config?.message_thread_id;
 		const parsed = raw == null || raw === '' ? '' : Number(raw);
 		editingReceiverOptions = {
 			disable_notification: Boolean(receiver.config?.disable_notification),
 			message_thread_id: typeof parsed === 'number' && Number.isFinite(parsed) ? parsed : '',
 		};
 	}
 	function cancelEditReceiver() {
 		editingReceiverId = null;
 	}
 	async function saveEditReceiver(targetId: number, receiverId: number) {
 		const target = allTargets.find(t => t.id === targetId);
 		const receiver = target?.receivers?.find(r => r.id === receiverId);
 		if (!receiver) return;
 		// Merge new options into the existing config so we don't lose the chat_id
 		// or any other receiver-specific keys (language_code on Telegram).
 		const newConfig: Record<string, any> = { ...receiver.config };
 		newConfig.disable_notification = editingReceiverOptions.disable_notification;
 		const raw = editingReceiverOptions.message_thread_id;
 		if (raw === '' || raw == null) {
 			delete newConfig.message_thread_id;
 		} else {
 			const parsed = Number(raw);
 			if (Number.isFinite(parsed) && parsed > 0) {
 				newConfig.message_thread_id = Math.trunc(parsed);
 			} else {
 				delete newConfig.message_thread_id;
 			}
 		}
 		try {
 			await api(`/targets/${targetId}/receivers/${receiverId}`, {
 				method: 'PUT',
 				body: JSON.stringify({ config: newConfig }),
 			});
 			editingReceiverId = null;
 			await load();
 			snackSuccess(t('targets.telegramOptionsSaved'));
 		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function toggleBroadcastChild(targetId: number, childId: number) {
@@ -565,7 +673,7 @@
 				body: JSON.stringify({ config: { ...tgt.config, disabled_child_ids: [...disabled] } }),
 			});
 			await load();
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 	}
 	async function testReceiver(targetId: number, receiverId: number) {
@@ -574,7 +682,7 @@
 			const res = await api<{ success: boolean; error?: string }>(`/targets/${targetId}/receivers/${receiverId}/test?locale=${getLocale()}`, { method: 'POST' });
 			if (res.success) snackSuccess(t('snack.targetTestSent'));
 			else snackError(`Failed: ${res.error}`);
-		} catch (err: any) { snackError(err.message); }
+		} catch (err: unknown) { snackError(errMsg(err)); }
 		finally { receiverTesting = { ...receiverTesting, [receiverId]: false }; }
 	}
 </script>
@@ -660,7 +768,7 @@
 						{@const childLabel = target.type === 'broadcast' ? t('targets.childTargets') : t('targets.receivers')}
 						<Card hover entityId={target.id}>
 							<!-- Target header (clickable to toggle receiver visibility) -->
-							<div class="flex items-center justify-between gap-2">
+							<div class="flex items-center gap-2">
 								<button
 									type="button"
 									class="target-summary"
@@ -682,6 +790,7 @@
 										<span class="target-summary__count target-summary__count--empty">{t('targets.noReceivers')}</span>
 									{/if}
 								</button>
 								<MetaStrip tiles={targetTiles(target)} />
 								<div class="flex items-center gap-1 shrink-0">
 									<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(target)} />
 									<IconButton icon="mdiSend" title={t('targets.test')} onclick={() => test(target.id)} />
@@ -702,6 +811,8 @@
 										{receiverBotChats}
 										{receiverTesting}
 										{receiverLabel}
 										{editingReceiverId}
 										bind:editingReceiverOptions
 										onopenReceiverForm={openReceiverForm}
 										onsaveReceiver={saveReceiver}
 										oncancelReceiver={() => addingReceiverForTarget = null}
@@ -711,6 +822,9 @@
 										onloadBotChats={loadReceiverBotChats}
 										onchangeReceiverForm={(f) => receiverForm = f}
 										ontoggleBroadcastChild={toggleBroadcastChild}
 										onopenEditReceiver={openEditReceiver}
 										oncancelEditReceiver={cancelEditReceiver}
 										onsaveEditReceiver={saveEditReceiver}
 									/>
 								</div>
 							{/if}
@@ -765,7 +879,7 @@
 	}
 	.target-summary {
-		flex: 1;
+		flex: 1 1 auto;
 		min-width: 0;
 		display: flex;
 		align-items: center;
@@ -780,6 +894,12 @@
 		border-radius: 8px;
 		transition: background 0.15s ease;
 	}
 	@media (min-width: 1024px) {
 		.target-summary {
 			flex: 0 1 auto;
 			max-width: 32rem;
 		}
 	}
 	.target-summary:hover {
 		background: var(--color-glass-strong);
 	}
@@ -16,6 +16,12 @@
 		receiverBotChats: Record<number, TelegramChat[]>;
 		receiverTesting: Record<number, boolean>;
 		receiverLabel: (target: NotificationTarget, recv: TargetReceiver) => string;
 		// Telegram-only editing state. Optional so a future caller that
 		// reuses this component for a non-Telegram target page doesn't have
 		// to pass dead props; the cog button only renders when both the
 		// target type matches AND the handlers are wired.
 		editingReceiverId?: number | null;
 		editingReceiverOptions?: Record<string, any>;
 		onopenReceiverForm: (targetId: number, targetType: string) => void;
 		onsaveReceiver: (targetId: number) => void;
 		oncancelReceiver: () => void;
@@ -25,6 +31,9 @@
 		onloadBotChats: (botId: number) => void;
 		onchangeReceiverForm: (form: Record<string, any>) => void;
 		ontoggleBroadcastChild?: (targetId: number, childId: number) => void;
 		onopenEditReceiver?: (targetId: number, receiver: TargetReceiver) => void;
 		oncancelEditReceiver?: () => void;
 		onsaveEditReceiver?: (targetId: number, receiverId: number) => void;
 	}
 	let {
@@ -37,6 +46,8 @@
 		receiverBotChats,
 		receiverTesting,
 		receiverLabel,
 		editingReceiverId,
 		editingReceiverOptions = $bindable(),
 		onopenReceiverForm,
 		onsaveReceiver,
 		oncancelReceiver,
@@ -46,6 +57,9 @@
 		onloadBotChats,
 		onchangeReceiverForm,
 		ontoggleBroadcastChild,
 		onopenEditReceiver,
 		oncancelEditReceiver,
 		onsaveEditReceiver,
 	}: Props = $props();
 </script>
@@ -92,11 +106,25 @@
 				{#if (recv as any).language_code || recv.config?.language_code}
 					<span class="text-xs px-1 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{((recv as any).language_code || recv.config.language_code).toUpperCase()}</span>
 				{/if}
 				{#if target.type === 'telegram' && recv.config?.disable_notification}
 					<MdiIcon name="mdiBellOff" size={12} />
 				{/if}
 				{#if target.type === 'telegram' && recv.config?.message_thread_id != null && recv.config?.message_thread_id !== ''}
 					<span class="text-xs px-1 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]" title={t('targets.telegramThreadId')}>#{recv.config.message_thread_id}</span>
 				{/if}
 			</div>
 			<div class="flex items-center gap-1">
 				<IconButton icon="mdiSend" title={t('targets.test')}
 					onclick={() => ontestReceiver(target.id, recv.id)}
 					disabled={receiverTesting[recv.id]} size={16} />
 				{#if target.type === 'telegram' && onopenEditReceiver != null}
 					<IconButton
 						icon="mdiCog"
 						title={t('targets.telegramOptions')}
 						onclick={() => onopenEditReceiver!(target.id, recv)}
 						size={16}
 					/>
 				{/if}
 				<IconButton
 					icon={recv.enabled ? 'mdiToggleSwitch' : 'mdiToggleSwitchOff'}
 					title={recv.enabled ? t('targets.receiverDisabled') : t('targets.receiverEnabled')}
@@ -112,6 +140,31 @@
 				/>
 			</div>
 		</div>
 		{#if target.type === 'telegram' && editingReceiverId === recv.id && editingReceiverOptions != null && onsaveEditReceiver != null && oncancelEditReceiver != null}
 			<div in:slide={{ duration: 150 }} class="mb-2 ml-6 mr-2 p-2 rounded-md border border-[var(--color-border)] bg-[var(--color-background)]">
 				<label class="flex items-center gap-2 text-sm mb-2 cursor-pointer">
 					<input type="checkbox" bind:checked={editingReceiverOptions.disable_notification} />
 					<span>{t('targets.telegramDisableNotification')}</span>
 				</label>
 				<label class="flex flex-col gap-1 text-sm mb-2">
 					<span>{t('targets.telegramThreadId')}</span>
 					<input type="number" min="1" inputmode="numeric"
 						bind:value={editingReceiverOptions.message_thread_id}
 						placeholder={t('targets.telegramThreadIdPlaceholder')}
 						class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 				</label>
 				<div class="flex gap-2">
 					<button type="button" onclick={() => onsaveEditReceiver!(target.id, recv.id)}
 						class="px-3 py-1 bg-[var(--color-primary)] text-[var(--color-primary-foreground)] rounded-md text-xs font-medium hover:opacity-90">
 						{t('common.save')}
 					</button>
 					<button type="button" onclick={oncancelEditReceiver}
 						class="px-3 py-1 border border-[var(--color-border)] rounded-md text-xs hover:bg-[var(--color-muted)]">
 						{t('targets.cancel')}
 					</button>
 				</div>
 			</div>
 		{/if}
 	{/each}
 	<!-- Telegram: chat picker palette opens directly from the "Add receiver" button — no inline section. -->
@@ -23,6 +23,7 @@
 			max_asset_size: number;
 			disable_url_preview: boolean;
 			send_large_photos_as_documents: boolean;
 			send_large_videos_as_documents: boolean;
 			ai_captions: boolean;
 			chat_action: string;
 			username: string;
@@ -131,6 +132,7 @@
 					</div>
 					<label class="flex items-center gap-2 text-sm col-span-2"><input type="checkbox" bind:checked={form.disable_url_preview} /> {t('targets.disableUrlPreview')}</label>
 					<label class="flex items-center gap-2 text-sm col-span-2"><input type="checkbox" bind:checked={form.send_large_photos_as_documents} /> {t('targets.sendLargeAsDocuments')}</label>
 						<label class="flex items-center gap-2 text-sm col-span-2"><input type="checkbox" bind:checked={form.send_large_videos_as_documents} /> {t('targets.sendLargeVideosAsDocuments')}</label>
 				</div>
 				{/if}
 			</div>
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import { topbarAction } from '$lib/stores/topbar-action.svelte';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t } from '$lib/i18n';
@@ -28,6 +28,7 @@
 	import { globalProviderFilter } from '$lib/stores/provider-filter.svelte';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import { getDescriptor } from '$lib/providers';
 	import type { TemplateConfig } from '$lib/types';
@@ -260,7 +261,7 @@
 				capabilitiesCache.fetch(),
 				supportedLocalesCache.fetch(),
 			]);
-		} catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		} catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
 		finally { loaded = true; highlightFromUrl(); _openEditFromUrl(); handleDeepLink(); }
 	}
@@ -346,7 +347,7 @@
 			else await api('/template-configs', { method: 'POST', body: JSON.stringify(form) });
 			showForm = false; editing = null; await load();
 			snackSuccess(t('snack.templateSaved'));
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 	}
 	/**
@@ -403,8 +404,8 @@
 				refreshAllPreviews();
 			}
 			snackSuccess(t('templateConfig.resetApplied'));
-		} catch (err: any) {
+		} catch (err: unknown) {
-			snackError(err.message);
+			snackError(errMsg(err));
 		}
 	}
@@ -426,16 +427,55 @@
 		setTimeout(() => refreshAllPreviews(), 100);
 	}
 	function templateConfigTiles(config: TemplateConfig): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		tiles.push({
 			icon: 'mdiServer',
 			label: config.provider_type,
 			tone: 'lavender',
 			mono: true,
 		});
 		const slotCount = Object.keys(config.slots || {}).length;
 		tiles.push({
 			icon: 'mdiViewGridOutline',
 			value: String(slotCount),
 			label: t('templateConfig.slots'),
 			tone: slotCount > 0 ? 'sky' : 'default',
 		});
 		// Locale coverage — count unique locales present across all slots
 		const locales = new Set<string>();
 		for (const s of Object.values(config.slots || {})) {
 			for (const loc of Object.keys(s || {})) locales.add(loc);
 		}
 		if (locales.size > 0) {
 			tiles.push({
 				icon: 'mdiTranslate',
 				value: String(locales.size),
 				label: locales.size === 1 ? t('locales.label') : t('locales.labelPlural'),
 				hint: [...locales].sort().join(', '),
 				tone: 'mint',
 			});
 		}
 		if (config.user_id === 0) {
 			tiles.push({
 				icon: 'mdiShieldStarOutline',
 				label: t('common.system'),
 				tone: 'orchid',
 			});
 		}
 		return tiles;
 	}
 	let blockedBy = $state<BlockedByDetail | null>(null);
 	function remove(id: number) {
 		confirmDelete = {
 			id,
 			onconfirm: async () => {
 				try { await api(`/template-configs/${id}`, { method: 'DELETE' }); await load(); snackSuccess(t('snack.templateDeleted')); }
-				catch (err: any) {
+				catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message; snackError(err.message);
+					const m = errMsg(err); error = m; snackError(m);
 				}
 				finally { confirmDelete = null; }
 			}
@@ -586,7 +626,7 @@
 									{#if slotErrorTypes[slot.key] === 'undefined'}
 										<p class="mt-1 text-xs" style="color: var(--color-warning-fg);">⚠ {t('common.undefinedVar')}: {slotErrors[slot.key]}</p>
 									{:else}
-										<p class="mt-1 text-xs" style="color: var(--color-error-fg);">✕ {t('common.syntaxError')}: {slotErrors[slot.key]}{slotErrorLines[slot.key] ? ` (${t('common.line')} ${slotErrorLines[slot.key]})` : ''}</p>
+										<p class="mt-1 text-xs" style="color: var(--color-error-fg);">РІСљвЂў {t('common.syntaxError')}: {slotErrors[slot.key]}{slotErrorLines[slot.key] ? ` (${t('common.line')} ${slotErrorLines[slot.key]})` : ''}</p>
 									{/if}
 								{/if}
 							</CollapsibleSlot>
@@ -627,24 +667,25 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each configs as config}
 			<Card hover entityId={config.id}>
-				<div class="flex items-start justify-between">
+				<div class="list-row">
-					<div class="flex-1">
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={config.icon || 'mdiFileDocumentEdit'} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={config.icon || 'mdiFileDocumentEdit'} size={20} /></span>
-							<p class="font-medium">{config.name}</p>
+							<p class="font-medium truncate">{config.name}</p>
-							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{config.provider_type}</span>
+							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{config.provider_type}</span>
 							{#if config.user_id === 0}
-								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)]">{t('common.system')}</span>
+								<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] shrink-0">{t('common.system')}</span>
 							{/if}
 						</div>
 						{#if config.description}
-							<p class="text-sm text-[var(--color-muted-foreground)] mt-1">{config.description}</p>
+							<p class="text-sm text-[var(--color-muted-foreground)] mt-1 list-row__secondary">{config.description}</p>
 						{/if}
 					</div>
-					<div class="flex items-center gap-1 ml-4">
+					<MetaStrip tiles={templateConfigTiles(config)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiContentCopy" title={t('common.clone')} onclick={() => clone(config)} />
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(config)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => remove(config.id)} variant="danger" />
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount, onDestroy } from 'svelte';
 	import { slide } from 'svelte/transition';
-	import { api, getBlockedBy, type BlockedByDetail } from '$lib/api';
+	import { api, getBlockedBy, type BlockedByDetail , errMsg} from '$lib/api';
 	import { topbarAction } from '$lib/stores/topbar-action.svelte';
 	import BlockedByModal from '$lib/components/BlockedByModal.svelte';
 	import { t } from '$lib/i18n';
@@ -26,6 +26,8 @@
 	import { getDescriptor, buildTrackingFormDefaults } from '$lib/providers';
 	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
 	import Button from '$lib/components/Button.svelte';
 	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
 	import TimeListEditor from '$lib/components/TimeListEditor.svelte';
 	/** Grid-select item source lookup — maps descriptor string name to actual function. */
 	const gridItemSources: Record<string, () => any[]> = {
@@ -33,44 +35,12 @@
 	};
 	/**
-	 * HH:MM, comma-separated: "09:00" or "09:00, 18:30" — the only format cron
+	 * Max distinct dispatch times per slot — mirrors the backend cap
-	 * dispatch accepts. Matched on blur for time-list fields; invalid values
+	 * (`MAX_DISPATCH_TIMES` in services/time_list.py). The TimeListEditor
-	 * are surfaced inline next to the input.
+	 * disables "+ Add time" once this many rows are filled; the server enforces
 	 * the same limit on write.
 	 */
-	const TIME_LIST_RE = /^\s*(?:[01]\d|2[0-3]):[0-5]\d(?:\s*,\s*(?:[01]\d|2[0-3]):[0-5]\d)*\s*$/;
+	const MAX_DISPATCH_TIMES = 24;
 	/** Per-field error messages surfaced inline under time-list inputs. */
 	let timeListErrors = $state<Record<string, string>>({});
 	/** Normalize "9:0 , 18:30" → "09:00,18:30" on blur, clear error when valid. */
 	function normalizeTimeList(key: string) {
 		const raw = String(form[key] ?? '').trim();
 		if (!raw) { timeListErrors = { ...timeListErrors, [key]: '' }; return; }
 		if (!TIME_LIST_RE.test(raw)) {
 			// Try a lenient normalization: split on commas, zero-pad each part.
 			const parts = raw.split(',').map(p => p.trim()).filter(Boolean);
 			const fixed: string[] = [];
 			let ok = true;
 			for (const p of parts) {
 				const m = /^(\d{1,2}):(\d{1,2})$/.exec(p);
 				if (!m) { ok = false; break; }
 				const hh = Number(m[1]);
 				const mm = Number(m[2]);
 				if (!Number.isFinite(hh) || !Number.isFinite(mm) || hh < 0 || hh > 23 || mm < 0 || mm > 59) { ok = false; break; }
 				fixed.push(`${String(hh).padStart(2, '0')}:${String(mm).padStart(2, '0')}`);
 			}
 			if (ok) {
 				form[key] = fixed.join(',');
 				timeListErrors = { ...timeListErrors, [key]: '' };
 				return;
 			}
 			timeListErrors = { ...timeListErrors, [key]: t('trackingConfig.invalidTimeList') };
 			return;
 		}
 		// Canonicalise spacing.
 		form[key] = raw.split(',').map(s => s.trim()).join(',');
 		timeListErrors = { ...timeListErrors, [key]: '' };
 	}
 	/**
 	 * Quiet-hours preview: "22:00 → 07:00 next day (9h)" or "Quiet period is 0
@@ -157,8 +127,8 @@
 				error: res?.error || '',
 				locale,
 			};
-		} catch (err: any) {
+		} catch (err: unknown) {
-			previewModal = { slotName, rendered: '', error: err.message, locale };
+			previewModal = { slotName, rendered: '', error: errMsg(err), locale };
 		} finally {
 			previewLoading = false;
 		}
@@ -216,7 +186,7 @@
 	});
 	async function load() {
 		try { await trackingConfigsCache.fetch(true); }
-		catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
 		finally { loaded = true; highlightFromUrl(); _openEditFromUrl(); }
 	}
@@ -238,6 +208,38 @@
 		window.history.replaceState(null, '', cleanUrl);
 	}
 	function trackingConfigTiles(config: Record<string, any>): MetaTile[] {
 		const tiles: MetaTile[] = [];
 		const desc = getDescriptor(config.provider_type);
 		const events = (desc?.eventFields ?? []).filter(f => config[f.key]);
 		tiles.push({
 			icon: 'mdiPulse',
 			value: String(events.length),
 			label: t('trackingConfig.eventTracking'),
 			hint: events.map(f => t(f.label)).join(', ') || undefined,
 			tone: events.length > 0 ? 'lavender' : 'default',
 		});
 		if (config.periodic_enabled) {
 			tiles.push({ icon: 'mdiTimerSyncOutline', label: t('trackingConfig.periodic'), tone: 'mint' });
 		}
 		if (config.scheduled_enabled) {
 			tiles.push({ icon: 'mdiCalendarClock', label: t('trackingConfig.scheduled'), tone: 'sky' });
 		}
 		if (config.memory_enabled) {
 			tiles.push({ icon: 'mdiHistory', label: t('trackingConfig.memory'), tone: 'orchid' });
 		}
 		if (config.quiet_hours_start && config.quiet_hours_end) {
 			tiles.push({
 				icon: 'mdiWeatherNight',
 				label: `${config.quiet_hours_start}–${config.quiet_hours_end}`,
 				hint: t('trackingConfig.quietHoursStart'),
 				tone: 'citrus',
 				mono: true,
 			});
 		}
 		return tiles;
 	}
 	function openNew() { form = defaultForm(); nameManuallyEdited = false; editing = null; showForm = true; }
 	function edit(c: any) {
 		form = { ...defaultForm(), ...c };
@@ -247,12 +249,24 @@
 	async function save(e: SubmitEvent) {
 		e.preventDefault(); error = '';
 		// Descriptor-driven guard: an enabled feature section that uses a
 		// time-list must have at least one time, otherwise it saves but the
 		// scheduler creates no cron job and the slot silently never fires.
 		for (const section of descriptor?.featureSections ?? []) {
 			const timeField = section.fields.find((f) => f.type === 'time-list');
 			if (!timeField) continue;
 			if (form[section.enabledField] && !String(form[timeField.key] ?? '').trim()) {
 				const msg = t('trackingConfig.timesRequiredFor').replace('{slot}', t(section.legend));
 				error = msg; snackError(msg);
 				return;
 			}
 		}
 		try {
 			if (editing) await api(`/tracking-configs/${editing}`, { method: 'PUT', body: JSON.stringify(form) });
 			else await api('/tracking-configs', { method: 'POST', body: JSON.stringify(form) });
 			showForm = false; editing = null; await load();
 			snackSuccess(t('snack.trackingConfigSaved'));
-		} catch (err: any) { error = err.message; snackError(err.message); }
+		} catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
 	}
 	let blockedBy = $state<BlockedByDetail | null>(null);
@@ -261,10 +275,10 @@
 			id,
 			onconfirm: async () => {
 				try { await api(`/tracking-configs/${id}`, { method: 'DELETE' }); await load(); snackSuccess(t('snack.trackingConfigDeleted')); }
-				catch (err: any) {
+				catch (err: unknown) {
 					const bb = getBlockedBy(err);
 					if (bb) { blockedBy = bb; return; }
-					error = err.message; snackError(err.message);
+					const m = errMsg(err); error = m; snackError(m);
 				}
 				finally { confirmDelete = null; }
 			}
@@ -380,22 +394,24 @@
 							</label>
 						{:else if field.type === 'grid-select' && field.gridItems}
 							<IconGridSelect items={gridItemSources[field.gridItems]()} bind:value={form[field.key]} columns={field.gridColumns ?? 2} compact />
-						{:else}
+						{:else if field.type === 'time-list'}
-							{@const inputType = field.type === 'date' ? 'date'
+							<TimeListEditor
-								: field.type === 'time' ? 'time'
+								value={String(form[field.key] ?? '')}
-								: field.type === 'time-list' ? 'text'
+								onchange={(v) => form[field.key] = v}
-								: 'number'}
+								max={MAX_DISPATCH_TIMES} />
 							{@const hasError = field.type === 'time-list' && !!timeListErrors[field.key]}
 							<input type={inputType}
 								bind:value={form[field.key]} min={field.min} max={field.max}
 								onblur={field.type === 'time-list' && field.validateFormat ? () => normalizeTimeList(field.key) : undefined}
 								placeholder={field.type === 'time-list' || field.type === 'time' ? String(typeof field.defaultValue === 'function' ? field.defaultValue() : (field.defaultValue ?? '')) : ''}
 								class="w-full px-2 py-1 border rounded-md text-sm bg-[var(--color-background)] {hasError ? 'border-[var(--color-error-fg)]' : 'border-[var(--color-border)]'}" />
 							{#if field.inlineHelp}
 								<p class="text-[10px] mt-0.5" style="color: var(--color-muted-foreground);">{t(field.inlineHelp)}</p>
 							{/if}
-							{#if hasError}
+						{:else}
-								<p class="text-[10px] mt-0.5" style="color: var(--color-error-fg);">{timeListErrors[field.key]}</p>
+							{@const inputType = field.type === 'date' ? 'date'
 								: field.type === 'time' ? 'time'
 								: 'number'}
 							<input type={inputType}
 								bind:value={form[field.key]} min={field.min} max={field.max}
 								placeholder={field.type === 'time' ? String(typeof field.defaultValue === 'function' ? field.defaultValue() : (field.defaultValue ?? '')) : ''}
 								class="w-full px-2 py-1 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 							{#if field.inlineHelp}
 								<p class="text-[10px] mt-0.5" style="color: var(--color-muted-foreground);">{t(field.inlineHelp)}</p>
 							{/if}
 						{/if}
 					</div>
@@ -448,25 +464,26 @@
 		<EmptyState icon="mdiFilterOff" message={t('common.noFilterResults')} />
 	</Card>
 {:else}
-	<div class="space-y-3 stagger-children">
+	<div class="list-stack stagger-children">
 		{#each configs as config}
 			{@const desc = getDescriptor(config.provider_type)}
 			<Card hover entityId={config.id}>
-				<div class="flex items-center justify-between">
+				<div class="list-row">
-					<div>
+					<div class="list-row__identity">
-						<div class="flex items-center gap-2">
+						<div class="flex items-center gap-2 min-w-0">
-							<span style="color: var(--color-primary);"><MdiIcon name={providerDefaultIcon({ icon: config.icon, type: config.provider_type })} size={20} /></span>
+							<span style="color: var(--color-primary);" class="shrink-0"><MdiIcon name={providerDefaultIcon({ icon: config.icon, type: config.provider_type })} size={20} /></span>
-							<p class="font-medium">{config.name}</p>
+							<p class="font-medium truncate">{config.name}</p>
-							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] font-mono">{config.provider_type}</span>
+							<span class="text-xs px-1.5 py-0.5 rounded bg-[var(--color-muted)] text-[var(--color-muted-foreground)] font-mono shrink-0">{config.provider_type}</span>
 						</div>
-						<p class="text-sm text-[var(--color-muted-foreground)]">
+						<p class="text-sm text-[var(--color-muted-foreground)] list-row__secondary">
 							{(desc?.eventFields ?? []).filter(f => (config as Record<string, any>)[f.key]).map(f => t(f.label)).join(', ')}
 							{config.periodic_enabled ? ` · ${t('trackingConfig.periodic')}` : ''}
 							{config.scheduled_enabled ? ` · ${t('trackingConfig.scheduled')}` : ''}
 							{config.memory_enabled ? ` · ${t('trackingConfig.memory')}` : ''}
 						</p>
 					</div>
-					<div class="flex items-center gap-1">
+					<MetaStrip tiles={trackingConfigTiles(config)} />
 					<div class="list-row__actions">
 						<IconButton icon="mdiPencil" title={t('common.edit')} onclick={() => edit(config)} />
 						<IconButton icon="mdiDelete" title={t('common.delete')} onclick={() => remove(config.id)} variant="danger" />
 					</div>
@@ -1,200 +1,225 @@
-<script lang="ts">
+<script lang="ts">
-	import { onMount } from 'svelte';
+	import { onMount } from 'svelte';
-	import { api, parseDate } from '$lib/api';
+	import { api, parseDate , errMsg} from '$lib/api';
-	import { t } from '$lib/i18n';
+	import { t } from '$lib/i18n';
-	import { getAuth } from '$lib/auth.svelte';
+	import { getAuth } from '$lib/auth.svelte';
-	import PageHeader from '$lib/components/PageHeader.svelte';
+	import PageHeader from '$lib/components/PageHeader.svelte';
-	import Card from '$lib/components/Card.svelte';
+	import Card from '$lib/components/Card.svelte';
-	import Loading from '$lib/components/Loading.svelte';
+	import Loading from '$lib/components/Loading.svelte';
-	import Modal from '$lib/components/Modal.svelte';
+	import Modal from '$lib/components/Modal.svelte';
-	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
+	import ConfirmModal from '$lib/components/ConfirmModal.svelte';
-	import MdiIcon from '$lib/components/MdiIcon.svelte';
+	import MdiIcon from '$lib/components/MdiIcon.svelte';
-	import EmptyState from '$lib/components/EmptyState.svelte';
+	import EmptyState from '$lib/components/EmptyState.svelte';
-	import IconButton from '$lib/components/IconButton.svelte';
+	import IconButton from '$lib/components/IconButton.svelte';
-	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
+	import { snackSuccess, snackError } from '$lib/stores/snackbar.svelte';
-	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
+	import ErrorBanner from '$lib/components/ErrorBanner.svelte';
-	import Button from '$lib/components/Button.svelte';
+	import Button from '$lib/components/Button.svelte';
-	import type { User } from '$lib/types';
+	import MetaStrip, { type MetaTile } from '$lib/components/MetaStrip.svelte';
-
+	import type { User } from '$lib/types';
-	const auth = getAuth();
+
-	let users = $state<User[]>([]);
+	const auth = getAuth();
-	let showForm = $state(false);
+	let users = $state<User[]>([]);
-	let form = $state({ username: '', password: '', role: 'user' });
+	let showForm = $state(false);
-	let error = $state('');
+	let form = $state({ username: '', password: '', role: 'user' });
-	let loaded = $state(false);
+	let error = $state('');
-	let confirmDelete = $state<{ id: number; onconfirm: () => Promise<void> } | null>(null);
+	let loaded = $state(false);
-
+	let confirmDelete = $state<{ id: number; onconfirm: () => Promise<void> } | null>(null);
-	// Admin reset password
+
-	let resetUserId = $state<number | null>(null);
+	// Admin reset password
-	let resetUsername = $state('');
+	let resetUserId = $state<number | null>(null);
-	let resetPassword = $state('');
+	let resetUsername = $state('');
-	let resetMsg = $state('');
+	let resetPassword = $state('');
-	let resetSuccess = $state(false);
+	let resetMsg = $state('');
-
+	let resetSuccess = $state(false);
-	// Admin edit username/role
+
-	let editUserId = $state<number | null>(null);
+	// Admin edit username/role
-	let editUsername = $state('');
+	let editUserId = $state<number | null>(null);
-	let editRole = $state('user');
+	let editUsername = $state('');
-	let editMsg = $state('');
+	let editRole = $state('user');
-	let editSuccess = $state(false);
+	let editMsg = $state('');
-
+	let editSuccess = $state(false);
-	onMount(load);
+
-	async function load() {
+	onMount(load);
-		try { users = await api('/users'); }
+	async function load() {
-		catch (err: any) { error = err.message || t('common.loadError'); snackError(error); }
+		try { users = await api('/users'); }
-		finally { loaded = true; }
+		catch (err: unknown) { error = errMsg(err, t('common.loadError')); snackError(error); }
-	}
+		finally { loaded = true; }
-
+	}
-	async function create(e: SubmitEvent) {
+
-		e.preventDefault(); error = '';
+	async function create(e: SubmitEvent) {
-		try { await api('/users', { method: 'POST', body: JSON.stringify(form) }); form = { username: '', password: '', role: 'user' }; showForm = false; await load(); snackSuccess(t('snack.userCreated')); }
+		e.preventDefault(); error = '';
-		catch (err: any) { error = err.message; snackError(err.message); }
+		try { await api('/users', { method: 'POST', body: JSON.stringify(form) }); form = { username: '', password: '', role: 'user' }; showForm = false; await load(); snackSuccess(t('snack.userCreated')); }
 catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
-	}
+	}
-	function remove(id: number) {
+	function remove(id: number) {
-		confirmDelete = {
+		confirmDelete = {
-			id,
+			id,
-			onconfirm: async () => {
+			onconfirm: async () => {
-				try { await api(`/users/${id}`, { method: 'DELETE' }); await load(); snackSuccess(t('snack.userDeleted')); }
+				try { await api(`/users/${id}`, { method: 'DELETE' }); await load(); snackSuccess(t('snack.userDeleted')); }
 catch (err: unknown) { const __m = errMsg(err); error = __m; snackError(__m); }
-				catch (err: any) { error = err.message; snackError(err.message); }
+				finally { confirmDelete = null; }
-				finally { confirmDelete = null; }
+			}
-			}
+		};
-		};
+	}
-	}
+	function openResetPassword(user: any) {
-	function openResetPassword(user: any) {
+		resetUserId = user.id; resetUsername = user.username; resetPassword = ''; resetMsg = ''; resetSuccess = false;
-		resetUserId = user.id; resetUsername = user.username; resetPassword = ''; resetMsg = ''; resetSuccess = false;
+	}
-	}
+	function openEditUser(user: any) {
-	function openEditUser(user: any) {
+		editUserId = user.id; editUsername = user.username; editRole = user.role; editMsg = ''; editSuccess = false;
-		editUserId = user.id; editUsername = user.username; editRole = user.role; editMsg = ''; editSuccess = false;
+	}
-	}
+	async function saveUserEdit(e: SubmitEvent) {
-	async function saveUserEdit(e: SubmitEvent) {
+		e.preventDefault(); editMsg = ''; editSuccess = false;
-		e.preventDefault(); editMsg = ''; editSuccess = false;
+		try {
-		try {
+			await api(`/users/${editUserId}`, { method: 'PATCH', body: JSON.stringify({ username: editUsername, role: editRole }) });
-			await api(`/users/${editUserId}`, { method: 'PATCH', body: JSON.stringify({ username: editUsername, role: editRole }) });
+			editMsg = t('snack.userUpdated');
-			editMsg = t('snack.userUpdated');
+			editSuccess = true;
-			editSuccess = true;
+			snackSuccess(editMsg);
-			snackSuccess(editMsg);
+			await load();
-			await load();
+			setTimeout(() => { editUserId = null; editMsg = ''; editSuccess = false; }, 1200);
-			setTimeout(() => { editUserId = null; editMsg = ''; editSuccess = false; }, 1200);
+		} catch (err: unknown) { const __m = errMsg(err); editMsg = __m; editSuccess = false; snackError(__m); }
-		} catch (err: any) { editMsg = err.message; editSuccess = false; snackError(err.message); }
+	}
-	}
+	async function resetUserPassword(e: SubmitEvent) {
-	async function resetUserPassword(e: SubmitEvent) {
+		e.preventDefault(); resetMsg = ''; resetSuccess = false;
-		e.preventDefault(); resetMsg = ''; resetSuccess = false;
+		try {
-		try {
+			await api(`/users/${resetUserId}/password`, { method: 'PUT', body: JSON.stringify({ new_password: resetPassword }) });
-			await api(`/users/${resetUserId}/password`, { method: 'PUT', body: JSON.stringify({ new_password: resetPassword }) });
+			resetMsg = t('common.passwordChanged');
-			resetMsg = t('common.passwordChanged');
+			resetSuccess = true;
-			resetSuccess = true;
+			snackSuccess(t('snack.passwordChanged'));
-			snackSuccess(t('snack.passwordChanged'));
+			setTimeout(() => { resetUserId = null; resetMsg = ''; resetSuccess = false; }, 2000);
-			setTimeout(() => { resetUserId = null; resetMsg = ''; resetSuccess = false; }, 2000);
+		} catch (err: unknown) { const __m = errMsg(err); resetMsg = __m; resetSuccess = false; snackError(__m); }
-		} catch (err: any) { resetMsg = err.message; resetSuccess = false; snackError(err.message); }
+	}
-	}
+
-</script>
+	function userTiles(user: User): MetaTile[] {
-
+		const tiles: MetaTile[] = [];
-<PageHeader
+		const isAdmin = user.role === 'admin';
-	title={t('users.title')}
+		tiles.push({
-	emphasis={t('users.titleEmphasis')}
+			icon: isAdmin ? 'mdiShieldCrownOutline' : 'mdiAccountOutline',
-	description={t('users.description')}
+			label: isAdmin ? t('users.roleAdmin') : t('users.roleUser'),
-	crumb={t('crumbs.systemAccess')}
+			tone: isAdmin ? 'orchid' : 'sky',
-	count={users.length}
+		});
-	countLabel={t('users.countLabel')}
+		tiles.push({
->
+			icon: 'mdiCalendarOutline',
-	<Button size="sm" onclick={() => showForm = !showForm}>
+			label: parseDate(user.created_at).toLocaleDateString(),
-		{showForm ? t('users.cancel') : t('users.addUser')}
+			hint: t('users.joined'),
-	</Button>
+			tone: 'lavender',
-</PageHeader>
+			mono: true,
-
+		});
-{#if !loaded}<Loading />{:else}
+		if (user.id === auth.user?.id) {
-
+			tiles.push({
-{#if showForm}
+				icon: 'mdiAccountStar',
-	<Card class="mb-6">
+				label: t('users.you', 'you'),
-		{#if error}<ErrorBanner message={error} />{/if}
+				tone: 'mint',
-		<form onsubmit={create} class="space-y-3">
+			});
-			<div>
+		}
-				<label for="usr-name" class="block text-sm font-medium mb-1">{t('users.username')}</label>
+		return tiles;
-				<input id="usr-name" bind:value={form.username} required class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+	}
-			</div>
+</script>
-			<div>
+
-				<label for="usr-pass" class="block text-sm font-medium mb-1">{t('users.password')}</label>
+<PageHeader
-				<input id="usr-pass" bind:value={form.password} required type="password" class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+	title={t('users.title')}
-			</div>
+	emphasis={t('users.titleEmphasis')}
-			<div>
+	description={t('users.description')}
-				<label for="usr-role" class="block text-sm font-medium mb-1">{t('users.role')}</label>
+	crumb={t('crumbs.systemAccess')}
-				<select id="usr-role" bind:value={form.role} class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]">
+	count={users.length}
-					<option value="user">{t('users.roleUser')}</option>
+	countLabel={t('users.countLabel')}
-					<option value="admin">{t('users.roleAdmin')}</option>
+>
-				</select>
+	<Button size="sm" onclick={() => showForm = !showForm}>
-			</div>
+		{showForm ? t('users.cancel') : t('users.addUser')}
-			<Button type="submit">{t('users.create')}</Button>
+	</Button>
-		</form>
+</PageHeader>
-	</Card>
+
-{/if}
+{#if !loaded}<Loading />{:else}
-
+
-{#if users.length === 0}
+{#if showForm}
-<Card>
+	<Card class="mb-6">
-	<EmptyState icon="mdiAccountGroup" message={t('users.noUsers')} />
+		{#if error}<ErrorBanner message={error} />{/if}
-</Card>
+		<form onsubmit={create} class="space-y-3">
-{:else}
+			<div>
-<div class="space-y-3 stagger-children">
+				<label for="usr-name" class="block text-sm font-medium mb-1">{t('users.username')}</label>
-	{#each users as user}
+				<input id="usr-name" bind:value={form.username} required class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-		<Card hover>
+			</div>
-			<div class="flex items-center justify-between">
+			<div>
-				<div>
+				<label for="usr-pass" class="block text-sm font-medium mb-1">{t('users.password')}</label>
-					<p class="font-medium">{user.username}</p>
+				<input id="usr-pass" bind:value={form.password} required type="password" class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-					<p class="text-sm text-[var(--color-muted-foreground)]">{user.role === 'admin' ? t('users.roleAdmin') : t('users.roleUser')} · {t('users.joined')} {parseDate(user.created_at).toLocaleDateString()}</p>
+			</div>
-				</div>
+			<div>
-				<div class="flex items-center gap-1">
+				<label for="usr-role" class="block text-sm font-medium mb-1">{t('users.role')}</label>
-					<IconButton icon="mdiPencil" title={t('users.edit')} onclick={() => openEditUser(user)} />
+				<select id="usr-role" bind:value={form.role} class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]">
-					{#if user.id !== auth.user?.id}
+					<option value="user">{t('users.roleUser')}</option>
-						<IconButton icon="mdiKeyVariant" title={t('common.changePassword')} onclick={() => openResetPassword(user)} />
+					<option value="admin">{t('users.roleAdmin')}</option>
-						<IconButton icon="mdiDelete" title={t('users.delete')} onclick={() => remove(user.id)} variant="danger" />
+				</select>
-					{/if}
+			</div>
-				</div>
+			<Button type="submit">{t('users.create')}</Button>
-			</div>
+		</form>
-		</Card>
+	</Card>
-	{/each}
+{/if}
-</div>
+
-{/if}
+{#if users.length === 0}
-
+<Card>
-{/if}
+	<EmptyState icon="mdiAccountGroup" message={t('users.noUsers')} />
-
+</Card>
-<!-- Admin reset password modal -->
+{:else}
-<Modal open={resetUserId !== null} title="{t('common.changePassword')}: {resetUsername}" onclose={() => { resetUserId = null; resetMsg = ''; resetSuccess = false; }}>
+<div class="list-stack stagger-children">
-	<form onsubmit={resetUserPassword} class="space-y-3">
+	{#each users as user}
-		<div>
+		<Card hover>
-			<label for="reset-pwd" class="block text-sm font-medium mb-1">{t('common.newPassword')}</label>
+			<div class="list-row">
-			<input id="reset-pwd" type="password" bind:value={resetPassword} required
+				<div class="list-row__identity">
-				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+					<p class="font-medium truncate">{user.username}</p>
-		</div>
+					<p class="text-sm text-[var(--color-muted-foreground)] list-row__secondary">{user.role === 'admin' ? t('users.roleAdmin') : t('users.roleUser')} В· {t('users.joined')} {parseDate(user.created_at).toLocaleDateString()}</p>
-		{#if resetMsg}
+				</div>
-			<p class="text-sm {resetSuccess ? 'text-[var(--color-success-fg)]' : 'text-[var(--color-error-fg)]'}">{resetMsg}</p>
+				<MetaStrip tiles={userTiles(user)} />
-		{/if}
+				<div class="list-row__actions">
-		<Button type="submit" class="w-full">
+					<IconButton icon="mdiPencil" title={t('users.edit')} onclick={() => openEditUser(user)} />
-			{t('common.save')}
+					{#if user.id !== auth.user?.id}
-		</Button>
+						<IconButton icon="mdiKeyVariant" title={t('common.changePassword')} onclick={() => openResetPassword(user)} />
-	</form>
+						<IconButton icon="mdiDelete" title={t('users.delete')} onclick={() => remove(user.id)} variant="danger" />
-</Modal>
+					{/if}
-
+				</div>
-<!-- Admin edit username/role modal -->
+			</div>
-<Modal open={editUserId !== null} title={t('users.edit')} onclose={() => { editUserId = null; editMsg = ''; editSuccess = false; }}>
+		</Card>
-	<form onsubmit={saveUserEdit} class="space-y-3">
+	{/each}
-		<div>
+</div>
-			<label for="edit-username" class="block text-sm font-medium mb-1">{t('users.username')}</label>
+{/if}
-			<input id="edit-username" bind:value={editUsername} required
+
-				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
+{/if}
-		</div>
+
-		<div>
+<!-- Admin reset password modal -->
-			<label for="edit-role" class="block text-sm font-medium mb-1">{t('users.role')}</label>
+<Modal open={resetUserId !== null} title="{t('common.changePassword')}: {resetUsername}" onclose={() => { resetUserId = null; resetMsg = ''; resetSuccess = false; }}>
-			<select id="edit-role" bind:value={editRole}
+	<form onsubmit={resetUserPassword} class="space-y-3">
-				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]">
+		<div>
-				<option value="user">{t('users.roleUser')}</option>
+			<label for="reset-pwd" class="block text-sm font-medium mb-1">{t('common.newPassword')}</label>
-				<option value="admin">{t('users.roleAdmin')}</option>
+			<input id="reset-pwd" type="password" bind:value={resetPassword} required
-			</select>
+				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
-		</div>
+		</div>
-		{#if editMsg}
+		{#if resetMsg}
-			<p class="text-sm {editSuccess ? 'text-[var(--color-success-fg)]' : 'text-[var(--color-error-fg)]'}">{editMsg}</p>
+			<p class="text-sm {resetSuccess ? 'text-[var(--color-success-fg)]' : 'text-[var(--color-error-fg)]'}">{resetMsg}</p>
-		{/if}
+		{/if}
-		<Button type="submit" class="w-full">{t('common.save')}</Button>
+		<Button type="submit" class="w-full">
-	</form>
+			{t('common.save')}
-</Modal>
+		</Button>
-
+	</form>
-<ConfirmModal open={confirmDelete !== null} message={t('users.confirmDelete')}
+</Modal>
-	onconfirm={() => confirmDelete?.onconfirm()} oncancel={() => confirmDelete = null} />
+
 <!-- Admin edit username/role modal -->
 <Modal open={editUserId !== null} title={t('users.edit')} onclose={() => { editUserId = null; editMsg = ''; editSuccess = false; }}>
 	<form onsubmit={saveUserEdit} class="space-y-3">
 		<div>
 			<label for="edit-username" class="block text-sm font-medium mb-1">{t('users.username')}</label>
 			<input id="edit-username" bind:value={editUsername} required
 				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]" />
 		</div>
 		<div>
 			<label for="edit-role" class="block text-sm font-medium mb-1">{t('users.role')}</label>
 			<select id="edit-role" bind:value={editRole}
 				class="w-full px-3 py-2 border border-[var(--color-border)] rounded-md text-sm bg-[var(--color-background)]">
 				<option value="user">{t('users.roleUser')}</option>
 				<option value="admin">{t('users.roleAdmin')}</option>
 			</select>
 		</div>
 		{#if editMsg}
 			<p class="text-sm {editSuccess ? 'text-[var(--color-success-fg)]' : 'text-[var(--color-error-fg)]'}">{editMsg}</p>
 		{/if}
 		<Button type="submit" class="w-full">{t('common.save')}</Button>
 	</form>
 </Modal>
 <ConfirmModal open={confirmDelete !== null} message={t('users.confirmDelete')}
 	onconfirm={() => confirmDelete?.onconfirm()} oncancel={() => confirmDelete = null} />
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "notify-bridge-core"
-version = "0.7.2"
+version = "0.10.0"
 description = "Core library for Notify Bridge — service provider abstractions, models, notifications, and templates"
 requires-python = ">=3.12"
 dependencies = [
@@ -14,6 +14,7 @@ Kept in ``notify_bridge_core`` so core modules (``TelegramClient``,
 from __future__ import annotations
 import uuid
 from contextlib import contextmanager
 from contextvars import ContextVar, Token
 from typing import Any, Iterator
@@ -56,6 +57,22 @@ def bind_log_context(**kwargs: Any) -> Iterator[None]:
            var.reset(tok)
 def ensure_dispatch_id() -> str:
    """Return the bound ``dispatch_id`` if one is active, else a new one.
    Format matches :class:`NotificationDispatcher.dispatch` (``disp:<12 hex>``)
    so logs and ``EventLog.details.dispatch_id`` use a single shape. Callers
    typically wrap a top-level handler with::
        with bind_log_context(dispatch_id=ensure_dispatch_id()):
            ...
    so nested calls inherit the same id and any ``EventLog`` row written
    inside the block can be correlated with the dispatcher's log lines.
    """
    return dispatch_id_var.get() or f"disp:{uuid.uuid4().hex[:12]}"
 def current_log_context() -> dict[str, Any]:
    """Return a snapshot of the currently-bound context values (non-None)."""
    snap: dict[str, Any] = {}
@@ -64,3 +81,43 @@ def current_log_context() -> dict[str, Any]:
        if val is not None:
            snap[key] = val
    return snap
 # Keys copied onto ``EventLog.details`` so an operator can grep stderr for
 # the matching ``disp=``/``req=`` log lines after spotting a row in the UI.
 # Kept narrow on purpose — ``chat_id``/``bot_id``/``command`` are already
 # represented by dedicated EventLog columns.
 _CORRELATION_KEYS = ("dispatch_id", "request_id")
 def enrich_details_with_correlation(
    details: dict[str, Any] | None,
 ) -> dict[str, Any]:
    """Return a (shallow) copy of ``details`` with active correlation IDs merged in.
    Use this when constructing an ``EventLog.details`` dict so the persisted
    row carries the same ``dispatch_id`` / ``request_id`` that the stderr log
    lines emitted during the same dispatch carry. The mapping makes it
    possible to jump from a row in the dashboard to the corresponding log
    lines without server-side correlation.
    Existing keys in ``details`` are NOT overwritten — callers can pin a
    specific value (e.g. a synthetic dispatch_id for a backfilled row) by
    setting it themselves before calling.
    The copy is shallow. Nested mutable values (lists, dicts) are shared with
    the input — fine for the all-scalar dicts every current call site passes,
    but callers that intend to mutate after this returns should ``deepcopy``
    themselves.
    """
    result: dict[str, Any] = dict(details or {})
    for key in _CORRELATION_KEYS:
        if key in result:
            continue
        var = _VAR_MAP.get(key)
        if var is None:
            continue
        val = var.get()
        if val is not None:
            result[key] = val
    return result
@@ -65,6 +65,18 @@ class EventType(str, Enum):
    UPS_REPLACE_BATTERY = "ups_replace_battery"
    UPS_OVERLOAD = "ups_overload"
    # Home Assistant events
    HA_STATE_CHANGED = "ha_state_changed"
    HA_AUTOMATION_TRIGGERED = "ha_automation_triggered"
    HA_SERVICE_CALLED = "ha_service_called"
    HA_EVENT_FIRED = "ha_event_fired"
    # Bridge self-monitoring events — emitted by the bridge itself when
    # internal failures cross configured thresholds.
    BRIDGE_SELF_POLL_FAILURES = "bridge_self_poll_failures"
    BRIDGE_SELF_DEFERRED_BACKLOG = "bridge_self_deferred_backlog"
    BRIDGE_SELF_TARGET_FAILURES = "bridge_self_target_failures"
@dataclass
 class ServiceEvent:
@@ -5,13 +5,12 @@ from __future__ import annotations
 import asyncio
 import contextlib
 import logging
 import uuid
 from dataclasses import dataclass, field
 from typing import Any, AsyncIterator, Awaitable, Callable, Final
 import aiohttp
-from notify_bridge_core.log_context import bind_log_context, dispatch_id_var
+from notify_bridge_core.log_context import bind_log_context, ensure_dispatch_id
 from notify_bridge_core.models.events import ServiceEvent
 from notify_bridge_core.templates.context import build_template_context
 from notify_bridge_core.templates.renderer import render_template
@@ -107,6 +106,12 @@ class NotificationDispatcher:
        # Optional shared session owned by the caller; when supplied we reuse
        # its connection pool instead of opening a fresh per-dispatch session.
        self._shared_session = session
        # Per-dispatch render cache, keyed by locale. Populated by
        # ``_send_to_target`` and consumed inside ``_message_for_receiver``
        # so a 100-receiver fan-out renders each unique locale once.
        # Initialized to empty so handlers called outside the normal
        # dispatch path (tests) still see a valid dict.
        self._render_cache: dict[str, str] = {}
    @contextlib.asynccontextmanager
    async def _session_ctx(self) -> AsyncIterator[aiohttp.ClientSession]:
@@ -126,7 +131,7 @@ class NotificationDispatcher:
        Returns one result per target. Per-target failures are isolated;
        a single bad target cannot poison the batch.
        """
-        new_id = dispatch_id_var.get() or f"disp:{uuid.uuid4().hex[:12]}"
+        new_id = ensure_dispatch_id()
        with bind_log_context(dispatch_id=new_id):
            _LOGGER.info(
@@ -198,20 +203,49 @@ class NotificationDispatcher:
    def _message_for_receiver(
        self, receiver: Receiver, default_message: str,
        event: ServiceEvent, target: TargetConfig,
        cache: dict[str, str] | None = None,
    ) -> str:
-        if receiver.locale and receiver.locale != target.locale:
+        """Render message respecting receiver locale, with optional cache.
-            return self._render_message(event, target, receiver.locale)
+
-        return default_message
+        The ``cache`` dict (typically created in ``_send_to_target`` and
        threaded through the per-channel ``_send_*`` handlers) memoizes
        per-locale renders so a 100-receiver fan-out with two locales
        renders twice instead of one hundred times.
        """
        loc = receiver.locale or target.locale
        if loc == target.locale:
            return default_message
        if cache is not None:
            cached = cache.get(loc)
            if cached is not None:
                return cached
            rendered = self._render_message(event, target, loc)
            cache[loc] = rendered
            return rendered
        return self._render_message(event, target, loc)
    async def _send_to_target(
        self, event: ServiceEvent, target: TargetConfig
    ) -> dict[str, Any]:
-        """Dispatch to a single target via the registered handler."""
+        """Dispatch to a single target via the registered handler.
        Builds a per-locale render cache once and threads it through the
        send handler. The cache is keyed by receiver locale; the default
        locale's render lives in ``default_message`` and is short-circuited
        before any cache lookup.
        """
        default_message = self._render_message(event, target, target.locale)
        send_method = _PROVIDER_HANDLERS.get(target.type)
        if send_method is None:
            return {"success": False, "error": f"Unknown target type: {target.type}"}
-        return await send_method(self, target, default_message, event)
+        # Stash the cache on the dispatcher instance for the duration of
        # this dispatch — handlers pick it up via _message_for_receiver.
        # Avoids changing every _send_* signature.
        self._render_cache: dict[str, str] = {}
        try:
            return await send_method(self, target, default_message, event)
        finally:
            self._render_cache = {}
    # ------------------------------------------------------------------
    # Asset preload (Telegram-specific)
@@ -306,6 +340,7 @@ class NotificationDispatcher:
        max_size_mb = target.config.get("max_asset_size")
        max_size_bytes = max_size_mb * 1024 * 1024 if max_size_mb else None
        send_large_as_docs = target.config.get("send_large_photos_as_documents", False)
        send_large_videos_as_docs = target.config.get("send_large_videos_as_documents", False)
        if not bot_token:
            return {"success": False, "error": "Missing bot_token"}
@@ -352,11 +387,13 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, TelegramReceiver) or not receiver.chat_id:
                    return {"success": False, "error": "Invalid telegram receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                text_result = await client.send_message(
                    chat_id=receiver.chat_id,
                    text=message,
                    disable_web_page_preview=bool(disable_preview),
                    disable_notification=receiver.disable_notification,
                    message_thread_id=receiver.message_thread_id,
                )
                if not text_result.get("success"):
                    _LOGGER.warning(
@@ -374,22 +411,45 @@ class NotificationDispatcher:
                        chunk_delay=chunk_delay,
                        max_asset_data_size=max_size_bytes,
                        send_large_photos_as_documents=send_large_as_docs,
                        send_large_videos_as_documents=send_large_videos_as_docs,
                        chat_action=chat_action or None,
                        disable_notification=receiver.disable_notification,
                        message_thread_id=receiver.message_thread_id,
                    )
-                    if not media_result.get("success"):
+                    delivered = media_result.get("delivered_count", 0)
                    skipped = media_result.get("skipped_count", 0)
                    failed = media_result.get("failed_count", 0)
                    media_success = media_result.get("success", False)
                    has_partial_loss = skipped > 0 or failed > 0
                    if not media_success:
                        _LOGGER.warning(
-                            "Text sent OK but media failed for chat %s: %s",
+                            "Text sent OK but media failed for chat %s "
-                            receiver.chat_id, media_result.get("error"),
+                            "(delivered=%d skipped=%d failed=%d): %s",
                            receiver.chat_id, delivered, skipped, failed,
                            media_result.get("error"),
                        )
                    elif has_partial_loss:
                        _LOGGER.warning(
                            "Partial media delivery for chat %s "
                            "(delivered=%d skipped=%d failed=%d)",
                            receiver.chat_id, delivered, skipped, failed,
                        )
                    if not media_success or has_partial_loss:
                        # Preserve both outcomes — text succeeded, media
-                        # didn't. Operators losing media-failure detail
+                        # partially or fully didn't. Operators losing
-                        # in the result dict made root-cause analysis
+                        # media-failure detail made root-cause analysis
                        # impossible.
                        return {
                            "success": True,
                            "message_id": text_result.get("message_id"),
                            "media_error": media_result.get("error"),
                            "media_failed_at_chunk": media_result.get("failed_at_chunk"),
                            "media_delivered_count": delivered,
                            "media_skipped_count": skipped,
                            "media_failed_count": failed,
                            "media_errors": media_result.get("errors"),
                        }
                return text_result
@@ -407,7 +467,7 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, WebhookReceiver) or not receiver.url:
                    return {"success": False, "error": "Invalid webhook receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                payload = {
                    "message": message,
                    "event_type": event.event_type.value,
@@ -450,7 +510,7 @@ class NotificationDispatcher:
        async def send_one(receiver: Receiver) -> dict[str, Any]:
            if not isinstance(receiver, EmailReceiver) or not receiver.email:
                return {"success": False, "error": "Invalid email receiver"}
-            message = self._message_for_receiver(receiver, default_message, event, target)
+            message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
            # body_html=None lets EmailClient build a safely-escaped HTML
            # alternative from body_text instead of trusting user content.
            return await email_client.send(
@@ -479,7 +539,7 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, DiscordReceiver) or not receiver.webhook_url:
                    return {"success": False, "error": "Invalid discord receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                return await client.send(receiver.webhook_url, message, username=username)
            results = await self._fan_out(target.receivers, send_one)
@@ -501,7 +561,7 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, SlackReceiver) or not receiver.webhook_url:
                    return {"success": False, "error": "Invalid slack receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                return await client.send(receiver.webhook_url, message, username=username)
            results = await self._fan_out(target.receivers, send_one)
@@ -530,7 +590,7 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, NtfyReceiver) or not receiver.topic:
                    return {"success": False, "error": "Invalid ntfy receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                return await client.send(
                    server_url, receiver.topic, message,
                    title=title, priority=receiver.priority, auth_token=auth_token,
@@ -563,7 +623,7 @@ class NotificationDispatcher:
            async def send_one(receiver: Receiver) -> dict[str, Any]:
                if not isinstance(receiver, MatrixReceiver) or not receiver.room_id:
                    return {"success": False, "error": "Invalid matrix receiver"}
-                message = self._message_for_receiver(receiver, default_message, event, target)
+                message = self._message_for_receiver(receiver, default_message, event, target, cache=self._render_cache)
                # body_html is the same plain text — Matrix accepts the
                # raw message as both ``body`` and ``formatted_body``.
                # If templates emit HTML in the future, generate a
@@ -20,9 +20,21 @@ class Receiver:
@dataclass
 class TelegramReceiver(Receiver):
-    """Telegram chat receiver."""
+    """Telegram chat receiver.
    ``disable_notification`` toggles Telegram's ``disable_notification=true``
    flag — the message is delivered without an audible / vibration alert.
    Useful for low-priority chats that the user reads but doesn't want to
    be paged by.
    ``message_thread_id`` routes the send into a specific forum topic on a
    supergroup with topics enabled. ``None`` means "general topic" (default
    Telegram behaviour).
    """
    chat_id: str = ""
    disable_notification: bool = False
    message_thread_id: int | None = None
@dataclass
@@ -80,9 +92,30 @@ def _coerce_int(value: Any, default: int) -> int:
        return default
 def _coerce_telegram_thread_id(value: Any) -> int | None:
    """Coerce a config value to a positive Telegram forum-topic id.
    The Bot API treats omission, ``0``, and negative values all as
    "general topic", so we collapse them to ``None`` for consistency
    with the frontend (which rejects ``<= 0``). Booleans are explicitly
    rejected so ``int(True) == 1`` doesn't silently route a misconfigured
    chat into topic #1.
    """
    if value is None or value == "" or isinstance(value, bool):
        return None
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if n > 0 else None
 _RECEIVER_FACTORIES: dict[str, _ReceiverFactory] = {
    "telegram": lambda locale, config: TelegramReceiver(
-        locale=locale, config=config, chat_id=str(config.get("chat_id", "")),
+        locale=locale, config=config,
        chat_id=str(config.get("chat_id", "")),
        disable_notification=bool(config.get("disable_notification", False)),
        message_thread_id=_coerce_telegram_thread_id(config.get("message_thread_id")),
    ),
    "webhook": lambda locale, config: WebhookReceiver(
        locale=locale, config=config,
@@ -3,12 +3,14 @@
 from __future__ import annotations
 import asyncio
 import contextlib
 import json
 import logging
 import mimetypes
 import re
 from contextvars import ContextVar
 from dataclasses import dataclass, field
-from typing import Any, Callable, Final
+from typing import Any, Callable, Final, Iterator
 import aiohttp
 from aiohttp import FormData
@@ -19,6 +21,7 @@ from .cache import TelegramFileCache
 from .media import (
    TELEGRAM_API_BASE_URL,
    TELEGRAM_MAX_CAPTION_LENGTH,
    TELEGRAM_MAX_GROUP_TOTAL_BYTES,
    TELEGRAM_MAX_PHOTO_SIZE,
    TELEGRAM_MAX_TEXT_LENGTH,
    TELEGRAM_MAX_VIDEO_SIZE,
@@ -27,7 +30,6 @@ from .media import (
    extract_asset_id_from_url,
    is_asset_cache_key,
    is_asset_id,
    split_media_by_upload_size,
 )
 _LOGGER = logging.getLogger(__name__)
@@ -56,6 +58,68 @@ _UPLOAD_TIMEOUT: Final = aiohttp.ClientTimeout(total=120, connect=10)
 _DOWNLOAD_TIMEOUT: Final = aiohttp.ClientTimeout(total=120, connect=10)
 # ---------------------------------------------------------------------------
 # Per-send options (disable_notification, message_thread_id, …)
 # ---------------------------------------------------------------------------
 #
 # These are properties of a single send, not of the bot or the client, and
 # they fan out into the JSON / multipart payload at four different sites
 # (sendMessage, sendPhoto/Video/Document, sendMediaGroup, cache-hit POST).
 # Rather than threading the kwargs through every internal helper, we bind
 # them on a ContextVar inside the public ``send_message`` / ``send_notification``
 # entry points; the payload builders read the var when constructing the
 # request. ContextVar propagation isolates concurrent ``asyncio.gather``
 # fan-outs in the dispatcher (one task per receiver) — each task sees the
 # value its own caller bound.
@dataclass(frozen=True)
 class _SendOptions:
    """Per-send Telegram flags applied to every API call within one send.
    ``disable_notification`` maps to Bot API ``disable_notification=true``
    — the chat receives the message silently. ``message_thread_id`` routes
    the message into a specific forum-topic on supergroups with topics
    enabled; ``None`` means "general topic" (Bot API omits the field).
    """
    disable_notification: bool = False
    message_thread_id: int | None = None
 _send_options_var: ContextVar[_SendOptions] = ContextVar(
    "_tg_send_options", default=_SendOptions(),
 )
@contextlib.contextmanager
 def _bind_send_options(opts: _SendOptions) -> Iterator[None]:
    """Bind per-send options for the duration of the ``with`` block."""
    token = _send_options_var.set(opts)
    try:
        yield
    finally:
        _send_options_var.reset(token)
 def _apply_send_opts_to_payload(payload: dict[str, Any]) -> None:
    """Merge the active per-send options into a JSON request body."""
    opts = _send_options_var.get()
    if opts.disable_notification:
        payload["disable_notification"] = True
    if opts.message_thread_id is not None:
        payload["message_thread_id"] = opts.message_thread_id
 def _apply_send_opts_to_form(form: FormData) -> None:
    """Merge the active per-send options into a multipart form payload."""
    opts = _send_options_var.get()
    if opts.disable_notification:
        form.add_field("disable_notification", "true")
    if opts.message_thread_id is not None:
        form.add_field("message_thread_id", str(opts.message_thread_id))
 def _extract_retry_after(result: dict[str, Any]) -> int | None:
    """Return the retry_after seconds from a Telegram error response.
@@ -135,10 +199,27 @@ class _MediaItem:
    keyed by position. Bundling these together prevents the
    ``media_json`` and ``cache_info`` lists from drifting out of
    alignment under future edits.
    ``source_url`` and ``download_headers`` let the per-item fallback
    re-download a cache-hit item if its ``file_id`` POST returns
    transient errors — without them, a stale ``file_id`` would silently
    lose a cached asset that the original single-item path would have
    recovered.
    """
    media_json: dict[str, Any]
    cache_info: tuple[str, str, str | None, int] | None
    attachment: tuple[str, bytes, str, str] | None  # (name, data, filename, content_type)
    source_url: str | None = None
    download_headers: dict[str, str] | None = None
    @property
    def upload_bytes(self) -> int:
        """Bytes this item contributes to a multipart sendMediaGroup payload.
        Cached items (referenced by ``file_id``) contribute 0 since
        Telegram serves them server-side without us re-uploading.
        """
        return len(self.attachment[1]) if self.attachment else 0
 def _truncate(text: str, limit: int, *, marker: str = "…") -> str:
@@ -222,21 +303,48 @@ class TelegramClient:
        """SSRF-guarded GET that returns ``(data, error)``.
        Validates the URL via ``avalidate_outbound_url`` before any HTTP
-        traffic. Errors are returned (not raised) and stripped of any
+        traffic. Redirects are walked manually so each ``Location`` is
-        embedded secrets before they propagate to the operator-visible
+        re-validated — without this an attacker-controlled origin could
-        result dict.
+        302 to a private-IP target after the initial guard passed.
        Errors are returned (not raised) and stripped of any embedded
        secrets before they propagate to the operator-visible result
        dict.
        """
        max_redirects = 3
        current_url = url
        try:
-            await avalidate_outbound_url(url)
+            await avalidate_outbound_url(current_url)
        except UnsafeURLError as err:
            return None, f"Unsafe URL: {redact_exc(err)}"
        try:
-            async with self._session.get(
+            for _ in range(max_redirects + 1):
-                url, headers=headers or {}, timeout=_DOWNLOAD_TIMEOUT,
+                async with self._session.get(
-            ) as resp:
+                    current_url,
-                if resp.status != 200:
+                    headers=headers or {},
-                    return None, f"HTTP {resp.status}"
+                    timeout=_DOWNLOAD_TIMEOUT,
-                return await resp.read(), None
+                    allow_redirects=False,
                ) as resp:
                    if resp.status in (301, 302, 303, 307, 308):
                        loc = resp.headers.get("Location")
                        if not loc:
                            return None, f"HTTP {resp.status} without Location header"
                        # ``resp.url`` is a yarl.URL; ``.join`` resolves
                        # relative redirects (``/foo/bar``) against it.
                        from yarl import URL as _URL
                        try:
                            next_url = str(resp.url.join(_URL(loc)))
                        except (ValueError, TypeError):
                            return None, "Malformed redirect Location"
                        try:
                            await avalidate_outbound_url(next_url)
                        except UnsafeURLError as err:
                            return None, f"Unsafe redirect: {redact_exc(err)}"
                        current_url = next_url
                        continue
                    if resp.status != 200:
                        return None, f"HTTP {resp.status}"
                    return await resp.read(), None
            return None, f"Too many redirects (>{max_redirects})"
        except (aiohttp.ClientError, asyncio.TimeoutError, OSError) as err:
            return None, redact_exc(err)
@@ -275,6 +383,7 @@ class TelegramClient:
            payload["caption"] = _truncate(caption, TELEGRAM_MAX_CAPTION_LENGTH)
        if reply_to_message_id is not None:
            payload["reply_parameters"] = {"message_id": reply_to_message_id}
        _apply_send_opts_to_payload(payload)
        try:
            async with self._session.post(
                self._api_url(kind.api_method), json=payload, timeout=_API_TIMEOUT,
@@ -324,6 +433,7 @@ class TelegramClient:
                f.add_field("caption", capped_caption)
            if reply_to_message_id is not None:
                f.add_field("reply_parameters", json.dumps({"message_id": reply_to_message_id}))
            _apply_send_opts_to_form(f)
            return f
        for attempt in range(1, _TG_429_MAX_ATTEMPTS + 1):
@@ -388,18 +498,54 @@ class TelegramClient:
        chunk_delay: int = 0,
        max_asset_data_size: int | None = None,
        send_large_photos_as_documents: bool = False,
        send_large_videos_as_documents: bool = False,
        chat_action: str | None = "typing",
        *,
        disable_notification: bool = False,
        message_thread_id: int | None = None,
    ) -> NotificationResult:
        if not assets:
            return await self.send_message(
                chat_id, caption or "", reply_to_message_id,
                disable_web_page_preview, parse_mode,
                disable_notification=disable_notification,
                message_thread_id=message_thread_id,
            )
        keepalive: _KeepaliveHandle | None = None
        if chat_action:
            keepalive = self.start_chat_action_keepalive(chat_id, chat_action)
        # Bind for the whole media-send fan-out — every internal helper
        # (_send_photo / _send_video / _send_document / _send_media_group /
        # _post_media_group / _send_from_cache / _upload_media) reads the
        # current value when it constructs its request payload.
        opts = _SendOptions(
            disable_notification=disable_notification,
            message_thread_id=message_thread_id,
        )
        with _bind_send_options(opts):
            return await self._send_notification_body(
                chat_id, assets, caption, reply_to_message_id, parse_mode,
                max_group_size, chunk_delay, max_asset_data_size,
                send_large_photos_as_documents, send_large_videos_as_documents,
                keepalive,
            )
    async def _send_notification_body(
        self,
        chat_id: str,
        assets: list[dict[str, Any]],
        caption: str | None,
        reply_to_message_id: int | None,
        parse_mode: str,
        max_group_size: int,
        chunk_delay: int,
        max_asset_data_size: int | None,
        send_large_photos_as_documents: bool,
        send_large_videos_as_documents: bool,
        keepalive: _KeepaliveHandle | None,
    ) -> NotificationResult:
        try:
            if len(assets) == 1 and assets[0].get("type") == "photo":
                return await self._send_photo(
@@ -416,6 +562,7 @@ class TelegramClient:
                    assets[0].get("content_type"), assets[0].get("cache_key"),
                    download_headers=assets[0].get("headers"),
                    preloaded_data=assets[0].get("data"),
                    send_large_videos_as_documents=send_large_videos_as_documents,
                )
            if len(assets) == 1 and assets[0].get("type", "document") == "document":
                url = assets[0].get("url")
@@ -438,7 +585,7 @@ class TelegramClient:
            return await self._send_media_group(
                chat_id, assets, caption, reply_to_message_id, max_group_size,
                chunk_delay, parse_mode, max_asset_data_size,
-                send_large_photos_as_documents,
+                send_large_photos_as_documents, send_large_videos_as_documents,
            )
        finally:
            await self.stop_keepalive(keepalive)
@@ -450,6 +597,9 @@ class TelegramClient:
        reply_to_message_id: int | None = None,
        disable_web_page_preview: bool | None = None,
        parse_mode: str = "HTML",
        *,
        disable_notification: bool = False,
        message_thread_id: int | None = None,
    ) -> NotificationResult:
        if not text:
            _LOGGER.warning("send_message called with empty text — using placeholder")
@@ -463,7 +613,19 @@ class TelegramClient:
            payload["reply_parameters"] = {"message_id": reply_to_message_id}
        if disable_web_page_preview:
            payload["link_preview_options"] = {"is_disabled": True}
        # sendMessage is a leaf call — its kwargs go straight into the
        # JSON body. The ContextVar pattern is reserved for the deeper
        # media paths (``_upload_media`` / ``_post_media_group`` /
        # ``_send_from_cache``) that can't easily plumb kwargs through.
        if disable_notification:
            payload["disable_notification"] = True
        if message_thread_id is not None:
            payload["message_thread_id"] = message_thread_id
        return await self._post_send_message(payload)
    async def _post_send_message(
        self, payload: dict[str, Any],
    ) -> NotificationResult:
        url = self._api_url("sendMessage")
        try:
            async with self._session.post(url, json=payload, timeout=_API_TIMEOUT) as response:
@@ -624,6 +786,7 @@ class TelegramClient:
        max_asset_data_size: int | None = None, content_type: str | None = None,
        cache_key: str | None = None, download_headers: dict[str, str] | None = None,
        preloaded_data: bytes | None = None,
        send_large_videos_as_documents: bool = False,
    ) -> NotificationResult:
        if not url:
            return {"success": False, "error": "Missing 'url' for video"}
@@ -645,6 +808,18 @@ class TelegramClient:
        if max_asset_data_size is not None and len(data) > max_asset_data_size:
            return {"success": False, "error": "Video exceeds size limit", "skipped": True}
        if len(data) > TELEGRAM_MAX_VIDEO_SIZE:
            # Telegram's sendVideo hard-caps at 50 MB. Documents accept
            # up to 2 GB, so when the operator opts in we deliver the
            # bytes as a document instead of silently dropping the asset.
            # Loses inline playback but preserves delivery.
            if send_large_videos_as_documents:
                filename = url.split("/")[-1].split("?")[0] or "video.mp4"
                if "." not in filename:
                    filename = "video.mp4"
                return await self._send_document(
                    chat_id, data, filename, caption, reply_to_message_id,
                    parse_mode, url, content_type, cache_key,
                )
            return {
                "success": False,
                "error": f"Video exceeds Telegram's {TELEGRAM_MAX_VIDEO_SIZE // (1024*1024)} MB limit",
@@ -696,6 +871,7 @@ class TelegramClient:
        caption: str | None = None, reply_to_message_id: int | None = None,
        max_group_size: int = 10, chunk_delay: int = 0, parse_mode: str = "HTML",
        max_asset_data_size: int | None = None, send_large_photos_as_documents: bool = False,
        send_large_videos_as_documents: bool = False,
    ) -> NotificationResult:
        # Telegram rejects mixed photo/video + document in a single
        # sendMediaGroup. Split before chunking so a malformed input
@@ -703,75 +879,293 @@ class TelegramClient:
        partitions = self._partition_media_by_kind(assets)
        all_message_ids: list[int] = []
-        first_chunk_overall = True
+        errors: list[dict[str, Any]] = []
        delivered = 0
        skipped = 0
        failed = 0
        first_send = True
        # Oversized videos that the operator wants delivered as
        # documents. Sent after all media-group chunks finish so
        # they ride out on their own (Telegram refuses to mix
        # documents with photo/video in one group).
        deferred_documents: list[_MediaItem] = []
        # Caption + reply_to are "spent" on the first send attempt,
        # mirroring the prior contract. If that first attempt fails
        # entirely, they're lost — same as before. Tracking these as
        # standalone flags (rather than deriving from ``chunk_idx==0``)
        # keeps the semantics right across multiple partitions.
        caption_pending = bool(caption)
        reply_pending = reply_to_message_id is not None
        async def maybe_delay() -> None:
            nonlocal first_send
            if not first_send and chunk_delay > 0:
                await asyncio.sleep(chunk_delay / 1000)
            first_send = False
        for partition in partitions:
            chunks = [
                partition[i:i + max_group_size]
                for i in range(0, len(partition), max_group_size)
            ]
            for chunk_idx, chunk in enumerate(chunks):
-                if not first_chunk_overall and chunk_delay > 0:
+                # Fetch + filter the parent chunk. Skipped items
-                    await asyncio.sleep(chunk_delay / 1000)
+                # (oversized, bad photo, failed download) never enter
-
+                # ``items`` — count them so the operator-facing result
-                # Single-item chunk → use the simpler send_photo/video path.
+                # reflects what actually went out vs got dropped.
-                if len(chunk) == 1:
+                # Oversized videos opted into doc-fallback get
-                    item = chunk[0]
+                # deferred — they're delivered (eventually) so they
-                    chunk_caption = caption if first_chunk_overall else None
+                # don't count as skipped.
-                    chunk_reply = reply_to_message_id if first_chunk_overall else None
+                items, chunk_deferred = await self._build_media_items(
-                    if item.get("type") == "photo":
+                    chunk, max_asset_data_size, send_large_videos_as_documents,
                        result = await self._send_photo(
                            chat_id, item.get("url"), chunk_caption, chunk_reply, parse_mode,
                            max_asset_data_size, send_large_photos_as_documents,
                            item.get("content_type"), item.get("cache_key"),
                            download_headers=item.get("headers"),
                            preloaded_data=item.get("data"),
                        )
                    elif item.get("type") == "video":
                        result = await self._send_video(
                            chat_id, item.get("url"), chunk_caption, chunk_reply, parse_mode,
                            max_asset_data_size,
                            item.get("content_type"), item.get("cache_key"),
                            download_headers=item.get("headers"),
                            preloaded_data=item.get("data"),
                        )
                    else:
                        first_chunk_overall = False
                        continue
                    first_chunk_overall = False
                    if not result.get("success"):
                        result["failed_at_chunk"] = chunk_idx + 1
                        return result
                    if result.get("message_id") is not None:
                        all_message_ids.append(result["message_id"])
                    continue
                items = await self._build_media_items(
                    chunk, max_asset_data_size, caption if first_chunk_overall else None,
                    parse_mode,
                )
                deferred_documents.extend(chunk_deferred)
                skipped += len(chunk) - len(items) - len(chunk_deferred)
                if not items:
                    _LOGGER.warning(
-                        "sendMediaGroup skipped — chunk %d/%d had %d input items but 0 usable (all filtered/failed)",
+                        "sendMediaGroup: chunk %d/%d had %d input items but 0 usable",
                        chunk_idx + 1, len(chunks), len(chunk),
                    )
                    first_chunk_overall = False
                    continue
-                chunk_msg_ids, chunk_err = await self._post_media_group(
+                # Split the chunk into sub-chunks that each fit under
-                    chat_id, items, reply_to_message_id if first_chunk_overall else None,
+                # Telegram's per-request byte cap. Per-item filtering
-                    chunk_idx, len(chunks),
+                # alone can't prevent 413s when several legal-sized
                # items together bust the envelope.
                sub_chunks = self._split_items_by_byte_budget(
                    items, TELEGRAM_MAX_GROUP_TOTAL_BYTES,
                )
-                first_chunk_overall = False
+                if len(sub_chunks) > 1:
-                if chunk_err is not None:
+                    _LOGGER.info(
-                    return chunk_err
+                        "sendMediaGroup: byte-budget split chunk %d/%d into %d sub-chunks",
-                all_message_ids.extend(chunk_msg_ids)
+                        chunk_idx + 1, len(chunks), len(sub_chunks),
                    )
-        if not all_message_ids:
+                for sub_items in sub_chunks:
-            _LOGGER.warning(
+                    await maybe_delay()
-                "sendMediaGroup completed with 0 message_ids — nothing was delivered",
+                    sub_caption = caption if caption_pending else None
                    sub_reply = reply_to_message_id if reply_pending else None
                    caption_pending = False
                    reply_pending = False
                    if sub_caption:
                        self._attach_caption_to_first(
                            sub_items, sub_caption, parse_mode,
                        )
                    msg_ids, err = await self._post_media_group(
                        chat_id, sub_items, sub_reply, chunk_idx, len(chunks),
                    )
                    if err is None:
                        all_message_ids.extend(msg_ids)
                        delivered += len(sub_items)
                        continue
                    # Telegram rejected the sub-chunk after our
                    # pre-flight passed (content / transient / rate).
                    # Try each item as its own message so partial
                    # delivery survives the chunk-level failure.
                    # Record the chunk-level cause first so the
                    # operator-visible ``errors`` list reads in
                    # cause-then-consequence order.
                    _LOGGER.warning(
                        "sendMediaGroup chunk %d/%d failed (%s) — falling back to per-item",
                        chunk_idx + 1, len(chunks), err.get("error"),
                    )
                    errors.append({
                        "kind": "chunk",
                        "chunk": chunk_idx + 1,
                        "error": err.get("error", "unknown"),
                        "code": err.get("error_code"),
                    })
                    for item_idx, item in enumerate(sub_items):
                        item_caption = sub_caption if item_idx == 0 else None
                        item_reply = sub_reply if item_idx == 0 else None
                        # No ``maybe_delay()`` here: per-item retries
                        # are a recovery path where added latency
                        # only widens the outage window — the
                        # individual sendPhoto/sendVideo calls have
                        # their own 429 backoff in ``_upload_media``.
                        item_result = await self._send_item_individually(
                            chat_id, item, item_caption, item_reply, parse_mode,
                        )
                        if item_result.get("success"):
                            delivered += 1
                            mid = item_result.get("message_id")
                            if mid is not None:
                                all_message_ids.append(mid)
                        else:
                            failed += 1
                            errors.append({
                                "kind": "item",
                                "chunk": chunk_idx + 1,
                                "item_index": item_idx,
                                "error": item_result.get("error", "unknown"),
                            })
        # Deferred oversized-videos-as-documents: send each on its own
        # via sendDocument. They couldn't ride in the media group
        # because Telegram refuses to mix document with photo/video,
        # and per-item failures don't poison siblings.
        for deferred in deferred_documents:
            await maybe_delay()
            d_caption = caption if caption_pending else None
            d_reply = reply_to_message_id if reply_pending else None
            caption_pending = False
            reply_pending = False
            d_result = await self._send_item_individually(
                chat_id, deferred, d_caption, d_reply, parse_mode,
            )
-            return {"success": False, "error": "no_items_delivered"}
+            if d_result.get("success"):
-        return {"success": True, "message_ids": all_message_ids}
+                delivered += 1
                mid = d_result.get("message_id")
                if mid is not None:
                    all_message_ids.append(mid)
            else:
                failed += 1
                errors.append({
                    "kind": "deferred_document",
                    "error": d_result.get("error", "unknown"),
                })
        if delivered == 0:
            if skipped > 0 and not errors:
                msg = f"all {skipped} item(s) filtered before send"
            elif errors:
                msg = errors[0].get("error", "no_items_delivered")
            else:
                msg = "no_items_delivered"
            _LOGGER.warning(
                "sendMediaGroup delivered 0 items (skipped=%d failed=%d)",
                skipped, failed,
            )
            return {
                "success": False,
                "error": msg,
                "message_ids": [],
                "delivered_count": 0,
                "skipped_count": skipped,
                "failed_count": failed,
                "errors": errors or None,
                "failed_at_chunk": errors[0].get("chunk") if errors else None,
            }
        return {
            "success": True,
            "message_ids": all_message_ids,
            "delivered_count": delivered,
            "skipped_count": skipped,
            "failed_count": failed,
            "errors": errors or None,
        }
    @staticmethod
    def _split_items_by_byte_budget(
        items: list[_MediaItem], max_bytes: int,
    ) -> list[list[_MediaItem]]:
        """Greedy-pack ``items`` into sub-chunks under ``max_bytes`` each.
        Cached items (``upload_bytes == 0``) are free and never force a
        split. A single item that on its own exceeds the budget is
        placed alone — letting Telegram return a precise error rather
        than dropping it silently. Order is preserved so caption
        attachment stays deterministic.
        """
        if not items:
            return []
        groups: list[list[_MediaItem]] = []
        current: list[_MediaItem] = []
        current_size = 0
        for item in items:
            cost = item.upload_bytes
            if current and current_size + cost > max_bytes:
                groups.append(current)
                current = []
                current_size = 0
            current.append(item)
            current_size += cost
        if current:
            groups.append(current)
        return groups
    @staticmethod
    def _attach_caption_to_first(
        items: list[_MediaItem], caption: str, parse_mode: str,
    ) -> None:
        """Inject caption + parse_mode into the first item's media_json.
        Telegram displays the caption of the first media-group item; the
        rest are ignored. Idempotent — re-attaching simply overwrites.
        """
        if not items:
            return
        items[0].media_json["caption"] = _truncate(caption, TELEGRAM_MAX_CAPTION_LENGTH)
        items[0].media_json["parse_mode"] = parse_mode
    async def _send_item_individually(
        self, chat_id: str, item: _MediaItem,
        caption: str | None, reply_to_message_id: int | None,
        parse_mode: str,
    ) -> NotificationResult:
        """Send one ``_MediaItem`` as a standalone sendPhoto/sendVideo/sendDocument.
        Used as the per-item fallback when sendMediaGroup itself
        rejects a sub-chunk after pre-flight passed. Reuses already-
        fetched bytes for fresh items; for cache-hit items that fail
        the file_id POST, re-downloads from ``source_url`` so a stale
        ``file_id`` doesn't silently lose an asset — the original
        single-item path does the same recovery.
        """
        media_type = item.media_json.get("type") or "photo"
        if media_type == "photo":
            kind = _PHOTO_KIND
        elif media_type == "video":
            kind = _VIDEO_KIND
        else:
            kind = _DOCUMENT_KIND
        cache: TelegramFileCache | None = None
        cache_key: str | None = None
        thumbhash: str | None = None
        if item.cache_info is not None:
            ck, _ck_type, ck_thumb, _ck_size = item.cache_info
            cache = self._get_cache_for_key(ck)
            cache_key = ck
            thumbhash = ck_thumb
        # Cached items have no attachment bytes — POST the file_id
        # reference first; if that fails transiently, re-download via
        # source_url and upload fresh. This matches what _send_photo /
        # _send_video do for their cache path.
        if item.attachment is None:
            file_id = item.media_json.get("media", "")
            if file_id and not file_id.startswith("attach://"):
                cached_result = await self._send_from_cache(
                    kind, chat_id, file_id, caption, reply_to_message_id, parse_mode,
                )
                if cached_result is not None:
                    return cached_result
            if not item.source_url:
                return {"success": False, "error": "Cached fallback send failed (no source URL)"}
            data, err = await self._safe_get(
                self._resolve_url(item.source_url), item.download_headers,
            )
            if data is None:
                return {"success": False, "error": f"Re-download failed: {err}"}
            return await self._upload_media(
                kind, chat_id, data,
                kind.default_filename, kind.default_content_type,
                caption, reply_to_message_id, parse_mode,
                cache, cache_key, thumbhash,
            )
        _, data, filename, content_type = item.attachment
        return await self._upload_media(
            kind, chat_id, data, filename, content_type,
            caption, reply_to_message_id, parse_mode,
            cache, cache_key, thumbhash,
        )
    @staticmethod
    def _partition_media_by_kind(
@@ -803,23 +1197,40 @@ class TelegramClient:
        self,
        chunk: list[dict[str, Any]],
        max_asset_data_size: int | None,
-        first_caption: str | None,
+        send_large_videos_as_documents: bool = False,
-        parse_mode: str,
+    ) -> tuple[list[_MediaItem], list[_MediaItem]]:
    ) -> list[_MediaItem]:
        """Fetch + filter a chunk and return aligned media-group items.
        Returns ``(items, deferred_documents)`` — ``items`` go into
        sendMediaGroup, ``deferred_documents`` are oversized videos
        retagged as documents (when the caller opted in) that will be
        sent individually via ``_send_item_individually`` *after* the
        group sends. Telegram rejects mixing documents with photo/video
        in one group, so they have to ride out separately.
        Concurrency is bounded by ``_MEDIA_FETCH_CONCURRENCY`` so peak
        memory stays predictable. Per-fetch exceptions are isolated via
        ``return_exceptions=True`` so a single failed download cannot
        cancel its peers.
        Caption injection is intentionally NOT performed here — callers
        attach the caption after byte-budget sub-splitting so it lands
        on the first item of the first delivered sub-chunk.
        """
        sem = asyncio.Semaphore(_MEDIA_FETCH_CONCURRENCY)
-        async def fetch(idx: int, item: dict[str, Any]) -> tuple[int, dict | None, bytes | None]:
+        async def fetch(
            idx: int, item: dict[str, Any],
        ) -> tuple[int, dict | None, bytes | None, bool]:
            """Returns ``(idx, cached_entry, data, defer_as_document)``.
            ``defer_as_document=True`` signals "video bytes valid but
            too big for sendVideo — caller should send as document".
            """
            url = item.get("url")
            if not url:
                _LOGGER.warning("Media skipped: missing url (idx=%d type=%s)", idx, item.get("type"))
-                return idx, None, None
+                return idx, None, None, False
            media_type = item.get("type", "photo")
            custom_cache_key = item.get("cache_key")
@@ -833,7 +1244,7 @@ class TelegramClient:
            )
            cached = item_cache.get(ck, thumbhash=item_thumbhash) if item_cache else None
            if cached and cached.get("file_id"):
-                return idx, cached, None
+                return idx, cached, None, False
            preloaded = item.get("data")
            data: bytes | None
@@ -847,34 +1258,40 @@ class TelegramClient:
                        "Media skipped: download failed (idx=%d type=%s): %s",
                        idx, media_type, err,
                    )
-                    return idx, None, None
+                    return idx, None, None, False
            if max_asset_data_size and len(data) > max_asset_data_size:
                _LOGGER.warning(
                    "Media skipped: size %d exceeds max_asset_data_size %d (idx=%d type=%s)",
                    len(data), max_asset_data_size, idx, media_type,
                )
-                return idx, None, None
+                return idx, None, None, False
            if media_type == "video" and len(data) > TELEGRAM_MAX_VIDEO_SIZE:
                if send_large_videos_as_documents:
                    _LOGGER.info(
                        "Video %d bytes over Telegram limit (idx=%d) — deferring as document",
                        len(data), idx,
                    )
                    return idx, None, data, True
                _LOGGER.warning(
                    "Media skipped: video %d bytes exceeds Telegram limit %d (idx=%d)",
                    len(data), TELEGRAM_MAX_VIDEO_SIZE, idx,
                )
-                return idx, None, None
+                return idx, None, None, False
            if media_type == "photo":
                exceeds, reason, _, _ = check_photo_limits(data)
                if exceeds:
                    _LOGGER.warning(
                        "Media skipped: photo %s (idx=%d)", reason, idx,
                    )
-                    return idx, None, None
+                    return idx, None, None, False
-            return idx, None, data
+            return idx, None, data, False
        raw = await asyncio.gather(
            *(fetch(i, item) for i, item in enumerate(chunk)),
            return_exceptions=True,
        )
-        results: list[tuple[int, dict | None, bytes | None]] = []
+        results: list[tuple[int, dict | None, bytes | None, bool]] = []
        for entry in raw:
            if isinstance(entry, Exception):
                _LOGGER.warning("Media fetch raised: %s", redact_exc(entry))
@@ -882,8 +1299,9 @@ class TelegramClient:
            results.append(entry)
        items: list[_MediaItem] = []
        deferred_documents: list[_MediaItem] = []
        upload_idx = 0
-        for idx, cached_entry, data in results:
+        for idx, cached_entry, data, defer_as_document in results:
            item = chunk[idx]
            url = item.get("url")
            if not url:
@@ -891,6 +1309,35 @@ class TelegramClient:
            media_type = item.get("type") or "photo"
            custom_cache_key = item.get("cache_key")
            # Deferred videos-as-documents are NEVER cache hits (the
            # cache lookup branch returns early before the size check),
            # so we always have fresh bytes here. Retag the
            # media_json so ``_send_item_individually`` routes via
            # ``_DOCUMENT_KIND`` to /sendDocument.
            if defer_as_document and data is not None:
                ct = item.get("content_type") or "video/mp4"
                # Best-effort filename preserves the original
                # extension so Telegram clients give it a sensible
                # icon and the recipient can re-open it.
                fname = url.split("/")[-1].split("?")[0] or "video.mp4"
                if "." not in fname:
                    fname = "video.mp4"
                ck = custom_cache_key or extract_asset_id_from_url(url) or url
                ck_is_asset = is_asset_cache_key(ck)
                bare_ck = asset_id_from_cache_key(ck) if ck_is_asset else ck
                th = (
                    self._thumbhash_resolver(bare_ck)
                    if ck_is_asset and self._thumbhash_resolver else None
                )
                deferred_documents.append(_MediaItem(
                    media_json={"type": "document", "media": "attach://deferred"},
                    cache_info=(ck, "document", th, len(data)),
                    attachment=("deferred", data, fname, ct),
                    source_url=url,
                    download_headers=item.get("headers"),
                ))
                continue
            if cached_entry and cached_entry.get("file_id"):
                mij: dict[str, Any] = {"type": media_type, "media": cached_entry["file_id"]}
                cache_info: tuple[str, str, str | None, int] | None = None
@@ -913,14 +1360,14 @@ class TelegramClient:
            else:
                continue
-            if first_caption and not items:
+            items.append(_MediaItem(
-                # Only the first usable item in the first chunk receives
+                media_json=mij,
-                # the caption, per Telegram's media-group semantics.
+                cache_info=cache_info,
-                mij["caption"] = _truncate(first_caption, TELEGRAM_MAX_CAPTION_LENGTH)
+                attachment=attachment,
-                mij["parse_mode"] = parse_mode
+                source_url=url,
-
+                download_headers=item.get("headers"),
-            items.append(_MediaItem(media_json=mij, cache_info=cache_info, attachment=attachment))
+            ))
-        return items
+        return items, deferred_documents
    async def _post_media_group(
        self,
@@ -946,6 +1393,7 @@ class TelegramClient:
            for name, payload, filename, ct in attachments:
                f.add_field(name, payload, filename=filename, content_type=ct)
            f.add_field("media", json.dumps(media_json))
            _apply_send_opts_to_form(f)
            return f
        for attempt in range(1, _TG_429_MAX_ATTEMPTS + 1):
@@ -13,6 +13,11 @@ _LOGGER = logging.getLogger(__name__)
 TELEGRAM_API_BASE_URL: Final = "https://api.telegram.org/bot"
 TELEGRAM_MAX_PHOTO_SIZE: Final = 10 * 1024 * 1024  # 10 MB
 TELEGRAM_MAX_VIDEO_SIZE: Final = 50 * 1024 * 1024  # 50 MB
 # Telegram's sendMediaGroup envelope tops out near 50 MB total (multipart
 # bytes including form overhead). 45 MB keeps a safety margin so we don't
 # eat 413s when the per-item budget admits items that, summed, would
 # bust Telegram's request cap.
 TELEGRAM_MAX_GROUP_TOTAL_BYTES: Final = 45 * 1024 * 1024  # 45 MB
 TELEGRAM_MAX_DIMENSION_SUM: Final = 10000
 # Telegram message-text limit (sendMessage) and caption limit
 # (sendPhoto/sendVideo/sendDocument/first item of sendMediaGroup).
@@ -126,36 +131,6 @@ def build_telegram_asset_entry(
    return entry
 def split_media_by_upload_size(
    media_items: list[tuple], max_upload_size: int
 ) -> list[list[tuple]]:
    """Split media items into sub-groups respecting upload size limit."""
    if not media_items:
        return []
    groups: list[list[tuple]] = []
    current_group: list[tuple] = []
    current_size = 0
    for item in media_items:
        media_ref = item[1]
        is_cached = item[4]
        item_size = 0 if is_cached else (len(media_ref) if isinstance(media_ref, bytes) else 0)
        if current_group and current_size + item_size > max_upload_size:
            groups.append(current_group)
            current_group = []
            current_size = 0
        current_group.append(item)
        current_size += item_size
    if current_group:
        groups.append(current_group)
    return groups
 def check_photo_limits(
    data: bytes,
 ) -> tuple[bool, str | None, int | None, int | None]:
@@ -4,7 +4,7 @@ from __future__ import annotations
 from abc import ABC, abstractmethod
 from enum import Enum
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, Awaitable, Callable
 if TYPE_CHECKING:
    from notify_bridge_core.models.events import ServiceEvent
@@ -21,6 +21,14 @@ class ServiceProviderType(str, Enum):
    NUT = "nut"
    GOOGLE_PHOTOS = "google_photos"
    WEBHOOK = "webhook"
    HOME_ASSISTANT = "home_assistant"
    BRIDGE_SELF = "bridge_self"
 # Callback signature for push-style providers: a coroutine that accepts a
 # parsed ServiceEvent and is expected to enqueue it for dispatch. Returning
 # None keeps the contract narrow — error handling stays inside the callback.
 EventEmitCallback = Callable[["ServiceEvent"], Awaitable[None]]
 class ServiceProvider(ABC):
@@ -28,10 +36,27 @@ class ServiceProvider(ABC):
    A service provider connects to an external service (e.g., Immich photo server)
    and can poll for changes, producing generic ServiceEvent objects.
    Two ingest modes coexist on this base class:
    * Polling providers (Immich, NUT, Google Photos, Scheduler) implement
      :meth:`poll` and leave :attr:`supports_subscription` False.
    * Webhook providers (Gitea, Planka, generic Webhook) no-op :meth:`poll`
      and receive events out-of-band via ``api/webhooks.py``.
    * Subscription providers (Home Assistant) flip
      :attr:`supports_subscription` to True and implement :meth:`subscribe`
      to run a long-lived task that pushes events through an
      ``emit`` callback. They typically no-op :meth:`poll`.
    """
    provider_type: ServiceProviderType
    # When True, the lifecycle layer (server-side subscription manager) starts
    # a long-running task that calls :meth:`subscribe` instead of registering
    # this provider with the polling scheduler. Default False keeps the
    # legacy poll/webhook flow intact for every existing provider.
    supports_subscription: bool = False
    @abstractmethod
    async def connect(self) -> bool:
        """Connect to the service and verify connectivity.
@@ -59,6 +84,27 @@ class ServiceProvider(ABC):
            Tuple of (list of events detected, updated state dict).
        """
    async def subscribe(self, emit: EventEmitCallback) -> None:
        """Run a long-lived subscription that calls ``emit`` for each event.
        Override on providers with :attr:`supports_subscription` = True. The
        implementation is expected to:
        * Loop until cancelled (the subscription manager uses
          :func:`asyncio.Task.cancel` on shutdown).
        * Handle its own reconnect with exponential backoff — never propagate
          transient network errors to the caller.
        * Pass parsed :class:`ServiceEvent` instances to ``emit`` for
          enqueueing/dispatch. The callback is responsible for routing.
        The default implementation raises :class:`NotImplementedError` so
        accidental wiring of a polling provider into the subscription manager
        fails loudly rather than silently doing nothing.
        """
        raise NotImplementedError(
            f"{type(self).__name__} does not support subscription-based ingest"
        )
    @abstractmethod
    def get_available_variables(self) -> list[TemplateVariableDefinition]:
        """Return the template variables this provider makes available."""
@@ -0,0 +1,39 @@
 """Bridge self-monitoring service provider.
 Unlike external providers (Immich, Gitea, NUT, ...), the ``bridge_self``
 provider does not connect to any remote service. Its sole purpose is to
 give operators a configurable surface (thresholds + notification slots
 + trackers + targets) for events that the bridge itself emits when its
 internal subsystems fail.
 Three failure conditions are surfaced as :class:`ServiceEvent` instances
 through the same dispatch pipeline that all other providers use:
 * ``bridge_self_poll_failures``    — N consecutive poll failures for
  any tracker exceed the configured threshold.
 * ``bridge_self_deferred_backlog`` — pending ``deferred_dispatch`` row
  count crosses the configured threshold.
 * ``bridge_self_target_failures``  — N consecutive 5xx / network failures
  for a single notification target.
 Events are constructed by ``services/bridge_self.py`` on the server side
 (it owns DB access for looking up the bridge_self provider per user)
 and then fed into ``dispatch_provider_event`` like any other event.
 """
 from notify_bridge_core.providers.base import ServiceProviderType
 from notify_bridge_core.templates.variables import registry
 from .event_parser import build_event
 from .provider import BRIDGE_SELF_VARIABLES, BridgeSelfServiceProvider
 # Register variables so the validator and template-vars API see them.
 registry.register_provider_variables(
    ServiceProviderType.BRIDGE_SELF, BRIDGE_SELF_VARIABLES,
 )
 __all__ = [
    "BRIDGE_SELF_VARIABLES",
    "BridgeSelfServiceProvider",
    "build_event",
 ]
@@ -0,0 +1,89 @@
 """Bridge self-monitoring event parser.
 The bridge generates these events from internal subsystems (watcher,
 scheduler, dispatcher) — the parser turns a flat payload dict into the
 generic :class:`ServiceEvent` shape that the rest of the dispatch
 pipeline expects.
 Payload shape::
    {
        "failure_type": "poll_failures" | "deferred_backlog" | "target_failures",
        "subject_id":   int,        # tracker_id, target_id, or 0
        "subject_name": str,
        "count":        int,        # consecutive failures or pending count
        "threshold":    int,
        "last_error":   str,        # may be empty
        "details":      dict[str, Any],  # extra context
    }
 """
 from __future__ import annotations
 from datetime import datetime, timezone
 from typing import Any
 from notify_bridge_core.models.events import EventType, ServiceEvent
 from notify_bridge_core.providers.base import ServiceProviderType
 # Defensive cap on the persisted error message; very long tracebacks would
 # bloat the EventLog details JSON column otherwise.
 _MAX_ERROR_LEN = 1000
 _FAILURE_TYPE_TO_EVENT: dict[str, EventType] = {
    "poll_failures": EventType.BRIDGE_SELF_POLL_FAILURES,
    "deferred_backlog": EventType.BRIDGE_SELF_DEFERRED_BACKLOG,
    "target_failures": EventType.BRIDGE_SELF_TARGET_FAILURES,
 }
 def build_event(
    payload: dict[str, Any],
    *,
    provider_name: str = "Bridge Self-Monitoring",
    timestamp: datetime | None = None,
 ) -> ServiceEvent | None:
    """Convert a self-monitoring payload dict into a ServiceEvent.
    Returns None for malformed payloads (unknown failure_type or missing
    keys) — the caller drops without raising so a misbehaving emitter
    can never tip over the dispatch pipeline.
    """
    if not isinstance(payload, dict):
        return None
    failure_type = payload.get("failure_type")
    event_type = _FAILURE_TYPE_TO_EVENT.get(str(failure_type) if failure_type else "")
    if event_type is None:
        return None
    subject_id = int(payload.get("subject_id") or 0)
    subject_name = str(payload.get("subject_name") or "")
    count = int(payload.get("count") or 0)
    threshold = int(payload.get("threshold") or 0)
    last_error = str(payload.get("last_error") or "")[:_MAX_ERROR_LEN]
    details = payload.get("details") if isinstance(payload.get("details"), dict) else {}
    when = timestamp or datetime.now(timezone.utc)
    return ServiceEvent(
        event_type=event_type,
        provider_type=ServiceProviderType.BRIDGE_SELF,
        provider_name=provider_name,
        # ``collection_id`` / ``collection_name`` are required fields on
        # ServiceEvent; we use the subject so quiet-hours / dedupe logic
        # treats different subjects as distinct streams.
        collection_id=str(subject_id),
        collection_name=subject_name or str(failure_type),
        timestamp=when,
        extra={
            "failure_type": str(failure_type),
            "subject_id": subject_id,
            "subject_name": subject_name,
            "count": count,
            "threshold": threshold,
            "last_error": last_error,
            "details": dict(details),
        },
    )
@@ -0,0 +1,148 @@
 """Bridge self-monitoring service provider — emits internal-failure events.
 This is a passive provider: it does not connect to anything, never polls,
 and never subscribes. It exists so the rest of the bridge's CRUD / config /
 template / target plumbing has a single ``ServiceProvider`` to attach
 self-monitoring trackers and notification slots to.
 Events are constructed by the server-side helper
 ``services/bridge_self.emit_bridge_self_event`` and pushed into
 ``dispatch_provider_event`` directly — the provider itself is not asked
 to produce events.
 """
 from __future__ import annotations
 from typing import Any
 from notify_bridge_core.models.events import ServiceEvent
 from notify_bridge_core.providers.base import (
    ServiceProvider,
    ServiceProviderType,
 )
 from notify_bridge_core.templates.variables import TemplateVariableDefinition
 # Configuration keys recognised on the bridge_self provider's ``config`` JSON.
 DEFAULT_POLL_FAILURE_THRESHOLD = 3
 DEFAULT_DEFERRED_BACKLOG_THRESHOLD = 100
 DEFAULT_TARGET_FAILURE_THRESHOLD = 5
 # Template variables exposed to bridge_self templates.
 BRIDGE_SELF_VARIABLES: list[TemplateVariableDefinition] = [
    TemplateVariableDefinition(
        name="failure_type",
        type="string",
        description="Which self-monitoring condition fired",
        example="poll_failures",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="subject_id",
        type="int",
        description="ID of the affected entity (tracker_id, target_id, or 0)",
        example="42",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="subject_name",
        type="string",
        description="Human-readable name of the affected entity",
        example="My Immich Tracker",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="count",
        type="int",
        description="Consecutive failure count or current backlog size",
        example="3",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="threshold",
        type="int",
        description="Configured threshold that was crossed",
        example="3",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="last_error",
        type="string",
        description="Last underlying error message (truncated)",
        example="Connection refused",
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
    TemplateVariableDefinition(
        name="details",
        type="dict",
        description="Extra structured context for the event",
        example='{"provider_id": 7}',
        provider_type=ServiceProviderType.BRIDGE_SELF,
    ),
 ]
 class BridgeSelfServiceProvider(ServiceProvider):
    """Passive provider — exposes nothing remote, holds only thresholds.
    Polling is a no-op and ``connect`` always succeeds; the bridge itself
    is what generates events for this provider.
    """
    provider_type = ServiceProviderType.BRIDGE_SELF
    supports_subscription = False
    def __init__(self, name: str = "Bridge Self-Monitoring") -> None:
        self._name = name
    async def connect(self) -> bool:
        return True
    async def disconnect(self) -> None:
        return None
    async def poll(
        self,
        collection_ids: list[str],
        tracker_state: dict[str, Any],
    ) -> tuple[list[ServiceEvent], dict[str, Any]]:
        # No external service to poll. Returning empty keeps the contract
        # so accidental scheduling no-ops cleanly.
        return [], tracker_state
    def get_available_variables(self) -> list[TemplateVariableDefinition]:
        return list(BRIDGE_SELF_VARIABLES)
    def get_provider_config_schema(self) -> dict[str, Any]:
        return {
            "type": "object",
            "properties": {
                "poll_failure_threshold": {
                    "type": "integer",
                    "minimum": 1,
                    "default": DEFAULT_POLL_FAILURE_THRESHOLD,
                    "description": "Consecutive tracker poll failures before alerting",
                },
                "deferred_backlog_threshold": {
                    "type": "integer",
                    "minimum": 1,
                    "default": DEFAULT_DEFERRED_BACKLOG_THRESHOLD,
                    "description": "Pending deferred_dispatch rows before alerting",
                },
                "target_failure_threshold": {
                    "type": "integer",
                    "minimum": 1,
                    "default": DEFAULT_TARGET_FAILURE_THRESHOLD,
                    "description": "Consecutive target send failures before alerting",
                },
            },
            "required": [],
        }
    async def list_collections(self) -> list[dict[str, Any]]:
        # No collection concept — operators don't pick anything for this provider.
        return []
    async def test_connection(self) -> dict[str, Any]:
        return {"ok": True, "message": "Bridge self-monitoring is always available"}
@@ -444,6 +444,133 @@ WEBHOOK_CAPABILITIES = ProviderCapabilities(
    ],
 )
 # ---------------------------------------------------------------------------
 # Home Assistant provider capabilities
 # ---------------------------------------------------------------------------
 HOME_ASSISTANT_CAPABILITIES = ProviderCapabilities(
    provider_type="home_assistant",
    display_name="Home Assistant",
    webhook_based=False,
    supported_filters=[
        {
            "key": "collections",
            "label": "Entities",
            "type": "tags",
            "placeholder": "light.kitchen",
        },
        {
            "key": "entity_glob",
            "label": "Entity glob",
            "type": "tags",
            "placeholder": "light.*",
        },
        {
            "key": "domain_allowlist",
            "label": "Domains",
            "type": "tags",
            "placeholder": "light, binary_sensor",
        },
    ],
    notification_slots=[
        {"name": "message_ha_state_changed", "description": "Entity state changed"},
        {"name": "message_ha_automation_triggered", "description": "Automation triggered"},
        {"name": "message_ha_service_called", "description": "HA service called"},
        {"name": "message_ha_event_fired", "description": "Other HA event fired"},
    ],
    events=[
        {"name": "ha_state_changed", "description": "Entity state changed"},
        {"name": "ha_automation_triggered", "description": "Automation triggered"},
        {"name": "ha_service_called", "description": "HA service called"},
        {"name": "ha_event_fired", "description": "Other HA event fired (catch-all)"},
    ],
    command_slots=[
        # Response templates
        {"name": "start", "description": "/start greeting message"},
        {"name": "help", "description": "/help command listing"},
        {"name": "status", "description": "/status connection summary"},
        {"name": "entities", "description": "/entities matching glob"},
        {"name": "state", "description": "/state single-entity drill-down"},
        {"name": "areas", "description": "/areas with entity counts"},
        {"name": "rate_limited", "description": "Rate limit warning message"},
        {"name": "no_results", "description": "Empty results fallback"},
        # Description slots
        {"name": "desc_help", "description": "Menu description for /help"},
        {"name": "desc_status", "description": "Menu description for /status"},
        {"name": "desc_entities", "description": "Menu description for /entities"},
        {"name": "desc_state", "description": "Menu description for /state"},
        {"name": "desc_areas", "description": "Menu description for /areas"},
        # Usage examples
        {"name": "usage_entities", "description": "Usage example for /entities"},
        {"name": "usage_state", "description": "Usage example for /state"},
    ],
    commands=[
        {"name": "status", "description": "Show connection status"},
        {"name": "entities", "description": "List entities (optional glob)"},
        {"name": "state", "description": "Show state for one entity"},
        {"name": "areas", "description": "List HA areas with entity counts"},
        {"name": "help", "description": "Show commands"},
    ],
 )
 # ---------------------------------------------------------------------------
 # Bridge self-monitoring capabilities
 # ---------------------------------------------------------------------------
 BRIDGE_SELF_CAPABILITIES = ProviderCapabilities(
    provider_type="bridge_self",
    display_name="Bridge Self-Monitoring",
    webhook_based=False,
    supported_filters=[],
    notification_slots=[
        {
            "name": "message_bridge_self_poll_failures",
            "description": "Tracker poll failures crossed threshold",
        },
        {
            "name": "message_bridge_self_deferred_backlog",
            "description": "Deferred dispatch backlog crossed threshold",
        },
        {
            "name": "message_bridge_self_target_failures",
            "description": "Target send failures crossed threshold",
        },
    ],
    events=[
        {"name": "bridge_self_poll_failures", "description": "Tracker poll failures"},
        {"name": "bridge_self_deferred_backlog", "description": "Deferred backlog high"},
        {"name": "bridge_self_target_failures", "description": "Target send failures"},
    ],
    command_slots=[
        # Response templates
        {"name": "start", "description": "/start greeting message"},
        {"name": "help", "description": "/help command listing"},
        {"name": "status", "description": "/status full counter snapshot"},
        {"name": "thresholds", "description": "/thresholds configured alert thresholds"},
        {"name": "reset", "description": "/reset manual counter reset"},
        {"name": "health", "description": "/health terse one-line summary"},
        {"name": "rate_limited", "description": "Rate limit warning message"},
        {"name": "no_results", "description": "Empty results fallback"},
        # Description slots
        {"name": "desc_help", "description": "Menu description for /help"},
        {"name": "desc_status", "description": "Menu description for /status"},
        {"name": "desc_thresholds", "description": "Menu description for /thresholds"},
        {"name": "desc_reset", "description": "Menu description for /reset"},
        {"name": "desc_health", "description": "Menu description for /health"},
        # Usage examples
        {"name": "usage_reset", "description": "Usage example for /reset"},
    ],
    commands=[
        {"name": "status", "description": "Show current bridge health counters"},
        {"name": "thresholds", "description": "Show configured alert thresholds"},
        {"name": "reset", "description": "Manually reset a failure counter"},
        {"name": "health", "description": "Terse one-line health summary"},
        {"name": "help", "description": "Show commands"},
    ],
 )
 # ---------------------------------------------------------------------------
 # Registry
 # ---------------------------------------------------------------------------
@@ -456,6 +583,8 @@ _REGISTRY: dict[str, ProviderCapabilities] = {
    "nut": NUT_CAPABILITIES,
    "google_photos": GOOGLE_PHOTOS_CAPABILITIES,
    "webhook": WEBHOOK_CAPABILITIES,
    "home_assistant": HOME_ASSISTANT_CAPABILITIES,
    "bridge_self": BRIDGE_SELF_CAPABILITIES,
 }
@@ -0,0 +1,34 @@
 """Home Assistant service provider implementation."""
 from notify_bridge_core.providers.base import ServiceProviderType
 from notify_bridge_core.templates.variables import registry
 from .client import (
    HomeAssistantApiError,
    HomeAssistantAuthError,
    HomeAssistantWSClient,
    _redact as redact_ha_message,
 )
 from .event_parser import parse_event
 from .provider import (
    DEFAULT_HA_EVENT_TYPES,
    HOME_ASSISTANT_VARIABLES,
    HomeAssistantServiceProvider,
 )
 # Register HA variables in the global registry — same pattern as the other
 # providers in this package.
 registry.register_provider_variables(
    ServiceProviderType.HOME_ASSISTANT, HOME_ASSISTANT_VARIABLES,
 )
 __all__ = [
    "DEFAULT_HA_EVENT_TYPES",
    "HOME_ASSISTANT_VARIABLES",
    "HomeAssistantApiError",
    "HomeAssistantAuthError",
    "HomeAssistantServiceProvider",
    "HomeAssistantWSClient",
    "parse_event",
    "redact_ha_message",
 ]
@@ -0,0 +1,506 @@
 """Home Assistant WebSocket client.
 Implements the slice of the HA WebSocket API we need for Phase 1:
 * Authenticate with a long-lived access token.
 * Subscribe to events (optionally filtered by ``event_type``).
 * Fetch the state list (``get_states``) for entity picker UI.
 * Fetch the entity and area registries to build an ``entity_id -> area_id``
  lookup that the parser uses to enrich ``state_changed`` events with the
  area name.
 * Run an indefinite subscription loop with exponential backoff reconnect.
 The HA protocol reference is at
 https://developers.home-assistant.io/docs/api/websocket/ — message ids are
 ascending integers, server replies use the same id, and authentication must
 complete before any other command is accepted.
 """
 from __future__ import annotations
 import asyncio
 import itertools
 import logging
 import random
 import time
 from contextlib import asynccontextmanager
 from typing import Any, AsyncIterator, Awaitable, Callable
 from urllib.parse import urlparse, urlunparse
 import aiohttp
 _LOGGER = logging.getLogger(__name__)
 class HomeAssistantAuthError(Exception):
    """Raised when HA rejects our access token. Fatal — no point retrying."""
 class HomeAssistantApiError(Exception):
    """Raised when an HA WS command returns ``success: false``."""
 # Default reconnect backoff: 2s, 4s, 8s, ..., capped at 60s with jitter.
 _RECONNECT_BASE_SECONDS = 2.0
 _RECONNECT_MAX_SECONDS = 60.0
 _RECONNECT_JITTER_RATIO = 0.2
 # Bounded queue between the WS receive loop and the emit consumer. Overflow
 # drops the oldest event (FIFO) and logs at WARNING — better to lose one
 # state_changed than fall behind the firehose indefinitely.
 _EMIT_QUEUE_SIZE = 1000
 def _ws_url_from_base(base_url: str) -> str:
    """Derive the HA WebSocket URL from the user-provided HTTP(S) base URL.
    ``http://homeassistant.local:8123`` -> ``ws://homeassistant.local:8123/api/websocket``.
    The user enters their normal HA URL; we transform the scheme + append
    the API path. This keeps the UI single-field and avoids confusion about
    which URL form to use.
    Userinfo (``user:pass@host``) is **stripped** — credentials embedded in
    the URL would otherwise flow into log lines and exception strings via
    ``aiohttp`` error messages. The HA WS protocol uses an access-token
    handshake; HTTP basic auth in the URL is never the intended path.
    """
    parsed = urlparse(base_url.rstrip("/"))
    if parsed.scheme in ("ws", "wss"):
        scheme = parsed.scheme
    elif parsed.scheme == "https":
        scheme = "wss"
    else:
        scheme = "ws"
    # ``netloc`` may contain ``user:pass@host:port``; ``hostname`` + ``port``
    # rebuild it without the credential prefix.
    host = parsed.hostname or ""
    if parsed.port is not None:
        netloc = f"{host}:{parsed.port}"
    else:
        netloc = host
    return urlunparse(
        (scheme, netloc, "/api/websocket", "", "", "")
    )
 def _redact(text: str) -> str:
    """Strip embedded credentials from text before logging.
    ``aiohttp`` exception strings include the URL, so a malformed
    ``https://token@host`` would otherwise expose the token. This is a
    defense-in-depth measure — ``_ws_url_from_base`` already strips
    userinfo from the connect URL, but third-party libs may quote the
    user-supplied input separately.
    """
    if not text:
        return text
    # Match ``scheme://[user[:pass]@]host`` and drop the userinfo segment.
    import re
    return re.sub(
        r"(?P<scheme>\w+://)(?:[^/@\s]+@)",
        r"\g<scheme>",
        text,
    )
 class HomeAssistantWSClient:
    """Single-instance WebSocket client for one HA server."""
    def __init__(
        self,
        session: aiohttp.ClientSession,
        base_url: str,
        access_token: str,
        verify_tls: bool = True,
    ) -> None:
        self._session = session
        self._ws_url = _ws_url_from_base(base_url)
        self._access_token = access_token
        self._verify_tls = verify_tls
        self._id_counter = itertools.count(1)
    # ------------------------------------------------------------------
    # Connection primitives
    # ------------------------------------------------------------------
    @asynccontextmanager
    async def _connect(self) -> AsyncIterator[aiohttp.ClientWebSocketResponse]:
        """Open a fresh WS, complete the auth handshake, and yield the socket.
        Raises :class:`HomeAssistantAuthError` on invalid token (fatal) and
        :class:`HomeAssistantApiError` on other handshake failures (caller
        decides whether to retry).
        """
        ws = await self._session.ws_connect(
            self._ws_url,
            ssl=None if self._verify_tls else False,
            heartbeat=30,
            autoping=True,
        )
        try:
            await self._authenticate(ws)
            yield ws
        finally:
            await ws.close()
    async def _authenticate(self, ws: aiohttp.ClientWebSocketResponse) -> None:
        """Run the HA auth handshake on a freshly-opened socket."""
        greeting = await ws.receive_json(timeout=10)
        if greeting.get("type") != "auth_required":
            raise HomeAssistantApiError(
                f"Expected auth_required, got {greeting.get('type')!r}"
            )
        await ws.send_json({"type": "auth", "access_token": self._access_token})
        result = await ws.receive_json(timeout=10)
        msg_type = result.get("type")
        if msg_type == "auth_ok":
            return
        if msg_type == "auth_invalid":
            raise HomeAssistantAuthError(
                result.get("message") or "Home Assistant rejected the access token"
            )
        raise HomeAssistantApiError(
            f"Unexpected auth response: {msg_type!r}"
        )
    async def _send_command(
        self,
        ws: aiohttp.ClientWebSocketResponse,
        payload: dict[str, Any],
    ) -> int:
        """Send a command with an auto-assigned id; return that id."""
        msg_id = next(self._id_counter)
        await ws.send_json({"id": msg_id, **payload})
        return msg_id
    async def _await_result(
        self,
        ws: aiohttp.ClientWebSocketResponse,
        msg_id: int,
        timeout: float = 15.0,
    ) -> Any:
        """Wait for a ``result`` message matching ``msg_id`` and return its payload.
        ``time.monotonic`` is the right clock here — wall-clock deadlines
        would jump on NTP sync, and ``asyncio.get_event_loop().time()``
        is deprecated when called outside a running-loop context.
        """
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise HomeAssistantApiError(
                    f"Timed out waiting for result of command id={msg_id}"
                )
            msg = await ws.receive_json(timeout=remaining)
            if msg.get("id") != msg_id:
                # Ignore unsolicited events that arrive between sending a
                # request-style command and its result.
                continue
            if msg.get("type") != "result":
                continue
            if not msg.get("success", False):
                err = msg.get("error", {})
                raise HomeAssistantApiError(
                    f"HA command failed: {err.get('code')} {err.get('message')}"
                )
            return msg.get("result")
    # ------------------------------------------------------------------
    # Multi-command session
    # ------------------------------------------------------------------
    @asynccontextmanager
    async def session(self) -> AsyncIterator["HomeAssistantSession"]:
        """Open one authenticated WS and let the caller run multiple commands.
        Each one-shot method (``get_states``, ``get_area_registry``, ...)
        opens a brand-new connection with a full TCP + WS + auth handshake.
        For callers that need to chain several queries (e.g. /status: connection
        check + entity list + area count) that overhead adds up — 3 separate
        TLS handshakes and 3 auth round-trips for what is really one logical
        request.
        Usage:
            async with client.session() as sess:
                states = await sess.get_states()
                areas = await sess.get_area_registry()
        The session shares the same id counter as the client, so message ids
        are unique across both one-shot calls and session-scoped calls if
        they happen to run concurrently against the same client instance.
        """
        async with self._connect() as ws:
            yield HomeAssistantSession(self, ws)
    # ------------------------------------------------------------------
    # One-shot commands
    # ------------------------------------------------------------------
    async def test_connection(self) -> tuple[bool, str]:
        """Connect, authenticate, and immediately close. Returns ``(ok, message)``."""
        try:
            async with self._connect() as _ws:
                return True, "OK"
        except HomeAssistantAuthError as err:
            return False, f"Auth failed: {err}"
        except (aiohttp.ClientError, asyncio.TimeoutError) as err:
            return False, f"Connection failed: {err}"
        except HomeAssistantApiError as err:
            return False, str(err)
    async def get_states(self) -> list[dict[str, Any]]:
        """Fetch the current state of every entity HA knows about."""
        async with self._connect() as ws:
            msg_id = await self._send_command(ws, {"type": "get_states"})
            result = await self._await_result(ws, msg_id)
            return list(result or [])
    async def get_area_registry(self) -> list[dict[str, Any]]:
        """Fetch the area registry (``area_id`` -> name + metadata)."""
        async with self._connect() as ws:
            msg_id = await self._send_command(
                ws, {"type": "config/area_registry/list"}
            )
            result = await self._await_result(ws, msg_id)
            return list(result or [])
    async def get_entity_registry(self) -> list[dict[str, Any]]:
        """Fetch the entity registry (entity_id -> area_id + metadata)."""
        async with self._connect() as ws:
            msg_id = await self._send_command(
                ws, {"type": "config/entity_registry/list"}
            )
            result = await self._await_result(ws, msg_id)
            return list(result or [])
    async def get_entity_to_area_lookup(self) -> dict[str, str]:
        """Build ``{entity_id: area_name}`` using the entity + area registries.
        Best-effort: returns an empty dict on any failure so the parser still
        works without area enrichment.
        """
        try:
            entities = await self.get_entity_registry()
            areas = await self.get_area_registry()
        except (HomeAssistantApiError, aiohttp.ClientError, asyncio.TimeoutError) as err:
            _LOGGER.warning("Could not fetch HA registry, areas disabled: %s", err)
            return {}
        area_names = {a.get("area_id"): a.get("name") for a in areas if a.get("area_id")}
        lookup: dict[str, str] = {}
        for entry in entities:
            entity_id = entry.get("entity_id")
            area_id = entry.get("area_id")
            if not isinstance(entity_id, str) or not area_id:
                continue
            name = area_names.get(area_id)
            if name:
                lookup[entity_id] = str(name)
        return lookup
    # ------------------------------------------------------------------
    # Subscription loop with reconnect
    # ------------------------------------------------------------------
    async def run_subscription(
        self,
        on_event: Callable[[dict[str, Any]], Awaitable[None]],
        event_types: list[str] | None = None,
        on_status_change: Callable[[str, str | None], None] | None = None,
        refresh_areas: Callable[[], Awaitable[dict[str, str]]] | None = None,
    ) -> None:
        """Run an indefinite subscription loop, reconnecting on drop.
        Parameters
        ----------
        on_event:
            Coroutine called with the inner ``event`` dict (the WS envelope is
            stripped). Slow callbacks apply TCP backpressure naturally; the
            internal queue prevents unbounded memory growth if the callback
            stalls.
        event_types:
            Restrict the subscription to these HA event types. ``None`` or
            empty subscribes to everything (very loud — only use for debug).
        on_status_change:
            Callback invoked with ``("connected", None)`` after a successful
            handshake and ``("disconnected", reason)`` when a connection drops.
            Useful for surfacing connection state in the event log.
        refresh_areas:
            Optional coroutine called on each (re)connect to refresh the
            area lookup. The result is not used by ``run_subscription``
            itself — the caller stores it where its ``on_event`` can read.
        """
        attempt = 0
        queue: asyncio.Queue[dict[str, Any]] = asyncio.Queue(maxsize=_EMIT_QUEUE_SIZE)
        overflow_count = 0
        async def _drain() -> None:
            while True:
                evt = await queue.get()
                try:
                    await on_event(evt)
                except Exception:  # noqa: BLE001
                    _LOGGER.exception("on_event callback raised; continuing")
                finally:
                    queue.task_done()
        drain_task = asyncio.create_task(_drain(), name="ha-emit-drain")
        try:
            while True:
                try:
                    async with self._connect() as ws:
                        attempt = 0
                        if on_status_change is not None:
                            on_status_change("connected", None)
                        if refresh_areas is not None:
                            try:
                                # Note: refresh_areas opens its own WS in our
                                # current design (each one-shot command does).
                                # Fine for v1 — a few hundred ms once per
                                # (re)connect.
                                await refresh_areas()
                            except Exception:  # noqa: BLE001
                                _LOGGER.exception("Area refresh failed; continuing without")
                        # Subscribe. Passing per-event-type subscriptions is
                        # cheaper than subscribing to everything and filtering
                        # in Python — HA does the filtering.
                        if event_types:
                            for evt_type in event_types:
                                sub_id = await self._send_command(
                                    ws,
                                    {"type": "subscribe_events", "event_type": evt_type},
                                )
                                await self._await_result(ws, sub_id)
                        else:
                            sub_id = await self._send_command(
                                ws, {"type": "subscribe_events"}
                            )
                            await self._await_result(ws, sub_id)
                        async for msg in ws:
                            if msg.type == aiohttp.WSMsgType.TEXT:
                                payload = msg.json()
                                if payload.get("type") != "event":
                                    continue
                                event_obj = payload.get("event")
                                if not isinstance(event_obj, dict):
                                    continue
                                try:
                                    queue.put_nowait(event_obj)
                                except asyncio.QueueFull:
                                    overflow_count += 1
                                    if overflow_count % 50 == 1:
                                        _LOGGER.warning(
                                            "HA event queue full, dropped %d events so far "
                                            "(consumer is slower than HA event rate)",
                                            overflow_count,
                                        )
                                    # Drop oldest, retry put. This keeps the
                                    # most recent state visible at the cost
                                    # of older transient changes.
                                    try:
                                        queue.get_nowait()
                                        queue.task_done()
                                    except asyncio.QueueEmpty:
                                        pass
                                    try:
                                        queue.put_nowait(event_obj)
                                    except asyncio.QueueFull:
                                        pass
                            elif msg.type in (
                                aiohttp.WSMsgType.CLOSED,
                                aiohttp.WSMsgType.CLOSING,
                                aiohttp.WSMsgType.ERROR,
                            ):
                                raise aiohttp.ClientConnectionError(
                                    f"WS closed: {msg.type.name}"
                                )
                            else:
                                # PING/PONG handled by aiohttp autoping=True;
                                # BINARY/CONTINUATION are not used by HA today.
                                # Log at debug so a future protocol change is
                                # visible without spamming production logs.
                                _LOGGER.debug(
                                    "Ignored WS message of type %s", msg.type.name,
                                )
                except HomeAssistantAuthError as err:
                    # Fatal — caller must fix the access token. Reraise so
                    # the provider can mark itself unhealthy.
                    if on_status_change is not None:
                        on_status_change("disconnected", _redact(f"auth: {err}"))
                    raise
                except asyncio.CancelledError:
                    if on_status_change is not None:
                        on_status_change("disconnected", "cancelled")
                    raise
                except Exception as err:  # noqa: BLE001
                    redacted = _redact(str(err))
                    if on_status_change is not None:
                        on_status_change("disconnected", redacted)
                    delay = min(
                        _RECONNECT_BASE_SECONDS * (2 ** attempt),
                        _RECONNECT_MAX_SECONDS,
                    )
                    delay *= 1 + random.uniform(-_RECONNECT_JITTER_RATIO, _RECONNECT_JITTER_RATIO)
                    _LOGGER.warning(
                        "HA WS connection lost (%s); reconnecting in %.1fs",
                        redacted, delay,
                    )
                    attempt = min(attempt + 1, 10)
                    await asyncio.sleep(delay)
        finally:
            drain_task.cancel()
            # Drain task may finish via CancelledError (normal) or via an
            # unhandled exception thrown by on_event. Either way is fine here
            # — we're tearing down. Split the two cases for clarity rather
            # than catching `Exception` + `CancelledError` in one clause.
            try:
                await drain_task
            except asyncio.CancelledError:
                pass
            except Exception:  # noqa: BLE001
                _LOGGER.exception("HA drain task raised during shutdown")
 # ---------------------------------------------------------------------------
 # Multi-command session
 # ---------------------------------------------------------------------------
 class HomeAssistantSession:
    """A multi-command HA WS session bound to a single authenticated socket.
    Created via :meth:`HomeAssistantWSClient.session`. Use when you need to
    issue several commands in a row — sharing the connection saves the TCP
    + WS + auth round trips for every command after the first.
    The session forwards id assignment to the parent client's monotonic
    counter so ids stay unique across all sessions sharing the same client.
    """
    def __init__(
        self,
        client: HomeAssistantWSClient,
        ws: aiohttp.ClientWebSocketResponse,
    ) -> None:
        self._client = client
        self._ws = ws
    async def send(self, payload: dict[str, Any], timeout: float = 15.0) -> Any:
        """Send one command and wait for its ``result`` envelope."""
        msg_id = await self._client._send_command(self._ws, payload)
        return await self._client._await_result(self._ws, msg_id, timeout=timeout)
    async def get_states(self) -> list[dict[str, Any]]:
        result = await self.send({"type": "get_states"})
        return list(result or [])
    async def get_area_registry(self) -> list[dict[str, Any]]:
        result = await self.send({"type": "config/area_registry/list"})
        return list(result or [])
    async def get_entity_registry(self) -> list[dict[str, Any]]:
        result = await self.send({"type": "config/entity_registry/list"})
        return list(result or [])
@@ -0,0 +1,267 @@
 """Home Assistant event parser — HA WebSocket event dict -> ServiceEvent.
 The HA event bus delivers events with this envelope:
 .. code-block:: json
    {
        "id": 7,
        "type": "event",
        "event": {
            "event_type": "state_changed",
            "data": { ... event-type-specific ... },
            "origin": "LOCAL",
            "time_fired": "2026-05-13T12:34:56.789Z",
            "context": { ... }
        }
    }
 The parser accepts the inner ``event`` dict (the WS client strips the outer
 envelope before calling us) and emits a :class:`ServiceEvent` ready for the
 existing dispatch path. Areas are looked up via an optional ``area_lookup``
 mapping so the parser stays pure — the WS client maintains the registry
 cache and passes its current snapshot on each call.
 """
 from __future__ import annotations
 import json
 import logging
 from datetime import datetime, timezone
 from typing import Any
 from notify_bridge_core.models.events import EventType, ServiceEvent
 from notify_bridge_core.providers.base import ServiceProviderType
 _LOGGER = logging.getLogger(__name__)
 # Defensive caps for fields that get persisted to the event_log row. Home
 # Assistant's own constraints keep entity ids well under 70 chars, but a
 # misbehaving custom integration could emit kilobyte-sized strings that
 # would bloat the JSON details column.
 _MAX_ENTITY_ID_LEN = 255
 _MAX_EVENT_DATA_BYTES = 4096
 def _parse_time_fired(raw: Any) -> datetime:
    """Parse HA's ``time_fired`` ISO string, falling back to now() on garbage.
    HA always sends UTC with a ``Z`` suffix or explicit ``+00:00``. Datetime
    parsing is wrapped because a malformed payload should not break the
    pipeline — better to dispatch with a slightly-off timestamp than drop.
    """
    if isinstance(raw, str):
        try:
            # ``datetime.fromisoformat`` accepts ``+00:00`` natively; rewrite
            # the trailing ``Z`` since pre-3.11 stdlib rejects it.
            cleaned = raw[:-1] + "+00:00" if raw.endswith("Z") else raw
            return datetime.fromisoformat(cleaned)
        except ValueError:
            _LOGGER.debug("Unparseable HA time_fired %r, using now()", raw)
    return datetime.now(timezone.utc)
 def _domain_of(entity_id: str) -> str:
    """Return the HA domain prefix (``light.kitchen`` -> ``light``)."""
    if "." in entity_id:
        return entity_id.split(".", 1)[0]
    return ""
 def _friendly_name(state_obj: dict[str, Any] | None, entity_id: str) -> str:
    """Pull ``friendly_name`` from attributes or fall back to entity_id."""
    if not state_obj:
        return entity_id
    attrs = state_obj.get("attributes") or {}
    name = attrs.get("friendly_name")
    return str(name) if name else entity_id
 def parse_event(
    ha_event: dict[str, Any],
    provider_name: str,
    area_lookup: dict[str, str] | None = None,
 ) -> ServiceEvent | None:
    """Parse one HA event dict into a :class:`ServiceEvent`.
    Returns None for malformed payloads (missing ``event_type`` etc.) so the
    caller can drop without raising. Genuine network/parsing exceptions
    bubble up — only known-bad payload shapes return None.
    """
    if not isinstance(ha_event, dict):
        return None
    event_type_raw = ha_event.get("event_type")
    if not isinstance(event_type_raw, str):
        return None
    data = ha_event.get("data") or {}
    timestamp = _parse_time_fired(ha_event.get("time_fired"))
    area_lookup = area_lookup or {}
    if event_type_raw == "state_changed":
        return _parse_state_changed(data, timestamp, provider_name, area_lookup)
    if event_type_raw == "automation_triggered":
        return _parse_automation_triggered(data, timestamp, provider_name)
    if event_type_raw == "call_service":
        return _parse_call_service(data, timestamp, provider_name)
    # Everything else maps to the generic "event_fired" slot. Tracking
    # configs decide whether to enable this loud catch-all.
    return _parse_generic_event(event_type_raw, data, timestamp, provider_name)
 def _parse_state_changed(
    data: dict[str, Any],
    timestamp: datetime,
    provider_name: str,
    area_lookup: dict[str, str],
 ) -> ServiceEvent | None:
    entity_id = data.get("entity_id")
    if not isinstance(entity_id, str):
        return None
    entity_id = entity_id[:_MAX_ENTITY_ID_LEN]
    old_state_obj = data.get("old_state") if isinstance(data.get("old_state"), dict) else None
    new_state_obj = data.get("new_state") if isinstance(data.get("new_state"), dict) else None
    # ``new_state`` is None when an entity is removed — surface it as a
    # transition to the literal string "removed" so templates can branch.
    old_state_val = old_state_obj.get("state") if old_state_obj else None
    new_state_val = new_state_obj.get("state") if new_state_obj else "removed"
    attributes = (new_state_obj or {}).get("attributes") or {}
    friendly_name = _friendly_name(new_state_obj or old_state_obj, entity_id)
    domain = _domain_of(entity_id)
    extra: dict[str, Any] = {
        "entity_id": entity_id,
        "friendly_name": friendly_name,
        "domain": domain,
        "old_state": old_state_val,
        "new_state": new_state_val,
        "attributes": attributes,
        "device_class": attributes.get("device_class"),
        "unit_of_measurement": attributes.get("unit_of_measurement"),
        "area": area_lookup.get(entity_id),
        "ha_event_type": "state_changed",
    }
    if new_state_obj and "last_changed" in new_state_obj:
        extra["last_changed"] = new_state_obj["last_changed"]
    if new_state_obj and "last_updated" in new_state_obj:
        extra["last_updated"] = new_state_obj["last_updated"]
    return ServiceEvent(
        event_type=EventType.HA_STATE_CHANGED,
        provider_type=ServiceProviderType.HOME_ASSISTANT,
        provider_name=provider_name,
        collection_id=entity_id,
        collection_name=friendly_name,
        timestamp=timestamp,
        extra=extra,
    )
 def _parse_automation_triggered(
    data: dict[str, Any],
    timestamp: datetime,
    provider_name: str,
 ) -> ServiceEvent | None:
    entity_id = data.get("entity_id")
    if isinstance(entity_id, str):
        entity_id = entity_id[:_MAX_ENTITY_ID_LEN]
    automation_name = data.get("name") or (entity_id if isinstance(entity_id, str) else "automation")
    source = data.get("source") or ""
    collection_id = entity_id if isinstance(entity_id, str) else f"automation.{automation_name}"
    collection_id = collection_id[:_MAX_ENTITY_ID_LEN]
    return ServiceEvent(
        event_type=EventType.HA_AUTOMATION_TRIGGERED,
        provider_type=ServiceProviderType.HOME_ASSISTANT,
        provider_name=provider_name,
        collection_id=collection_id,
        collection_name=str(automation_name),
        timestamp=timestamp,
        extra={
            "entity_id": entity_id,
            "automation_name": str(automation_name),
            "trigger_source": str(source),
            "ha_event_type": "automation_triggered",
        },
    )
 def _parse_call_service(
    data: dict[str, Any],
    timestamp: datetime,
    provider_name: str,
 ) -> ServiceEvent | None:
    domain = data.get("domain")
    service = data.get("service")
    if not isinstance(domain, str) or not isinstance(service, str):
        return None
    domain = domain[:_MAX_ENTITY_ID_LEN]
    service = service[:_MAX_ENTITY_ID_LEN]
    service_data = data.get("service_data") if isinstance(data.get("service_data"), dict) else {}
    qualified = f"{domain}.{service}"
    target_entity = None
    if isinstance(service_data, dict):
        raw_target = service_data.get("entity_id")
        if isinstance(raw_target, str):
            target_entity = raw_target
        elif isinstance(raw_target, list) and raw_target:
            target_entity = ", ".join(str(x) for x in raw_target)
    return ServiceEvent(
        event_type=EventType.HA_SERVICE_CALLED,
        provider_type=ServiceProviderType.HOME_ASSISTANT,
        provider_name=provider_name,
        collection_id=qualified,
        collection_name=qualified,
        timestamp=timestamp,
        extra={
            "service_domain": domain,
            "service_name": service,
            "service_called": qualified,
            "service_data": service_data,
            "target_entity": target_entity,
            "ha_event_type": "call_service",
        },
    )
 def _parse_generic_event(
    event_type_raw: str,
    data: dict[str, Any],
    timestamp: datetime,
    provider_name: str,
 ) -> ServiceEvent | None:
    event_type_raw = event_type_raw[:_MAX_ENTITY_ID_LEN]
    # Cap the serialized payload so a custom HA integration that emits
    # a multi-megabyte event_data dict doesn't blow up the event_log JSON
    # column. Templates can still reference fields up to the cap; beyond it
    # the dict is replaced with a marker so the limit is visible to authors.
    capped_data: Any = data
    try:
        serialized = json.dumps(data, default=str)
    except (TypeError, ValueError):
        # Unserializable payload — keep the dict in-memory so templates can
        # still read scalar fields, but flag the size as 0 to avoid surprises.
        serialized = ""
    if len(serialized.encode("utf-8")) > _MAX_EVENT_DATA_BYTES:
        capped_data = {
            "_truncated": True,
            "_original_size_bytes": len(serialized.encode("utf-8")),
            "_note": f"event_data exceeded {_MAX_EVENT_DATA_BYTES}B and was dropped",
        }
    return ServiceEvent(
        event_type=EventType.HA_EVENT_FIRED,
        provider_type=ServiceProviderType.HOME_ASSISTANT,
        provider_name=provider_name,
        collection_id=event_type_raw,
        collection_name=event_type_raw,
        timestamp=timestamp,
        extra={
            "ha_event_type": event_type_raw,
            "event_data": capped_data,
        },
    )
@@ -0,0 +1,323 @@
 """Home Assistant service provider — WebSocket subscription based.
 Unlike polling providers (Immich, NUT, Google Photos) and webhook providers
 (Gitea, Planka), the HA provider maintains a long-lived WebSocket connection
 to the HA server and pushes events into the dispatch pipeline as they
 arrive. The lifecycle is owned by the server-side subscription manager
 (see ``services/ha_subscription.py``).
 """
 from __future__ import annotations
 import logging
 from typing import Any, Callable
 import aiohttp
 from notify_bridge_core.models.events import ServiceEvent
 from notify_bridge_core.providers.base import (
    EventEmitCallback,
    ServiceProvider,
    ServiceProviderType,
 )
 from notify_bridge_core.templates.variables import TemplateVariableDefinition
 from .client import HomeAssistantWSClient
 from .event_parser import parse_event
 # Status callback signature: ``(state, detail)`` where ``state`` is one of
 # ``"connected"`` / ``"disconnected"`` and ``detail`` is an optional already-
 # redacted reason string (or None on connect).
 StatusChangeCallback = Callable[[str, str | None], None]
 _LOGGER = logging.getLogger(__name__)
 # Home Assistant template variables exposed to Jinja2.
 HOME_ASSISTANT_VARIABLES: list[TemplateVariableDefinition] = [
    TemplateVariableDefinition(
        name="entity_id",
        type="string",
        description="HA entity id (e.g. light.kitchen)",
        example="light.kitchen",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="friendly_name",
        type="string",
        description="Human-readable entity name from attributes.friendly_name",
        example="Kitchen Light",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="domain",
        type="string",
        description="HA domain prefix of the entity (e.g. light, sensor, binary_sensor)",
        example="light",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="old_state",
        type="string",
        description="Previous state string before the change",
        example="off",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="new_state",
        type="string",
        description="New state string (literal 'removed' when entity was deleted)",
        example="on",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="attributes",
        type="dict",
        description="Full attributes dict of the new state",
        example='{"brightness": 255, "color_mode": "brightness"}',
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="device_class",
        type="string",
        description="Device class from attributes (motion, door, temperature, ...)",
        example="motion",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="unit_of_measurement",
        type="string",
        description="Unit suffix for numeric sensors",
        example="°C",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="area",
        type="string",
        description="Area name from the HA area registry (empty when not assigned)",
        example="Kitchen",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="last_changed",
        type="string",
        description="ISO timestamp of last state change",
        example="2026-05-13T12:34:56.789+00:00",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="last_updated",
        type="string",
        description="ISO timestamp of last attribute or state update",
        example="2026-05-13T12:34:56.789+00:00",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="automation_name",
        type="string",
        description="Automation name (automation_triggered events)",
        example="Front Door Notification",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="trigger_source",
        type="string",
        description="Why an automation fired (automation_triggered events)",
        example="state of binary_sensor.front_door",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="service_called",
        type="string",
        description="Qualified service name (call_service events)",
        example="light.turn_on",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="service_domain",
        type="string",
        description="Service domain (call_service events)",
        example="light",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="service_name",
        type="string",
        description="Service name within domain (call_service events)",
        example="turn_on",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="service_data",
        type="dict",
        description="Service payload (call_service events)",
        example='{"entity_id": "light.kitchen"}',
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="target_entity",
        type="string",
        description="entity_id targeted by a service call (comma-joined for multi-target)",
        example="light.kitchen",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="ha_event_type",
        type="string",
        description="Raw HA event_type (state_changed, automation_triggered, ...)",
        example="state_changed",
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
    TemplateVariableDefinition(
        name="event_data",
        type="dict",
        description="Raw event data (generic event_fired events)",
        example='{"key": "value"}',
        provider_type=ServiceProviderType.HOME_ASSISTANT,
    ),
 ]
 # Default event types subscribed to when the user does not override. Only
 # state_changed is on by default — the others are loud and opt-in via the
 # tracking-config event checkboxes.
 DEFAULT_HA_EVENT_TYPES: tuple[str, ...] = ("state_changed",)
 class HomeAssistantServiceProvider(ServiceProvider):
    """Home Assistant WebSocket subscription provider."""
    provider_type = ServiceProviderType.HOME_ASSISTANT
    supports_subscription = True
    def __init__(
        self,
        session: aiohttp.ClientSession,
        url: str,
        access_token: str,
        verify_tls: bool = True,
        event_types: list[str] | None = None,
        name: str = "Home Assistant",
    ) -> None:
        self._client = HomeAssistantWSClient(
            session=session,
            base_url=url,
            access_token=access_token,
            verify_tls=verify_tls,
        )
        self._name = name
        self._event_types = list(event_types) if event_types else list(DEFAULT_HA_EVENT_TYPES)
        # ``_area_lookup`` is refreshed on every (re)connect by run_subscription's
        # ``refresh_areas`` hook so the parser can enrich state_changed events
        # with the current area name.
        self._area_lookup: dict[str, str] = {}
    @property
    def client(self) -> HomeAssistantWSClient:
        return self._client
    async def connect(self) -> bool:
        ok, _ = await self._client.test_connection()
        return ok
    async def disconnect(self) -> None:
        # Session lifecycle is managed by the caller; the WS connection is
        # owned by run_subscription which exits on cancel.
        return None
    async def poll(
        self,
        collection_ids: list[str],
        tracker_state: dict[str, Any],
    ) -> tuple[list[ServiceEvent], dict[str, Any]]:
        # Subscription-based ingest. The polling scheduler MUST NOT call us
        # — the subscription manager owns this provider's lifecycle instead.
        return [], tracker_state
    async def subscribe(
        self,
        emit: EventEmitCallback,
        on_status_change: StatusChangeCallback | None = None,
    ) -> None:
        async def _on_event(ha_event: dict[str, Any]) -> None:
            event = parse_event(
                ha_event,
                provider_name=self._name,
                area_lookup=self._area_lookup,
            )
            if event is None:
                return
            await emit(event)
        async def _refresh_areas() -> dict[str, str]:
            try:
                self._area_lookup = await self._client.get_entity_to_area_lookup()
            except Exception:  # noqa: BLE001
                # Best-effort: keep the previous lookup on failure.
                _LOGGER.exception("Failed to refresh HA area lookup")
            return self._area_lookup
        await self._client.run_subscription(
            on_event=_on_event,
            event_types=self._event_types,
            refresh_areas=_refresh_areas,
            on_status_change=on_status_change,
        )
    def get_available_variables(self) -> list[TemplateVariableDefinition]:
        return list(HOME_ASSISTANT_VARIABLES)
    def get_provider_config_schema(self) -> dict[str, Any]:
        return {
            "type": "object",
            "properties": {
                "url": {
                    "type": "string",
                    "description": "Home Assistant base URL (http://homeassistant.local:8123)",
                    "example": "http://homeassistant.local:8123",
                },
                "access_token": {
                    "type": "string",
                    "description": "Long-lived access token (HA Profile -> Long-Lived Access Tokens)",
                    "secret": True,
                },
                "verify_tls": {
                    "type": "boolean",
                    "description": "Validate TLS certificate. Disable only for self-signed HA setups on trusted networks.",
                    "default": True,
                },
                "event_types": {
                    "type": "array",
                    "items": {"type": "string"},
                    "description": "HA event types to subscribe to. Defaults to ['state_changed'].",
                    "default": list(DEFAULT_HA_EVENT_TYPES),
                },
            },
            "required": ["url", "access_token"],
        }
    async def list_collections(self) -> list[dict[str, Any]]:
        """Return the current entity list for the entity-picker UI."""
        try:
            states = await self._client.get_states()
        except Exception as err:  # noqa: BLE001
            _LOGGER.warning("Could not fetch HA states: %s", err)
            return []
        out: list[dict[str, Any]] = []
        for state in states:
            entity_id = state.get("entity_id")
            if not isinstance(entity_id, str):
                continue
            attrs = state.get("attributes") or {}
            out.append({
                "id": entity_id,
                "name": attrs.get("friendly_name") or entity_id,
                "state": state.get("state"),
                "domain": entity_id.split(".", 1)[0] if "." in entity_id else "",
            })
        return out
    async def test_connection(self) -> dict[str, Any]:
        ok, message = await self._client.test_connection()
        return {"ok": ok, "message": message}
@@ -29,10 +29,21 @@ _LOGGER = logging.getLogger(__name__)
 # calls per poll cycle.  TTL is conservative (1h) and a hashed key keeps the
 # raw api_key out of dict keys in case of a memory dump.
 _USERS_CACHE_TTL_SECONDS = 3600
-_users_cache_lock = asyncio.Lock()
+# Lazy init: ``asyncio.Lock()`` at module import binds to whichever event
 # loop is current at import time (often none, or the wrong one when tests
 # spin up dedicated loops). Defer creation to first use.
 _users_cache_lock: asyncio.Lock | None = None
 _users_cache: dict[str, tuple[float, dict[str, str]]] = {}
 def _get_users_cache_lock() -> asyncio.Lock:
    """Return the module users-cache lock, creating it on first call."""
    global _users_cache_lock
    if _users_cache_lock is None:
        _users_cache_lock = asyncio.Lock()
    return _users_cache_lock
 def _users_cache_key(url: str, api_key: str) -> str:
    digest = hashlib.sha256(f"{url}|{api_key}".encode("utf-8")).hexdigest()
    return digest[:32]
@@ -51,7 +62,7 @@ async def _get_cached_users(
    if entry is not None and (now - entry[0]) < _USERS_CACHE_TTL_SECONDS:
        return entry[1]
-    async with _users_cache_lock:
+    async with _get_users_cache_lock():
        # Re-check after acquiring the lock — another coroutine may have
        # refreshed the entry while we waited.
        entry = _users_cache.get(key)
@@ -200,10 +200,28 @@ class NutServiceProvider(ServiceProvider):
        try:
            for ups_name in collection_ids:
                prev = tracker_state.get(ups_name, {})
                # First-ever observation has no baseline — emitting transition
                # events for whatever flags the device happens to carry would
                # spam the user with "OB"/"LB"/"REPLBATT" alerts on every fresh
                # tracker even when nothing changed. Seed state silently and
                # skip event emission until the next poll provides a baseline.
                is_first_observation = ups_name not in tracker_state
                try:
                    variables = await client.list_var(ups_name)
                    data = NutUpsData.from_variables(ups_name, variables)
                    if is_first_observation:
                        new_state[ups_name] = {
                            "name": data.description or ups_name,
                            "status": data.status,
                            "battery_charge": data.battery_charge,
                            "comms_ok": True,
                            "asset_ids": [],
                            "pending_asset_ids": [],
                            "shared": False,
                        }
                        continue
                    # Check for comms restored
                    if not prev.get("comms_ok", True):
                        events.append(self._make_event(
@@ -0,0 +1,32 @@
 """Upstream release-check providers.
 This package is intentionally separate from :mod:`notify_bridge_core.providers`:
 * service providers are user-configured entities persisted per-tenant in the DB;
 * release providers are admin-level upstream-version probes selected by setting,
  with at most one active provider per installation.
 Mixing them in one enum/factory bled responsibilities and complicated future
 additions (e.g. a GitHub release provider that has nothing to do with Gitea
 service integrations).
 """
 from .base import (
    ReleaseErrorCode,
    ReleaseInfo,
    ReleaseProvider,
    ReleaseProviderKind,
    ReleaseTestResult,
    is_valid_repo,
 )
 from .registry import build_release_provider
 __all__ = [
    "ReleaseErrorCode",
    "ReleaseInfo",
    "ReleaseProvider",
    "ReleaseProviderKind",
    "ReleaseTestResult",
    "build_release_provider",
    "is_valid_repo",
 ]
@@ -0,0 +1,156 @@
 """ReleaseProvider abstraction and shared tag/version utilities."""
 from __future__ import annotations
 import re
 from dataclasses import dataclass
 from enum import Enum
 from typing import ClassVar, Protocol, TypedDict, runtime_checkable
 class ReleaseProviderKind(str, Enum):
    """Supported upstream release-check providers."""
    DISABLED = "disabled"
    GITEA = "gitea"
    GITHUB = "github"
 # Single source of truth for `release_error` taxonomy. Surfaced into the cached
 # `AppSetting`, returned via the API, and translated by the frontend.
 class ReleaseErrorCode(str, Enum):
    DISABLED = "disabled"
    MISCONFIGURED = "misconfigured"
    PROVIDER_CHANGED = "provider_changed"
    NO_RELEASE_FOUND = "no_release_found"
    NETWORK_ERROR = "network_error"
    HTTP_ERROR = "http_error"
    PARSE_ERROR = "parse_error"
    UNSAFE_URL = "unsafe_url"
    NOT_IMPLEMENTED = "not_implemented"
    UNKNOWN_ERROR = "unknown_error"
@dataclass(frozen=True)
 class ReleaseInfo:
    """Normalised release metadata returned by a provider."""
    tag: str
    version: str
    name: str | None = None
    body: str | None = None
    url: str | None = None
    published_at: str | None = None
    prerelease: bool = False
    draft: bool = False
 class ReleaseTestResult(TypedDict):
    """Structured shape returned by :meth:`ReleaseProvider.test`."""
    ok: bool
    info: ReleaseInfo | None
    error: str | None
@runtime_checkable
 class ReleaseProvider(Protocol):
    """Protocol implemented by every release provider.
    Implementations are expected to be safe to instantiate without external
    side effects — connectivity is deferred until :meth:`fetch_latest` or
    :meth:`test` is awaited.
    """
    kind: ClassVar[ReleaseProviderKind]
    async def fetch_latest(self, *, include_prereleases: bool = False) -> ReleaseInfo | None:
        """Return the latest release, or ``None`` if there is nothing to report."""
    async def test(self) -> ReleaseTestResult:
        """Probe the upstream and return a structured status payload."""
 # Owner/name validation — matches Gitea/GitHub's allowed identifier chars.
 _REPO_RE = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$")
 def is_valid_repo(repo: str) -> bool:
    """``True`` when ``repo`` is a safe ``owner/name`` string (no path traversal)."""
    return bool(repo) and _REPO_RE.match(repo) is not None
 _TAG_NUMERIC = re.compile(r"\d+")
 # Stop reading numeric segments at the first non-digit-non-dot character so
 # ``1.0a2`` doesn't get parsed as ``(1, 0, 2)``.
 _HEAD_SPLIT = re.compile(r"[^0-9.]")
 def normalise_version(tag: str) -> str:
    """Strip a leading ``v`` from a tag (``"v1.2.3"`` → ``"1.2.3"``)."""
    if not tag:
        return ""
    cleaned = tag.strip()
    if cleaned.startswith(("v", "V")) and len(cleaned) > 1 and cleaned[1].isdigit():
        cleaned = cleaned[1:]
    return cleaned
 def _split_version(version: str) -> tuple[tuple[int, ...], str]:
    """Split a version into (numeric segments, prerelease suffix).
    A non-empty prerelease suffix marks the version as pre-stable. We use it
    as a tie-break only — when numeric segments are equal a stable build
    sorts strictly newer than its pre-release counterpart (``0.7.2`` >
    ``0.7.2-rc1``), which prevents the badge from flickering between
    "up to date" and "downgrade available" on installs that ship the GA.
    """
    if not version:
        return (), ""
    work = version.split("+", 1)[0]
    if "-" in work:
        head, _, suffix = work.partition("-")
    else:
        # Implicit prerelease form: ``1.0a2`` / ``1.0rc1``. Anything after the
        # first non-digit-non-dot is treated as the suffix.
        m = _HEAD_SPLIT.search(work)
        if m and m.start() > 0:
            head, suffix = work[: m.start()], work[m.start():]
        else:
            head, suffix = work, ""
    segments = tuple(int(n) for n in _TAG_NUMERIC.findall(head))
    return segments, suffix.strip()
 def compare_versions(a: str, b: str) -> int:
    """Return ``1`` if ``a > b``, ``-1`` if ``a < b``, ``0`` if equal.
    Numeric segments win. When numerically equal, *stable* (no suffix) beats
    *prerelease* (any non-empty suffix); two equally-prereleased versions
    compare equal — we deliberately do not order ``rc2`` over ``rc1`` because
    that requires real semver parsing and would only matter for downgrades.
    """
    sa, suffix_a = _split_version(normalise_version(a))
    sb, suffix_b = _split_version(normalise_version(b))
    length = max(len(sa), len(sb))
    for i in range(length):
        x = sa[i] if i < len(sa) else 0
        y = sb[i] if i < len(sb) else 0
        if x != y:
            return 1 if x > y else -1
    # Equal numerics — stable beats prerelease.
    if not suffix_a and suffix_b:
        return 1
    if suffix_a and not suffix_b:
        return -1
    return 0
 def is_newer(candidate: str, baseline: str) -> bool:
    """``True`` when ``candidate`` is strictly newer than ``baseline``."""
    return compare_versions(candidate, baseline) > 0
@@ -0,0 +1,167 @@
 """Gitea release provider — queries ``/api/v1/repos/{owner}/{repo}/releases``."""
 from __future__ import annotations
 import asyncio
 import logging
 from typing import ClassVar
 import aiohttp
 from ..notifications.ssrf import UnsafeURLError, avalidate_outbound_url
 from .base import (
    ReleaseErrorCode,
    ReleaseInfo,
    ReleaseProviderKind,
    ReleaseTestResult,
    is_valid_repo,
    normalise_version,
 )
 _LOGGER = logging.getLogger(__name__)
 # Cap upstream response body — release lists are normally a few KB; anything
 # beyond this is either a misconfigured target or a malicious payload.
 _MAX_BODY_BYTES = 1_000_000
 class GiteaReleaseProvider:
    """Anonymous Gitea release probe.
    Hits the ``releases`` endpoint (not ``releases/latest``) because the latter
    skips pre-releases unconditionally — we want to honour the caller's
    ``include_prereleases`` flag instead of relying on Gitea's filtering.
    """
    kind: ClassVar[ReleaseProviderKind] = ReleaseProviderKind.GITEA
    def __init__(self, session: aiohttp.ClientSession, url: str, repo: str) -> None:
        if not url:
            raise ValueError("Gitea release provider requires a base URL")
        if not is_valid_repo(repo):
            raise ValueError(
                "Gitea release provider requires repo as 'owner/name' "
                "(alphanumerics, dot, dash, underscore only)"
            )
        self._session = session
        self._url = url.rstrip("/")
        self._repo = repo.strip("/")
    @property
    def _endpoint(self) -> str:
        return f"{self._url}/api/v1/repos/{self._repo}/releases"
    async def fetch_latest(self, *, include_prereleases: bool = False) -> ReleaseInfo | None:
        try:
            await avalidate_outbound_url(self._endpoint)
        except UnsafeURLError as err:
            _LOGGER.warning("Gitea release URL rejected by SSRF guard: %s", err)
            return None
        try:
            async with self._session.get(
                self._endpoint,
                params={"limit": "20", "page": "1", "draft": "false"},
            ) as response:
                if response.status != 200:
                    _LOGGER.warning(
                        "Gitea releases fetch failed: HTTP %s for %s",
                        response.status, self._endpoint,
                    )
                    return None
                # Enforce a size cap without trusting chunked encoding: read
                # the whole body (aiohttp buffers it) but reject anything that
                # advertised more than the cap up front, and bail if it grew
                # past the cap after the fact.
                if response.content_length is not None and response.content_length > _MAX_BODY_BYTES:
                    _LOGGER.warning(
                        "Gitea releases response advertised %d bytes — refusing",
                        response.content_length,
                    )
                    return None
                raw = await response.read()
                if len(raw) > _MAX_BODY_BYTES:
                    _LOGGER.warning(
                        "Gitea releases response exceeded %d bytes — refusing to parse",
                        _MAX_BODY_BYTES,
                    )
                    return None
                import json
                payload = json.loads(raw.decode("utf-8"))
        except (aiohttp.ClientError, asyncio.TimeoutError) as err:
            _LOGGER.warning("Gitea releases fetch error: %s", err)
            return None
        except (ValueError, UnicodeDecodeError) as err:
            _LOGGER.warning("Gitea releases parse error: %s", err)
            return None
        if not isinstance(payload, list):
            return None
        for entry in payload:
            if not isinstance(entry, dict):
                continue
            if entry.get("draft"):
                continue
            if entry.get("prerelease") and not include_prereleases:
                continue
            return _to_release_info(entry)
        return None
    async def test(self) -> ReleaseTestResult:
        # Validate URL first so the "test" button surfaces an SSRF rejection
        # to the operator rather than silently returning "unreachable".
        try:
            await avalidate_outbound_url(self._endpoint)
        except UnsafeURLError:
            return {"ok": False, "info": None, "error": ReleaseErrorCode.UNSAFE_URL.value}
        try:
            async with self._session.get(
                self._endpoint,
                params={"limit": "1", "page": "1", "draft": "false"},
            ) as response:
                if response.status != 200:
                    return {"ok": False, "info": None, "error": ReleaseErrorCode.HTTP_ERROR.value}
                # Enforce a size cap without trusting chunked encoding: read
                # the whole body (aiohttp buffers it) but reject anything that
                # advertised more than the cap up front, and bail if it grew
                # past the cap after the fact.
                if response.content_length is not None and response.content_length > _MAX_BODY_BYTES:
                    _LOGGER.warning(
                        "Gitea releases response advertised %d bytes — refusing",
                        response.content_length,
                    )
                    return None
                raw = await response.read()
                if len(raw) > _MAX_BODY_BYTES:
                    return {"ok": False, "info": None, "error": ReleaseErrorCode.PARSE_ERROR.value}
                import json
                payload = json.loads(raw.decode("utf-8"))
        except (aiohttp.ClientError, asyncio.TimeoutError):
            return {"ok": False, "info": None, "error": ReleaseErrorCode.NETWORK_ERROR.value}
        except (ValueError, UnicodeDecodeError):
            return {"ok": False, "info": None, "error": ReleaseErrorCode.PARSE_ERROR.value}
        if not isinstance(payload, list) or not payload:
            return {"ok": False, "info": None, "error": ReleaseErrorCode.NO_RELEASE_FOUND.value}
        first = payload[0]
        if not isinstance(first, dict):
            return {"ok": False, "info": None, "error": ReleaseErrorCode.PARSE_ERROR.value}
        return {"ok": True, "info": _to_release_info(first), "error": None}
 def _to_release_info(entry: dict) -> ReleaseInfo:
    tag = str(entry.get("tag_name") or "").strip()
    return ReleaseInfo(
        tag=tag,
        version=normalise_version(tag),
        name=entry.get("name") or None,
        body=entry.get("body") or None,
        url=entry.get("html_url") or None,
        published_at=entry.get("published_at") or entry.get("created_at") or None,
        prerelease=bool(entry.get("prerelease", False)),
        draft=bool(entry.get("draft", False)),
    )
@@ -0,0 +1,34 @@
 """GitHub release provider stub.
 Reserved so the registry advertises the option and the frontend can render the
 provider toggle without a follow-up backend release. The full implementation
 will mirror :class:`GiteaReleaseProvider` against
 ``api.github.com/repos/{owner}/{repo}/releases``.
 """
 from __future__ import annotations
 from typing import ClassVar
 import aiohttp
 from .base import ReleaseErrorCode, ReleaseInfo, ReleaseProviderKind, ReleaseTestResult
 class GitHubReleaseProvider:
    """Not yet implemented — placeholder so the registry is forward-compatible."""
    kind: ClassVar[ReleaseProviderKind] = ReleaseProviderKind.GITHUB
    def __init__(self, session: aiohttp.ClientSession, repo: str) -> None:
        self._session = session
        self._repo = repo
    async def fetch_latest(self, *, include_prereleases: bool = False) -> ReleaseInfo | None:
        # Soft-fail rather than raise — `run_check` already catches
        # NotImplementedError but a None return keeps the persisted
        # `release_error` taxonomy clean (NOT_IMPLEMENTED, not "not impl…").
        return None
    async def test(self) -> ReleaseTestResult:
        return {"ok": False, "info": None, "error": ReleaseErrorCode.NOT_IMPLEMENTED.value}
@@ -0,0 +1,51 @@
 """Factory for release providers — single entry point for callers."""
 from __future__ import annotations
 from typing import TYPE_CHECKING
 from .base import ReleaseProvider, ReleaseProviderKind, is_valid_repo
 from .gitea import GiteaReleaseProvider
 from .github import GitHubReleaseProvider
 if TYPE_CHECKING:
    import aiohttp
 def build_release_provider(
    kind: str | ReleaseProviderKind,
    *,
    session: aiohttp.ClientSession,
    url: str = "",
    repo: str = "",
 ) -> ReleaseProvider | None:
    """Build a release provider for the given kind.
    Returns ``None`` when disabled or when required configuration is missing
    or unsafe (invalid repo format, empty URL) — callers treat the absence as
    "no checks performed" without branching on the kind string everywhere.
    """
    try:
        normalised = (
            ReleaseProviderKind(kind)
            if not isinstance(kind, ReleaseProviderKind)
            else kind
        )
    except ValueError:
        return None
    if normalised is ReleaseProviderKind.DISABLED:
        return None
    if normalised is ReleaseProviderKind.GITEA:
        if not url or not is_valid_repo(repo):
            return None
        try:
            return GiteaReleaseProvider(session=session, url=url, repo=repo)
        except ValueError:
            return None
    if normalised is ReleaseProviderKind.GITHUB:
        if not is_valid_repo(repo):
            return None
        return GitHubReleaseProvider(session=session, repo=repo)
    return None
@@ -0,0 +1 @@
 Terse one-line health summary
@@ -0,0 +1 @@
 Show available commands
@@ -0,0 +1 @@
 Reset a failure counter (tracker:&lt;id&gt;, target:&lt;id&gt;, or all)
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`Reset a failure counter (tracker:<id>, target:<id>, or all)`