Apply six isolated, low-risk fixes surfaced by the parallel
production-readiness review (backend, frontend, security, perf,
UI/UX, bugs+features).
Backend
- Mask access_token in provider GET responses and drop it on edit
when carrying the *** placeholder — fixes plaintext leak of HA
long-lived tokens (security H-1). Centralized via
PROVIDER_SECRET_FIELDS so all call sites stay in sync (C-5).
- Hold HA status-change tasks in a module-level set with a
done_callback — asyncio.create_task only keeps weak refs and
the task could be GC'd before its row was written (C-1).
- Roll back the request session in the Telegram-webhook catch-all
so a handler exception cannot leak uncommitted writes into the
next request (C-2).
- Bail before reading the 1 MiB webhook body when the Gitea
provider has no secret configured or the request has no
signature header. For the generic webhook with bearer_token
auth, verify the Authorization header before the body read.
Closes the pre-auth resource-exhaustion amplifier (C-3).
Frontend
- Add supportsAutoOrganize capability to ProviderDescriptor and
consume it from RuleEditor instead of `provider.type !== 'immich'`,
bringing the last action-rule editor under CLAUDE.md rule 8
(no provider-type hardcoding in components).
- Snackbar: add role="region" + per-toast role/aria-live/aria-atomic
so screen readers announce success/error toasts.
- Sidebar nav: add aria-current="page" on the active link so the
active state has an accessible name.
- New snackbar.region key in en + ru (locale parity preserved).
Out of scope for this commit (tracked in .claude/reviews/README.md
ship-blocker list): secret encryption at rest, JWT cookie move,
Alembic adoption, webhook idempotency, deferred-dispatch crash
window, persisted Telegram update watermark, bridge_self counter
lock — each needs more than a mechanical edit.
alexei.dolgolyov
2d59a5b994