feat: production hardening + password reset, metrics, signed webhooks

Security hardening (CRITICAL/HIGH from production-readiness audit):
- Require strong JWT_SECRET + separate INTEGRATION_ENCRYPTION_KEY at boot;
  refuse placeholder defaults. Integration key now derived via HKDF.
- SSRF guard (src/lib/server/utils/safeFetch.ts): DNS-resolves and rejects
  RFC1918/loopback/link-local/IPv4-mapped IPv6/decimal-IP/cloud-metadata.
  Manual redirect handling re-validates each 3xx Location hop. Applied to
  healthcheck, RSS, calendar, metric, system-stats, camera, notifications,
  discovery, apps/preview, and all integration clients.
- API tokens, session refresh tokens, invite tokens, password-reset tokens
  switched from bcrypt to sha256 with @unique indexed lookup (O(1) instead
  of O(N) bcrypt-compares; eliminates a trivial DoS).
- Refresh-token reuse detection via Session.previousTokenHash.
- Permission checks on App PATCH/DELETE and Widget/Section endpoints.
- /api/integrations/alerts now requires auth.
- SVG uploads sanitized through DOMPurify (svg profile, scheme allow-list).
- Custom CSS sanitizer + selector scoping (decodes CSS unicode escapes
  before pattern match, drops forbidden at-rules incl. @import without
  whitespace, strips dangerous url() args). Scoped to .custom-css-scope.
- Backup restore validates SQLite magic header, takes a safety snapshot,
  uses atomic rename, re-applies pragmas.
- SQLite WAL + busy_timeout + foreign_keys + synchronous=NORMAL at startup.
- Healthcheck scheduler was dead code; wired in hooks.server.ts with
  HMR-safe singleton, concurrency cap, overlap prevention, retention jobs
  for AppClick/Notification/AuditLog. Composite indexes added on hot paths.
- Security headers (CSP, HSTS-on-https, X-Frame-Options, Permissions-Policy)
  emitted on every response.
- Account-enumeration mitigation on login (dummy bcrypt on no-user/oauth
  branches) + rate limiting on login/register/onboarding/refresh/invite/
  password-reset.
- OAuth callback sanitizes IdP error_description before echoing.

New features:
- Custom +error.svelte pages (root + boards + admin) via shared
  ErrorState component. Inverted hierarchy (status as label, title as hero).
- /forgot-password + /reset-password + admin-mediated /admin/password-resets
  page. SHA256 tokens, 24h TTL, all sessions revoked on apply.
- /invite page for manual invite-token redemption.
- /api/metrics Prometheus exposition with optional METRICS_TOKEN bearer
  auth. Counters for login/healthcheck/notification/integration; gauges
  for users/boards/apps + per-status app counts.
- Webhook HMAC-SHA256 signing for HTTP notification channels (optional
  shared secret + configurable signature header, default X-Signature-256).
- PATCH /api/users/me/password for self-service password change.
- Persistent uploads at /app/data/uploads with served-from-volume handler
  at /uploads/[...path]. SVGs served with CSP: sandbox.
- /api/health does a DB ping; returns 503 on disconnect.
- Public /status filtered to guest-accessible-board apps when unauthenticated.
- Audit log coverage: LOGIN_SUCCESS/FAILED, LOGOUT, OAUTH_LOGIN,
  OAUTH_USER_PROVISIONED, SESSION_REVOKED, API_TOKEN_*, INVITE_*,
  APP_UPDATED, PASSWORD_CHANGED, PASSWORD_RESET_*.

Performance:
- Board page: removed double findAll() over-fetch; include links + appTags
  in board query; widgets lazy-loaded via dynamic imports (marked,
  DOMPurify, hls.js, integration renderers).
- uptimeService.getAllAppsUptime: single batched query instead of N+1.
- 30s in-memory user-locals cache; invalidated on user mutation.
- pruneOldStatuses: single window-function DELETE instead of N+1.

Code quality:
- Typed error classes (NotFoundError, PermissionError, RateLimitError,
  IntegrationError) with toHttpError mapper.
- Locals.user shape exposes avatarUrl and narrows role via guard.
- App input types derived from Zod schemas via z.infer.
- 274 tests passing (up from 212); 62 new tests covering SSRF guard,
  CSS sanitizer, SVG sanitizer, rate limiter.

CI / Docker / config:
- Test workflow adds build, docker-build, audit jobs. Release workflow
  uses buildx multi-arch (amd64+arm64) with provenance + SBOM.
- Dockerfile uses tini, multi-stage prune, persistent uploads dir, single
  prisma migrate deploy (no destructive db push fallback).
- docker-compose: JWT_SECRET + INTEGRATION_ENCRYPTION_KEY required at
  startup, log rotation, resource limits.
- README documents breaking-change upgrade path.

Bug fixes from UI/UX review:
- ~55 missing i18n keys added to en/ru (auth flows, error pages, admin
  nav, register invite banner, settings.card_style).
- Hardcoded English on login replaced with $t('auth.remember_me').
- Admin nav uses i18n keys; mobile horizontal-scroll layout.
- Page <title> tags standardized.
- Password-resets: separated error/info/success surfaces, ConfirmDialog
  replaces window.confirm.
- Auth pages have matching lucide icon badges.
- Webhook secret has eye toggle and monospace input.
- text-green-500 → text-emerald-500 to match codebase convention.

Pre-existing CI lint failures cleaned up (31 errors → 0): each-key
attributes added, unused-svelte-ignore comments removed, two any casts
typed, dead skeleton components removed, /boards/[id]/edit redirect to
inline edit mode.

Tests: 274 / 274 passing
Type check: 0 errors / 0 warnings
Build: green

src/lib/utils/validators.ts

@@ -11,28 +11,82 @@ import {
 	CardSize,
 	NotificationType,
 	ApiTokenScope,
-	AuditAction
+	AuditAction,
+	DEFAULTS
 } from './constants.js';
 
 // --- Auth ---
 
+const COMMON_PASSWORDS = new Set([
+	'password',
+	'password1',
+	'12345678',
+	'qwerty',
+	'qwerty123',
+	'letmein',
+	'welcome',
+	'admin',
+	'administrator',
+	'changeme',
+	'iloveyou',
+	'monkey'
+]);
+
+function passwordPolicy(min: number) {
+	return z
+		.string()
+		.min(min, `Password must be at least ${min} characters`)
+		.max(DEFAULTS.MAX_PASSWORD_LENGTH, `Password must be at most ${DEFAULTS.MAX_PASSWORD_LENGTH} characters`)
+		.refine((p) => !COMMON_PASSWORDS.has(p.toLowerCase()), {
+			message: 'Password is too common'
+		});
+}
+
+export const userPasswordSchema = passwordPolicy(DEFAULTS.MIN_PASSWORD_LENGTH);
+export const adminPasswordSchema = passwordPolicy(DEFAULTS.MIN_ADMIN_PASSWORD_LENGTH);
+
+/**
+ * URL schema that only accepts http:// or https://. Use this everywhere we
+ * accept a URL the server will later fetch or the browser will navigate to,
+ * to block javascript:/data:/file: vectors.
+ */
+export const httpUrlSchema = z
+	.string()
+	.url('Invalid URL')
+	.refine(
+		(u) => {
+			try {
+				const p = new URL(u).protocol;
+				return p === 'http:' || p === 'https:';
+			} catch {
+				return false;
+			}
+		},
+		{ message: 'Only http(s) URLs are allowed' }
+	);
+
 export const loginSchema = z.object({
 	email: z.string().email('Invalid email address'),
-	password: z.string().min(1, 'Password is required'),
+	password: z.string().min(1, 'Password is required').max(DEFAULTS.MAX_PASSWORD_LENGTH),
 	rememberMe: z.boolean().optional().default(false)
 });
 
 export const registerSchema = z.object({
 	email: z.string().email('Invalid email address'),
-	password: z.string().min(6, 'Password must be at least 6 characters'),
+	password: userPasswordSchema,
 	displayName: z.string().min(1, 'Display name is required').max(100)
 });
 
+export const changePasswordSchema = z.object({
+	currentPassword: z.string().min(1).max(DEFAULTS.MAX_PASSWORD_LENGTH),
+	newPassword: userPasswordSchema
+});
+
 // --- User ---
 
 export const createUserSchema = z.object({
 	email: z.string().email('Invalid email address'),
-	password: z.string().min(6).optional(),
+	password: userPasswordSchema.optional(),
 	displayName: z.string().min(1).max(100),
 	avatarUrl: z.string().url().optional(),
 	authProvider: z.enum([AuthMode.LOCAL, AuthMode.OAUTH]).optional(),
@@ -65,7 +119,7 @@ export const updateGroupSchema = z.object({
 
 export const createAppSchema = z.object({
 	name: z.string().min(1, 'App name is required').max(200),
-	url: z.string().url('Invalid URL'),
+	url: httpUrlSchema,
 	icon: z.string().max(500).optional(),
 	iconType: z.enum([IconType.LUCIDE, IconType.SIMPLE, IconType.URL, IconType.EMOJI]).optional(),
 	description: z.string().max(1000).optional(),
@@ -83,7 +137,7 @@ export const createAppSchema = z.object({
 
 export const updateAppSchema = z.object({
 	name: z.string().min(1).max(200).optional(),
-	url: z.string().url().optional(),
+	url: httpUrlSchema.optional(),
 	icon: z.string().max(500).nullable().optional(),
 	iconType: z.enum([IconType.LUCIDE, IconType.SIMPLE, IconType.URL, IconType.EMOJI]).optional(),
 	description: z.string().max(1000).nullable().optional(),
@@ -150,12 +204,14 @@ export const updateSectionSchema = z.object({
 
 // --- Widget Config Schemas ---
 
+const httpUrl = httpUrlSchema;
+
 export const appWidgetConfigSchema = z.object({
 	appId: z.string().min(1, 'App ID is required')
 });
 
 export const bookmarkWidgetConfigSchema = z.object({
-	url: z.string().url('Invalid URL'),
+	url: httpUrl,
 	label: z.string().min(1, 'Label is required').max(200),
 	icon: z.string().max(100).optional(),
 	description: z.string().max(500).optional()
@@ -167,9 +223,14 @@ export const noteWidgetConfigSchema = z.object({
 });
 
 export const embedWidgetConfigSchema = z.object({
-	url: z.string().url('Invalid URL'),
+	url: httpUrl,
 	height: z.number().int().min(100).max(2000).default(300),
-	sandbox: z.string().max(200).optional()
+	// Default to a strict sandbox; explicit override required to relax.
+	sandbox: z
+		.string()
+		.max(200)
+		.optional()
+		.default('allow-scripts allow-same-origin allow-forms allow-popups')
 });
 
 export const statusWidgetConfigSchema = z.object({