feat(ui): themed confirm dialogs, mobile nav + backend safety fixes

[ShogyX]

Summary

Follow-up to #146 (UI bug fixes), landing the higher-value UX / accessibility and backend-safety improvements surfaced by the same full app audit. All changes are verified against the live backend (Vite dev proxy + Playwright) with the full unit suite + targeted backend tests green.

UX / accessibility

• Themed confirm dialogs — replaced native window.confirm() with a promise-based useConfirm() hook backed by the app's Modal (focus trap, Esc, body-scroll lock, dark-mode tokens) across all 11 destructive call sites: rules, integrations, notification channels, automation schedules, tags, optimization profiles (incl. the 409 force-delete), housekeeping, account "sign out other sessions", and the dashboard + rules suggestion dismissals. Delete actions get a red (danger) confirm button, and it's never auto-focused so a stray Enter can't fire a destructive action. The hook degrades to the native dialog when no <ConfirmProvider> is mounted (isolated unit tests), so existing tests keep passing unchanged. ConfirmDialog.tsx, AppProviders.tsx (+ 11 sites)
• Mobile navigation — at ≤640px the sidebar was display:none and navigation depended entirely on the ⌘K palette, unreachable on a touch device. Added a Topbar hamburger that opens the sidebar as a slide-in drawer with a dimmed tap-to-dismiss backdrop and auto-close on navigation. AppShell.tsx, Sidebar.tsx, Topbar.tsx, shell.css
• Notification dropdown — anchored to the topbar row (positioned ancestor) and clamped to the viewport so the 380px panel can't overflow / cause horizontal scroll on narrow screens. shell.css
• DataGrid font drift — bumped the primitive's hardcoded 13px/11px to the 14px/11.5px design baseline so it matches the hand-rolled tables. DataGrid.tsx

Backend hardening

• VirusTotal free-tier-safe default (app/automation/jobs.py) — the per-minute drain cap fell back to 20 when lookups_per_minute was unset (e.g. configs predating the field), silently exceeding VirusTotal's 4/min free-tier limit → 429 → ~24h backoff. Now falls back to the free-tier ceiling (4), which is already the documented schema default.
• Accurate reap status (app/worker.py) — reap_stale_scans now emits each run's real prior status (queued vs running) in the scan.reaped WS event instead of a hardcoded "queued".

Verification

• tsc --noEmit clean · eslint . --max-warnings=0 clean · vitest run 552 passed / 3 skipped
• Backend (deployed venv): test_virustotal_drain / test_virustotal_quota / test_scan_reaper / test_virustotal_stage19 — 34 passed; changed modules import-smoke clean.
• Live (Vite dev proxy → running backend, Playwright):
  • themed confirm dialog opens with title + Cancel and closes with no side effects (native confirm gone)
  • mobile (390px): hamburger shows → drawer opens → a link navigates and closes the drawer → backdrop tap closes it
  • notification dropdown fits within the viewport at 390px (left 8 / right 374 of 390)
  • regression walk across 15 routes: zero console / page / HTTP errors

Reviewer checklist

• cd frontend && npm ci && npm run typecheck && npm run lint && npm test
• Any delete/dismiss shows the themed dialog (not native confirm); Cancel is a no-op, Confirm performs the action
• Narrow to phone width → hamburger → drawer opens / navigates / closes (link + backdrop)
• Bell dropdown stays on-screen at narrow widths

Not included (deferred follow-ups)

• Sonarr/Radarr history sortKey: the cursor compares by id but sorts by date; switching to sortKey=id needs validation against a live Sonarr/Radarr before merging.
• Optimization retry contract: retriable_states includes "completed", but the UI never offers retry on completed items, so there's no user-facing bug; left as-is to avoid surprising direct API callers.
• Skeleton loaders for table/card loads (larger change).

🤖 Generated with Claude Code