feat: v1.0.0 — UX polish, security hardening, code quality

UI/UX:
- Bill detail page tab UI (Analysis / Timeline / Votes / Notes)
- Topic tag pills on bill detail and listing pages — filtered to known
  topics, clickable, properly labelled via shared lib/topics.ts
- Notes panel always-open in Notes tab; sign-in prompt for guests
- Collapsible sidebar with icon-only mode and localStorage persistence
- Bills page defaults to has-text filter enabled
- Follow mode dropdown transparency fix
- Favicon (Landmark icon, blue background)

Security:
- Fernet encryption for ntfy passwords at rest (app/core/crypto.py)
- Separate ENCRYPTION_SECRET_KEY env var; falls back to JWT derivation
- ntfy_password no longer returned in GET response — replaced with
  ntfy_password_set: bool; NotificationSettingsUpdate type for writes
- JWT_SECRET_KEY fail-fast on startup if using default placeholder
- get_optional_user catches (JWTError, ValueError) only, not Exception

Bug fixes & code quality:
- Dashboard N+1 topic query replaced with single OR query
- notification_utils.py topic follower N+1 replaced with batch query
- Note query in bill detail page gated on token (enabled: !!token)
- search.py max_length=500 guard against oversized queries
- CollectionCreate.validate_name wired up with @field_validator
- LLM_RATE_LIMIT_RPM default raised from 10 to 50

Authored by: Jack Levy

backend/app/api/dashboard.py

@@ -2,7 +2,7 @@ from datetime import date, timedelta
 
 from fastapi import Depends
 from fastapi import APIRouter
-from sqlalchemy import desc, select
+from sqlalchemy import desc, or_, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 
@@ -92,15 +92,15 @@ async def get_dashboard(
                 feed_bills.append(bill)
                 seen_ids.add(bill.bill_id)
 
-    # 3. Bills matching followed topics
-    for topic in followed_topics:
+    # 3. Bills matching followed topics (single query with OR across all topics)
+    if followed_topics:
         result = await db.execute(
             select(Bill)
             .options(selectinload(Bill.sponsor), selectinload(Bill.briefs), selectinload(Bill.trend_scores))
             .join(BillBrief, Bill.bill_id == BillBrief.bill_id)
-            .where(BillBrief.topic_tags.contains([topic]))
+            .where(or_(*[BillBrief.topic_tags.contains([t]) for t in followed_topics]))
             .order_by(desc(Bill.latest_action_date))
-            .limit(10)
+            .limit(20)
         )
         for bill in result.scalars().all():
             if bill.bill_id not in seen_ids:

backend/app/api/notifications.py

@@ -12,6 +12,7 @@ from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.config import settings as app_settings
+from app.core.crypto import decrypt_secret, encrypt_secret
 from app.core.dependencies import get_current_user
 from app.database import get_db
 from app.models.notification import NotificationEvent
@@ -41,7 +42,7 @@ def _prefs_to_response(prefs: dict, rss_token: str | None) -> NotificationSettin
         ntfy_auth_method=prefs.get("ntfy_auth_method", "none"),
         ntfy_token=prefs.get("ntfy_token", ""),
         ntfy_username=prefs.get("ntfy_username", ""),
-        ntfy_password=prefs.get("ntfy_password", ""),
+        ntfy_password_set=bool(decrypt_secret(prefs.get("ntfy_password", ""))),
         ntfy_enabled=prefs.get("ntfy_enabled", False),
         rss_enabled=prefs.get("rss_enabled", False),
         rss_token=rss_token,
@@ -88,7 +89,7 @@ async def update_notification_settings(
     if body.ntfy_username is not None:
         prefs["ntfy_username"] = body.ntfy_username.strip()
     if body.ntfy_password is not None:
-        prefs["ntfy_password"] = body.ntfy_password.strip()
+        prefs["ntfy_password"] = encrypt_secret(body.ntfy_password.strip())
     if body.ntfy_enabled is not None:
         prefs["ntfy_enabled"] = body.ntfy_enabled
     if body.rss_enabled is not None:

backend/app/api/search.py

@@ -11,7 +11,7 @@ router = APIRouter()
 
 @router.get("")
 async def search(
-    q: str = Query(..., min_length=2),
+    q: str = Query(..., min_length=2, max_length=500),
     db: AsyncSession = Depends(get_db),
 ):
     # Bill ID direct match

backend/app/config.py

@@ -1,4 +1,5 @@
 from functools import lru_cache
+from pydantic import model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -13,6 +14,11 @@ class Settings(BaseSettings):
     JWT_SECRET_KEY: str = "change-me-in-production"
     JWT_EXPIRE_MINUTES: int = 60 * 24 * 7  # 7 days
 
+    # Symmetric encryption for sensitive user prefs (ntfy password, etc.)
+    # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+    # Falls back to JWT_SECRET_KEY derivation if not set (not recommended for production)
+    ENCRYPTION_SECRET_KEY: str = ""
+
     # Database
     DATABASE_URL: str = "postgresql+asyncpg://congress:congress@postgres:5432/pocketveto"
     SYNC_DATABASE_URL: str = "postgresql://congress:congress@postgres:5432/pocketveto"
@@ -40,9 +46,9 @@ class Settings(BaseSettings):
     OLLAMA_MODEL: str = "llama3.1"
 
     # Max LLM requests per minute — Celery enforces this globally across all workers.
-    # Safe defaults: free Gemini=15 RPM, Anthropic paid=50 RPM, OpenAI paid=500 RPM.
-    # Raise this in .env once you confirm your API tier.
-    LLM_RATE_LIMIT_RPM: int = 10
+    # Defaults: free Gemini=15 RPM, Anthropic paid=50 RPM, OpenAI paid=500 RPM.
+    # Lower this in .env if you hit rate limit errors on a restricted tier.
+    LLM_RATE_LIMIT_RPM: int = 50
 
     # Google Civic Information API (zip → representative lookup)
     # Free key: https://console.cloud.google.com/apis/library/civicinfo.googleapis.com
@@ -54,6 +60,15 @@ class Settings(BaseSettings):
     # pytrends
     PYTRENDS_ENABLED: bool = True
 
+    @model_validator(mode="after")
+    def check_secrets(self) -> "Settings":
+        if self.JWT_SECRET_KEY == "change-me-in-production":
+            raise ValueError(
+                "JWT_SECRET_KEY must be set to a secure random value in .env. "
+                "Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
+            )
+        return self
+
     # SMTP (Email notifications)
     SMTP_HOST: str = ""
     SMTP_PORT: int = 587

backend/app/core/crypto.py

@@ -0,0 +1,44 @@
+"""Symmetric encryption for sensitive user prefs (e.g. ntfy password).
+
+Key priority:
+  1. ENCRYPTION_SECRET_KEY env var (recommended — dedicated key, easily rotatable)
+  2. Derived from JWT_SECRET_KEY (fallback for existing installs)
+
+Generate a dedicated key:
+  python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+"""
+import base64
+import hashlib
+
+from cryptography.fernet import Fernet
+
+_PREFIX = "enc:"
+_fernet_instance: Fernet | None = None
+
+
+def _fernet() -> Fernet:
+    global _fernet_instance
+    if _fernet_instance is None:
+        from app.config import settings
+        if settings.ENCRYPTION_SECRET_KEY:
+            # Use dedicated key directly (must be a valid 32-byte base64url key)
+            _fernet_instance = Fernet(settings.ENCRYPTION_SECRET_KEY.encode())
+        else:
+            # Fallback: derive from JWT secret
+            key_bytes = hashlib.sha256(settings.JWT_SECRET_KEY.encode()).digest()
+            _fernet_instance = Fernet(base64.urlsafe_b64encode(key_bytes))
+    return _fernet_instance
+
+
+def encrypt_secret(plaintext: str) -> str:
+    """Encrypt a string and return a prefixed ciphertext."""
+    if not plaintext:
+        return plaintext
+    return _PREFIX + _fernet().encrypt(plaintext.encode()).decode()
+
+
+def decrypt_secret(value: str) -> str:
+    """Decrypt a value produced by encrypt_secret. Returns plaintext as-is (legacy support)."""
+    if not value or not value.startswith(_PREFIX):
+        return value  # legacy plaintext — return unchanged
+    return _fernet().decrypt(value[len(_PREFIX):].encode()).decode()

backend/app/core/dependencies.py

@@ -40,7 +40,7 @@ async def get_optional_user(
     try:
         user_id = decode_token(token)
         return await db.get(User, user_id)
-    except Exception:
+    except (JWTError, ValueError):
         return None
 
 

backend/app/schemas/schemas.py

@@ -1,7 +1,7 @@
 from datetime import date, datetime
 from typing import Any, Generic, Optional, TypeVar
 
-from pydantic import BaseModel
+from pydantic import BaseModel, field_validator
 
 
 # ── Notifications ──────────────────────────────────────────────────────────────
@@ -31,7 +31,7 @@ class NotificationSettingsResponse(BaseModel):
     ntfy_auth_method: str = "none"  # none | token | basic
     ntfy_token: str = ""
     ntfy_username: str = ""
-    ntfy_password: str = ""
+    ntfy_password_set: bool = False
     ntfy_enabled: bool = False
     rss_enabled: bool = False
     rss_token: Optional[str] = None
@@ -315,11 +315,13 @@ class CollectionCreate(BaseModel):
     name: str
     is_public: bool = False
 
-    def validate_name(self) -> str:
-        name = self.name.strip()
-        if not 1 <= len(name) <= 100:
+    @field_validator("name")
+    @classmethod
+    def validate_name(cls, v: str) -> str:
+        v = v.strip()
+        if not 1 <= len(v) <= 100:
             raise ValueError("name must be 1–100 characters")
-        return name
+        return v
 
 
 class CollectionUpdate(BaseModel):

backend/app/workers/notification_dispatcher.py

@@ -14,6 +14,7 @@ from datetime import datetime, timedelta, timezone
 
 import requests
 
+from app.core.crypto import decrypt_secret
 from app.database import get_sync_db
 from app.models.follow import Follow
 from app.models.notification import NotificationEvent
@@ -162,7 +163,7 @@ def dispatch_notifications(self):
             ntfy_auth_method = prefs.get("ntfy_auth_method", "none")
             ntfy_token = prefs.get("ntfy_token", "").strip()
             ntfy_username = prefs.get("ntfy_username", "").strip()
-            ntfy_password = prefs.get("ntfy_password", "").strip()
+            ntfy_password = decrypt_secret(prefs.get("ntfy_password", "").strip())
             ntfy_enabled = prefs.get("ntfy_enabled", False)
             rss_enabled = prefs.get("rss_enabled", False)
             digest_enabled = prefs.get("digest_enabled", False)

backend/app/workers/notification_utils.py

@@ -129,16 +129,20 @@ def emit_topic_follow_notifications(
     from app.models.follow import Follow
     from app.models.notification import NotificationEvent
 
-    # Collect unique followers across all matching tags, recording the first matching tag per user
+    # Single query for all topic followers, then deduplicate by user_id
+    all_follows = db.query(Follow).filter(
+        Follow.follow_type == "topic",
+        Follow.follow_value.in_(topic_tags),
+    ).all()
+
     seen_user_ids: set[int] = set()
     followers = []
     follower_topic: dict[int, str] = {}
-    for tag in topic_tags:
-        for follow in db.query(Follow).filter_by(follow_type="topic", follow_value=tag).all():
-            if follow.user_id not in seen_user_ids:
-                seen_user_ids.add(follow.user_id)
-                followers.append(follow)
-                follower_topic[follow.user_id] = tag
+    for follow in all_follows:
+        if follow.user_id not in seen_user_ids:
+            seen_user_ids.add(follow.user_id)
+            followers.append(follow)
+            follower_topic[follow.user_id] = follow.follow_value
 
     if not followers:
         return 0