feat: v1.0.0 — UX polish, security hardening, code quality

UI/UX:
- Bill detail page tab UI (Analysis / Timeline / Votes / Notes)
- Topic tag pills on bill detail and listing pages — filtered to known
  topics, clickable, properly labelled via shared lib/topics.ts
- Notes panel always-open in Notes tab; sign-in prompt for guests
- Collapsible sidebar with icon-only mode and localStorage persistence
- Bills page defaults to has-text filter enabled
- Follow mode dropdown transparency fix
- Favicon (Landmark icon, blue background)

Security:
- Fernet encryption for ntfy passwords at rest (app/core/crypto.py)
- Separate ENCRYPTION_SECRET_KEY env var; falls back to JWT derivation
- ntfy_password no longer returned in GET response — replaced with
  ntfy_password_set: bool; NotificationSettingsUpdate type for writes
- JWT_SECRET_KEY fail-fast on startup if using default placeholder
- get_optional_user catches (JWTError, ValueError) only, not Exception

Bug fixes & code quality:
- Dashboard N+1 topic query replaced with single OR query
- notification_utils.py topic follower N+1 replaced with batch query
- Note query in bill detail page gated on token (enabled: !!token)
- search.py max_length=500 guard against oversized queries
- CollectionCreate.validate_name wired up with @field_validator
- LLM_RATE_LIMIT_RPM default raised from 10 to 50

Authored by: Jack Levy

backend/app/config.py

@@ -1,4 +1,5 @@
 from functools import lru_cache
+from pydantic import model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -13,6 +14,11 @@ class Settings(BaseSettings):
     JWT_SECRET_KEY: str = "change-me-in-production"
     JWT_EXPIRE_MINUTES: int = 60 * 24 * 7  # 7 days
 
+    # Symmetric encryption for sensitive user prefs (ntfy password, etc.)
+    # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+    # Falls back to JWT_SECRET_KEY derivation if not set (not recommended for production)
+    ENCRYPTION_SECRET_KEY: str = ""
+
     # Database
     DATABASE_URL: str = "postgresql+asyncpg://congress:congress@postgres:5432/pocketveto"
     SYNC_DATABASE_URL: str = "postgresql://congress:congress@postgres:5432/pocketveto"
@@ -40,9 +46,9 @@ class Settings(BaseSettings):
     OLLAMA_MODEL: str = "llama3.1"
 
     # Max LLM requests per minute — Celery enforces this globally across all workers.
-    # Safe defaults: free Gemini=15 RPM, Anthropic paid=50 RPM, OpenAI paid=500 RPM.
-    # Raise this in .env once you confirm your API tier.
-    LLM_RATE_LIMIT_RPM: int = 10
+    # Defaults: free Gemini=15 RPM, Anthropic paid=50 RPM, OpenAI paid=500 RPM.
+    # Lower this in .env if you hit rate limit errors on a restricted tier.
+    LLM_RATE_LIMIT_RPM: int = 50
 
     # Google Civic Information API (zip → representative lookup)
     # Free key: https://console.cloud.google.com/apis/library/civicinfo.googleapis.com
@@ -54,6 +60,15 @@ class Settings(BaseSettings):
     # pytrends
     PYTRENDS_ENABLED: bool = True
 
+    @model_validator(mode="after")
+    def check_secrets(self) -> "Settings":
+        if self.JWT_SECRET_KEY == "change-me-in-production":
+            raise ValueError(
+                "JWT_SECRET_KEY must be set to a secure random value in .env. "
+                "Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
+            )
+        return self
+
     # SMTP (Email notifications)
     SMTP_HOST: str = ""
     SMTP_PORT: int = 587