Add extensible notification providers + UI/API

Introduce a provider-based notification system and wire it through the API and admin UI. Added INotificationProvider + notification service implementation and providers (apprise, discord, ntfy, pushover), plus a GET /api/admin/notifications/providers endpoint to expose provider metadata. Refactored code to use provider type strings (removed enum coupling), updated masking/encryption calls, and simplified the test notification endpoint to accept backendId or type+config and call sendToBackend directly.

UI: NotificationsTab now fetches provider metadata and renders provider cards and dynamic config forms (fields driven by provider metadata). Added config field rendering, improved backend cards, and edit/delete actions.

APIs: New providers route, updated admin notification CRUD routes to validate provider types dynamically, updated test route schema. Added download-client categories POST API to fetch categories from clients and wired postImportCategory handling in download-client routes.

Other notable changes: BookDate now fetches Claude models dynamically from Anthropic's Models API; added paginated model fetch helper. Added ALLOW_WEAK_PASSWORD flag exposure to auth providers and password change logic. Doc updates and various tests added/updated. File-organization doc clarifies EPERM fix using stream-based copy.

src/app/api/auth/change-password/route.ts

@@ -39,7 +39,8 @@ export async function POST(request: NextRequest) {
       }
 
       // Validate new password length
-      if (newPassword.length < 8) {
+      const allowWeakPassword = process.env.ALLOW_WEAK_PASSWORD === 'true';
+      if (!allowWeakPassword && newPassword.length < 8) {
         return NextResponse.json(
           {
             success: false,

src/app/api/auth/providers/route.ts

@@ -18,6 +18,9 @@ export async function GET() {
     // Check if local login is disabled via environment variable
     const localLoginDisabled = process.env.DISABLE_LOCAL_LOGIN === 'true';
 
+    // Check if weak passwords are allowed via environment variable
+    const allowWeakPassword = process.env.ALLOW_WEAK_PASSWORD === 'true';
+
     // Check if automation (Phase 3) is configured by checking for Prowlarr/indexer config
     const indexerType = await configService.get('indexer.type');
     const prowlarrUrl = await configService.get('indexer.prowlarr_url');
@@ -47,6 +50,7 @@ export async function GET() {
         hasLocalUsers,
         oidcProviderName: oidcEnabled ? oidcProviderName : null,
         localLoginDisabled,
+        allowWeakPassword,
         automationEnabled,
       });
     } else {
@@ -65,6 +69,7 @@ export async function GET() {
         hasLocalUsers,
         oidcProviderName: null,
         localLoginDisabled,
+        allowWeakPassword,
         automationEnabled,
       });
     }
@@ -72,6 +77,7 @@ export async function GET() {
     logger.error('Failed to fetch auth providers', { error: error instanceof Error ? error.message : String(error) });
     // Default to Plex mode if config can't be read
     const localLoginDisabled = process.env.DISABLE_LOCAL_LOGIN === 'true';
+    const allowWeakPassword = process.env.ALLOW_WEAK_PASSWORD === 'true';
     return NextResponse.json({
       backendMode: 'plex',
       providers: ['plex'],
@@ -79,6 +85,7 @@ export async function GET() {
       hasLocalUsers: false,
       oidcProviderName: null,
       localLoginDisabled,
+      allowWeakPassword,
       automationEnabled: false,
     });
   }