fix: harden notify pipeline — edit truncation, timing-safe auth, stable assertions

[GeiserX]

Summary

Follow-up to #123 (pg_notify bound parameters by @tondeaf). Addresses all findings from the 11-agent review swarm:

• Edit notifications no longer silently dropped on long messages — The 500-char truncation guard only protected data["message"]["text"] (new_message path), leaving data["new_text"] (edit path) unprotected. A 4096-char emoji edit could produce a ~16KB payload exceeding PostgreSQL's 8KB NOTIFY limit. Both paths now truncated via shared _truncate_notify_data() helper.
• Push secret comparison is now timing-safe — /internal/push endpoint used != for bearer token comparison; switched to secrets.compare_digest() consistent with the rest of the auth layer.
• Test assertions use stable TextClause.text attribute — Replaced str(stmt) with stmt.text for SQLAlchemy SQL assertions, avoiding reliance on undocumented __str__ behavior.
• 3 new tests for edit notification truncation (55 total realtime tests, 1557 full suite)

Test plan

• All 55 realtime tests pass
• Full suite: 1557 passed, 0 failed
• ruff lint + format clean

[coderabbitai]

Warning

Rate limit exceeded

@GeiserX has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 59 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 19 minutes and 59 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 93989ce2-c820-467e-92a4-071ada535f5b

📥 Commits

Reviewing files that changed from the base of the PR and between 1a8b195 and 6fab616.

📒 Files selected for processing (6)

• docs/CHANGELOG.md
• pyproject.toml
• src/__init__.py
• src/realtime.py
• src/web/main.py
• tests/test_realtime.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/notify-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.46%. Comparing base (1a8b195) to head (6fab616).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #131   +/-   ##
=======================================
  Coverage   94.45%   94.46%           
=======================================
  Files          21       21           
  Lines        5931     5941   +10     
=======================================
+ Hits         5602     5612   +10     
  Misses        329      329           

Files with missing lines	Coverage Δ
src/__init__.py	100.00% <100.00%> (ø)
src/realtime.py	100.00% <100.00%> (ø)
src/web/main.py	87.43% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🐳 Dev images published!

• drumsergio/telegram-archive:dev
• drumsergio/telegram-archive-viewer:dev

The dev/test instance will pick up these changes automatically (Portainer GitOps).

To test locally:

docker pull drumsergio/telegram-archive:dev
docker pull drumsergio/telegram-archive-viewer:dev