refactor(server): replace node-fetch with native fetch + undici, fix photo integrations

Replace node-fetch v2 with Node 22's built-in fetch API across the entire server.
Add undici as an explicit dependency to provide the dispatcher API needed for
DNS pinning (SSRF rebinding prevention) in ssrfGuard.ts. All seven service files
that used a plain `import fetch from 'node-fetch'` are updated to use the global.
The ssrfGuard safeFetch/createPinnedAgent is rewritten as createPinnedDispatcher
using an undici Agent, with correct handling of the `all: true` lookup callback
required by Node 18+. The collabService dynamic require() and notifications agent
option are updated to use the dispatcher pattern. Test mocks are migrated from
vi.mock('node-fetch') to vi.stubGlobal('fetch'), and streaming test fixtures are
updated to use Web ReadableStream instead of Node Readable.

Fix several bugs in the Synology and Immich photo integrations:
- pipeAsset: guard against setting headers after stream has already started
- _getSynologySession: clear stale SID and re-login when decrypt_api_key returns null
  instead of propagating success(null) downstream
- _requestSynologyApi: return retrySession error (not stale session) on retry failure;
  also retry on error codes 106 (timeout) and 107 (duplicate login), not only 119
- searchSynologyPhotos: fix incorrect total field type (Synology list_item returns no
  total); hasMore correctly uses allItems.length === limit
- _splitPackedSynologyId: validate cache_key format before use; callers return 400
- getImmichCredentials / _getSynologyCredentials: treat null from decrypt_api_key as
  a missing-credentials condition rather than casting null to string
- Synology size param: enforce allowlist ['sm', 'm', 'xl'] per API documentation

server/tests/helpers/factories.ts

@@ -7,6 +7,7 @@
 import Database from 'better-sqlite3';
 import bcrypt from 'bcryptjs';
 import { encryptMfaSecret } from '../../src/services/mfaCrypto';
+import { encrypt_api_key } from '../../src/services/apiKeyCrypto';
 
 let _userSeq = 0;
 let _tripSeq = 0;
@@ -506,3 +507,75 @@ export function disableNotificationPref(
     'INSERT OR REPLACE INTO notification_channel_preferences (user_id, event_type, channel, enabled) VALUES (?, ?, ?, 0)'
   ).run(userId, eventType, channel);
 }
+
+// ---------------------------------------------------------------------------
+// Photo integration helpers
+// ---------------------------------------------------------------------------
+
+export interface TestTripPhoto {
+  id: number;
+  trip_id: number;
+  user_id: number;
+  asset_id: string;
+  provider: string;
+  shared: number;
+  album_link_id: number | null;
+}
+
+export function addTripPhoto(
+  db: Database.Database,
+  tripId: number,
+  userId: number,
+  assetId: string,
+  provider: string,
+  opts: { shared?: boolean; albumLinkId?: number } = {}
+): TestTripPhoto {
+  const result = db.prepare(
+    'INSERT OR IGNORE INTO trip_photos (trip_id, user_id, asset_id, provider, shared, album_link_id) VALUES (?, ?, ?, ?, ?, ?)'
+  ).run(tripId, userId, assetId, provider, opts.shared ? 1 : 0, opts.albumLinkId ?? null);
+  return db.prepare('SELECT * FROM trip_photos WHERE id = ?').get(result.lastInsertRowid) as TestTripPhoto;
+}
+
+export interface TestAlbumLink {
+  id: number;
+  trip_id: number;
+  user_id: number;
+  provider: string;
+  album_id: string;
+  album_name: string;
+}
+
+export function addAlbumLink(
+  db: Database.Database,
+  tripId: number,
+  userId: number,
+  provider: string,
+  albumId: string,
+  albumName = 'Test Album'
+): TestAlbumLink {
+  const result = db.prepare(
+    'INSERT INTO trip_album_links (trip_id, user_id, provider, album_id, album_name) VALUES (?, ?, ?, ?, ?)'
+  ).run(tripId, userId, provider, albumId, albumName);
+  return db.prepare('SELECT * FROM trip_album_links WHERE id = ?').get(result.lastInsertRowid) as TestAlbumLink;
+}
+
+export function setImmichCredentials(
+  db: Database.Database,
+  userId: number,
+  url: string,
+  apiKey: string
+): void {
+  db.prepare('UPDATE users SET immich_url = ?, immich_api_key = ? WHERE id = ?')
+    .run(url, encrypt_api_key(apiKey), userId);
+}
+
+export function setSynologyCredentials(
+  db: Database.Database,
+  userId: number,
+  url: string,
+  username: string,
+  password: string
+): void {
+  db.prepare('UPDATE users SET synology_url = ?, synology_username = ?, synology_password = ? WHERE id = ?')
+    .run(url, username, encrypt_api_key(password), userId);
+}

server/tests/helpers/test-db.ts

@@ -91,12 +91,22 @@ const DEFAULT_ADDONS = [
   { id: 'collab',    name: 'Collab',          description: 'Notes, polls, live chat',    type: 'trip',        icon: 'Users',       enabled: 1, sort_order: 6  },
 ];
 
+const DEFAULT_PHOTO_PROVIDERS = [
+  { id: 'immich',         name: 'Immich',          enabled: 1 },
+  { id: 'synologyphotos', name: 'Synology Photos',  enabled: 1 },
+];
+
 function seedDefaults(db: Database.Database): void {
   const insertCat = db.prepare('INSERT OR IGNORE INTO categories (name, color, icon) VALUES (?, ?, ?)');
   for (const cat of DEFAULT_CATEGORIES) insertCat.run(cat.name, cat.color, cat.icon);
 
   const insertAddon = db.prepare('INSERT OR IGNORE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?, ?)');
   for (const a of DEFAULT_ADDONS) insertAddon.run(a.id, a.name, a.description, a.type, a.icon, a.enabled, a.sort_order);
+
+  try {
+    const insertProvider = db.prepare('INSERT OR IGNORE INTO photo_providers (id, name, description, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?)');
+    for (const p of DEFAULT_PHOTO_PROVIDERS) insertProvider.run(p.id, p.name, p.id, 'Image', p.enabled, 0);
+  } catch { /* table may not exist in very old schemas */ }
 }
 
 /**