correctness batch: atomic writes, task refs, hmac, import-star, pickle

Per review §2:

- web/db.py: new _tx() context manager wraps multi-statement writers in
  BEGIN IMMEDIATE … COMMIT/ROLLBACK (our connections run in autocommit
  mode, so plain `with _lock:` doesn't give atomicity). partnership_accept
  (UPDATE + DELETE) and cleanup_retention (3 deletes/updates) now use it.
- Fire-and-forget tasks: add module-level _bg_tasks sets in web/app.py and
  web/enrichment.py. A _spawn() helper holds a strong ref until the task
  finishes so the GC can't drop it mid-flight (CPython's event loop only
  weakly references pending tasks).
- apply/main.py: require_api_key uses hmac.compare_digest, matching web's
  check. Also imports now use explicit names instead of `from settings *`.
- apply/language.py: replace `from settings import *` + `from paths import *`
  with explicit imports — this is the pattern that caused the LANGUAGE
  NameError earlier.
- alert/utils.py: pickle-based hash_any_object → deterministic JSON+sha256.
  Cheaper, portable across Python versions, no pickle attack surface.
- web/notifications.py: /fehler links repointed to /bewerbungen (the
  former page doesn't exist).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

web/db.py

@@ -9,6 +9,7 @@ import json
 import logging
 import sqlite3
 import threading
+from contextlib import contextmanager
 from datetime import datetime, timedelta, timezone
 from typing import Any, Iterable, Optional
 
@@ -42,6 +43,23 @@ def _get_conn() -> sqlite3.Connection:
     return c
 
 
+@contextmanager
+def _tx():
+    """Atomic BEGIN IMMEDIATE … COMMIT/ROLLBACK. Required for multi-statement
+    writes because our connections run in autocommit mode (isolation_level=None).
+    Combine with _lock to serialize writers and avoid BUSY.
+    """
+    c = _get_conn()
+    c.execute("BEGIN IMMEDIATE")
+    try:
+        yield c
+    except Exception:
+        c.execute("ROLLBACK")
+        raise
+    else:
+        c.execute("COMMIT")
+
+
 # ---------------------------------------------------------------------------
 # Schema
 # ---------------------------------------------------------------------------
@@ -845,13 +863,13 @@ def partnership_accept(request_id: int, user_id: int) -> bool:
     if get_accepted_partnership(row["from_user_id"]) or get_accepted_partnership(user_id):
         return False
     partner_id = row["from_user_id"]
-    with _lock:
-        _get_conn().execute(
+    with _lock, _tx() as c:
+        c.execute(
             "UPDATE partnerships SET status = 'accepted', accepted_at = ? WHERE id = ?",
             (now_iso(), request_id),
         )
         # clean up any stale pending requests touching either user
-        _get_conn().execute(
+        c.execute(
             """DELETE FROM partnerships
                 WHERE status = 'pending'
                   AND (from_user_id IN (?, ?) OR to_user_id IN (?, ?))""",
@@ -899,12 +917,12 @@ def partner_flat_actions(partner_id: int) -> dict:
 def cleanup_retention() -> dict:
     cutoff = (datetime.now(timezone.utc) - timedelta(days=RETENTION_DAYS)).isoformat(timespec="seconds")
     stats = {}
-    with _lock:
+    with _lock, _tx() as c:
         for table in ("errors", "audit_log"):
-            cur = _get_conn().execute(f"DELETE FROM {table} WHERE timestamp < ?", (cutoff,))
+            cur = c.execute(f"DELETE FROM {table} WHERE timestamp < ?", (cutoff,))
             stats[table] = cur.rowcount
         # Drop forensics from old applications (but keep the row itself for history)
-        cur = _get_conn().execute(
+        cur = c.execute(
             "UPDATE applications SET forensics_json = NULL WHERE started_at < ? AND forensics_json IS NOT NULL",
             (cutoff,),
         )