fix: preserve oauth client_secret on roundtrip, harden rollback path validation, guard non-dict payload

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hbd/server/http.py

@@ -1089,6 +1089,9 @@ async def start(
         except Exception:
             return web.json_response({"error": "Invalid JSON"}, status=400)
 
+        if not isinstance(payload, dict):
+            return web.json_response({"error": "Invalid JSON"}, status=400)
+
         try:
             data = configio_mod.read_roundtrip(_config_path)
 
@@ -1112,7 +1115,17 @@ async def start(
                 configio_mod.apply_structured_section(data, "users", users_payload)
 
             if "oauth" in payload:
-                data["oauth"] = payload["oauth"]
+                existing_oauth = data.get("oauth") or {}
+                new_oauth = payload["oauth"]
+                for name, attrs in new_oauth.items():
+                    cs = attrs.get("client_secret", "")
+                    if not cs or cs == "•••":
+                        existing_cs = (existing_oauth.get(name) or {}).get("client_secret", "")
+                        if existing_cs:
+                            attrs["client_secret"] = existing_cs
+                        else:
+                            attrs.pop("client_secret", None)
+                data["oauth"] = new_oauth
 
             for section in ("notification_channels", "thresholds", "hosts", "dns"):
                 if section in payload:
@@ -1144,8 +1157,7 @@ async def start(
             return web.json_response({"error": "Invalid JSON"}, status=400)
 
         backup = body.get("backup", "")
-        expected_prefix = _config_path + ".bak."
-        if not backup or not backup.startswith(expected_prefix) or not os.path.exists(backup):
+        if not backup or backup not in configio_mod.list_backups(_config_path):
             return web.json_response({"error": "Invalid or missing backup"}, status=400)
 
         try: