v0.26.0: Storage namespace felhom-data/ + test node wipe script

All felhom-managed data on external drives now lives under felhom-data/
subdirectory, cleanly separating controller data from user files.

- backup/paths.go: add FelhomDataDir constant, update 8 path helpers
- stacks/delete.go: add local felhomDataDir constant (circular import
  boundary), update ProtectedHDDPaths + GetStackBackupData
- storage/migrate_drive.go: import backup pkg, fix conflict check, verify,
  rsync excludes (felhom-data/backups/*/restic/), size estimation
- storage/migrate.go: import backup pkg, fix DB dump paths
- web/handlers.go: fix legacy 'storage' path -> backup.AppDataDir()
- storage/format_linux.go: create felhom-data/ instead of storage/
- storage/attach_linux.go: create felhom-data/ instead of storage/
- scripts/felhom-wipe.sh: new multi-level test node wipe script
  (soft/controller/full/nuclear)
- CHANGELOG.md, controller/README.md, scripts/README.md: updated docs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controller/README.md

@@ -4,7 +4,7 @@
 
 A single, lightweight Go container that replaces Portainer + scattered systemd scripts with a unified, Hungarian-language web dashboard for managing Docker Compose stacks, backups, storage, monitoring, and notifications on customer hardware.
 
-**Current version: v0.25.0**
+**Current version: v0.26.0**
 
 ---
 
@@ -227,21 +227,35 @@ self-sufficient backup** — any single tier can fully restore an app.
 
 The nightly backup has two phases that run sequentially. All paths are **per-drive** — each physical drive gets its own restic repo and per-app DB dump directories.
 
-**Drive layout (v0.14.1):**
+**Drive layout (v0.26.0):**
 ```
 <drive>/
-├── appdata/<app>/              ← app user data
-└── backups/
-    └── primary/
-        ├── restic/             ← one restic repo per drive (all apps on this drive)
-        └── <app>/db-dumps/     ← per-app DB dump files
+├── felhom-data/                ← all controller-managed data (namespace, v0.26.0+)
+│   ├── appdata/<app>/          ← app user data
+│   └── backups/
+│       ├── primary/
+│       │   ├── restic/         ← one restic repo per drive (all apps on this drive)
+│       │   └── <app>/db-dumps/ ← per-app DB dump files
+│       └── secondary/
+│           ├── restic/         ← secondary restic repo (cross-drive)
+│           ├── _infra/         ← infra config mirror
+│           └── <app>/rsync/    ← per-app rsync data
+├── .felhom-infra-backup/       ← DR marker (stays at drive root for scanner)
+├── Dokumentumok/               ← user files (not controller-managed)
+└── media/                      ← user files (not controller-managed)
 ```
 
-Path computation is centralized in `backup/paths.go`:
-- `PrimaryResticRepoPath(drivePath)` → `<drive>/backups/primary/restic/`
-- `AppDBDumpPath(drivePath, stackName)` → `<drive>/backups/primary/<stack>/db-dumps/`
-- `AppDataDir(drivePath, stackName)` → `<drive>/appdata/<stack>/`
-- `SecondaryInfraPath(drivePath)` → `<drive>/backups/secondary/_infra/`
+> **Note:** `HDD_PATH` env var in `app.yaml` is still the mount point (e.g., `/mnt/hdd_1`). The `felhom-data` segment is embedded in path helpers — not in `HDD_PATH`.
+> Pre-v0.26.0 installations use `<drive>/appdata/` and `<drive>/backups/` directly (no `felhom-data/` namespace).
+
+Path computation is centralized in `backup/paths.go` via the `FelhomDataDir = "felhom-data"` constant:
+- `PrimaryResticRepoPath(drivePath)` → `<drive>/felhom-data/backups/primary/restic/`
+- `AppDBDumpPath(drivePath, stackName)` → `<drive>/felhom-data/backups/primary/<stack>/db-dumps/`
+- `AppDataDir(drivePath, stackName)` → `<drive>/felhom-data/appdata/<stack>/`
+- `SecondaryResticRepoPath(drivePath)` → `<drive>/felhom-data/backups/secondary/restic/`
+- `AppSecondaryRsyncPath(drivePath, stackName)` → `<drive>/felhom-data/backups/secondary/<stack>/rsync/`
+- `SecondaryInfraPath(drivePath)` → `<drive>/felhom-data/backups/secondary/_infra/`
+- `InfraBackupDir(mountPath)` → `<drive>/.felhom-infra-backup/` (**unchanged** — stays at drive root for DR scanner)
 
 **Phase 1 — Database Dumps** (`internal/backup/dbdump.go`, scheduled 02:30)
 
@@ -405,7 +419,7 @@ A step-by-step UI at `/settings/storage/init`:
 1. **Scan** — Lists available disks with model, size, partition info
 2. **Select** — User picks a disk and enters a mount name (e.g., `hdd_1`)
 3. **Confirm** — User types "FORMAZAS" to confirm destructive operation
-4. **Format pipeline**: `wipefs` → `sfdisk` (GPT) → `mkfs.ext4` → `blkid` UUID → backup fstab → append UUID-based fstab entry → mount → `findmnt` verification → `chown 1000:1000` → create `appdata/`, `backups/`, and `Dokumentumok/` subdirectories
+4. **Format pipeline**: `wipefs` → `sfdisk` (GPT) → `mkfs.ext4` → `blkid` UUID → backup fstab → append UUID-based fstab entry → mount → `findmnt` verification → `chown 1000:1000` → create `felhom-data/` and `Dokumentumok/` subdirectories
 5. Auto-registers new storage path in settings.json
 6. Smart partition detection: skips repartitioning for existing empty partitions
 
@@ -415,7 +429,7 @@ Safety guards: system disk detection, mount path conflict check, confirmation re
 
 A step-by-step UI at `/settings/storage/attach` for drives that already have a filesystem (e.g., a previously used ext4 drive). Unlike the init wizard, this does **not** format the drive — existing data is preserved.
 
-**Problem solved:** Mounting a whole drive at `/mnt/<name>` would mix existing user data with the controller's directory structure (`storage/`, `Dokumentumok/`, backup repos). The bind-mount approach isolates the controller's working directory from other data on the drive.
+**Problem solved:** Mounting a whole drive at `/mnt/<name>` would mix existing user data with the controller's directory structure (`felhom-data/`, `Dokumentumok/`, etc.). The bind-mount approach isolates the controller's working directory from other data on the drive.
 
 1. **Scan** — Lists available disks, filtered to partitions that have an existing filesystem (FSType != "")
 2. **Mount raw** — Partition is mounted read-only at a hidden staging path (`/mnt/.felhom-raw/<label>`)
@@ -424,7 +438,7 @@ A step-by-step UI at `/settings/storage/attach` for drives that already have a f
 5. **Finalize** — Bind-mounts the selected subfolder at `/mnt/<name>`. Two fstab entries are created (both with `nofail`):
    - Raw mount: `UUID=<uuid> /mnt/.felhom-raw/<x> <fstype> defaults,nofail,noatime 0 2`
    - Bind mount: `/mnt/.felhom-raw/<x>/<subfolder> /mnt/<name> none bind,nofail 0 0`
-6. Sets permissions (`chown 1000:1000`), creates `storage/` and `Dokumentumok/` subdirectories
+6. Sets permissions (`chown 1000:1000`), creates `felhom-data/` and `Dokumentumok/` subdirectories
 7. Auto-registers the storage path in settings.json + syncs FileBrowser mounts
 
 Cancel at any point cleans up the temporary raw mount. The bind mount path (`/mnt/<name>`) is a real mount point, so all existing code (disk usage, IsMountPoint checks, etc.) works unchanged.
@@ -458,7 +472,7 @@ Progress UI at `/stacks/{name}/migrate` with byte counter and percentage.
 After migration, the deploy page detects leftover data on previous storage paths:
 - Shows path, size, and a delete button
 - Two-step confirmation required
-- Protected paths (appdata, backups, media, Dokumentumok) cannot be deleted
+- Protected paths (`felhom-data/`, `felhom-data/appdata/`, `felhom-data/backups/`, `media/`, `Dokumentumok/`) cannot be deleted
 
 #### FileBrowser Mount Sync
 
@@ -1044,7 +1058,7 @@ controller/
 │   │   └── *_other.go              # Non-Linux stubs for cross-compilation
 │   ├── backup/
 │   │   ├── backup.go               # Orchestrator (per-drive dumps + restic + cross-drive chain)
-│   │   ├── paths.go                # Per-drive path helpers (PrimaryResticRepoPath, InfraBackupDir, etc.)
+│   │   ├── paths.go                # Per-drive path helpers (FelhomDataDir constant, PrimaryResticRepoPath, AppDataDir, InfraBackupDir, etc.)
 │   │   ├── local_infra.go          # Local infra backup to all drives (.felhom-infra-backup/)
 │   │   ├── dbdump.go               # DB auto-discovery + dump (pg_dump, mariadb-dump)
 │   │   ├── restic.go               # Restic operations (init, snapshot, prune, check) — repoPath as param