fix: P0+P1 critical bug fixes across controller (24 files)

Concurrency fixes:
- Deep-copy stacks in GetStack/GetStacks to prevent shared state mutation (C04)
- Add per-state mutex to watchdog pathProbeState (C05)
- Guard MetricsCollector.Start() with sync.Once against double-start (C06)
- Hold diskJobMu across entire raw mount operation (C07)
- Add mutex to SetEncryptionKey (C08), MigrateEncryption write lock (H03)
- Use sync.Once for sync.Stop() channel close (H08)
- Set syncing=true before releasing lock in TriggerSync (H09)
- Deep-copy lastDBDump/lastBackup in GetFullStatus (H11)
- Add WaitGroup for stderr goroutine in MigrateDrive (H19)
- Add mutex to SetBackupRunningCheck (M18)

Security fixes:
- Validate Bearer token against Hub API key in CSRF middleware (H16)
- Validate backup paths start with expected prefix in RemoveStack (M12)
- Guard uuid[:8] slice with length check (H20)
- Parse fstab fields exactly for mount target matching (H21)

Bug fixes:
- Use decrypted env vars for compose deploy (C01)
- Log decrypt failures in DecryptMap instead of swallowing (C02)
- Move Deployed=false inside lock in runComposeDeploy (C03)
- Fix activeDrives() to skip disconnected drives (H02)
- Fix Snapshot() stderr extraction from exec.ExitError (H01)
- Check unlockCmd.Run() error in restic (H01)
- Buffer template rendering via bytes.Buffer (H07)
- Thread context.Context through cloudflare client (H10)
- Fix leaf-name collision detection in cross-drive backup (H15)
- Add nil check for crossDriveRunner (H17)
- Use strings.TrimSpace instead of slice on command output (H18)
- Make SaveAppConfig atomic with write-to-tmp+rename (H04)
- Pass encKey on deploy failure SaveAppConfig (H05)
- Fix IPv6 address format in TCP health probe

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 13:39:45 +01:00
parent 2ad743b66f
commit 8b8c04a487
23 changed files with 248 additions and 83 deletions
+11 -11
@@ -76,7 +76,7 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
zoneID := geo.ZoneID
if zoneID == "" {
var err error
zoneID, err = g.client.GetZoneID(g.domain)
zoneID, err = g.client.GetZoneID(ctx, g.domain)
if err != nil {
g.saveError(zoneID, "", err.Error())
return fmt.Errorf("resolve zone: %w", err)
@@ -87,13 +87,13 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
rulesetID := geo.RulesetID
if rulesetID == "" {
var err error
rulesetID, err = g.client.GetCustomRulesetID(zoneID)
rulesetID, err = g.client.GetCustomRulesetID(ctx, zoneID)
if err != nil {
g.saveError(zoneID, "", err.Error())
return fmt.Errorf("get ruleset: %w", err)
}
if rulesetID == "" {
rulesetID, err = g.client.CreateCustomRuleset(zoneID)
rulesetID, err = g.client.CreateCustomRuleset(ctx, zoneID)
if err != nil {
g.saveError(zoneID, "", err.Error())
return fmt.Errorf("create ruleset: %w", err)
@@ -102,7 +102,7 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
}
// 3. List existing felhom-managed rules
existing, err := g.client.GetFelhomRules(zoneID, rulesetID)
existing, err := g.client.GetFelhomRules(ctx, zoneID, rulesetID)
if err != nil {
g.saveError(zoneID, rulesetID, err.Error())
return fmt.Errorf("list existing rules: %w", err)
@@ -112,7 +112,7 @@ func (g *GeoSyncManager) Sync(ctx context.Context) error {
desired := g.buildDesiredRules(geo)
// 5. Diff and apply
if err := g.applyDiff(zoneID, rulesetID, existing, desired); err != nil {
if err := g.applyDiff(ctx, zoneID, rulesetID, existing, desired); err != nil {
g.saveError(zoneID, rulesetID, err.Error())
return fmt.Errorf("apply diff: %w", err)
}
@@ -138,14 +138,14 @@ func (g *GeoSyncManager) deleteAllRules(ctx context.Context, geo *settings.GeoRe
return nil
}
existing, err := g.client.GetFelhomRules(zoneID, rulesetID)
existing, err := g.client.GetFelhomRules(ctx, zoneID, rulesetID)
if err != nil {
g.logger.Printf("[GEO] Warning: could not list rules for cleanup: %v", err)
return nil
}
for _, r := range existing {
if err := g.client.DeleteRule(zoneID, rulesetID, r.ID); err != nil {
if err := g.client.DeleteRule(ctx, zoneID, rulesetID, r.ID); err != nil {
g.logger.Printf("[GEO] Warning: could not delete rule %s: %v", r.ID, err)
}
}
@@ -202,7 +202,7 @@ func (g *GeoSyncManager) buildDesiredRules(geo *settings.GeoRestriction) []desir
}
// applyDiff applies the difference between existing and desired rules.
func (g *GeoSyncManager) applyDiff(zoneID, rulesetID string, existing []GeoRule, desired []desiredRule) error {
func (g *GeoSyncManager) applyDiff(ctx context.Context, zoneID, rulesetID string, existing []GeoRule, desired []desiredRule) error {
// Index existing by description
existingByDesc := make(map[string]GeoRule)
for _, r := range existing {
@@ -221,14 +221,14 @@ func (g *GeoSyncManager) applyDiff(zoneID, rulesetID string, existing []GeoRule,
// Rule exists — check if expression changed
if ex.Expression != d.expression {
r := newBlockRule(d.description, d.expression)
if err := g.client.UpdateRule(zoneID, rulesetID, ex.ID, r); err != nil {
if err := g.client.UpdateRule(ctx, zoneID, rulesetID, ex.ID, r); err != nil {
return fmt.Errorf("update rule %q: %w", d.description, err)
}
}
} else {
// New rule — create
r := newBlockRule(d.description, d.expression)
if _, err := g.client.CreateRule(zoneID, rulesetID, r); err != nil {
if _, err := g.client.CreateRule(ctx, zoneID, rulesetID, r); err != nil {
return fmt.Errorf("create rule %q: %w", d.description, err)
}
}
@@ -237,7 +237,7 @@ func (g *GeoSyncManager) applyDiff(zoneID, rulesetID string, existing []GeoRule,
// Delete rules that are no longer desired
for _, ex := range existing {
if _, ok := desiredByDesc[ex.Description]; !ok {
if err := g.client.DeleteRule(zoneID, rulesetID, ex.ID); err != nil {
if err := g.client.DeleteRule(ctx, zoneID, rulesetID, ex.ID); err != nil {
return fmt.Errorf("delete rule %q: %w", ex.Description, err)
}
}
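Review bot: In deleteAllRules (the `@@ -138,14 +138,14 @@` hunk) the delete loop now passes `ctx` to `DeleteRule` but never checks it, so once the context is cancelled or times out every remaining call will presumably fail, each failure is only logged as a warning, and the one return visible in the hunk is `return nil`. The caller then cannot tell that felhom-managed block rules are still present in the ruleset, which leaves the enforced edge policy out of step with the stored settings. Consider stopping at the top of the loop with `if err := ctx.Err(); err != nil { return fmt.Errorf("geo cleanup interrupted: %w", err) }`, assuming the function returns an error as its `return nil` suggests. The function's signature and final return are outside the hunk, and whether the client applies its own request timeout when `ctx` carries no deadline is not visible here.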