fix: deep bug hunt II — concurrency, security & optimization (25 files)

Critical: watchdog mutex panic safety, SetGeoAppOverride nil guard,
SSD-only app DB restore fallback.

High: double deploy race (atomic Deploying flag), delete/remove during
deploy guard, ScanStacks overwrite protection, FileBrowser mount mutex,
PushEvent history, PushOnce error handling, DB dump sync+close before
rename, restic retry fresh context, encrypt failure logging, cross-backup
path traversal validation, deepCopyStack completeness.

Security: constant-time API key comparison, login rate limiting (5/min),
git credential masking in logs, storage path prefix traversal fix.

Concurrency: MigrateEncryption lock ordering, SubdomainInUse I/O outside
lock, scheduler late-registered jobs, SQLite WAL verification, metrics
shutdown context, telemetry scan error logging, asset sync lock scope.

Optimization: streaming file copy for DB dumps, restic stats dedup,
atomic infra config copy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/monitor/watchdog.go

@@ -232,9 +232,14 @@ func (w *StorageWatchdog) handleConnectedProbe(sp settings.StoragePath, state *p
 		sp.Path, state.consecutiveFailures, probeThreshold, result.Err)
 
 	if state.consecutiveFailures >= probeThreshold {
-		state.mu.Unlock()
-		w.handleDisconnect(sp, state, result)
-		state.mu.Lock() // re-acquire for deferred Unlock
+		// Release state.mu before calling handleDisconnect (which re-acquires it
+		// internally). Re-acquire afterwards so the deferred Unlock stays balanced.
+		// Wrap in a func to guarantee re-lock even if handleDisconnect panics.
+		func() {
+			state.mu.Unlock()
+			defer state.mu.Lock()
+			w.handleDisconnect(sp, state, result)
+		}()
 	}
 }