fix: deep bug hunt II — concurrency, security & optimization (25 files)

Critical: watchdog mutex panic safety, SetGeoAppOverride nil guard,
SSD-only app DB restore fallback.

High: double deploy race (atomic Deploying flag), delete/remove during
deploy guard, ScanStacks overwrite protection, FileBrowser mount mutex,
PushEvent history, PushOnce error handling, DB dump sync+close before
rename, restic retry fresh context, encrypt failure logging, cross-backup
path traversal validation, deepCopyStack completeness.

Security: constant-time API key comparison, login rate limiting (5/min),
git credential masking in logs, storage path prefix traversal fix.

Concurrency: MigrateEncryption lock ordering, SubdomainInUse I/O outside
lock, scheduler late-registered jobs, SQLite WAL verification, metrics
shutdown context, telemetry scan error logging, asset sync lock scope.

Optimization: streaming file copy for DB dumps, restic stats dedup,
atomic infra config copy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/settings/settings.go

@@ -873,9 +873,17 @@ func (s *Settings) SetGeoRestriction(geo *GeoRestriction) error {
 }
 
 // SetGeoAppOverride sets a per-app geo override. Creates the GeoRestriction if nil.
+// Pass override=nil to remove the override (same as RemoveGeoAppOverride).
 func (s *Settings) SetGeoAppOverride(appName string, override *AppGeoOverride) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	if override == nil {
+		// nil override = remove (fall back to global)
+		if s.GeoRestriction != nil && s.GeoRestriction.AppOverrides != nil {
+			delete(s.GeoRestriction.AppOverrides, appName)
+		}
+		return s.save()
+	}
 	if s.GeoRestriction == nil {
 		s.GeoRestriction = &GeoRestriction{AllowedCountries: []string{"HU"}}
 	}