diff --git a/TASK.md b/TASK.md
index 746c7ba..6e31a38 100644
--- a/TASK.md
+++ b/TASK.md
@@ -1,855 +1,843 @@
-# TASK: CSRF Protection on POST Endpoints
+# TASK: Storage Namespace (`felhom-data/`) + Test Node Wipe Script (v0.26.0)
 
-**Controller:** v0.22.3 → v0.23.0
-**Hub:** v0.3.7 → v0.3.8
+**Controller:** v0.25.0 → v0.26.0
 
 ## Overview
 
-Add CSRF (Cross-Site Request Forgery) protection to all browser-facing POST endpoints in both the controller and the hub. Currently, any page on the internet can craft a form that POSTs to the controller/hub if the user has a valid session cookie — no origin verification exists.
+All felhom-managed data on external drives moves under a `felhom-data/` subdirectory, cleanly separating our data from user files. Plus a wipe script for repeatable testing.
 
-**Approach: Synchronizer Token Pattern** (per-session CSRF token stored server-side, embedded in forms, validated on POST). This matches the existing setup wizard implementation in `controller/internal/setup/csrf.go` but is more secure: tokens are tied to server-side sessions rather than using the double-submit cookie pattern.
-
-**Key principle:** Bearer-token-authenticated API endpoints (selfupdate, config/apply) do NOT need CSRF protection — browsers never auto-send `Authorization` headers. Only cookie/session-authenticated POST endpoints need protection.
+**Key design principle:** `HDD_PATH` env var stays as the mount point (e.g., `/mnt/hdd_1`). The `felhom-data` segment is embedded in path helpers and compose templates, not in `HDD_PATH`.
 
 ---
 
-## Security Audit Summary
+## Phase 1: Path Helpers (`internal/backup/paths.go`)
 
-### Controller (current state)
+This is the foundation. All other changes depend on this.
 
-| Item | Status | Notes |
-|------|--------|-------|
-| Session cookie HttpOnly | OK | `HttpOnly: true` |
-| Session cookie SameSite | PARTIAL | `SameSite=Lax` (good defense-in-depth but not sufficient alone) |
-| Session cookie Secure | OK | Set when TLS detected |
-| Random session tokens | OK | 64-char hex (32 bytes) |
-| CSRF on web form POSTs | MISSING | **None — vulnerable** |
-| CSRF on JS-driven API POSTs | MISSING | **None — vulnerable** |
-| Bearer-only endpoints exempt | n/a | selfupdate + config endpoints accept Bearer OR session |
+### File: `controller/internal/backup/paths.go`
 
-### Hub (current state — MORE CRITICAL)
+**Add constant at top of file (after imports):**
+```go
+// FelhomDataDir is the namespace directory on storage drives for all felhom-managed data.
+const FelhomDataDir = "felhom-data"
+```
 
-| Item | Status | Notes |
-|------|--------|-------|
-| Session cookie HttpOnly | OK | `HttpOnly: true` |
-| Session cookie SameSite | MISSING | **Not set** (browser default = Lax in modern browsers, but should be explicit) |
-| Session cookie Secure | MISSING | **Not set** |
-| Random session tokens | MISSING | **Cookie value is literal string `"authenticated"`** — any cookie injection = full session |
-| CSRF on web form POSTs | MISSING | **None — vulnerable** |
-| CSRF on JS-driven POSTs | MISSING | **None — vulnerable** |
+**Update 8 functions** to include `FelhomDataDir` in the path. Each function gets `FelhomDataDir` inserted between `drivePath` and the next segment:
 
-**Hub session model is fundamentally weak:** The `hub_session=authenticated` cookie contains no randomness. This means:
-1. Any XSS or subdomain-based cookie injection can forge a session
-2. There is no way to invalidate individual sessions
-3. Combined with no CSRF = highly vulnerable
+| Function | Current first segment | New first segment |
+|----------|----------------------|-------------------|
+| `PrimaryBackupPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `PrimaryResticRepoPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `AppDBDumpPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `SecondaryBackupPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `AppSecondaryRsyncPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `SecondaryResticRepoPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `SecondaryInfraPath` | `"backups"` | `FelhomDataDir, "backups"` |
+| `AppDataDir` | `"appdata"` | `FelhomDataDir, "appdata"` |
 
-This task fixes both the CSRF gap AND the hub session model.
+**DO NOT change `InfraBackupDir`** — it stays at drive root (DR scanner needs it).
+
+Example transformation for each function — replace:
+```go
+return filepath.Join(drivePath, "backups", "primary")
+```
+with:
+```go
+return filepath.Join(drivePath, FelhomDataDir, "backups", "primary")
+```
+
+And for `AppDataDir` replace:
+```go
+return filepath.Join(drivePath, "appdata", stackName)
+```
+with:
+```go
+return filepath.Join(drivePath, FelhomDataDir, "appdata", stackName)
+```
 
 ---
 
-## Part 1: Controller CSRF (v0.23.0)
+## Phase 2: Fix Hardcoded Paths
 
-### Endpoint Map: All State-Changing (POST/DELETE) Endpoints
+### 2a. `controller/internal/stacks/delete.go` — `ProtectedHDDPaths()`
 
-#### Web Form POSTs (need CSRF token in hidden field)
-
-| # | Method | Path | Handler | Auth |
-|---|--------|------|---------|------|
-| 1 | POST | `/settings/password` | `handlePasswordChange` | Session |
-| 2 | POST | `/settings/notifications` | `handleNotificationSettings` | Session |
-| 3 | POST | `/settings/notifications/test` | `handleTestNotification` | Session |
-| 4 | POST | `/settings/storage/add` | `handleStorageAdd` | Session |
-| 5 | POST | `/settings/storage/remove` | `handleStorageRemove` | Session |
-| 6 | POST | `/settings/storage/default` | `handleStorageDefault` | Session |
-| 7 | POST | `/settings/storage/schedulable` | `handleStorageSchedulable` | Session |
-| 8 | POST | `/settings/storage/label` | `handleStorageLabel` | Session |
-| 9 | POST | `/settings/cross-backup/{name}` | `handleCrossBackupSave` | Session |
-| 10 | POST | `/backup/restore` | `handleRestore` | Session |
-
-#### JSON API POSTs called via `fetch()` from UI pages (need X-CSRF-Token header)
-
-| # | Method | Path | Handler | Notes |
-|---|--------|------|---------|-------|
-| 11 | POST | `/api/stacks/{name}/deploy` | `handleDeploy` | Deploy page JS |
-| 12 | POST | `/api/stacks/{name}/start` | `handleStart` | Dashboard buttons |
-| 13 | POST | `/api/stacks/{name}/stop` | `handleStop` | Dashboard buttons |
-| 14 | POST | `/api/stacks/{name}/restart` | `handleRestart` | Dashboard buttons |
-| 15 | POST | `/api/stacks/{name}/update` | `handleUpdate` | Dashboard buttons |
-| 16 | POST | `/api/stacks/{name}/optional-config` | `handleOptionalConfig` | App info page |
-| 17 | POST | `/api/stacks/{name}/remove` | `handleRemove` | Remove modal |
-| 18 | DELETE | `/api/stacks/{name}` | `handleDelete` | Delete modal |
-| 19 | POST | `/api/stacks/{name}/cross-backup` | `handleCrossBackupAPI` | Deploy page |
-| 20 | POST | `/api/stacks/{name}/cross-backup/run` | `handleCrossBackupRun` | Backup page |
-| 21 | POST | `/api/sync` | `handleSync` | Dashboard button |
-| 22 | POST | `/api/backup/run` | `handleBackupRun` | Backup page |
-| 23 | POST | `/api/backup/cross-drive/run-all` | `handleCrossDriveRunAll` | Backup page |
-| 24 | POST | `/api/stacks/rescan` | `handleRescan` | Internal |
-| 25 | POST | `/api/storage/scan` | `handleStorageScan` | Init wizard |
-| 26 | POST | `/api/storage/init` | `handleStorageInit` | Init wizard |
-| 27 | POST | `/api/storage/attach/mount-raw` | `handleAttachMountRaw` | Attach wizard |
-| 28 | POST | `/api/storage/attach/mkdir` | `handleAttachMkdir` | Attach wizard |
-| 29 | POST | `/api/storage/attach` | `handleAttachFinalize` | Attach wizard |
-| 30 | POST | `/api/storage/attach/cancel` | `handleAttachCancel` | Attach wizard |
-| 31 | POST | `/api/storage/migrate` | `handleMigrate` | Migration page |
-| 32 | POST | `/api/storage/stale-cleanup` | `handleStaleCleanup` | Deploy page |
-| 33 | POST | `/api/storage/disconnect` | `handleDisconnect` | Settings |
-| 34 | POST | `/api/storage/reconnect` | `handleReconnect` | Settings |
-| 35 | POST | `/api/storage/restart-apps` | `handleRestartApps` | Settings |
-| 36 | POST | `/api/storage/migrate-drive` | `handleMigrateDrive` | Drive migration |
-| 37 | POST | `/api/storage/decommission/remove` | `handleDecommissionRemove` | Settings |
-| 38 | POST | `/api/assets/sync` | `handleAssetSync` | Internal |
-| 39 | POST | `/api/restore/all` | `handleRestoreAll` | DR page |
-| 40 | POST | `/api/restore/skip` | `handleRestoreSkip` | DR page |
-
-#### Bearer-token API POSTs (CSRF EXEMPT — not browser-initiated)
-
-| # | Method | Path | Notes |
-|---|--------|------|-------|
-| — | POST | `/api/selfupdate/check` | Accepts Bearer token (hub/scripts) |
-| — | POST | `/api/selfupdate/update` | Accepts Bearer token (hub/scripts) |
-| — | POST | `/api/config/apply` | Accepts Bearer token (hub push) |
-
-These three endpoints accept **both** session auth and Bearer auth. When accessed with a Bearer token, CSRF is not needed. When accessed via session cookie from the UI, they should require CSRF. The middleware handles this: if `Authorization: Bearer` header is present and valid, skip CSRF check.
-
-#### GET-only / No-auth endpoints (no CSRF needed)
-
-| Method | Path | Notes |
-|--------|------|-------|
-| GET | `/api/health` | No auth, read-only |
-| GET | `/api/stacks`, `/api/stacks/{name}`, etc. | Read-only |
-| GET | `/api/backup/status`, `/api/backup/snapshots` | Read-only |
-| GET | `/api/metrics/*`, `/api/system/info` | Read-only |
-| GET | `/api/storage/*` (browse, status) | Read-only |
-| GET | `/api/selfupdate/status` | Read-only |
-| GET | `/api/config`, `/api/config/hash` | Read-only |
-| GET | `/api/assets/status` | Read-only |
-
----
-
-### 1.1 Add CSRF token to session struct
-
-**File: `controller/internal/web/auth.go`**
-
-Change the session struct to include a CSRF token:
+**Line 54-65.** Cannot import `backup` package (architectural boundary via `StackDataProvider`).
 
+Add local constant at top of file (after imports, before types):
 ```go
-type session struct {
-    expiresAt time.Time
-    csrfToken string
+// felhomDataDir matches backup.FelhomDataDir — duplicated to avoid circular import via StackDataProvider.
+const felhomDataDir = "felhom-data"
+```
+
+Update `ProtectedHDDPaths()`:
+```go
+func ProtectedHDDPaths(hddPath string) map[string]bool {
+	if hddPath == "" {
+		return nil
+	}
+	return map[string]bool{
+		hddPath:                                                true,
+		filepath.Join(hddPath, felhomDataDir):                  true,
+		filepath.Join(hddPath, felhomDataDir, "appdata"):       true,
+		filepath.Join(hddPath, felhomDataDir, "backups"):       true,
+		filepath.Join(hddPath, "media"):                        true,
+		filepath.Join(hddPath, "Dokumentumok"):                 true,
+	}
 }
 ```
 
-Update `createSession()` to generate a CSRF token alongside the session token:
+### 2b. `controller/internal/stacks/delete.go` — `GetStackBackupData()`
 
+**Line 355 and 359.** Replace hardcoded paths with the local constant:
+
+Replace:
 ```go
-func (s *Server) createSession() string {
-    b := make([]byte, 32)
-    _, _ = rand.Read(b)
-    token := hex.EncodeToString(b)
-
-    csrfB := make([]byte, 32)
-    _, _ = rand.Read(csrfB)
-    csrfToken := hex.EncodeToString(csrfB)
-
-    s.sessionsMu.Lock()
-    s.sessions[token] = &session{
-        expiresAt: time.Now().Add(sessionMaxAge),
-        csrfToken: csrfToken,
-    }
-    s.sessionsMu.Unlock()
-
-    return token
-}
+dbDumpPath := filepath.Join(drivePath, "backups", "primary", name, "db-dumps")
+```
+with:
+```go
+dbDumpPath := filepath.Join(drivePath, felhomDataDir, "backups", "primary", name, "db-dumps")
 ```
 
-Add a method to retrieve the CSRF token for a session:
-
+Replace:
 ```go
-// csrfTokenForSession returns the CSRF token for the given session cookie value.
-// Returns "" if the session is invalid or expired.
-func (s *Server) csrfTokenForSession(sessionToken string) string {
-    s.sessionsMu.RLock()
-    defer s.sessionsMu.RUnlock()
-    sess, ok := s.sessions[sessionToken]
-    if !ok || time.Now().After(sess.expiresAt) {
-        return ""
-    }
-    return sess.csrfToken
-}
+rsyncPath := filepath.Join(drivePath, "backups", "secondary", name, "rsync")
+```
+with:
+```go
+rsyncPath := filepath.Join(drivePath, felhomDataDir, "backups", "secondary", name, "rsync")
 ```
 
-### 1.2 Create CSRF middleware
-
-**File: `controller/internal/web/csrf.go`** (new file)
+### 2c. `controller/internal/storage/migrate_drive.go` — Conflict check & verify
 
+**Import `backup` package** (safe — `backup` does NOT import `storage`):
 ```go
-package web
+"gitea.dooplex.hu/admin/felhom-controller/internal/backup"
+```
 
-import (
-    "crypto/subtle"
-    "fmt"
-    "html/template"
-    "net/http"
-    "strings"
+**Line 183** — conflict check before migration. Replace:
+```go
+destAppData := filepath.Join(req.DestPath, "appdata", app.Name)
+```
+with:
+```go
+destAppData := backup.AppDataDir(req.DestPath, app.Name)
+```
+
+**Line 325** — verify after copy. Replace:
+```go
+destAppData := filepath.Join(req.DestPath, "appdata", app.Name)
+```
+with:
+```go
+destAppData := backup.AppDataDir(req.DestPath, app.Name)
+```
+
+### 2d. `controller/internal/storage/migrate_drive.go` — rsync exclude paths
+
+**CRITICAL BUG FIX.** Line 254-256. The rsync copies the entire drive root. The exclude patterns are relative paths. After namespace change, restic repos are under `felhom-data/backups/*/restic/`.
+
+Replace:
+```go
+rsyncCmd := exec.CommandContext(ctx, "rsync", "-a", "--info=progress2",
+    "--exclude=backups/primary/restic/",
+    "--exclude=backups/secondary/restic/",
+    req.SourcePath+"/", req.DestPath+"/",
+)
+```
+with:
+```go
+rsyncCmd := exec.CommandContext(ctx, "rsync", "-a", "--info=progress2",
+    "--exclude=felhom-data/backups/primary/restic/",
+    "--exclude=felhom-data/backups/secondary/restic/",
+    req.SourcePath+"/", req.DestPath+"/",
 )
-
-const csrfFormField = "_csrf"
-const csrfHeaderName = "X-CSRF-Token"
-
-// csrfProtect validates CSRF tokens on unsafe HTTP methods (POST, PUT, DELETE, PATCH).
-// Safe methods (GET, HEAD, OPTIONS) pass through — the token is made available
-// to templates via the Server.csrfToken() helper.
-//
-// Exempt: requests with a valid Authorization: Bearer header (API key auth).
-func (s *Server) csrfProtect(next http.Handler) http.Handler {
-    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-        // Safe methods: no CSRF check needed
-        switch r.Method {
-        case http.MethodGet, http.MethodHead, http.MethodOptions:
-            next.ServeHTTP(w, r)
-            return
-        }
-
-        // Skip CSRF if auth is disabled (no password set = open access)
-        if !s.authEnabled() {
-            next.ServeHTTP(w, r)
-            return
-        }
-
-        // Skip CSRF for Bearer-token authenticated requests.
-        // These endpoints also accept session auth, but when a Bearer token
-        // is present, the request is from a script/hub, not a browser.
-        if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
-            next.ServeHTTP(w, r)
-            return
-        }
-
-        // Get the session's CSRF token
-        cookie, err := r.Cookie(sessionCookieName)
-        if err != nil {
-            s.csrfReject(w, r, "no session")
-            return
-        }
-        expected := s.csrfTokenForSession(cookie.Value)
-        if expected == "" {
-            s.csrfReject(w, r, "invalid session")
-            return
-        }
-
-        // Check form field first, then header (for fetch/AJAX)
-        submitted := r.FormValue(csrfFormField)
-        if submitted == "" {
-            submitted = r.Header.Get(csrfHeaderName)
-        }
-
-        if submitted == "" || subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) != 1 {
-            s.csrfReject(w, r, "token mismatch")
-            return
-        }
-
-        next.ServeHTTP(w, r)
-    })
-}
-
-// csrfReject sends a 403 response. For API requests returns JSON, for web requests returns HTML.
-func (s *Server) csrfReject(w http.ResponseWriter, r *http.Request, reason string) {
-    s.logger.Printf("[WARN] CSRF rejected: %s %s from %s (%s)", r.Method, r.URL.Path, r.RemoteAddr, reason)
-    if strings.HasPrefix(r.URL.Path, "/api/") {
-        w.Header().Set("Content-Type", "application/json")
-        w.WriteHeader(http.StatusForbidden)
-        fmt.Fprint(w, `{"ok":false,"error":"CSRF token missing or invalid"}`)
-        return
-    }
-    http.Error(w, "CSRF token missing or invalid. Please reload the page and try again.", http.StatusForbidden)
-}
-
-// csrfToken returns the CSRF token for the current request's session.
-// Call from handlers to embed in templates or return to JS.
-func (s *Server) csrfToken(r *http.Request) string {
-    cookie, err := r.Cookie(sessionCookieName)
-    if err != nil {
-        return ""
-    }
-    return s.csrfTokenForSession(cookie.Value)
-}
-
-// csrfField returns an HTML hidden input for embedding in forms.
-func (s *Server) csrfField(r *http.Request) template.HTML {
-    token := s.csrfToken(r)
-    return template.HTML(`<input type="hidden" name="` + csrfFormField + `" value="` + template.HTMLEscapeString(token) + `">`)
-}
 ```
 
-### 1.3 Wire CSRF middleware into the server
+Use `backup.FelhomDataDir` constant in the string construction if preferred, but since these are string literals for rsync args, hardcoding `"felhom-data"` is acceptable.
 
-**File: `controller/internal/web/server.go`**
+### 2e. `controller/internal/storage/migrate_drive.go` — Size estimation
 
-The controller uses a custom router in `ServeHTTP`. The CSRF middleware must wrap the handler AFTER auth but protect all POST routes. Find where `RequireAuth` wraps the server's handler and add `csrfProtect` inside it.
+**BUG FIX.** Lines 196-208. This scans the drive root for size estimation. After namespace change, `entry.Name() == "backups"` never matches because backups are now under `felhom-data/`.
 
-In `server.go`, locate the HTTP server setup. The pattern is typically:
+Replace the size estimation block:
 ```go
-handler := s.RequireAuth(s)
-```
-
-Change to:
-```go
-handler := s.RequireAuth(s.csrfProtect(s))
-```
-
-This means: RequireAuth runs first (verifies session), then csrfProtect runs (verifies CSRF token on POST), then the actual handler runs.
-
-**Important:** Check the exact wiring in `server.go`. The auth middleware likely wraps the mux in `Start()` or `ListenAndServe()`. Find that location and insert `csrfProtect` between auth and handler. If the `RequireAuth` is applied in `main.go`, adjust there instead.
-
-### 1.4 Add CSRF token to all template data
-
-**File: `controller/internal/web/handlers.go`** (and `storage_handlers.go`, `handler_restore.go`)
-
-Every handler that renders an HTML page must include the CSRF token in its template data. The recommended approach:
-
-**Add `CSRFField` and `CSRFToken` to every template data map.** In each handler that renders a page, add these two fields:
-
-```go
-data["CSRFField"] = s.csrfField(r)
-data["CSRFToken"] = s.csrfToken(r)
-```
-
-Alternatively, create an `executeTemplate` wrapper method that auto-injects these:
-
-```go
-// executeTemplate renders a template with per-request CSRF data injected.
-func (s *Server) executeTemplate(w http.ResponseWriter, r *http.Request, name string, data map[string]interface{}) {
-    if data == nil {
-        data = make(map[string]interface{})
-    }
-    data["CSRFField"] = s.csrfField(r)
-    data["CSRFToken"] = s.csrfToken(r)
-    w.Header().Set("Content-Type", "text/html; charset=utf-8")
-    if err := s.tmpl.ExecuteTemplate(w, name, data); err != nil {
-        s.logger.Printf("[ERROR] Template error (%s): %v", name, err)
-        http.Error(w, "Internal error", http.StatusInternalServerError)
+// Estimate total size (exclude restic repos)
+var totalBytes int64
+entries, _ := os.ReadDir(req.SourcePath)
+for _, entry := range entries {
+    entryPath := filepath.Join(req.SourcePath, entry.Name())
+    if entry.IsDir() {
+        // Skip restic repos in size estimate
+        if entry.Name() == "backups" {
+            totalBytes += dirSizeExcluding(entryPath, "restic")
+        } else {
+            totalBytes += dirSize(entryPath)
+        }
     }
 }
 ```
 
-Then replace all `s.tmpl.ExecuteTemplate(w, "templateName", data)` calls with `s.executeTemplate(w, r, "templateName", data)`.
-
-**Handlers that render pages (all need CSRFField/CSRFToken):**
-- `handleDashboard` → dashboard template
-- `handleStacks` → stacks template (if separate from dashboard)
-- `handleDeploy` → deploy template
-- `handleBackups` → backups template
-- `handleMonitoring` → monitoring template
-- `handleSettings` → settings template
-- `handleAppInfo` → app_info template
-- `handleLogs` → logs template
-- `handleMigrate` → migrate template
-- `handleMigrateDrive` → migrate_drive template
-- `handleStorageInit` → init_disk template
-- `handleStorageAttach` → attach_disk template
-- `handleRestorePage` → restore template
-- `renderLogin` → login template (**no CSRF needed** — no session yet)
-
-### 1.5 Add hidden field to all HTML form templates
-
-**File: `controller/internal/web/templates/*.html`**
-
-For every `<form method="POST" ...>` in every template, add the CSRF hidden field right after the `<form>` tag:
-
-```html
-<form method="POST" action="/settings/password">
-    {{.CSRFField}}
-    <!-- existing form fields -->
-</form>
-```
-
-Templates to update (search for `method="POST"` or `method="post"` in all template files):
-
-| # | Template | Form action(s) |
-|---|----------|----------------|
-| 1 | `settings.html` | `/settings/password`, `/settings/notifications`, `/settings/notifications/test`, `/settings/storage/add`, `/settings/storage/remove`, `/settings/storage/default`, `/settings/storage/schedulable`, `/settings/storage/label` |
-| 2 | `deploy.html` | Cross-backup form (if any form POST exists) |
-| 3 | `backups.html` | `/backup/restore` form, cross-backup save forms |
-| 4 | `init_disk.html` | Storage init wizard (if form-based) |
-| 5 | `attach_disk.html` | Attach wizard (if form-based) |
-| 6 | `restore.html` | DR restore (if form-based) |
-
-**Note:** Many operations on these pages use JavaScript `fetch()` instead of HTML form submissions. For those, see section 1.6.
-
-### 1.6 Add CSRF token to JavaScript fetch() calls
-
-For all JavaScript code that makes POST/DELETE requests via `fetch()`, include the CSRF token in the `X-CSRF-Token` header.
-
-**Step A: Embed the token in a meta tag in the base layout.**
-
-In the template that defines the `<head>` section (likely within `{{define "head"}}` or the shared HTML header), add:
-
-```html
-<meta name="csrf-token" content="{{.CSRFToken}}">
-```
-
-**Step B: Create a helper function in the shared JS.**
-
-At the top of the `<script>` block in the layout or in each template, add a reusable helper:
-
-```javascript
-function csrfHeaders() {
-    var el = document.querySelector('meta[name="csrf-token"]');
-    return el ? {'X-CSRF-Token': el.content} : {};
+with:
+```go
+// Estimate total size (exclude restic repos inside felhom-data/backups/)
+var totalBytes int64
+entries, _ := os.ReadDir(req.SourcePath)
+for _, entry := range entries {
+    if !entry.IsDir() {
+        continue
+    }
+    entryPath := filepath.Join(req.SourcePath, entry.Name())
+    if entry.Name() == backup.FelhomDataDir {
+        // Scan inside namespace dir, excluding restic repos from estimate
+        subEntries, _ := os.ReadDir(entryPath)
+        for _, sub := range subEntries {
+            if !sub.IsDir() {
+                continue
+            }
+            subPath := filepath.Join(entryPath, sub.Name())
+            if sub.Name() == "backups" {
+                totalBytes += dirSizeExcluding(subPath, "restic")
+            } else {
+                totalBytes += dirSize(subPath)
+            }
+        }
+    } else {
+        totalBytes += dirSize(entryPath)
+    }
 }
 ```
 
-**Step C: Update every `fetch()` call to include CSRF headers.**
+### 2f. `controller/internal/storage/migrate.go` — Post-migration DB dump copy
 
-Example — before:
-```javascript
-fetch('/api/stacks/' + name + '/start', {method: 'POST'})
+**Lines 397-398.** Add import for `backup` package (same import section as 2c — `storage` package can safely import `backup`).
+
+Replace:
+```go
+srcDBDumps := filepath.Join(req.CurrentHDDPath, "backups", "primary", req.StackName, "db-dumps")
+dstDBDumps := filepath.Join(req.TargetPath, "backups", "primary", req.StackName, "db-dumps")
+```
+with:
+```go
+srcDBDumps := backup.AppDBDumpPath(req.CurrentHDDPath, req.StackName)
+dstDBDumps := backup.AppDBDumpPath(req.TargetPath, req.StackName)
 ```
 
-After:
-```javascript
-fetch('/api/stacks/' + name + '/start', {method: 'POST', headers: csrfHeaders()})
+Add to the import block:
+```go
+"gitea.dooplex.hu/admin/felhom-controller/internal/backup"
 ```
 
-For fetch calls that already have headers (e.g., `Content-Type: application/json`), merge:
-```javascript
-fetch('/api/stacks/' + name + '/deploy', {
-    method: 'POST',
-    headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
-    body: JSON.stringify(data)
-})
+### 2g. `controller/internal/web/handlers.go` — Legacy "storage" path (pre-existing bug)
+
+**Line 1223.** Replace legacy dead code that uses `"storage"` instead of `"appdata"`.
+
+The `backup` package is already imported in `handlers.go`, so use the helper directly:
+
+Replace:
+```go
+appDataDir := filepath.Join(storagePath, "storage", stack.Name)
+```
+with:
+```go
+appDataDir := backup.AppDataDir(storagePath, stack.Name)
 ```
 
-**Comprehensive list of templates with fetch() POST calls to update:**
-
-Search all `.html` template files for `fetch(` with `method:` containing `POST` or `DELETE`:
-
-| Template | fetch() calls to update |
-|----------|------------------------|
-| `dashboard.html` | Stack start/stop/restart/update buttons |
-| `deploy.html` | Deploy, optional-config, cross-backup save/run, stale-cleanup |
-| `stacks.html` | (if any action buttons) |
-| `backups.html` | Backup run, cross-drive run-all, cross-backup run |
-| `settings.html` | Storage disconnect/reconnect/restart-apps, self-update check/update, storage label/schedulable (if AJAX) |
-| `init_disk.html` | Storage scan, init, poll status |
-| `attach_disk.html` | Mount-raw, mkdir, attach, cancel, poll status |
-| `migrate.html` | Migrate start, poll status |
-| `migrate_drive.html` | Drive migration start, poll status |
-| `app_info.html` | Optional config save |
-| `restore.html` | Restore all, skip |
-
-### 1.7 Files changed summary (Controller)
-
-| # | File | Action | Description |
-|---|------|--------|-------------|
-| 1 | `internal/web/auth.go` | Edit | Add `csrfToken` field to session struct, generate in `createSession()`, add `csrfTokenForSession()` |
-| 2 | `internal/web/csrf.go` | **New** | CSRF middleware, helpers (`csrfProtect`, `csrfReject`, `csrfToken`, `csrfField`) |
-| 3 | `internal/web/server.go` | Edit | Wire `csrfProtect` middleware after `RequireAuth`, optionally add `executeTemplate` wrapper |
-| 4 | `internal/web/handlers.go` | Edit | Pass CSRFField/CSRFToken to every page template render |
-| 5 | `internal/web/storage_handlers.go` | Edit | Pass CSRFField/CSRFToken to storage page renders |
-| 6 | `internal/web/handler_restore.go` | Edit | Pass CSRFField/CSRFToken to restore page render |
-| 7 | `internal/web/templates/settings.html` | Edit | Add `{{.CSRFField}}` to all `<form>` tags + CSRF meta tag + update JS |
-| 8 | `internal/web/templates/deploy.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 9 | `internal/web/templates/backups.html` | Edit | Add `{{.CSRFField}}` to restore form + CSRF meta tag + update JS |
-| 10 | `internal/web/templates/dashboard.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 11 | `internal/web/templates/init_disk.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 12 | `internal/web/templates/attach_disk.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 13 | `internal/web/templates/migrate.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 14 | `internal/web/templates/migrate_drive.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 15 | `internal/web/templates/app_info.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 16 | `internal/web/templates/restore.html` | Edit | CSRF meta tag + update JS fetch calls |
-| 17 | `internal/web/templates/monitoring.html` | Edit | CSRF meta tag (if any POST actions exist) |
-| 18 | `cmd/controller/main.go` | Edit | Bump Version to "0.23.0" |
+No import addition needed.
 
 ---
 
-## Part 2: Hub CSRF (v0.3.8)
+## Phase 3: Format & Attach — Create `felhom-data/` Directory
 
-### Endpoint Map: All State-Changing (POST) Endpoints
+### 3a. `controller/internal/storage/format_linux.go`
 
-#### Web Form/JS POSTs (need CSRF — session-authenticated)
+**Line 211.** Replace `"storage"` with `"felhom-data"` in the subdirectory creation list:
 
-| # | Method | Path | Handler | Type |
-|---|--------|------|---------|------|
-| 1 | POST | `/configs/new` | `handleConfigCreate` | Form submit |
-| 2 | POST | `/configs/{id}/edit` | `handleConfigUpdate` | Form submit |
-| 3 | POST | `/configs/{id}/delete` | `handleConfigDelete` | JS fetch |
-| 4 | POST | `/configs/{id}/regen-password` | `handleConfigRegenPassword` | JS fetch |
-| 5 | POST | `/customers/{id}/trigger-update` | `handleTriggerUpdate` | JS fetch |
-| 6 | POST | `/customers/{id}/block` | `handleBlockCustomer` | JS fetch |
-| 7 | POST | `/customers/{id}/unblock` | `handleUnblockCustomer` | JS fetch |
-| 8 | POST | `/customers/{id}/push-config` | `handlePushConfig` | JS fetch |
-| 9 | POST | `/customers/{id}/pull-config` | `handlePullConfig` | JS fetch |
-| 10 | POST | `/customers/{id}/create-config` | `handleCreateConfigFromReport` | JS fetch |
+Replace:
+```go
+for _, subdir := range []string{"storage", "Dokumentumok"} {
+```
+with:
+```go
+for _, subdir := range []string{"felhom-data", "Dokumentumok"} {
+```
 
-#### API POSTs (CSRF EXEMPT — Bearer-token authenticated, not browser-initiated)
+### 3b. `controller/internal/storage/attach_linux.go`
 
-| # | Method | Path | Notes |
-|---|--------|------|-------|
-| — | POST | `/api/v1/report` | Controller pushes report (Bearer) |
-| — | POST | `/api/v1/event` | Controller pushes event (Bearer) |
-| — | POST | `/api/v1/notify` | Legacy notification (Bearer) |
-| — | POST | `/api/v1/preferences` | Preference sync (Bearer) |
-| — | POST | `/api/v1/infra-backup` | Infra backup push (Bearer) |
+**Line 313.** Same change:
 
-These all live under `/api/v1/` and use Bearer token auth exclusively. The CSRF middleware should skip all paths starting with `/api/v1/`.
+Replace:
+```go
+for _, subdir := range []string{"storage", "Dokumentumok"} {
+```
+with:
+```go
+for _, subdir := range []string{"felhom-data", "Dokumentumok"} {
+```
 
 ---
 
-### 2.1 Fix hub session model (PREREQUISITE)
+## Phase 4: Verification Grep
 
-**File: `hub/internal/web/server.go`**
+After making all the above changes, run these greps to verify no hardcoded paths remain:
 
-The hub currently uses `hub_session=authenticated` as the cookie value — a literal string, not a random token. This must be fixed before CSRF can work (CSRF tokens must be tied to unpredictable sessions).
-
-**A) Add session storage to the Server struct:**
-
-```go
-type Server struct {
-    // ... existing fields ...
-    sessions   map[string]*hubSession
-    sessionsMu sync.RWMutex
-}
-
-type hubSession struct {
-    expiresAt time.Time
-    csrfToken string
-}
+```bash
+grep -rn '"appdata"' controller/internal/ --include='*.go' | grep -v '_test.go\|paths.go\|CLAUDE\|README'
+grep -rn '"backups"' controller/internal/ --include='*.go' | grep -v '_test.go\|paths.go\|CLAUDE\|README'
 ```
 
-Initialize in `New()`:
-```go
-sessions: make(map[string]*hubSession),
-```
+**Expected remaining hits** (all OK — not filesystem path construction):
+- `web/handlers.go` — `"backups"` as page name for template routing (display context)
+- `web/templates/layout.html` — navigation link text
+- `web/templates/backups.html` — template define name
+- Any template/HTML display contexts
 
-**B) Update `handleLogin` to create random session tokens:**
-
-```go
-func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
-    if r.Method == http.MethodPost {
-        password := r.FormValue("password")
-        if bcrypt.CompareHashAndPassword([]byte(s.passwordHash), []byte(password)) == nil {
-            // Generate random session token
-            b := make([]byte, 32)
-            _, _ = rand.Read(b)
-            sessionToken := hex.EncodeToString(b)
-
-            // Generate CSRF token
-            cb := make([]byte, 32)
-            _, _ = rand.Read(cb)
-            csrfToken := hex.EncodeToString(cb)
-
-            s.sessionsMu.Lock()
-            s.sessions[sessionToken] = &hubSession{
-                expiresAt: time.Now().Add(7 * 24 * time.Hour),
-                csrfToken: csrfToken,
-            }
-            s.sessionsMu.Unlock()
-
-            isSecure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
-            http.SetCookie(w, &http.Cookie{
-                Name:     "hub_session",
-                Value:    sessionToken,
-                Path:     "/",
-                HttpOnly: true,
-                SameSite: http.SameSiteLaxMode,
-                Secure:   isSecure,
-                MaxAge:   86400 * 7,
-            })
-            http.Redirect(w, r, "/", http.StatusSeeOther)
-            return
-        }
-        http.Error(w, "Invalid password", http.StatusUnauthorized)
-        return
-    }
-    // Render login page (keep existing minimal HTML or use template)
-    w.WriteHeader(http.StatusOK)
-    w.Write([]byte(`<html><body><form method="post"><input type="password" name="password"><button>Login</button></form></body></html>`))
-}
-```
-
-**C) Update `RequireAuth` to validate random tokens:**
-
-Replace the cookie check:
-```go
-// OLD:
-if cookie, err := r.Cookie("hub_session"); err == nil && cookie.Value == "authenticated" {
-
-// NEW:
-if cookie, err := r.Cookie("hub_session"); err == nil {
-    s.sessionsMu.RLock()
-    sess, ok := s.sessions[cookie.Value]
-    s.sessionsMu.RUnlock()
-    if ok && time.Now().Before(sess.expiresAt) {
-        next.ServeHTTP(w, r)
-        return
-    }
-}
-```
-
-**D) Add session cleanup goroutine** (start from `main.go`):
-
-```go
-func (s *Server) CleanupSessions(ctx context.Context) {
-    ticker := time.NewTicker(15 * time.Minute)
-    defer ticker.Stop()
-    for {
-        select {
-        case <-ctx.Done():
-            return
-        case <-ticker.C:
-            s.sessionsMu.Lock()
-            now := time.Now()
-            for t, sess := range s.sessions {
-                if now.After(sess.expiresAt) {
-                    delete(s.sessions, t)
-                }
-            }
-            s.sessionsMu.Unlock()
-        }
-    }
-}
-```
-
-Start it in `main.go`: `go webServer.CleanupSessions(ctx)`
-
-**E) Add imports** to `server.go`: `"crypto/rand"`, `"encoding/hex"`, `"sync"`
-
-### 2.2 Add CSRF validation to hub
-
-**File: `hub/internal/web/server.go`**
-
-The simplest approach for the hub is to add CSRF validation directly in `ServeHTTP` at the top, before the routing switch. This avoids middleware composition complexity:
-
-```go
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-    path := r.URL.Path
-
-    // CSRF protection for all POST/PUT/DELETE requests (web routes only)
-    if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
-        if path != "/login" && s.passwordHash != "" {
-            if !s.validateCSRF(r) {
-                s.logger.Printf("[WARN] CSRF rejected: %s %s from %s", r.Method, path, r.RemoteAddr)
-                http.Error(w, "CSRF token missing or invalid. Please reload the page.", http.StatusForbidden)
-                return
-            }
-        }
-    }
-
-    // ... existing switch/case routing ...
-}
-```
-
-Add a `validateCSRF` helper method:
-
-```go
-func (s *Server) validateCSRF(r *http.Request) bool {
-    // If no session cookie present, this is a Basic Auth or non-browser request — skip CSRF
-    cookie, err := r.Cookie("hub_session")
-    if err != nil {
-        return true  // No session cookie = not a browser CSRF attack
-    }
-
-    s.sessionsMu.RLock()
-    sess, ok := s.sessions[cookie.Value]
-    s.sessionsMu.RUnlock()
-    if !ok {
-        return false
-    }
-
-    submitted := r.FormValue("_csrf")
-    if submitted == "" {
-        submitted = r.Header.Get("X-CSRF-Token")
-    }
-    return submitted != "" && subtle.ConstantTimeCompare([]byte(submitted), []byte(sess.csrfToken)) == 1
-}
-```
-
-Add helper methods for templates:
-
-```go
-// csrfToken returns the CSRF token for the current session.
-func (s *Server) csrfToken(r *http.Request) string {
-    cookie, err := r.Cookie("hub_session")
-    if err != nil {
-        return ""
-    }
-    s.sessionsMu.RLock()
-    sess, ok := s.sessions[cookie.Value]
-    s.sessionsMu.RUnlock()
-    if !ok {
-        return ""
-    }
-    return sess.csrfToken
-}
-
-// csrfField returns an HTML hidden input for forms.
-func (s *Server) csrfField(r *http.Request) template.HTML {
-    tok := s.csrfToken(r)
-    return template.HTML(`<input type="hidden" name="_csrf" value="` + template.HTMLEscapeString(tok) + `">`)
-}
-```
-
-Add import: `"crypto/subtle"`
-
-### 2.3 Add CSRF token to hub templates
-
-**File: `hub/internal/web/templates/*.html`**
-
-**A) Config form (`config_form.html`)** — used for both create and edit:
-
-Add `{{.CSRFField}}` after each `<form>` opening tag.
-
-**B) Customer unified page (`customer_unified.html`)** — has JS fetch() for trigger-update, block, unblock, push-config, pull-config, create-config:
-
-Add CSRF meta tag in head:
-```html
-<meta name="csrf-token" content="{{.CSRFToken}}">
-```
-
-Update all `fetch()` calls to include `X-CSRF-Token` header. Add helper:
-```javascript
-function csrfHeaders() {
-    var el = document.querySelector('meta[name="csrf-token"]');
-    return el ? {'X-CSRF-Token': el.content} : {};
-}
-```
-
-**C) Configs list (`configs.html`)** — has delete button with JS fetch():
-
-Add CSRF meta tag + update delete/regen-password fetch calls.
-
-**D) Dashboard (`dashboard.html`)** — likely read-only, but check for any POST actions. Add meta tag if needed.
-
-**Templates to update:**
-
-| # | Template | Changes |
-|---|----------|---------|
-| 1 | `config_form.html` | Add `{{.CSRFField}}` inside `<form>` |
-| 2 | `customer_unified.html` | Add meta tag + update all fetch() POST calls |
-| 3 | `configs.html` | Add meta tag + update delete/regen-password fetch() calls |
-| 4 | `dashboard.html` | Check for POST actions, add meta tag if needed |
-
-**E) Update all handler functions** to pass `CSRFField` and `CSRFToken` in template data:
-
-For every handler that renders a template, add to the data struct/map:
-```go
-CSRFField: s.csrfField(r),
-CSRFToken: s.csrfToken(r),
-```
-
-Hub handlers that render templates:
-- `handleDashboard` — pass CSRFToken (if any POST actions on page)
-- `handleCustomerUnified` — pass CSRFField + CSRFToken
-- `handleConfigList` — pass CSRFToken
-- `handleConfigNewForm` — pass CSRFField + CSRFToken
-- `handleConfigEditForm` — pass CSRFField + CSRFToken
-
-### 2.4 Hub Basic Auth note
-
-The hub allows HTTP Basic Auth as an alternative to session cookies. The `validateCSRF` method above handles this correctly: if no session cookie is present (pure Basic Auth request), CSRF validation is skipped. This is safe because:
-
-1. Cross-site forms cannot inject Basic Auth headers
-2. Browser-cached Basic Auth is only auto-sent to the same origin
-3. The SameSite=Lax cookie prevents cross-site cookie-based attacks
-
-### 2.5 Files changed summary (Hub)
-
-| # | File | Action | Description |
-|---|------|--------|-------------|
-| 1 | `internal/web/server.go` | Edit | Add session map + mutex + hubSession struct, random session tokens, SameSite=Lax, Secure flag, session cleanup, CSRF validation in ServeHTTP, csrfToken/csrfField/validateCSRF helpers |
-| 2 | `internal/web/configs.go` | Edit | Pass CSRFField/CSRFToken to template data in all config handlers |
-| 3 | `internal/web/templates/config_form.html` | Edit | Add `{{.CSRFField}}` to form |
-| 4 | `internal/web/templates/customer_unified.html` | Edit | Add CSRF meta tag + update all JS fetch() calls |
-| 5 | `internal/web/templates/configs.html` | Edit | Add CSRF meta tag + update JS fetch() calls |
-| 6 | `internal/web/templates/dashboard.html` | Edit | Add CSRF meta tag (if any POST actions) |
-| 7 | `cmd/hub/main.go` | Edit | Start session cleanup goroutine |
+**Any remaining `filepath.Join(*, "appdata", *)` or `filepath.Join(*, "backups", *)` outside of `paths.go` is a BUG** — fix it.
 
 ---
 
-## Implementation Order
+## Phase 5: Verification of Auto-Propagating Changes
 
-1. **Controller first** (v0.23.0) — larger surface area, more endpoints to protect
-   1. `auth.go` — Add csrfToken to session struct
-   2. `csrf.go` — New file with CSRF middleware + helpers
-   3. `server.go` — Wire middleware, add executeTemplate or inject CSRFField/CSRFToken
-   4. `handlers.go` — Pass CSRF data to all page renders
-   5. `storage_handlers.go` — Pass CSRF data to storage page renders
-   6. `handler_restore.go` — Pass CSRF data to restore page render
-   7. Templates — Add `{{.CSRFField}}` to forms + meta tags + update JS
-   8. Test: attempt POST without token → 403, with token → success
+These components use path helpers and automatically get the namespace change from Phase 1:
 
-2. **Hub second** (v0.3.8) — fewer endpoints, session model fix is critical
-   1. `server.go` — Random session tokens, SameSite, Secure, cleanup
-   2. CSRF validation + helpers in server.go
-   3. `configs.go` — Pass CSRF data to template renders
-   4. Templates — Add hidden fields + meta tags + update JS
-   5. `main.go` — Start session cleanup goroutine
-   6. Test: attempt POST without token → 403, with token → success
+### 5a. `controller/internal/backup/crossdrive.go`
+
+The `syncInfraConfig()` method (line 504) uses `SecondaryInfraPath(dest)` — auto-updated.
+The `runRsyncBackup()` method (line 367) uses `AppSecondaryRsyncPath()` — auto-updated.
+The `copyStackDBDumps()` method (line 455) uses `AppDBDumpPath()` — auto-updated.
+
+**No changes needed.** Just verify by reading the file.
+
+### 5b. `controller/internal/backup/restore.go`
+
+Line 65: `AppDBDumpPath(drivePath, stackName)` — auto-updated.
+Line 84: `PrimaryResticRepoPath(drivePath)` — auto-updated.
+
+**No changes needed.**
+
+### 5c. `controller/internal/backup/backup.go`
+
+Multiple uses of `AppDataDir()`, `AppDBDumpPath()`, `PrimaryResticRepoPath()` — all auto-updated.
+
+**No changes needed.**
+
+---
+
+## Phase 6: Build & Verify
+
+```bash
+cd controller && go build ./... && go vet ./...
+```
+
+Must compile cleanly with no errors or warnings.
+
+---
+
+## Phase 7: Wipe Script
+
+### File: `controller/scripts/felhom-wipe.sh`
+
+Create the following script. It must be executable (`chmod +x`).
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===================================================================
+# felhom-wipe.sh — Clean felhom data from a test node
+# Usage: ./felhom-wipe.sh --level <soft|controller|full|nuclear> [--yes]
+# ===================================================================
+
+# --- Colors ---
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+CYAN='\033[0;36m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+# --- Defaults ---
+LEVEL=""
+DRY_RUN=true
+INCLUDE_PROTECTED=false
+
+# --- Configuration (auto-detected) ---
+CONTROLLER_YAML="/opt/docker/felhom-controller/controller.yaml"
+DATA_DIR="/opt/docker/felhom-controller/data"
+COMPOSE_DIR="/opt/docker/felhom-controller"
+STACKS_DIR="/opt/docker/stacks"
+SETTINGS_JSON="$DATA_DIR/settings.json"
+
+# --- Helpers ---
+die()  { echo -e "${RED}ERROR: $1${NC}" >&2; exit 1; }
+info() { echo -e "${GREEN}$1${NC}"; }
+warn() { echo -e "${YELLOW}$1${NC}"; }
+bold() { echo -e "${BOLD}$1${NC}"; }
+
+human_size() {
+    local path="$1"
+    if [ -e "$path" ]; then
+        du -sh "$path" 2>/dev/null | cut -f1 || echo "?"
+    else
+        echo "n/a"
+    fi
+}
+
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") --level <level> [--yes] [--include-protected]
+
+Levels:
+  soft        Controller state only (settings.json, metrics.db, session data)
+  controller  Soft + remove all app containers, volumes, stack dirs, app.yaml files
+  full        Controller + felhom-data/ on all drives (appdata, backups)
+  nuclear     Full + controller.yaml, controller container, Traefik, Portainer, all Docker data
+
+Options:
+  --yes                Execute the wipe (default: dry run)
+  --include-protected  Also remove protected stacks (controller level only)
+
+EOF
+    exit 1
+}
+
+# --- Parse Args ---
+parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --level)       LEVEL="$2"; shift 2 ;;
+            --yes)         DRY_RUN=false; shift ;;
+            --include-protected) INCLUDE_PROTECTED=true; shift ;;
+            -h|--help)     usage ;;
+            *)             die "Unknown argument: $1" ;;
+        esac
+    done
+
+    [[ -z "$LEVEL" ]] && usage
+    case "$LEVEL" in
+        soft|controller|full|nuclear) ;;
+        *) die "Invalid level: $LEVEL (must be soft|controller|full|nuclear)" ;;
+    esac
+}
+
+# --- Detect Paths ---
+detect_paths() {
+    # Auto-detect from controller.yaml if present
+    if [ -f "$CONTROLLER_YAML" ]; then
+        local sd
+        sd=$(grep -oP 'stacks_dir:\s*\K\S+' "$CONTROLLER_YAML" 2>/dev/null || true)
+        [ -n "$sd" ] && STACKS_DIR="$sd"
+        local dd
+        dd=$(grep -oP 'data_dir:\s*\K\S+' "$CONTROLLER_YAML" 2>/dev/null || true)
+        [ -n "$dd" ] && DATA_DIR="$dd" && SETTINGS_JSON="$dd/settings.json"
+    fi
+}
+
+# --- Detect Storage Paths ---
+declare -a STORAGE_PATHS=()
+
+detect_storage_paths() {
+    # From settings.json
+    if [ -f "$SETTINGS_JSON" ]; then
+        while IFS= read -r p; do
+            [ -n "$p" ] && STORAGE_PATHS+=("$p")
+        done < <(python3 -c "
+import json, sys
+try:
+    d = json.load(open('$SETTINGS_JSON'))
+    for sp in d.get('storage_paths', []):
+        print(sp.get('path', ''))
+except: pass
+" 2>/dev/null || true)
+    fi
+
+    # Also scan /mnt/* for felhom-data dirs not in registry
+    for d in /mnt/*/; do
+        [ -d "${d}felhom-data" ] || [ -d "${d}appdata" ] || continue
+        local already=false
+        for sp in "${STORAGE_PATHS[@]:-}"; do
+            [ "$sp" = "${d%/}" ] && already=true && break
+        done
+        $already || STORAGE_PATHS+=("${d%/}")
+    done
+}
+
+# --- List App Containers (non-infra) ---
+list_app_containers() {
+    docker ps -a --format '{{.Names}}' 2>/dev/null | grep -v -E '^(felhom-controller|traefik|cloudflared|portainer)$' || true
+}
+
+# --- List App Volumes (non-infra) ---
+list_app_volumes() {
+    docker volume ls -q 2>/dev/null | grep -v -E '^(portainer_data)$' || true
+}
+
+# --- Protected Stacks ---
+get_protected_stacks() {
+    if [ -f "$CONTROLLER_YAML" ]; then
+        grep -A 20 'protected_stacks:' "$CONTROLLER_YAML" 2>/dev/null | grep -oP '^\s*-\s*\K\S+' || true
+    fi
+}
+
+# --- Print Plan ---
+print_plan() {
+    echo ""
+    bold "=== Felhom Wipe — Level: $LEVEL ==="
+    echo ""
+
+    # State files
+    echo -e "${CYAN}Controller state:${NC}"
+    local state_files=("$DATA_DIR/settings.json" "$DATA_DIR/metrics.db" "$DATA_DIR/setup-state.json" "$DATA_DIR/update-state.json" "$DATA_DIR/session-data.json" "$DATA_DIR/snapshot-history.json")
+    for f in "${state_files[@]}"; do
+        if [ -f "$f" ]; then
+            echo -e "  ${YELLOW}DELETE${NC} $f ($(human_size "$f"))"
+        fi
+    done
+
+    if [[ "$LEVEL" == "controller" || "$LEVEL" == "full" || "$LEVEL" == "nuclear" ]]; then
+        echo ""
+        echo -e "${CYAN}Docker containers:${NC}"
+        local containers
+        containers=$(list_app_containers)
+        if [ -n "$containers" ]; then
+            echo "$containers" | while read -r c; do
+                echo -e "  ${YELLOW}REMOVE${NC} $c"
+            done
+        else
+            echo -e "  ${GREEN}(none)${NC}"
+        fi
+
+        echo ""
+        echo -e "${CYAN}Docker volumes:${NC}"
+        local volumes
+        volumes=$(list_app_volumes)
+        if [ -n "$volumes" ]; then
+            echo "$volumes" | while read -r v; do
+                echo -e "  ${YELLOW}REMOVE${NC} $v"
+            done
+        else
+            echo -e "  ${GREEN}(none)${NC}"
+        fi
+
+        echo ""
+        echo -e "${CYAN}Stack directories:${NC}"
+        if [ -d "$STACKS_DIR" ]; then
+            for sd in "$STACKS_DIR"/*/; do
+                [ -d "$sd" ] || continue
+                local stack_name
+                stack_name=$(basename "$sd")
+                local protected_stacks
+                protected_stacks=$(get_protected_stacks)
+                if echo "$protected_stacks" | grep -qx "$stack_name" && ! $INCLUDE_PROTECTED; then
+                    echo -e "  ${GREEN}KEEP${NC}   $sd (protected)"
+                else
+                    echo -e "  ${YELLOW}DELETE${NC} $sd"
+                fi
+            done
+        else
+            echo -e "  ${GREEN}(not found)${NC}"
+        fi
+    fi
+
+    if [[ "$LEVEL" == "full" || "$LEVEL" == "nuclear" ]]; then
+        echo ""
+        echo -e "${CYAN}Storage data:${NC}"
+        if [ ${#STORAGE_PATHS[@]} -gt 0 ]; then
+            for sp in "${STORAGE_PATHS[@]}"; do
+                if [ -d "$sp/felhom-data" ]; then
+                    echo -e "  ${YELLOW}DELETE${NC} $sp/felhom-data/ ($(human_size "$sp/felhom-data"))"
+                fi
+                # Old-style paths
+                if [ -d "$sp/appdata" ]; then
+                    echo -e "  ${YELLOW}DELETE${NC} $sp/appdata/ ($(human_size "$sp/appdata")) [old-style]"
+                fi
+                if [ -d "$sp/backups" ]; then
+                    echo -e "  ${YELLOW}DELETE${NC} $sp/backups/ ($(human_size "$sp/backups")) [old-style]"
+                fi
+            done
+        else
+            echo -e "  ${GREEN}(no storage paths found)${NC}"
+        fi
+    fi
+
+    if [[ "$LEVEL" == "nuclear" ]]; then
+        echo ""
+        echo -e "${RED}Nuclear:${NC}"
+        echo -e "  ${RED}DELETE${NC} controller.yaml"
+        echo -e "  ${RED}DELETE${NC} controller container + image"
+        echo -e "  ${RED}DELETE${NC} Traefik container"
+        echo -e "  ${RED}DELETE${NC} Cloudflared container"
+        echo -e "  ${RED}DELETE${NC} Portainer container + volume"
+        echo -e "  ${RED}DELETE${NC} .felhom-infra-backup/ (DR markers on all drives)"
+        echo -e "  ${RED}DELETE${NC} All Docker data (docker system prune -af --volumes)"
+    fi
+
+    echo ""
+    echo -e "${CYAN}Will preserve:${NC}"
+    echo -e "  ${GREEN}- OS and system files${NC}"
+    if [[ "$LEVEL" != "nuclear" ]]; then
+        echo -e "  ${GREEN}- Controller container (felhom-controller)${NC}"
+        echo -e "  ${GREEN}- Controller image${NC}"
+        echo -e "  ${GREEN}- Traefik, Cloudflare Tunnel${NC}"
+        echo -e "  ${GREEN}- controller.yaml${NC}"
+        echo -e "  ${GREEN}- .felhom-infra-backup/ (DR markers on drives)${NC}"
+    fi
+    if [[ "$LEVEL" != "full" && "$LEVEL" != "nuclear" ]]; then
+        echo -e "  ${GREEN}- Storage data on drives${NC}"
+    fi
+    echo -e "  ${GREEN}- User files (Dokumentumok, media, etc.)${NC}"
+    echo ""
+}
+
+# --- Wipe Functions ---
+
+do_soft_wipe() {
+    info "Soft wipe: removing controller state..."
+    local state_files=("$DATA_DIR/settings.json" "$DATA_DIR/metrics.db" "$DATA_DIR/setup-state.json" "$DATA_DIR/update-state.json" "$DATA_DIR/session-data.json" "$DATA_DIR/snapshot-history.json")
+    for f in "${state_files[@]}"; do
+        [ -f "$f" ] && rm -f "$f" && info "  Removed: $f"
+    done
+}
+
+do_controller_wipe() {
+    do_soft_wipe
+
+    info "Controller wipe: stopping and removing app containers..."
+
+    # Stop and remove app containers
+    local containers
+    containers=$(list_app_containers)
+    if [ -n "$containers" ]; then
+        echo "$containers" | while read -r c; do
+            docker rm -f "$c" 2>/dev/null && info "  Removed container: $c" || warn "  Failed to remove: $c"
+        done
+    fi
+
+    # Remove app volumes
+    info "Removing app volumes..."
+    local volumes
+    volumes=$(list_app_volumes)
+    if [ -n "$volumes" ]; then
+        echo "$volumes" | while read -r v; do
+            docker volume rm "$v" 2>/dev/null && info "  Removed volume: $v" || warn "  Failed to remove: $v"
+        done
+    fi
+
+    # Remove stack directories
+    info "Removing stack directories..."
+    if [ -d "$STACKS_DIR" ]; then
+        local protected_stacks
+        protected_stacks=$(get_protected_stacks)
+        for sd in "$STACKS_DIR"/*/; do
+            [ -d "$sd" ] || continue
+            local stack_name
+            stack_name=$(basename "$sd")
+            if echo "$protected_stacks" | grep -qx "$stack_name" && ! $INCLUDE_PROTECTED; then
+                warn "  Skipping protected stack: $stack_name"
+                continue
+            fi
+            rm -rf "$sd" && info "  Removed: $sd"
+        done
+    fi
+
+    # NOTE: No restart here — callers handle restart after all cleanup is done.
+}
+
+do_full_wipe() {
+    do_controller_wipe
+
+    info "Full wipe: removing storage data..."
+    for sp in "${STORAGE_PATHS[@]}"; do
+        # New-style namespace
+        if [ -d "$sp/felhom-data" ]; then
+            rm -rf "$sp/felhom-data" && info "  Removed: $sp/felhom-data/"
+        fi
+        # Old-style paths
+        if [ -d "$sp/appdata" ]; then
+            rm -rf "$sp/appdata" && info "  Removed: $sp/appdata/ [old-style]"
+        fi
+        if [ -d "$sp/backups" ]; then
+            rm -rf "$sp/backups" && info "  Removed: $sp/backups/ [old-style]"
+        fi
+    done
+
+    # Restart controller after all cleanup is done
+    info "Restarting controller..."
+    docker restart felhom-controller 2>/dev/null || warn "Could not restart controller"
+}
+
+do_nuclear_wipe() {
+    do_full_wipe
+
+    info "Nuclear wipe: removing all infrastructure..."
+
+    # Stop infrastructure containers
+    for c in felhom-controller traefik cloudflared portainer; do
+        docker rm -f "$c" 2>/dev/null && info "  Removed: $c" || true
+    done
+
+    # Remove controller.yaml
+    [ -f "$CONTROLLER_YAML" ] && rm -f "$CONTROLLER_YAML" && info "  Removed: controller.yaml"
+
+    # Remove DR markers (nuclear = brand-new machine simulation)
+    for sp in "${STORAGE_PATHS[@]}"; do
+        if [ -d "$sp/.felhom-infra-backup" ]; then
+            rm -rf "$sp/.felhom-infra-backup" && info "  Removed: $sp/.felhom-infra-backup/"
+        fi
+    done
+
+    # Remove all Docker data
+    warn "Pruning all Docker data..."
+    docker system prune -af --volumes 2>/dev/null || warn "Docker prune failed"
+
+    echo ""
+    info "Nuclear wipe complete."
+    echo -e "${CYAN}To redeploy, run:${NC}"
+    echo "  curl -fsSL https://gitea.dooplex.hu/admin/deploy-felhom-compose/raw/branch/main/scripts/docker-setup.sh | bash"
+}
+
+# --- Main ---
+main() {
+    # Must run as root
+    if [ "$(id -u)" -ne 0 ]; then
+        die "Must run as root (use sudo)"
+    fi
+
+    # Check Docker
+    if ! docker info >/dev/null 2>&1; then
+        die "Docker is not running"
+    fi
+
+    parse_args "$@"
+    detect_paths
+    detect_storage_paths
+    print_plan
+
+    if $DRY_RUN; then
+        warn "Dry run — nothing deleted. Use --yes to execute."
+        exit 0
+    fi
+
+    # Confirmation
+    echo -e "${RED}${BOLD}This will permanently delete the data listed above.${NC}"
+    read -rp "Type YES to confirm: " confirm
+    if [ "$confirm" != "YES" ]; then
+        echo "Aborted."
+        exit 1
+    fi
+
+    echo ""
+    case "$LEVEL" in
+        soft)       do_soft_wipe ;;
+        controller) do_controller_wipe
+                    info "Restarting controller..."
+                    docker restart felhom-controller 2>/dev/null || warn "Could not restart controller"
+                    ;;
+        full)       do_full_wipe ;;
+        nuclear)    do_nuclear_wipe ;;
+    esac
+
+    echo ""
+    info "Wipe complete (level: $LEVEL)."
+}
+
+main "$@"
+```
+
+---
+
+## Phase 8: Version Bump
+
+### File: `controller/cmd/controller/main.go`
+
+Find the `Version` constant and update:
+```go
+const Version = "0.26.0"
+```
+
+---
+
+## Phase 9: Documentation
+
+### 9a. CHANGELOG.md
+
+Read first 30 lines for format reference, then insert new entry at top of changelog:
+
+```markdown
+## v0.26.0 — 2026-02-XX
+
+### Changed
+- **Storage namespace**: All felhom-managed data on external drives now lives under `felhom-data/` subdirectory, cleanly separating from user files
+  - Path helpers (`paths.go`) updated: 8 functions now include `felhom-data` segment
+  - `InfraBackupDir()` unchanged — stays at drive root for DR scanner
+  - `ProtectedHDDPaths()` updated with namespace-aware paths
+  - Fixed hardcoded paths in `delete.go`, `migrate.go`, `migrate_drive.go`
+  - Format and attach wizards now create `felhom-data/` instead of legacy `storage/` subdirectory
+  - Fixed legacy `"storage"` path reference in `handlers.go` (was dead code)
+  - Drive migration rsync excludes updated for new path structure
+  - Drive migration size estimation updated for namespace directory
+
+### Added
+- `scripts/felhom-wipe.sh` — Test node cleanup script with 4 wipe levels (soft, controller, full, nuclear)
+- `backup.FelhomDataDir` constant for namespace directory name
+
+### Notes
+- Pre-v0.26.0 restic snapshots use old path structure without `felhom-data/`
+- App-catalog compose templates need separate update (see post-implementation task)
+- `HDD_PATH` env var value unchanged — still the mount point (e.g., `/mnt/hdd_1`)
+```
+
+### 9b. Controller README.md
+
+Update the "Storage Layout" section to show the new `felhom-data/` structure. Update path helper documentation. Add wipe script to scripts section. Add note about pre-v0.26.0 restic snapshot paths.
+
+---
+
+## Complete File Change List
+
+| # | File | Action | Phase |
+|---|------|--------|-------|
+| 1 | `internal/backup/paths.go` | Edit: add constant + update 8 functions | 1 |
+| 2 | `internal/stacks/delete.go` | Edit: add local constant + fix `ProtectedHDDPaths()` + fix `GetStackBackupData()` | 2a, 2b |
+| 3 | `internal/storage/migrate_drive.go` | Edit: add import + fix conflict check + fix verify + fix rsync excludes + fix size estimation | 2c, 2d, 2e |
+| 4 | `internal/storage/migrate.go` | Edit: add import + fix DB dump copy paths | 2f |
+| 5 | `internal/web/handlers.go` | Edit: fix legacy `"storage"` path | 2g |
+| 6 | `internal/storage/format_linux.go` | Edit: replace `"storage"` with `"felhom-data"` | 3a |
+| 7 | `internal/storage/attach_linux.go` | Edit: replace `"storage"` with `"felhom-data"` | 3b |
+| 8 | `scripts/felhom-wipe.sh` | **New file** | 7 |
+| 9 | `cmd/controller/main.go` | Edit: version bump | 8 |
+| 10 | `CHANGELOG.md` | Edit: add v0.26.0 entry | 9a |
+| 11 | `README.md` | Edit: update storage layout + paths + scripts sections | 9b |
 
 ---
 
 ## Testing Checklist
 
-### Controller
-
-- [ ] Login still works (no CSRF on login — no session yet)
-- [ ] All form submissions work with CSRF token (settings, notifications, storage, backup restore)
-- [ ] All JS-driven actions work (deploy, start/stop/restart, update, remove, delete, sync, backup, storage wizards, migration)
-- [ ] Bearer-token requests still work without CSRF (selfupdate, config/apply from hub)
-- [ ] Cross-site POST without token returns 403
-- [ ] Cross-site fetch() without X-CSRF-Token returns 403
-- [ ] After session expires and re-login, new CSRF token works
-- [ ] Open-access mode (no password) still works — CSRF skipped
-
-### Hub
-
-- [ ] Login creates random session token (not literal "authenticated")
-- [ ] Session cookie has SameSite=Lax + Secure (when TLS)
-- [ ] All form submissions work (config create/edit)
-- [ ] All JS-driven actions work (delete, regen-password, trigger-update, block/unblock, push/pull config)
-- [ ] API endpoints still work with Bearer token (report push, event push, etc.)
-- [ ] Cross-site POST without token returns 403
-- [ ] Session cleanup removes expired sessions
-- [ ] Basic Auth requests (no session cookie) bypass CSRF correctly
+1. `go build ./...` succeeds
+2. `go vet ./...` passes
+3. `grep -rn '"appdata"' controller/internal/ --include='*.go' | grep -v paths.go` — only display/template contexts
+4. `grep -rn '"backups"' controller/internal/ --include='*.go' | grep -v paths.go` — only display/template contexts
+5. Verify `felhom-wipe.sh` has correct bash syntax: `bash -n scripts/felhom-wipe.sh`
 
 ---
 
-## Build & Deploy
+## Post-Implementation: App Catalog Update (SEPARATE TASK)
 
-### Controller (v0.23.0)
-
-```bash
-SSH=/c/Windows/System32/OpenSSH/ssh.exe
-
-# 1. Commit and push
-cd /e/git/deploy-felhom-compose
-git add -A && git commit -m "feat: CSRF protection on all POST endpoints (v0.23.0)" && git push
-
-# 2. Build
-$SSH kisfenyo@192.168.0.180 "cd ~/build/felhom-controller && git -C ~/git/deploy-felhom-compose pull && ./build.sh v0.23.0 --push"
-
-# 3. Deploy
-$SSH kisfenyo@192.168.0.162 "cd /opt/docker/felhom-controller && sudo docker pull gitea.dooplex.hu/admin/felhom-controller:v0.23.0 && sudo sed -i 's|image: gitea.dooplex.hu/admin/felhom-controller:.*|image: gitea.dooplex.hu/admin/felhom-controller:v0.23.0|' docker-compose.yml && sudo docker compose up -d"
-
-# 4. Verify
-$SSH kisfenyo@192.168.0.162 "docker ps --filter name=felhom-controller --format '{{.Image}} {{.Status}}'"
+After this task, update `app-catalog-felhom.eu` compose templates:
+```
+${HDD_PATH}/appdata/  →  ${HDD_PATH}/felhom-data/appdata/
+${HDD_PATH}/backups/  →  ${HDD_PATH}/felhom-data/backups/
 ```
 
-### Hub (v0.3.8)
+Media paths (`${HDD_PATH}/media/`) stay at drive root (user data, not felhom-managed).
 
-```bash
-# 1. Commit and push
-cd /e/git/felhom.eu
-git add -A && git commit -m "feat: CSRF protection + random session tokens (v0.3.8)" && git push
+---
 
-# 2. Build
-$SSH kisfenyo@192.168.0.180 "cd ~/build/felhom-hub && git checkout -- hub/go.mod && git pull && cd ~/build/felhom-hub && ./build.sh v0.3.8 --push"
+## Important Reminders
 
-# 3. Deploy via ArgoCD — update manifests/hub.yaml image tag to v0.3.8, then:
-$SSH kisfenyo@192.168.0.180 "cd ~/git/felhom.eu && git pull && kubectl apply -f manifests/hub.yaml"
-
-# 4. Verify
-$SSH kisfenyo@192.168.0.180 "kubectl get pods -n felhom-system -l app=hub && kubectl logs -n felhom-system -l app=hub --tail 10"
-```
-
-**Deploy order:** Either order works. Both components are backward-compatible — CSRF tokens are only checked on the component's own forms/JS, not cross-component communication (which uses Bearer tokens).
+- `FelhomDataDir` = `"felhom-data"` (hyphen, not underscore)
+- `InfraBackupDir()` does NOT get namespace — stays at drive root
+- `stacks/delete.go` duplicates the constant (can't import `backup`)
+- `storage/migrate.go` and `storage/migrate_drive.go` CAN import `backup` (no cycle)
+- Wipe script handles BOTH old-style and new-style paths
+- `HDD_PATH` env var in app.yaml stays as mount point — does NOT include `felhom-data`