feat: streamline S3 restore with single-step flow and improved UI consistency

Major architectural improvements:
- Merged download and restore into single atomic operation
- Eliminated separate S3DownloadFinished event (redundant)
- Files now transfer directly: S3 → helper container → server → database container
- Removed download progress tracking in favor of unified restore progress

UI/UX improvements:
- Unified restore method selection with visual cards
- Consistent "File Information" display between local and S3 restore
- Single slide-over for all restore operations (removed separate S3 download monitor)
- Better visual feedback with loading states

Security enhancements:
- Added isSafeTmpPath() helper for path traversal protection
- URL decode validation to catch encoded attacks
- Canonical path resolution to prevent symlink attacks
- Comprehensive path validation in all cleanup events

Cleanup improvements:
- S3RestoreJobFinished now handles all cleanup (helper container + all temp files)
- RestoreJobFinished uses new isSafeTmpPath() validation
- CoolifyTask dispatches cleanup events even on job failure
- All cleanup uses non-throwing commands (2>/dev/null || true)

Other improvements:
- S3 storage policy authorization on Show component
- Storage Form properly syncs is_usable state after test
- Removed debug code and improved error handling
- Better command organization and documentation

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

app/Events/RestoreJobFinished.php

@@ -17,17 +17,20 @@ class RestoreJobFinished
         $tmpPath = data_get($data, 'tmpPath');
         $container = data_get($data, 'container');
         $serverId = data_get($data, 'serverId');
-        if (filled($scriptPath) && filled($tmpPath) && filled($container) && filled($serverId)) {
-            if (str($tmpPath)->startsWith('/tmp/')
-                && str($scriptPath)->startsWith('/tmp/')
-                && ! str($tmpPath)->contains('..')
-                && ! str($scriptPath)->contains('..')
-                && strlen($tmpPath) > 5  // longer than just "/tmp/"
-                && strlen($scriptPath) > 5
-            ) {
-                $commands[] = "docker exec {$container} sh -c 'rm {$scriptPath}'";
-                $commands[] = "docker exec {$container} sh -c 'rm {$tmpPath}'";
-                instant_remote_process($commands, Server::find($serverId), throwError: true);
+
+        if (filled($container) && filled($serverId)) {
+            $commands = [];
+
+            if (isSafeTmpPath($scriptPath)) {
+                $commands[] = "docker exec {$container} sh -c 'rm {$scriptPath} 2>/dev/null || true'";
+            }
+
+            if (isSafeTmpPath($tmpPath)) {
+                $commands[] = "docker exec {$container} sh -c 'rm {$tmpPath} 2>/dev/null || true'";
+            }
+
+            if (! empty($commands)) {
+                instant_remote_process($commands, Server::find($serverId), throwError: false);
             }
         }
     }

app/Events/S3DownloadFinished.php

@@ -1,59 +0,0 @@
-<?php
-
-namespace App\Events;
-
-use App\Models\Server;
-use Illuminate\Broadcasting\InteractsWithSockets;
-use Illuminate\Broadcasting\PrivateChannel;
-use Illuminate\Contracts\Broadcasting\ShouldBroadcast;
-use Illuminate\Foundation\Events\Dispatchable;
-use Illuminate\Queue\SerializesModels;
-
-class S3DownloadFinished implements ShouldBroadcast
-{
-    use Dispatchable, InteractsWithSockets, SerializesModels;
-
-    public int|string|null $userId = null;
-
-    public ?string $downloadPath = null;
-
-    public function __construct($teamId, $data = null)
-    {
-        if (is_null($data)) {
-            return;
-        }
-
-        // Get userId from event data (the user who triggered the download)
-        $this->userId = data_get($data, 'userId');
-        $this->downloadPath = data_get($data, 'downloadPath');
-
-        $containerName = data_get($data, 'containerName');
-        $serverId = data_get($data, 'serverId');
-
-        if (filled($containerName) && filled($serverId)) {
-            // Clean up the MinIO client container
-            $commands = [];
-            $commands[] = "docker stop {$containerName} 2>/dev/null || true";
-            $commands[] = "docker rm {$containerName} 2>/dev/null || true";
-            instant_remote_process($commands, Server::find($serverId), throwError: false);
-        }
-    }
-
-    public function broadcastOn(): ?array
-    {
-        if (is_null($this->userId)) {
-            return [];
-        }
-
-        return [
-            new PrivateChannel("user.{$this->userId}"),
-        ];
-    }
-
-    public function broadcastWith(): array
-    {
-        return [
-            'downloadPath' => $this->downloadPath,
-        ];
-    }
-}

app/Events/S3RestoreJobFinished.php

@@ -13,37 +13,43 @@ class S3RestoreJobFinished
 
     public function __construct($data)
     {
+        $containerName = data_get($data, 'containerName');
+        $serverTmpPath = data_get($data, 'serverTmpPath');
         $scriptPath = data_get($data, 'scriptPath');
-        $tmpPath = data_get($data, 'tmpPath');
+        $containerTmpPath = data_get($data, 'containerTmpPath');
         $container = data_get($data, 'container');
         $serverId = data_get($data, 'serverId');
-        $s3DownloadedFile = data_get($data, 's3DownloadedFile');
 
-        // Clean up temporary files from container
-        if (filled($scriptPath) && filled($tmpPath) && filled($container) && filled($serverId)) {
-            if (str($tmpPath)->startsWith('/tmp/')
-                && str($scriptPath)->startsWith('/tmp/')
-                && ! str($tmpPath)->contains('..')
-                && ! str($scriptPath)->contains('..')
-                && strlen($tmpPath) > 5  // longer than just "/tmp/"
-                && strlen($scriptPath) > 5
-            ) {
-                $commands[] = "docker exec {$container} sh -c 'rm {$scriptPath}'";
-                $commands[] = "docker exec {$container} sh -c 'rm {$tmpPath}'";
-                instant_remote_process($commands, Server::find($serverId), throwError: true);
-            }
-        }
+        // Clean up helper container and temporary files
+        if (filled($serverId)) {
+            $commands = [];
 
-        // Clean up S3 downloaded file from server
-        if (filled($s3DownloadedFile) && filled($serverId)) {
-            if (str($s3DownloadedFile)->startsWith('/tmp/s3-restore-')
-                && ! str($s3DownloadedFile)->contains('..')
-                && strlen($s3DownloadedFile) > 16  // longer than just "/tmp/s3-restore-"
-            ) {
-                $commands = [];
-                $commands[] = "rm -f {$s3DownloadedFile}";
-                instant_remote_process($commands, Server::find($serverId), throwError: false);
+            // Stop and remove helper container
+            if (filled($containerName)) {
+                $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
             }
+
+            // Clean up downloaded file from server /tmp
+            if (isSafeTmpPath($serverTmpPath)) {
+                $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
+            }
+
+            // Clean up script from server
+            if (isSafeTmpPath($scriptPath)) {
+                $commands[] = "rm -f {$scriptPath} 2>/dev/null || true";
+            }
+
+            // Clean up files from database container
+            if (filled($container)) {
+                if (isSafeTmpPath($containerTmpPath)) {
+                    $commands[] = "docker exec {$container} rm -f {$containerTmpPath} 2>/dev/null || true";
+                }
+                if (isSafeTmpPath($scriptPath)) {
+                    $commands[] = "docker exec {$container} rm -f {$scriptPath} 2>/dev/null || true";
+                }
+            }
+
+            instant_remote_process($commands, Server::find($serverId), throwError: false);
         }
     }
 }