Fix: Prevent version downgrades and centralize CDN configuration (#7383)

## Root Cause
Between Nov 25-26, a CDN redirect was added without curl's `-L` flag,
causing version cache corruption and automatic downgrades.

## Three Critical Bugs Fixed

### Bug #1: CheckForUpdatesJob could overwrite newer cached version
- Problem: CDN serving older version would overwrite local cache
- Solution: Smart version merge - keep max Coolify version, update other components
- Location: app/Jobs/CheckForUpdatesJob.php:33-52

### Bug #2: Manual updates bypassed downgrade protection
- Problem: Downgrade guard only applied to auto-updates
- Solution: Always block downgrades for both manual and auto-updates
- Location: app/Actions/Server/UpdateCoolify.php:65-75

### Bug #3: Updates used stale local cache
- Problem: Never validated cache against CDN at update time
- Solution: Fetch fresh CDN data before executing updates
- Location: app/Actions/Server/UpdateCoolify.php:34-49

## Additional Improvement: Centralized CDN Configuration

Added three new config keys for easy CDN management:
- `cdn_url` - Base CDN URL (default: https://cdn.coollabs.io)
- `versions_url` - Full versions.json URL
- `upgrade_script_url` - Full upgrade.sh URL

All configurable via environment variables:
```bash
CDN_URL=https://cdn.coolify.io
VERSIONS_URL=https://custom-cdn.example.com/versions.json
UPGRADE_SCRIPT_URL=https://custom-cdn.example.com/upgrade.sh
```

## Files Modified
- config/constants.php - CDN configuration
- app/Jobs/CheckForUpdatesJob.php - Smart version merge + centralized URL
- app/Actions/Server/UpdateCoolify.php - Downgrade protection + fresh fetch + centralized URLs
- app/Jobs/CheckHelperImageJob.php - Centralized URL
- bootstrap/helpers/shared.php - Centralized URL

## Testing
- ✅ All modified files pass Pint formatting
- ✅ 78 unit tests pass (2 pre-existing failures unrelated to changes)

## Impact
- No breaking changes - defaults to current CDN
- Easy CDN migration via environment variables
- Prevents all downgrade scenarios
- Maintains independent Sentinel/Helper/Traefik updates

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/Jobs/CheckForUpdatesJob.php

@@ -10,6 +10,7 @@ use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
 
 class CheckForUpdatesJob implements ShouldBeEncrypted, ShouldQueue
 {
@@ -22,20 +23,44 @@ class CheckForUpdatesJob implements ShouldBeEncrypted, ShouldQueue
                 return;
             }
             $settings = instanceSettings();
-            $response = Http::retry(3, 1000)->get('https://cdn.coollabs.io/coolify/versions.json');
+            $response = Http::retry(3, 1000)->get(config('constants.coolify.versions_url'));
             if ($response->successful()) {
                 $versions = $response->json();
 
                 $latest_version = data_get($versions, 'coolify.v4.version');
                 $current_version = config('constants.coolify.version');
 
+                // Read existing cached version
+                $existingVersions = null;
+                $existingCoolifyVersion = null;
+                if (File::exists(base_path('versions.json'))) {
+                    $existingVersions = json_decode(File::get(base_path('versions.json')), true);
+                    $existingCoolifyVersion = data_get($existingVersions, 'coolify.v4.version');
+                }
+
+                // Detect CDN serving older Coolify version
+                if ($existingCoolifyVersion && version_compare($latest_version, $existingCoolifyVersion, '<')) {
+                    Log::warning('CDN served older Coolify version', [
+                        'cdn_version' => $latest_version,
+                        'cached_version' => $existingCoolifyVersion,
+                        'current_version' => $current_version,
+                    ]);
+
+                    // Keep the NEWER Coolify version from cache, but update other components
+                    $versions['coolify']['v4']['version'] = $existingCoolifyVersion;
+                    $latest_version = $existingCoolifyVersion;
+                }
+
+                // ALWAYS write versions.json (for Sentinel, Helper, Traefik updates)
+                File::put(base_path('versions.json'), json_encode($versions, JSON_PRETTY_PRINT));
+
+                // Invalidate cache to ensure fresh data is loaded
+                invalidate_versions_cache();
+
+                // Only mark new version available if Coolify version actually increased
                 if (version_compare($latest_version, $current_version, '>')) {
                     // New version available
                     $settings->update(['new_version_available' => true]);
-                    File::put(base_path('versions.json'), json_encode($versions, JSON_PRETTY_PRINT));
-
-                    // Invalidate cache to ensure fresh data is loaded
-                    invalidate_versions_cache();
                 } else {
                     $settings->update(['new_version_available' => false]);
                 }