fix: improve robustness and security in database restore flows

- Add null checks for server instances in restore events to prevent errors
- Escape S3 credentials to prevent command injection vulnerabilities
- Fix file upload clearing custom location to prevent UI confusion
- Optimize isSafeTmpPath helper by avoiding redundant dirname calls
- Remove unnecessary --rm flag from long-running S3 restore container
- Prioritize uploaded files over custom location in import logic
- Add comprehensive unit tests for restore event null server handling

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Andras Bacsai
2025-11-17 14:13:10 +01:00
parent 94560ea6c7
commit fbdd8e5f03
8 changed files with 166 additions and 19 deletions


@@ -3247,10 +3247,12 @@ function isSafeTmpPath(?string $path): bool
$canonicalTmpPath = '/tmp';
}
// Calculate dirname once to avoid redundant calls
$dirPath = dirname($resolvedPath);
// If the directory exists, resolve it via realpath to catch symlink attacks
if (file_exists($resolvedPath) || is_dir(dirname($resolvedPath))) {
if (file_exists($resolvedPath) || is_dir($dirPath)) {
// For existing paths, resolve to absolute path to catch symlinks
$dirPath = dirname($resolvedPath);
if (is_dir($dirPath)) {
$realDir = realpath($dirPath);
if ($realDir === false) {
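Review bot: the symlink check in this hunk canonicalises only the parent directory, not the path itself. The new condition `if (file_exists($resolvedPath) || is_dir($dirPath))` accepts an existing `$resolvedPath`, but the visible lines then call `realpath($dirPath)` on `dirname($resolvedPath)` alone, so when `$resolvedPath` exists and its final component is a symlink, that link is not resolved here despite the comment "resolve it via realpath to catch symlink attacks". Unless the rest of the function covers that case, consider resolving with `realpath($resolvedPath)` when `file_exists($resolvedPath)` is true and comparing the result against `$canonicalTmpPath`. Separately, the inner `$dirPath = dirname($resolvedPath);` repeats the hoisted assignment above the `if`; the `+`/`-` markers are lost in this rendering, so if that line was kept rather than removed, the "calculate dirname once" change is incomplete.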