Permit single-quoted arguments in SHELL_SAFE_COMMAND_PATTERN while
keeping dangerous metacharacters blocked, and add security test cases
for quoted --entrypoint and --hostname values.
The "+" icon buttons next to "Projects" and "Servers" headings used
text-white without a dark: prefix, making them invisible on light
backgrounds. Changed to text-black dark:text-white so the icon is
visible in both themes.
Fixes#9454
Update helper to 1.0.13 and realtime to 1.0.12 in constants,
version manifests, and production/windows docker compose files,
including nightly variants.
Delete the enhancement bounty issue template and remove bounty references
from bug reports, PR template wording, CONTRIBUTING guidelines, and README
badges/sponsors to align contribution messaging.
Limit team cleanup to apps owned by the deleted team and nullify cross-team application source references before deleting team-owned sources. Adds feature tests covering user deletion with GitHub app-backed applications, preserving system-wide apps, and nullifying external source links.
The production Dockerfile already runs apk upgrade at build time.
The helper and realtime Dockerfiles were missing this step.
The helper (Alpine 3.21) ships with CVE-2025-15467 in OpenSSL 3.3.5.
The realtime (Alpine 3.18) has outdated OpenSSL 3.1.2 with HIGH CVEs.
Adding apk upgrade before apk add makes both images consistent
with the production Dockerfile.
Add `WithoutOverlapping` middleware to `DatabaseBackupJob` keyed by backup ID
with timeout-based lock expiry to prevent concurrent runs.
Mark long-running backup executions as failed when they exceed the stale
time threshold, and add periodic retention enforcement in
`CleanupInstanceStuffsJob` with cache-based throttling.
Also add float casts for retention max-storage fields on
`ScheduledDatabaseBackup` and comprehensive feature tests covering
overlap middleware, stale detection, casts, and retention behavior.
Using 'stub' as default would break existing installations that stored files
under the default tenantId 'storage-single-tenant' (pre-TENANT_ID era).
After upgrading, storage-api would look for files under 'stub/...' prefix
instead of 'storage-single-tenant/...', making all existing files inaccessible.
