fix: deploy error visibility, trap cleanup, variable quoting, frontend resilience

- S10: Add warnings to silent health check failures in deploy scripts
- S11: Add trap cleanup for temp dirs in deploy and tailscale scripts
- S12: Quote 20+ critical unquoted variables across deploy scripts
- S13: Extract hardcoded IPs to deploy-config-defaults.sh
- S15: Add --memory=256m to UI container runs
- F16: Remove in-memory JWT, use cookie-only auth in filebrowser client
- F17: Add meta tag fallback for CSRF token in RPC client
- F19: Track and clear setTimeout in AppSession on unmount

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/deploy-tailscale.sh

@@ -18,7 +18,10 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 TARGET_DIR="/home/archipelago/archy"
 
-# Load deploy config (gitignored)
+# Load deploy config defaults (IP addresses etc.)
+[ -f "$SCRIPT_DIR/deploy-config-defaults.sh" ] && . "$SCRIPT_DIR/deploy-config-defaults.sh"
+
+# Load deploy config (gitignored — overrides defaults)
 [ -f "$SCRIPT_DIR/deploy-config.sh" ] && . "$SCRIPT_DIR/deploy-config.sh"
 
 # Source pinned image versions (single source of truth)
@@ -26,14 +29,14 @@ TARGET_DIR="/home/archipelago/archy"
 
 SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"
 SSH_OPTS="-o StrictHostKeyChecking=no -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o ConnectTimeout=10 -i $SSH_KEY"
-BUILD_SOURCE="archipelago@192.168.1.228"
+BUILD_SOURCE="archipelago@${DEFAULT_PRIMARY:-192.168.1.228}"
 BUILD_DIR="/home/archipelago/archy"
 
 # Node registry
 TAILSCALE_NODES=(
-    "archipelago@100.82.97.63"
+    "archipelago@${TAILSCALE_ARCH1:-100.82.97.63}"
     "archipelago@archipelago-2.tail2b6225.ts.net"
-    "archipelago@100.124.105.113"
+    "archipelago@${TAILSCALE_ARCH3:-100.124.105.113}"
 )
 TAILSCALE_NAMES=("Arch 1" "Arch 2" "Arch 3")
 
@@ -49,6 +52,11 @@ ts() { echo "[$(date +%H:%M:%S)]"; }
 step_num=0
 step() { step_num=$((step_num + 1)); echo ""; echo "$(ts) ━━━ Step $step_num: $1"; }
 
+# Temp directory for intermediate files (cleaned up on exit)
+TMPDIR="/tmp/archipelago-deploy-$$"
+mkdir -p "$TMPDIR"
+trap 'rm -rf "$TMPDIR"' EXIT
+
 # ── Deploy a single node ─────────────────────────────────────────────────
 deploy_node() {
     local TARGET="$1"
@@ -232,7 +240,7 @@ deploy_node() {
     fi
     if [ -d "$SNIPPETS_DIR" ]; then
         for f in "$SNIPPETS_DIR"/*.conf; do
-            [ -f "$f" ] && scp $SSH_OPTS "$f" "$TARGET:/tmp/nginx-snippet-$(basename $f)" 2>/dev/null || true
+            [ -f "$f" ] && scp $SSH_OPTS "$f" "$TARGET:/tmp/nginx-snippet-$(basename "$f")" 2>/dev/null || true
         done
         ssh $SSH_OPTS "$TARGET" '
             for f in /tmp/nginx-snippet-*.conf; do
@@ -1050,7 +1058,7 @@ MANIFEST_EOF
     step "Post-deploy health check"
     HEALTH_OK=false
     for i in $(seq 1 12); do
-        HEALTH=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "http://$TARGET_IP/health" 2>/dev/null || echo "000")
+        HEALTH=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "http://$TARGET_IP/health" 2>/dev/null || { echo "WARNING: Post-deploy health check failed for $TARGET_IP" >&2; echo "000"; })
         if [ "$HEALTH" = "200" ]; then
             echo "   Health: OK (200) after $((i * 5))s"
             HEALTH_OK=true