fix: deploy error visibility, trap cleanup, variable quoting, frontend resilience

- S10: Add warnings to silent health check failures in deploy scripts
- S11: Add trap cleanup for temp dirs in deploy and tailscale scripts
- S12: Quote 20+ critical unquoted variables across deploy scripts
- S13: Extract hardcoded IPs to deploy-config-defaults.sh
- S15: Add --memory=256m to UI container runs
- F16: Remove in-memory JWT, use cookie-only auth in filebrowser client
- F17: Add meta tag fallback for CSRF token in RPC client
- F19: Track and clear setTimeout in AppSession on unmount

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/first-boot-containers.sh

@@ -287,7 +287,7 @@ else
   log "Bitcoin Knots already running"
 fi
 # Wait for Bitcoin Knots RPC to be responsive
-if wait_for_container "Bitcoin Knots RPC" "$DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS getblockchaininfo" 60; then
+if wait_for_container "Bitcoin Knots RPC" "$DOCKER exec bitcoin-knots bitcoin-cli -rpcuser='$BITCOIN_RPC_USER' -rpcpassword='$BITCOIN_RPC_PASS' getblockchaininfo" 60; then
   BITCOIN_READY=true
   log "Bitcoin Knots is ready — dependent containers will proceed"
 else
@@ -297,9 +297,9 @@ fi
 track_container "bitcoin-knots"
 
 # Ensure wallet exists (Bitcoin Knots no longer auto-creates a default wallet)
-if ! $DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS listwallets 2>/dev/null | grep -q "archipelago"; then
-  $DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS loadwallet "archipelago" 2>/dev/null || \
-  $DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS createwallet "archipelago" 2>/dev/null
+if ! $DOCKER exec bitcoin-knots bitcoin-cli "-rpcuser=$BITCOIN_RPC_USER" "-rpcpassword=$BITCOIN_RPC_PASS" listwallets 2>/dev/null | grep -q "archipelago"; then
+  $DOCKER exec bitcoin-knots bitcoin-cli "-rpcuser=$BITCOIN_RPC_USER" "-rpcpassword=$BITCOIN_RPC_PASS" loadwallet "archipelago" 2>/dev/null || \
+  $DOCKER exec bitcoin-knots bitcoin-cli "-rpcuser=$BITCOIN_RPC_USER" "-rpcpassword=$BITCOIN_RPC_PASS" createwallet "archipelago" 2>/dev/null
   log "Bitcoin Knots wallet 'archipelago' created/loaded"
 fi
 
@@ -312,8 +312,8 @@ if ! $DOCKER ps -a --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-mempool-d
     --health-cmd="mariadb -uroot -e 'SELECT 1' || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
     --memory=$(mem_limit archy-mempool-db) --network archy-net \
     -v /var/lib/archipelago/mysql-mempool:/var/lib/mysql \
-    -e MYSQL_DATABASE=mempool -e MYSQL_USER=mempool -e MYSQL_PASSWORD=$MEMPOOL_DB_PASS \
-    -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASS \
+    -e MYSQL_DATABASE=mempool -e MYSQL_USER=mempool -e "MYSQL_PASSWORD=$MEMPOOL_DB_PASS" \
+    -e "MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASS" \
     docker.io/mariadb:10.11 2>>"$LOG" || true
   wait_for_container "Mempool MariaDB" "echo 'SELECT 1' | $DOCKER exec -i archy-mempool-db mariadb -uroot --password=\"$MYSQL_ROOT_PASS\"" 30
 fi
@@ -351,7 +351,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q mempool-api; then
     -e ELECTRUM_TLS_ENABLED=false -e CORE_RPC_HOST="$TARGET_IP" -e CORE_RPC_PORT=8332 \
     -e "CORE_RPC_USERNAME=$BITCOIN_RPC_USER" -e "CORE_RPC_PASSWORD=$BITCOIN_RPC_PASS" \
     -e DATABASE_ENABLED=true -e DATABASE_HOST="$MYSQL_CNT" -e DATABASE_DATABASE=mempool \
-    -e DATABASE_USERNAME=mempool -e DATABASE_PASSWORD=$MEMPOOL_DB_PASS \
+    -e DATABASE_USERNAME=mempool -e "DATABASE_PASSWORD=$MEMPOOL_DB_PASS" \
     docker.io/mempool/backend:v2.5.0 2>>"$LOG" || true
 fi
 track_container "mempool-api"
@@ -395,7 +395,7 @@ if ! $DOCKER ps -a --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-btcpay-db
     --health-cmd="pg_isready -U postgres || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
     --memory=$(mem_limit archy-btcpay-db) --network archy-net \
     -v /var/lib/archipelago/postgres-btcpay:/var/lib/postgresql/data \
-    -e POSTGRES_DB=btcpay -e POSTGRES_USER=btcpay -e POSTGRES_PASSWORD=$BTCPAY_DB_PASS \
+    -e POSTGRES_DB=btcpay -e POSTGRES_USER=btcpay -e "POSTGRES_PASSWORD=$BTCPAY_DB_PASS" \
     docker.io/postgres:15-alpine 2>>"$LOG" || true
   wait_for_container "BTCPay PostgreSQL" "$DOCKER exec archy-btcpay-db pg_isready -U postgres" 30
 fi
@@ -403,7 +403,7 @@ track_container "archy-btcpay-db"
 # Create nbxplorer DB only if postgres is running
 if $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-btcpay-db|postgres-btcpay'; then
   $DOCKER exec archy-btcpay-db psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname='nbxplorer'" 2>/dev/null | grep -q 1 || \
-    $DOCKER exec -e PGPASSWORD=$BTCPAY_DB_PASS archy-btcpay-db psql -U postgres -c "CREATE DATABASE nbxplorer;" 2>/dev/null || true
+    $DOCKER exec -e "PGPASSWORD=$BTCPAY_DB_PASS" archy-btcpay-db psql -U postgres -c "CREATE DATABASE nbxplorer;" 2>/dev/null || true
 fi
 
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q archy-nbxplorer; then
@@ -418,7 +418,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q archy-nbxplorer; the
       -p 32838:32838 -v /var/lib/archipelago/nbxplorer:/data \
       -e NBXPLORER_DATADIR=/data -e NBXPLORER_NETWORK=mainnet -e NBXPLORER_CHAINS=btc \
       -e NBXPLORER_BIND=0.0.0.0:32838 -e NBXPLORER_BTCRPCURL=http://bitcoin-knots:8332 \
-      -e NBXPLORER_BTCRPCUSER=$BITCOIN_RPC_USER -e NBXPLORER_BTCRPCPASSWORD=$BITCOIN_RPC_PASS \
+      -e "NBXPLORER_BTCRPCUSER=$BITCOIN_RPC_USER" -e "NBXPLORER_BTCRPCPASSWORD=$BITCOIN_RPC_PASS" \
       -e NBXPLORER_POSTGRES='User ID=btcpay;Password=$BTCPAY_DB_PASS;Host=archy-btcpay-db;Port=5432;Database=nbxplorer;Include Error Detail=true' \
       docker.io/nicolasdorier/nbxplorer:2.6.0 2>>"$LOG" && sleep 5 || true
   fi
@@ -767,7 +767,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q immich_server; then
       --health-cmd="pg_isready -U postgres || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
       --memory=$(mem_limit immich_postgres) --network immich-net \
       -v /var/lib/archipelago/immich-db:/var/lib/postgresql/data \
-      -e POSTGRES_PASSWORD=$IMMICH_DB_PASS -e POSTGRES_USER=postgres -e POSTGRES_DB=immich \
+      -e "POSTGRES_PASSWORD=$IMMICH_DB_PASS" -e POSTGRES_USER=postgres -e POSTGRES_DB=immich \
       ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0 2>>"$LOG" || true
     sleep 3
     for i in 1 2 3 4 5 6 7 8 9 10; do
@@ -787,7 +787,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q immich_server; then
       --health-cmd="curl -sf http://localhost:2283/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
       --memory=$(mem_limit immich_server) --network immich-net \
       -p 2283:2283 -v /var/lib/archipelago/immich:/usr/src/app/upload \
-      -e DB_HOSTNAME=immich_postgres -e DB_USERNAME=postgres -e DB_PASSWORD=$IMMICH_DB_PASS \
+      -e DB_HOSTNAME=immich_postgres -e DB_USERNAME=postgres -e "DB_PASSWORD=$IMMICH_DB_PASS" \
       -e DB_DATABASE_NAME=immich -e REDIS_HOSTNAME=immich_redis \
       -e UPLOAD_LOCATION=/usr/src/app/upload \
       ghcr.io/immich-app/immich-server:release 2>>"$LOG" || true
@@ -805,7 +805,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; the
       --health-cmd="pg_isready -U penpot || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
       --memory=$(mem_limit penpot-postgres) --network penpot-net \
       -v /var/lib/archipelago/penpot-postgres:/var/lib/postgresql/data \
-      -e POSTGRES_DB=penpot -e POSTGRES_USER=penpot -e POSTGRES_PASSWORD=$PENPOT_DB_PASS \
+      -e POSTGRES_DB=penpot -e POSTGRES_USER=penpot -e "POSTGRES_PASSWORD=$PENPOT_DB_PASS" \
       docker.io/postgres:15 2>>"$LOG" || true
     sleep 5
   fi
@@ -825,7 +825,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; the
       -e PENPOT_PUBLIC_URI="http://${TARGET_IP}:9001" \
       -e PENPOT_SECRET_KEY=archipelago-penpot-secret-key-change-in-production \
       -e PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot \
-      -e PENPOT_DATABASE_USERNAME=penpot -e PENPOT_DATABASE_PASSWORD=$PENPOT_DB_PASS \
+      -e PENPOT_DATABASE_USERNAME=penpot -e "PENPOT_DATABASE_PASSWORD=$PENPOT_DB_PASS" \
       -e PENPOT_REDIS_URI=redis://penpot-valkey/0 \
       -e PENPOT_OBJECTS_STORAGE_BACKEND=fs \
       -e PENPOT_OBJECTS_STORAGE_FS_DIRECTORY=/opt/data/assets \