Code Review Issues

#	Severity	File	Issue	Status
1	Critical	`scripts/deploy.sh`	`SCRIPT_DIR` resolves to `scripts/` but paths assume repo root (e.g. `$SCRIPT_DIR/caddy/docker-compose.yml`). All scripts broken after move to `scripts/`. Fix: use `REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"`	DONE
2	Critical	`scripts/backup.sh`	Same broken `SCRIPT_DIR` path issue	DONE
3	Critical	`scripts/restore.sh`	Same broken `SCRIPT_DIR` path issue	DONE
4	High	`scripts/backup.sh:20`	`pg_dumpall -U nextcloud` hardcodes DB username instead of reading from env	TODO
5	High	`scripts/restore.sh:68`	`psql -U nextcloud` hardcodes DB username instead of reading from env	TODO
6	High	`scripts/deploy.sh:13`	`source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation	TODO
7	Medium	`monitoring/docker-compose.yml`	Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access	TODO
8	Medium	`caddy/Caddyfile`	No rate limiting configured at the reverse proxy layer	TODO
9	Low	`gitea/docker-compose.yml`	`gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does	TODO
10	Low	`monitoring/docker-compose.yml`	`grafana/alloy:latest` unpinned — pin to specific version	TODO