feat: add update management system with version check and one-click update

- Bake version info (commit, branch, date) into /app/version.json at build time
  via Docker ARG GIT_COMMIT/GIT_BRANCH/GIT_COMMIT_DATE
- Mount source directory as /app-source for in-container git operations
- Add git config safe.directory for /app-source (ownership mismatch fix)
- Add SystemConfig fields: git_repo_url, git_branch, git_token_encrypted
- Add DB migrations for the three new columns
- Add git_token encryption in update_settings() handler
- New endpoints:
    GET  /api/settings/version  — current version + latest from Gitea API
    POST /api/settings/update   — DB backup + git pull + docker compose rebuild
- New service: app/services/update_service.py
    get_current_version()  — reads /app/version.json
    check_for_updates()    — queries Gitea API for latest commit on branch
    backup_database()      — timestamped SQLite copy to /app/backups/
    trigger_update()       — git pull + fire-and-forget compose rebuild
- New script: update.sh — SSH-based manual update with health check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/utils/validators.py

@@ -154,6 +154,10 @@ class SystemConfigUpdate(BaseModel):
     ldap_base_dn: Optional[str] = Field(None, max_length=500)
     ldap_user_filter: Optional[str] = Field(None, max_length=255)
     ldap_group_dn: Optional[str] = Field(None, max_length=500)
+    # Update management
+    git_repo_url: Optional[str] = Field(None, max_length=500)
+    git_branch: Optional[str] = Field(None, max_length=100)
+    git_token: Optional[str] = None  # plaintext, encrypted before storage
 
     @field_validator("ssl_mode")
     @classmethod