feat(volume-browser): absolute scope with allowlist security

- Add 'absolute' volume scope for direct host paths (NFS, external mounts)
- Allowlist in settings: allowed_volume_paths (JSON array of prefixes)
- Validation: absolute source must be under an allowed prefix
- Empty allowlist = absolute scope disabled entirely
- Settings API exposes/validates allowed_volume_paths
- Frontend type updated with absolute scope

internal/store/models.go

@@ -57,6 +57,7 @@ type Settings struct {
 	BaseVolumePath   string `json:"base_volume_path"`
 	SSLCertificateID   int    `json:"ssl_certificate_id"`
 	StaleThresholdDays int    `json:"stale_threshold_days"`
+	AllowedVolumePaths string `json:"allowed_volume_paths"` // JSON array of allowed absolute paths
 	UpdatedAt          string `json:"updated_at"`
 }
 
@@ -120,12 +121,14 @@ const (
 	VolumeScopeProjectNamed VolumeScope = "project_named"
 	VolumeScopeNamed        VolumeScope = "named"
 	VolumeScopeEphemeral    VolumeScope = "ephemeral"
+	VolumeScopeAbsolute     VolumeScope = "absolute"
 )
 
 // ValidVolumeScopes contains all valid scope values for validation.
 var ValidVolumeScopes = []VolumeScope{
 	VolumeScopeInstance, VolumeScopeStage, VolumeScopeProject,
 	VolumeScopeProjectNamed, VolumeScopeNamed, VolumeScopeEphemeral,
+	VolumeScopeAbsolute,
 }
 
 // IsValidVolumeScope returns true if the given string is a valid scope.

internal/store/settings.go

@@ -9,10 +9,14 @@ func (s *Store) GetSettings() (Settings, error) {
 	var st Settings
 	err := s.db.QueryRow(
 		`SELECT domain, server_ip, network, subdomain_pattern, notification_url,
-		        npm_url, npm_email, npm_password, webhook_secret, polling_interval, base_volume_path, ssl_certificate_id, stale_threshold_days, updated_at
+		        npm_url, npm_email, npm_password, webhook_secret, polling_interval,
+		        base_volume_path, ssl_certificate_id, stale_threshold_days,
+		        allowed_volume_paths, updated_at
 		 FROM settings WHERE id = 1`,
 	).Scan(&st.Domain, &st.ServerIP, &st.Network, &st.SubdomainPattern, &st.NotificationURL,
-		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval, &st.BaseVolumePath, &st.SSLCertificateID, &st.StaleThresholdDays, &st.UpdatedAt)
+		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval,
+		&st.BaseVolumePath, &st.SSLCertificateID, &st.StaleThresholdDays,
+		&st.AllowedVolumePaths, &st.UpdatedAt)
 	if err != nil {
 		return Settings{}, fmt.Errorf("query settings: %w", err)
 	}
@@ -25,10 +29,14 @@ func (s *Store) UpdateSettings(st Settings) error {
 	_, err := s.db.Exec(
 		`UPDATE settings SET
 			domain=?, server_ip=?, network=?, subdomain_pattern=?, notification_url=?,
-			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?, base_volume_path=?, ssl_certificate_id=?, stale_threshold_days=?, updated_at=?
+			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?,
+			base_volume_path=?, ssl_certificate_id=?, stale_threshold_days=?,
+			allowed_volume_paths=?, updated_at=?
 		 WHERE id = 1`,
 		st.Domain, st.ServerIP, st.Network, st.SubdomainPattern, st.NotificationURL,
-		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval, st.BaseVolumePath, st.SSLCertificateID, st.StaleThresholdDays, st.UpdatedAt,
+		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval,
+		st.BaseVolumePath, st.SSLCertificateID, st.StaleThresholdDays,
+		st.AllowedVolumePaths, st.UpdatedAt,
 	)
 	if err != nil {
 		return fmt.Errorf("update settings: %w", err)

internal/store/store.go

@@ -88,6 +88,8 @@ func (s *Store) runMigrations() error {
 		// Add name column and rename mode→scope for volume scopes redesign (2026-03-31).
 		`ALTER TABLE volumes ADD COLUMN name TEXT NOT NULL DEFAULT ''`,
 		`ALTER TABLE volumes ADD COLUMN scope TEXT NOT NULL DEFAULT ''`,
+		// Add allowed_volume_paths to settings for absolute volume scope allowlist (2026-04-01).
+		`ALTER TABLE settings ADD COLUMN allowed_volume_paths TEXT NOT NULL DEFAULT '[]'`,
 	}
 
 	for _, m := range migrations {