
1.3.1

fix(thorium): Migrated to astra-tokio-tar to resolve cve

Previously Thorium used tokio-tar which was found to improperly handle
tar unpacking resulting in CVE-2025-62518. Thorium now uses a different
tar dependency which does not have this issue.

1.3.0

chore(readme): Added toolbox info to the FAQ

This updates the tools section in the FAQ to include the new toolbox
feature in Thorium. It also includes a short gif of the toolbox.

1.1.2

Fixed several bugs in Thorium

🐛 Bug Fixes

- *(operator)* Fixed issue where the config could not be made into a CRD
- *(scaler)* Scalers now only request details on clusters they care about
- *(agent)* Fixed issue where the agent was not injecting kwargs correctly
- *(api)* Fixed issue where the API was incorrectly rejecting result paths

Change Details

fix(agent): Fixed issue where the agent was not injecting kwargs correctly

This was causing the agent to add a list of values after each kwargs
instead of repeating the kwarg for each value. This means Thorium will
now use --kwarg <value> --kwarg <value> instead of --kwarg <value>
<value>.

fix(api): Fixed issue where the API was incorrectly rejecting result paths

This was due to an incorrect check for '..' in file paths.

fix(operator): Fixed issue where the config could not be made into a CRD

This was caused by an enum having different types for each branch. The
downside of this fix is that our config does allow someone to configure
certificate validation settings while also disabling certificate
validation. That could lead to some confusing scenarios where you think
validation is enabled but it's not.

fix(scaler): Scalers now only request details on clusters they care about

This helps resolve issues where the scaler tries to get info on clusters
that it cannot and will not schedule on.

Closes #31

1.1.1

Fix(api): Fixed several vulnerabilities in Thorium

None of these issues allow for RCE or privilege escalation.

Result File Path Normalization

The API was not validating that uploaded result file paths are not
absolute paths and do not contain any '..' components. This was not
exploitable due to the fact that:
- Some s3 servers (Minio and CEPH were tested) do not allow .. in paths
- The agent panics when downloading files with an absolute path
- Thorctl nests the absolute path in its relative path and returns an
  error

Regardless, this has been resolved, and Thorium will now validate and
reject any absolute paths or paths where any component contains only
'.'s.

LDAP Injection

Thorium was not escaping user controlled strings that it sent to LDAP.
This would allow attackers to perform LDAP injection if they can add
metagroups to groups. In order to perform this attack, an attacker
would already have the permissions to modify group permissions at will.
Thorium now properly escapes user controlled strings in LDAP.

Spam Verification Emails For Unverified Users

Thorium was not limiting how often verification emails could be resent
to unverified users in systems that have email verification configured.
This means that if an attacker knew a user's username and that user had
not yet verified their email, they could spam them with emails. Only the
verification email would be sent; this does not allow an attacker to send
arbitrary emails. Thorium now allows admins to set a rate limit value
that currently defaults to only allowing an email to be resent every 10
minutes.

Token Not Rotating When Resetting Passwords

Thorium was generating a new token but not saving it when updating a
user's password. This meant that if a user was updating their password
due to a password or token being leaked, Thorium did not properly remove
all prior access. This is only relevant to LDAP enabled Thorium clusters.
Thorium now saves the new token on password updates.

Disabled TLS Verification To Elasticsearch

Thorium was not allowing users to configure how they want to validate
the certificate used by Elasticsearch and was defaulting to not
verifying it. This option is now configurable.

Divide By Zero When Getting Streams

If a user set a split of 0 when getting streams, that request would panic
due to a divide by zero error. This has been resolved by requiring a
NonZeroU64 instead of a u64.

Thanks to OpenAI Security Research for bringing these issues to our attention.
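Worked example, added here and not Thorium's own code: a component-wise validator for result file paths that implements the rule stated in the 1.1.1 message (reject absolute paths and any component made only of '.' characters), shown next to an assumed naive substring check of the kind that over-rejects legitimate names such as `report..txt`, the category of mistake the 1.1.2 `fix(api)` message describes. The `PathError` type and both function names are constructed for this illustration.

```rust
use std::path::Path;

/// Why a result file path was rejected (type constructed for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    DotOnlyComponent(String),
}

/// Assumed illustration of an over-broad check: any ".." substring fails,
/// so a legitimate name like "report..txt" is wrongly rejected.
pub fn naive_substring_check(path: &str) -> bool {
    !path.contains("..")
}

/// Component-wise check: the path must be relative, and no component may
/// consist only of '.' characters (".", "..", "...", and so on).
/// Splitting on both separators means a backslash cannot hide a component.
pub fn validate_result_path(path: &str) -> Result<(), PathError> {
    if path.is_empty() {
        return Err(PathError::Empty);
    }
    // A leading separator or a platform root (e.g. a drive prefix) is absolute.
    if path.starts_with('/') || path.starts_with('\\') || Path::new(path).has_root() {
        return Err(PathError::Absolute);
    }
    for comp in path.split(|c| c == '/' || c == '\\') {
        // Empty components come from doubled separators; nothing to traverse.
        if !comp.is_empty() && comp.chars().all(|c| c == '.') {
            return Err(PathError::DotOnlyComponent(comp.to_string()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample inputs: one legitimate name and three that must be rejected.
    for p in ["results/report..txt", "../etc/passwd", "/tmp/out.json", "out/./x"] {
        println!("{p:?}: naive={} strict={:?}", naive_substring_check(p), validate_result_path(p));
    }
}
```

Note that dot-prefixed names such as `out/.hidden` pass the strict check, because the rule targets components that contain only dots, not every component that starts with one.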

1.1.0

Fixed minithor deployment issues

This fixes several issues using our minithor localhost deployment where
the UI wouldn't be able to reach the API due to 127.0.0.1 DNS not mapping
to localhost on some systems. This also updates minithor infrastructure
dependencies to latest supported versions and handles aliases better
for non-interactive environments.

Closes #19 #22