Make CleanupUploadFilesJob skip tenant upload dirs (#842) #851

Merged
aprilrieger merged 3 commits into main from i842-make-uploads-dir-cleanup-safe
Mar 19, 2026

@aprilrieger aprilrieger commented Mar 18, 2026

Ref ticket #842

Summary

CleanupUploadFilesJob was enqueueing CleanupSubDirectoryJob for every top-level directory under the uploads path, including tenant UUID directories that hold permanent site/branding files (e.g. site/banner_images/). That could delete banner images and other tenant assets.

Changes

CleanupUploadFilesJob only considers top-level directories whose basename is exactly two hex characters (00–ff). Those are the pair-tree staging dirs used for temporary work uploads; all other top-level dirs are left alone.
Introduced HEX_TOP_DIR_PATTERN and restricted top_level_directories to paths that are directories and whose basename matches this pattern.

When enqueueing CleanupSubDirectoryJob, the job now passes uploads_path for use in validation.

Protected directories (never cleaned)

The job only processes hex dirs; these are never passed to CleanupSubDirectoryJob:

  • Tenant UUID/slug dirs – Site assets (banner_images, logo, directory_image, default collection/work images)
  • uploaded_collection_thumbnails – Collection thumbnail uploads
  • identity_provider – IdentityProvider logos (LogoUploader)
  • hyrax – Hyrax UploadedFile cache

Specs

  • Stub includes hex dirs (ff, 00, ab) and all of the protected dirs above; only the three hex dirs get child jobs.
  • Examples assert that no CleanupSubDirectoryJob is enqueued for tenant UUID dirs, uploaded_collection_thumbnails, identity_provider, or hyrax.
  • Existing examples updated so enqueued job args include uploads_path.

Acceptance criteria

[x] CleanupUploadFilesJob does not create a CleanupSubDirectoryJob for tenant/branding directories (e.g. …/56e0eb81-.../site/banner_images/).
[x] Specs document and enforce that uploaded_collection_thumbnails, identity_provider, and hyrax top-level dirs are also never cleaned.
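
The allowlist filter described in the pull request above, as an added example that is not the project's code. Only the names HEX_TOP_DIR_PATTERN, top_level_directories and uploads_path come from the page; the regex value, the symlink check, `safe_to_clean?` and the sample layout are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Assumed pattern: exactly two lowercase hex characters. \A and \z anchor the
# whole name; in Ruby, ^ and $ would also accept a name such as "ab\nx".
HEX_TOP_DIR_PATTERN = /\A[0-9a-f]{2}\z/

# Top-level staging directories that are eligible for cleanup.
def top_level_directories(uploads_path)
  Dir.children(uploads_path).sort.filter_map do |name|
    path = File.join(uploads_path, name)
    next unless HEX_TOP_DIR_PATTERN.match?(name)
    # Added hardening (assumption): a symlink with a hex name could point
    # at a protected directory, so only real directories qualify.
    next if File.symlink?(path) || !File.directory?(path)
    path
  end
end

# Hypothetical child-side validation using the uploads_path argument: the
# resolved directory must be a direct child of uploads_path with a hex name.
def safe_to_clean?(directory, uploads_path)
  return false unless File.directory?(directory)
  root = File.realpath(uploads_path)
  real = File.realpath(directory)
  File.dirname(real) == root && HEX_TOP_DIR_PATTERN.match?(File.basename(real))
end

# Constructed sample layout mirroring the directories named in the PR.
def build_sample_uploads(root)
  tenant = "11111111-2222-3333-4444-555555555555" # constructed UUID
  %W[ff 00 ab #{tenant}/site/banner_images uploaded_collection_thumbnails
     identity_provider hyrax abc].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
  FileUtils.touch(File.join(root, "cd"))                       # file, not a dir
  File.symlink(File.join(root, tenant), File.join(root, "ee")) # hex-named symlink
  tenant
end

def demo
  Dir.mktmpdir do |root|
    tenant = build_sample_uploads(root)
    { picked: top_level_directories(root).map { |p| File.basename(p) },
      hex_ok: safe_to_clean?(File.join(root, "ff"), root),
      tenant_ok: safe_to_clean?(File.join(root, tenant), root),
      symlink_ok: safe_to_clean?(File.join(root, "ee"), root) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```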

…t CleanupUploadFilesJob never runs for tenant UUID dirs, uploaded_collection_thumbnails, identity_provider, or hyrax (UploadedFile cache). Only hex pair-tree dirs (00-ff) are cleaned
@aprilrieger aprilrieger requested review from Copilot and maxkadel and removed request for Copilot March 18, 2026 21:43

@maxkadel maxkadel left a comment

Thanks April!

@aprilrieger aprilrieger merged commit 5d2f01c into main Mar 19, 2026
7 checks passed
@aprilrieger aprilrieger deleted the i842-make-uploads-dir-cleanup-safe branch March 19, 2026 21:02