fix: notifications for AJAX backups, download CSRF token

SteppedBackupEngine now sends email + ntfy notifications on both
success (completeRecord) and failure (failRecord). Previously only
BackupEngine (synchronous CLI/toolbar path) sent notifications.

Download link in backups template now includes the CSRF token in
the URL query string, fixing "security token did not match" error
when clicking download buttons.

source/packages/com_mokosuitebackup/src/Engine/SteppedBackupEngine.php

@@ -433,14 +433,47 @@ class SteppedBackupEngine
 			error_log('MokoSuiteBackup: Could not write log file: ' . $logPath);
 		}
 
+		$totalSize = is_file($session->archivePath) ? filesize($session->archivePath) : 0;
+
 		$update = (object) [
-			'id'        => $session->recordId,
-			'status'    => 'complete',
-			'backupend' => date('Y-m-d H:i:s'),
-			'log'       => $logContent,
+			'id'          => $session->recordId,
+			'status'      => 'complete',
+			'backupend'   => date('Y-m-d H:i:s'),
+			'total_size'  => $totalSize,
+			'log'         => $logContent,
 		];
 
 		$db->updateObject('#__mokosuitebackup_records', $update, 'id');
+
+		// Send notifications (email + ntfy)
+		try {
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('id') . ' = ' . (int) $session->profileId);
+			$db->setQuery($query);
+			$profile = $db->loadObject();
+
+			if ($profile) {
+				$record = (object) [
+					'id'          => $session->recordId,
+					'description' => $session->description ?? '',
+					'backup_type' => $session->backupType,
+					'archivename' => $session->archiveName,
+					'origin'      => $session->origin,
+					'backupstart' => '',
+					'backupend'   => date('Y-m-d H:i:s'),
+					'total_size'  => $totalSize,
+					'files_count' => $session->filesCount ?? 0,
+					'tables_count' => $session->tablesCount ?? 0,
+					'remote_filename' => '',
+				];
+
+				NotificationSender::send($profile, $record, true, $logContent);
+			}
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: SteppedBackupEngine notification failed: ' . $e->getMessage());
+		}
 	}
 
 	/**
@@ -448,15 +481,47 @@ class SteppedBackupEngine
 	 */
 	private function failRecord(SteppedSession $session, string $error): void
 	{
-		$db     = Factory::getDbo();
+		$db         = Factory::getDbo();
+		$logContent = implode("\n", $session->log);
+
 		$update = (object) [
 			'id'        => $session->recordId,
 			'status'    => 'fail',
 			'backupend' => date('Y-m-d H:i:s'),
-			'log'       => implode("\n", $session->log),
+			'log'       => $logContent,
 		];
 
 		$db->updateObject('#__mokosuitebackup_records', $update, 'id');
+
+		// Send failure notification
+		try {
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__mokosuitebackup_profiles'))
+				->where($db->quoteName('id') . ' = ' . (int) $session->profileId);
+			$db->setQuery($query);
+			$profile = $db->loadObject();
+
+			if ($profile) {
+				$record = (object) [
+					'id'          => $session->recordId,
+					'description' => $session->description,
+					'backup_type' => $session->backupType,
+					'archivename' => $session->archiveName,
+					'origin'      => $session->origin,
+					'backupstart' => '',
+					'backupend'   => date('Y-m-d H:i:s'),
+					'total_size'  => 0,
+					'files_count' => $session->filesCount,
+					'tables_count' => $session->tablesCount,
+					'remote_filename' => '',
+				];
+
+				NotificationSender::send($profile, $record, false, $logContent);
+			}
+		} catch (\Exception $e) {
+			error_log('MokoSuiteBackup: SteppedBackupEngine failure notification failed: ' . $e->getMessage());
+		}
 	}
 
 	/**

source/packages/com_mokosuitebackup/tmpl/backups/default.php

@@ -145,7 +145,7 @@ $listDirn  = $this->escape($this->state->get('list.direction'));
 										$isWebAccessible = !empty($item->absolute_path)
 											&& strpos(realpath($item->absolute_path) ?: $item->absolute_path, realpath(JPATH_ROOT) ?: JPATH_ROOT) === 0;
 									?>
-										<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&task=backups.download&id=' . $item->id); ?>"
+										<a href="<?php echo Route::_('index.php?option=com_mokosuitebackup&task=backups.download&id=' . $item->id . '&' . Session::getFormToken() . '=1'); ?>"
 										   class="btn btn-sm btn-outline-primary" title="<?php echo Text::_('COM_MOKOJOOMBACKUP_DOWNLOAD'); ?>">
 											<span class="icon-download"></span>
 										</a>