Migrate codebase from CommonJS to ES Modules

- Convert all require()/module.exports to import/export across 260+ files
- Add "type": "module" to package.json to enable ESM by default
- Add migrations/package.json with "type": "commonjs" to keep db-migrate compatible
- Convert eslint.config.js to ESM with sourceType: "module"
- Replace __dirname/__filename with import.meta.dirname/import.meta.filename
- Replace require.main === module with process.argv[1] === import.meta.filename
- Remove 'use strict' directives (implicit in ESM)
- Convert dynamic require() in switch statements to static import lookup maps
  (dns.js, domains.js, backupformats.js, backupsites.js, network.js)
- Extract self-referencing exports.CONSTANT patterns into standalone const
  declarations (apps.js, services.js, locks.js, users.js, mail.js, etc.)
- Lazify SERVICES object in services.js to avoid circular dependency TDZ issues
- Add clearMailQueue() to mailer.js for ESM-safe queue clearing in tests
- Add _setMockApp() to ldapserver.js for ESM-safe test mocking
- Add _setMockResolve() wrapper to dig.js for ESM-safe DNS mocking in tests
- Convert backupupload.js to use dynamic imports so --check exits before
  loading the module graph (which requires BOX_ENV)
- Update check-install to use ESM import for infra_version.js
- Convert scripts/ (hotfix, release, remote_hotfix.js, find-unused-translations)
- All 1315 tests passing

Migration stats (AI-assisted using Cursor with Claude):
- Wall clock time: ~3-4 hours
- Assistant completions: ~80-100
- Estimated token usage: ~1-2M tokens

Co-authored-by: Cursor <cursoragent@cursor.com>

src/backupformat/tgz.js

@@ -1,22 +1,22 @@
-'use strict';
+import assert from 'node:assert';
+import * as backupSites from '../backupsites.js';
+import BoxError from '../boxerror.js';
+import DataLayout from '../datalayout.js';
+import debugModule from 'debug';
+import { DecryptStream, EncryptStream } from '../hush.js';
+import fs from 'node:fs';
+import HashStream from '../hash-stream.js';
+import path from 'node:path';
+import ProgressStream from '../progress-stream.js';
+import promiseRetry from '../promise-retry.js';
+import safe from 'safetydance';
+import stream from 'stream/promises';
+import { Transform } from 'node:stream';
+import tar from 'tar-stream';
+import util from 'node:util';
+import zlib from 'node:zlib';
 
-const assert = require('node:assert'),
-    backupSites = require('../backupsites.js'),
-    BoxError = require('../boxerror.js'),
-    DataLayout = require('../datalayout.js'),
-    debug = require('debug')('box:backupformat/tgz'),
-    { DecryptStream, EncryptStream } = require('../hush.js'),
-    fs = require('node:fs'),
-    HashStream = require('../hash-stream.js'),
-    path = require('node:path'),
-    ProgressStream = require('../progress-stream.js'),
-    promiseRetry = require('../promise-retry.js'),
-    safe = require('safetydance'),
-    stream = require('stream/promises'),
-    { Transform } = require('node:stream'),
-    tar = require('tar-stream'),
-    util = require('node:util'),
-    zlib = require('node:zlib');
+const debug = debugModule('box:backupformat/tgz');
 
 // In tar, the entry header contains the file size. If we don't provide it those many bytes, the tar will become corrupt
 // Linux provides no guarantee of how many bytes can be read from a file. This is the case with sqlite and log files
@@ -345,13 +345,13 @@ function getFileExtension(encryption) {
     return encryption ? '.tar.gz.enc' : '.tar.gz';
 }
 
-exports = module.exports = {
+const _EnsureFileSizeStream = EnsureFileSizeStream;
+
+export {
     download,
     upload,
     verify,
     getFileExtension,
     copy,
-
-    // exported for testing
-    _EnsureFileSizeStream: EnsureFileSizeStream
+    _EnsureFileSizeStream,
 };