feat(webhook): per-project and per-site webhook URLs

Replace the single global webhook secret with entity-scoped secrets stored
on each project and static site. Webhook-driven project autocreate is
removed — projects must exist before their URL can trigger deploys.

Also wires static-site webhooks (sync_trigger=push|tag), turning the
previously inert "push" trigger into a functional one: POST the site's
webhook URL from a Git provider and Tinyforge re-syncs on matching refs.

- Adds webhook_secret columns + unique indexes to projects and static_sites
- Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook
  and /api/sites/{id}/webhook (admin-only)
- Removes /api/settings/webhook-url and the global webhook panel
- Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru
- Tests for matcher (siteRefMatches, ParseImageRef) and handler (project
  match/mismatch/404 and site push/manual/branch-skip)

internal/store/models.go

@@ -11,6 +11,7 @@ type Project struct {
 	Env              string `json:"env"`     // JSON-encoded map
 	Volumes          string `json:"volumes"` // JSON-encoded map
 	NpmAccessListID  int    `json:"npm_access_list_id"` // per-project override, 0 = use global
+	WebhookSecret    string `json:"-"`                  // per-project webhook secret; never serialized directly
 	CreatedAt        string `json:"created_at"`
 	UpdatedAt        string `json:"updated_at"`
 }
@@ -57,7 +58,6 @@ type Settings struct {
 	NpmURL           string `json:"npm_url"`
 	NpmEmail         string `json:"npm_email"`
 	NpmPassword      string `json:"npm_password"`
-	WebhookSecret    string `json:"webhook_secret"`
 	PollingInterval  string `json:"polling_interval"`
 	BaseVolumePath   string `json:"base_volume_path"`
 	SSLCertificateID   int    `json:"ssl_certificate_id"`
@@ -219,6 +219,7 @@ type StaticSite struct {
 	Error          string `json:"error"`
 	StorageEnabled bool   `json:"storage_enabled"`
 	StorageLimitMB int    `json:"storage_limit_mb"` // 0 = unlimited
+	WebhookSecret  string `json:"-"`                 // per-site webhook secret; never serialized directly
 	CreatedAt      string `json:"created_at"`
 	UpdatedAt      string `json:"updated_at"`
 }

internal/store/projects.go

@@ -8,16 +8,25 @@ import (
 	"github.com/google/uuid"
 )
 
-// CreateProject inserts a new project and returns it.
+// projectCols is the canonical column list for projects queries.
+const projectCols = `id, name, registry, image, port, healthcheck, env, volumes,
+	npm_access_list_id, webhook_secret, created_at, updated_at`
+
+// CreateProject inserts a new project and returns it. A webhook secret is
+// generated automatically if one is not already set on the input.
 func (s *Store) CreateProject(p Project) (Project, error) {
 	p.ID = uuid.New().String()
 	p.CreatedAt = Now()
 	p.UpdatedAt = p.CreatedAt
+	if p.WebhookSecret == "" {
+		p.WebhookSecret = uuid.New().String()
+	}
 
 	_, err := s.db.Exec(
-		`INSERT INTO projects (id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-		p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes, p.NpmAccessListID, p.CreatedAt, p.UpdatedAt,
+		`INSERT INTO projects (`+projectCols+`)
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
+		p.NpmAccessListID, p.WebhookSecret, p.CreatedAt, p.UpdatedAt,
 	)
 	if err != nil {
 		return Project{}, fmt.Errorf("insert project: %w", err)
@@ -29,9 +38,9 @@ func (s *Store) CreateProject(p Project) (Project, error) {
 func (s *Store) GetProjectByID(id string) (Project, error) {
 	var p Project
 	err := s.db.QueryRow(
-		`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
-		 FROM projects WHERE id = ?`, id,
-	).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt)
+		`SELECT `+projectCols+` FROM projects WHERE id = ?`, id,
+	).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
+		&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt)
 	if errors.Is(err, sql.ErrNoRows) {
 		return Project{}, fmt.Errorf("project %s: %w", id, ErrNotFound)
 	}
@@ -41,11 +50,30 @@ func (s *Store) GetProjectByID(id string) (Project, error) {
 	return p, nil
 }
 
+// GetProjectByWebhookSecret looks up a project by its webhook secret.
+// Returns ErrNotFound if no project has this secret (including empty).
+func (s *Store) GetProjectByWebhookSecret(secret string) (Project, error) {
+	if secret == "" {
+		return Project{}, ErrNotFound
+	}
+	var p Project
+	err := s.db.QueryRow(
+		`SELECT `+projectCols+` FROM projects WHERE webhook_secret = ?`, secret,
+	).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
+		&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt)
+	if errors.Is(err, sql.ErrNoRows) {
+		return Project{}, ErrNotFound
+	}
+	if err != nil {
+		return Project{}, fmt.Errorf("query project by webhook secret: %w", err)
+	}
+	return p, nil
+}
+
 // GetAllProjects returns every project ordered by name.
 func (s *Store) GetAllProjects() ([]Project, error) {
 	rows, err := s.db.Query(
-		`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
-		 FROM projects ORDER BY name`,
+		`SELECT ` + projectCols + ` FROM projects ORDER BY name`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query projects: %w", err)
@@ -55,7 +83,8 @@ func (s *Store) GetAllProjects() ([]Project, error) {
 	projects := []Project{}
 	for rows.Next() {
 		var p Project
-		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt); err != nil {
+		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
+			&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan project: %w", err)
 		}
 		projects = append(projects, p)
@@ -66,8 +95,7 @@ func (s *Store) GetAllProjects() ([]Project, error) {
 // GetProjectsByImage returns all projects using the given image, newest first.
 func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
 	rows, err := s.db.Query(
-		`SELECT id, name, registry, image, port, healthcheck, env, volumes, npm_access_list_id, created_at, updated_at
-		 FROM projects WHERE image = ? ORDER BY created_at DESC`, image,
+		`SELECT `+projectCols+` FROM projects WHERE image = ? ORDER BY created_at DESC`, image,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("query projects by image: %w", err)
@@ -77,7 +105,8 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
 	projects := []Project{}
 	for rows.Next() {
 		var p Project
-		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes, &p.NpmAccessListID, &p.CreatedAt, &p.UpdatedAt); err != nil {
+		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
+			&p.NpmAccessListID, &p.WebhookSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("scan project: %w", err)
 		}
 		projects = append(projects, p)
@@ -85,13 +114,16 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
 	return projects, rows.Err()
 }
 
-// UpdateProject updates an existing project's mutable fields.
+// UpdateProject updates an existing project's mutable fields. Webhook secret
+// is intentionally not updated here — use SetProjectWebhookSecret instead.
 func (s *Store) UpdateProject(p Project) error {
 	p.UpdatedAt = Now()
 	result, err := s.db.Exec(
-		`UPDATE projects SET name=?, registry=?, image=?, port=?, healthcheck=?, env=?, volumes=?, npm_access_list_id=?, updated_at=?
+		`UPDATE projects SET name=?, registry=?, image=?, port=?, healthcheck=?, env=?, volumes=?,
+		   npm_access_list_id=?, updated_at=?
 		 WHERE id=?`,
-		p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes, p.NpmAccessListID, p.UpdatedAt, p.ID,
+		p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
+		p.NpmAccessListID, p.UpdatedAt, p.ID,
 	)
 	if err != nil {
 		return fmt.Errorf("update project: %w", err)
@@ -103,6 +135,41 @@ func (s *Store) UpdateProject(p Project) error {
 	return nil
 }
 
+// SetProjectWebhookSecret assigns a webhook secret to a project.
+// Pass an empty string to disable webhook access for the project.
+func (s *Store) SetProjectWebhookSecret(id, secret string) error {
+	result, err := s.db.Exec(
+		`UPDATE projects SET webhook_secret=?, updated_at=? WHERE id=?`,
+		secret, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set project webhook secret: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("project %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
+// EnsureProjectWebhookSecret returns the current webhook secret for a project,
+// generating one on the fly if the stored value is empty (lazy backfill for
+// projects created before the per-project webhook migration).
+func (s *Store) EnsureProjectWebhookSecret(id string) (string, error) {
+	project, err := s.GetProjectByID(id)
+	if err != nil {
+		return "", err
+	}
+	if project.WebhookSecret != "" {
+		return project.WebhookSecret, nil
+	}
+	secret := uuid.New().String()
+	if err := s.SetProjectWebhookSecret(id, secret); err != nil {
+		return "", err
+	}
+	return secret, nil
+}
+
 // DeleteProject removes a project by ID. Cascading deletes handle stages, instances, and deploys.
 func (s *Store) DeleteProject(id string) error {
 	result, err := s.db.Exec(`DELETE FROM projects WHERE id = ?`, id)

internal/store/settings.go

@@ -10,7 +10,7 @@ func (s *Store) GetSettings() (Settings, error) {
 	var wildcardDNS, npmRemote, backupEnabled int
 	err := s.db.QueryRow(
 		`SELECT domain, server_ip, public_ip, network, subdomain_pattern, notification_url,
-		        npm_url, npm_email, npm_password, webhook_secret, polling_interval,
+		        npm_url, npm_email, npm_password, polling_interval,
 		        base_volume_path, ssl_certificate_id, stale_threshold_days,
 		        allowed_volume_paths, wildcard_dns, dns_provider,
 		        cloudflare_api_token, cloudflare_zone_id,
@@ -21,7 +21,7 @@ func (s *Store) GetSettings() (Settings, error) {
 		        updated_at
 		 FROM settings WHERE id = 1`,
 	).Scan(&st.Domain, &st.ServerIP, &st.PublicIP, &st.Network, &st.SubdomainPattern, &st.NotificationURL,
-		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval,
+		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.PollingInterval,
 		&st.BaseVolumePath, &st.SSLCertificateID, &st.StaleThresholdDays,
 		&st.AllowedVolumePaths, &wildcardDNS, &st.DNSProvider,
 		&st.CloudflareAPIToken, &st.CloudflareZoneID,
@@ -57,7 +57,7 @@ func (s *Store) UpdateSettings(st Settings) error {
 	_, err := s.db.Exec(
 		`UPDATE settings SET
 			domain=?, server_ip=?, public_ip=?, network=?, subdomain_pattern=?, notification_url=?,
-			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?,
+			npm_url=?, npm_email=?, npm_password=?, polling_interval=?,
 			base_volume_path=?, ssl_certificate_id=?, stale_threshold_days=?,
 			allowed_volume_paths=?, wildcard_dns=?, dns_provider=?,
 			cloudflare_api_token=?, cloudflare_zone_id=?,
@@ -68,7 +68,7 @@ func (s *Store) UpdateSettings(st Settings) error {
 			updated_at=?
 		 WHERE id = 1`,
 		st.Domain, st.ServerIP, st.PublicIP, st.Network, st.SubdomainPattern, st.NotificationURL,
-		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval,
+		st.NpmURL, st.NpmEmail, st.NpmPassword, st.PollingInterval,
 		st.BaseVolumePath, st.SSLCertificateID, st.StaleThresholdDays,
 		st.AllowedVolumePaths, wildcardDNS, st.DNSProvider,
 		st.CloudflareAPIToken, st.CloudflareZoneID,

internal/store/static_sites.go

@@ -13,23 +13,27 @@ import (
 const staticSiteCols = `id, name, provider, gitea_url, repo_owner, repo_name, branch, folder_path,
 	access_token, domain, mode, render_markdown, sync_trigger, tag_pattern,
 	container_id, proxy_route_id, status, last_sync_at, last_commit_sha, error,
-	storage_enabled, storage_limit_mb, created_at, updated_at`
+	storage_enabled, storage_limit_mb, webhook_secret, created_at, updated_at`
 
-// CreateStaticSite inserts a new static site and returns it.
+// CreateStaticSite inserts a new static site and returns it. A webhook secret
+// is generated automatically if one is not already set on the input.
 func (s *Store) CreateStaticSite(site StaticSite) (StaticSite, error) {
 	site.ID = uuid.New().String()
 	site.CreatedAt = Now()
 	site.UpdatedAt = site.CreatedAt
+	if site.WebhookSecret == "" {
+		site.WebhookSecret = uuid.New().String()
+	}
 
 	_, err := s.db.Exec(
 		`INSERT INTO static_sites (`+staticSiteCols+`)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		site.ID, site.Name, site.Provider, site.GiteaURL, site.RepoOwner, site.RepoName,
 		site.Branch, site.FolderPath, site.AccessToken, site.Domain, site.Mode,
 		BoolToInt(site.RenderMarkdown), site.SyncTrigger, site.TagPattern,
 		site.ContainerID, site.ProxyRouteID, site.Status, site.LastSyncAt,
 		site.LastCommitSHA, site.Error, BoolToInt(site.StorageEnabled), site.StorageLimitMB,
-		site.CreatedAt, site.UpdatedAt,
+		site.WebhookSecret, site.CreatedAt, site.UpdatedAt,
 	)
 	if err != nil {
 		return StaticSite{}, fmt.Errorf("insert static site: %w", err)
@@ -222,7 +226,7 @@ func scanStaticSiteRow(row *sql.Row) (StaticSite, error) {
 		&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
 		&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
 		&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
-		&site.CreatedAt, &site.UpdatedAt,
+		&site.WebhookSecret, &site.CreatedAt, &site.UpdatedAt,
 	)
 	if err != nil {
 		return StaticSite{}, err
@@ -242,7 +246,7 @@ func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
 		&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
 		&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
 		&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
-		&site.CreatedAt, &site.UpdatedAt,
+		&site.WebhookSecret, &site.CreatedAt, &site.UpdatedAt,
 	)
 	if err != nil {
 		return StaticSite{}, fmt.Errorf("scan static site: %w", err)
@@ -251,3 +255,55 @@ func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
 	site.StorageEnabled = storageEnabled != 0
 	return site, nil
 }
+
+// GetStaticSiteByWebhookSecret looks up a static site by its webhook secret.
+// Returns ErrNotFound if no site has this secret (including empty).
+func (s *Store) GetStaticSiteByWebhookSecret(secret string) (StaticSite, error) {
+	if secret == "" {
+		return StaticSite{}, ErrNotFound
+	}
+	site, err := scanStaticSiteRow(s.db.QueryRow(
+		`SELECT `+staticSiteCols+` FROM static_sites WHERE webhook_secret = ?`, secret,
+	))
+	if errors.Is(err, sql.ErrNoRows) {
+		return StaticSite{}, ErrNotFound
+	}
+	if err != nil {
+		return StaticSite{}, fmt.Errorf("query static site by webhook secret: %w", err)
+	}
+	return site, nil
+}
+
+// SetStaticSiteWebhookSecret assigns a webhook secret to a static site.
+// Pass an empty string to disable webhook access for the site.
+func (s *Store) SetStaticSiteWebhookSecret(id, secret string) error {
+	result, err := s.db.Exec(
+		`UPDATE static_sites SET webhook_secret=?, updated_at=? WHERE id=?`,
+		secret, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set static site webhook secret: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("static site %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
+// EnsureStaticSiteWebhookSecret returns the current webhook secret for a site,
+// generating one on the fly if the stored value is empty (lazy backfill).
+func (s *Store) EnsureStaticSiteWebhookSecret(id string) (string, error) {
+	site, err := s.GetStaticSiteByID(id)
+	if err != nil {
+		return "", err
+	}
+	if site.WebhookSecret != "" {
+		return site.WebhookSecret, nil
+	}
+	secret := uuid.New().String()
+	if err := s.SetStaticSiteWebhookSecret(id, secret); err != nil {
+		return "", err
+	}
+	return secret, nil
+}

internal/store/store.go

@@ -128,6 +128,11 @@ func (s *Store) runMigrations() error {
 		// Add persistent storage columns to static_sites (2026-04-12).
 		`ALTER TABLE static_sites ADD COLUMN storage_enabled INTEGER NOT NULL DEFAULT 0`,
 		`ALTER TABLE static_sites ADD COLUMN storage_limit_mb INTEGER NOT NULL DEFAULT 0`,
+		// Per-project + per-site webhook secrets (2026-04-23). Global
+		// settings.webhook_secret is deprecated; its column is retained to
+		// avoid a destructive migration on SQLite.
+		`ALTER TABLE projects ADD COLUMN webhook_secret TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE static_sites ADD COLUMN webhook_secret TEXT NOT NULL DEFAULT ''`,
 	}
 
 	// Additive stack tables (2026-04-16). Created here rather than in the
@@ -194,6 +199,8 @@ func (s *Store) runMigrations() error {
 		`CREATE INDEX IF NOT EXISTS idx_static_site_secrets_site_id ON static_site_secrets(site_id)`,
 		`CREATE INDEX IF NOT EXISTS idx_stack_revisions_stack_id ON stack_revisions(stack_id)`,
 		`CREATE INDEX IF NOT EXISTS idx_stack_deploys_stack_id ON stack_deploys(stack_id)`,
+		`CREATE UNIQUE INDEX IF NOT EXISTS idx_projects_webhook_secret ON projects(webhook_secret) WHERE webhook_secret != ''`,
+		`CREATE UNIQUE INDEX IF NOT EXISTS idx_static_sites_webhook_secret ON static_sites(webhook_secret) WHERE webhook_secret != ''`,
 	}
 	for _, idx := range indexes {
 		if _, err := s.db.Exec(idx); err != nil {