fix(docker-watcher): address final review findings

Security:
- Move config export behind auth middleware
- Validate OIDC callback token before storing in localStorage
- Use constant-time comparison for webhook secret
- Encrypt OIDC client secret at rest (like registry tokens)

Performance:
- Make TriggerDeploy async from HTTP handlers (return deploy ID
  immediately, run pipeline in background goroutine)

Robustness:
- Wrap api.ts res.json() in try/catch for non-JSON responses

i18n:
- Replace ~20 hardcoded English validation messages with $t() calls
- Localize ConfirmDialog cancel button, InstanceCard confirm titles,
  ProjectCard instance/instances pluralization
- Add validation keys to both en.json and ru.json

internal/api/deploys.go

@@ -137,16 +137,18 @@ func (s *Server) quickDeploy(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Trigger deploy.
-	if err := s.deployer.TriggerDeploy(r.Context(), project.ID, stage.ID, req.Tag); err != nil {
+	// Trigger deploy asynchronously.
+	deployID, err := s.deployer.AsyncTriggerDeploy(r.Context(), project.ID, stage.ID, req.Tag)
+	if err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to trigger deploy: "+err.Error())
 		return
 	}
 
 	respondJSON(w, http.StatusAccepted, map[string]any{
-		"project": project,
-		"stage":   stage,
-		"tag":     req.Tag,
+		"project":   project,
+		"stage":     stage,
+		"tag":       req.Tag,
+		"deploy_id": deployID,
 		"status":  "deploying",
 	})
 }