fix(docker-watcher): address final review findings

Security:
- Move config export behind auth middleware
- Validate OIDC callback token before storing in localStorage
- Use constant-time comparison for webhook secret
- Encrypt OIDC client secret at rest (like registry tokens)

Performance:
- Make TriggerDeploy async from HTTP handlers (return deploy ID
  immediately, run pipeline in background goroutine)

Robustness:
- Wrap api.ts res.json() in try/catch for non-JSON responses

i18n:
- Replace ~20 hardcoded English validation messages with $t() calls
- Localize ConfirmDialog cancel button, InstanceCard confirm titles,
  ProjectCard instance/instances pluralization
- Add validation keys to both en.json and ru.json

internal/api/instances.go

@@ -74,12 +74,14 @@ func (s *Server) deployInstance(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := s.deployer.TriggerDeploy(r.Context(), projectID, stageID, req.ImageTag); err != nil {
+	deployID, err := s.deployer.AsyncTriggerDeploy(r.Context(), projectID, stageID, req.ImageTag)
+	if err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to trigger deploy: "+err.Error())
 		return
 	}
 	respondJSON(w, http.StatusAccepted, map[string]string{
 		"status":     "deploying",
+		"deploy_id":  deployID,
 		"project_id": projectID,
 		"stage_id":   stageID,
 		"image_tag":  req.ImageTag,
@@ -188,4 +190,5 @@ func (s *Server) controlInstance(w http.ResponseWriter, r *http.Request, action
 // DeployTriggerer is the interface for triggering deployments.
 type DeployTriggerer interface {
 	TriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) error
+	AsyncTriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) (string, error)
 }