fix(docker-watcher): address final review findings

Security:
- Move config export behind auth middleware
- Validate OIDC callback token before storing in localStorage
- Use constant-time comparison for webhook secret
- Encrypt OIDC client secret at rest (like registry tokens)

Performance:
- Make TriggerDeploy async from HTTP handlers (return deploy ID
  immediately, run pipeline in background goroutine)

Robustness:
- Wrap api.ts res.json() in try/catch for non-JSON responses

i18n:
- Replace ~20 hardcoded English validation messages with $t() calls
- Localize ConfirmDialog cancel button, InstanceCard confirm titles,
  ProjectCard instance/instances pluralization
- Add validation keys to both en.json and ru.json
2026-03-28 00:14:53 +03:00
parent a3aa5912d9
commit 1f81ca9eb0
17 changed files with 178 additions and 40 deletions
+9 -1
@@ -46,7 +46,15 @@ async function request<T>(path: string, init?: RequestInit): Promise<T> {
headers
});
const envelope: ApiEnvelope<T> = await res.json();
let envelope: ApiEnvelope<T>;
try {
envelope = await res.json();
} catch {
throw new ApiError(
`Server returned non-JSON response (HTTP ${res.status})`,
res.status
);
}
if (!envelope.success) {
throw new ApiError(envelope.error ?? 'Unknown API error', res.status);
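Review bot: the bare `catch {` around `envelope = await res.json();` reports every rejection as a non-JSON response, so an aborted request or a failed body read gets the same "Server returned non-JSON response" message as an HTML error page, and the original error is discarded. Bind the error with `catch (err)`, map only `SyntaxError` to this `ApiError`, and rethrow anything else or attach it as the cause. Separately, a body that parses successfully to `null` still reaches `if (!envelope.success)` unguarded and throws a TypeError instead of an `ApiError`; a shape check on `envelope` before that line would close the gap this change is meant to cover.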