fix(docker-watcher): address final review findings

Security:
- Move config export behind auth middleware
- Validate OIDC callback token before storing in localStorage
- Use constant-time comparison for webhook secret
- Encrypt OIDC client secret at rest (like registry tokens)

Performance:
- Make TriggerDeploy async from HTTP handlers (return deploy ID
  immediately, run pipeline in background goroutine)

Robustness:
- Wrap api.ts res.json() in try/catch for non-JSON responses

i18n:
- Replace ~20 hardcoded English validation messages with $t() calls
- Localize ConfirmDialog cancel button, InstanceCard confirm titles,
  ProjectCard instance/instances pluralization
- Add validation keys to both en.json and ru.json

web/src/lib/components/InstanceCard.svelte

@@ -7,6 +7,7 @@
 	import ConfirmDialog from './ConfirmDialog.svelte';
 	import { IconPlay, IconStop, IconRestart, IconTrash, IconExternalLink } from '$lib/components/icons';
 	import { t } from '$lib/i18n';
+	import { t } from '$lib/i18n';
 	import * as api from '$lib/api';
 
 	interface Props {
@@ -148,7 +149,7 @@
 
 <ConfirmDialog
 	open={confirmAction !== null}
-	title="{confirmAction ? confirmAction.charAt(0).toUpperCase() + confirmAction.slice(1) : ''} Instance"
+	title={confirmAction ? $t(`confirm.${confirmAction}Instance`) : ''}
 	message={confirmAction ? $t(`instance.${confirmAction}Confirm`) : ''}
 	confirmLabel={confirmAction ? confirmAction.charAt(0).toUpperCase() + confirmAction.slice(1) : ''}
 	confirmVariant={confirmAction === 'remove' ? 'danger' : 'primary'}