fix(docker-watcher): address final review findings

Security:
- Move config export behind auth middleware
- Validate OIDC callback token before storing in localStorage
- Use constant-time comparison for webhook secret
- Encrypt OIDC client secret at rest (like registry tokens)

Performance:
- Make TriggerDeploy async from HTTP handlers (return deploy ID
  immediately, run pipeline in background goroutine)

Robustness:
- Wrap api.ts res.json() in try/catch for non-JSON responses

i18n:
- Replace ~20 hardcoded English validation messages with $t() calls
- Localize ConfirmDialog cancel button, InstanceCard confirm titles,
  ProjectCard instance/instances pluralization
- Add validation keys to both en.json and ru.json

web/src/routes/login/+page.svelte

@@ -16,11 +16,26 @@
 		applyTheme($resolvedTheme);
 	});
 
-	onMount(() => {
+	onMount(async () => {
 		const urlToken = $page.url.searchParams.get('token');
 		if (urlToken) {
-			localStorage.setItem('auth_token', urlToken);
-			goto('/');
+			// Validate the token against the backend before trusting it.
+			try {
+				const res = await fetch('/api/auth/me', {
+					headers: { 'Authorization': `Bearer ${urlToken}` }
+				});
+				if (res.ok) {
+					localStorage.setItem('auth_token', urlToken);
+					// Remove token from URL to prevent leakage via history/referrer.
+					history.replaceState(null, '', '/login');
+					goto('/');
+					return;
+				}
+			} catch {
+				// Token validation failed — fall through to login form.
+			}
+			// Remove invalid token from URL.
+			history.replaceState(null, '', '/login');
 		}
 		const existingToken = localStorage.getItem('auth_token');
 		if (existingToken) {