feat(docker-watcher): phase 12 - hardening

Blue-green zero-downtime deploys, promote flow validation.
Dual auth: local (bcrypt + JWT) and OAuth2/OIDC (any provider).
Auth middleware, login page, auth settings UI.
Structured logging (slog JSON), config export to YAML.
Graceful shutdown with deploy draining.
Multi-stage Dockerfile and production docker-compose.yml.
Swap phase order: Volumes & Env before UI Polish.

internal/deployer/promote.go

@@ -0,0 +1,49 @@
+package deployer
+
+import (
+	"fmt"
+
+	"github.com/alexei/docker-watcher/internal/store"
+)
+
+// validatePromoteFrom checks that a tag is running in the promote_from stage
+// before allowing it to be deployed to the target stage.
+// Returns nil if no promote_from is configured or if the tag is eligible.
+func (d *Deployer) validatePromoteFrom(stage store.Stage, imageTag string) error {
+	if stage.PromoteFrom == "" {
+		return nil
+	}
+
+	// Look up the source stage by name within the same project.
+	stages, err := d.store.GetStagesByProjectID(stage.ProjectID)
+	if err != nil {
+		return fmt.Errorf("get stages for project: %w", err)
+	}
+
+	var sourceStage *store.Stage
+	for _, s := range stages {
+		if s.Name == stage.PromoteFrom {
+			sCopy := s
+			sourceStage = &sCopy
+			break
+		}
+	}
+
+	if sourceStage == nil {
+		return fmt.Errorf("promote_from stage %q not found in project", stage.PromoteFrom)
+	}
+
+	// Check if the tag is running in the source stage.
+	instances, err := d.store.GetInstancesByStageID(sourceStage.ID)
+	if err != nil {
+		return fmt.Errorf("get instances for source stage: %w", err)
+	}
+
+	for _, inst := range instances {
+		if inst.ImageTag == imageTag && (inst.Status == "running" || inst.Status == "stopped") {
+			return nil // Tag found in source stage, promotion is allowed.
+		}
+	}
+
+	return fmt.Errorf("tag %q is not running in stage %q; promotion denied", imageTag, stage.PromoteFrom)
+}