feat(apps): stepped creation wizard, branch previews, and app-creation fixes

This session (frontend focus):
- Rebuild /apps/new as a 4-step wizard (Basics → Configure → Trigger → Review):
  WizardRail, SourceKindPicker card grid, AppManifest review, per-step validation,
  ConfirmDialog-based unsaved-changes guard.
- Extract lib/workload/sourceForms.ts (single source of truth for source_config)
  + {Image,Compose,Static,Dockerfile}SourceForm + StaticDiscoveryWizard; fold the
  /apps/[id] edit form onto the same components (removes the duplication). Add
  vitest + sourceForms unit tests.
- Branch preview environments UI: /chain is_preview/preview_branch + a Preview
  environments panel on /apps/[id] (per-branch URLs, ConfirmDialog teardown, armed
  state); RegistryImagePicker on the registry trigger and the image source.
- Fixes: image-inspect 404 -> admin-gated POST /api/discovery/image/inspect;
  conflict-panel blur flicker; friendly localized discovery errors; CPU/Memory
  label hints; dashboard + /apps "Total workloads" count only source_kind workloads
  (drop stale trigger_kind gate); NPM cert/access-list name cache; EntityPicker
  empty-list guard.
- Update CLAUDE.md frontend conventions + add a Build & Test section.

Also captures pre-existing in-progress platform work (not from this session):
workload notifications, Prometheus metrics export, store lockfile, health probes,
backup hardening, and related store/webhook/scheduler changes.

internal/webhook/vendor_parsers.go

@@ -327,6 +327,10 @@ func parseGitLabPushEvent(body []byte, headers http.Header) vendorParseResult {
 			Ref:       probe.Ref,
 			CommitSHA: probe.After,
 			Pusher:    pusher,
+			// GitLab does not emit `deleted: true`; the canonical signal
+			// is an all-zero `after` SHA. Same parser helper used for the
+			// GitHub / Gitea fallback so the two branches agree.
+			Deleted: isZeroSHA(probe.After),
 		},
 	}
 	if strings.HasPrefix(probe.Ref, "refs/heads/") {
@@ -346,6 +350,7 @@ func parseGenericGitPush(body []byte) (plugin.InboundEvent, error) {
 	var probe struct {
 		Ref        string `json:"ref"`
 		After      string `json:"after"`
+		Deleted    bool   `json:"deleted"`
 		Repository struct {
 			FullName string `json:"full_name"`
 			CloneURL string `json:"clone_url"`
@@ -370,6 +375,12 @@ func parseGenericGitPush(body []byte) (plugin.InboundEvent, error) {
 	if pusher == "" {
 		pusher = probe.Pusher.Username
 	}
+	// Branch / tag deletion is signalled either by the explicit
+	// `deleted: true` flag (GitHub / Gitea) or by an all-zero `after`
+	// SHA (older shapes). Both are honoured so the preview-deploy flow
+	// can tear down ephemeral workloads even when a vendor omits the
+	// boolean flag.
+	deleted := probe.Deleted || isZeroSHA(probe.After)
 	evt := plugin.InboundEvent{
 		Kind: "git-push",
 		Git: &plugin.GitEvent{
@@ -377,6 +388,7 @@ func parseGenericGitPush(body []byte) (plugin.InboundEvent, error) {
 			Ref:       probe.Ref,
 			CommitSHA: probe.After,
 			Pusher:    pusher,
+			Deleted:   deleted,
 		},
 	}
 	if strings.HasPrefix(probe.Ref, "refs/heads/") {
@@ -388,3 +400,19 @@ func parseGenericGitPush(body []byte) (plugin.InboundEvent, error) {
 	}
 	return evt, nil
 }
+
+// isZeroSHA returns true when sha is the canonical "no commit" sentinel
+// (40 zeros) that vendors emit on the `after` field of a branch- or
+// tag-delete push event. Length-tolerant because some test fixtures
+// truncate the SHA.
+func isZeroSHA(sha string) bool {
+	if sha == "" {
+		return false
+	}
+	for _, r := range sha {
+		if r != '0' {
+			return false
+		}
+	}
+	return len(sha) >= 7
+}