feat(cutover): hard legacy cutover — drop projects/stacks/sites/deploys

The clean-break delete that closes the workload-first refactor arc.
Net diff: ~30 backend files deleted, ~20 modified, ~12k LOC removed
on the Go side; entire /projects /stacks /sites /deploy frontend
trees gone; ~6.7k LOC removed on the Svelte/TypeScript side.

Backend
- API handlers gone: internal/api/{projects,stages,stage_env,stacks,
  static_sites,deploys,instances,volume_browser}.go
- Store CRUD + tests gone: internal/store/{projects,stages,stage_env,
  stacks,static_sites,static_site_secrets,deploys,poll_state,volumes,
  workload_sync}.go (+ _test.go siblings)
- Legacy deployer pipeline gone: internal/deployer/{bluegreen,promote,
  rollback,subdomain,resolver_test}.go; deployer.go trimmed to just the
  dispatch surface used by the plugin pipeline
- internal/staticsite/{manager,healthcheck}.go and
  internal/stack/manager.go gone (the rest of those packages stay as
  helpers imported by the static + compose plugins)
- internal/registry/poller.go gone (legacy registry poller)
- internal/volume.ResolvePath gone; ResolveWorkloadPath stays
- internal/webhook: handleWebhook (project) + handleSiteWebhook (site)
  gone; only POST /api/webhook/triggers/{secret} remains
- workload-side webhook URL handlers (getWorkloadWebhook +
  regenerateWorkloadWebhook + EnsureWorkloadWebhookSecret +
  SetWorkloadWebhookSecret + GetWorkloadByWebhookSecret) gone — they
  minted URLs that would 404 against the new trigger-only ingress
- cmd/server/main.go: dropped staticsite.Manager, stack.Manager,
  staticsite.HealthChecker, registry poller, SetSiteSyncTriggerer,
  SetStaticSiteManager, SetStackManager, wireStaticBackend
- store/store.go: idempotent DROP TABLE IF EXISTS for every legacy
  table (projects, stages, stage_env, volumes, deploys, deploy_logs,
  poll_states, stacks, stack_revisions, stack_deploys, static_sites,
  static_site_secrets); FK order children-then-parents
- store/models.go: dropped Project, Stage, Deploy, DeployLog, StageEnv,
  Volume, StaticSite, StaticSiteSecret, Stack, StackRevision,
  StackDeploy types; kept WorkloadKind constants as documented strings
- internal/store/helpers.go (new): BoolToInt, rowScanner,
  GenerateWebhookSecret extracted from deleted CRUD files
- internal/api/secrets.go (new): forwards to store.GenerateWebhookSecret
  so api + store paths share one secret-generation impl (no
  panic-vs-UUID-fallback divergence)
- internal/reconciler/reconciler.go: dropped legacy stack-by-compose
  + static-site label paths; only canonical tinyforge.workload.id
  dispatch remains
- providers (gitea_content/github_provider/gitlab_provider) gained
  path-traversal rejection on every tree entry
- internal/webhook ParsedImage / ParseImageRef demoted to package-
  private (no external callers)

Frontend
- /projects /stacks /sites /deploy routes deleted (entire trees)
- ProjectCard / InstanceCard / StaleContainerCard components deleted
- api.ts: dropped every project/stage/stack/site/deploy/instance
  helper + types (Project, Stage, Stack, StaticSite, Deploy,
  Instance, Volume, etc.); kept Workload, Container, App, Settings,
  Registry, EventTrigger, LogScanRule, webhook envelopes
- WorkloadWebhook type + getWorkloadWebhook/regenerateWorkloadWebhook
  api functions gone (mirror of the backend deletion above)
- web/src/routes/+layout.svelte: dropped /projects /sites /stacks
  /deploy nav entries, trimmed quick-nav keymap
- web/src/routes/+page.svelte: dashboard rewrite — reads
  listWorkloads + listContainers only; 4-card stat grid
  (workloads/running/failed/stale) + recent workloads strip
- navCounts.ts, SystemHealthCard.svelte, ContainerLogs.svelte,
  ContainerStats.svelte, StatusBadge.svelte, TagCombobox.svelte,
  proxies/+page.svelte, containers/+page.svelte all rewired to the
  workload-first surface
- AbortController plumbing on dashboard, nav-counts, stale page,
  SystemHealthCard so navigation doesn't leave dangling fetches
- i18n: dropped projects.*, projectDetail.*, envEditor.*,
  volumeEditor.*, volumeBrowser.*, quickDeploy.*, sites.*, stacks.*,
  instance.*, confirm.* namespaces; en/ru parity preserved (1042
  keys each)

Hardening from go-reviewer + security-reviewer + typescript-reviewer
subagent passes (0 CRITICAL across all three; 1 HIGH + ~12 MEDIUM
addressed inline before commit):

- Sec H1: dead-end workload webhook URL handlers (would mint URLs
  that 404 the new trigger-only ingress) deleted across backend +
  frontend
- Go M1: IsTerminalDeployStatus dropped (no production callers)
- Go M2: ParsedImage/ParseImageRef lowercased (in-package only)
- Go M6: generateWebhookSecret unified — api shim forwards to
  store.GenerateWebhookSecret
- Doc/comment freshness: stage_id (no longer FK), ProxyRoute legacy
  field names, workloadIDRow rationale, webhook_deliveries.target_type
  enum, WebhookDeliveryLog component header

Doc
- WORKLOAD_REFACTOR_TODO: cutover marked DONE; all three Priority 1
  items are now shipped. Next focus is Priority 3 polish (apps.* i18n
  + codemap entries) and Priority 4 tests.

Behavioral notes for operators upgrading from a pre-cutover build
- Existing rows in the dropped tables disappear on first boot.
- Legacy webhook URLs at /api/webhook/{secret} and
  /api/webhook/sites/{secret} return 404; CI configs must repoint to
  /api/webhook/triggers/{secret} (the trigger-split boot backfill
  lifted any embedded workload secret onto a Trigger row, so the
  secret value itself carries over).
- Frontend routes /projects /stacks /sites /deploy are gone; nav
  links replaced with /apps and /triggers.

internal/config/config.go

@@ -7,11 +7,12 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-// SeedConfig represents the top-level YAML seed configuration.
+// SeedConfig represents the top-level YAML seed configuration. After the
+// hard cutover only global settings + registries are supported; workloads
+// are created through the API.
 type SeedConfig struct {
-	Global     GlobalConfig            `yaml:"global"`
-	Registries map[string]RegistryDef  `yaml:"registries"`
-	Projects   map[string]ProjectDef   `yaml:"projects"`
+	Global     GlobalConfig           `yaml:"global"`
+	Registries map[string]RegistryDef `yaml:"registries"`
 }
 
 // GlobalConfig holds domain-wide settings from the seed file.
@@ -38,27 +39,6 @@ type RegistryDef struct {
 	Token string `yaml:"token"`
 }
 
-// ProjectDef defines a project from the seed file.
-type ProjectDef struct {
-	Registry    string            `yaml:"registry"`
-	Image       string            `yaml:"image"`
-	Port        int               `yaml:"port"`
-	Healthcheck string            `yaml:"healthcheck"`
-	Env         map[string]string `yaml:"env"`
-	Volumes     map[string]string `yaml:"volumes"`
-	Stages      map[string]StageDef `yaml:"stages"`
-}
-
-// StageDef defines a deployment stage from the seed file.
-type StageDef struct {
-	TagPattern   string `yaml:"tag_pattern"`
-	AutoDeploy   bool   `yaml:"auto_deploy"`
-	MaxInstances int    `yaml:"max_instances"`
-	Confirm      bool   `yaml:"confirm"`
-	PromoteFrom  string `yaml:"promote_from"`
-	Subdomain    string `yaml:"subdomain"`
-}
-
 // LoadSeedFile reads and parses the YAML seed config from the given path.
 func LoadSeedFile(path string) (SeedConfig, error) {
 	data, err := os.ReadFile(path)
@@ -88,25 +68,5 @@ func validate(cfg SeedConfig) error {
 	if cfg.Global.Domain == "" {
 		return fmt.Errorf("global.domain is required")
 	}
-
-	for name, proj := range cfg.Projects {
-		if proj.Image == "" {
-			return fmt.Errorf("project %q: image is required", name)
-		}
-		if proj.Registry != "" {
-			if _, ok := cfg.Registries[proj.Registry]; !ok {
-				return fmt.Errorf("project %q: references unknown registry %q", name, proj.Registry)
-			}
-		}
-		for stageName, stage := range proj.Stages {
-			if stage.TagPattern == "" {
-				return fmt.Errorf("project %q stage %q: tag_pattern is required", name, stageName)
-			}
-			if stage.MaxInstances < 0 {
-				return fmt.Errorf("project %q stage %q: max_instances must be >= 0", name, stageName)
-			}
-		}
-	}
-
 	return nil
 }

internal/config/export.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"encoding/json"
 	"fmt"
 
 	"github.com/alexei/tinyforge/internal/store"
@@ -9,8 +8,10 @@ import (
 )
 
 // ExportConfig reads the current database state and produces a SeedConfig YAML
-// representation. Credential fields (tokens, passwords) are exported as placeholder
-// strings since they are encrypted in the database.
+// representation. Credential fields (tokens, passwords) are exported as
+// placeholder strings since they are encrypted in the database. After the hard
+// cutover, only global settings + registries are exported — workloads and
+// triggers are created through the API, not via seed files.
 func ExportConfig(db *store.Store) ([]byte, error) {
 	cfg, err := buildSeedConfig(db)
 	if err != nil {
@@ -25,7 +26,6 @@ func ExportConfig(db *store.Store) ([]byte, error) {
 	return data, nil
 }
 
-// buildSeedConfig constructs a SeedConfig from the current database state.
 func buildSeedConfig(db *store.Store) (SeedConfig, error) {
 	settings, err := db.GetSettings()
 	if err != nil {
@@ -37,11 +37,6 @@ func buildSeedConfig(db *store.Store) (SeedConfig, error) {
 		return SeedConfig{}, fmt.Errorf("get registries: %w", err)
 	}
 
-	projects, err := db.GetAllProjects()
-	if err != nil {
-		return SeedConfig{}, fmt.Errorf("get projects: %w", err)
-	}
-
 	cfg := SeedConfig{
 		Global: GlobalConfig{
 			Domain:           settings.Domain,
@@ -56,7 +51,6 @@ func buildSeedConfig(db *store.Store) (SeedConfig, error) {
 			},
 		},
 		Registries: make(map[string]RegistryDef),
-		Projects:   make(map[string]ProjectDef),
 	}
 
 	for _, reg := range registries {
@@ -67,52 +61,5 @@ func buildSeedConfig(db *store.Store) (SeedConfig, error) {
 		}
 	}
 
-	for _, proj := range projects {
-		stages, err := db.GetStagesByProjectID(proj.ID)
-		if err != nil {
-			return SeedConfig{}, fmt.Errorf("get stages for project %s: %w", proj.Name, err)
-		}
-
-		stageDefs := make(map[string]StageDef)
-		for _, st := range stages {
-			stageDefs[st.Name] = StageDef{
-				TagPattern:   st.TagPattern,
-				AutoDeploy:   st.AutoDeploy,
-				MaxInstances: st.MaxInstances,
-				Confirm:      st.Confirm,
-				PromoteFrom:  st.PromoteFrom,
-				Subdomain:    st.Subdomain,
-			}
-		}
-
-		envMap := parseJSONMap(proj.Env)
-		volMap := parseJSONMap(proj.Volumes)
-
-		cfg.Projects[proj.Name] = ProjectDef{
-			Registry:    proj.Registry,
-			Image:       proj.Image,
-			Port:        proj.Port,
-			Healthcheck: proj.Healthcheck,
-			Env:         envMap,
-			Volumes:     volMap,
-			Stages:      stageDefs,
-		}
-	}
-
 	return cfg, nil
 }
-
-// parseJSONMap safely parses a JSON-encoded map string. Returns nil on failure.
-func parseJSONMap(jsonStr string) map[string]string {
-	if jsonStr == "" || jsonStr == "{}" {
-		return nil
-	}
-	var m map[string]string
-	if err := json.Unmarshal([]byte(jsonStr), &m); err != nil {
-		return nil
-	}
-	if len(m) == 0 {
-		return nil
-	}
-	return m
-}

internal/config/seed.go

@@ -1,7 +1,11 @@
+// Package config loads and exports seed configuration. After the hard
+// cutover the seed shape covers only what survives the workload-first
+// refactor: global settings and registries. Project / stage / volume
+// seeding is gone; the new way to bootstrap a workload is the plugin
+// pipeline (POST /api/workloads).
 package config
 
 import (
-	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
@@ -12,7 +16,7 @@ import (
 )
 
 // ImportSeed loads the seed YAML file and imports its contents into the store.
-// Import is idempotent: it is skipped if any projects or registries already exist.
+// Import is idempotent: it is skipped if any registries already exist.
 // Credential fields (registry tokens, NPM password) are encrypted before storage.
 func ImportSeed(db *store.Store, seedPath string) error {
 	if _, err := os.Stat(seedPath); os.IsNotExist(err) {
@@ -47,16 +51,10 @@ func ImportSeed(db *store.Store, seedPath string) error {
 	return nil
 }
 
-// isPopulated returns true if the store already contains projects or registries.
+// isPopulated returns true if the store already contains any registries.
+// Workloads / apps are intentionally not consulted — they get created
+// through the API, not seeded.
 func isPopulated(db *store.Store) (bool, error) {
-	projects, err := db.GetAllProjects()
-	if err != nil {
-		return false, fmt.Errorf("get projects: %w", err)
-	}
-	if len(projects) > 0 {
-		return true, nil
-	}
-
 	registries, err := db.GetAllRegistries()
 	if err != nil {
 		return false, fmt.Errorf("get registries: %w", err)
@@ -64,8 +62,7 @@ func isPopulated(db *store.Store) (bool, error) {
 	return len(registries) > 0, nil
 }
 
-// importAll runs the full seed import inside a database transaction.
-// Uses raw SQL within the transaction so all inserts are atomic.
+// importAll runs the seed import inside a database transaction.
 func importAll(db *store.Store, cfg SeedConfig, encKey [32]byte) error {
 	tx, err := db.DB().Begin()
 	if err != nil {
@@ -75,7 +72,6 @@ func importAll(db *store.Store, cfg SeedConfig, encKey [32]byte) error {
 
 	timestamp := store.Now()
 
-	// Import registries first — projects reference them by name.
 	for name, regDef := range cfg.Registries {
 		encToken, err := crypto.EncryptIfNotEmpty(encKey, regDef.Token)
 		if err != nil {
@@ -93,50 +89,6 @@ func importAll(db *store.Store, cfg SeedConfig, encKey [32]byte) error {
 		}
 	}
 
-	// Import projects and their stages.
-	for name, projDef := range cfg.Projects {
-		envJSON, err := mapToJSON(projDef.Env)
-		if err != nil {
-			return fmt.Errorf("encode env for project %q: %w", name, err)
-		}
-		volJSON, err := mapToJSON(projDef.Volumes)
-		if err != nil {
-			return fmt.Errorf("encode volumes for project %q: %w", name, err)
-		}
-
-		projectID := uuid.New().String()
-		_, err = tx.Exec(
-			`INSERT INTO projects (id, name, registry, image, port, healthcheck, env, volumes, created_at, updated_at)
-			 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-			projectID, name, projDef.Registry, projDef.Image, projDef.Port,
-			projDef.Healthcheck, envJSON, volJSON, timestamp, timestamp,
-		)
-		if err != nil {
-			return fmt.Errorf("insert project %q: %w", name, err)
-		}
-
-		for stageName, stageDef := range projDef.Stages {
-			maxInstances := stageDef.MaxInstances
-			if maxInstances == 0 {
-				maxInstances = 1
-			}
-
-			stageID := uuid.New().String()
-			_, err = tx.Exec(
-				`INSERT INTO stages (id, project_id, name, tag_pattern, auto_deploy, max_instances, confirm, promote_from, subdomain, created_at, updated_at)
-				 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-				stageID, projectID, stageName, stageDef.TagPattern,
-				store.BoolToInt(stageDef.AutoDeploy), maxInstances,
-				store.BoolToInt(stageDef.Confirm), stageDef.PromoteFrom,
-				stageDef.Subdomain, timestamp, timestamp,
-			)
-			if err != nil {
-				return fmt.Errorf("insert stage %q for project %q: %w", stageName, name, err)
-			}
-		}
-	}
-
-	// Import global settings — encrypt NPM password.
 	encNpmPassword, err := crypto.EncryptIfNotEmpty(encKey, cfg.Global.Npm.Password)
 	if err != nil {
 		return fmt.Errorf("encrypt npm password: %w", err)
@@ -166,15 +118,3 @@ func importAll(db *store.Store, cfg SeedConfig, encKey [32]byte) error {
 
 	return nil
 }
-
-// mapToJSON encodes a string map to JSON. Returns "{}" for nil maps.
-func mapToJSON(m map[string]string) (string, error) {
-	if m == nil {
-		return "{}", nil
-	}
-	b, err := json.Marshal(m)
-	if err != nil {
-		return "", err
-	}
-	return string(b), nil
-}