feat(cutover): hard legacy cutover — drop projects/stacks/sites/deploys

The clean-break delete that closes the workload-first refactor arc.
Net diff: ~30 backend files deleted, ~20 modified, ~12k LOC removed
on the Go side; entire /projects /stacks /sites /deploy frontend
trees gone; ~6.7k LOC removed on the Svelte/TypeScript side.

Backend
- API handlers gone: internal/api/{projects,stages,stage_env,stacks,
  static_sites,deploys,instances,volume_browser}.go
- Store CRUD + tests gone: internal/store/{projects,stages,stage_env,
  stacks,static_sites,static_site_secrets,deploys,poll_state,volumes,
  workload_sync}.go (+ _test.go siblings)
- Legacy deployer pipeline gone: internal/deployer/{bluegreen,promote,
  rollback,subdomain,resolver_test}.go; deployer.go trimmed to just the
  dispatch surface used by the plugin pipeline
- internal/staticsite/{manager,healthcheck}.go and
  internal/stack/manager.go gone (the rest of those packages stay as
  helpers imported by the static + compose plugins)
- internal/registry/poller.go gone (legacy registry poller)
- internal/volume.ResolvePath gone; ResolveWorkloadPath stays
- internal/webhook: handleWebhook (project) + handleSiteWebhook (site)
  gone; only POST /api/webhook/triggers/{secret} remains
- workload-side webhook URL handlers (getWorkloadWebhook +
  regenerateWorkloadWebhook + EnsureWorkloadWebhookSecret +
  SetWorkloadWebhookSecret + GetWorkloadByWebhookSecret) gone — they
  minted URLs that would 404 against the new trigger-only ingress
- cmd/server/main.go: dropped staticsite.Manager, stack.Manager,
  staticsite.HealthChecker, registry poller, SetSiteSyncTriggerer,
  SetStaticSiteManager, SetStackManager, wireStaticBackend
- store/store.go: idempotent DROP TABLE IF EXISTS for every legacy
  table (projects, stages, stage_env, volumes, deploys, deploy_logs,
  poll_states, stacks, stack_revisions, stack_deploys, static_sites,
  static_site_secrets); FK order children-then-parents
- store/models.go: dropped Project, Stage, Deploy, DeployLog, StageEnv,
  Volume, StaticSite, StaticSiteSecret, Stack, StackRevision,
  StackDeploy types; kept WorkloadKind constants as documented strings
- internal/store/helpers.go (new): BoolToInt, rowScanner,
  GenerateWebhookSecret extracted from deleted CRUD files
- internal/api/secrets.go (new): forwards to store.GenerateWebhookSecret
  so api + store paths share one secret-generation impl (no
  panic-vs-UUID-fallback divergence)
- internal/reconciler/reconciler.go: dropped legacy stack-by-compose
  + static-site label paths; only canonical tinyforge.workload.id
  dispatch remains
- providers (gitea_content/github_provider/gitlab_provider) gained
  path-traversal rejection on every tree entry
- internal/webhook ParsedImage / ParseImageRef demoted to package-
  private (no external callers)

Frontend
- /projects /stacks /sites /deploy routes deleted (entire trees)
- ProjectCard / InstanceCard / StaleContainerCard components deleted
- api.ts: dropped every project/stage/stack/site/deploy/instance
  helper + types (Project, Stage, Stack, StaticSite, Deploy,
  Instance, Volume, etc.); kept Workload, Container, App, Settings,
  Registry, EventTrigger, LogScanRule, webhook envelopes
- WorkloadWebhook type + getWorkloadWebhook/regenerateWorkloadWebhook
  api functions gone (mirror of the backend deletion above)
- web/src/routes/+layout.svelte: dropped /projects /sites /stacks
  /deploy nav entries, trimmed quick-nav keymap
- web/src/routes/+page.svelte: dashboard rewrite — reads
  listWorkloads + listContainers only; 4-card stat grid
  (workloads/running/failed/stale) + recent workloads strip
- navCounts.ts, SystemHealthCard.svelte, ContainerLogs.svelte,
  ContainerStats.svelte, StatusBadge.svelte, TagCombobox.svelte,
  proxies/+page.svelte, containers/+page.svelte all rewired to the
  workload-first surface
- AbortController plumbing on dashboard, nav-counts, stale page,
  SystemHealthCard so navigation doesn't leave dangling fetches
- i18n: dropped projects.*, projectDetail.*, envEditor.*,
  volumeEditor.*, volumeBrowser.*, quickDeploy.*, sites.*, stacks.*,
  instance.*, confirm.* namespaces; en/ru parity preserved (1042
  keys each)

Hardening from go-reviewer + security-reviewer + typescript-reviewer
subagent passes (0 CRITICAL across all three; 1 HIGH + ~12 MEDIUM
addressed inline before commit):

- Sec H1: dead-end workload webhook URL handlers (would mint URLs
  that 404 the new trigger-only ingress) deleted across backend +
  frontend
- Go M1: IsTerminalDeployStatus dropped (no production callers)
- Go M2: ParsedImage/ParseImageRef lowercased (in-package only)
- Go M6: generateWebhookSecret unified — api shim forwards to
  store.GenerateWebhookSecret
- Doc/comment freshness: stage_id (no longer FK), ProxyRoute legacy
  field names, workloadIDRow rationale, webhook_deliveries.target_type
  enum, WebhookDeliveryLog component header

Doc
- WORKLOAD_REFACTOR_TODO: cutover marked DONE; all three Priority 1
  items are now shipped. Next focus is Priority 3 polish (apps.* i18n
  + codemap entries) and Priority 4 tests.

Behavioral notes for operators upgrading from a pre-cutover build
- Existing rows in the dropped tables disappear on first boot.
- Legacy webhook URLs at /api/webhook/{secret} and
  /api/webhook/sites/{secret} return 404; CI configs must repoint to
  /api/webhook/triggers/{secret} (the trigger-split boot backfill
  lifted any embedded workload secret onto a Trigger row, so the
  secret value itself carries over).
- Frontend routes /projects /stacks /sites /deploy are gone; nav
  links replaced with /apps and /triggers.

web/src/routes/apps/[id]/+page.svelte

@@ -328,11 +328,9 @@
 	let newEnvValue = $state('');
 	let newEnvEncrypted = $state(true);
 
-	// ── Webhook ────────────────────────────────────────────────
-	let webhook = $state<api.WorkloadWebhook | null>(null);
-	let webhookLoading = $state(false);
-	let webhookError = $state('');
-	let regenerating = $state(false);
+	// Workload-side webhook UI was removed in the hard legacy cutover —
+	// inbound webhooks are now first-class Triggers. Use the bindings
+	// panel + the /triggers detail page to manage the webhook URL.
 
 	// ── Logs viewer ────────────────────────────────────────────
 	let logContainerRowID = $state<string | null>(null);
@@ -501,18 +499,6 @@
 		}
 	}
 
-	async function loadWebhook() {
-		webhookLoading = true;
-		webhookError = '';
-		try {
-			webhook = await api.getWorkloadWebhook(id);
-		} catch (e) {
-			webhookError = e instanceof Error ? e.message : 'Failed to load webhook';
-		} finally {
-			webhookLoading = false;
-		}
-	}
-
 	async function addEnv() {
 		envError = '';
 		const key = newEnvKey.trim();
@@ -547,18 +533,6 @@
 		}
 	}
 
-	async function regenerateWebhook() {
-		regenerating = true;
-		webhookError = '';
-		try {
-			webhook = await api.regenerateWorkloadWebhook(id);
-		} catch (e) {
-			webhookError = e instanceof Error ? e.message : 'Failed to rotate secret';
-		} finally {
-			regenerating = false;
-		}
-	}
-
 	async function deploy() {
 		deploying = true;
 		lastDeployMsg = '';
@@ -2231,57 +2205,9 @@
 				</p>
 			</section>
 
-			<!-- ── Webhook ──────────────────────────────────── -->
-			<section class="panel">
-				<header class="panel-head split">
-					<h2 class="panel-title">Webhook<span class="title-accent">.</span></h2>
-					{#if !webhook}
-						<button class="forge-btn-ghost" onclick={loadWebhook} disabled={webhookLoading}>
-							{webhookLoading ? 'Loading…' : 'Reveal URL'}
-						</button>
-					{/if}
-				</header>
-				{#if webhookError}
-					<div class="alert inline-alert"><span class="alert-tag">ERR</span><span>{webhookError}</span></div>
-				{/if}
-				{#if webhook}
-					<p class="hint">
-						Point your registry or CI here. The URL itself is the credential — treat it as a
-						secret. Rotate any time without disrupting deploys (the next call uses the new URL).
-					</p>
-					<div class="webhook-row">
-						<code class="webhook-url">{webhook.webhook_url}</code>
-						<button
-							class="forge-btn-ghost"
-							onclick={() => copyToClipboard('webhook', webhook!.webhook_url)}
-							aria-label="Copy webhook URL"
-						>
-							{#if copied.webhook}
-								<IconCheck size={13} /><span>Copied</span>
-							{:else}
-								<IconCopy size={13} /><span>Copy</span>
-							{/if}
-						</button>
-					</div>
-					<div class="webhook-meta">
-						<span class="meta-chip" class:active={webhook.has_signing_secret}>
-							{webhook.has_signing_secret ? 'HMAC SIGNED' : 'UNSIGNED'}
-						</span>
-						<span class="meta-chip" class:active={webhook.webhook_require_signature}>
-							{webhook.webhook_require_signature ? 'SIGNATURE REQUIRED' : 'SIGNATURE OPTIONAL'}
-						</span>
-					</div>
-					<div class="webhook-actions">
-						<button
-							class="forge-btn-ghost danger"
-							onclick={regenerateWebhook}
-							disabled={regenerating}
-						>
-							{regenerating ? 'Rotating…' : 'Rotate secret'}
-						</button>
-					</div>
-				{/if}
-			</section>
+			<!-- Webhook URL panel removed — inbound webhooks live on
+			     the bound Triggers panel above. The trigger detail page
+			     (/triggers/{id}) carries the URL + rotate action. -->
 		{/if}
 
 		<!-- ── Config viewers ───────────────────────────── -->