fix(docker-watcher): phase 8 security fixes

Remove webhook secret from logs and API response.
Add auth-pending note to router. Fix decrypt fallback that
would use ciphertext as auth token on decrypt failure.

internal/api/registries.go

@@ -195,10 +195,10 @@ func (s *Server) testRegistry(w http.ResponseWriter, r *http.Request) {
 	if token != "" {
 		decrypted, err := crypto.Decrypt(s.encKey, token)
 		if err != nil {
-			token = reg.Token // Fall back to raw token.
-		} else {
-			token = decrypted
+			respondError(w, http.StatusInternalServerError, "failed to decrypt registry token")
+			return
 		}
+		token = decrypted
 	}
 
 	client, err := registry.NewClient(reg.Type, reg.URL, token)
@@ -239,10 +239,10 @@ func (s *Server) listRegistryTags(w http.ResponseWriter, r *http.Request) {
 	if token != "" {
 		decrypted, err := crypto.Decrypt(s.encKey, token)
 		if err != nil {
-			token = reg.Token
-		} else {
-			token = decrypted
+			respondError(w, http.StatusInternalServerError, "failed to decrypt registry token")
+			return
 		}
+		token = decrypted
 	}
 
 	client, err := registry.NewClient(reg.Type, reg.URL, token)

internal/api/router.go

@@ -35,6 +35,8 @@ func NewServer(
 }
 
 // Router returns a chi router with all API routes mounted.
+// NOTE: Authentication middleware is added in Phase 12 (Hardening).
+// Until then, this API should only be exposed on trusted networks.
 func (s *Server) Router() chi.Router {
 	r := chi.NewRouter()
 

internal/api/settings.go

@@ -111,8 +111,7 @@ func (s *Server) getWebhookURL(w http.ResponseWriter, r *http.Request) {
 	}
 
 	respondJSON(w, http.StatusOK, map[string]string{
-		"webhook_url":    webhookURL,
-		"webhook_secret": settings.WebhookSecret,
+		"webhook_url": webhookURL,
 	})
 }