fix(docker-watcher): phase 8 security fixes

Remove webhook secret from logs and API response.
Add auth-pending note to router. Fix decrypt fallback that
would use ciphertext as auth token on decrypt failure.

web/src/lib/api.ts

@@ -0,0 +1,211 @@
+import type {
+	ApiEnvelope,
+	Deploy,
+	DeployLog,
+	InspectResult,
+	Instance,
+	Project,
+	ProjectDetail,
+	Registry,
+	Settings
+} from './types';
+
+// ── Helpers ─────────────────────────────────────────────────────────
+
+class ApiError extends Error {
+	constructor(
+		message: string,
+		public readonly status: number
+	) {
+		super(message);
+		this.name = 'ApiError';
+	}
+}
+
+async function request<T>(path: string, init?: RequestInit): Promise<T> {
+	const res = await fetch(path, {
+		...init,
+		headers: {
+			'Content-Type': 'application/json',
+			...init?.headers
+		}
+	});
+
+	const envelope: ApiEnvelope<T> = await res.json();
+
+	if (!envelope.success) {
+		throw new ApiError(envelope.error ?? 'Unknown API error', res.status);
+	}
+
+	return envelope.data as T;
+}
+
+function get<T>(path: string): Promise<T> {
+	return request<T>(path);
+}
+
+function post<T>(path: string, body?: unknown): Promise<T> {
+	return request<T>(path, {
+		method: 'POST',
+		body: body !== undefined ? JSON.stringify(body) : undefined
+	});
+}
+
+function put<T>(path: string, body: unknown): Promise<T> {
+	return request<T>(path, {
+		method: 'PUT',
+		body: JSON.stringify(body)
+	});
+}
+
+function del<T>(path: string): Promise<T> {
+	return request<T>(path, { method: 'DELETE' });
+}
+
+// ── Projects ────────────────────────────────────────────────────────
+
+export function listProjects(): Promise<Project[]> {
+	return get<Project[]>('/api/projects');
+}
+
+export function getProject(id: string): Promise<ProjectDetail> {
+	return get<ProjectDetail>(`/api/projects/${id}`);
+}
+
+export function createProject(data: Partial<Project>): Promise<Project> {
+	return post<Project>('/api/projects', data);
+}
+
+export function updateProject(id: string, data: Partial<Project>): Promise<Project> {
+	return put<Project>(`/api/projects/${id}`, data);
+}
+
+export function deleteProject(id: string): Promise<{ deleted: string }> {
+	return del<{ deleted: string }>(`/api/projects/${id}`);
+}
+
+// ── Instances ───────────────────────────────────────────────────────
+
+export function listInstances(projectId: string, stageId: string): Promise<Instance[]> {
+	return get<Instance[]>(`/api/projects/${projectId}/stages/${stageId}/instances`);
+}
+
+export function deployInstance(
+	projectId: string,
+	stageId: string,
+	imageTag: string
+): Promise<{ status: string }> {
+	return post<{ status: string }>(`/api/projects/${projectId}/stages/${stageId}/instances`, {
+		image_tag: imageTag
+	});
+}
+
+export function removeInstance(
+	projectId: string,
+	stageId: string,
+	instanceId: string
+): Promise<{ deleted: string }> {
+	return del<{ deleted: string }>(
+		`/api/projects/${projectId}/stages/${stageId}/instances/${instanceId}`
+	);
+}
+
+export function stopInstance(
+	projectId: string,
+	stageId: string,
+	instanceId: string
+): Promise<{ status: string }> {
+	return post<{ status: string }>(
+		`/api/projects/${projectId}/stages/${stageId}/instances/${instanceId}/stop`
+	);
+}
+
+export function startInstance(
+	projectId: string,
+	stageId: string,
+	instanceId: string
+): Promise<{ status: string }> {
+	return post<{ status: string }>(
+		`/api/projects/${projectId}/stages/${stageId}/instances/${instanceId}/start`
+	);
+}
+
+export function restartInstance(
+	projectId: string,
+	stageId: string,
+	instanceId: string
+): Promise<{ status: string }> {
+	return post<{ status: string }>(
+		`/api/projects/${projectId}/stages/${stageId}/instances/${instanceId}/restart`
+	);
+}
+
+// ── Deploys ─────────────────────────────────────────────────────────
+
+export function listDeploys(limit = 50): Promise<Deploy[]> {
+	return get<Deploy[]>(`/api/deploys?limit=${limit}`);
+}
+
+export function getDeployLogs(deployId: string): Promise<DeployLog[]> {
+	return get<DeployLog[]>(`/api/deploys/${deployId}/logs`);
+}
+
+export function inspectImage(image: string): Promise<InspectResult> {
+	return post<InspectResult>('/api/deploy/inspect', { image });
+}
+
+export function quickDeploy(data: {
+	name?: string;
+	image: string;
+	tag?: string;
+	registry?: string;
+	port?: number;
+}): Promise<{ project: Project; status: string }> {
+	return post<{ project: Project; status: string }>('/api/deploy/quick', data);
+}
+
+// ── Registries ──────────────────────────────────────────────────────
+
+export function listRegistries(): Promise<Registry[]> {
+	return get<Registry[]>('/api/registries');
+}
+
+export function createRegistry(data: Partial<Registry>): Promise<Registry> {
+	return post<Registry>('/api/registries', data);
+}
+
+export function updateRegistry(id: string, data: Partial<Registry>): Promise<Registry> {
+	return put<Registry>(`/api/registries/${id}`, data);
+}
+
+export function deleteRegistry(id: string): Promise<{ deleted: string }> {
+	return del<{ deleted: string }>(`/api/registries/${id}`);
+}
+
+export function testRegistry(id: string): Promise<{ status: string }> {
+	return post<{ status: string }>(`/api/registries/${id}/test`);
+}
+
+export function listRegistryTags(registryId: string, image: string): Promise<string[]> {
+	return get<string[]>(`/api/registries/${registryId}/tags/${encodeURIComponent(image)}`);
+}
+
+// ── Settings ────────────────────────────────────────────────────────
+
+export function getSettings(): Promise<Settings> {
+	return get<Settings>('/api/settings');
+}
+
+export function updateSettings(data: Partial<Settings>): Promise<Settings> {
+	return put<Settings>('/api/settings', data);
+}
+
+export function getWebhookUrl(): Promise<{ url: string }> {
+	return get<{ url: string }>('/api/settings/webhook-url');
+}
+
+export function regenerateWebhookUrl(): Promise<{ url: string }> {
+	return post<{ url: string }>('/api/settings/webhook-url/regenerate');
+}
+
+export { ApiError };