feat(gitops): config-as-code via .tinyforge.yml for repo-backed workloads

A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.

Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.

Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
  source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
  deep merge + validate-the-merged-result-then-commit — never a partial
  config), declared-only Drift with normalization, and Fetch with
  ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
  reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
  so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
  PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
  per-workload locked read->merge->validate->write, audited to event_log).

Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
  .tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
  statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).

Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.

internal/store/gitops.go

@@ -0,0 +1,48 @@
+package store
+
+import "fmt"
+
+// SetWorkloadGitOps toggles GitOps and sets the config path for a workload.
+// Targeted column update (not UpdateWorkload) so it never clobbers the
+// source_config / faces / webhook fields — and conversely, the edit-form save
+// (UpdateWorkload) never touches these columns.
+func (s *Store) SetWorkloadGitOps(id string, enabled bool, path string) error {
+	if path == "" {
+		path = ".tinyforge.yml"
+	}
+	result, err := s.db.Exec(
+		`UPDATE workloads SET gitops_enabled=?, gitops_path=?, updated_at=? WHERE id=?`,
+		BoolToInt(enabled), path, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set workload gitops: %w", err)
+	}
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("rows affected: %w", err)
+	}
+	if n == 0 {
+		return fmt.Errorf("workload %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
+// RecordGitOpsSync stamps the commit SHA + timestamp of the last successful
+// sync, so the UI can show "last synced <when> at <sha>".
+func (s *Store) RecordGitOpsSync(id, commitSHA, syncedAt string) error {
+	result, err := s.db.Exec(
+		`UPDATE workloads SET gitops_last_sync_at=?, gitops_commit_sha=?, updated_at=? WHERE id=?`,
+		syncedAt, commitSHA, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("record gitops sync: %w", err)
+	}
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("rows affected: %w", err)
+	}
+	if n == 0 {
+		return fmt.Errorf("workload %s: %w", id, ErrNotFound)
+	}
+	return nil
+}

internal/store/gitops_test.go

@@ -0,0 +1,63 @@
+package store
+
+import "testing"
+
+func TestSetWorkloadGitOps_RoundTrip(t *testing.T) {
+	s := newTestStore(t)
+	w, err := s.CreateWorkload(Workload{Kind: "plugin", Name: "app", SourceKind: "dockerfile"})
+	if err != nil {
+		t.Fatalf("CreateWorkload: %v", err)
+	}
+
+	// Fresh row defaults: GitOps off, default path applied by CreateWorkload.
+	if w.GitOpsEnabled {
+		t.Fatalf("new workload should default to gitops disabled")
+	}
+	if w.GitOpsPath != ".tinyforge.yml" {
+		t.Fatalf("default path = %q, want .tinyforge.yml", w.GitOpsPath)
+	}
+
+	// Enable with a custom path.
+	if err := s.SetWorkloadGitOps(w.ID, true, "deploy/.tinyforge.yml"); err != nil {
+		t.Fatalf("SetWorkloadGitOps: %v", err)
+	}
+	got, err := s.GetWorkloadByID(w.ID)
+	if err != nil {
+		t.Fatalf("GetWorkloadByID: %v", err)
+	}
+	if !got.GitOpsEnabled || got.GitOpsPath != "deploy/.tinyforge.yml" {
+		t.Fatalf("after enable: enabled=%v path=%q", got.GitOpsEnabled, got.GitOpsPath)
+	}
+
+	// Empty path falls back to the default.
+	if err := s.SetWorkloadGitOps(w.ID, false, ""); err != nil {
+		t.Fatalf("SetWorkloadGitOps disable: %v", err)
+	}
+	got, _ = s.GetWorkloadByID(w.ID)
+	if got.GitOpsEnabled || got.GitOpsPath != ".tinyforge.yml" {
+		t.Fatalf("after disable: enabled=%v path=%q", got.GitOpsEnabled, got.GitOpsPath)
+	}
+}
+
+func TestRecordGitOpsSync(t *testing.T) {
+	s := newTestStore(t)
+	w, _ := s.CreateWorkload(Workload{Kind: "plugin", Name: "app", SourceKind: "static"})
+
+	if err := s.RecordGitOpsSync(w.ID, "abc123", "2026-06-21 10:00:00"); err != nil {
+		t.Fatalf("RecordGitOpsSync: %v", err)
+	}
+	got, _ := s.GetWorkloadByID(w.ID)
+	if got.GitOpsCommitSHA != "abc123" || got.GitOpsLastSyncAt != "2026-06-21 10:00:00" {
+		t.Fatalf("sync not recorded: sha=%q at=%q", got.GitOpsCommitSHA, got.GitOpsLastSyncAt)
+	}
+}
+
+func TestGitOpsSetters_NotFound(t *testing.T) {
+	s := newTestStore(t)
+	if err := s.SetWorkloadGitOps("nope", true, ""); err == nil {
+		t.Fatalf("expected ErrNotFound for missing workload")
+	}
+	if err := s.RecordGitOpsSync("nope", "x", "y"); err == nil {
+		t.Fatalf("expected ErrNotFound for missing workload")
+	}
+}

internal/store/models.go

@@ -394,8 +394,14 @@ type Workload struct {
 	WebhookSecret           string `json:"-"` // URL-identifier secret; never serialized
 	WebhookSigningSecret    string `json:"-"` // HMAC key; never serialized
 	WebhookRequireSignature bool   `json:"webhook_require_signature"`
-	CreatedAt               string `json:"created_at"`
-	UpdatedAt               string `json:"updated_at"`
+	// GitOps config-as-code (dockerfile/static only). Opt-in: when enabled,
+	// the workload reads its deploy config from GitOpsPath in its own repo.
+	GitOpsEnabled    bool   `json:"gitops_enabled"`
+	GitOpsPath       string `json:"gitops_path"`         // repo-relative; default ".tinyforge.yml"
+	GitOpsLastSyncAt string `json:"gitops_last_sync_at"` // "" = never synced
+	GitOpsCommitSHA  string `json:"gitops_commit_sha"`   // sha applied at last sync
+	CreatedAt        string `json:"created_at"`
+	UpdatedAt        string `json:"updated_at"`
 }
 
 // WorkloadNotification is one configured outbound notification route for

internal/store/store.go

@@ -173,6 +173,14 @@ func (s *Store) runMigrations() error {
 		`ALTER TABLE workloads ADD COLUMN trigger_config TEXT NOT NULL DEFAULT '{}'`,
 		`ALTER TABLE workloads ADD COLUMN public_faces TEXT NOT NULL DEFAULT '[]'`,
 		`ALTER TABLE workloads ADD COLUMN parent_workload_id TEXT NOT NULL DEFAULT ''`,
+		// GitOps config-as-code: a dockerfile/static workload may read its
+		// deploy config from a .tinyforge.yml in its own repo. Opt-in per
+		// workload; all four land additively so existing rows default to
+		// "GitOps off" and stay byte-identical.
+		`ALTER TABLE workloads ADD COLUMN gitops_enabled INTEGER NOT NULL DEFAULT 0`,
+		`ALTER TABLE workloads ADD COLUMN gitops_path TEXT NOT NULL DEFAULT '.tinyforge.yml'`,
+		`ALTER TABLE workloads ADD COLUMN gitops_last_sync_at TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE workloads ADD COLUMN gitops_commit_sha TEXT NOT NULL DEFAULT ''`,
 		// Schedule trigger needs a column to remember when it last fired so
 		// the scheduler can compute next-fire windows across restarts.
 		// Empty string = never fired. Pre-trigger-split DBs land the column

internal/store/workloads.go

@@ -13,6 +13,7 @@ const workloadColumns = `id, kind, ref_id, name, app_id,
 	public_faces, parent_workload_id,
 	notification_url, notification_secret,
 	webhook_secret, webhook_signing_secret, webhook_require_signature,
+	gitops_enabled, gitops_path, gitops_last_sync_at, gitops_commit_sha,
 	created_at, updated_at`
 
 func scanWorkload(scanner interface{ Scan(...any) error }) (Workload, error) {
@@ -23,6 +24,7 @@ func scanWorkload(scanner interface{ Scan(...any) error }) (Workload, error) {
 		&w.PublicFaces, &w.ParentWorkloadID,
 		&w.NotificationURL, &w.NotificationSecret,
 		&w.WebhookSecret, &w.WebhookSigningSecret, &w.WebhookRequireSignature,
+		&w.GitOpsEnabled, &w.GitOpsPath, &w.GitOpsLastSyncAt, &w.GitOpsCommitSHA,
 		&w.CreatedAt, &w.UpdatedAt,
 	)
 	return w, err
@@ -53,14 +55,18 @@ func (s *Store) CreateWorkload(w Workload) (Workload, error) {
 	if w.PublicFaces == "" {
 		w.PublicFaces = "[]"
 	}
+	if w.GitOpsPath == "" {
+		w.GitOpsPath = ".tinyforge.yml"
+	}
 	_, err := s.db.Exec(
 		`INSERT INTO workloads (`+workloadColumns+`)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		w.ID, w.Kind, w.RefID, w.Name, w.AppID,
 		w.SourceKind, w.SourceConfig, w.TriggerKind, w.TriggerConfig,
 		w.PublicFaces, w.ParentWorkloadID,
 		w.NotificationURL, w.NotificationSecret,
 		w.WebhookSecret, w.WebhookSigningSecret, BoolToInt(w.WebhookRequireSignature),
+		BoolToInt(w.GitOpsEnabled), w.GitOpsPath, w.GitOpsLastSyncAt, w.GitOpsCommitSHA,
 		w.CreatedAt, w.UpdatedAt,
 	)
 	if err != nil {