refactor: extract ProxyProvider interface with None and NPM implementations

Replace direct npm.Client usage throughout the codebase with the
proxy.Provider interface, enabling pluggable proxy backends. The
deployer, API layer, and proxy manager now use provider-agnostic
route management (ConfigureRoute/DeleteRoute) instead of NPM-specific
API calls. Adds ProxyRouteID (string) to Instance model and
ProxyProvider setting to Settings, with SQLite migrations for
backward compatibility.

internal/api/stale.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	"github.com/alexei/docker-watcher/internal/crypto"
 	"github.com/alexei/docker-watcher/internal/events"
 	"github.com/alexei/docker-watcher/internal/stale"
 	"github.com/alexei/docker-watcher/internal/store"
@@ -121,18 +120,10 @@ func (s *Server) cleanupInstance(r *http.Request, inst store.Instance) error {
 		}
 	}
 
-	// Delete NPM proxy host if present.
-	if inst.NpmProxyID > 0 {
-		settings, err := s.store.GetSettings()
-		if err == nil {
-			npmPassword, err := crypto.Decrypt(s.encKey, settings.NpmPassword)
-			if err == nil {
-				if authErr := s.npm.Authenticate(ctx, settings.NpmEmail, npmPassword); authErr == nil {
-					if delErr := s.npm.DeleteProxyHost(ctx, inst.NpmProxyID); delErr != nil {
-						slog.Warn("stale cleanup: delete proxy host", "proxy_id", inst.NpmProxyID, "error", delErr)
-					}
-				}
-			}
+	// Delete proxy route if present.
+	if inst.ProxyRouteID != "" {
+		if err := s.proxyProvider.DeleteRoute(ctx, inst.ProxyRouteID); err != nil {
+			slog.Warn("stale cleanup: delete proxy route", "route_id", inst.ProxyRouteID, "error", err)
 		}
 	}