refactor(workload): plugin architecture wave + apps UI + volume scopes

Completes the workload-first refactor's plugin layer:

- internal/workload/plugin/ — Source/Trigger plugin contract,
  registry, types (Workload, DeploymentIntent, InboundEvent,
  PublicFace). Self-registering init() pattern + blank-import
  in cmd/server/main.go.
- Source plugins: image (blue-green with multi-face proxy routing),
  compose, static. Trigger plugins: registry, git, manual.
- internal/deployer/dispatch.go — DispatchPlugin/Teardown/Reconcile
  seam routing the legacy deployer through plugins.
- internal/api/workload_*.go — REST surface: workloads, env,
  volumes, chain (parent/children), promote-from. hooks.go
  serves /api/hooks/kinds/{kind}/schema for the wizard.
- internal/store: workload_env (encrypt-at-rest secrets) and
  workload_volumes tables, keyed on workload_id.
- cmd/server/static_backend.go — phantom-row adapter delegating
  the static source plugin to the legacy staticsite.Manager
  (deleted at hard cutover once the static inline port lands).
- web/src/routes/apps/ — /apps list + /apps/new wizard +
  /apps/[id] detail with kind-aware compose / image / static
  forms (Advanced JSON toggle), env panel, volumes panel,
  webhook panel, chain panel, manual deploy.

Volume scope generalization (v2 resolver):

- internal/volume.ResolveWorkloadPath (workload-keyed, sits
  next to legacy ResolvePath). Honors all VolumeScope values:
  absolute, ephemeral, instance, stage, project, project_named,
  named. internal/workload/plugin/source/image/image.go
  computeMounts wires settings + imageTag through. Coverage in
  internal/volume/resolver_test.go (portable Linux/Windows via
  t.TempDir).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/store/static_sites.go

@@ -18,6 +18,54 @@ const staticSiteCols = `id, name, provider, gitea_url, repo_owner, repo_name, br
 	notification_url, notification_secret,
 	created_at, updated_at`
 
+// UpsertStaticSiteWithID inserts or replaces a static site, keeping the
+// caller-supplied ID. Used by the plugin static-source Backend adapter
+// to keep a phantom row keyed on the workload ID so staticsite.Manager
+// (which reads from this table) can serve plugin-native workloads
+// without being refactored. Skips workload-row sync since the caller
+// already owns the workload row.
+func (s *Store) UpsertStaticSiteWithID(site StaticSite) error {
+	if site.ID == "" {
+		return fmt.Errorf("UpsertStaticSiteWithID: id is required")
+	}
+	if site.WebhookSecret == "" {
+		site.WebhookSecret = generateWebhookSecret()
+	}
+	if site.SyncTrigger == "" {
+		site.SyncTrigger = "manual"
+	}
+	if site.Mode == "" {
+		site.Mode = "static"
+	}
+	if site.Branch == "" {
+		site.Branch = "main"
+	}
+	if site.Status == "" {
+		site.Status = "idle"
+	}
+	now := Now()
+	site.UpdatedAt = now
+	if site.CreatedAt == "" {
+		site.CreatedAt = now
+	}
+	_, err := s.db.Exec(
+		`INSERT OR REPLACE INTO static_sites (`+staticSiteCols+`)
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		site.ID, site.Name, site.Provider, site.GiteaURL, site.RepoOwner, site.RepoName,
+		site.Branch, site.FolderPath, site.AccessToken, site.Domain, site.Mode,
+		BoolToInt(site.RenderMarkdown), site.SyncTrigger, site.TagPattern,
+		site.ContainerID, site.ProxyRouteID, site.Status, site.LastSyncAt,
+		site.LastCommitSHA, site.Error, BoolToInt(site.StorageEnabled), site.StorageLimitMB,
+		site.WebhookSecret, site.WebhookSigningSecret, BoolToInt(site.WebhookRequireSignature),
+		site.NotificationURL, site.NotificationSecret,
+		site.CreatedAt, site.UpdatedAt,
+	)
+	if err != nil {
+		return fmt.Errorf("upsert static site: %w", err)
+	}
+	return nil
+}
+
 // CreateStaticSite inserts a new static site and returns it. A webhook secret
 // is generated automatically if one is not already set on the input. Site row
 // + matching workload row are written in a single transaction.