refactor(workload): plugin architecture wave + apps UI + volume scopes

Completes the workload-first refactor's plugin layer:

- internal/workload/plugin/ — Source/Trigger plugin contract,
  registry, types (Workload, DeploymentIntent, InboundEvent,
  PublicFace). Self-registering init() pattern + blank-import
  in cmd/server/main.go.
- Source plugins: image (blue-green with multi-face proxy routing),
  compose, static. Trigger plugins: registry, git, manual.
- internal/deployer/dispatch.go — DispatchPlugin/Teardown/Reconcile
  seam routing the legacy deployer through plugins.
- internal/api/workload_*.go — REST surface: workloads, env,
  volumes, chain (parent/children), promote-from. hooks.go
  serves /api/hooks/kinds/{kind}/schema for the wizard.
- internal/store: workload_env (encrypt-at-rest secrets) and
  workload_volumes tables, keyed on workload_id.
- cmd/server/static_backend.go — phantom-row adapter delegating
  the static source plugin to the legacy staticsite.Manager
  (deleted at hard cutover once the static inline port lands).
- web/src/routes/apps/ — /apps list + /apps/new wizard +
  /apps/[id] detail with kind-aware compose / image / static
  forms (Advanced JSON toggle), env panel, volumes panel,
  webhook panel, chain panel, manual deploy.

Volume scope generalization (v2 resolver):

- internal/volume.ResolveWorkloadPath (workload-keyed, sits
  next to legacy ResolvePath). Honors all VolumeScope values:
  absolute, ephemeral, instance, stage, project, project_named,
  named. internal/workload/plugin/source/image/image.go
  computeMounts wires settings + imageTag through. Coverage in
  internal/volume/resolver_test.go (portable Linux/Windows via
  t.TempDir).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/volume/resolver.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/alexei/tinyforge/internal/store"
@@ -106,3 +107,122 @@ func parseAllowedPaths(jsonStr string) ([]string, error) {
 func ParseAllowedPaths(jsonStr string) ([]string, error) {
 	return parseAllowedPaths(jsonStr)
 }
+
+// ResolveWorkloadParams holds the parameters needed to resolve a
+// workload-volume's host path. Unlike ResolveParams it is keyed on the
+// workload identity (name + id) rather than the legacy project/stage
+// dual-key, so it survives the Workload-first cutover.
+type ResolveWorkloadParams struct {
+	BasePath           string
+	WorkloadID         string
+	WorkloadName       string
+	ImageTag           string // required for "instance" scope only
+	AllowedVolumePaths string // JSON array of allowed absolute paths
+}
+
+// ResolveWorkloadPath returns the absolute host path for a WorkloadVolume.
+// Scope semantics map onto the workload-first model:
+//
+//   - absolute   — host bind, must lie under settings.AllowedVolumePaths.
+//   - ephemeral  — caller renders this as tmpfs; the function returns an
+//     error because there is no host path.
+//   - instance   — per-tag isolation under <workload>/instance-<tag>/<source>.
+//     Useful for blue-green when each running instance needs its own dir.
+//   - stage, project — both legacy names collapse to "shared across all
+//     instances of this workload" under <workload>/<source>. Two names
+//     for one shape is intentional: it lets legacy data migrate without
+//     a path rewrite.
+//   - project_named — workload-scoped named volume under
+//     <workload>/_named/<name>/<source>.
+//   - named         — globally-scoped named volume under
+//     _named/<name>/<source>.
+//
+// The <workload> directory segment is `<sanitized-name>-<short-id>`. The
+// short-id suffix prevents collisions when two workloads share a name
+// (the workloads table only enforces uniqueness on (kind, ref_id)).
+func ResolveWorkloadPath(vol store.WorkloadVolume, params ResolveWorkloadParams) (string, error) {
+	scope := vol.Scope
+	if scope == "" {
+		return "", fmt.Errorf("workload volume: scope is required")
+	}
+	if scope == string(store.VolumeScopeEphemeral) {
+		return "", fmt.Errorf("ephemeral volumes have no host path")
+	}
+	if scope == string(store.VolumeScopeAbsolute) {
+		return resolveAbsolute(vol.Source, params.AllowedVolumePaths)
+	}
+	if params.BasePath == "" {
+		return "", fmt.Errorf("workload volume: base path is required for scope %q", scope)
+	}
+
+	workloadDir, err := workloadPathSegment(params.WorkloadName, params.WorkloadID)
+	if err != nil {
+		return "", err
+	}
+
+	switch scope {
+	case string(store.VolumeScopeInstance):
+		if params.ImageTag == "" {
+			return "", fmt.Errorf("instance scope requires image tag")
+		}
+		tag := sanitizePathSegment(params.ImageTag)
+		if tag == "" {
+			return "", fmt.Errorf("instance scope requires non-empty image tag")
+		}
+		return filepath.Join(params.BasePath, workloadDir, "instance-"+tag, vol.Source), nil
+	case string(store.VolumeScopeStage), string(store.VolumeScopeProject):
+		return filepath.Join(params.BasePath, workloadDir, vol.Source), nil
+	case string(store.VolumeScopeProjectNamed):
+		name := sanitizePathSegment(vol.Name)
+		if name == "" {
+			return "", fmt.Errorf("project_named scope requires name")
+		}
+		return filepath.Join(params.BasePath, workloadDir, "_named", name, vol.Source), nil
+	case string(store.VolumeScopeNamed):
+		name := sanitizePathSegment(vol.Name)
+		if name == "" {
+			return "", fmt.Errorf("named scope requires name")
+		}
+		return filepath.Join(params.BasePath, "_named", name, vol.Source), nil
+	default:
+		return "", fmt.Errorf("unknown volume scope %q", scope)
+	}
+}
+
+// pathSegmentSanitizer collapses anything outside the [a-zA-Z0-9_.-] set
+// to a single dash. The character set matches Docker's permissive segment
+// rules; the additional Trim afterward keeps the segment from starting
+// or ending with a separator.
+var pathSegmentSanitizer = regexp.MustCompile(`[^a-zA-Z0-9_.-]+`)
+
+func sanitizePathSegment(s string) string {
+	s = strings.TrimSpace(s)
+	if s == "" {
+		return ""
+	}
+	return strings.Trim(pathSegmentSanitizer.ReplaceAllString(s, "-"), "-")
+}
+
+// workloadPathSegment builds the per-workload directory name. The
+// 8-char id-short suffix disambiguates same-named workloads — only
+// (kind, ref_id) is unique at the DB level, so names alone are unsafe.
+// Returns an error when both identity fields are empty, since the
+// resulting path would not be workload-scoped.
+func workloadPathSegment(name, id string) (string, error) {
+	cleanName := sanitizePathSegment(name)
+	idShort := id
+	if len(idShort) > 8 {
+		idShort = idShort[:8]
+	}
+	idShort = sanitizePathSegment(idShort)
+	if cleanName == "" && idShort == "" {
+		return "", fmt.Errorf("workload volume: workload id or name required")
+	}
+	if cleanName == "" {
+		return idShort, nil
+	}
+	if idShort == "" {
+		return cleanName, nil
+	}
+	return cleanName + "-" + idShort, nil
+}

internal/volume/resolver_test.go

@@ -0,0 +1,229 @@
+package volume
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/store"
+)
+
+func TestResolveWorkloadPath(t *testing.T) {
+	// Use real-OS absolute paths so the suite is portable Linux/Windows.
+	allowedDir := t.TempDir()
+	allowedJSON := `["` + filepath.ToSlash(allowedDir) + `"]`
+	bindSource := filepath.Join(allowedDir, "db")
+	outsideSource := filepath.Join(t.TempDir(), "passwd")
+
+	const base = "/var/forge/volumes"
+
+	type tc struct {
+		name    string
+		vol     store.WorkloadVolume
+		params  ResolveWorkloadParams
+		want    string
+		wantErr string // substring match; empty = no error
+	}
+
+	cases := []tc{
+		{
+			name: "absolute allowed",
+			vol:  store.WorkloadVolume{Source: bindSource, Scope: "absolute"},
+			params: ResolveWorkloadParams{
+				BasePath:           base,
+				WorkloadID:         "01abcdef1234",
+				WorkloadName:       "api",
+				AllowedVolumePaths: allowedJSON,
+			},
+			want: filepath.Clean(bindSource),
+		},
+		{
+			name: "absolute outside allow-list",
+			vol:  store.WorkloadVolume{Source: outsideSource, Scope: "absolute"},
+			params: ResolveWorkloadParams{
+				BasePath:           base,
+				WorkloadID:         "01abcdef1234",
+				AllowedVolumePaths: allowedJSON,
+			},
+			wantErr: "not under any allowed",
+		},
+		{
+			name: "absolute requires non-empty source",
+			vol:  store.WorkloadVolume{Source: "", Scope: "absolute"},
+			params: ResolveWorkloadParams{
+				BasePath:           base,
+				AllowedVolumePaths: allowedJSON,
+			},
+			wantErr: "absolute scope requires a source path",
+		},
+		{
+			name: "ephemeral has no host path",
+			vol:  store.WorkloadVolume{Scope: "ephemeral"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef", WorkloadName: "api",
+			},
+			wantErr: "ephemeral",
+		},
+		{
+			name: "instance uses tag suffix",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "instance"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api", ImageTag: "v1.2.3",
+			},
+			want: filepath.Join(base, "api-01abcdef", "instance-v1.2.3", "data"),
+		},
+		{
+			name: "instance scope requires tag",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "instance"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef", WorkloadName: "api",
+			},
+			wantErr: "instance scope requires image tag",
+		},
+		{
+			name: "stage and project collapse to workload dir",
+			vol:  store.WorkloadVolume{Source: "shared", Scope: "stage"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			want: filepath.Join(base, "api-01abcdef", "shared"),
+		},
+		{
+			name: "project scope",
+			vol:  store.WorkloadVolume{Source: "shared", Scope: "project"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			want: filepath.Join(base, "api-01abcdef", "shared"),
+		},
+		{
+			name: "project_named requires name",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project_named"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			wantErr: "project_named scope requires name",
+		},
+		{
+			name: "project_named",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project_named", Name: "cache"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			want: filepath.Join(base, "api-01abcdef", "_named", "cache", "data"),
+		},
+		{
+			name: "named",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "named", Name: "global-cache"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			want: filepath.Join(base, "_named", "global-cache", "data"),
+		},
+		{
+			name: "named requires name",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "named"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			wantErr: "named scope requires name",
+		},
+		{
+			name: "empty scope rejected",
+			vol:  store.WorkloadVolume{Source: "data", Scope: ""},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			wantErr: "scope is required",
+		},
+		{
+			name: "unknown scope rejected",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "weird"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api",
+			},
+			wantErr: "unknown volume scope",
+		},
+		{
+			name: "id-only workload still resolves",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234",
+			},
+			want: filepath.Join(base, "01abcdef", "data"),
+		},
+		{
+			name: "name-only workload still resolves",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadName: "api",
+			},
+			want: filepath.Join(base, "api", "data"),
+		},
+		{
+			name: "name with unsafe chars sanitized",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project"},
+			params: ResolveWorkloadParams{
+				BasePath: base, WorkloadID: "01abcdef1234", WorkloadName: "api/../etc",
+			},
+			want: filepath.Join(base, "api-..-etc-01abcdef", "data"),
+		},
+		{
+			name: "no workload identity rejected",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project"},
+			params: ResolveWorkloadParams{
+				BasePath: base,
+			},
+			wantErr: "workload id or name required",
+		},
+		{
+			name: "non-absolute scope requires base path",
+			vol:  store.WorkloadVolume{Source: "data", Scope: "project"},
+			params: ResolveWorkloadParams{
+				WorkloadID: "01abcdef", WorkloadName: "api",
+			},
+			wantErr: "base path is required",
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got, err := ResolveWorkloadPath(c.vol, c.params)
+			if c.wantErr != "" {
+				if err == nil {
+					t.Fatalf("want error containing %q, got nil (path=%q)", c.wantErr, got)
+				}
+				if !strings.Contains(err.Error(), c.wantErr) {
+					t.Fatalf("want error containing %q, got %q", c.wantErr, err.Error())
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if got != c.want {
+				t.Fatalf("path mismatch:\n  got  %q\n  want %q", got, c.want)
+			}
+		})
+	}
+}
+
+func TestSanitizePathSegment(t *testing.T) {
+	cases := []struct {
+		in, out string
+	}{
+		{"api", "api"},
+		{"  api  ", "api"},
+		{"api/../etc", "api-..-etc"},
+		{"my app v1", "my-app-v1"},
+		{"---", ""},
+		{"", ""},
+		{"v1.2.3", "v1.2.3"},
+	}
+	for _, c := range cases {
+		got := sanitizePathSegment(c.in)
+		if got != c.out {
+			t.Errorf("sanitize(%q) = %q, want %q", c.in, got, c.out)
+		}
+	}
+}