feat: expanded health checks, deploy filtering, per-project notifications, error sanitization, and audit trail

- Expand health endpoint to check DB, Docker, and NPM connectivity (FUNC-M4)
- Add project_id, stage_id, offset query params to deploys endpoint (FUNC-M5, FUNC-M6)
- Add notification_url field to Stage model for per-project overrides (FUNC-M2)
- Add NPM Ping method for health checking
- Sanitize all internal error messages in API handlers (SEC-M4)
- Add audit trail events for admin actions (FUNC-M3)
- Add EventLog event type to event bus

internal/store/deploys.go

@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/google/uuid"
 )
@@ -166,6 +167,36 @@ func IsTerminalDeployStatus(status string) bool {
 	}
 }
 
+// GetDeploys returns deploys with optional filtering by project and stage, with pagination.
+func (s *Store) GetDeploys(projectID, stageID string, limit, offset int) ([]Deploy, error) {
+	query := `SELECT id, project_id, stage_id, instance_id, image_tag, status, started_at, finished_at, error FROM deploys`
+	var args []any
+	var conditions []string
+
+	if projectID != "" {
+		conditions = append(conditions, "project_id = ?")
+		args = append(args, projectID)
+	}
+	if stageID != "" {
+		conditions = append(conditions, "stage_id = ?")
+		args = append(args, stageID)
+	}
+
+	if len(conditions) > 0 {
+		query += " WHERE " + strings.Join(conditions, " AND ")
+	}
+	query += " ORDER BY started_at DESC LIMIT ? OFFSET ?"
+	args = append(args, limit, offset)
+
+	rows, err := s.db.Query(query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("query deploys: %w", err)
+	}
+	defer rows.Close()
+
+	return scanDeploys(rows)
+}
+
 // CleanupOldDeploys removes deploy records and their logs older than the given
 // number of days. Returns the number of deploys removed.
 func (s *Store) CleanupOldDeploys(retentionDays int) (int64, error) {

internal/store/models.go

@@ -25,9 +25,10 @@ type Stage struct {
 	Confirm      bool   `json:"confirm"`
 	EnableProxy  bool   `json:"enable_proxy"`
 	PromoteFrom  string `json:"promote_from"`
-	Subdomain    string `json:"subdomain"`
-	CreatedAt    string `json:"created_at"`
-	UpdatedAt    string `json:"updated_at"`
+	Subdomain       string `json:"subdomain"`
+	NotificationURL string `json:"notification_url"`
+	CreatedAt       string `json:"created_at"`
+	UpdatedAt       string `json:"updated_at"`
 }
 
 // Registry represents a container image registry.

internal/store/stages.go

@@ -8,7 +8,7 @@ import (
 	"github.com/google/uuid"
 )
 
-const stageColumns = `id, project_id, name, tag_pattern, auto_deploy, max_instances, confirm, enable_proxy, promote_from, subdomain, created_at, updated_at`
+const stageColumns = `id, project_id, name, tag_pattern, auto_deploy, max_instances, confirm, enable_proxy, promote_from, subdomain, notification_url, created_at, updated_at`
 
 // CreateStage inserts a new stage for a project.
 func (s *Store) CreateStage(st Stage) (Stage, error) {
@@ -17,9 +17,9 @@ func (s *Store) CreateStage(st Stage) (Stage, error) {
 	st.UpdatedAt = st.CreatedAt
 
 	_, err := s.db.Exec(
-		`INSERT INTO stages (`+stageColumns+`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		`INSERT INTO stages (`+stageColumns+`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		st.ID, st.ProjectID, st.Name, st.TagPattern, BoolToInt(st.AutoDeploy), st.MaxInstances,
-		BoolToInt(st.Confirm), BoolToInt(st.EnableProxy), st.PromoteFrom, st.Subdomain, st.CreatedAt, st.UpdatedAt,
+		BoolToInt(st.Confirm), BoolToInt(st.EnableProxy), st.PromoteFrom, st.Subdomain, st.NotificationURL, st.CreatedAt, st.UpdatedAt,
 	)
 	if err != nil {
 		return Stage{}, fmt.Errorf("insert stage: %w", err)
@@ -55,7 +55,7 @@ func (s *Store) GetStageByID(id string) (Stage, error) {
 	err := s.db.QueryRow(
 		`SELECT `+stageColumns+` FROM stages WHERE id = ?`, id,
 	).Scan(&st.ID, &st.ProjectID, &st.Name, &st.TagPattern, &autoDeploy, &st.MaxInstances,
-		&confirm, &enableProxy, &st.PromoteFrom, &st.Subdomain, &st.CreatedAt, &st.UpdatedAt)
+		&confirm, &enableProxy, &st.PromoteFrom, &st.Subdomain, &st.NotificationURL, &st.CreatedAt, &st.UpdatedAt)
 	if errors.Is(err, sql.ErrNoRows) {
 		return Stage{}, fmt.Errorf("stage %s: %w", id, ErrNotFound)
 	}
@@ -72,10 +72,10 @@ func (s *Store) GetStageByID(id string) (Stage, error) {
 func (s *Store) UpdateStage(st Stage) error {
 	st.UpdatedAt = Now()
 	result, err := s.db.Exec(
-		`UPDATE stages SET name=?, tag_pattern=?, auto_deploy=?, max_instances=?, confirm=?, enable_proxy=?, promote_from=?, subdomain=?, updated_at=?
+		`UPDATE stages SET name=?, tag_pattern=?, auto_deploy=?, max_instances=?, confirm=?, enable_proxy=?, promote_from=?, subdomain=?, notification_url=?, updated_at=?
 		 WHERE id=?`,
 		st.Name, st.TagPattern, BoolToInt(st.AutoDeploy), st.MaxInstances,
-		BoolToInt(st.Confirm), BoolToInt(st.EnableProxy), st.PromoteFrom, st.Subdomain, st.UpdatedAt, st.ID,
+		BoolToInt(st.Confirm), BoolToInt(st.EnableProxy), st.PromoteFrom, st.Subdomain, st.NotificationURL, st.UpdatedAt, st.ID,
 	)
 	if err != nil {
 		return fmt.Errorf("update stage: %w", err)
@@ -113,7 +113,7 @@ func scanStage(rows *sql.Rows) (Stage, error) {
 	var st Stage
 	var autoDeploy, confirm, enableProxy int
 	err := rows.Scan(&st.ID, &st.ProjectID, &st.Name, &st.TagPattern, &autoDeploy, &st.MaxInstances,
-		&confirm, &enableProxy, &st.PromoteFrom, &st.Subdomain, &st.CreatedAt, &st.UpdatedAt)
+		&confirm, &enableProxy, &st.PromoteFrom, &st.Subdomain, &st.NotificationURL, &st.CreatedAt, &st.UpdatedAt)
 	if err != nil {
 		return Stage{}, fmt.Errorf("scan stage: %w", err)
 	}