feat(apps): per-app deploy/activity timeline

Every deploy across all four source kinds now writes a workload-scoped
event via a shared plugin.EmitDeployEvent helper (replacing the inline
emit duplicated in static/dockerfile, standardizing static's metadata
key site_id->workload_id, and adding emission to image+compose which
were silent). New indexed event_log.workload_id column, EventLogFilter
.WorkloadID, and GET /api/workloads/{id}/events (id pinned from path).

Frontend: a forge "Activity" panel on /apps/[id] reusing EventLogEntry,
live SSE prepend filtered by workload_id, load-more pagination, an
All/Errors severity filter, and a shared toEventLogEntry mapper. en/ru
i18n parity.

Security: compose's failure status emits a generic reason instead of raw
`docker compose up` output, which can echo app secrets and egresses to
operator webhooks (NotificationURL + event-trigger actions); full detail
stays only in the returned error. Rune-safe 256-rune status cap.

Reviewed: go + typescript APPROVE; security HIGH fixed.

web/src/lib/api.ts

@@ -765,6 +765,19 @@ export function fetchEventLogStats(signal?: AbortSignal): Promise<EventLogStats>
 	return get<EventLogStats>('/api/events/log/stats', signal);
 }
 
+export function fetchWorkloadEvents(
+	id: string,
+	params?: { severity?: string; limit?: number; offset?: number },
+	signal?: AbortSignal
+): Promise<EventLogEntry[]> {
+	const query = new URLSearchParams();
+	if (params?.severity) query.set('severity', params.severity);
+	if (params?.limit) query.set('limit', String(params.limit));
+	if (params?.offset) query.set('offset', String(params.offset));
+	const qs = query.toString();
+	return get<EventLogEntry[]>(`/api/workloads/${id}/events${qs ? `?${qs}` : ''}`, signal);
+}
+
 export function deleteEvent(id: number): Promise<{ status: string }> {
 	return del<{ status: string }>(`/api/events/log/${id}`);
 }