fix: comprehensive security, performance, and quality hardening

Security: apply AdminOnly middleware to mutating routes, require
ENCRYPTION_KEY and ADMIN_PASSWORD (no insecure defaults), restrict
CORS to same-origin, fix OIDC token delivery via cookie instead of
URL query param, add rate limiting on login, add MaxBytesReader,
validate volume paths against traversal, add security headers,
validate user roles, add Secure flag to OIDC cookie.

Performance: set SQLite MaxOpenConns(1) to prevent SQLITE_BUSY,
add FK indexes on 8 columns, track notifier goroutines with
WaitGroup for graceful shutdown, use GetRegistryByName instead of
GetAllRegistries in deployer, pass basePath param to avoid redundant
settings query, return empty slices from store to remove reflection.

Quality: refactor TriggerDeploy to delegate to runDeploy (~100 lines
removed), consolidate duplicated utilities (extractPort, boolToInt,
now, isTerminalStatus) into shared exports, migrate all log.Printf
to slog structured logging, use consistent webhook response envelope,
remove dead code (parseEnvVars, duplicate auth types).

UX: clean up NPM proxy on instance removal via API, add README with
quickstart guide, add .env.example, require ADMIN_PASSWORD in
docker-compose, document staging-net prerequisite.

internal/store/deploys.go

@@ -11,7 +11,7 @@ import (
 // CreateDeploy inserts a new deploy record.
 func (s *Store) CreateDeploy(d Deploy) (Deploy, error) {
 	d.ID = uuid.New().String()
-	d.StartedAt = now()
+	d.StartedAt = Now()
 	if d.Status == "" {
 		d.Status = "pending"
 	}
@@ -73,9 +73,9 @@ func (s *Store) GetRecentDeploys(limit int) ([]Deploy, error) {
 
 // UpdateDeployStatus sets the status (and optionally error and finished_at) on a deploy.
 func (s *Store) UpdateDeployStatus(id string, status string, deployErr string) error {
-	ts := now()
+	ts := Now()
 	var finishedAt string
-	if isTerminalDeployStatus(status) {
+	if IsTerminalDeployStatus(status) {
 		finishedAt = ts
 	}
 
@@ -113,7 +113,7 @@ func (s *Store) AppendDeployLog(deployID string, message string, level string) e
 	}
 	_, err := s.db.Exec(
 		`INSERT INTO deploy_logs (deploy_id, message, level, created_at) VALUES (?, ?, ?, ?)`,
-		deployID, message, level, now(),
+		deployID, message, level, Now(),
 	)
 	if err != nil {
 		return fmt.Errorf("append deploy log: %w", err)
@@ -132,7 +132,7 @@ func (s *Store) GetDeployLogs(deployID string) ([]DeployLog, error) {
 	}
 	defer rows.Close()
 
-	var logs []DeployLog
+	logs := []DeployLog{}
 	for rows.Next() {
 		var l DeployLog
 		if err := rows.Scan(&l.ID, &l.DeployID, &l.Message, &l.Level, &l.CreatedAt); err != nil {
@@ -145,7 +145,7 @@ func (s *Store) GetDeployLogs(deployID string) ([]DeployLog, error) {
 
 // scanDeploys is a helper that scans deploy rows from a cursor.
 func scanDeploys(rows *sql.Rows) ([]Deploy, error) {
-	var deploys []Deploy
+	deploys := []Deploy{}
 	for rows.Next() {
 		var d Deploy
 		if err := rows.Scan(&d.ID, &d.ProjectID, &d.StageID, &d.InstanceID, &d.ImageTag, &d.Status, &d.StartedAt, &d.FinishedAt, &d.Error); err != nil {
@@ -156,8 +156,8 @@ func scanDeploys(rows *sql.Rows) ([]Deploy, error) {
 	return deploys, rows.Err()
 }
 
-// isTerminalDeployStatus returns true if the status indicates the deploy is finished.
-func isTerminalDeployStatus(status string) bool {
+// IsTerminalDeployStatus returns true if the status indicates the deploy is finished.
+func IsTerminalDeployStatus(status string) bool {
 	switch status {
 	case "success", "failed", "rolled_back":
 		return true
@@ -165,3 +165,17 @@ func isTerminalDeployStatus(status string) bool {
 		return false
 	}
 }
+
+// CleanupOldDeploys removes deploy records and their logs older than the given
+// number of days. Returns the number of deploys removed.
+func (s *Store) CleanupOldDeploys(retentionDays int) (int64, error) {
+	cutoff := fmt.Sprintf("-%d days", retentionDays)
+	result, err := s.db.Exec(
+		`DELETE FROM deploys WHERE started_at < datetime('now', ?)`, cutoff,
+	)
+	if err != nil {
+		return 0, fmt.Errorf("cleanup old deploys: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	return n, nil
+}