feat(docker-watcher): phase 13 - volumes & environment

Per-stage env var overrides with encryption for secrets.
Volume mounts with shared/isolated modes (isolated appends
/{stage}-{tag}/ to source path). Store CRUD, API endpoints,
and frontend editors for both. Env merge during deploy.

PLAN.md

@@ -287,7 +287,7 @@ Full dashboard for visibility, manual control, and configuration.
 22. **Embed in Go** ✅ — build SvelteKit to static, embed with `go:embed`, serve from Go
 23. **Real-time updates** ✅ — SSE for deploy progress and instance status changes
 
-### Phase 4: Volumes & Environment
+### Phase 4: Volumes & Environment (Phase 13) -- COMPLETED
 
 Persistent storage and app-specific configuration for deployed containers.
 
@@ -298,6 +298,21 @@ Persistent storage and app-specific configuration for deployed containers.
 28. **Isolated volumes** — each instance gets its own subdirectory: `{source}/{stage}-{tag}/` → `{target}` (for stateful apps with local DBs/files)
 29. **UI for volumes & env** — project settings page with key/value editor, volume list, shared/isolated toggle, per-stage override support
 
+#### Phase 13 Handoff Notes
+
+- New tables: `stage_env` (id, stage_id, key, value, encrypted, timestamps), `volumes` (id, project_id, source, target, mode, timestamps)
+- `stage_env` has UNIQUE(stage_id, key) constraint to prevent duplicate keys per stage
+- Volume mode is either "shared" or "isolated"; default is "shared"
+- Encrypted env values are encrypted with `crypto.Encrypt` before storage and decrypted at deploy time
+- API masks encrypted env values as "••••••••" in responses
+- Env merge order in deployer: project-level JSON `env` field parsed first, then stage-level `stage_env` records overlay (stage wins on key conflict)
+- `computeVolumeMounts` appends `/{stage}-{tag}/` to source for isolated volumes
+- Docker `ContainerConfig` now has `Mounts []mount.Mount` field, passed to `HostConfig.Mounts`
+- Both `executeDeploy` and `blueGreenDeploy` updated to use `mergeEnvVars` and `computeVolumeMounts`
+- API routes: GET/POST `/api/projects/{id}/stages/{stage}/env`, PUT/DELETE `.../env/{envId}`, GET/POST `/api/projects/{id}/volumes`, PUT/DELETE `.../volumes/{volId}`
+- Frontend pages: `/projects/[id]/env` (per-stage env editor with inherited/overridden indicators), `/projects/[id]/volumes` (volume editor with shared/isolated toggle)
+- Project detail page now has navigation links to env and volumes pages
+
 Volume config per project:
 ```yaml
 env:
@@ -405,6 +420,18 @@ POST   /api/projects/:id/stages                         — add stage to project
 PUT    /api/projects/:id/stages/:stage                   — update stage config
 DELETE /api/projects/:id/stages/:stage                   — delete stage + its instances
 
+# Stage Env Overrides
+GET    /api/projects/:id/stages/:stage/env                 — list stage env vars (secrets masked)
+POST   /api/projects/:id/stages/:stage/env                 — create stage env var
+PUT    /api/projects/:id/stages/:stage/env/:envId          — update stage env var
+DELETE /api/projects/:id/stages/:stage/env/:envId          — delete stage env var
+
+# Project Volumes
+GET    /api/projects/:id/volumes                           — list project volumes
+POST   /api/projects/:id/volumes                           — create project volume
+PUT    /api/projects/:id/volumes/:volId                    — update project volume
+DELETE /api/projects/:id/volumes/:volId                    — delete project volume
+
 # Instances (running containers)
 GET    /api/projects/:id/stages/:stage/instances          — list instances for stage
 POST   /api/projects/:id/stages/:stage/instances          — deploy new instance (pick tag)