refactor(workload): extract Instance entirely; Container is canonical

End-to-end extraction of the Instance concept. After this commit:

  * internal/store/instances.go — DELETED
  * internal/store/models.go — Instance struct gone, ProxyRoute moved here
  * containers table is the single source of truth for project/stack/site
    container state. instances table is dropped via DROP TABLE migration
    (idempotent; re-runnable on every boot).
  * Legacy tinyforge.project / tinyforge.stage / tinyforge.instance-id
    Docker labels are no longer emitted; only tinyforge.workload.{id,kind},
    tinyforge.role, and tinyforge.managed are stamped on new containers.

Backend rewrites:
  - internal/deployer:        executeDeploy + blueGreenDeploy + rollback +
                              promote use store.Container natively. New
                              removeContainer() replaces removeInstance().
                              enforceMaxInstances reads via
                              ListContainersByStageID.
  - internal/reconciler:      legacy tinyforge.instance-id dispatch removed;
                              upsertByWorkloadLabel now finds existing rows
                              by docker container ID first and falls back to
                              the deterministic workloadID:role key.
  - internal/stale/scanner:   Scan + new FindStaleContainers walk the
                              containers table; emit StaleContainer JSON.
  - internal/stats/collector: ListContainers replaces ListAllInstances.
  - internal/webhook/handler: workload-secret lookup tried first; falls back
                              to project / static_site secret column.
  - internal/api: instances.go, stale.go, stats.go, stats_history.go,
                  projects.go, settings.go, docker.go, dns.go all read /
                  write through Container.

Docker layer:
  - ManagedContainer exposes WorkloadID/Kind/Role from the canonical labels.
  - ListContainers filters by tinyforge.managed=true.
  - Network creation uses LabelManaged instead of LabelProject.

Frontend:
  - Instance type is now a Container alias; .status → .state,
    .last_alive_at → .last_seen_at.
  - InstanceCard takes stageId as a prop (no longer derived from Instance).
  - StaleContainer JSON shape rewritten: { container, workload_name, role,
    days_stale }. StaleContainerCard + /containers/stale page updated.
  - ProjectCard / homepage / SystemHealthCard filter by .state.

The migration loop now tolerates "no such table" alongside "duplicate
column" / "already exists" so obsolete ALTER TABLE entries targeting the
dropped instances table no-op cleanly on first boot.

Tests: store + deployer + reconciler + webhook + staticsite + notify all
still pass. Frontend svelte-check: zero errors.

internal/store/containers.go

@@ -135,6 +135,77 @@ func (s *Store) GetContainerByDockerID(dockerID string) (Container, error) {
 	return c, nil
 }
 
+// ListProxyRoutes returns proxy-enabled project containers joined with
+// project + stage names. Reads from the normalized containers index. Stage
+// ID is resolved through a (project_id, role=stage_name) join, which is
+// uniquely indexed via UNIQUE(project_id, name) on stages.
+//
+// Source is reported as "instance" for back-compat with the Proxies page
+// filter (the frontend keys off the literal string).
+func (s *Store) ListProxyRoutes(domain string) ([]ProxyRoute, error) {
+	rows, err := s.db.Query(`
+		SELECT c.id, p.id, p.name, s.id, s.name,
+		       c.image_tag, c.subdomain, c.container_id, c.port,
+		       c.proxy_route_id, c.npm_proxy_id, c.state, c.created_at
+		FROM containers c
+		JOIN workloads w ON w.id = c.workload_id AND w.kind = 'project'
+		JOIN projects   p ON p.id = w.ref_id
+		JOIN stages     s ON s.project_id = p.id AND s.name = c.role
+		WHERE c.subdomain != '' AND (c.proxy_route_id != '' OR c.npm_proxy_id > 0)
+		ORDER BY p.name, s.name, c.created_at DESC`,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("query proxy routes: %w", err)
+	}
+	defer rows.Close()
+
+	routes := []ProxyRoute{}
+	for rows.Next() {
+		var r ProxyRoute
+		if err := rows.Scan(
+			&r.InstanceID, &r.ProjectID, &r.ProjectName, &r.StageID, &r.StageName,
+			&r.ImageTag, &r.Subdomain, &r.ContainerID, &r.Port,
+			&r.ProxyRouteID, &r.NpmProxyID, &r.Status, &r.CreatedAt,
+		); err != nil {
+			return nil, fmt.Errorf("scan proxy route: %w", err)
+		}
+		r.Source = "instance"
+		if domain != "" && r.Subdomain != "" {
+			r.Domain = r.Subdomain + "." + domain
+		}
+		routes = append(routes, r)
+	}
+	return routes, rows.Err()
+}
+
+// ListContainersByStageID returns project containers for the given stage,
+// newest first. Resolves stage → project_id → workload(kind=project) →
+// containers with role = stage.name. Replaces GetInstancesByStageID for
+// callers in the deployer / API layer.
+func (s *Store) ListContainersByStageID(stageID string) ([]Container, error) {
+	rows, err := s.db.Query(`
+		SELECT `+prefixCols(containerColumns, "c.")+`
+		FROM containers c
+		JOIN workloads w ON w.id = c.workload_id AND w.kind = 'project'
+		JOIN stages    s ON s.project_id = w.ref_id AND s.name = c.role
+		WHERE s.id = ?
+		ORDER BY c.created_at DESC`, stageID)
+	if err != nil {
+		return nil, fmt.Errorf("query containers by stage: %w", err)
+	}
+	defer rows.Close()
+
+	out := []Container{}
+	for rows.Next() {
+		c, err := scanContainer(rows)
+		if err != nil {
+			return nil, fmt.Errorf("scan container: %w", err)
+		}
+		out = append(out, c)
+	}
+	return out, rows.Err()
+}
+
 // ListContainersByWorkload returns all containers for a given workload, newest first.
 func (s *Store) ListContainersByWorkload(workloadID string) ([]Container, error) {
 	rows, err := s.db.Query(