feat(deployer): configurable per-workload deploy strategy (blue-green for built sources)

Add a deploy_strategy field to each source's config blob — "" (default),
"recreate", or "blue-green" — validated in each source's Validate and read on
the deploy path. No new DB column, no migration: the field rides inside the
existing SourceConfig JSON and every existing workload decodes "" to its
historical behavior (image -> blue-green, others -> recreate).

The real gap this closes: dockerfile and static stopped the old container
before creating the new one on every redeploy — a downtime window image never
had. Their blue-green branch now:
- names the new "green" container with a unique suffix so it coexists with the
  still-serving blue (plumbed into both the container name AND the proxy
  forwardHost);
- skips the collision teardown that destroyed blue early;
- gates green — an HTTP readiness probe (deps.Health.Check) when a healthcheck
  is configured, else the existing liveness window;
- swaps the route via a pure upsert (no pre-DeleteRoute) so NPM repoints in
  place with no gap;
- persists green into the single runtime-state row BEFORE reaping blue, so a
  crash mid-swap can never orphan green or leave the row pointing at a removed
  container (state.go/teardown.go/reconcile.go stay untouched).

image honors explicit "recreate" (reap existing containers after pull, before
cutover); its default blue-green path is unchanged. compose stays
stack-managed and rejects "blue-green" at Validate so the contract is honest.
static forces recreate for storage-backed deno sites — blue-green would mount
the same RW volume into both containers at once.

Shared helper internal/workload/plugin/strategy.go (ValidateStrategy +
BuildGreenName). Backend-only (phase 1); the field is usable today via the
app's advanced-JSON editor — a friendly toggle + i18n follow in phase 2.
Tests: ValidateStrategy matrix, per-source Validate (incl. the empty-key
backward-compat lock), and effectiveStrategy defaults + the deno gate. Design
+ adversarial review: docs/plans/DEPLOY_STRATEGY_PLAN.md.

internal/workload/plugin/source/static/deploy.go

@@ -44,6 +44,12 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		return fmt.Errorf("static source: decode config: %w", err)
 	}
 
+	// bg selects the zero-downtime path: a unique green name so the new
+	// container coexists with the still-serving blue, an in-place route
+	// upsert, and blue reaped only AFTER green is persisted + routed.
+	// effectiveStrategy forces recreate for storage-backed deno sites.
+	bg := effectiveStrategy(cfg) == plugin.StrategyBlueGreen
+
 	prev, prevContainer, err := loadState(deps, w)
 	if err != nil {
 		return err
@@ -238,6 +244,13 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	}
 
 	containerName := containerNameFor(w)
+	if bg {
+		// Unique green name so the new container coexists with the still-
+		// serving blue one — the deterministic name would collide on
+		// Docker's per-daemon unique-name constraint. This name is also the
+		// proxy forwardHost below, so green receives traffic after cutover.
+		containerName = plugin.BuildGreenName(containerName, time.Now())
+	}
 
 	var mounts []mount.Mount
 	if cfg.StorageEnabled && mode == "deno" {
@@ -283,8 +296,16 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 
 	containerID, err := deps.Docker.CreateContainer(ctx, cc)
 	if err != nil {
-		// Container with this name might already exist — best-effort
-		// cleanup of any prior container by ID and by name, then retry.
+		if bg {
+			// Green has a unique name, so this is a genuine create failure, not
+			// a name conflict — must NOT remove the still-serving blue.
+			updateStatus(deps, w, "failed", latestSHA,
+				sanitizeError(fmt.Sprintf("create container: %v", err), token))
+			return fmt.Errorf("create container: %w", err)
+		}
+		// recreate: the deterministic name might still be held by the prior
+		// container — best-effort cleanup (by ID, then by name) and one retry.
+		// This is the recreate downtime window.
 		if prevContainerID != "" {
 			deps.Docker.StopContainer(ctx, prevContainerID, 10)
 			deps.Docker.RemoveContainer(ctx, prevContainerID, true)
@@ -353,7 +374,11 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 	// place so traffic shifts atomically.
 	proxyRouteID := prevProxyRouteID
 	if domain != "" {
-		if prevProxyRouteID != "" {
+		// Blue-green relies on ConfigureRoute being an upsert-by-FQDN (NPM
+		// repoints the host in place, gap-free), so we must NOT delete blue's
+		// route first. recreate already removed blue, so the pre-delete is
+		// harmless there but kept to preserve its exact prior behavior.
+		if !bg && prevProxyRouteID != "" {
 			deps.Proxy.DeleteRoute(ctx, prevProxyRouteID)
 		}
 		routeID, rerr := deps.Proxy.ConfigureRoute(ctx, domain, forwardHost, forwardPort, proxy.RouteOptions{
@@ -371,8 +396,12 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		}
 	}
 
-	// Drop the old container if a fresh one was created (different ID).
-	if prevContainerID != "" && prevContainerID != containerID {
+	// recreate: drop the old container now that the new one is healthy +
+	// routed. Blue-green DEFERS this until AFTER saveState (below) so the
+	// persisted single row always points at a running container — a crash
+	// between cutover and saveState must not orphan green or leave the row
+	// pointing at a reaped blue (which the reconciler would then flag failed).
+	if !bg && prevContainerID != "" && prevContainerID != containerID {
 		deps.Docker.StopContainer(ctx, prevContainerID, 10)
 		deps.Docker.RemoveContainer(ctx, prevContainerID, true)
 	}
@@ -409,6 +438,14 @@ func deploy(ctx context.Context, deps plugin.Deps, w plugin.Workload, intent plu
 		return fmt.Errorf("persist deploy state: %w", err)
 	}
 
+	// Blue-green: green is now persisted in the single row AND serving behind
+	// the swapped route — only now is it safe to reap blue. (recreate already
+	// removed blue before saveState.)
+	if bg && prevContainerID != "" && prevContainerID != containerID {
+		deps.Docker.StopContainer(ctx, prevContainerID, 10)
+		deps.Docker.RemoveContainer(ctx, prevContainerID, true)
+	}
+
 	publishEvent(deps, w, "deployed")
 
 	// updateStatus normally fires the terminal-state notification; the

internal/workload/plugin/source/static/static.go

@@ -41,6 +41,30 @@ type Config struct {
 	// git provider as a commit status (pending/success/failure) on the
 	// deployed SHA. Best-effort — a reporting failure never fails a deploy.
 	ReportCommitStatus bool `json:"report_commit_status"`
+
+	// DeployStrategy selects how a redeploy cuts over. "" (default) and
+	// "recreate" stop the old container before the new one comes up (a brief
+	// downtime window). "blue-green" starts the new container alongside the
+	// old, gates it, swaps the proxy route in place, then reaps the old —
+	// zero-downtime under NPM. Validated via plugin.ValidateStrategy.
+	DeployStrategy string `json:"deploy_strategy,omitempty"`
+}
+
+// effectiveStrategy resolves the configured strategy for the static source.
+// Empty maps to recreate — the source's historical behavior. Storage-backed
+// deno sites are forced to recreate even when blue-green is requested: a
+// blue-green overlap would mount the same RW named volume into BOTH
+// containers at once (a concurrent-writer window recreate never has, since
+// recreate stops blue before green starts).
+func effectiveStrategy(cfg Config) string {
+	s := cfg.DeployStrategy
+	if s == "" {
+		s = plugin.StrategyRecreate
+	}
+	if s == plugin.StrategyBlueGreen && cfg.StorageEnabled && cfg.Mode == "deno" {
+		return plugin.StrategyRecreate
+	}
+	return s
 }
 
 type source struct{}
@@ -78,6 +102,9 @@ func (*source) Validate(cfg json.RawMessage) error {
 	if c.Mode != "" && c.Mode != "static" && c.Mode != "deno" {
 		return fmt.Errorf("static source: mode must be \"static\" or \"deno\"")
 	}
+	if err := plugin.ValidateStrategy(c.DeployStrategy, true); err != nil {
+		return fmt.Errorf("static source: %w", err)
+	}
 	return nil
 }
 

internal/workload/plugin/source/static/strategy_test.go

@@ -0,0 +1,58 @@
+package static
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/workload/plugin"
+)
+
+func validCfg(extra map[string]any) json.RawMessage {
+	m := map[string]any{"repo_owner": "o", "repo_name": "r"}
+	for k, v := range extra {
+		m[k] = v
+	}
+	b, _ := json.Marshal(m)
+	return b
+}
+
+func TestValidate_Strategy(t *testing.T) {
+	cases := []struct {
+		strategy string
+		wantErr  bool
+	}{
+		{"", false},
+		{"recreate", false},
+		{"blue-green", false},
+		{"rolling", true},
+		{"junk", true},
+	}
+	for _, c := range cases {
+		t.Run("strategy="+c.strategy, func(t *testing.T) {
+			err := (&source{}).Validate(validCfg(map[string]any{"deploy_strategy": c.strategy}))
+			if (err != nil) != c.wantErr {
+				t.Fatalf("Validate(strategy=%q) err=%v, wantErr=%v", c.strategy, err, c.wantErr)
+			}
+		})
+	}
+}
+
+func TestEffectiveStrategy_DefaultAndDenoGate(t *testing.T) {
+	if got := effectiveStrategy(Config{}); got != plugin.StrategyRecreate {
+		t.Fatalf("empty strategy = %q, want recreate", got)
+	}
+	if got := effectiveStrategy(Config{DeployStrategy: plugin.StrategyBlueGreen}); got != plugin.StrategyBlueGreen {
+		t.Fatalf("plain blue-green = %q, want blue-green", got)
+	}
+	// Storage-backed deno site requesting blue-green is forced to recreate to
+	// avoid a concurrent-writer overlap on the shared /app/data volume.
+	denoStorage := Config{DeployStrategy: plugin.StrategyBlueGreen, StorageEnabled: true, Mode: "deno"}
+	if got := effectiveStrategy(denoStorage); got != plugin.StrategyRecreate {
+		t.Fatalf("deno+storage blue-green = %q, want recreate (forced)", got)
+	}
+	// A deno site WITHOUT storage may use blue-green.
+	denoNoStorage := Config{DeployStrategy: plugin.StrategyBlueGreen, Mode: "deno"}
+	if got := effectiveStrategy(denoNoStorage); got != plugin.StrategyBlueGreen {
+		t.Fatalf("deno (no storage) blue-green = %q, want blue-green", got)
+	}
+}