feat(discovery+runtime): restore static-site wizard discovery + close /sites/[id] feature parity

Two-stage feature arc closing the gaps left by the hard legacy cutover.
The static-site creation wizard regains its auto-discovery + connection-test
flow; /apps/[id] grows the runtime/storage/lifecycle surface the legacy
/sites/[id] page used to expose.

Backend (Go)
- internal/api/discovery.go: six admin-gated endpoints wrapping
  staticsite.GitProvider — POST /api/discovery/git/{detect-provider,
  test-connection,repos,branches,tree} + GET /api/discovery/image/conflicts.
  Identifier validation (validateGitIdent / validateGitBranch) at the
  boundary so provider URL interpolation cannot be hijacked via `..`.
  Upstream errors scrubbed: detailed slog on the server, generic 502 to
  the client (mitigates token-reflection-in-error-page).
- internal/api/workload_runtime.go: four endpoints —
  GET /api/workloads/{id}/runtime-state decodes containers.extra_json for
  static workloads; GET /api/workloads/{id}/storage execs `du -sb /app/data`
  with a 30s in-process cache (storageProbeCache) so polling can't turn
  into per-request execs; POST /api/workloads/{id}/{stop,start} iterate
  ListContainersByWorkload and call docker.StopContainer / StartContainer,
  returning 200 / 409 (nothing to act on) / 502 (all failed).
- internal/staticsite/safehttp.go: NewSafeHTTPClient + ValidateBaseURL +
  blockReason. DialContext re-resolves hostnames and refuses loopback /
  link-local / multicast / unspecified addresses. RFC1918 + ULA explicitly
  allowed (self-hosted Gitea on LAN is the dominant deployment).
  Replaced four raw &http.Client{} constructions in the provider files.
- internal/staticsite/gitlab_provider.go: url.PathEscape each segment in
  the raw-file URL builder for parity with projectPath().
- Test coverage: 26 cases in discovery_test.go (image-tag stripping,
  source-config decoding, conflict scenarios, validator boundaries,
  scheme rejection), 14 in workload_runtime_test.go (404 / 409 / nil-docker
  / probe-cache), 16 in safehttp_test.go (URL validation + block-reason
  policy matrix + live dial against loopback + AWS metadata literals).

Frontend (Svelte 5 + runes)
- web/src/lib/api.ts: typed wrappers for every endpoint, AbortSignal
  threaded through post(); ApiError exported so callers can narrow on
  e.status; new DetectedGitProvider narrow union.
- web/src/routes/apps/new/+page.svelte: static-form discovery controls
  (auto-detect provider, test connection, repo / branch / folder
  EntityPickers, Deno auto-detect); image-form conflict panel with
  debounced lookup + double-click submit guard ("Forge anyway") + Inspect
  button that pre-fills port/healthcheck; English error fallbacks routed
  through apps.new.errors.* (en + ru).
- web/src/routes/apps/[id]/+page.svelte: runtime-state panel + storage
  panel + Stop / Start / Open-site toolbar; universal live-state badge
  in the hero lede for image/compose/static (RUNNING / TRANSITIONING /
  STOPPED / NOT DEPLOYED / MIXED · n/m RUNNING); ContainerStats panel
  per row (auto-collapsing native <details> when N > 2); read-only
  webhook bindings summary card; responsive toolbar overflow with native
  <details> at <640px (z-index 100 above sticky nav).
- web/src/app.css: project-wide .forge-btn-ghost:focus-visible outline.

Hardening from go-reviewer + security-reviewer + typescript-reviewer +
frontend-design UI/UX subagents (0 CRITICAL, all HIGH/BLOCKER addressed
inline, IMPORTANT applied before commit):
- AbortController + per-call sequence tokens on every long-running
  fetch (loadRuntimeState / loadStorage / loadTriggerMeta / inspectImage /
  listImageConflicts) plus onDestroy cleanup so late resolves cannot
  mutate dead component state.
- doStop / doStart snapshot and restore `error` across the finally-block
  reload so a load()-cleared message doesn't hide a real failure.
- triggersById refreshed after inline trigger creation so the webhook
  card doesn't silently exclude the just-created trigger.
- Live-state badge wraps in role=status / aria-live=polite (no redundant
  aria-label).
- Webhook row has a single click target (was two pointing at the same URL).
- Empty webhook section hides entirely.
- Dropped role=menu / role=menuitem from the overflow menu (they would
  promise arrow-key nav we don't wire; native Tab + ESC carry it).

Doc
- docs/CODEMAPS/INDEX.md + new docs/CODEMAPS/discovery-and-runtime.md
  map the endpoint surface, security posture, frontend integration
  patterns, and an "add a new probe" recipe.

Verification
- svelte-check: 0 errors, 3 pre-existing a11y warnings.
- go build + go vet + go test ./...: all green.
- i18n parity: en + ru at 1413 keys each.
- Live smoke against :8090: 404 / 409 / 502 envelopes correct, discovery
  sanity passes, ProbeError surfaces on no-container path.

internal/api/workload_runtime_test.go

@@ -0,0 +1,295 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/store"
+)
+
+// =============================================================================
+// GET /api/workloads/{id}/runtime-state
+// =============================================================================
+
+func TestGetWorkloadRuntimeState_NotFound_404(t *testing.T) {
+	e := newAPITestEnv(t)
+	resp := e.do(t, http.MethodGet, "/api/workloads/does-not-exist/runtime-state", nil)
+	if resp.StatusCode != http.StatusNotFound {
+		_ = decodeEnvelope(t, resp, nil)
+		t.Fatalf("status = %d, want 404", resp.StatusCode)
+	}
+}
+
+func TestGetWorkloadRuntimeState_NonStaticSource_ReturnsBareKind(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, err := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindProject),
+		Name:         "img-app",
+		SourceKind:   "image",
+		SourceConfig: `{"image":"nginx:1.25"}`,
+	})
+	if err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/runtime-state", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got runtimeStatePayload
+	if errMsg := decodeEnvelope(t, resp, &got); errMsg != "" {
+		t.Fatalf("envelope error: %q", errMsg)
+	}
+	if got.SourceKind != "image" {
+		t.Errorf("SourceKind = %q, want image", got.SourceKind)
+	}
+	if got.HasState {
+		t.Errorf("HasState = true, want false for non-static source")
+	}
+}
+
+func TestGetWorkloadRuntimeState_StaticSourceNeverDeployed_HasStateFalse(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, err := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea"}`,
+	})
+	if err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/runtime-state", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got runtimeStatePayload
+	if errMsg := decodeEnvelope(t, resp, &got); errMsg != "" {
+		t.Fatalf("envelope error: %q", errMsg)
+	}
+	if got.HasState {
+		t.Errorf("HasState = true, want false (never deployed)")
+	}
+}
+
+func TestGetWorkloadRuntimeState_StaticSourceDeployed_DecodesExtraJSON(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, err := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea"}`,
+	})
+	if err != nil {
+		t.Fatalf("seed workload: %v", err)
+	}
+	extra, _ := json.Marshal(map[string]any{
+		"status":          "deployed",
+		"last_commit_sha": "abc1234",
+		"last_sync_at":    "2026-05-16T10:00:00Z",
+		"last_error":      "",
+		// An unknown key — confirms decoding is lenient.
+		"unknown_future_field": "ignored",
+	})
+	if err := e.store.UpsertContainer(store.Container{
+		ID:           wl.ID + ":site",
+		WorkloadID:   wl.ID,
+		WorkloadKind: string(store.WorkloadKindSite),
+		Host:         "local",
+		ContainerID:  "abcdef1234",
+		State:        "running",
+		ExtraJSON:    string(extra),
+	}); err != nil {
+		t.Fatalf("seed container: %v", err)
+	}
+
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/runtime-state", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got runtimeStatePayload
+	if errMsg := decodeEnvelope(t, resp, &got); errMsg != "" {
+		t.Fatalf("envelope error: %q", errMsg)
+	}
+	if !got.HasState {
+		t.Fatalf("HasState = false, want true")
+	}
+	if got.ContainerID != "abcdef1234" || got.State != "running" {
+		t.Errorf("container fields = (%q,%q), want (abcdef1234, running)", got.ContainerID, got.State)
+	}
+	if got.Status != "deployed" || got.LastCommitSHA != "abc1234" || got.LastSyncAt == "" {
+		t.Errorf("runtime fields = %+v, want deployed/abc1234/non-empty", got)
+	}
+}
+
+func TestGetWorkloadRuntimeState_MalformedExtraJSON_ReturnsContainerFieldsOnly(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea"}`,
+	})
+	if err := e.store.UpsertContainer(store.Container{
+		ID:           wl.ID + ":site",
+		WorkloadID:   wl.ID,
+		WorkloadKind: string(store.WorkloadKindSite),
+		Host:         "local",
+		ContainerID:  "abc",
+		State:        "running",
+		ExtraJSON:    `{this is not json`,
+	}); err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/runtime-state", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200 (decode is non-fatal)", resp.StatusCode)
+	}
+	var got runtimeStatePayload
+	_ = decodeEnvelope(t, resp, &got)
+	if !got.HasState || got.ContainerID != "abc" {
+		t.Errorf("expected HasState + container id present, got %+v", got)
+	}
+	if got.Status != "" || got.LastCommitSHA != "" {
+		t.Errorf("expected typed fields empty on decode failure, got %+v", got)
+	}
+}
+
+// =============================================================================
+// GET /api/workloads/{id}/storage
+// =============================================================================
+
+func TestGetWorkloadStorage_NonStaticSource_EmptyPayload(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindProject),
+		Name:         "img-app",
+		SourceKind:   "image",
+		SourceConfig: `{"image":"nginx"}`,
+	})
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/storage", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got storageUsagePayload
+	_ = decodeEnvelope(t, resp, &got)
+	if got.Enabled || got.UsedBytes != 0 {
+		t.Errorf("expected empty payload for non-static, got %+v", got)
+	}
+}
+
+func TestGetWorkloadStorage_StaticDisabled_ReturnsLimitButNoUsage(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea","storage_enabled":false,"storage_limit_mb":0}`,
+	})
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/storage", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got storageUsagePayload
+	_ = decodeEnvelope(t, resp, &got)
+	if got.Enabled {
+		t.Errorf("Enabled = true, want false")
+	}
+}
+
+func TestGetWorkloadStorage_StaticEnabledNoDockerClient_ReturnsZeroUsage(t *testing.T) {
+	// docker is nil in the test env — the handler must still return
+	// a valid payload (enabled + limit) without panicking.
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea","storage_enabled":true,"storage_limit_mb":512}`,
+	})
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/storage", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("status = %d, want 200", resp.StatusCode)
+	}
+	var got storageUsagePayload
+	_ = decodeEnvelope(t, resp, &got)
+	if !got.Enabled || got.LimitMB != 512 {
+		t.Errorf("got %+v, want enabled=true limit=512", got)
+	}
+	if got.UsedBytes != 0 {
+		t.Errorf("UsedBytes = %d, want 0 (no docker client)", got.UsedBytes)
+	}
+}
+
+// =============================================================================
+// POST /api/workloads/{id}/{stop,start}
+// =============================================================================
+
+func TestStopPluginWorkload_NotFound_404(t *testing.T) {
+	e := newAPITestEnv(t)
+	resp := e.do(t, http.MethodPost, "/api/workloads/missing/stop", nil)
+	if resp.StatusCode != http.StatusNotFound {
+		_ = decodeEnvelope(t, resp, nil)
+		t.Fatalf("status = %d, want 404", resp.StatusCode)
+	}
+}
+
+func TestStopPluginWorkload_NoDockerClient_503(t *testing.T) {
+	// The test env passes a nil dockerClient. The handler must refuse
+	// with 503 rather than panicking on a nil deref.
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind: string(store.WorkloadKindSite), Name: "x", SourceKind: "static",
+	})
+	resp := e.do(t, http.MethodPost, "/api/workloads/"+wl.ID+"/stop", nil)
+	if resp.StatusCode != http.StatusServiceUnavailable {
+		t.Fatalf("status = %d, want 503", resp.StatusCode)
+	}
+}
+
+func TestStartPluginWorkload_NoDockerClient_503(t *testing.T) {
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind: string(store.WorkloadKindSite), Name: "x", SourceKind: "static",
+	})
+	resp := e.do(t, http.MethodPost, "/api/workloads/"+wl.ID+"/start", nil)
+	if resp.StatusCode != http.StatusServiceUnavailable {
+		t.Fatalf("status = %d, want 503", resp.StatusCode)
+	}
+}
+
+// =============================================================================
+// stripImageTag-style behaviour assertions for the storage probe cache —
+// memoization wins on the second call within the TTL window.
+// =============================================================================
+
+func TestStorageProbeCache_SecondCallSkipsProbe(t *testing.T) {
+	// Clear the cache so a different test order doesn't pre-warm.
+	storageProbeMu.Lock()
+	storageProbeCache = map[string]storageProbeEntry{}
+	storageProbeMu.Unlock()
+
+	e := newAPITestEnv(t)
+	wl, _ := e.store.CreateWorkload(store.Workload{
+		Kind:         string(store.WorkloadKindSite),
+		Name:         "pages",
+		SourceKind:   "static",
+		SourceConfig: `{"provider":"gitea","storage_enabled":true,"storage_limit_mb":256}`,
+	})
+
+	// First call populates the cache (docker is nil, so it short-circuits
+	// before the probe and never writes a cache entry — this test is
+	// asserting that the no-docker path is well-behaved).
+	resp := e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/storage", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("first call status = %d, want 200", resp.StatusCode)
+	}
+	resp.Body.Close()
+
+	// Second call should also return 200 — the path is idempotent.
+	resp = e.do(t, http.MethodGet, "/api/workloads/"+wl.ID+"/storage", nil)
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("second call status = %d, want 200", resp.StatusCode)
+	}
+	resp.Body.Close()
+}