Autonomous run dashboard

Run summary

Started
2026-04-29
Outcome
VERIFIED — 8 of 8 PASS
Total wall-clock
~150 min (initial run + halt + resumed run + hotfix + PLATFORM-37 + PLATFORM-38)
Tickets attempted
7 implementation + 1 dashboard + 1 hotfix (PLATFORM-25.1)
Passed
9 (PLATFORM-25 / 25.1 / 26 / 27 / 29 / 31 / 33 / 37 / 38)
Failed
0
Tests
329 → 529 (+200)

Per-ticket cards

PLATFORM-38 PASS
Status
Complete
Commit
c9de914
ACs
6 / 6 verified (real-VPS basicauth round-trip via mock harness; live-VPS path fits the existing PLATFORM-37 mock contract)
BasicAuth enforcement variant lights up end-to-end. New secret_put_bcrypt RPC bcrypt-hashes the plain password in-process at cost 14 (CF Access default), drops the SecretString before any further async work, stores the hash as Secret::BcryptHash { hash, cost }, and yields exactly BcryptStored { secret_key } on the event stream. The plain password is never serialized, never logged, and never round-trips through describe/reveal. Caddy renderer's Enforcement::BasicAuth arm now emits basicauth { operator $2a$14$… } with optional realm; the bcrypt hash comes from a BasicAuthSecrets map the orchestrator pre-resolves from the SecretStore (renderer stays sync). New [site.protect] TOML section parses into the existing Enforcement tagged enum. backend_add_from_repo for a BasicAuth-protected backend pre-flights the secret at config_load: a missing secret or one of the wrong variant surfaces BackendRollback with a clear secret_put_bcrypt --tenant {} --secret-key {} remediation hint, BEFORE any image build / DNS / Caddy work. CaddyDeployer::deploy trait widened to take the secret map; all three call sites (add, rollback strip, remove) updated. 4 new builder tests + 2 config tests + 2 hub tests + 3 integration tests in tests/backend_basic_auth.rs; render_basic_auth_never_contains_plain_password_substring + happy_path_renders_basic_auth_block_with_hash_and_never_plain pin the no-leak contract. 519 → 529 (+10), all green.
PLATFORM-37 PASS
Status
Complete
Commit
bf93648
ACs
7 / 7 in-scope (real-VPS reload deferred per HARD STOP — verified end-to-end via MockCaddyDeployer)
Backend deploys land behind Caddy. backend_add_from_repo's phase chain extends to ... -> UnitCreated -> CaddySiteAdded -> HealthCheckProbing -> BackendDeployed; backend_remove strips the Caddy site block FIRST, then stops the container, then drops DNS. Per-VPS tokio::sync::Mutex at the orchestrator level serializes concurrent backend adds against the same VPS so the read-modify-write of the persisted CaddyDeploymentRecord stays consistent. New BackendStatus::BehindCaddyOnVps { vps, hostname } variant; new LocalPlatform::{put,get,remove}_caddy_deployment accessors (state file schema bumped v5 -> v6); new BackendEvent variants CaddySiteAdded / CaddySiteRemoved / EnforcementVariantNotImplemented / RemoveStepFailed. Enforcement::None is the only V1 variant; BasicAuth/CfAccess/PomeriumOnVps emit a clear "not yet implemented in PLATFORM-37" event and refuse to add (PLATFORM-38/34/35 land them). 5 new integration tests in tests/backend_caddy_lifecycle.rs + 5 unit tests for status round-trip + caddy state persistence. 509 -> 519 (+10), all green.
PLATFORM-8 PASS
Status
Complete
Commit
03ad2ca + e8104c7
ACs
8 / 9 in-scope; real-apply path deferred to INFRA-5 per HARD STOP (no money spent)
vps_provision + vps_destroy streaming RPCs against the INFRA-2 hetzner-vps OpenTofu module: VpsProvisionInit -> TofuInitStarted -> SshKeyEnsured -> TofuPlanCompleted -> TofuApplyProgress* -> TofuApplyCompleted -> VpsRegistered -> VpsProvisioned. New TofuRunner trait + HetznerSshKeyBootstrap + typed VpsRecord persisted by LocalPlatform (schema bumped v4 -> v5). Apply-failure rolls back via reverse-LIFO: emits VpsProvisionRollback + drives a tofu destroy cleanup so we never leave paid-for cloud resources without state. Idempotent re-run short-circuits with VpsAlreadyExists. 7 integration tests + 35 unit tests, all green via MockTofuRunner + MockHetznerSshKey.
PLATFORM-43 PASS
Status
Complete
Commit
506dd0d
ACs
4 / 5 verified; AC1 (real-ghcr push) deferred per HARD STOP (no live registry pushes)
image_push streaming RPC ships local OCI images to a remote registry: ImagePushInit -> AuthCaptured -> TagApplied -> PushStarted -> PushProgress -> PushCompleted (or ImageAlreadyPushed when remote already carries the same digest). Sibling to OciBuildExecutor; new OciImagePusher trait + LocalPodmanImagePusher + MockImagePusher. Auth pre-flight reads X-OAuth-Scopes from api.github.com/user; missing write:packages raises typed error with gh auth refresh remediation. 19 new tests (14 unit + 5 integration), all green.
PLATFORM-42 PASS
Status
Complete
Commit
ddb71f4
ACs
5 / 6 in-scope; AC2 (real-VPS install) deferred to INFRA-5 dogfood per ticket constraint
nixos_install streaming RPC wraps nixos-anywhere: init -> preflight -> flake_build -> kexec -> partition -> copy -> install -> reboot -> reachable -> completed. Idempotent re-run on already-NixOS short-circuits with idempotent: true. --validate-only emits FlakeBuilt + NixosReachable, no destructive ops. 24 new tests (16 unit + 8 integration), all green via MockNixosAnywhereRunner / MockSshExecutor / MockReachabilityProbe.
PLATFORM-25 PASS (after hotfix)
Status
Complete
Commit
f9db273 + 4db6a61
ACs
10 / 10 verified
Originally failed Phase 4 on namecom credential shape. Unblocked by PLATFORM-25.1 hotfix; all three registrar calls now pass against real name.com.
PLATFORM-25.1 PASS
Status
Complete
Commit
4db6a61
ACs
6 / 6 verified
Sibling-file convention for namecom credentials. namecom-username + namecom-token as separate files, matching every other provider. Legacy combined-line still works.
PLATFORM-27 PASS
Status
Complete
Commit
815dae8
ACs
9 / 9 verified
Redacted-by-default serde for SecretString + secret_describe / secret_reveal RPCs. Adversarial probe confirmed wire never carries token bytes without --confirm-reveal.
PLATFORM-31 PASS
Status
Complete
Commit
88b3d81
ACs
7 / 7 in-scope; AC8 deferred to PLATFORM-29
site_remove now does full provider teardown (detach domain → delete project → delete DNS → mark Removed). End-to-end verified: deploy throwaway → remove → 200→530 → project 404 → DNS empty.
PLATFORM-29 PASS
Status
Complete
Commit
9efd527
ACs
9 / 9 verified
38 httpmock wire-shape tests for CF Pages + DNS providers. Three regression-killer pins (GET upload-token, missing zone_id, apex CNAME full-domain). Zero production impl changes.
PLATFORM-26 PASS
Status
Complete
Commit
f535d1b
ACs
10 / 10 verified
14 identifier newtypes validate at boundary. Live shell-injection probe — --tenant "foo; rm -rf /" — returns typed validation error, no shell exec. BackendName::new_unchecked deleted with Option<BackendName> widening.
PLATFORM-36 PASS
Status
Complete
Commit
4266fd1
ACs
5 / 7 verified; AC5 state-store integration picked up + landed in PLATFORM-37; AC7 deferred (inline module docs cover the shape)
Caddy reverse-proxy module — typed CaddyConfigBuilder + CaddyDeployer trait + LocalCaddyDeployer with SSH-driven upload, atomic swap, systemctl reload caddy, and .bak rollback on reload failure. Enforcement enum closed at definition (None renders today; BasicAuth/CfAccess/PomeriumOnVps error cleanly with EnforcementVariantNotImplemented for PLATFORM-34/35/38). 22 caddy tests + live caddy validate when on PATH. 412 → 436 tests.

Non-obvious wins from the run

Live-site canaries

Checked at build time (2026-04-29T20:15Z) via curl -s -o /dev/null -w "%{http_code}" <url>.

URL                                  HTTP status   Result
https://hypermemetic.ai              200           OK
https://c2c.hypermemetic.ai          200           OK
https://www.hypermemetic.ai          200           OK
https://changelog.hypermemetic.ai    200           OK

Most-recent update

SHA
c9de914
Subject
PLATFORM-38: BasicAuth enforcement variant — secret_put_bcrypt + Caddy basicauth render
Author
Ben Haware
Timestamp
2026-04-29 22:00 -0400