feat: CI orchestrator — Lambda dispatch + Fargate routing + cancel

dispatch: receives Gitea webhook, routes by runs-on label to Fargate
  tasks (go/node/docker/godot) or Lambda executor (deploy).
  Path filter evaluation, DynamoDB run tracking, cancel via StopTask.
exec: lightweight Lambda for deploy-only jobs (S3 sync, ECS update).
SAM template: API Gateway + 2 Lambdas + DynamoDB + cleanup cron.

orchestrator/README.md

@@ -0,0 +1,56 @@
+# tinqs/ci orchestrator
+
+Lambda-based CI dispatcher for Tinqs Studio. Receives Gitea webhooks and routes jobs to the right execution environment.
+
+## Architecture
+
+```
+Gitea push webhook
+       │
+       ▼
+  API Gateway POST /webhook
+       │
+       ▼
+  ci-dispatch Lambda
+       │
+       ├── runs-on: go/node/docker/godot
+       │     → Start Fargate task with matching image
+       │     → Track in DynamoDB for cancel
+       │
+       ├── runs-on: deploy
+       │     → Invoke ci-exec Lambda directly
+       │
+       └── runs-on: host
+             → Skip (handled by registered runner)
+```
+
+## Deploy
+
+Requires: AWS SAM CLI, AWS credentials, Gitea token.
+
+```bash
+# First time (interactive)
+GITEA_TOKEN=xxx make deploy-guided
+
+# Subsequent deploys
+GITEA_TOKEN=xxx SUBNETS=subnet-abc,subnet-def SECURITY_GROUP=sg-xxx make deploy
+```
+
+After deploy, configure the webhook URL as a Gitea **system webhook**:
+- URL: `https://<api-id>.execute-api.eu-west-1.amazonaws.com/prod/webhook`
+- Method: POST
+- Content type: application/json
+- Events: Push, Workflow Job (for cancel)
+
+## Cancel support
+
+When a user cancels a job in the Gitea UI, the `workflow_job` webhook fires with `action: cancelled`. The dispatcher looks up the Fargate task ARN in DynamoDB and calls `ecs:StopTask`.
+
+A cleanup cron (every 5 min) also kills Fargate tasks that have been running longer than 30 minutes.
+
+## Local testing
+
+```bash
+make build
+make test-local  # requires SAM CLI + Docker
+```