Add secrets infrastructure: DB tables, shared types, env binding model, and migration improvements

Introduce company_secrets and company_secret_versions tables for
encrypted secret storage. Add EnvBinding discriminated union (plain vs
secret_ref) to replace raw string env values in adapter configs. Add
hiddenAt column to issues for soft-hiding. Improve migration system
with journal-ordered application and manual fallback when Drizzle
migrator can't reconcile history.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/db/src/schema/company_secret_versions.ts

@@ -0,0 +1,23 @@
+import { pgTable, uuid, text, timestamp, integer, jsonb, index, uniqueIndex } from "drizzle-orm/pg-core";
+import { agents } from "./agents.js";
+import { companySecrets } from "./company_secrets.js";
+
+export const companySecretVersions = pgTable(
+  "company_secret_versions",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    secretId: uuid("secret_id").notNull().references(() => companySecrets.id, { onDelete: "cascade" }),
+    version: integer("version").notNull(),
+    material: jsonb("material").$type<Record<string, unknown>>().notNull(),
+    valueSha256: text("value_sha256").notNull(),
+    createdByAgentId: uuid("created_by_agent_id").references(() => agents.id, { onDelete: "set null" }),
+    createdByUserId: text("created_by_user_id"),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+    revokedAt: timestamp("revoked_at", { withTimezone: true }),
+  },
+  (table) => ({
+    secretIdx: index("company_secret_versions_secret_idx").on(table.secretId, table.createdAt),
+    valueHashIdx: index("company_secret_versions_value_sha256_idx").on(table.valueSha256),
+    secretVersionUq: uniqueIndex("company_secret_versions_secret_version_uq").on(table.secretId, table.version),
+  }),
+);

packages/db/src/schema/company_secrets.ts

@@ -0,0 +1,25 @@
+import { pgTable, uuid, text, timestamp, integer, index, uniqueIndex } from "drizzle-orm/pg-core";
+import { companies } from "./companies.js";
+import { agents } from "./agents.js";
+
+export const companySecrets = pgTable(
+  "company_secrets",
+  {
+    id: uuid("id").primaryKey().defaultRandom(),
+    companyId: uuid("company_id").notNull().references(() => companies.id),
+    name: text("name").notNull(),
+    provider: text("provider").notNull().default("local_encrypted"),
+    externalRef: text("external_ref"),
+    latestVersion: integer("latest_version").notNull().default(1),
+    description: text("description"),
+    createdByAgentId: uuid("created_by_agent_id").references(() => agents.id, { onDelete: "set null" }),
+    createdByUserId: text("created_by_user_id"),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => ({
+    companyIdx: index("company_secrets_company_idx").on(table.companyId),
+    companyProviderIdx: index("company_secrets_company_provider_idx").on(table.companyId, table.provider),
+    companyNameUq: uniqueIndex("company_secrets_company_name_uq").on(table.companyId, table.name),
+  }),
+);

packages/db/src/schema/index.ts

@@ -16,3 +16,5 @@ export { costEvents } from "./cost_events.js";
 export { approvals } from "./approvals.js";
 export { approvalComments } from "./approval_comments.js";
 export { activityLog } from "./activity_log.js";
+export { companySecrets } from "./company_secrets.js";
+export { companySecretVersions } from "./company_secret_versions.js";

packages/db/src/schema/issues.ts

@@ -35,6 +35,7 @@ export const issues = pgTable(
     startedAt: timestamp("started_at", { withTimezone: true }),
     completedAt: timestamp("completed_at", { withTimezone: true }),
     cancelledAt: timestamp("cancelled_at", { withTimezone: true }),
+    hiddenAt: timestamp("hidden_at", { withTimezone: true }),
     createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
     updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
   },