Add secrets infrastructure: DB tables, shared types, env binding model, and migration improvements

Introduce company_secrets and company_secret_versions tables for
encrypted secret storage. Add EnvBinding discriminated union (plain vs
secret_ref) to replace raw string env values in adapter configs. Add
hiddenAt column to issues for soft-hiding. Improve migration system
with journal-ordered application and manual fallback when Drizzle
migrator can't reconcile history.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/shared/src/index.ts

@@ -10,6 +10,7 @@ export {
   PROJECT_STATUSES,
   APPROVAL_TYPES,
   APPROVAL_STATUSES,
+  SECRET_PROVIDERS,
   HEARTBEAT_INVOCATION_SOURCES,
   HEARTBEAT_RUN_STATUSES,
   WAKEUP_TRIGGER_DETAILS,
@@ -26,6 +27,7 @@ export {
   type ProjectStatus,
   type ApprovalType,
   type ApprovalStatus,
+  type SecretProvider,
   type HeartbeatInvocationSource,
   type HeartbeatRunStatus,
   type WakeupTriggerDetail,
@@ -57,6 +59,10 @@ export type {
   DashboardSummary,
   ActivityEvent,
   SidebarBadges,
+  EnvBinding,
+  AgentEnvConfig,
+  CompanySecret,
+  SecretProviderDescriptor,
 } from "./types/index.js";
 
 export {
@@ -107,6 +113,16 @@ export {
   type RequestApprovalRevision,
   type ResubmitApproval,
   type AddApprovalComment,
+  envBindingPlainSchema,
+  envBindingSecretRefSchema,
+  envBindingSchema,
+  envConfigSchema,
+  createSecretSchema,
+  rotateSecretSchema,
+  updateSecretSchema,
+  type CreateSecret,
+  type RotateSecret,
+  type UpdateSecret,
   createCostEventSchema,
   updateBudgetSchema,
   type CreateCostEvent,
@@ -122,10 +138,14 @@ export {
   databaseConfigSchema,
   loggingConfigSchema,
   serverConfigSchema,
+  secretsConfigSchema,
+  secretsLocalEncryptedConfigSchema,
   type PaperclipConfig,
   type LlmConfig,
   type DatabaseConfig,
   type LoggingConfig,
   type ServerConfig,
+  type SecretsConfig,
+  type SecretsLocalEncryptedConfig,
   type ConfigMeta,
 } from "./config-schema.js";