Add secrets infrastructure: DB tables, shared types, env binding model, and migration improvements

Introduce company_secrets and company_secret_versions tables for
encrypted secret storage. Add EnvBinding discriminated union (plain vs
secret_ref) to replace raw string env values in adapter configs. Add
hiddenAt column to issues for soft-hiding. Improve migration system
with journal-ordered application and manual fallback when Drizzle
migrator can't reconcile history.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/shared/src/validators/secret.ts

@@ -0,0 +1,47 @@
+import { z } from "zod";
+import { SECRET_PROVIDERS } from "../constants.js";
+
+export const envBindingPlainSchema = z.object({
+  type: z.literal("plain"),
+  value: z.string(),
+});
+
+export const envBindingSecretRefSchema = z.object({
+  type: z.literal("secret_ref"),
+  secretId: z.string().uuid(),
+  version: z.union([z.literal("latest"), z.number().int().positive()]).optional(),
+});
+
+// Backward-compatible union that accepts legacy inline values.
+export const envBindingSchema = z.union([
+  z.string(),
+  envBindingPlainSchema,
+  envBindingSecretRefSchema,
+]);
+
+export const envConfigSchema = z.record(envBindingSchema);
+
+export const createSecretSchema = z.object({
+  name: z.string().min(1),
+  provider: z.enum(SECRET_PROVIDERS).optional(),
+  value: z.string().min(1),
+  description: z.string().optional().nullable(),
+  externalRef: z.string().optional().nullable(),
+});
+
+export type CreateSecret = z.infer<typeof createSecretSchema>;
+
+export const rotateSecretSchema = z.object({
+  value: z.string().min(1),
+  externalRef: z.string().optional().nullable(),
+});
+
+export type RotateSecret = z.infer<typeof rotateSecretSchema>;
+
+export const updateSecretSchema = z.object({
+  name: z.string().min(1).optional(),
+  description: z.string().optional().nullable(),
+  externalRef: z.string().optional().nullable(),
+});
+
+export type UpdateSecret = z.infer<typeof updateSecretSchema>;