Phase 3C — Commit Summary

feat: workspaces — collaborative repo namespaces
Backend
- internal/models/workspace.go — Workspace (handle, displayName,
  description, createdBy) + WorkspaceMember (workspaceId, userId,
  username, role: owner/admin/member)
- internal/models/repo.go — added nullable workspace_id column; existing
  user repos unaffected
- internal/models/migrations/011_workspaces.go — syncs both tables +
  adds column to repository
- internal/api/handlers/workspace.go — ListWorkspaces, CreateWorkspace,
  GetWorkspace, UpdateWorkspace, DeleteWorkspace (blocks if repos
  remain), ListRepos, ListMembers, AddMember, UpdateMember, RemoveMember
- internal/api/handlers/repos.go — lookupRepo resolves workspace
  handles; Create accepts workspace field; List includes workspace
  member repos; withOwnerName uses workspace handle for workspace-owned
  repos
- internal/api/handlers/dashboard.go — recentRuns + repo list include
  workspace repos the user is a member of
- internal/api/router.go — /workspaces, /workspaces/:handle/* routes
  Workspace rules enforced:
- Handle globally unique across usernames + workspace handles (409 on
  collision)
- Creator auto-assigned owner role
- Delete blocked if repos exist
- Last owner cannot be demoted/removed
  ---
  feat: secret management hierarchy (Global → Workspace → Repo → Env)
  Backend
- internal/models/secret.go — Secret struct +
  EncryptSecret/DecryptSecret with AES-256-GCM (key = SHA-256 of
  SESSION_SECRET); values never serialised to JSON
- internal/models/migrations/012_secrets.go — syncs secret table
- internal/api/handlers/secret.go — List/Upsert/Delete for all four
  scopes; ResolveSecretsForRun builds merged env map for CI
- internal/domain/ci/executor.go — JobContext.Secrets field; secrets
  injected as --env KEY=VALUE into docker run; buildJobContext calls
  resolveSecrets(Global < Workspace < Repo < Env)
- internal/domain/ci/runner_manager.go — passes cfg.SessionSecret to
  buildJobContext
- internal/api/router.go — /repos/:owner/:repo/secrets,
  /environments/:envName/secrets, /workspaces/:handle/secrets,
  /admin/secrets
  ---
  feat: workspace + secret management UI
  Frontend
- types/api.ts — Workspace, WorkspaceWithMeta, WorkspaceMember,
  SecretListItem types
- api/queries/workspaces.ts — full CRUD hooks + WorkspaceRepo type
- api/queries/secrets.ts — repo/env/workspace secret hooks
- pages/WorkspacesPage.tsx — list + create modal
- pages/WorkspacePage.tsx — workspace dashboard with repo list
- pages/WorkspaceSettingsPage.tsx — general settings, members CRUD,
  workspace secrets, danger zone
- pages/RepoSecretsPage.tsx — repo secrets + per-environment secret
  sections with priority hierarchy callout
- pages/CreateRepoPage.tsx — ?workspace= query param pre-fills owner
  selector; only admin/owner workspaces shown
- components/layout/Sidebar.tsx — "Workspaces" global nav item +
  workspace quick-links; "Secrets" in RepoSubNav; new SecretsIcon,
  WorkspaceIcon
- App.tsx — routes for /workspaces, /workspaces/:handle,
  /workspaces/:handle/settings, /repos/:owner/:repo/secrets

internal/api/router.go

@@ -60,6 +60,8 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 	runnerH     := handlers.NewRunnerHandler(engine)
 	envH        := handlers.NewEnvironmentHandler(engine, bus)
 	timelineH   := handlers.NewTimelineHandler(engine, cfg.RepoRoot)
+	workspaceH  := handlers.NewWorkspaceHandler(engine, cfg)
+	secretH     := handlers.NewSecretHandler(engine, cfg.SessionSecret)
 
 	// ── Git smart-HTTP transport ───────────────────────────────────────────────
 	// Regex constraint ensures only *.git paths match, so asset/SPA URLs
@@ -108,6 +110,30 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 			r.Get("/audit", auditH.List)
 			r.Get("/pipelines/runs", pipeH.ListRecentRuns)
 
+			// Workspace routes
+			r.Get("/workspaces", workspaceH.ListWorkspaces)
+			r.With(csrf).Post("/workspaces", workspaceH.CreateWorkspace)
+			r.Route("/workspaces/{handle}", func(r chi.Router) {
+				r.Get("/", workspaceH.GetWorkspace)
+				r.With(csrf).Patch("/", workspaceH.UpdateWorkspace)
+				r.With(csrf).Delete("/", workspaceH.DeleteWorkspace)
+				r.Get("/repos", workspaceH.ListRepos)
+				r.Route("/members", func(r chi.Router) {
+					r.Get("/", workspaceH.ListMembers)
+					r.With(csrf).Post("/", workspaceH.AddMember)
+					r.With(csrf).Patch("/{username}", workspaceH.UpdateMember)
+					r.With(csrf).Delete("/{username}", workspaceH.RemoveMember)
+				})
+				r.Get("/secrets", secretH.ListWorkspaceSecrets)
+				r.With(csrf).Post("/secrets", secretH.UpsertWorkspaceSecret)
+				r.With(csrf).Delete("/secrets/{name}", secretH.DeleteWorkspaceSecret)
+			})
+
+			// Global secrets (admin)
+			r.Get("/admin/secrets", secretH.ListGlobalSecrets)
+			r.With(csrf).Post("/admin/secrets", secretH.UpsertGlobalSecret)
+			r.With(csrf).Delete("/admin/secrets/{name}", secretH.DeleteGlobalSecret)
+
 			r.Route("/admin", func(r chi.Router) {
 				r.Get("/runners", runnerH.List)
 				r.With(csrf).Post("/runners/register", runnerH.Register)
@@ -208,6 +234,9 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 				r.Get("/excluded-files", prSettingsH.GetExcludedFiles)
 				r.With(csrf).Put("/excluded-files", prSettingsH.UpdateExcludedFiles)
 				r.Get("/timeline", timelineH.GetTimeline)
+				r.Get("/secrets", secretH.ListRepoSecrets)
+				r.With(csrf).Post("/secrets", secretH.UpsertRepoSecret)
+				r.With(csrf).Delete("/secrets/{name}", secretH.DeleteRepoSecret)
 				r.Get("/lfs-settings", lfsH.Get)
 				r.With(csrf).Put("/lfs-settings", lfsH.Update)
 				r.Route("/environments", func(r chi.Router) {
@@ -222,6 +251,9 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
 							r.With(csrf).Post("/", envH.CreateDeployment)
 							r.With(csrf).Patch("/{deployID}/status", envH.UpdateDeploymentStatus)
 						})
+						r.Get("/secrets", secretH.ListEnvSecrets)
+						r.With(csrf).Post("/secrets", secretH.UpsertEnvSecret)
+						r.With(csrf).Delete("/secrets/{name}", secretH.DeleteEnvSecret)
 					})
 				})
 			})