Phase 3C — Commit Summary

feat: workspaces — collaborative repo namespaces
Backend
- internal/models/workspace.go — Workspace (handle, displayName,
  description, createdBy) + WorkspaceMember (workspaceId, userId,
  username, role: owner/admin/member)
- internal/models/repo.go — added nullable workspace_id column; existing
  user repos unaffected
- internal/models/migrations/011_workspaces.go — syncs both tables +
  adds column to repository
- internal/api/handlers/workspace.go — ListWorkspaces, CreateWorkspace,
  GetWorkspace, UpdateWorkspace, DeleteWorkspace (blocks if repos
  remain), ListRepos, ListMembers, AddMember, UpdateMember, RemoveMember
- internal/api/handlers/repos.go — lookupRepo resolves workspace
  handles; Create accepts workspace field; List includes workspace
  member repos; withOwnerName uses workspace handle for workspace-owned
  repos
- internal/api/handlers/dashboard.go — recentRuns + repo list include
  workspace repos the user is a member of
- internal/api/router.go — /workspaces, /workspaces/:handle/* routes
  Workspace rules enforced:
- Handle globally unique across usernames + workspace handles (409 on
  collision)
- Creator auto-assigned owner role
- Delete blocked if repos exist
- Last owner cannot be demoted/removed
  ---
  feat: secret management hierarchy (Global → Workspace → Repo → Env)
  Backend
- internal/models/secret.go — Secret struct +
  EncryptSecret/DecryptSecret with AES-256-GCM (key = SHA-256 of
  SESSION_SECRET); values never serialised to JSON
- internal/models/migrations/012_secrets.go — syncs secret table
- internal/api/handlers/secret.go — List/Upsert/Delete for all four
  scopes; ResolveSecretsForRun builds merged env map for CI
- internal/domain/ci/executor.go — JobContext.Secrets field; secrets
  injected as --env KEY=VALUE into docker run; buildJobContext calls
  resolveSecrets(Global < Workspace < Repo < Env)
- internal/domain/ci/runner_manager.go — passes cfg.SessionSecret to
  buildJobContext
- internal/api/router.go — /repos/:owner/:repo/secrets,
  /environments/:envName/secrets, /workspaces/:handle/secrets,
  /admin/secrets
  ---
  feat: workspace + secret management UI
  Frontend
- types/api.ts — Workspace, WorkspaceWithMeta, WorkspaceMember,
  SecretListItem types
- api/queries/workspaces.ts — full CRUD hooks + WorkspaceRepo type
- api/queries/secrets.ts — repo/env/workspace secret hooks
- pages/WorkspacesPage.tsx — list + create modal
- pages/WorkspacePage.tsx — workspace dashboard with repo list
- pages/WorkspaceSettingsPage.tsx — general settings, members CRUD,
  workspace secrets, danger zone
- pages/RepoSecretsPage.tsx — repo secrets + per-environment secret
  sections with priority hierarchy callout
- pages/CreateRepoPage.tsx — ?workspace= query param pre-fills owner
  selector; only admin/owner workspaces shown
- components/layout/Sidebar.tsx — "Workspaces" global nav item +
  workspace quick-links; "Secrets" in RepoSubNav; new SecretsIcon,
  WorkspaceIcon
- App.tsx — routes for /workspaces, /workspaces/:handle,
  /workspaces/:handle/settings, /repos/:owner/:repo/secrets

internal/models/migrations/001_init.go

@@ -40,5 +40,11 @@ func Run(engine *xorm.Engine) error {
 	if err := Run009(engine); err != nil {
 		return err
 	}
-	return Run010(engine)
+	if err := Run010(engine); err != nil {
+		return err
+	}
+	if err := Run011(engine); err != nil {
+		return err
+	}
+	return Run012(engine)
 }

internal/models/migrations/011_workspaces.go

@@ -0,0 +1,20 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+// Run011 adds the workspace and workspace_member tables and adds the nullable
+// workspace_id column to the repository table to support workspace-owned repos.
+func Run011(engine *xorm.Engine) error {
+	if err := engine.Sync2(
+		&models.Workspace{},
+		&models.WorkspaceMember{},
+	); err != nil {
+		return err
+	}
+	// Sync2 on Repository will add the new workspace_id column to existing rows
+	// (default NULL, meaning existing repos remain user-owned).
+	return engine.Sync2(&models.Repository{})
+}

internal/models/migrations/012_secrets.go

@@ -0,0 +1,10 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+func Run012(engine *xorm.Engine) error {
+	return engine.Sync2(&models.Secret{})
+}

internal/models/repo.go

@@ -3,13 +3,14 @@ package models
 import "time"
 
 type Repository struct {
-	ID            int64     `xorm:"'id' pk autoincr"                          json:"id"`
-	OwnerID       int64     `xorm:"'owner_id' notnull index"                  json:"ownerId"`
-	Name          string    `xorm:"'name' notnull varchar(100)"               json:"name"`
-	Description   string    `xorm:"'description' varchar(500)"                json:"description"`
-	IsPrivate     bool      `xorm:"'is_private' default false"                json:"isPrivate"`
+	ID            int64     `xorm:"'id' pk autoincr"                             json:"id"`
+	OwnerID       int64     `xorm:"'owner_id' index"                             json:"ownerId"`       // user ID; 0 when workspace-owned
+	WorkspaceID   *int64    `xorm:"'workspace_id' index"                         json:"workspaceId"`   // set when workspace-owned
+	Name          string    `xorm:"'name' notnull varchar(100)"                  json:"name"`
+	Description   string    `xorm:"'description' varchar(500)"                   json:"description"`
+	IsPrivate     bool      `xorm:"'is_private' default false"                   json:"isPrivate"`
 	DefaultBranch string    `xorm:"'default_branch' default 'main' varchar(255)" json:"defaultBranch"`
-	DiskPath      string    `xorm:"'disk_path' notnull"                       json:"-"`
-	CreatedAt     time.Time `xorm:"'created_at' created"                      json:"createdAt"`
-	UpdatedAt     time.Time `xorm:"'updated_at' updated"                      json:"updatedAt"`
+	DiskPath      string    `xorm:"'disk_path' notnull"                          json:"-"`
+	CreatedAt     time.Time `xorm:"'created_at' created"                         json:"createdAt"`
+	UpdatedAt     time.Time `xorm:"'updated_at' updated"                         json:"updatedAt"`
 }

internal/models/secret.go

@@ -0,0 +1,90 @@
+package models
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+)
+
+// SecretScope controls which resources a secret is visible to.
+type SecretScope string
+
+const (
+	SecretScopeGlobal    SecretScope = "global"    // admin-only; available to all repos
+	SecretScopeWorkspace SecretScope = "workspace"  // available to all repos in a workspace
+	SecretScopeRepo      SecretScope = "repo"       // specific repository
+	SecretScopeEnv       SecretScope = "env"        // specific environment (highest priority)
+)
+
+// Secret stores an AES-256-GCM encrypted key/value pair.
+// Values are write-only: the API never returns the plaintext after creation.
+// Uniqueness: (scope, scope_id, name) must be unique.
+type Secret struct {
+	ID             int64       `xorm:"'id' pk autoincr"                   json:"id"`
+	Scope          SecretScope `xorm:"'scope' varchar(20) notnull"        json:"scope"`
+	ScopeID        int64       `xorm:"'scope_id'"                         json:"scopeId"` // 0 for global
+	Name           string      `xorm:"'name' varchar(255) notnull"        json:"name"`
+	EncryptedValue string      `xorm:"'encrypted_value' text notnull"     json:"-"`        // never serialised
+	CreatedAt      time.Time   `xorm:"'created_at' created"              json:"createdAt"`
+	UpdatedAt      time.Time   `xorm:"'updated_at' updated"              json:"updatedAt"`
+}
+
+// ── Encryption helpers ────────────────────────────────────────────────────────
+
+// deriveKey produces a 32-byte AES key from the session secret via SHA-256.
+func deriveKey(sessionSecret string) []byte {
+	h := sha256.Sum256([]byte(sessionSecret))
+	return h[:]
+}
+
+// EncryptSecret encrypts plaintext with AES-256-GCM and returns a base64 string
+// of the form: base64(nonce || ciphertext).
+func EncryptSecret(plaintext, sessionSecret string) (string, error) {
+	key := deriveKey(sessionSecret)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", fmt.Errorf("aes cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", fmt.Errorf("gcm: %w", err)
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return "", fmt.Errorf("nonce: %w", err)
+	}
+	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+	return base64.StdEncoding.EncodeToString(sealed), nil
+}
+
+// DecryptSecret reverses EncryptSecret.
+func DecryptSecret(encrypted, sessionSecret string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(encrypted)
+	if err != nil {
+		return "", fmt.Errorf("base64: %w", err)
+	}
+	key := deriveKey(sessionSecret)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", fmt.Errorf("aes cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", fmt.Errorf("gcm: %w", err)
+	}
+	if len(data) < gcm.NonceSize() {
+		return "", fmt.Errorf("ciphertext too short")
+	}
+	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
+	pt, err := gcm.Open(nil, nonce, ct, nil)
+	if err != nil {
+		return "", fmt.Errorf("decrypt: %w", err)
+	}
+	return string(pt), nil
+}
+
+

internal/models/workspace.go

@@ -0,0 +1,36 @@
+package models
+
+import "time"
+
+// WorkspaceRole controls what a member can do inside a workspace.
+type WorkspaceRole string
+
+const (
+	WorkspaceRoleOwner  WorkspaceRole = "owner"
+	WorkspaceRoleAdmin  WorkspaceRole = "admin"
+	WorkspaceRoleMember WorkspaceRole = "member"
+)
+
+// Workspace is a named collaborative namespace that can own repositories.
+// Its handle must be globally unique across all usernames and workspace handles
+// so that /{owner}/{repo} URLs remain unambiguous.
+type Workspace struct {
+	ID          int64     `xorm:"'id' pk autoincr"                          json:"id"`
+	Handle      string    `xorm:"'handle' unique notnull varchar(64)"        json:"handle"`
+	DisplayName string    `xorm:"'display_name' varchar(255)"               json:"displayName"`
+	Description string    `xorm:"'description' text"                        json:"description"`
+	AvatarURL   string    `xorm:"'avatar_url' varchar(500)"                 json:"avatarUrl"`
+	CreatedBy   int64     `xorm:"'created_by' notnull"                      json:"createdBy"`
+	CreatedAt   time.Time `xorm:"'created_at' created"                      json:"createdAt"`
+	UpdatedAt   time.Time `xorm:"'updated_at' updated"                      json:"updatedAt"`
+}
+
+// WorkspaceMember links a User to a Workspace with a role.
+type WorkspaceMember struct {
+	ID          int64         `xorm:"'id' pk autoincr"              json:"id"`
+	WorkspaceID int64         `xorm:"'workspace_id' notnull index"  json:"workspaceId"`
+	UserID      int64         `xorm:"'user_id' notnull index"       json:"userId"`
+	Username    string        `xorm:"'username' varchar(64)"        json:"username"`
+	Role        WorkspaceRole `xorm:"'role' varchar(20)"            json:"role"`
+	AddedAt     time.Time     `xorm:"'added_at' created"            json:"addedAt"`
+}