Phase 3C — Commit Summary

feat: workspaces — collaborative repo namespaces
Backend
- internal/models/workspace.go — Workspace (handle, displayName,
  description, createdBy) + WorkspaceMember (workspaceId, userId,
  username, role: owner/admin/member)
- internal/models/repo.go — added nullable workspace_id column; existing
  user repos unaffected
- internal/models/migrations/011_workspaces.go — syncs both tables +
  adds column to repository
- internal/api/handlers/workspace.go — ListWorkspaces, CreateWorkspace,
  GetWorkspace, UpdateWorkspace, DeleteWorkspace (blocks if repos
  remain), ListRepos, ListMembers, AddMember, UpdateMember, RemoveMember
- internal/api/handlers/repos.go — lookupRepo resolves workspace
  handles; Create accepts workspace field; List includes workspace
  member repos; withOwnerName uses workspace handle for workspace-owned
  repos
- internal/api/handlers/dashboard.go — recentRuns + repo list include
  workspace repos the user is a member of
- internal/api/router.go — /workspaces, /workspaces/:handle/* routes
  Workspace rules enforced:
- Handle globally unique across usernames + workspace handles (409 on
  collision)
- Creator auto-assigned owner role
- Delete blocked if repos exist
- Last owner cannot be demoted/removed
  ---
  feat: secret management hierarchy (Global → Workspace → Repo → Env)
  Backend
- internal/models/secret.go — Secret struct +
  EncryptSecret/DecryptSecret with AES-256-GCM (key = SHA-256 of
  SESSION_SECRET); values never serialised to JSON
- internal/models/migrations/012_secrets.go — syncs secret table
- internal/api/handlers/secret.go — List/Upsert/Delete for all four
  scopes; ResolveSecretsForRun builds merged env map for CI
- internal/domain/ci/executor.go — JobContext.Secrets field; secrets
  injected as --env KEY=VALUE into docker run; buildJobContext calls
  resolveSecrets(Global < Workspace < Repo < Env)
- internal/domain/ci/runner_manager.go — passes cfg.SessionSecret to
  buildJobContext
- internal/api/router.go — /repos/:owner/:repo/secrets,
  /environments/:envName/secrets, /workspaces/:handle/secrets,
  /admin/secrets
  ---
  feat: workspace + secret management UI
  Frontend
- types/api.ts — Workspace, WorkspaceWithMeta, WorkspaceMember,
  SecretListItem types
- api/queries/workspaces.ts — full CRUD hooks + WorkspaceRepo type
- api/queries/secrets.ts — repo/env/workspace secret hooks
- pages/WorkspacesPage.tsx — list + create modal
- pages/WorkspacePage.tsx — workspace dashboard with repo list
- pages/WorkspaceSettingsPage.tsx — general settings, members CRUD,
  workspace secrets, danger zone
- pages/RepoSecretsPage.tsx — repo secrets + per-environment secret
  sections with priority hierarchy callout
- pages/CreateRepoPage.tsx — ?workspace= query param pre-fills owner
  selector; only admin/owner workspaces shown
- components/layout/Sidebar.tsx — "Workspaces" global nav item +
  workspace quick-links; "Secrets" in RepoSubNav; new SecretsIcon,
  WorkspaceIcon
- App.tsx — routes for /workspaces, /workspaces/:handle,
  /workspaces/:handle/settings, /repos/:owner/:repo/secrets

internal/models/secret.go

@@ -0,0 +1,90 @@
+package models
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+)
+
+// SecretScope controls which resources a secret is visible to.
+type SecretScope string
+
+const (
+	SecretScopeGlobal    SecretScope = "global"    // admin-only; available to all repos
+	SecretScopeWorkspace SecretScope = "workspace"  // available to all repos in a workspace
+	SecretScopeRepo      SecretScope = "repo"       // specific repository
+	SecretScopeEnv       SecretScope = "env"        // specific environment (highest priority)
+)
+
+// Secret stores an AES-256-GCM encrypted key/value pair.
+// Values are write-only: the API never returns the plaintext after creation.
+// Uniqueness: (scope, scope_id, name) must be unique.
+type Secret struct {
+	ID             int64       `xorm:"'id' pk autoincr"                   json:"id"`
+	Scope          SecretScope `xorm:"'scope' varchar(20) notnull"        json:"scope"`
+	ScopeID        int64       `xorm:"'scope_id'"                         json:"scopeId"` // 0 for global
+	Name           string      `xorm:"'name' varchar(255) notnull"        json:"name"`
+	EncryptedValue string      `xorm:"'encrypted_value' text notnull"     json:"-"`        // never serialised
+	CreatedAt      time.Time   `xorm:"'created_at' created"              json:"createdAt"`
+	UpdatedAt      time.Time   `xorm:"'updated_at' updated"              json:"updatedAt"`
+}
+
+// ── Encryption helpers ────────────────────────────────────────────────────────
+
+// deriveKey produces a 32-byte AES key from the session secret via SHA-256.
+func deriveKey(sessionSecret string) []byte {
+	h := sha256.Sum256([]byte(sessionSecret))
+	return h[:]
+}
+
+// EncryptSecret encrypts plaintext with AES-256-GCM and returns a base64 string
+// of the form: base64(nonce || ciphertext).
+func EncryptSecret(plaintext, sessionSecret string) (string, error) {
+	key := deriveKey(sessionSecret)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", fmt.Errorf("aes cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", fmt.Errorf("gcm: %w", err)
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return "", fmt.Errorf("nonce: %w", err)
+	}
+	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+	return base64.StdEncoding.EncodeToString(sealed), nil
+}
+
+// DecryptSecret reverses EncryptSecret.
+func DecryptSecret(encrypted, sessionSecret string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(encrypted)
+	if err != nil {
+		return "", fmt.Errorf("base64: %w", err)
+	}
+	key := deriveKey(sessionSecret)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", fmt.Errorf("aes cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", fmt.Errorf("gcm: %w", err)
+	}
+	if len(data) < gcm.NonceSize() {
+		return "", fmt.Errorf("ciphertext too short")
+	}
+	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
+	pt, err := gcm.Open(nil, nonce, ct, nil)
+	if err != nil {
+		return "", fmt.Errorf("decrypt: %w", err)
+	}
+	return string(pt), nil
+}
+
+