feat(ai-chat): per-user AI agent backend — LLM config, read-only agent, provenance schema

WIP checkpoint of the gitmost AI-chat backend (plan stages A + B1 + B3a).
The agent acts under the requesting user's JWT (Docmost CASL enforces page
access); the external service-account /mcp endpoint is untouched.

LLM provider config (A2-A4):
- integrations/crypto: AES-256-GCM SecretBoxService (key derived from APP_SECRET,
  per-record salt/iv; clear error on rotation instead of crashing).
- ai_provider_credentials table/repo/types: encrypted API key stored outside
  workspace settings/baseFields, write-only (never returned by any endpoint).
- integrations/ai: per-workspace AI SDK v6 provider driver (openai/gemini/ollama),
  admin-gated GET(masked)/PATCH(write-only key)/Test endpoints; settings.ai.provider
  holds non-secret config incl. systemPrompt. Removed unused AI_* env getters (DB is
  the single source of truth).

Chat module (A1, A5-A8):
- ai_chats/ai_chat_messages repos (workspace-scoped, soft-delete, tsv never selected).
- core/ai-chat: CRUD + POST /ai-chat/stream (Fastify hijack + AI SDK v6
  pipeUIMessageStreamToResponse, abort on disconnect, persist user/assistant msgs).
- Agent loop: streamText + stepCountIs(8); read tools searchPages/getPage via a
  per-request DocmostClient over loopback REST under the user's minted access token.
- Gate settings.ai.chat (+ 503 when provider unconfigured); buildSystemPrompt with a
  non-removable safety/anti-prompt-injection framework. Per-user rate limit.

Per-user auth (B1):
- @docmost/mcp DocmostClient gains an additive getToken variant (carry a user JWT,
  re-fetch on 401) and exports DocmostClient; the email/password service-account path
  (external /mcp, stdio) is unchanged.

Agent-edit provenance backbone (B3a):
- Migration: pages/page_history (last_updated_source, last_updated_ai_chat_id) and
  comments (created_source, ai_chat_id, resolved_source).
- Signed actor/aiChatId claim in the collab token; onAuthenticate propagates it,
  onStoreDocument writes it with a sticky agent marker, saveHistory copies it.

Migrations auto-run on boot (additive). Write tools, frontend, RAG and external MCP
servers are not in this checkpoint.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/server/src/database/migrations/20260616T120000-ai-provider-credentials.ts

@@ -0,0 +1,30 @@
+import { type Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable('ai_provider_credentials')
+    .ifNotExists()
+    .addColumn('id', 'uuid', (col) =>
+      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
+    )
+    .addColumn('workspace_id', 'uuid', (col) =>
+      col.references('workspaces.id').onDelete('cascade').notNull(),
+    )
+    .addColumn('driver', 'varchar', (col) => col.notNull())
+    .addColumn('api_key_enc', 'text', (col) => col)
+    .addColumn('created_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .addColumn('updated_at', 'timestamptz', (col) =>
+      col.notNull().defaultTo(sql`now()`),
+    )
+    .addUniqueConstraint('uq_ai_provider_credentials_workspace_driver', [
+      'workspace_id',
+      'driver',
+    ])
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable('ai_provider_credentials').execute();
+}

apps/server/src/database/migrations/20260616T130000-agent-provenance.ts

@@ -0,0 +1,66 @@
+import { type Kysely, sql } from 'kysely';
+
+/**
+ * Agent-edit provenance backbone (§5.2 / §6.6 / §15 C2,H2).
+ *
+ * Additive provenance markers so an edit "by the agent" is recorded on the page
+ * and its history snapshot, plus analogous comment columns for a later unit.
+ * `last_updated_by_id` still names the responsible human author; these columns
+ * only annotate the source. `'user' | 'agent'` is stored as a short varchar to
+ * stay forward-compatible without an enum migration.
+ */
+export async function up(db: Kysely<any>): Promise<void> {
+  // pages: provenance of the current state (mirrors last_updated_by_id semantics)
+  await db.schema
+    .alterTable('pages')
+    .addColumn('last_updated_source', 'varchar(20)', (col) =>
+      col.notNull().defaultTo('user'),
+    )
+    .addColumn('last_updated_ai_chat_id', 'uuid', (col) =>
+      col.references('ai_chats.id').onDelete('set null'),
+    )
+    .execute();
+
+  // page_history: provenance snapshot, copied from the page at save time.
+  // Nullable (no default) — historical rows predate the marker.
+  await db.schema
+    .alterTable('page_history')
+    .addColumn('last_updated_source', 'varchar(20)', (col) => col)
+    .addColumn('last_updated_ai_chat_id', 'uuid', (col) =>
+      col.references('ai_chats.id').onDelete('set null'),
+    )
+    .execute();
+
+  // comments: analogous markers for a later unit (create + resolve provenance).
+  await db.schema
+    .alterTable('comments')
+    .addColumn('created_source', 'varchar(20)', (col) =>
+      col.notNull().defaultTo('user'),
+    )
+    .addColumn('ai_chat_id', 'uuid', (col) =>
+      col.references('ai_chats.id').onDelete('set null'),
+    )
+    .addColumn('resolved_source', 'varchar(20)', (col) => col)
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .alterTable('comments')
+    .dropColumn('created_source')
+    .dropColumn('ai_chat_id')
+    .dropColumn('resolved_source')
+    .execute();
+
+  await db.schema
+    .alterTable('page_history')
+    .dropColumn('last_updated_source')
+    .dropColumn('last_updated_ai_chat_id')
+    .execute();
+
+  await db.schema
+    .alterTable('pages')
+    .dropColumn('last_updated_source')
+    .dropColumn('last_updated_ai_chat_id')
+    .execute();
+}