feat: add environment variables db schema and queries

go/pkg/db/queries/deployment_insert.sql

@@ -11,10 +11,10 @@ INSERT INTO `deployments` (
     git_commit_message,
     git_commit_author_handle,
     git_commit_author_avatar_url,
-    git_commit_timestamp, -- Unix epoch milliseconds
+    git_commit_timestamp,
     openapi_spec,
+    secrets_config,
     status,
-    gateway_config,
     created_at,
     updated_at
 )
@@ -32,8 +32,8 @@ VALUES (
     sqlc.arg(git_commit_author_avatar_url),
     sqlc.arg(git_commit_timestamp),
     sqlc.arg(openapi_spec),
+    sqlc.arg(secrets_config),
     sqlc.arg(status),
-    sqlc.arg(gateway_config),
     sqlc.arg(created_at),
     sqlc.arg(updated_at)
 );

go/pkg/db/queries/environment_variables_find_by_environment_id.sql

@@ -0,0 +1,4 @@
+-- name: FindEnvironmentVariablesByEnvironmentId :many
+SELECT `key`, value
+FROM environment_variables
+WHERE environment_id = sqlc.arg(environment_id);

go/pkg/db/schema.sql

@@ -316,6 +316,21 @@ CREATE TABLE `environments` (
 	CONSTRAINT `environments_project_id_slug_idx` UNIQUE(`project_id`,`slug`)
 );
 
+CREATE TABLE `environment_variables` (
+	`id` varchar(128) NOT NULL,
+	`workspace_id` varchar(256) NOT NULL,
+	`environment_id` varchar(128) NOT NULL,
+	`key` varchar(256) NOT NULL,
+	`value` varchar(4096) NOT NULL,
+	`type` enum('recoverable','writeonly') NOT NULL,
+	`description` varchar(255),
+	`delete_protection` boolean DEFAULT false,
+	`created_at` bigint NOT NULL,
+	`updated_at` bigint,
+	CONSTRAINT `environment_variables_id` PRIMARY KEY(`id`),
+	CONSTRAINT `environment_id_key` UNIQUE(`environment_id`,`key`)
+);
+
 CREATE TABLE `clickhouse_workspace_settings` (
 	`workspace_id` varchar(256) NOT NULL,
 	`username` varchar(256) NOT NULL,
@@ -363,6 +378,7 @@ CREATE TABLE `deployments` (
 	`runtime_config` json NOT NULL,
 	`gateway_config` longblob NOT NULL,
 	`openapi_spec` longblob,
+	`secrets_config` longblob NOT NULL,
 	`status` enum('pending','building','deploying','network','ready','failed') NOT NULL DEFAULT 'pending',
 	`created_at` bigint NOT NULL,
 	`updated_at` bigint,

internal/db/src/schema/deployments.ts

@@ -46,6 +46,10 @@ export const deployments = mysqlTable(
     // OpenAPI specification
     openapiSpec: longblob("openapi_spec"),
 
+    // Environment variables snapshot (protobuf: ctrl.v1.SecretsBlob)
+    // Encrypted values from environment_variables at deploy time
+    secretsConfig: longblob("secrets_config").notNull(),
+
     // Deployment status
     status: mysqlEnum("status", ["pending", "building", "deploying", "network", "ready", "failed"])
       .notNull()

internal/db/src/schema/environment_variables.ts

@@ -5,6 +5,7 @@ import { lifecycleDates } from "./util/lifecycle_dates";
 import { workspaces } from "./workspaces";
 
 import { environments } from "./environments";
+
 export const environmentVariables = mysqlTable(
   "environment_variables",
   {
@@ -15,9 +16,14 @@ export const environmentVariables = mysqlTable(
     }).notNull(),
 
     key: varchar("key", { length: 256 }).notNull(),
-    // Either the plaintext value or a vault encrypted response
-    value: varchar("value", { length: 1024 }).notNull(),
-    type: mysqlEnum("type", ["plaintext", "secret"]).notNull(),
+
+    // Always encrypted via vault (contains keyId, nonce, ciphertext in the blob)
+    value: varchar("value", { length: 4096 }).notNull(),
+
+    // Both types are encrypted in the database
+    // - recoverable: can be decrypted and shown in the UI
+    // - writeonly: cannot be read back after creation
+    type: mysqlEnum("type", ["recoverable", "writeonly"]).notNull(),
 
     description: varchar("description", { length: 255 }),
 

internal/db/src/schema/index.ts

@@ -10,6 +10,7 @@ export * from "./identity";
 export * from "./quota";
 export * from "./audit_logs";
 export * from "./environments";
+export * from "./environment_variables";
 export * from "./clickhouse_workspace_settings";
 
 // Deployment platform tables