feat(cli): add assistant db repair with integrity-check step

[vellum-apollo-bot]

What

Adds assistant db repair — the second piece of the assistant db
recovery surface, after db status (#32606).

This PR ships a step-runner framework + the first repair step
(integrity check). Subsequent PRs append more steps to the sequence;
the wiring here is structured so they don't need to touch anything
besides adding their step to the STEPS array.

What this command does

Walks every page in the assistant SQLite database and reports
corruption.

$ assistant db repair
[1/1] integrity-check — starting
        Walk every database page and verify b-tree consistency
[1/1] integrity-check — ok  no corruption detected  (340.6s)
        scanned 993,829 pages

Done. 1 step ran: 1 ok, 0 failed

Runs PRAGMA integrity_check on a read-only handle. Full scan (not
quick_check) — a user typing repair is opting in to a thorough
probe.

Output paths:

• Healthy DB → exit 0, page count detail line
• Corrupt DB → exit 1, integrity violations surfaced verbatim (capped
  at 20 lines in human mode; full list in --json)
• Severely malformed DB (pragma throws before yielding rows) →
  exit 1, normalized into the same corruption signal rather than
  being flagged as a step bug
• Missing DB → exit 1, loud stderr error pointing at backup list
• --json → single RepairReport payload with dbPath, okCount,
  errorCount, halted, and per-step result.data for scripting

Step-runner framework

Each step is a RepairStep with name, description, and run(ctx).
The runner:

• Runs steps sequentially (later steps may depend on earlier ones)
• Captures StepResult (ok or error) for each step
• Continues past non-halting failures (best-effort repair — a corrupt
  DB shouldn't block conversation backfill from disk)
• Stops the sequence only when a step explicitly returns halt: true
• Never throws — uncaught errors from a step are captured as a
  synthetic error result with detail "step threw an unexpected
  error — this is a bug"
• Records durationMs per step

That gives PR 3 (conversation backfill) and beyond a stable interface:
add a RepairStep to STEPS and the runner does the rest.

Risk

assistant db repair registered as medium in the gateway risk
registry. The integrity-check step is strictly read-only, but the
description is accurate because future steps in the sequence will
mutate the database to recover state. Approving the path once gates
the whole future surface.

Description fix (review feedback on #32606)

@dvargasfuertes called out that the parent db description's
"(read-only by default)" qualifier had no referent — there's no flag
to flip it writable, and the parent has both read-only (status) and
mutating (repair) subcommands. Dropped the qualifier; description is
now just "Inspect and repair the assistant SQLite database". Lesson
absorbed into the software-engineering skill's cli-design.md.

Testing

11 unit tests, all using real bun:sqlite databases in tmp dirs (the
integrity check needs to walk actual pages — mocking would defeat the
point):

• Healthy DB → integrity check passes, exit 0
• Healthy DB → --json shape correct (steps, okCount, durationMs)
• Corrupt DB → corruption surfaced, exit 1, not flagged as a bug
• Corrupt DB → --json carries full error list
• Missing DB → loud stderr, exit 1
• Missing DB → --json carries missing: true
• Runner: sequential order
• Runner: continues past non-halting failures
• Runner: stops on halt: true
• Runner: captures thrown errors as synthetic error results
• Runner: records non-negative durationMs

Smoke-tested against the live ~4 GB workspace DB:

[1/1] integrity-check — ok  no corruption detected  (340.6s)
        scanned 993,829 pages
Done. 1 step ran: 1 ok, 0 failed

5m44s wall-clock for ~994K pages on a ~4 GB DB. Acceptable for a
command the user only runs when they suspect trouble.

--json and missing-DB paths verified manually too.

What's next

PR 3: conversation-backfill step that replays
/workspace/conversations into SQLite. Reuses the logic from
migration 028 (already does meta + jsonl → SQLite with
conversation-level idempotency). Goal: a fresh DB after a wipe can be
rebuilt from the on-disk view.

After PR 3: write up the remaining ~95 tables and propose other
recovery steps (memory consolidation, lost-and-found triage, etc.).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17459e48d9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Handle database open failures as repair errors

When the file exists but SQLite cannot open it at all (for example an unreadable/root-owned file or assistant.db being a directory), this constructor throws before the inner try around PRAGMA integrity_check, so the generic runner reports step threw an unexpected error — this is a bug instead of an actionable repair/open diagnostic. Since this recovery command is meant for damaged local databases and db status already treats open failures as user-facing errors, catch open failures here and return a normal status: "error" result.

Useful? React with 👍 / 👎.

[dvargasfuertes]

Delete references to pr or the future in comments