store: P2R-10 schema for source-group + host-default hooks (migration 0010)

Adds pre_hook/post_hook BLOB columns to source_groups and
pre_hook_default/post_hook_default to hosts. Bytes stored verbatim
(AEAD encrypt/decrypt happens at the HTTP layer where the AEAD key
lives). Round-trip tests cover set/clear semantics on both tables.

internal/store/migrations/0010_hooks.sql

@@ -0,0 +1,25 @@
+-- 0010_hooks.sql
+--
+-- P2R-10: pre/post hooks on source groups + host-wide defaults.
+--
+-- Hook bodies are stored as AEAD ciphertext (existing crypto.AEAD)
+-- because operators do put credentials in shell snippets — even
+-- though we tell them not to. NULL means "no hook configured".
+--
+-- Hooks fire only for kind=backup jobs. forget/prune/check/unlock
+-- skip them per spec.md §14.3 (P2R-11 enforces this in the agent
+-- dispatcher).
+--
+-- Resolution order at dispatch time:
+--   source_group.<phase>_hook  (per-group override, AEAD blob)
+--   host.<phase>_hook_default  (host default, AEAD blob)
+--   none → no hook runs
+--
+-- All four columns are added in-place via ALTER TABLE ADD COLUMN.
+-- Per CLAUDE.md the table-rebuild pattern is unsafe with FK cascades.
+
+ALTER TABLE source_groups ADD COLUMN pre_hook  BLOB;
+ALTER TABLE source_groups ADD COLUMN post_hook BLOB;
+
+ALTER TABLE hosts ADD COLUMN pre_hook_default  BLOB;
+ALTER TABLE hosts ADD COLUMN post_hook_default BLOB;