P1-32: server-side encrypted repo creds + push-on-hello

Operator-minted enrollment tokens now carry the repo URL/username/
password as one AEAD blob bound (via additional-data) to the token
hash. ConsumeEnrollmentToken re-encrypts under host_id and writes a
host_credentials row in the same tx as token-burn, so the binding
moves with the credential.

PUT /api/hosts/{id}/repo-credentials lets an operator edit creds
post-enrollment; merges with the existing blob, audits, and pushes
config.update if the agent is connected.

WS handler grows an OnHello hook that the HTTP layer wires to send
the host's decrypted creds as a config.update immediately after the
hello succeeds — synchronously, so a racing command.run lands after
the agent has its repo password.

Schema: 0002_host_credentials.sql adds enc_repo_creds to
enrollment_tokens and a host_credentials table (PK = host_id, FK
ON DELETE CASCADE).

Tests: round-trip token → consume → host_credentials with AAD swap
detection; no-creds path stays compatible.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/ws/handler.go

@@ -21,6 +21,11 @@ import (
 type HandlerDeps struct {
 	Hub   *Hub
 	Store *store.Store
+	// OnHello is called once per successful hello, after the host row
+	// has been touched and the conn registered. Used by the HTTP
+	// layer to push host_credentials down as a config.update before
+	// the agent starts asking for jobs. Optional; nil = no-op.
+	OnHello func(ctx context.Context, hostID string, conn *Conn)
 }
 
 // AgentHandler is the http.Handler that owns /ws/agent. Agents
@@ -136,6 +141,12 @@ func runAgentLoop(ctx context.Context, c *Conn, hostID string, deps HandlerDeps)
 		"agent_version", helloPayload.AgentVersion,
 		"protocol_version", helloPayload.ProtocolVersion)
 
+	if deps.OnHello != nil {
+		// Run synchronously so the config.update lands before any
+		// command.run an operator might race in.
+		deps.OnHello(ctx, hostID, c)
+	}
+
 	// Stage 2: main read loop.
 	for {
 		env, err := c.Read(ctx)