feat(server): v2 secure-session-core Task 1 - schema + per-agent keys

SPEC-002 Phase 1 Task 1 (specs/v2-secure-session-core), code-reviewed APPROVED.

Migration 004 (idempotent, server-applied): tenants + seeded default tenant,
connect_agent_keys (hash-only, revocable, FK->connect_machines), nullable
tenant_id on all scoped tables (tenancy-ready, not tenant-yet), connect_sessions
is_managed/source/consent_state, connect_support_codes consumed_at. New db
modules agent_keys.rs (stores only key_hash) + tenancy.rs (DEFAULT_TENANT_ID,
Phase-4 switch point). Struct/query updates across machines/sessions/
support_codes/events/users. Runtime sqlx throughout (GC db layer already uses
it - no compile-time macros).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

specs/v2-secure-session-core/plan.md

@@ -1,7 +1,7 @@
 # v2 Secure Session Core — Implementation Plan
 
 > Spec created: 2026-05-29
-> Status: not started
+> Status: in progress — Task 1 (schema) DONE 2026-05-29; Task 2 (auth) next
 > Parent: `docs/specs/SPEC-002-v2-modernization-architecture.md` (Phase 1)
 > Keystone: Tasks 1–4 are the "get-right-first" secure auth/session core — every audit CRITICAL/HIGH
 > is closed there. Tasks 5–7 deliver the product capability on top. Do them in order.
@@ -19,7 +19,11 @@ Do not start Task 1 until this commit exists.
 
 ---
 
-## Task 1 (KEYSTONE): v2 schema — per-agent keys + tenancy-ready tables
+## Task 1 (KEYSTONE) [DONE 2026-05-29]: v2 schema — per-agent keys + tenancy-ready tables
+
+> [DONE] migration `004_v2_secure_session_core.sql` + `db/agent_keys.rs` + `db/tenancy.rs` + struct/query
+> updates across machines/sessions/support_codes/events/users. Code-reviewed APPROVED. Note: GC's db
+> layer already uses runtime `sqlx::query()` (no macros) — the v2 "switch to runtime" was already true.
 
 Files touched: `server/migrations/` (new v2 migration files), `server/src/db/` (rebuilt modules:
 `agent_keys.rs` [new], `sessions.rs`, `machines.rs`, `support_codes.rs`, `events.rs`, `users.rs`,