fix(coolify): strip is_build_time from env writes; add reveal + GCS

Coolify v4's POST/PATCH /applications/{uuid}/envs only accepts key,
value, is_preview, is_literal, is_multiline, is_shown_once. Sending
is_build_time triggers a 422 "This field is not allowed." — it's now
a derived read-only flag (is_buildtime) computed from Dockerfile ARG
usage. Breaks agents trying to upsert env vars.

Three-layer fix so this can't regress:
  - lib/coolify.ts: COOLIFY_ENV_WRITE_FIELDS whitelist enforced at the
    network boundary, regardless of caller shape
  - app/api/workspaces/[slug]/apps/[uuid]/envs: stops forwarding the
    field; returns a deprecation warning when callers send it; GET
    reads both is_buildtime and is_build_time for version parity
  - app/api/mcp/route.ts: same treatment in the MCP dispatcher;
    AI_CAPABILITIES.md doc corrected

Also bundles (not related to the above):
  - Workspace API keys are now revealable from settings. New
    key_encrypted column stores AES-256-GCM(VIBN_SECRETS_KEY, token).
    POST /api/workspaces/[slug]/keys/[keyId]/reveal returns plaintext
    for session principals only; API-key principals cannot reveal
    siblings. Legacy keys stay valid for auth but can't reveal.
  - P5.3 Object storage: lib/gcp/storage.ts + lib/workspace-gcs.ts
    idempotently provision a per-workspace GCS bucket, service
    account, IAM binding and HMAC key. New POST /api/workspaces/
    [slug]/storage/buckets endpoint. Migration script + smoke test
    included. Proven end-to-end against prod master-ai-484822.

Made-with: Cursor

lib/auth/workspace-auth.ts

@@ -14,6 +14,7 @@
 import { createHash, randomBytes } from 'crypto';
 import { NextResponse } from 'next/server';
 import { authSession } from '@/lib/auth/session-server';
+import { encryptSecret, decryptSecret } from '@/lib/auth/secret-box';
 import { query, queryOne } from '@/lib/db-postgres';
 import {
   type VibnWorkspace,
@@ -167,17 +168,24 @@ export async function mintWorkspaceApiKey(opts: {
   const token = `${KEY_PREFIX}${random}`;
   const hash = hashKey(token);
   const prefix = token.slice(0, 12); // e.g. "vibn_sk_AbCd"
+  // AES-256-GCM encrypt the plaintext so session-authenticated users can
+  // reveal the key later (see revealWorkspaceApiKey). Encryption uses
+  // VIBN_SECRETS_KEY — same envelope as Gitea bot PATs and GCS HMAC
+  // secrets. If that env var isn't set we'd rather fail loudly here
+  // than silently mint unrevealable keys.
+  const encrypted = encryptSecret(token);
 
   const inserted = await query<{ id: string; created_at: Date }>(
     `INSERT INTO vibn_workspace_api_keys
-       (workspace_id, name, key_prefix, key_hash, scopes, created_by)
-     VALUES ($1, $2, $3, $4, $5::jsonb, $6)
+       (workspace_id, name, key_prefix, key_hash, key_encrypted, scopes, created_by)
+     VALUES ($1, $2, $3, $4, $5, $6::jsonb, $7)
      RETURNING id, created_at`,
     [
       opts.workspaceId,
       opts.name,
       prefix,
       hash,
+      encrypted,
       JSON.stringify(opts.scopes ?? ['workspace:*']),
       opts.createdBy,
     ]
@@ -193,6 +201,46 @@ export async function mintWorkspaceApiKey(opts: {
   };
 }
 
+/**
+ * Return the plaintext for an active key belonging to the workspace, if
+ * we have it stored encrypted. Returns `null` when:
+ *   - the key doesn't exist or is in another workspace
+ *   - the key is revoked
+ *   - the key predates the revealability migration (key_encrypted is NULL)
+ *   - decryption fails (VIBN_SECRETS_KEY rotated without re-provisioning)
+ *
+ * Intentionally agnostic to auth — the caller MUST have already checked
+ * that the principal is a session user for this workspace. Never call
+ * this behind an API-key principal, or a compromised key could exfiltrate
+ * its siblings.
+ */
+export async function revealWorkspaceApiKey(
+  workspaceId: string,
+  keyId: string,
+): Promise<{ id: string; name: string; prefix: string; token: string } | null> {
+  const row = await queryOne<{
+    id: string;
+    name: string;
+    key_prefix: string;
+    key_encrypted: string | null;
+    revoked_at: Date | null;
+  }>(
+    `SELECT id, name, key_prefix, key_encrypted, revoked_at
+       FROM vibn_workspace_api_keys
+      WHERE id = $1 AND workspace_id = $2
+      LIMIT 1`,
+    [keyId, workspaceId],
+  );
+  if (!row || row.revoked_at || !row.key_encrypted) return null;
+  try {
+    const token = decryptSecret(row.key_encrypted);
+    return { id: row.id, name: row.name, prefix: row.key_prefix, token };
+  } catch (err) {
+    console.error('[reveal] decrypt failed for key', keyId, err);
+    return null;
+  }
+}
+
 export async function listWorkspaceApiKeys(workspaceId: string): Promise<Array<{
   id: string;
   name: string;
@@ -202,6 +250,7 @@ export async function listWorkspaceApiKeys(workspaceId: string): Promise<Array<{
   last_used_at: Date | null;
   revoked_at: Date | null;
   created_at: Date;
+  revealable: boolean;
 }>> {
   const rows = await query<{
     id: string;
@@ -212,8 +261,10 @@ export async function listWorkspaceApiKeys(workspaceId: string): Promise<Array<{
     last_used_at: Date | null;
     revoked_at: Date | null;
     created_at: Date;
+    revealable: boolean;
   }>(
-    `SELECT id, name, key_prefix, scopes, created_by, last_used_at, revoked_at, created_at
+    `SELECT id, name, key_prefix, scopes, created_by, last_used_at, revoked_at, created_at,
+            (key_encrypted IS NOT NULL) AS revealable
        FROM vibn_workspace_api_keys
       WHERE workspace_id = $1
       ORDER BY created_at DESC`,
@@ -228,6 +279,7 @@ export async function listWorkspaceApiKeys(workspaceId: string): Promise<Array<{
     last_used_at: r.last_used_at,
     revoked_at: r.revoked_at,
     created_at: r.created_at,
+    revealable: r.revealable,
   }));
 }