feat(server): Phase 0: add control version history and soft-delete unusable legacy controls

[lan17]

Summary

This is the first step in the control lifecycle work. It introduces version history for controls and cleans up legacy rows that no longer satisfy the control contract, so later phases can build on a consistent base.

Design doc and implementation plan: https://gist.github.com/lan17/6a08282243576f096626bb10996c024b

What changed

The migration adds controls.deleted_at, replaces the old global name uniqueness constraint with an active-only unique index, and creates the new control_versions table. Every existing control is backfilled into version history as version 1.

During that backfill, we validate each existing control against the shapes we still support today: normal control definitions and unrendered templates. Controls that are empty, corrupted, or otherwise unusable are automatically soft-deleted. Before tombstoning them, the migration removes any policy, agent, or store associations so we do not leave active references behind.

At runtime, active control lookups now consistently ignore soft-deleted rows. GET /api/v1/controls/{id} no longer returns a successful response with data: null; if an active row is corrupted, we surface that as corrupted data instead. Deletes now tombstone the control rather than hard-deleting it, which keeps the newly backfilled version history intact.

The shared API model and generated SDK surfaces were updated to match that tighter contract, and the server tests now cover migration backfill, automatic legacy cleanup, and soft-delete filtering across the affected paths.

Why this shape

We want later phases to assume a clean, explicit control lifecycle instead of carrying around {} controls and other invalid legacy cases. Doing that cleanup here keeps the follow-on work simpler and makes the new version table immediately trustworthy.

Reviewer notes

The migration is the part worth the closest look. In particular:

• backfill snapshots and version numbering for existing rows
• automatic cleanup for unusable legacy controls
• soft-delete filtering across control reads, listings, and agent/policy associations
• the non-null GetControlResponse.data contract

Validation

• make check
• make openapi-spec-check
• make sdk-ts-generate
• make sdk-ts-overlay-test
• make sdk-ts-name-check
• fresh review-loop pass against origin/main with no findings

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!