feat(db): add closed_state_consistency CHECK to execution_workspaces (SHA-2492)

[Mlaz-code]

Summary

Adds a CHECK constraint to execution_workspaces making the contradictory state representationally impossible: closed_at IS NULL OR status IN ('archived', 'cleanup_failed'). Companion to PR #12 (PATCH route normalize-on-reopen).

Without this DB-level invariant, every cleanup author has to remember to pair closed_at = now() with a closed status. Historically that's failed in multiple places (stale_7d_SHA-{1835,2221}, source_issue_terminal recipe, and a Coordinator manual PATCH) — see SHA-2492 for the full forensic.

Why NOT VALID

There are 1037 existing violator rows on the prod paperclip DB. ADD CONSTRAINT ... CHECK ... NOT VALID skips the table-scan-and-validate step at migration time, so the deploy is fast and lock-free. The constraint takes effect for all INSERTs and UPDATEs immediately. Validating against the existing data happens as a separate manual step:

ALTER TABLE execution_workspaces
  VALIDATE CONSTRAINT execution_workspaces_closed_state_consistency;

…which must run after the violator rows are backfilled. Pre-audit on the prod DB confirmed 0 violator rows have a non-terminal source issue, so the backfill is safe:

UPDATE execution_workspaces
SET status = 'archived', updated_at = now()
WHERE closed_at IS NOT NULL
  AND status NOT IN ('archived', 'cleanup_failed');
-- expected: UPDATE 1037

Deploy / rollout order

1. Merge PR fix(execution-workspaces): clear closed_at on reopen via PATCH (SHA-2492) #12 (PATCH route normalize-on-reopen) first. Without it, the new CHECK will reject any reopen that didn't clear closed_at.
2. Merge this PR. Migration 0077_workspace_closed_state_consistency.sql ships the NOT VALID constraint.
3. Manual backfill on prod paperclip DB (Board approval needed): the UPDATE above (1037 rows). Pre-audit attached in SHA-2492 confirms safety.
4. Manual VALIDATE CONSTRAINT on prod paperclip DB (Board approval needed): proves no violators remain forever.

Changes

• packages/db/src/schema/execution_workspaces.ts — add check() constraint to the drizzle schema for consistency with the SQL migration.
• packages/db/src/migrations/0077_workspace_closed_state_consistency.sql — hand-rolled migration with NOT VALID (drizzle-kit would generate a validating ADD which would reject on the existing 1037 violators).
• packages/db/src/migrations/meta/_journal.json — register migration 77.

Companion work

• ✅ /shared-tmp/worktree-cleanup.sh (the recurring worktree-cleanup.timer job that was producing contradictory rows daily) was patched 2026-05-12 to write status='archived'. Verified live on the 2026-05-13 04:33 EDT timer fire.
• 🟦 PR fix(execution-workspaces): clear closed_at on reopen via PATCH (SHA-2492) #12 — PATCH route normalize-on-reopen.

Test plan

• Schema TS + SQL match (both write the same constraint name and predicate).
• Journal JSON validates.
• CI runs migration apply against a test DB.
• After merge + manual backfill + manual VALIDATE: SELECT count(*) FROM execution_workspaces WHERE closed_at IS NOT NULL AND status NOT IN ('archived','cleanup_failed') → 0 forever.