feat(den): add provider credential contract base

[pascalandr]

Summary

Extracts the smallest provider credential contract/model base from the prior OpenCode OAuth provider work.

This PR adds only the shared storage/response contract needed by follow-up stacked provider credential work:

• credentialKind on LLM providers, defaulting to api_key.
• encrypted opencodeAuth storage for OAuth-backed provider credentials.
• migration 0019_llm_provider_opencode_oauth and journal entry after upstream 0018_invited_org_members.
• passive Den API credential redaction/flags so the new field is not leaked by existing provider responses.

Scope intentionally excluded

• OpenAI device flow routes.
• Den Web OAuth UI.
• desktop/provider import behavior for OAuth-backed providers.
• Den→worker managed provider sync behavior (feat(den): sync managed providers to workers #1901).
• Docker/runbook/version/seed/static/Entra/dirty-preference/workflow artifact changes.

Verification

• pnpm --filter @openwork-ee/den-db build — PASS.
• From ee/apps/den-api: pnpm exec tsc -p tsconfig.json --noEmit — PASS.

Stack

This is PR1 for the provider credential stack. #1901 should be based on this branch so reviewers can inspect worker sync separately from the credential contract base.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openwork-landing	Ready	Preview, Comment, Open in v0	May 23, 2026 4:27pm

[vercel]

@pascalandr is attempting to deploy a commit to the Different AI Team on Vercel.

A member of the Team first needs to authorize it.

[pascalandr]

Closing in favor of rebuilding this work as isolated stacked PRs on the Pagecran fork.