feat(pro): add micasa pro encrypted multi-device sync (#791)

## Summary

- **ULID primary keys**: migrate all entities from auto-increment uint
to ULID strings for sync compatibility
- **Oplog**: change tracking via `sync_oplog_entries` table with GORM
hooks for create/update/delete/restore
- **Encryption**: NaCl secretbox (XSalsa20-Poly1305) envelope encryption
with household key generation and NaCl box key exchange
- **Relay server** (`cmd/relay`): full HTTP relay with PgStore, SHA-256
token auth, invite flow with FOR UPDATE locking, blob storage
(upload/download/dedup/quota), Stripe webhook verification, graceful
shutdown
- **Sync engine** (`internal/sync`): pull/push with LWW conflict
resolution, blob upload/download with encryption, `blob_ref` stripping
in apply
- **CLI**: `pro init`, `pro join`, `pro status`, `pro storage`, `pro
sync`, `pro invite`, `pro devices`, `pro conflicts` commands
- **TUI background sync**: indicator (synced/syncing/offline/conflict
glyphs), debounce on mutations, deferred reload during form editing
- **Self-hosted relay**: `SELF_HOSTED=true` mode with subscription
bypass, configurable blob quota, Docker Compose stack (postgres + relay
+ optional Caddy TLS)
- **CASCADE oplog safety**: `HardDeleteMaintenance` with proper oplog
entries for child ServiceLogEntries and document detachment, TUI
hard-delete extended to maintenance tab
- **~18.7k lines** across 118 files, ~1:1 production-to-test ratio

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: cpcloud

.github/workflows/ci.yml

@@ -157,6 +157,50 @@ jobs:
           files: coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
 
+  pgtest:
+    name: Postgres Integration
+    needs: changes
+    if: needs.changes.outputs.go == 'true'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ci-pgtest-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    services:
+      postgres:
+        image: postgres:17
+        env:
+          POSTGRES_USER: micasa
+          POSTGRES_PASSWORD: testpass
+          POSTGRES_DB: micasa_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U micasa"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version: "1.26"
+
+      - name: Test relay (with Postgres)
+        env:
+          CGO_ENABLED: "1"
+          RELAY_POSTGRES_DSN: "postgres://micasa:testpass@localhost:5432/micasa_test?sslmode=disable"
+        run: go test -race -shuffle on -timeout 5m -coverprofile coverage-pg.txt ./internal/relay/
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        with:
+          files: coverage-pg.txt
+          flags: postgres
+          token: ${{ secrets.CODECOV_TOKEN }}
+
   benchmarks:
     name: Benchmarks (smoke)
     needs: changes
@@ -249,7 +293,7 @@ jobs:
   result:
     name: CI Result
     if: always()
-    needs: [changes, test, benchmarks, nix-build, docs, semantic-release-dry-run]
+    needs: [changes, test, pgtest, benchmarks, nix-build, docs, semantic-release-dry-run]
     runs-on: ubuntu-latest
     steps:
       - run: exit 1

.gitignore

@@ -8,6 +8,7 @@
 *.so
 *.dylib
 /micasa
+/relay
 
 # Test binary, built with `go test -c`
 *.test

AGENTS.md

@@ -288,6 +288,13 @@ details; do not duplicate that detail here.
   cascading defaults across sections, no "this overrides that unless the
   other thing is set." If two pipelines need the same setting, they each
   get their own independent copy.
+- **No defensive casing variants**: We control the serialization protocol.
+  Every struct that can appear in a JSON payload (oplog entries, API
+  requests/responses) MUST have explicit `json:"snake_case"` tags on every
+  field. Never write code that handles multiple casings of the same key
+  (e.g. `delete(m, "id"); delete(m, "ID")`) -- that papers over an
+  inconsistency instead of fixing it. If you see ambiguity, fix the
+  source struct's tags.
 - **Deterministic ordering requires tiebreakers**: Every `ORDER BY` that
   could tie MUST include a tiebreaker (typically `id DESC`).
 - **Audit new deps before adding**: Review source for security issues