feat: scaffold labd — master daemon with CockroachDB + Prisma

New @lab/labd workspace package:
- Fastify HTTP server + WebSocket for agent connections
- Prisma schema (CockroachDB): Server, Agent, User, Role, Permission,
  UserRole, JoinToken, AuditLog, PulumiRun, Cluster models
- Health endpoint with DB connectivity check
- Server listing with cloud/env/status filters
- Auth routes: agent enrollment, join token management
- Placeholder mTLS auth middleware
- Dev stack: CockroachDB single-node in docker-compose
- 32 tests passing (2 new for labd health)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bastion/stack/.env.example

@@ -31,3 +31,6 @@ DHCP_RANGE_END=
 
 # Path to SSH keys directory on host (mounted read-only)
 SSH_KEY_PATH=~/.ssh
+
+# CockroachDB connection (used by labd)
+DATABASE_URL=postgresql://root@localhost:26257/labctl?sslmode=disable

bastion/stack/docker-compose.yml

@@ -15,6 +15,18 @@ services:
       - NET_ADMIN
       - NET_RAW
 
+  cockroachdb:
+    image: cockroachdb/cockroach:latest-v24.3
+    command: start-single-node --insecure --store=type=mem,size=256MiB
+    ports:
+      - "26257:26257"
+      - "8081:8080"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
 volumes:
   bastion-state:
   bastion-tftp: