fix(db): make Secret.backendId default to empty string for rollout migration

Why: `prisma db push` refused to add the required `backendId` column on
clusters with pre-existing Secret rows — it can't assign NOT NULL without a
default, and the cluster DB had 9 live rows. The mcpd pod crash-looped
during the Phase 0 rollout because of this.

Empty-string default lets the schema apply cleanly; `bootstrapSecretBackends`
(which runs on every startup) then rewrites those empty values to the
seeded `default` plaintext backend's id. New writes via SecretService always
carry a real FK immediately, so the empty-string state only exists during
the one-shot migration window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/db/prisma/schema.prisma

@@ -142,7 +142,12 @@ model SecretBackend {
 model Secret {
   id          String   @id @default(cuid())
   name        String   @unique
-  backendId   String                                  // FK to SecretBackend — dispatches read/write
+  // FK to SecretBackend. Default empty string lets `prisma db push` add the
+  // column to pre-existing rows without a data-loss reset; `bootstrapSecretBackends`
+  // then points any empty-string values at the seeded `default` plaintext backend
+  // on next mcpd startup. New rows written by SecretService always carry a
+  // valid FK immediately.
+  backendId   String   @default("")
   data        Json     @default("{}")                 // populated by plaintext backend only
   externalRef String   @default("")                   // populated by non-plaintext backends (e.g. "mount/path#v3")
   version     Int      @default(1)