fix: permanent owner password persistence with SeedAudit guard

Root cause: Dual-source architecture for owner password (Gitea secret
ENV_OWNER_PASSWORD vs host .env OWNER_PASSWORD) caused drift when
the DB was ever re-seeded or the volume recreated.

Changes:
- Add SeedAudit entity + migration to track one-time seed operations
- EnsureDatabaseAsync checks SeedAudit BEFORE seeding — owner is never
  re-created even if the Users table is wiped
- Deploy and rollback workflows now read OWNER_PASSWORD from the host's
  persistent .env (single source of truth) instead of Gitea secrets
- compose.yaml documented: OWNER_PASSWORD only used during initial seed
- Cleanup: .gitignore extended for core dumps, changelog/deployment.md
  updated with 2026-06-20 session notes

After this fix the DB is the single source of truth for the owner
password after initial seed. The host .env is the single reference
for the initial value.

.gitea/workflows/deploy.yaml

@@ -67,8 +67,10 @@ jobs:
       ENV_TMPFILE: /tmp/nexus-deploy-env
       ENV_POSTGRES_PASSWORD: ${{ secrets.ENV_POSTGRES_PASSWORD }}
       ENV_JWT_KEY: ${{ secrets.ENV_JWT_KEY }}
-      ENV_OWNER_PASSWORD: ${{ secrets.ENV_OWNER_PASSWORD }}
       ENV_OPENCLAW_TOKEN: ${{ secrets.ENV_OPENCLAW_TOKEN }}
+      # OWNER_PASSWORD is read from the host's persistent .env — NOT from a Gitea secret.
+      # This ensures the password stays consistent across deploys and the DB is the
+      # single source of truth after initial seed (enforced by SeedAudit guard).
 
     steps:
       # ═══════════════════════════════════════════════════
@@ -127,20 +129,37 @@ jobs:
           echo "mutated_main=false" >> "$GITEA_OUTPUT"
 
       # ═══════════════════════════════════════════════════
-      # Step 4: Build .env from secrets (SAFE)
+      # Step 4: Build .env from secrets + host .env (SAFE)
       #
       # Secrets are written to /tmp/nexus-deploy-env — NEVER
       # to a file inside the workspace that gets rsync'd to
       # the host. The temp file is deleted immediately after
       # compose operations complete.
+      #
+      # OWNER_PASSWORD is read from the host's persistent .env
+      # to ensure it stays the single source of truth.  Other
+      # secrets (POSTGRES_PASSWORD, JWT_KEY, OPENCLAW_TOKEN)
+      # come from Gitea secrets.
       # ═══════════════════════════════════════════════════
-      - name: Prepare .env (secrets → temp file)
+      - name: Prepare .env (secrets + host .env → temp file)
         run: |
           set -euo pipefail
 
+          # Read OWNER_PASSWORD from the host's persistent .env
+          HOST_OWNER_PASSWORD=""
+          if [ -f "${DEPLOY_PATH}/.env" ]; then
+            HOST_OWNER_PASSWORD=$(grep '^OWNER_PASSWORD=' "${DEPLOY_PATH}/.env" | cut -d= -f2- || true)
+          fi
+          if [ -z "${HOST_OWNER_PASSWORD}" ]; then
+            echo "❌ OWNER_PASSWORD not found in ${DEPLOY_PATH}/.env"
+            echo "   The host .env is the single source of truth for the owner password."
+            echo "   Ensure OWNER_PASSWORD is set in the deploy-path .env before deploying."
+            exit 1
+          fi
+
           cat > "${ENV_TMPFILE}" <<EOF
           # Nexus Production Environment — auto-generated by CD pipeline
-          # Managed via Gitea Secrets → do NOT edit manually on the host.
+          # Managed via Gitea Secrets + host .env → do NOT edit manually on the host.
           # This file lives in /tmp and is removed after deploy completes.
           POSTGRES_DB=nexus
           POSTGRES_USER=nexus
@@ -149,7 +168,7 @@ jobs:
           JWT_ISSUER=nexus
           JWT_AUDIENCE=nexus-web
           OWNER_EMAIL=vmbao62@hotmail.de
-          OWNER_PASSWORD=${ENV_OWNER_PASSWORD}
+          OWNER_PASSWORD=${HOST_OWNER_PASSWORD}
           OWNER_DISPLAY_NAME=
           OPENCLAW_BASE_URL=http://host.docker.internal:18789
           OPENCLAW_GATEWAY_TOKEN=${ENV_OPENCLAW_TOKEN}

.gitea/workflows/rollback.yaml

@@ -43,7 +43,6 @@ jobs:
       ENV_TMPFILE: /tmp/nexus-rollback-env
       ENV_POSTGRES_PASSWORD: ${{ secrets.ENV_POSTGRES_PASSWORD }}
       ENV_JWT_KEY: ${{ secrets.ENV_JWT_KEY }}
-      ENV_OWNER_PASSWORD: ${{ secrets.ENV_OWNER_PASSWORD }}
       ENV_OPENCLAW_TOKEN: ${{ secrets.ENV_OPENCLAW_TOKEN }}
 
     steps:
@@ -95,12 +94,22 @@ jobs:
           fi
 
       # ═══════════════════════════════════════════════════
-      # Step 3: Prepare .env from secrets (safe temp file)
+      # Step 3: Prepare .env from secrets + host .env (safe temp file)
       # ═══════════════════════════════════════════════════
-      - name: Prepare .env (secrets → temp file)
+      - name: Prepare .env (secrets + host .env → temp file)
         run: |
           set -euo pipefail
 
+          # Read OWNER_PASSWORD from the host's persistent .env
+          HOST_OWNER_PASSWORD=""
+          if [ -f "${DEPLOY_PATH}/.env" ]; then
+            HOST_OWNER_PASSWORD=$(grep '^OWNER_PASSWORD=' "${DEPLOY_PATH}/.env" | cut -d= -f2- || true)
+          fi
+          if [ -z "${HOST_OWNER_PASSWORD}" ]; then
+            echo "❌ OWNER_PASSWORD not found in ${DEPLOY_PATH}/.env"
+            exit 1
+          fi
+
           cat > "${ENV_TMPFILE}" <<EOF
           # Nexus Production Environment — auto-generated by CD pipeline
           POSTGRES_DB=nexus
@@ -110,7 +119,7 @@ jobs:
           JWT_ISSUER=nexus
           JWT_AUDIENCE=nexus-web
           OWNER_EMAIL=vmbao62@hotmail.de
-          OWNER_PASSWORD=${ENV_OWNER_PASSWORD}
+          OWNER_PASSWORD=${HOST_OWNER_PASSWORD}
           OWNER_DISPLAY_NAME=
           OPENCLAW_BASE_URL=http://host.docker.internal:18789
           OPENCLAW_GATEWAY_TOKEN=${ENV_OPENCLAW_TOKEN}