fix: align ticket provider credentials and fix settings status check

[nethi]

Problem

GitHub ticket providers created outside the setup wizard (via Settings page or new repository flow) were missing dedicated credential secrets, causing "Secret not found" and "No GitHub token available" errors during background ticket sync.

Additionally, the Settings page showed a false-negative "No token configured" message even when a workspace-scoped GitHub token was available.

Solution

1. Workspace-aware status check (github-token.ts)

   • Fixed GET /api/github-token/status to pass req.user.workspaceId to retrieveSecret()
   • Settings page now correctly reflects the workspace-scoped token status

2. Auto-resolve credentials on provider creation (tickets.ts)

   • When creating a GitHub ticket provider without an explicit token:
     • Attempts to resolve a token via getGitHubToken({ server: true, workspaceId })
     • Stores it as a provider-specific secret
     • Returns 400 Bad Request if no token is available (prevents creating "broken" providers)
   • Aligns Settings flow with Setup Wizard behavior

3. Enable ticket integration during repo creation (repos/new/page.tsx)

   • Added checkbox to enable GitHub Issues integration in the new repository flow
   • Automatically creates ticket provider with optio label filter

4. Test coverage (request-input-validation.test.ts)

   • Added validation test ensuring provider creation fails gracefully when no token is available

Testing

• ✅ All existing tests pass (2070 tests)
• ✅ New test validates error handling for missing credentials
• ✅ Manual testing confirmed:
  • Settings page correctly shows token status
  • Creating ticket provider via Settings auto-resolves credentials
  • New repo flow can enable ticket integration in one step

Files Changed

• apps/api/src/routes/github-token.ts - Workspace-aware token status
• apps/api/src/routes/tickets.ts - Auto-resolve credentials on provider creation
• apps/api/src/routes/request-input-validation.test.ts - Test coverage for error handling
• apps/web/src/app/repos/new/page.tsx - Ticket integration toggle in new repo flow

[jonwiggins]

Three coordination asks here:

1. This is the read side of the same bug as #522. Both PRs touch apps/api/src/routes/github-token.ts (different lines, no merge conflict — but same AAD/decryption issue). If #523 lands without #522 first, the status endpoint will read a workspace-scoped row using the wrong AAD and fail decryption silently. Suggest either combining them or landing #522 first and rebasing this on top.

2. Title under-describes the change. The diff includes a brand-new "Enable GitHub Issues integration" checkbox in apps/web/src/app/repos/new/page.tsx (~36 lines of UI). That's a feature, not a fix. Could the title be reframed as feat(repos): GitHub Issues toggle in new repo wizard + fix: ...? Not blocking, just makes future archaeology easier.

3. (Small) The auto-resolve success path isn't covered by a test. The 400-error path is — could you mirror it for the success branch? Mocking getGitHubToken should be straightforward.

Once #522's full audit lands, this one is otherwise ready.