feat(integrations): add GitLab as alternative SCM provider

[suda]

Summary

Adds GitLab as a second SCM integration alongside GitHub, following the existing IntegrationModule/SCMIntegration architecture. Projects can now be configured to use GitLab as their SCM provider, with full webhook processing, trigger dispatch, agent execution, and dashboard management.

Core module (src/gitlab/):

• API client via @gitbeaker/rest with AsyncLocalStorage-scoped credentials
• Dual-persona model (implementer/reviewer tokens) with cached identity resolution
• GitLabSCMIntegration implementing the SCMIntegration interface

Router & webhook layer:

• /gitlab/webhook route with X-Gitlab-Token signature verification
• GitLabRouterAdapter implementing RouterPlatformAdapter
• GitLabJob queue type, worker dispatch, CASCADE_SCM_PROVIDER env var injection

9 trigger handlers (src/triggers/gitlab/):

• MR opened, pipeline success/failure, MR approval, reviewer added, comment mention, merged, conflict detected, ready to merge
• Pipeline triggers auto-resolve MR from branch via API when merge_request is null (branch push pipelines)
• Loop prevention only blocks implementer persona (reviewer persona = human is allowed)

11 GitLab gadgets (src/gadgets/gitlab/):

• CreateMR, GetMRDetails, GetMRDiff, GetMRNotes, PostMRNote, UpdateMRNote, CreateMRReview, ApproveMR, GetPipelineStatus, GetFailedPipelineJobs (with full job log output), MergeMR

SCM-provider-aware agent runtime:

• Context pipeline (fetchPRContextStep, fetchPRConversationStep) uses GitLab API for GitLab projects
• Tool manifests show GitLab tools (CreateMR, GetMRDetails, etc.) when CASCADE_SCM_PROVIDER=gitlab
• System prompt mentions GitLab/MR terminology, blocks glab CLI like gh
• All 10 cascade-tools scm CLI commands dispatch to GitLab gadgets at runtime
• Auto-resolved --owner/--repo params hidden from agent tool guidance (no more complex sed)
• extractPRUrl/extractPRNumber support both /pull/NNN and /merge_requests/NNN
• Post-execution work-item linking works for GitLab MR URLs

Credential resolution fix:

• getIntegrationCredential now looks up the project's configured provider before resolving env var keys (previously always returned GitHub keys when both providers were registered)

Frontend & CLI:

• SCM tab with GitHub/GitLab provider selector
• GitLab credential slots and webhook management section
• GitLab webhook CRUD via API (gitlabCreateWebhook, gitlabDeleteWebhook)
• CLI webhook commands with --gitlab-only support
• Webhook logs dropdown includes GitLab source

Infrastructure:

• DB migration 0049_add_gitlab_scm_provider.sql — adds 'gitlab' to the CHECK constraint
• glab CLI v1.52.0 installed in worker Docker image
• Agent YAML definitions updated with providers: [github, gitlab]
• Agent prompts reference both GitHub and GitLab tool names

Test Plan

• Unit tests pass (npm test) — 7109 passing, 100 new GitLab tests
• Linter passes (npm run lint)
• Type check passes (npm run typecheck)
• Tested manually:
  • Configured GitLab project in dashboard with implementer/reviewer tokens
  • Pipeline failure webhook → respond-to-ci agent ran, fetched CI job logs, fixed formatting issue
  • Pipeline success webhook → review agent triggered
  • MR reviewer added → review agent triggered (after loop prevention fix)
  • MR comment @mention → respond-to-pr-comment agent triggered
  • Agent successfully cloned repo, fetched MR context from GitLab API, posted MR notes
  • cascade-tools scm commands work in GitLab worker context

New test files (100 tests):

• tests/unit/gitlab/personas.test.ts (16 tests)
• tests/unit/triggers/gitlab/types.test.ts (19 tests)
• tests/unit/triggers/gitlab/pipeline-success.test.ts (12 tests)
• tests/unit/triggers/gitlab/pipeline-failure.test.ts (13 tests)
• tests/unit/triggers/gitlab/mr-opened.test.ts (11 tests)
• tests/unit/triggers/gitlab/mr-reviewer-added.test.ts (12 tests)
• tests/unit/router/adapters/gitlab.test.ts (17 tests)

Known Issues

The npm audit CI step fails with 6 moderate-severity vulnerabilities. These are pre-existing — they exist on dev as well and are not introduced by this PR:

• @anthropic-ai/sdk 0.79.0-0.80.0 (memory tool path validation) — fix requires breaking @anthropic-ai/claude-agent-sdk downgrade
• esbuild ≤0.24.2 (dev server request bypass) — fix requires breaking drizzle-kit downgrade

The hono, @hono/node-server, and axios vulnerabilities were fixed by npm audit fix in this PR.

Checklist

• My code follows the project's code style
• I have added tests for new functionality
• I have updated documentation if needed
• My commits follow Conventional Commits

[suda]

@zbigniewsobiecki thank you for open sourcing this tool! It's exactly what I was looking for. Given that we use mostly Gitlab, together with Claude we added support for it across the repo. All agents are working/being triggered correctly: