feat(coderd/database): add boundary_sessions and boundary_logs tables (#25441)

RFC: [Bridge ↔ Boundaries Correlation
RFC](https://www.notion.so/coderhq/Gateway-and-Firewall-Correlation-RFC-31ad579be592803aa8b3d48348ccdde9)

Add up/down migrations and matching sqlc queries for persisting Boundary
audit events, as specified in the Bridge/Boundaries Correlation RFC.

**Tables:**
- `boundary_sessions`: session metadata with `workspace_agent_id` FK,
`confined_process_name`, and timestamps (`started_at`, `updated_at`). ID
is externally supplied by the Boundary process (no DB-side default).
Created lazily when the first log for a session arrives.
- `boundary_logs`: individual audit events with `session_id` FK,
`sequence_number` (INT, primary ordering key), protocol/method/detail
fields, and `matched_rule` (nullable; non-NULL implies allowed).

**Indexes (per RFC):**
- `(session_id, sequence_number)` for the ordering query path
- `(captured_at)` for the retention purge path

**Queries:**
- `InsertBoundarySession` / `GetBoundarySessionByID`
- `InsertBoundaryLog` / `GetBoundaryLogByID`
- `ListBoundaryLogsBySessionID` with nullable `seq_after`/`seq_before`
exclusive bounds for fetching events between two known interception
sequence numbers
- `DeleteOldBoundaryLogs` with row limit to avoid long-running
transactions

**Also includes:** dbgen helpers (`BoundarySession`, `BoundaryLog`),
dbauthz implementations (reads gated on `ResourceAuditLog`, deletes on
`ResourceSystem`), and all generated wrappers (dbmock, dbmetrics).

No callers yet. A follow-up PR will add the dedicated `boundary_log`
RBAC resource type.

> Generated by Coder Agents

coderd/database/models.go

@@ -4510,6 +4510,41 @@ type AuditLog struct {
 	ResourceIcon     string          `db:"resource_icon" json:"resource_icon"`
 }
 
+// Persisted boundary audit events. Each row is a single audit event processed by a Boundary proxy.
+type BoundaryLog struct {
+	ID uuid.UUID `db:"id" json:"id"`
+	// The session ID generated by the Boundary process on startup. Groups all events from one invocation.
+	SessionID uuid.UUID `db:"session_id" json:"session_id"`
+	// Monotonically increasing integer assigned by Boundary, starting at 0 per session. Primary ordering key when Boundary is in use.
+	SequenceNumber int32 `db:"sequence_number" json:"sequence_number"`
+	// When the log was sent to the DB.
+	CapturedAt time.Time `db:"captured_at" json:"captured_at"`
+	// When the event happened on the workspace.
+	CreatedAt time.Time `db:"created_at" json:"created_at"`
+	// The protocol of the audited action. e.g. http, dns, git, fs.
+	Proto string `db:"proto" json:"proto"`
+	// The operation within the protocol. e.g. GET/POST for http, clone for git, A for dns, read/write for fs.
+	Method string `db:"method" json:"method"`
+	// Protocol-specific detail. e.g. the full URL for http, the hostname for dns, the path for fs.
+	Detail string `db:"detail" json:"detail"`
+	// The allow-list rule that matched. NULL when the request was denied; non-NULL implies the request was allowed.
+	MatchedRule sql.NullString `db:"matched_rule" json:"matched_rule"`
+}
+
+// Boundary session metadata. Each row represents a single invocation of a Boundary process wrapping a confined agent.
+type BoundarySession struct {
+	// The unique session ID generated by the Boundary process on startup.
+	ID uuid.UUID `db:"id" json:"id"`
+	// The workspace agent that this Boundary session is associated with.
+	WorkspaceAgentID uuid.UUID `db:"workspace_agent_id" json:"workspace_agent_id"`
+	// Name of the confined process (e.g. claude-code, codex, copilot).
+	ConfinedProcessName string `db:"confined_process_name" json:"confined_process_name"`
+	// Time when the first log for this session was received by coderd.
+	StartedAt time.Time `db:"started_at" json:"started_at"`
+	// Time when the session was last updated.
+	UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
+}
+
 // Per-replica boundary usage statistics for telemetry aggregation.
 type BoundaryUsageStat struct {
 	// The unique identifier of the replica reporting stats.