Create table for macOS local admin account (#43168)

Adds the `host_managed_local_account_passwords` table to persist encrypted managed local admin account passwords and track MDM delivery status for ADE-enrolled macOS hosts (#42942).

server/datastore/mysql/migrations/tables/20260408175311_CreateHostManagedLocalAccountPasswords.go

@@ -0,0 +1,33 @@
+package tables
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+func init() {
+	MigrationClient.AddMigration(Up_20260408175311, Down_20260408175311)
+}
+
+func Up_20260408175311(tx *sql.Tx) error {
+	if _, err := tx.Exec(`
+		CREATE TABLE host_managed_local_account_passwords (
+			host_uuid          VARCHAR(255) COLLATE utf8mb4_unicode_ci NOT NULL,
+			encrypted_password BLOB NOT NULL,
+			command_uuid       VARCHAR(127) COLLATE utf8mb4_unicode_ci NOT NULL,
+			status             VARCHAR(20)  COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+			created_at         TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
+			updated_at         TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6),
+			PRIMARY KEY (host_uuid),
+			KEY idx_hmlap_command_uuid (command_uuid),
+			CONSTRAINT fk_hmlap_status FOREIGN KEY (status) REFERENCES mdm_delivery_status (status) ON UPDATE CASCADE
+		)
+	`); err != nil {
+		return fmt.Errorf("creating host_managed_local_account_passwords table: %w", err)
+	}
+	return nil
+}
+
+func Down_20260408175311(tx *sql.Tx) error {
+	return nil
+}

server/datastore/mysql/migrations/tables/20260408175311_CreateHostManagedLocalAccountPasswords_test.go

@@ -0,0 +1,84 @@
+package tables
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUp_20260408175311(t *testing.T) {
+	db := applyUpToPrev(t)
+
+	// Apply current migration.
+	applyNext(t, db)
+
+	// INSERT with NULL status (pending).
+	_, err := db.Exec(`
+		INSERT INTO host_managed_local_account_passwords
+			(host_uuid, encrypted_password, command_uuid, status)
+		VALUES (?, ?, ?, NULL)`,
+		"host-uuid-1", []byte("encrypted-pw-1"), "cmd-uuid-1",
+	)
+	require.NoError(t, err)
+
+	// INSERT with valid status.
+	_, err = db.Exec(`
+		INSERT INTO host_managed_local_account_passwords
+			(host_uuid, encrypted_password, command_uuid, status)
+		VALUES (?, ?, ?, ?)`,
+		"host-uuid-2", []byte("encrypted-pw-2"), "cmd-uuid-2", "verified",
+	)
+	require.NoError(t, err)
+
+	// FK constraint rejects invalid status.
+	_, err = db.Exec(`
+		INSERT INTO host_managed_local_account_passwords
+			(host_uuid, encrypted_password, command_uuid, status)
+		VALUES (?, ?, ?, ?)`,
+		"host-uuid-3", []byte("encrypted-pw-3"), "cmd-uuid-3", "bogus_status",
+	)
+	require.Error(t, err)
+
+	// Upsert via ON DUPLICATE KEY UPDATE.
+	_, err = db.Exec(`
+		INSERT INTO host_managed_local_account_passwords
+			(host_uuid, encrypted_password, command_uuid, status)
+		VALUES (?, ?, ?, ?)
+		ON DUPLICATE KEY UPDATE
+			encrypted_password = VALUES(encrypted_password),
+			command_uuid = VALUES(command_uuid),
+			status = VALUES(status)`,
+		"host-uuid-1", []byte("new-encrypted-pw"), "cmd-uuid-new", "verified",
+	)
+	require.NoError(t, err)
+
+	// Verify the upsert updated the row.
+	var (
+		encPw   []byte
+		cmdUUID string
+		status  *string
+	)
+	err = db.QueryRow(`
+		SELECT encrypted_password, command_uuid, status
+		FROM host_managed_local_account_passwords
+		WHERE host_uuid = ?`, "host-uuid-1",
+	).Scan(&encPw, &cmdUUID, &status)
+	require.NoError(t, err)
+	assert.Equal(t, []byte("new-encrypted-pw"), encPw)
+	assert.Equal(t, "cmd-uuid-new", cmdUUID)
+	require.NotNil(t, status)
+	assert.Equal(t, "verified", *status)
+
+	// Timestamps auto-populate.
+	var createdAt, updatedAt time.Time
+	err = db.QueryRow(`
+		SELECT created_at, updated_at
+		FROM host_managed_local_account_passwords
+		WHERE host_uuid = ?`, "host-uuid-2",
+	).Scan(&createdAt, &updatedAt)
+	require.NoError(t, err)
+	assert.False(t, createdAt.IsZero())
+	assert.False(t, updatedAt.IsZero())
+}