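-- v1.1.6: per-app secret material. Currently holds the HMAC signing key
-- used to mint + verify realtime subscriber tokens
-- (pubsub::subscriber_token → SSE /realtime/topics handshake).
--
-- The key is:
--   * stable across restarts (issued tokens stay valid until expiry),
--   * per-app (a token signed by app A is rejected by app B),
--   * never script-accessible (scripts can't print/exfiltrate it — the
--     SDK only mints tokens, it never returns the key).
--
-- The row is created lazily on the first pubsub::subscriber_token call
-- for an app (32 random bytes). This table is the natural home for
-- v1.1.7's encrypted per-app secrets work.
--
-- Security notes (review):
--   * The key is stored as raw bytes — nothing in this migration encrypts
--     it at rest. Anyone with SELECT on this table (DB dumps/backups,
--     replicas, statement logs that capture INSERT parameters, broad
--     app-role grants) can mint valid subscriber tokens for every app.
--     Until the v1.1.7 work lands, keep grants on this table minimal and
--     keep its rows out of logging/exports.
--   * The 32-byte length is enforced by a CHECK below so a short or empty
--     key (e.g. a bug in the RNG call) cannot be persisted and silently
--     weaken the HMAC.
--   * Key rotation: there is a single key column. Overwriting it
--     presumably invalidates every outstanding token for that app at once
--     (the tokens only stay valid "until expiry" while the key is stable);
--     if graceful rotation is ever needed, a "previous key" column with a
--     cut-over time is the usual shape — confirm against the token verifier.
CREATE TABLE app_secrets (
    -- One row per app; deleting the app removes its secret material with it.
    app_id UUID NOT NULL,
    -- HMAC key for realtime subscriber tokens: exactly 32 random bytes.
    realtime_signing_key BYTEA NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- NOTE: only defaulted here, not auto-maintained by a trigger in this
    -- migration; whatever rewrites the key must set it explicitly.
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT app_secrets_pkey PRIMARY KEY (app_id),
    CONSTRAINT app_secrets_app_id_fk
        FOREIGN KEY (app_id) REFERENCES apps (id) ON DELETE CASCADE,
    -- Executable form of the "32 random bytes" contract documented above.
    CONSTRAINT app_secrets_realtime_signing_key_len_check
        CHECK (octet_length(realtime_signing_key) = 32)
);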