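-- v1.1.7: encrypted per-app secrets.
--
-- Operational config (API keys, OAuth tokens, webhook signing keys)
-- encrypted at rest with the process master key (AES-256-GCM). Both the
-- ciphertext (16-byte GCM auth tag appended) and the 12-byte nonce are
-- stored; the master key itself never lives in the database. See
-- `picloud_shared::crypto` + `manager-core::secrets_service`.
--
-- This is the user-facing `secrets::*` store. It is intentionally
-- separate from `app_secrets` (the one-row-per-app realtime signing
-- key, 0022): different cardinality (many named rows per app), and the
-- realtime key is encrypted in place by migration 0025.
--
-- The byte-length invariants are enforced as named CHECK constraints so
-- that a malformed writer (wrong nonce size, a value stored without its
-- auth tag) fails at INSERT/UPDATE time rather than at the next decrypt.
-- A GCM nonce must never repeat under the same key; the writer is
-- responsible for drawing a fresh random nonce per encryption — the
-- database cannot enforce that across master-key rotations.
CREATE TABLE secrets (
    app_id          UUID        NOT NULL,
    name            TEXT        NOT NULL,
    -- AES-256-GCM ciphertext with the 16-byte auth tag appended; an
    -- empty plaintext therefore still produces exactly 16 bytes.
    encrypted_value BYTEA       NOT NULL,
    -- 96-bit (12-byte) GCM nonce, one per stored ciphertext.
    nonce           BYTEA       NOT NULL,
    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- No trigger maintains this column: the writer must set it on every
    -- UPDATE (presumably done in secrets_service — verify).
    updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT secrets_pkey PRIMARY KEY (app_id, name),
    CONSTRAINT secrets_app_id_fk FOREIGN KEY (app_id)
        REFERENCES apps (id) ON DELETE CASCADE,
    CONSTRAINT secrets_name_check CHECK (name <> ''),
    CONSTRAINT secrets_encrypted_value_check
        CHECK (octet_length(encrypted_value) >= 16),
    CONSTRAINT secrets_nonce_check CHECK (octet_length(nonce) = 12)
);
-- No separate index on app_id: the composite primary key leads with
-- app_id, so per-app lookups are already served by the PK index and a
-- second index would only add write cost.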