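-- 0002_host_credentials.sql
--
-- Repo credentials carried on the enrollment token, then promoted to
-- a per-host row on consume. Pulled forward from Phase 2 so the
-- "Add host" flow is genuinely one-shot — operator supplies repo
-- creds at token-mint time, agent receives them via config.update on
-- first WS connect.
--
-- See spec.md §7.3 for the threat model and tasks.md P1-32 for the
-- end-to-end flow.

-- Token row optionally carries an AEAD-encrypted JSON blob of
-- {repo_url, repo_username, repo_password}. AEAD additional-data
-- binds it to the token_hash so swap attacks between rows fail.
-- Nullable on purpose: a token minted without repo creds leaves this
-- NULL. The column holds ciphertext only; the AEAD key is managed
-- outside this schema (not visible here).
-- NOTE(review): after promotion to host_credentials the token-row
-- copy should not linger — confirm ConsumeEnrollmentToken clears it
-- (or deletes the token row) so a single ciphertext copy remains.
ALTER TABLE enrollment_tokens
    ADD COLUMN enc_repo_creds TEXT;

-- Per-host repo credential, replaces the blob from the token row on
-- ConsumeEnrollmentToken. AEAD additional-data binds it to host_id.
-- One row per host; absence means "no creds set yet, agent will
-- refuse backup jobs until the operator sets them via the UI."
--
-- host_id        PK and FK to hosts(id). ON DELETE CASCADE so the
--                ciphertext never outlives its host row. NOT NULL is
--                spelled out because SQLite permits NULL in a
--                non-INTEGER PRIMARY KEY column.
-- enc_repo_creds AEAD ciphertext (AD = host_id). NOT NULL: "no creds"
--                is expressed as "no row", never as a NULL cell.
-- updated_at     when the creds were last set or rotated. TEXT to
--                match the surrounding schema — presumably ISO-8601
--                UTC; confirm against the writer.
-- Constraints are named so integrity errors and later migrations are
-- greppable.
CREATE TABLE host_credentials (
    host_id        TEXT NOT NULL
        CONSTRAINT host_credentials_pk PRIMARY KEY
        CONSTRAINT host_credentials_host_id_fk
            REFERENCES hosts(id) ON DELETE CASCADE,
    enc_repo_creds TEXT NOT NULL,
    updated_at     TEXT NOT NULL
);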