rdev/internal/db/migrations/001_create_api_keys.sql

-- API Keys table for rdev authentication
CREATE TABLE IF NOT EXISTS api_keys (
    id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    name         VARCHAR(255) NOT NULL,
    key_hash     VARCHAR(64) NOT NULL UNIQUE,
    key_prefix   VARCHAR(8) NOT NULL,
    scopes       TEXT[] NOT NULL DEFAULT '{}',
    project_ids  TEXT[] DEFAULT NULL,
    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    expires_at   TIMESTAMPTZ,
    last_used_at TIMESTAMPTZ,
    revoked_at   TIMESTAMPTZ,
    created_by   VARCHAR(255)
);

-- Index for key lookup (most common operation)
CREATE INDEX IF NOT EXISTS idx_api_keys_key_hash ON api_keys(key_hash);

-- Index for listing active keys
CREATE INDEX IF NOT EXISTS idx_api_keys_active ON api_keys(revoked_at) WHERE revoked_at IS NULL;

-- Index for cleanup of expired keys
CREATE INDEX IF NOT EXISTS idx_api_keys_expires ON api_keys(expires_at) WHERE expires_at IS NOT NULL;

COMMENT ON TABLE api_keys IS 'API keys for authenticating rdev API requests';
COMMENT ON COLUMN api_keys.key_hash IS 'SHA-256 hash of the full API key';
COMMENT ON COLUMN api_keys.key_prefix IS 'First 8 chars of key for identification (rdev_sk_XXXXXXXX)';
COMMENT ON COLUMN api_keys.scopes IS 'Array of permission scopes: projects:read, projects:execute, keys:read, keys:write, admin';
COMMENT ON COLUMN api_keys.project_ids IS 'NULL = all projects, otherwise array of allowed project IDs';
COMMENT ON COLUMN api_keys.created_by IS 'admin or UUID of key that created this key';