-- 082_create_api_keys.sql
-- User API keys for developer portal (v0.102 Lot C)
-- Distinct from webhook API keys (whk_); user keys use vza_ prefix

CREATE TABLE IF NOT EXISTS public.api_keys (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID NOT NULL REFERENCES public.users(id) ON DELETE CASCADE,

    name VARCHAR(100) NOT NULL,
    prefix VARCHAR(16) NOT NULL,
    hashed_key VARCHAR(128) NOT NULL,

    scopes TEXT[] NOT NULL DEFAULT ARRAY['read'],

    last_used_at TIMESTAMPTZ,
    expires_at TIMESTAMPTZ,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON public.api_keys(prefix);
CREATE INDEX IF NOT EXISTS idx_api_keys_user_id ON public.api_keys(user_id);
CREATE INDEX IF NOT EXISTS idx_api_keys_expires_at ON public.api_keys(expires_at) WHERE expires_at IS NOT NULL;

COMMENT ON TABLE public.api_keys IS 'User API keys for developer portal (X-API-Key auth)';
COMMENT ON COLUMN public.api_keys.prefix IS 'First 8 chars of key for display (e.g. vza_abc1)';
COMMENT ON COLUMN public.api_keys.hashed_key IS 'SHA-256 hash of full key, never stored in plaintext';
COMMENT ON COLUMN public.api_keys.scopes IS 'Array of scopes: read, write, admin';