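-- =====================================================================
-- IDENTITY SCHEMA — Part 22: external OAuth provider config (Google, …)
-- Admin-editable client credentials for social login. Read by identity at
-- login time; secrets never leave the server (masked in the admin API).
-- =====================================================================

SET search_path TO identity, public;

-- The table and the seed row are schema-qualified on purpose. An unqualified
-- CREATE TABLE goes to the first schema in search_path that exists, so with
-- "identity, public" a missing identity schema would silently place this
-- credential table in public. Qualifying the name makes that case fail
-- instead.
CREATE TABLE IF NOT EXISTS identity.oauth_config (
    provider      TEXT PRIMARY KEY,   -- 'google' (extensible: 'github', …)
    client_id     TEXT,
    -- NOTE(review): held as plain TEXT, so any role with SELECT on this table
    -- can read the secret. Masking in the admin API does not cover direct
    -- database access: confirm that grants limit reads to the identity
    -- service role, and that backups/dumps of this table are handled as
    -- secret material.
    client_secret TEXT,
    redirect_uri  TEXT,               -- must match the provider console
    -- NOTE(review): nothing here stops enabled = TRUE while client_id,
    -- client_secret or redirect_uri is still NULL. Confirm the login path
    -- treats such a row as disabled, or add a CHECK once the admin write
    -- path is known to set credentials before enabling.
    enabled       BOOLEAN NOT NULL DEFAULT FALSE,
    -- Set on INSERT only; this file defines no trigger, so an UPDATE must
    -- set updated_at itself for it to reflect the last credential change.
    updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Seed a disabled placeholder row for Google (all credential columns NULL,
-- enabled defaults to FALSE). Re-running the migration leaves an existing,
-- possibly configured, row untouched.
INSERT INTO identity.oauth_config (provider)
VALUES ('google')
ON CONFLICT (provider) DO NOTHING;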