-- 20260511000000_user_api_keys.sql
--
-- Stores user-provisioned AI provider API keys.
-- Service role only — the web backend verifies the user JWT before
-- reading or writing. No public or anon access.

CREATE TABLE IF NOT EXISTS public.user_api_keys (
    id          uuid         DEFAULT gen_random_uuid() PRIMARY KEY,
    user_id     uuid         NOT NULL,
    provider    text         NOT NULL,  -- 'openai' | 'anthropic' | 'gemini' | 'grok'
    key_value   text         NOT NULL DEFAULT '',
    created_at  timestamptz  DEFAULT now(),
    updated_at  timestamptz  DEFAULT now(),
    UNIQUE(user_id, provider)
);

ALTER TABLE public.user_api_keys ENABLE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS "service only" ON public.user_api_keys;
CREATE POLICY "service only" ON public.user_api_keys USING (false);