-- Migration: file_asset_encryption columns
-- Phase 1.5 - Adds envelope encryption metadata to form_file_asset.

-- Each statement uses IF NOT EXISTS, so re-running the migration is a no-op for
-- columns that already exist. Note that IF NOT EXISTS only checks the column
-- name: a pre-existing column with a different type or nullability is left as is.
--
-- All metadata columns below are nullable with no default, so rows that exist
-- before this migration get NULL in each of them.

-- Presumably the per-file data encryption key (DEK) wrapped under the KEK; this
-- column should only ever hold the wrapped form, never a plaintext DEK.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS dek_wrapped BYTEA;
-- Presumably the content-encryption algorithm identifier used with the DEK.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS dek_alg VARCHAR(32);
-- NOTE(review): nothing in this schema enforces nonce uniqueness. If dek_alg is
-- a nonce-based AEAD, the writer must guarantee a nonce is never reused under
-- the same DEK - confirm in the application code.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS nonce BYTEA;
-- Presumably the identifier of the key-encryption key (KEK) in the key store;
-- an identifier, not key material - verify against the writer.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS kek_key_id VARCHAR(512);
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS kek_version VARCHAR(128);
-- Presumably the algorithm used to wrap the DEK under the KEK.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS wrap_alg VARCHAR(64);
-- NOT NULL DEFAULT FALSE marks every pre-existing row as not encrypted.
-- NOTE(review): no constraint ties encrypted = TRUE to the presence of
-- dek_wrapped / nonce / kek_key_id, so a row can claim to be encrypted without
-- the metadata needed to decrypt it (or carry metadata while flagged FALSE).
-- Consider a CHECK constraint once the writer's contract is confirmed.
ALTER TABLE form_file_asset ADD COLUMN IF NOT EXISTS encrypted BOOLEAN NOT NULL DEFAULT FALSE;

-- Index for lookups by kek_version; presumably used to find assets still wrapped
-- under an older KEK version during key rotation - TODO confirm the query.
CREATE INDEX IF NOT EXISTS idx_form_file_asset_kek_version ON form_file_asset(kek_version);


