-- OIDC config: single-row table holding the runtime-mutable
-- OpenID Connect provider settings. Updated via the dialectic-cli
-- `config oidc` subcommand, NOT via env. Env-only config (OIDCIssuer /
-- OIDCClientID in config.go) is kept as fallback for first-boot
-- bootstrap but the DB row wins when present + enabled.
--
-- Mirrors Fabric.Backend.Center's oidc_configs table — same fields,
-- same semantics. One row enforced by id='singleton'.

CREATE TABLE oidc_config (
  id                  VARCHAR(16)  NOT NULL PRIMARY KEY DEFAULT 'singleton',
  issuer              VARCHAR(255) NOT NULL DEFAULT '',
  client_id           VARCHAR(255) NOT NULL DEFAULT '',
  client_secret       TEXT         NOT NULL,
  redirect_uri        VARCHAR(255) NOT NULL DEFAULT '',
  post_login_redirect VARCHAR(255) NOT NULL DEFAULT '',
  scopes              VARCHAR(255) NOT NULL DEFAULT 'openid email profile',
  enabled             TINYINT(1)   NOT NULL DEFAULT 0,
  created_at          TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
  updated_at          TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

INSERT INTO oidc_config (id, client_secret) VALUES ('singleton', '');