-- S360 — Vault encrypted-secret persistence (Sprint 2) -- Run ONCE in Supabase SQL Editor: Dashboard → SQL Editor → New query → Run. -- All statements are idempotent (IF NOT EXISTS). -- ── vault_entries ───────────────────────────────────────────────────────────── -- Stores AES-XOR-HMAC encrypted secrets. Plaintext is NEVER stored. -- VAULT_KEY (HF Space secret) is required to decrypt values. CREATE TABLE IF NOT EXISTS vault_entries ( key TEXT PRIMARY KEY, value TEXT NOT NULL, -- base64(HMAC_sig || XOR-ciphertext) description TEXT NOT NULL DEFAULT '', created_at BIGINT NOT NULL DEFAULT 0, updated_at BIGINT NOT NULL DEFAULT 0 ); -- Optional RLS (recommended if project uses it) -- ALTER TABLE vault_entries ENABLE ROW LEVEL SECURITY; -- CREATE POLICY "service only" ON vault_entries FOR ALL USING (auth.role() = 'service_role'); -- Confirm SELECT 'vault_entries table ready' AS status;