-- 20260416_06_employee_google_oauth.sql
-- Per-user Google OAuth (SSO + Calendar + Drive). Refresh tokens encrypted at rest (application layer).

-- One row per employee: the linked Google identity plus the OAuth refresh token
-- (stored as application-layer ciphertext) used for SSO, Calendar and Drive.
CREATE TABLE IF NOT EXISTS employee_google_oauth (
    -- Owning employee. As the primary key, it limits each employee to one linked Google account.
    -- NOTE(review): employees.id is not visible in this migration. MySQL requires string
    -- foreign-key columns to share character set and collation with the referenced
    -- column, so employees.id must also be utf8mb4 / utf8mb4_bin -- confirm.
    employee_id VARCHAR(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,

    -- Google account identifier (presumably the OIDC `sub` claim -- confirm against the writer).
    -- utf8mb4_bin makes comparisons byte-exact and case-sensitive, so two identifiers
    -- differing only in case are never treated as the same account.
    google_sub VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,

    -- Refresh token ciphertext; per the file header it is encrypted by the application
    -- before it reaches the database.
    -- NOTE(review): confidentiality of this column depends on the encryption key being
    -- held outside this database; key storage and rotation are not shown here.
    refresh_token_enc TEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,

    -- OAuth scopes recorded for this grant. Exact JSON shape is not defined here
    -- (presumably an array of scope strings -- verify against the application code).
    scopes_json JSON NOT NULL,

    -- Last modification time of the row; MySQL refreshes it on every UPDATE of the row,
    -- not only when the token itself changes.
    updated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,

    PRIMARY KEY (employee_id),

    -- A given Google account can be linked to at most one employee.
    UNIQUE KEY uq_employee_google_oauth_sub (google_sub),

    -- Deleting the employee row deletes this row as well.
    -- NOTE(review): the cascade only discards the local copy of the token; confirm the
    -- offboarding path also revokes the grant on the Google side.
    CONSTRAINT fk_employee_google_oauth_employee
        FOREIGN KEY (employee_id)
        REFERENCES employees (id)
        ON DELETE CASCADE
)
    ENGINE=InnoDB
    -- Table default collation is case-insensitive; every string column above overrides it
    -- with utf8mb4_bin, so the default would only apply to string columns added later
    -- without an explicit collation.
    DEFAULT CHARSET=utf8mb4
    COLLATE=utf8mb4_unicode_ci;
