"""Add SSH host key columns to devices table.

Adds columns for SSH config backup support:
- ssh_port: SSH port override (default 22)
- ssh_host_key_fingerprint: TOFU host key fingerprint (SHA256:base64)
- ssh_host_key_first_seen: when the host key was first observed
- ssh_host_key_last_verified: when the host key was last verified

Grants UPDATE on SSH columns to poller_user for TOFU persistence.

Revision ID: 028
Revises: 027
Create Date: 2026-03-13
"""

revision = "028"
down_revision = "027"
branch_labels = None
depends_on = None

from alembic import op
import sqlalchemy as sa


def upgrade() -> None:
    conn = op.get_bind()

    conn.execute(sa.text(
        "ALTER TABLE devices ADD COLUMN ssh_port INTEGER DEFAULT 22"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices ADD COLUMN ssh_host_key_fingerprint TEXT"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices ADD COLUMN ssh_host_key_first_seen TIMESTAMPTZ"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices ADD COLUMN ssh_host_key_last_verified TIMESTAMPTZ"
    ))

    # Grant poller_user UPDATE on SSH columns for TOFU host key persistence
    conn.execute(sa.text(
        "GRANT UPDATE (ssh_host_key_fingerprint, ssh_host_key_first_seen, ssh_host_key_last_verified) ON devices TO poller_user"
    ))


def downgrade() -> None:
    conn = op.get_bind()

    conn.execute(sa.text(
        "REVOKE UPDATE (ssh_host_key_fingerprint, ssh_host_key_first_seen, ssh_host_key_last_verified) ON devices FROM poller_user"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices DROP COLUMN ssh_host_key_last_verified"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices DROP COLUMN ssh_host_key_first_seen"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices DROP COLUMN ssh_host_key_fingerprint"
    ))
    conn.execute(sa.text(
        "ALTER TABLE devices DROP COLUMN ssh_port"
    ))