"""portfolio_sync: opt-in encrypted backup of a user's pie.

The plaintext pie is encrypted client-side with a PIN-derived AES-GCM
key; the server wraps the ciphertext again with a key derived from
PORTFOLIO_SYNC_PEPPER + user_id. We only store the outer-wrapped bytes
plus a small rate-limit window pair for GET throttling.

Revision ID: 0015
Revises: 0014
Create Date: 2026-05-23
"""
from typing import Sequence, Union

import sqlalchemy as sa
from alembic import op


revision: str = "0015"
down_revision: Union[str, None] = "0014"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None


def upgrade() -> None:
    op.create_table(
        "portfolio_sync",
        sa.Column(
            "user_id", sa.Integer(),
            sa.ForeignKey("users.id", ondelete="CASCADE"),
            primary_key=True, nullable=False,
        ),
        sa.Column("outer_ciphertext", sa.LargeBinary(), nullable=False),
        sa.Column("outer_nonce", sa.LargeBinary(), nullable=False),
        sa.Column("version", sa.SmallInteger(), nullable=False, server_default="1"),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("fetch_window_start", sa.DateTime(timezone=True), nullable=True),
        sa.Column("fetch_count", sa.Integer(), nullable=False, server_default="0"),
    )


def downgrade() -> None:
    op.drop_table("portfolio_sync")