-- Hammerhead Workspace - Patch 2: Two-Factor Auth + System Settings
-- Safe to re-run (uses IF NOT EXISTS / ON DUPLICATE KEY UPDATE).

ALTER TABLE `superadmins`
  ADD COLUMN IF NOT EXISTS `two_factor_enabled` tinyint(1) NOT NULL DEFAULT 0,
  ADD COLUMN IF NOT EXISTS `two_factor_secret` varchar(64) DEFAULT NULL;

ALTER TABLE `managers`
  ADD COLUMN IF NOT EXISTS `two_factor_enabled` tinyint(1) NOT NULL DEFAULT 0,
  ADD COLUMN IF NOT EXISTS `two_factor_secret` varchar(64) DEFAULT NULL;

ALTER TABLE `employees`
  ADD COLUMN IF NOT EXISTS `two_factor_enabled` tinyint(1) NOT NULL DEFAULT 0,
  ADD COLUMN IF NOT EXISTS `two_factor_secret` varchar(64) DEFAULT NULL;

CREATE TABLE IF NOT EXISTS `system_settings` (
  `setting_key` varchar(100) NOT NULL,
  `setting_value` longtext DEFAULT NULL,
  `updated_at` timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  PRIMARY KEY (`setting_key`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

INSERT INTO `system_settings` (`setting_key`, `setting_value`) VALUES
  ('app_name', 'Hammerhead Workspace'),
  ('require_2fa_for_admins', '0'),
  ('session_timeout_minutes', '120'),
  ('max_login_attempts', '5')
ON DUPLICATE KEY UPDATE `setting_value` = `setting_value`;
