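-- federation_partners: trusted external identity providers whose tokens this IdP will accept.
-- A partner is identified by its issuer URL. Its JWKS are fetched from jwks_uri and cached.
-- allowed_organizations is an optional allowlist of organization_id values from the partner's tokens.
-- An empty array means all organizations from this partner are accepted.
--
-- The documented value sets (status, allowed_organizations shape) are enforced here as named
-- CHECK constraints so every writer, not just the application, is held to them.
-- NOTE(review): gen_random_uuid() is built in from PostgreSQL 13; older servers need pgcrypto — confirm target version.
CREATE TABLE IF NOT EXISTS federation_partners (
    id                    UUID         PRIMARY KEY DEFAULT gen_random_uuid(),
    name                  VARCHAR(255) NOT NULL,
    -- issuer is the trust anchor; it must be unique so one token 'iss' maps to exactly one partner.
    issuer                VARCHAR(512) NOT NULL,
    -- NOTE(review): keys fetched from here decide which tokens are trusted; the fetcher is expected
    -- to require TLS and to cache per partner — confirm in the JWKS fetch path.
    jwks_uri              VARCHAR(512) NOT NULL,
    -- JSON array of organization_id strings; '[]' means no restriction.
    allowed_organizations JSONB        NOT NULL DEFAULT '[]',
    -- 'active' | 'suspended' | 'expired'
    status                VARCHAR(32)  NOT NULL DEFAULT 'active',
    created_at            TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
    updated_at            TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
    -- NULL means never expires. Presumably token acceptance checks both status = 'active'
    -- and expires_at (NULL or in the future) — confirm in the acceptance path.
    expires_at            TIMESTAMPTZ,

    CONSTRAINT federation_partners_issuer_key
        UNIQUE (issuer),
    CONSTRAINT federation_partners_status_check
        CHECK (status IN ('active', 'suspended', 'expired')),
    -- allowlist must be a JSON array, never an object/scalar/null literal
    CONSTRAINT federation_partners_allowed_organizations_check
        CHECK (jsonb_typeof(allowed_organizations) = 'array')
);

-- Kept for compatibility with anything that references this index by name; it duplicates the
-- index created by federation_partners_issuer_key and can be dropped in a later migration.
CREATE INDEX IF NOT EXISTS idx_federation_partners_issuer ON federation_partners (issuer);

-- Lookups by status (e.g. listing active partners) are expected to be frequent.
CREATE INDEX IF NOT EXISTS idx_federation_partners_status ON federation_partners (status);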