-- =============================================================================
-- VIBN P5.3 — per-workspace GCS storage columns on vibn_workspaces
--
-- Schema side of ensureWorkspaceGcsProvisioned(): these are the columns that
-- function persists into. Each column is described next to its definition.
--
-- Both DDL statements use IF NOT EXISTS, so this file is safe to re-run.
-- =============================================================================

ALTER TABLE vibn_workspaces
    -- The workspace's dedicated GCP service account, e.g.
    -- vibn-ws-mark@master-ai-484822.iam.gserviceaccount.com
    ADD COLUMN IF NOT EXISTS gcp_service_account_email   TEXT,

    -- base64( secret-box(SA JSON keyfile) ). Currently only used for runtime
    -- auth from app code (env injection); control-plane auth still uses
    -- GOOGLE_SERVICE_ACCOUNT_KEY_B64.
    -- NOTE(review): a TEXT column cannot tell ciphertext from plaintext.
    -- Confirm every writer encrypts before storing, and keep this column out
    -- of logs, exports and broad SELECTs.
    ADD COLUMN IF NOT EXISTS gcp_service_account_key_enc TEXT,

    -- Globally-unique GCS bucket created on first provision, e.g.
    -- vibn-ws-mark-a3f9c1.
    ADD COLUMN IF NOT EXISTS gcs_default_bucket_name     TEXT,

    -- S3-compatible HMAC access key id (plain text; not a secret on its own).
    -- It is one half of a pair with gcs_hmac_secret_enc.
    ADD COLUMN IF NOT EXISTS gcs_hmac_access_id          TEXT,

    -- base64( secret-box(HMAC secret) ). Decrypted only when
    -- STORAGE_SECRET_ACCESS_KEY needs to be injected into a Coolify app.
    -- NOTE(review): same handling as gcp_service_account_key_enc. Confirm it
    -- is always encrypted on write and never logged after decryption.
    ADD COLUMN IF NOT EXISTS gcs_hmac_secret_enc         TEXT,

    -- Tracked independently of provision_status so a partial GCP failure does
    -- not flip the whole workspace.
    -- Values: 'pending' | 'partial' | 'ready' | 'error'.
    -- Rows that already exist receive the 'pending' default.
    -- NOTE(review): the value set is documented here but not enforced. A named
    -- CHECK constraint would make the database reject anything else; confirm
    -- that no writer uses other values before adding one.
    ADD COLUMN IF NOT EXISTS gcp_provision_status        TEXT NOT NULL DEFAULT 'pending',

    -- Last error message from the GCP provisioner.
    -- NOTE(review): free text taken from an error path. Confirm the
    -- provisioner never writes key, token or keyfile content into it.
    ADD COLUMN IF NOT EXISTS gcp_provision_error         TEXT;

-- Presumably supports looking up workspaces by GCP provisioning state.
CREATE INDEX IF NOT EXISTS vibn_workspaces_gcp_status_idx
    ON vibn_workspaces (gcp_provision_status);

-- Single-row result that marks the end of the migration in the runner output.
SELECT 'P5.3 workspace-GCS migration complete' AS status;