-- Audit log gets two new columns so the inspector can surface system
-- events alongside user actions on a single timeline.
--
--   severity: 'info' | 'warning' | 'error' | 'critical'
--             default 'info'. Most user actions are 'info'; a permission
--             denied is 'warning'; a webhook DLQ entry is 'error'; a
--             hard-delete or a CRITICAL alert is 'critical'.
--
--   source:   'user' | 'system' | 'auth' | 'webhook' | 'cron' | 'job'
--             default 'user'. Lets the UI filter "show me only the
--             system events" without grepping action names.
--
-- Both default-friendly + nullable-friendly so the back-history rows
-- retain their existing semantics ('user' / 'info').

ALTER TABLE audit_logs
  ADD COLUMN IF NOT EXISTS severity text NOT NULL DEFAULT 'info',
  ADD COLUMN IF NOT EXISTS source text NOT NULL DEFAULT 'user';

CREATE INDEX IF NOT EXISTS idx_al_severity ON audit_logs (port_id, severity, created_at);
CREATE INDEX IF NOT EXISTS idx_al_source ON audit_logs (port_id, source, created_at);