-- Selector+verifier tokens: make verifyToken O(1) instead of an O(n) bcrypt scan
-- over every non-revoked token (code-review-2026-06-01.md / security-sweep HIGH).
-- The selector is a non-secret public lookup key; the verifier stays bcrypt-hashed
-- in token_hash. Legacy rows keep selector NULL and verify via the fallback path.
ALTER TABLE agent_tokens ADD COLUMN IF NOT EXISTS selector text;

-- One row per selector (partial: legacy NULLs are exempt).
CREATE UNIQUE INDEX IF NOT EXISTS idx_agent_tokens_selector
  ON agent_tokens(selector) WHERE selector IS NOT NULL;

-- The old hash index was useless — bcrypt hashes can't be looked up by value.
DROP INDEX IF EXISTS idx_agent_tokens_hash;