fold sql into dd.sql

README.md

@@ -111,9 +111,8 @@ X-FMSG-Act-As: @user_bot@example.com
 The requested address must be granted to the authenticated user and must exist
 in fmsgid.
 
-Apply [dd.sql](dd.sql) before enabling API-key auth. Existing
-deployments that already applied the earlier API-key table should apply
-[api_keys_delegation.sql](api_keys_delegation.sql).
+Apply [dd.sql](dd.sql) before enabling API-key auth. The file is idempotent and
+also upgrades deployments that previously applied the earlier API-key table.
 
 To set a custom per-owner grant limit, insert an owner config row:
 

dd.sql

@@ -31,6 +31,28 @@ CREATE TABLE IF NOT EXISTS fmsg_api_sub_account (
     CHECK (agent = '' OR agent NOT LIKE '%\_%' ESCAPE '\')
 );
 
+ALTER TABLE fmsg_api_sub_account
+    ADD COLUMN IF NOT EXISTS grant_type text NOT NULL DEFAULT 'derived_sub_account';
+
+ALTER TABLE fmsg_api_sub_account
+    ADD COLUMN IF NOT EXISTS display_name text;
+
+ALTER TABLE fmsg_api_sub_account
+    DROP CONSTRAINT IF EXISTS fmsg_api_sub_account_sub_addr_key;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1
+        FROM pg_constraint
+        WHERE conname = 'fmsg_api_sub_account_grant_type_check'
+    ) THEN
+        ALTER TABLE fmsg_api_sub_account
+            ADD CONSTRAINT fmsg_api_sub_account_grant_type_check
+            CHECK (grant_type IN ('derived_sub_account', 'delegated_identity'));
+    END IF;
+END $$;
+
 CREATE INDEX IF NOT EXISTS fmsg_api_sub_account_owner_idx
     ON fmsg_api_sub_account ((lower(owner_addr)));