-- 012_disk_encryption.sql: Disk Encryption Detection plugin (全盘加密检测)

-- BitLocker / encryption status per device drive
CREATE TABLE IF NOT EXISTS disk_encryption_status (
    id              INTEGER PRIMARY KEY AUTOINCREMENT,
    device_uid      TEXT NOT NULL,
    drive_letter    TEXT NOT NULL,          -- e.g. "C:", "D:"
    volume_name     TEXT,
    encryption_method TEXT,                 -- "BitLocker", "None", "Unknown"
    protection_status TEXT NOT NULL DEFAULT 'Unknown', -- "On", "Off", "Unknown"
    encryption_percentage REAL NOT NULL DEFAULT 0,
    lock_status     TEXT NOT NULL DEFAULT 'Unknown',    -- "Locked", "Unlocked"
    reported_at     TEXT NOT NULL DEFAULT (datetime('now')),
    updated_at      TEXT NOT NULL DEFAULT (datetime('now')),
    FOREIGN KEY (device_uid) REFERENCES devices(device_uid),
    UNIQUE(device_uid, drive_letter)
);

-- Compliance alerts when unencrypted drives detected
CREATE TABLE IF NOT EXISTS encryption_alerts (
    id              INTEGER PRIMARY KEY AUTOINCREMENT,
    device_uid      TEXT NOT NULL,
    drive_letter    TEXT NOT NULL,
    alert_type      TEXT NOT NULL DEFAULT 'not_encrypted', -- "not_encrypted", "encryption_paused", "decrypted"
    status          TEXT NOT NULL DEFAULT 'open',           -- "open", "acknowledged", "resolved"
    created_at      TEXT NOT NULL DEFAULT (datetime('now')),
    resolved_at     TEXT,
    FOREIGN KEY (device_uid) REFERENCES devices(device_uid)
);