-- H1 Security Fix: password_version for JWT invalidation on password change
-- When password changes, password_version increments, invalidating all existing JWTs

ALTER TABLE accounts ADD COLUMN IF NOT EXISTS password_version INTEGER NOT NULL DEFAULT 1;

-- Failed login tracking for account lockout (M2)
ALTER TABLE accounts ADD COLUMN IF NOT EXISTS failed_login_count INTEGER NOT NULL DEFAULT 0;
ALTER TABLE accounts ADD COLUMN IF NOT EXISTS locked_until TIMESTAMPTZ;