chore(migrations): renumber 014/015/016 -> 015/016/017 to avoid collision with master 014_card_files

backend/migrations/017_mcp_tokens.sql

@@ -0,0 +1,26 @@
+-- Per-user MCP access tokens. Users mint tokens from the settings UI and
+-- paste them into their local Claude (`claude mcp add --transport http ...`).
+-- The plaintext token is shown ONCE at creation time; we only store the hash.
+--
+-- token_hash is a SHA-256 hex digest of the plaintext token. Lookup on
+-- incoming requests: hash the bearer, look up the row, accept if not revoked.
+--
+-- revoked_at is NULL for active tokens. Tokens are never deleted (audit
+-- trail); revocation is a soft delete.
+CREATE TABLE IF NOT EXISTS mcp_tokens (
+    id            TEXT PRIMARY KEY,
+    user_id       TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    token_hash    TEXT NOT NULL UNIQUE,
+    name          TEXT NOT NULL DEFAULT '',
+    created_at    TEXT NOT NULL,
+    last_used_at  TEXT,
+    revoked_at    TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_mcp_tokens_user_active
+    ON mcp_tokens(user_id)
+    WHERE revoked_at IS NULL;
+
+CREATE INDEX IF NOT EXISTS idx_mcp_tokens_hash_active
+    ON mcp_tokens(token_hash)
+    WHERE revoked_at IS NULL;