-- web_sessions: browser "passwordless re-login". The opaque cookie token is -- never stored; id holds its SHA-256, so a DB leak yields no usable cookie. -- refresh_token is AES-256-GCM ciphertext (key lives in the container env, not -- the DB). 7-day sliding window: every refresh rotates the token and pushes -- expires_at forward; idle sessions are reaped by DeleteExpiredWebSessions. -- name: CreateWebSession :exec INSERT INTO web_sessions (id, user_id, refresh_token, device_name, user_agent, created_at, last_used_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?); -- name: GetWebSession :one SELECT id, user_id, refresh_token, device_name, user_agent, created_at, last_used_at, expires_at FROM web_sessions WHERE id = ?; -- name: RotateWebSession :exec UPDATE web_sessions SET refresh_token = ?, last_used_at = ?, expires_at = ? WHERE id = ?; -- name: SetWebSessionDevice :exec UPDATE web_sessions SET device_name = ? WHERE id = ?; -- name: DeleteWebSession :exec DELETE FROM web_sessions WHERE id = ?; -- name: DeleteExpiredWebSessions :execrows DELETE FROM web_sessions WHERE expires_at < ?;