tests(server): UserAgent bootstrap token auth flow test

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -0,0 +1,31 @@
+create table if not exists aead_encrypted (
+    id INTEGER not null PRIMARY KEY,
+    current_nonce integer not null default(1), -- if re-encrypted, this should be incremented
+    ciphertext blob not null,
+    tag blob not null,
+    schema_version integer not null default(1) -- server would need to reencrypt, because this means that we have changed algorithm
+) STRICT;
+
+-- This is a singleton
+create table if not exists arbiter_settings (
+    id INTEGER not null PRIMARY KEY CHECK (id = 1), -- singleton row, id must be 1
+    root_key_id integer references aead_encrypted (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
+    cert_key blob not null,
+    cert blob not null
+) STRICT;
+
+create table if not exists useragent_client (
+    id integer not null primary key,
+    nonce integer not null default (1), -- used for auth challenge
+    public_key blob not null,
+    created_at integer not null default(unixepoch ('now')),
+    updated_at integer not null default(unixepoch ('now'))
+) STRICT;
+
+create table if not exists program_client (
+    id integer not null primary key,
+    nonce integer not null default (1), -- used for auth challenge
+    public_key blob not null,
+    created_at integer not null default(unixepoch ('now')),
+    updated_at integer not null default(unixepoch ('now'))
+) STRICT;