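# ============================================================================
# K-Template Configuration
# ============================================================================
# Copy this file to .env and adjust values for your environment.
#
# The resulting .env holds secrets (cookie key, JWT key, database and OIDC
# credentials). Keep it out of version control and readable only by the
# account that runs the service.
#
# Comments are kept on their own lines. Some dotenv parsers treat text after
# a value as part of the value, so do not append "# ..." to a setting line.

# ============================================================================
# Server
# ============================================================================
# NOTE(review): presumably the listen address. 127.0.0.1 is loopback only;
# a wildcard address such as 0.0.0.0 would accept connections on every
# interface, so change it only when the service sits behind a firewall or
# reverse proxy.
HOST=127.0.0.1
PORT=3000

# ============================================================================
# Database
# ============================================================================
# SQLite (default)
DATABASE_URL=sqlite:data.db?mode=rwc
# PostgreSQL (requires postgres feature flag)
# The URL embeds the database password; use a dedicated account with only the
# privileges the application needs.
# DATABASE_URL=postgres://user:password@localhost:5432/mydb
DB_MAX_CONNECTIONS=5
DB_MIN_CONNECTIONS=1

# ============================================================================
# Cookie Secret
# ============================================================================
# Used to encrypt the OIDC state cookie (CSRF token, PKCE verifier, nonce).
# Must be at least 64 characters in production.
#
# The value below is a public placeholder. It is already longer than 64
# characters, so a length-only check would accept it unchanged: replace it
# with a random value before any deployment, for example the output of
#   openssl rand -hex 64
# Use a different value from JWT_SECRET.
COOKIE_SECRET=your-cookie-secret-key-must-be-at-least-64-characters-long-for-security!!
# Set to true when serving over HTTPS.
# NOTE(review): presumably this controls the cookie's Secure attribute; with
# false the state cookie can travel over plain HTTP, which is acceptable for
# local development only.
SECURE_COOKIE=false

# ============================================================================
# JWT
# ============================================================================
# Must be at least 32 characters in production.
#
# The value below is a public placeholder that is already longer than 32
# characters, so a length-only check would accept it unchanged. Anyone who
# knows the signing secret can mint valid tokens: replace it with a random
# value, for example the output of
#   openssl rand -hex 32
JWT_SECRET=your-jwt-secret-key-at-least-32-chars
# Optional: embed issuer/audience claims in tokens
# JWT_ISSUER=your-app-name
# JWT_AUDIENCE=your-app-audience
# Token lifetime in hours (default: 24)
# A shorter lifetime limits how long a leaked token stays usable.
JWT_EXPIRY_HOURS=24

# ============================================================================
# OIDC (optional — requires auth-oidc feature flag)
# ============================================================================
# OIDC_ISSUER=https://your-oidc-provider.com
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret
# The redirect URL must match the one registered with the provider; use an
# https:// URL outside local development.
# OIDC_REDIRECT_URL=http://localhost:3000/api/v1/auth/callback
# Optional audience claim to verify
# OIDC_RESOURCE_ID=your-resource-id

# ============================================================================
# CORS
# ============================================================================
# Comma-separated list of allowed origins. The defaults are local development
# servers; in a deployment list only the exact origins of front ends you
# control.
CORS_ALLOWED_ORIGINS=http://localhost:5173,http://localhost:3000

# ============================================================================
# Production Mode
# ============================================================================
# Set to true/production/1 to enforce minimum secret lengths and other checks.
# The checks described here are about length, so they do not prove that the
# placeholder secrets above were replaced.
PRODUCTION=false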