# Server
PUBLIC_PORT=3000
INTERNAL_PORT=3001
INTERNAL_HOST=127.0.0.1

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/halobestie

# Valkey / Redis
VALKEY_URL=redis://localhost:6379

# Control center origin (for CORS + refresh-cookie). Comma-separated list allowed.
CC_ORIGIN=http://localhost:5173

# --- Auth (Phase 3.4) ---

# JWT access token signing key (HS256). Must be >= 32 chars.
AUTH_JWT_SECRET=replace-with-strong-random-32+char-secret
ACCESS_TOKEN_TTL_SECONDS=3600
REFRESH_TOKEN_TTL_DAYS=30

# Fazpass (OTP provider — TBD real values once docs are available)
FAZPASS_API_KEY=
FAZPASS_BASE_URL=
FAZPASS_WEBHOOK_SECRET=

# Google OAuth — comma-separated list of valid audience client IDs (Android, iOS).
GOOGLE_OAUTH_CLIENT_IDS=

# Apple Sign In
APPLE_SERVICES_ID=
APPLE_TEAM_ID=
APPLE_KEY_ID=
APPLE_PRIVATE_KEY=

# First super-admin (used by seed script)
ADMIN_EMAIL=admin@halobestie.com
ADMIN_PASSWORD=ChangeMe123!

# --- FCM (kept — only Messaging is used; Auth is self-managed) ---
# Path to Firebase service-account JSON (falls back to backend/firebase-service-account.json)
FIREBASE_SERVICE_ACCOUNT_PATH=

# --- Phase 5: Xendit (dev-safe defaults: integration disabled) ---
#
# Flip XENDIT_ENABLED=true in staging/prod once secret + webhook token are populated.
# When false, payment.service.js skips invoice creation and the dev/Maestro stub
# /internal/_test/force-confirm-payment plays the role of the webhook.
# See requirement/phase5-xendit-plan.md.
XENDIT_ENABLED=false
XENDIT_SECRET_KEY=
XENDIT_WEBHOOK_TOKEN=
XENDIT_SUCCESS_REDIRECT_URL=
XENDIT_FAILURE_REDIRECT_URL=