# Postgres connection string used by the web + worker binaries (and `just migrate`).
DATABASE_URL=postgres://xtablo:xtablo@localhost:5432/xtablo?sslmode=disable

# Postgres connection string used by integration tests (auth, session, etc.).
# Falls back to DATABASE_URL if unset; tests skip if neither is set.
# The test harness creates an isolated schema per test run and drops it on cleanup.
# DEV/TEST ONLY — do NOT include TEST_DATABASE_URL in .env.prod (not used at runtime).
TEST_DATABASE_URL=postgres://xtablo:xtablo@localhost:5432/xtablo?sslmode=disable

# Session secret — 32 random bytes hex-encoded. Used as the CSRF authentication key.
# Generate a new value with: openssl rand -hex 32
# MUST be persistent across restarts (changing it invalidates all active CSRF tokens).
SESSION_SECRET=

# ---------------------------------------------------------------------------
# Social sign-in providers (optional in local/dev)
# ---------------------------------------------------------------------------

# Google OAuth/OIDC. Leave blank to render a disabled Google button locally.
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_REDIRECT_URL=http://localhost:8080/auth/google/callback

# HTTP port for cmd/web.
PORT=8080

# Environment selector: "development" enables the slog text handler; "production" switches to JSON.
ENV=development

# ---------------------------------------------------------------------------
# S3-compatible object storage (Cloudflare R2 in production, MinIO in dev)
# ---------------------------------------------------------------------------

# S3 endpoint URL.
# Dev (MinIO):        http://localhost:9000
# Production (R2):    https://<account-id>.r2.cloudflarestorage.com  (D-06)
S3_ENDPOINT=http://localhost:9000

# S3 bucket name.
S3_BUCKET=xtablo-dev

# S3 region. Cloudflare R2 accepts "auto" or a standard region token; "us-east-1" is safe default.
S3_REGION=us-east-1

# S3 access key. Dev (MinIO default): minioadmin — CHANGE for production R2.
S3_ACCESS_KEY=your-access-key-id

# S3 secret key. Dev (MinIO default): minioadmin — CHANGE for production R2.
S3_SECRET_KEY=your-secret-access-key

# Use path-style S3 URLs.
# true  — for MinIO and other self-hosted S3 (path-style: http://host/bucket/key).
# false — for Cloudflare R2 (virtual-hosted-style: https://bucket.host/key).
S3_USE_PATH_STYLE=true

# Maximum file upload size in megabytes. Default 25 if unset.
MAX_UPLOAD_SIZE_MB=25

# ---------------------------------------------------------------------------
# Production domain (used in docker-compose.prod.yaml for Caddy TLS — D-04)
# ---------------------------------------------------------------------------

# Uncomment and set to your domain in .env.prod.
# DOMAIN=app.yourdomain.com