# Copy to `.env` and fill in real values. Never commit `.env`.

# === Runtime mode ===
# `dev` allows the placeholder secrets below (only on a workstation).
# Anything else (`prod`, `staging`) forces strong values — the API refuses to boot otherwise.
APP_ENV=dev

# === Postgres ===
POSTGRES_DB=metamorph
POSTGRES_USER=metamorph
POSTGRES_PASSWORD=change-me-strong
POSTGRES_HOST=db
POSTGRES_PORT=5432

# === Backend (Flask API) ===
# Generate with: python -c "import secrets; print(secrets.token_urlsafe(64))"
JWT_SECRET=change-me-to-a-long-random-string
LOG_LEVEL=INFO
# Comma-separated list of allowed origins for CORS (no trailing slash)
FRONT_ORIGIN=http://localhost:8080
# Where uploaded evidence files are stored inside the api container
EVIDENCE_DIR=/data/evidence

# === Frontend (build-time) ===
# Base URL the front uses to reach the API. In compose the nginx of the front
# proxies /api/* to the api service, so an empty/relative value is fine.
VITE_API_BASE_URL=/api/v1

# === Compose port mappings (host side) ===
HOST_API_PORT=8000
HOST_FRONT_PORT=8080