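# ============================================================================
# Production environment template for Legal Case Tracker
# Copy to ".env" on production host and replace ALL placeholder values.
# Never commit real secrets.
#
# Format: one KEY=VALUE assignment per line, comments on their own lines.
# NOTE(review): the loader that reads this file is not visible here. Values
# are written unquoted and without inline comments, so they are safe only for
# loaders that take the rest of the line literally. Several values contain
# spaces (the OTP templates, TOTP_ISSUER, ADMIN_BOOTSTRAP_NAME); they will
# break if the file is sourced by a shell. Confirm before changing quoting.
#
# The populated ".env" holds every credential of the deployment. Keep it
# readable only by the service account (e.g. mode 600) and out of backups
# and images that are shared more widely than the host itself.
# Generate each REPLACE_WITH_* secret independently from a CSPRNG; never
# reuse one value for two keys.
# ============================================================================

# ----------------------------------------------------------------------------
# Core
# PRODUCTION_ENFORCE_SECURE_SETTINGS presumably makes the application reject
# insecure values at start-up. Confirm which settings it covers; it should
# stay true in production.
# ----------------------------------------------------------------------------
APP_ENV=prod
PRODUCTION_ENFORCE_SECURE_SETTINGS=true
APP_NAME=legal-case-tracker

# ----------------------------------------------------------------------------
# JWT / Cookies / Origin checks
# ADMIN_JWT_SECRET and PUBLIC_JWT_SECRET must be different values, otherwise a
# token minted for one audience could validate for the other.
# A 7-day public token stays usable for its whole lifetime unless the
# application has a revocation path. Confirm that one exists.
# ----------------------------------------------------------------------------
PUBLIC_JWT_TTL_DAYS=7
ADMIN_JWT_TTL_MINUTES=240
ADMIN_JWT_SECRET=REPLACE_WITH_LONG_RANDOM_ADMIN_JWT_SECRET_64PLUS
PUBLIC_JWT_SECRET=REPLACE_WITH_LONG_RANDOM_PUBLIC_JWT_SECRET_64PLUS
PUBLIC_COOKIE_NAME=public_jwt
PUBLIC_COOKIE_SECURE=true
# SameSite=lax still sends the cookie on top-level cross-site GET navigations,
# so state-changing endpoints must not be reachable via GET. The strict origin
# check below is the complementary control and should stay enabled.
PUBLIC_COOKIE_SAMESITE=lax
PUBLIC_STRICT_ORIGIN_CHECK=true
PUBLIC_ALLOWED_WEB_ORIGINS=https://ruakb.online,https://www.ruakb.online
# With CORS_ALLOW_CREDENTIALS=true the origin list must remain an explicit
# list of https origins. Never replace it with a wildcard or a reflected
# Origin value.
CORS_ORIGINS=https://ruakb.online,https://www.ruakb.online
CORS_ALLOW_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
CORS_ALLOW_HEADERS=Authorization,Content-Type,X-Requested-With,X-Request-ID
CORS_ALLOW_CREDENTIALS=true

# ----------------------------------------------------------------------------
# Database / Redis
# Keep DATABASE_URL and POSTGRES_* password in sync.
# If the password contains URL-reserved characters (@ : / ? # %), it must be
# percent-encoded inside DATABASE_URL but written raw in POSTGRES_PASSWORD.
# NOTE(review): "postgres" is the superuser role. Consider a dedicated,
# least-privileged role for the application.
# NOTE(review): neither URL requests TLS or carries Redis credentials. That is
# acceptable only if db and redis are reachable solely on a private network.
# Otherwise enable Redis authentication and add sslmode to DATABASE_URL.
# ----------------------------------------------------------------------------
POSTGRES_USER=postgres
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_POSTGRES_PASSWORD
POSTGRES_DB=legal
DATABASE_URL=postgresql+psycopg://postgres:REPLACE_WITH_STRONG_POSTGRES_PASSWORD@db:5432/legal
REDIS_URL=redis://redis:6379/0

# ----------------------------------------------------------------------------
# Storage (S3 / MinIO)
# S3_ACCESS_KEY / S3_SECRET_KEY should belong to a service account scoped to
# S3_BUCKET, not to the MINIO_ROOT_* administrator credentials.
# Keep S3_VERIFY_SSL=true. Certificate problems are fixed through
# S3_CA_CERT_PATH, not by disabling verification.
# MAX_FILE_MB / MAX_CASE_MB: upload size limits in megabytes (per file and,
# presumably, per case in total).
# ----------------------------------------------------------------------------
S3_ENDPOINT=https://minio:9000
S3_ACCESS_KEY=REPLACE_WITH_STRONG_MINIO_ACCESS_KEY
S3_SECRET_KEY=REPLACE_WITH_STRONG_MINIO_SECRET_KEY
S3_BUCKET=legal-files
S3_REGION=us-east-1
S3_USE_SSL=true
S3_VERIFY_SSL=true
S3_CA_CERT_PATH=/etc/ssl/minio/ca.crt
MAX_FILE_MB=25
MAX_CASE_MB=250
MINIO_ROOT_USER=REPLACE_WITH_NON_DEFAULT_MINIO_USER
MINIO_ROOT_PASSWORD=REPLACE_WITH_STRONG_MINIO_ROOT_PASSWORD
MINIO_TLS_ENABLED=true

# ----------------------------------------------------------------------------
# Data encryption
# *_ENCRYPTION_KEYS uses the form <kid>=<secret>. *_ACTIVE_KID must name a kid
# that is present in the matching *_KEYS value.
# Presumably older kids must stay listed after a rotation so existing data can
# still be decrypted. Confirm against the key-loading code before removing one.
# NOTE(review): DATA_ENCRYPTION_SECRET / CHAT_ENCRYPTION_SECRET sit next to
# the kid-based keyrings and look like a single-key form of the same setting.
# Confirm whether both are still read.
# Losing these values makes encrypted data unrecoverable. Back them up
# separately from the database.
# ----------------------------------------------------------------------------
DATA_ENCRYPTION_ACTIVE_KID=k202603
DATA_ENCRYPTION_KEYS=k202603=REPLACE_WITH_LONG_RANDOM_DATA_KID_SECRET_64PLUS
CHAT_ENCRYPTION_ACTIVE_KID=k202603
CHAT_ENCRYPTION_KEYS=k202603=REPLACE_WITH_LONG_RANDOM_CHAT_KID_SECRET_64PLUS
DATA_ENCRYPTION_SECRET=REPLACE_WITH_LONG_RANDOM_DATA_ENCRYPTION_SECRET_64PLUS
CHAT_ENCRYPTION_SECRET=REPLACE_WITH_LONG_RANDOM_CHAT_ENCRYPTION_SECRET_64PLUS
INTERNAL_SERVICE_TOKEN=REPLACE_WITH_LONG_RANDOM_INTERNAL_SERVICE_TOKEN_64PLUS

# ----------------------------------------------------------------------------
# OTP / Public auth mode
# PUBLIC_AUTH_MODE: sms | email | sms_or_email | totp
# OTP_DEV_MODE must stay false in production.
# NOTE(review): OTP_AUTOTEST_FORCE_MOCK_SMS=true sits in a production template
# next to a real SMS provider. Confirm it only takes effect during automated
# test runs and cannot route real users' codes to a mock sender. If it is not
# strictly test-scoped, set it to false here.
# Rate limits are counts per OTP_RATE_LIMIT_WINDOW_SECONDS. Confirm what they
# are keyed on (phone/e-mail, IP, or both).
# ----------------------------------------------------------------------------
PUBLIC_AUTH_MODE=sms_or_email
OTP_DEV_MODE=false
OTP_AUTOTEST_FORCE_MOCK_SMS=true
OTP_RATE_LIMIT_WINDOW_SECONDS=300
OTP_SEND_RATE_LIMIT=8
OTP_VERIFY_RATE_LIMIT=20

# ----------------------------------------------------------------------------
# SMS provider
# SMS_PROVIDER: dummy | smsaero
# "dummy" must not be used in production.
# {code} in the template is replaced with the one-time code.
# ----------------------------------------------------------------------------
SMS_PROVIDER=smsaero
SMSAERO_EMAIL=REPLACE_WITH_SMSAERO_ACCOUNT_EMAIL
SMSAERO_API_KEY=REPLACE_WITH_SMSAERO_API_KEY
OTP_SMS_TEMPLATE=Ваш код подтверждения: {code}
OTP_SMS_MIN_BALANCE=20

# ----------------------------------------------------------------------------
# Email OTP / fallback
# EMAIL_PROVIDER: dummy | smtp | service
# NOTE(review): EMAIL_SERVICE_URL is plain http, so one-time codes cross this
# hop unencrypted. Keep email-service on a private network only, or move the
# URL to https.
# ----------------------------------------------------------------------------
EMAIL_PROVIDER=service
EMAIL_SERVICE_URL=http://email-service:8010
OTP_EMAIL_FALLBACK_ENABLED=true
OTP_EMAIL_SUBJECT_TEMPLATE=Код подтверждения: {code}
OTP_EMAIL_TEMPLATE=Ваш код подтверждения: {code}

# SMTP mode settings (only if EMAIL_PROVIDER=smtp)
# Port 587 is the STARTTLS submission port, which matches SMTP_USE_TLS=true.
# SMTP_USE_SSL presumably selects implicit TLS instead. Do not disable both.
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=no-reply@example.com
SMTP_PASSWORD=REPLACE_WITH_SMTP_PASSWORD
SMTP_FROM=no-reply@example.com
SMTP_USE_TLS=true
SMTP_USE_SSL=false

# ----------------------------------------------------------------------------
# Admin auth / bootstrap
# ADMIN_BOOTSTRAP_ENABLED must be false in production.
# If bootstrap is enabled temporarily to create the first administrator, use a
# one-off password, change it right after first login, then set the flag back
# to false and remove the password from this file.
# ----------------------------------------------------------------------------
ADMIN_AUTH_MODE=password_totp_required
TOTP_ISSUER=Правовой Трекер
ADMIN_BOOTSTRAP_ENABLED=false
ADMIN_BOOTSTRAP_EMAIL=admin@example.com
ADMIN_BOOTSTRAP_PASSWORD=REPLACE_WITH_TEMP_BOOTSTRAP_PASSWORD
ADMIN_BOOTSTRAP_NAME=Администратор системы

# ----------------------------------------------------------------------------
# Telegram notifications
# The bot token gives full control of the bot. Treat it like any other secret.
# ----------------------------------------------------------------------------
TELEGRAM_BOT_TOKEN=REPLACE_WITH_TELEGRAM_BOT_TOKEN
TELEGRAM_CHAT_ID=REPLACE_WITH_TELEGRAM_CHAT_ID

# ----------------------------------------------------------------------------
# Attachment security scan (ClamAV)
# ATTACHMENT_SCAN_ENFORCE=true presumably rejects an upload when the scan
# fails or the scanner is unreachable (fail-closed). Confirm, and keep it true.
# NOTE(review): an allow-list of MIME types is only effective if the type is
# determined from file content on the server, not taken from the client.
# ----------------------------------------------------------------------------
ATTACHMENT_SCAN_ENABLED=true
ATTACHMENT_SCAN_ENFORCE=true
ATTACHMENT_ALLOWED_MIME_TYPES=application/pdf,image/jpeg,image/png,video/mp4,text/plain
CLAMAV_ENABLED=true
CLAMAV_HOST=clamav
CLAMAV_PORT=3310
CLAMAV_TIMEOUT_SECONDS=20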