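# Environment variables for the MapleFile backend (development defaults).
# One KEY=VALUE pair per line; comments are full lines starting with '#'.
# The values below are development placeholders. Real secrets (JWT_SECRET,
# database/cache passwords, S3 keys, MAILGUN_API_KEY) belong in the
# deployment's secret store, not in a committed copy of this file.

# Application
APP_ENVIRONMENT=development
APP_VERSION=0.1.0
APP_DATA_DIRECTORY=./data

# Server
# 0.0.0.0 listens on every interface.
# NOTE(review): presumably required so the port is reachable from outside the
# container; when running outside Docker, 127.0.0.1 keeps the API off the
# local network - confirm.
SERVER_HOST=0.0.0.0
SERVER_PORT=8000
SERVER_READ_TIMEOUT=30s
SERVER_WRITE_TIMEOUT=30s
SERVER_IDLE_TIMEOUT=60s
SERVER_SHUTDOWN_TIMEOUT=10s

# ============================================================================
# Cassandra Database Configuration
# ============================================================================
# Default: Docker development (task dev)
# For running OUTSIDE Docker (./maplefile-backend daemon):
#   Change to: DATABASE_HOSTS=localhost:9042
# Note: Uses shared infrastructure at monorepo/cloud/infrastructure/development
# The shared dev cluster has 3 nodes: cassandra-1, cassandra-2, cassandra-3
DATABASE_HOSTS=cassandra-1,cassandra-2,cassandra-3
DATABASE_KEYSPACE=maplefile
DATABASE_CONSISTENCY=QUORUM
# Empty credentials are the development default.
# NOTE(review): presumably the shared dev cluster runs without authentication -
# confirm. Any non-development cluster should have both values set.
DATABASE_USERNAME=
DATABASE_PASSWORD=
DATABASE_MIGRATIONS_PATH=./migrations
# NOTE(review): presumably applies ./migrations at startup; confirm whether
# production should run migrations as a separate, reviewed step instead.
DATABASE_AUTO_MIGRATE=true
DATABASE_CONNECT_TIMEOUT=10s
DATABASE_REQUEST_TIMEOUT=5s
DATABASE_REPLICATION=3
DATABASE_MAX_RETRIES=3
DATABASE_RETRY_DELAY=1s

# ============================================================================
# Redis Cache Configuration
# ============================================================================
# Default: Docker development (task dev)
# For running OUTSIDE Docker (./maplefile-backend daemon):
#   Change to: CACHE_HOST=localhost
# Note: Uses shared infrastructure at monorepo/cloud/infrastructure/development
CACHE_HOST=redis
CACHE_PORT=6379
# Empty password is the development default. This Redis instance is also used
# for leader election (see "Leader Election Configuration"), so outside
# development it should require a password and not be reachable from
# untrusted networks.
CACHE_PASSWORD=
CACHE_DB=0

# ============================================================================
# S3 Object Storage Configuration (SeaweedFS)
# ============================================================================
# Default: Docker development (task dev) with SeaweedFS
# For running OUTSIDE Docker with SeaweedFS:
#   Change to: S3_ENDPOINT=http://localhost:8333
# For AWS S3:
#   S3_ENDPOINT can be left empty or set to https://s3.amazonaws.com
# For S3-compatible services (DigitalOcean Spaces, MinIO, etc.):
#   S3_ENDPOINT should be the service endpoint
# Note: Uses shared infrastructure at monorepo/cloud/infrastructure/development
# SeaweedFS development settings (accepts any credentials):
# Using nginx-s3-proxy on port 8334 for CORS-enabled access from frontend
S3_ENDPOINT=http://seaweedfs:8333
S3_PUBLIC_ENDPOINT=http://localhost:8334
# "any" only works because the development SeaweedFS accepts any credentials.
# Real providers need real keys, supplied from the secret store.
S3_ACCESS_KEY=any
S3_SECRET_KEY=any
S3_BUCKET=maplefile
S3_REGION=us-east-1
# Plain HTTP is a development setting; with a real provider use an https
# endpoint and S3_USE_SSL=true so keys and object data are not sent in clear.
S3_USE_SSL=false
# S3_USE_PATH_STYLE: true for SeaweedFS/MinIO (dev), false for DigitalOcean Spaces/AWS S3 (prod)
S3_USE_PATH_STYLE=true

# JWT Authentication
# JWT_SECRET is a placeholder. Because this value is public, tokens signed
# with it cannot be trusted: every environment other than local development
# needs its own long random secret (for example the output of
# `openssl rand -base64 48`), kept out of version control.
# NOTE(review): not visible here whether the backend refuses to start when
# APP_ENVIRONMENT is not development and the placeholder is still set -
# worth confirming or adding.
JWT_SECRET=change-me-in-production
JWT_ACCESS_TOKEN_DURATION=15m
# JWT_REFRESH_TOKEN_DURATION: Default 168h (7 days). For enhanced security, consider 24h-48h.
# Shorter durations require more frequent re-authentication but limit token exposure window.
JWT_REFRESH_TOKEN_DURATION=168h
JWT_SESSION_DURATION=24h
JWT_SESSION_CLEANUP_INTERVAL=1h

# Email (Mailgun)
# MAILGUN_API_KEY is a secret; leave it empty here and supply it from the
# secret store.
MAILGUN_API_KEY=
MAILGUN_DOMAIN=
MAILGUN_API_BASE=https://api.mailgun.net/v3
MAILGUN_FROM_EMAIL=noreply@maplefile.app
MAILGUN_FROM_NAME=MapleFile
MAILGUN_FRONTEND_URL=http://localhost:3000
# Placeholder address; replace with a monitored mailbox.
MAILGUN_MAINTENANCE_EMAIL=your@email_address.com
MAILGUN_FRONTEND_DOMAIN=127.0.0.1:3000
MAILGUN_BACKEND_DOMAIN=127.0.0.1:8000

# Observability
# NOTE(review): metrics and health endpoints tend to reveal internal state;
# confirm that port 9090 is only reachable from the monitoring network and
# not published alongside SERVER_PORT.
OBSERVABILITY_ENABLED=true
OBSERVABILITY_PORT=9090
OBSERVABILITY_HEALTH_TIMEOUT=5s
OBSERVABILITY_METRICS_ENABLED=true
OBSERVABILITY_HEALTH_ENABLED=true
OBSERVABILITY_DETAILED_HEALTH=false

# Logging
LOG_LEVEL=info
LOG_FORMAT=json
LOG_STACKTRACE=false
LOG_CALLER=true

# Security
SECURITY_GEOLITE_DB_PATH=./data/GeoLite2-Country.mmdb
# NOTE(review): empty presumably means no country is blocked; the expected
# list format is not shown here - confirm against the config loader.
SECURITY_BANNED_COUNTRIES=
SECURITY_RATE_LIMIT_ENABLED=true
SECURITY_IP_BLOCK_ENABLED=true

# ============================================================================
# Leader Election Configuration
# ============================================================================
# Enable leader election for multi-instance deployments (load balancer)
# When enabled, only ONE instance becomes the leader and executes scheduled tasks
# Uses Redis for distributed coordination (no additional infrastructure needed)
# NOTE(review): presumably the leader renews its lock every heartbeat; if so,
# LEADER_ELECTION_HEARTBEAT_INTERVAL must stay well below
# LEADER_ELECTION_LOCK_TTL or the lock can expire between renewals - confirm.
LEADER_ELECTION_ENABLED=true
LEADER_ELECTION_LOCK_TTL=10s
LEADER_ELECTION_HEARTBEAT_INTERVAL=3s
LEADER_ELECTION_RETRY_INTERVAL=2s

# ============================================================================
# Invite Email Configuration
# ============================================================================
# Maximum invitation emails a user can send per day to non-registered users
# Conservative limit to protect email domain reputation
MAPLEFILE_INVITE_MAX_EMAILS_PER_DAY=3

# ============================================================================
# Login Rate Limiting Configuration
# ============================================================================
# Controls brute-force protection for login attempts
# IP-based: Limits total login attempts from a single IP address
# Account-based: Limits failed attempts per account before lockout
#
# Development: More lenient limits (50 attempts per IP)
# Production: Consider stricter limits (10-20 attempts per IP)
LOGIN_RATE_LIMIT_MAX_ATTEMPTS_PER_IP=50
LOGIN_RATE_LIMIT_IP_WINDOW=15m
LOGIN_RATE_LIMIT_MAX_FAILED_PER_ACCOUNT=10
LOGIN_RATE_LIMIT_LOCKOUT_DURATION=30m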