# App
NODE_ENV=development
PORT=8080
CORS_ORIGIN=http://localhost:5173
CORS_ORIGINS=http://localhost:5173,http://127.0.0.1:5173,https://skymoneybudget.com
AUTH_DISABLED=false
ALLOW_INSECURE_AUTH_FOR_DEV=false
SEED_DEFAULT_BUDGET=false
ROLLOVER_SCHEDULE_CRON=0 6 * * *
APP_ORIGIN=http://localhost:5173

# Database (app runtime)
POSTGRES_DB=skymoney
POSTGRES_USER=skymoney_app
POSTGRES_PASSWORD=change-me
DATABASE_URL=postgres://skymoney_app:change-me@postgres:5432/skymoney

# Database (backup/restore on host)
BACKUP_DATABASE_URL=postgres://skymoney_app:change-me@127.0.0.1:5432/skymoney
RESTORE_DATABASE_URL=postgres://skymoney_app:change-me@127.0.0.1:5432/skymoney_restore_test
ADMIN_DATABASE_URL=postgres://postgres:change-me@127.0.0.1:5432/postgres
TEST_DATABASE_URL=postgres://skymoney_app:change-me@127.0.0.1:5432/skymoney_test
EXPECTED_PROD_DB_HOST=postgres
EXPECTED_PROD_DB_NAME=skymoney
EXPECTED_BACKUP_DB_HOST=127.0.0.1
EXPECTED_BACKUP_DB_NAME=skymoney
PROTECTED_DB_NAMES=skymoney,postgres,template0,template1
REQUIRE_TEST_DB_NAME=1
PROD_DB_VOLUME_NAME=skymoney_pgdata
ALLOW_EMPTY_PROD_VOLUME=0
ARCHIVE_EXISTING_RESTORE_DB=1
RESTORE_ARCHIVE_DIR=./backups/restore-archives

# Auth secrets (min 32 chars)
JWT_SECRET=replace-with-32+-chars
JWT_ISSUER=skymoney-api
JWT_AUDIENCE=skymoney-web
COOKIE_SECRET=replace-with-32+-chars
# Leave unset for local development. Set for production (example: skymoneybudget.com).
# COOKIE_DOMAIN=skymoneybudget.com
EMAIL_VERIFY_DEV_CODE_EXPOSE=false
BREAK_GLASS_VERIFY_ENABLED=false
BREAK_GLASS_VERIFY_CODE=replace-with-very-long-secret-32+-chars
UNDER_CONSTRUCTION_ENABLED=false
AUTH_MAX_FAILED_ATTEMPTS=5
AUTH_LOCKOUT_WINDOW_MS=900000
PASSWORD_RESET_TTL_MINUTES=30
PASSWORD_RESET_RATE_LIMIT_PER_MINUTE=5
PASSWORD_RESET_CONFIRM_RATE_LIMIT_PER_MINUTE=10
UPDATE_NOTICE_VERSION=3
UPDATE_NOTICE_TITLE=SkyMoney Update
UPDATE_NOTICE_BODY=We shipped account security improvements, including a new password reset flow and stronger session protections.

# Email (verification + delete confirmation)
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_REQUIRE_TLS=true
SMTP_TLS_REJECT_UNAUTHORIZED=true
SMTP_USER=apikey-or-username
SMTP_PASS=change-me
EMAIL_FROM=SkyMoney <support@skymoneybudget.com>
EMAIL_BOUNCE_FROM=bounces@skymoneybudget.com
EMAIL_REPLY_TO=support@skymoneybudget.com