.env.example

# Backend API URL (used by the frontend to connect to the Express server)
VITE_API_URL=http://localhost:3000

# Deployment base path
# Cloudflare / local dev: / (default — no need to set this)
# GitHub Pages: /global-anti-ccp-resistance-hub/ (set automatically in deploy.yml)
# Override manually if needed:
# VITE_BASE_PATH=/

# Site URL (used for OG tags, sitemap, robots.txt)
# Update when deploying to custom domain
VITE_SITE_URL=https://stan2032.github.io/global-anti-ccp-resistance-hub

# ─── Supabase ────────────────────────────────────────────────────────
# Get these from: Supabase Dashboard → Settings → API
#
# ⚠️  IMPORTANT: Use the "anon / public" key — NOT the "service_role / secret" key!
#     The service_role key bypasses Row Level Security and must NEVER be in client code.
#     If you use the wrong key you'll get: "Forbidden use of secret API key in browser"
#
# The anon key is safe to expose in client code (RLS protects your data).
# Leave blank to run the site in static-only mode (no database).
VITE_SUPABASE_URL=https://YOUR_PROJECT_ID.supabase.co
VITE_SUPABASE_ANON_KEY=your-anon-public-key-here

# ─── Client-Side Encryption (optional, recommended) ─────────────────
# RSA public key in JWK format, base64-encoded.
# When set, PII fields (emails, names, messages) are encrypted in the
# browser BEFORE being sent to Supabase. Only the admin with the
# corresponding private key can decrypt submissions.
# Generate keys: See BACKEND_GUIDE.md for instructions.
# Leave blank to store data unencrypted (Supabase still encrypts at rest).
VITE_ENCRYPTION_PUBLIC_KEY=

# ─── Web Push Notifications (optional) ───────────────────────────────
# VAPID public key for Web Push API.
# Generate with: npx web-push generate-vapid-keys --json
# The public key goes here; the private key goes in Cloudflare Workers secrets.
# Leave blank to disable push notification subscriptions.
# See guides/WEB_PUSH_SETUP.md for full setup instructions.
VITE_VAPID_PUBLIC_KEY=