.env.example

# Backend Environment Variables
PORT=8000
NODE_ENV=production
# Database provider: sqlite or postgresql
DATABASE_PROVIDER=sqlite
DATABASE_URL=file:/app/prisma/dev.db
FRONTEND_URL=http://localhost:6767
# Keep disabled unless traffic always comes through a trusted reverse proxy.
TRUST_PROXY=false
AUTH_MODE=local
JWT_SECRET=change-this-secret-in-production-min-32-chars
CSRF_SECRET=change-this-secret-in-production

# Optional Feature Flags
# Set to "true" or "1" to enable:
# ENABLE_PASSWORD_RESET=false
# ENABLE_REFRESH_TOKEN_ROTATION=true
# ENABLE_AUDIT_LOGGING=false

# Migration control
# For SQLite in Kubernetes, prefer running migrations once via a Job/init container
# and set RUN_MIGRATIONS=false on the main Deployment to avoid concurrent migrates.
# RUN_MIGRATIONS=true
# MIGRATION_LOCK_TIMEOUT_SECONDS=120

# Upgrade safety
# If true, disables the production onboarding gate that blocks API usage until
# "Choose Authentication Mode" is completed. Not recommended.
# DISABLE_ONBOARDING_GATE=true

# Update notifier (GitHub release checks)
# If false, disables outbound requests to the GitHub API (update checks will be unavailable).
# UPDATE_CHECK_OUTBOUND=true
# Optional GitHub token to increase API rate limits (public repo scopes are fine).
# UPDATE_CHECK_GITHUB_TOKEN=

# One-time bootstrap setup code (first admin registration)
# BOOTSTRAP_SETUP_CODE_TTL_MS=900000
# BOOTSTRAP_SETUP_CODE_MAX_ATTEMPTS=10

# OIDC Configuration (required when AUTH_MODE=hybrid or AUTH_MODE=oidc_enforced)
# OIDC_PROVIDER_NAME=Authentik
# OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret
# OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
# OIDC_SCOPES=openid profile email
# OIDC_EMAIL_CLAIM=email
# OIDC_EMAIL_VERIFIED_CLAIM=email_verified
# OIDC_REQUIRE_EMAIL_VERIFIED=true
# OIDC_JIT_PROVISIONING=true
# OIDC_FIRST_USER_ADMIN=true