.env.production.template
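# PRODUCTION ENVIRONMENT CONFIGURATION
# Copy this file to .env.production and fill in all required secrets
# NEVER commit .env.production to version control
# ============================================================================
# CRITICAL: Generate strong secrets before deploying
# Run: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# Or: openssl rand -hex 32
#
# Generate every secret separately; do not reuse one value for two variables.
#
# The GENERATE hints sit on their own line above each variable on purpose.
# Not every env-file loader strips a trailing "# ..." comment (for example,
# `docker run --env-file` keeps a mid-line "#" as part of the value), so an
# inline hint next to an unfilled secret can become that secret's value:
# non-empty, identical on every deployment, and readable in this template.
# ============================================================================
# Database (REQUIRED)
# DATABASE_URL repeats the POSTGRES_* credentials; keep the two in sync.
# The password inside the URL must be percent-encoded: base64 output can
# contain "/", "+" and "=", which are not safe in the userinfo part of a URL.
# Using `openssl rand -hex 32` for this password avoids the encoding step.
# NOTE(review): no TLS parameter is set on the URL; if the driver is
# libpq-based, append e.g. ?sslmode=verify-full - confirm against the client.
DATABASE_URL=postgresql://USER:PASSWORD@HOST:5432/wildfire_ops
POSTGRES_HOST=
POSTGRES_PORT=5432
POSTGRES_DB=wildfire_ops
POSTGRES_USER=
# GENERATE: openssl rand -base64 32
POSTGRES_PASSWORD=
# Redis (REQUIRED)
REDIS_HOST=
REDIS_PORT=6379
# GENERATE: openssl rand -base64 32
REDIS_PASSWORD=
# MQTT (REQUIRED)
# NOTE(review): 1883 is the conventional plaintext MQTT port, so
# MQTT_USERNAME/MQTT_PASSWORD and all alert traffic cross the network
# unencrypted unless the link is protected some other way. The TLS convention
# is port 8883 with an mqtts:// URL - confirm what the broker listener offers.
MQTT_BROKER=
MQTT_PORT=1883
MQTT_USERNAME=
# GENERATE: openssl rand -base64 32
MQTT_PASSWORD=
# NOTE(review): "admin" is an easily guessed account name; a deployment-specific
# name is preferable if the broker dashboard is reachable beyond localhost.
EMQX_USERNAME=admin
# GENERATE: openssl rand -base64 32
EMQX_PASSWORD=
# API Gateway (REQUIRED)
# 0.0.0.0 listens on every interface. Make sure ports 8000 and 50051 are only
# reachable through the intended reverse proxy / firewall rules.
API_GATEWAY_HOST=0.0.0.0
API_GATEWAY_PORT=8000
GRPC_PORT=50051
# Console (REQUIRED)
# Next.js inlines every NEXT_PUBLIC_* value into the browser bundle.
# Only public endpoints belong here; never give a secret this prefix.
NEXT_PUBLIC_API_URL=https://api.yourdomain.com
NEXT_PUBLIC_MQTT_WS_URL=wss://mqtt.yourdomain.com/mqtt
# Authentication & Security (REQUIRED)
# Four independent values: JWT_SECRET and JWT_REFRESH_SECRET in particular
# must differ from each other.
# GENERATE: openssl rand -hex 32
SECRET_KEY=
# GENERATE: openssl rand -hex 32
JWT_SECRET=
# GENERATE: openssl rand -hex 32
JWT_REFRESH_SECRET=
# GENERATE: openssl rand -hex 32
ENCRYPTION_KEY=
# CORS & Security (REQUIRED)
# Comma-separated list of allowed origins
ALLOWED_ORIGINS=https://console.yourdomain.com,https://admin.yourdomain.com
# Comma-separated list of allowed hosts (DO NOT USE *)
ALLOWED_HOSTS=api.yourdomain.com,yourdomain.com
# External Integrations (OPTIONAL but recommended)
# These credentials are issued by the third party, not generated locally.
# Request the narrowest scope each integration needs and use https:// URLs.
ARCGIS_URL=
ARCGIS_TOKEN=
CAD_WEBHOOK_URL=
TWILIO_ACCOUNT_SID=
TWILIO_AUTH_TOKEN=
SES_ACCESS_KEY=
SES_SECRET_KEY=
# Summit.OS Integration (REQUIRED for mission dispatch)
SUMMIT_API_URL=
# GENERATE: openssl rand -hex 32
SUMMIT_API_KEY=
# GENERATE: openssl rand -hex 32
SUMMIT_WEBHOOK_SECRET=
# Monitoring & Observability (OPTIONAL)
LOG_LEVEL=INFO
OTEL_ENDPOINT=
# GENERATE: openssl rand -base64 24
PROMETHEUS_PASSWORD=
# GENERATE: openssl rand -base64 24
GRAFANA_ADMIN_PASSWORD=
ALERT_WEBHOOK_URL=
SMTP_PASSWORD=
# Cloud Infrastructure (if using AWS/Azure)
# Static access keys in a file are long-lived; where the platform supports it,
# prefer an instance/workload role and leave the *_ACCESS_KEY/*_SECRET_KEY
# variables empty. Otherwise restrict the key to the backup bucket only.
AWS_REGION=us-west-2
AWS_ACCOUNT_ID=
S3_BUCKET_BACKUPS=wildfire-ops-backups
S3_ACCESS_KEY=
S3_SECRET_KEY=
AZURE_STORAGE_KEY=
# Emergency Contacts (REQUIRED)
# GENERATE: openssl rand -hex 32
EMERGENCY_NOTIFICATION_KEY=
SMS_API_KEY=
# Environment
NODE_ENV=production
PYTHONPATH=/app
# Mission Dispatcher Configuration
# NOTE(review): "MQTT_BROKER" in the URL below looks like a placeholder, not a
# variable reference; replace it with the broker host. mqtt:// on 1883 is the
# plaintext scheme (see the MQTT section above).
MQTT_URL=mqtt://MQTT_BROKER:1883
ALERTS_TOPIC=wildfire/alerts
TRIANGULATION_TOPIC=wildfire/triangulations
DISPATCHER_MISSIONS_TOPIC=missions/updates
TRIANGULATE_PORT=8101
PREDICT_PORT=8102
DISPATCHER_MIN_CONFIDENCE=0.8
# NOTE(review): presumably gates dispatch on an operator confirmation; verify
# what it controls before changing it from "true".
DISPATCHER_REQUIRE_CONFIRM=true
DISPATCHER_ASSETS=drone-001,drone-002,drone-003
DISPATCHER_LOITER_RADIUS_M=200
DISPATCHER_ALT_M=120
# Policy Gates
# The model file is read from disk at this path; deploy it read-only and check
# its hash against the released artifact.
SENTRY_MODEL_PATH=/app/models/smoke_detection.onnx
SENTRY_CONF_THRESHOLD=0.80
SENTRY_NMS_THRESHOLD=0.45
SENTRY_FRAME_STRIDE=3
# NOTE(review): -180,-90,180,90 reads as min_lon,min_lat,max_lon,max_lat
# (confirm the order) and covers the whole globe, so as shipped the geofence
# gate excludes nothing. Set it to the actual operating area.
GEOFENCE_BBOX=-180,-90,180,90
WX_MAX_WIND_MPS=12
WX_MIN_VIS_KM=1
# ============================================================================
# DEPLOYMENT CHECKLIST
# ============================================================================
# [ ] All REQUIRED fields filled
# [ ] All secrets generated using crypto-secure method
# [ ] No two secrets share a value; no value is left as template text
# [ ] ALLOWED_ORIGINS set to actual production domains
# [ ] ALLOWED_HOSTS does NOT contain "*"
# [ ] DATABASE_URL uses strong password (percent-encoded where needed)
# [ ] Database and MQTT connections use TLS, or the plaintext link is isolated
# [ ] GEOFENCE_BBOX restricted to the operating area
# [ ] File permissions set to 0600 (chmod 600 .env.production)
# [ ] File NOT committed to git
# [ ] Secrets stored in vault/secrets manager (recommended)
# ============================================================================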