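# Example environment file. The values below are local-development defaults.
# Replace every credential before the service is reachable by anyone else, and
# keep the filled-in copy out of version control.

# Core
# DB_PASSWORD is substituted into DATABASE_URL below; this only works when the
# loader expands ${VAR} references (TODO confirm for your setup).
# Use a unique password outside local development. Characters such as @ : / ?
# would have to be percent-encoded inside the URL, so a hex value
# (openssl rand -hex 24) is the simplest choice.
DB_PASSWORD=mastermind
DATABASE_URL=postgres://mastermind:${DB_PASSWORD}@db:5432/mastermind

# Public base URL (set to https://... when live)
BASE_URL=http://localhost:3005

# REQUIRED in production (>=24 chars). Generate with: openssl rand -base64 48
# NOTE(review): the placeholder below is itself longer than 24 characters, so a
# length-only check would accept it. Replace it before going live; anyone who
# knows the session secret can presumably forge session cookies.
SESSION_SECRET=change-this-to-a-long-random-string

# If running behind a reverse proxy (Traefik/Nginx/Caddy), enable this so
# req.ip and secure cookies work.
# Set to false when the app is reached directly: with proxy trust on and no
# proxy rewriting the forwarding headers, clients can supply those headers
# themselves, and req.ip (logs, rate limits, IP allow-lists) reflects whatever
# they send.
TRUST_PROXY=true

# If public site is HTTPS, set COOKIE_SECURE=true (or just make BASE_URL https://...)
# false lets the session cookie travel over plain HTTP; keep it only for
# http://localhost development.
COOKIE_SECURE=false

# One-time bootstrap local owner (only used if there are no local identities yet)
# These defaults are publicly known. Set a unique email and a strong password
# before the first start of any reachable instance, and change the owner
# password after the first login.
BOOTSTRAP_OWNER_EMAIL=owner@local
BOOTSTRAP_OWNER_PASSWORD=owner

# Google OAuth (optional)
# Client secrets are credentials: supply them through the deployment's secret
# store or an untracked env file, never a committed copy of this file.
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=

# Microsoft OAuth (optional)
MICROSOFT_CLIENT_ID=
MICROSOFT_CLIENT_SECRET=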