.env.example

# ==============================================
# SERVER-ONLY VARIABLES (NOT exposed to client)
# ==============================================

# Authentication secrets (server-side only)
# Generate with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
AUTH_SECRET=your_random_secret_for_jwt_signing

# Encryption key for token storage (32 bytes, base64)
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
ENCRYPTION_KEY=__REPLACE_WITH_32_BYTE_BASE64_KEY__

# MongoDB URI for persistent token storage (optional - falls back to in-memory)
MONGODB_URI=mongodb://localhost:27017
MONGODB_DB=genbooth

# ==============================================
# AI API KEYS (Server-side only for security)
# ==============================================
# These can be configured per-user via the UI, or set globally here
GOOGLE_API_KEY=your_google_api_key_here
GEMINI_API_KEY=your_gemini_api_key_here
OPENAI_API_KEY=your_openai_api_key_here
CLAUDE_API_KEY=your_claude_api_key_here

# Meshy AI (for 3D character auto-rigging in CharacterLab)
# Get your API key at: https://www.meshy.ai/
# Test mode key (instant completions, no credits): msy_dummy_api_key_for_test_mode_12345678
MESHY_API_KEY=your_meshy_api_key_here

# ==============================================
# LOCAL-FIRST MODE CONFIGURATION
# ==============================================
# Master switch for local-first operation
# When enabled, the system will prefer local Tier 3 services (MLX, RAG) over cloud APIs
# Default: false (uses cloud providers like Gemini/OpenAI)
LOCAL_MODE=false

# Use local MLX server instead of cloud LLM providers (Gemini, OpenAI, Claude)
# Requires mlx-openai-server-lab running at MLX_URL (default: http://localhost:8080)
# Default: false (uses GOOGLE_API_KEY/GEMINI_API_KEY for chat completions)
PREFER_LOCAL_LLM=false

# Use local MLX embeddings instead of cloud embedding providers
# Requires mlx-openai-server-lab running with embedding model loaded
# Default: false (uses Gemini text-embedding-004 via GOOGLE_API_KEY)
PREFER_LOCAL_EMBEDDINGS=false

# Use local RAG provider for semantic search instead of in-memory search
# Requires mlx-rag-lab running at RAG_URL (default: http://localhost:8090)
# Default: false (uses in-memory MongoDB cosine similarity search)
PREFER_LOCAL_RAG=false

# Fall back to cloud providers when local services are unreachable
# When true: If MLX/RAG servers are down, automatically fall back to Gemini/OpenAI
# When false: Return error if local services unavailable (recommended for testing)
# Default: false (fail fast to catch configuration issues)
FALLBACK_TO_CLOUD=false

# Tier 3 service URLs (local compute fabric)
# MLX Server (LLM + Embeddings) - OpenAI-compatible API
# Default port: 8000 (as used in mlx-openai-server-lab)

# RAG Server (Vector DB + Semantic Search) - Custom RAG API
# Default port: 5100 (as used in mlx-rag-lab)

# Smart Campus Server (Room & Entity Context) - Custom API
# Provides spatial and IoT context for campus-aware AI prompts
# Default port: 5200 (as used in Smart Campus service)
SMART_CAMPUS_URL=http://localhost:5200

# ==============================================
# OAUTH PROVIDER CREDENTIALS
# ==============================================
# Server-side: Client secrets (NEVER commit real values)
# Client-side: Client IDs (safe to expose via VITE_ prefix)

# Google OAuth (for login + Google services: Drive, Photos, Calendar, Gmail)
# Redirect URIs: http://localhost:8081/api/services/{googleDrive,googlePhotos,googleCalendar,gmail}/callback
GOOGLE_CLIENT_ID=__REPLACE_WITH_YOUR_GOOGLE_CLIENT_ID__
GOOGLE_CLIENT_SECRET=__REPLACE_WITH_YOUR_GOOGLE_CLIENT_SECRET__
VITE_GOOGLE_CLIENT_ID=__REPLACE_WITH_YOUR_GOOGLE_CLIENT_ID__

# GitHub OAuth
# Redirect URI: http://localhost:8081/api/services/github/callback
GITHUB_CLIENT_ID=__REPLACE_WITH_YOUR_GITHUB_CLIENT_ID__
GITHUB_CLIENT_SECRET=__REPLACE_WITH_YOUR_GITHUB_CLIENT_SECRET__
VITE_GITHUB_CLIENT_ID=__REPLACE_WITH_YOUR_GITHUB_CLIENT_ID__

# Notion OAuth
# Redirect URI: http://localhost:8081/api/services/notion/callback
NOTION_CLIENT_ID=__REPLACE_WITH_YOUR_NOTION_CLIENT_ID__
NOTION_CLIENT_SECRET=__REPLACE_WITH_YOUR_NOTION_CLIENT_SECRET__
VITE_NOTION_CLIENT_ID=__REPLACE_WITH_YOUR_NOTION_CLIENT_ID__

# Figma OAuth
# Redirect URI: http://localhost:8081/api/services/figma/callback
FIGMA_CLIENT_ID=__REPLACE_WITH_YOUR_FIGMA_CLIENT_ID__
FIGMA_CLIENT_SECRET=__REPLACE_WITH_YOUR_FIGMA_CLIENT_SECRET__
VITE_FIGMA_CLIENT_ID=__REPLACE_WITH_YOUR_FIGMA_CLIENT_ID__

# ==============================================
# CLIENT-SAFE VARIABLES (exposed to frontend via VITE_)
# ==============================================

# Application Configuration
VITE_API_BASE_URL=http://localhost:8081
VITE_APP_NAME=GenBooth Idea Lab
VITE_APP_VERSION=1.0.0

# Environment-specific settings
VITE_NODE_ENV=development
VITE_ENABLE_DEBUG=true

# ==============================================
# SERVER CONFIGURATION
# ==============================================
PORT=8081
NODE_ENV=development

# Base URLs (used for OAuth redirect URIs)
# In production, set DOMAIN to your public domain
DOMAIN=
BACKEND_URL=
FRONTEND_URL=http://localhost:3000

# CORS origin (defaults to FRONTEND_URL if not set)
CLIENT_ORIGIN=http://localhost:3000

# ==============================================
# DEVELOPMENT-ONLY
# ==============================================
# Authentication
# ==============================================
# By default authentication is required. Set these to "false" only if you
# intentionally want to bypass auth with the demo user in local development.
# REQUIRE_AUTH=true
# VITE_REQUIRE_AUTH=true

# Disable authentication for local development/testing (requires REQUIRE_AUTH=false)
# WARNING: Only use this in development environments!
# When enabled, the app will use a default demo user instead of requiring Google OAuth
#
# Option 1 (legacy): Set to "1"
# AUTH_BYPASS=1
# VITE_AUTH_BYPASS=1
#
# Option 2 (new): Set to "true"
# DISABLE_AUTH=true
# VITE_DISABLE_AUTH=true
#
# Both options work and can be used interchangeably

# ==============================================
# AWS S3 STORAGE (Character Lab 3D Models)
# ==============================================
# AWS S3 is used for scalable storage of rigged 3D character models
# Sign up: https://aws.amazon.com/s3/
# Create bucket: https://s3.console.aws.amazon.com/s3/bucket/create
# Create IAM user: https://console.aws.amazon.com/iam/home#/users

AWS_ACCESS_KEY_ID=your_aws_access_key_id_here
AWS_SECRET_ACCESS_KEY=your_aws_secret_access_key_here
AWS_REGION=eu-north-1
AWS_S3_BUCKET_NAME=your-s3-bucket-name-here

# Recommended S3 bucket settings:
# - Region: Choose closest to your users (eu-north-1 = Stockholm)
# - Public access: BLOCK (we use signed URLs for security)
# - Versioning: ENABLED (optional, for backup)
# - Lifecycle: Set to delete incomplete uploads after 7 days
# - CORS: Allow GET/HEAD from your domain for model-viewer

# Required IAM permissions for the AWS user:
# {
#   "Version": "2012-10-17",
#   "Statement": [
#     {
#       "Effect": "Allow",
#       "Action": [
#         "s3:PutObject",
#         "s3:GetObject",
#         "s3:DeleteObject",
#         "s3:ListBucket",
#         "s3:HeadObject"
#       ],
#       "Resource": [
#         "arn:aws:s3:::your-bucket-name/*",
#         "arn:aws:s3:::your-bucket-name"
#       ]
#     }
#   ]
# }

# S3 bucket CORS configuration (paste in Bucket > Permissions > CORS):
# [
#   {
#     "AllowedHeaders": ["*"],
#     "AllowedMethods": ["GET", "HEAD"],
#     "AllowedOrigins": ["http://localhost:3000", "https://yourdomain.com"],
#     "ExposeHeaders": ["ETag"],
#     "MaxAgeSeconds": 3000
#   }
# ]

# ==============================================
# DATABASE & STORAGE
# ==============================================
# MongoDB (for user data, module knowledge, conversations)
MONGODB_URI=mongodb://localhost:27017
MONGODB_DB=genbooth

# MLX Service Locations (Tier 3)
MLX_LLM_BASE_URL=http://localhost:8080
MLX_RAG_BASE_URL=http://localhost:8011
MLX_AUDIO_BASE_URL=http://localhost:7001