# ── Postgres ────────────────────────────────────────────────
POSTGRES_USER=shoplist
POSTGRES_PASSWORD=change_me_in_prod
POSTGRES_DB=shoplist

# ── Backend ─────────────────────────────────────────────────
# DATABASE_URL is built from the values above inside docker-compose.
DATABASE_URL=postgres://shoplist:change_me_in_prod@localhost:5432/shoplist
BACKEND_HOST=0.0.0.0
BACKEND_PORT=8080
# 64+ hex chars. Generate: openssl rand -hex 32
SESSION_SECRET=please_generate_a_long_random_secret_at_least_64_chars_xxxxxxxxxx
# Public URL of the frontend, used to build verification/reset links.
# Prod: https://consume.narl.io
PUBLIC_APP_URL=http://localhost:5173
# Comma-separated allowed CORS origins.
# Prod (same-origin behind Caddy): https://consume.narl.io
CORS_ORIGINS=http://localhost:5173
# Mark the session cookie Secure (HTTPS-only). Auto-on when PUBLIC_APP_URL is
# https; override here. Must be true in production, false for plain-http dev.
# COOKIE_SECURE=true

# ── SMTP (mail notifications + verification) ────────────────
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USERNAME=postmaster@example.com
SMTP_PASSWORD=change_me
SMTP_FROM="Shopping List <no-reply@example.com>"
# starttls | tls | none  (none = dev only)
SMTP_SECURITY=starttls

# ── Frontend ────────────────────────────────────────────────
# Base origin the browser uses to reach the backend (no trailing /api).
# Prod (same-origin behind Caddy): https://consume.narl.io
PUBLIC_API_BASE=http://localhost:8080