# ─── Required ───────────────────────────────────────────────────────────────
# PostgreSQL connection string
DATABASE_URL=postgres://forgebucket:password@localhost:5432/forgebucket?sslmode=disable

# Session cookie signing key — must be at least 32 characters
# Generate: openssl rand -hex 32
SESSION_SECRET=f54c1aac0320e75febc068d6f4c67daae1d7de97cf9e1f1027ccae25f85d3efb

# CSRF protection key — must be exactly 32 characters
# Generate: openssl rand -hex 16
CSRF_SECRET=a5458481e4903286e26f4332751a9446

# ─── Server ──────────────────────────────────────────────────────────────────
PORT=8080

# Absolute path where bare git repositories are stored on disk
REPO_ROOT=/tmp/forgebucket/repos

# NATS event bus (used for CI and real-time WebSocket push)
NATS_URL=nats://localhost:4222

# ─── Federation (ActivityPub) ─────────────────────────────────────────────────
# Public URL of this instance (no trailing slash)
INSTANCE_URL=https://forgebucket.asgardlabs.net
INSTANCE_NAME=ForgeBucket

# ─── OIDC / OAuth2 (optional) ────────────────────────────────────────────────
# OIDC_ISSUER=https://accounts.google.com
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=

# ─── Dev only ─────────────────────────────────────────────────────────────────
# Set to true to disable Secure cookies and enable verbose logging
DEBUG=true

# PEM-encoded ECDSA P-256 private key.  If empty, an ephemeral key is generated
# at startup (signatures will not survive restart).  Generate with:
#   openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
ARTIFACT_SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKGMjCu0NdczHQ7BRDeo0hTOLauF9vOenWl0HlyN4bzToAoGCCqGSM49
AwEHoUQDQgAE+VL1HhQ1us0QfNH+5Var8lo5Oww83B+QDQ2obzHL4JZl0UM3kVAB
SePwUlkfdW6u4a0KYMYf3Op6wsXTp0kA2g==
-----END EC PRIVATE KEY-----"

# ─── OCI Registry (Phase 4) ───────────────────────────────────────────────────
# Root directory for the OCI Distribution Spec blob and upload storage.
OCI_ROOT=/var/lib/forgebucket/oci