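# Example environment configuration. One assignment per line: when several
# assignments share a line, a dotenv-style parser reads everything up to the
# first " #" as the value of the first key and never sets the rest.
# Keep the filled-in copy of this file out of version control.

PORT=3000
# In development mode the CORS default is allow-all when ALLOWED_ORIGINS is
# unset (see the CORS note below). Use NODE_ENV=production for any instance
# that other people can reach.
NODE_ENV=development
DEBUG=false

# REQUIRED for production — generate with: openssl rand -hex 32
# The value below is a published placeholder, not a secret. Tokens signed with
# a known key can be produced by anyone, so every deployment needs its own
# random value, and changing it invalidates previously issued tokens.
# NOTE(review): confirm the application refuses to start while this
# placeholder is still in place.
JWT_SECRET=CHANGEME_GENERATE_WITH_openssl_rand_hex_32

# Timezone (defaults to system timezone)
# TZ=UTC

# CORS — comma-separated origins (leave unset for same-origin in production, allow-all in development)
# List exact origins (scheme + host + port).
# ALLOWED_ORIGINS=https://trek.example.com

# Force HTTPS redirect (set to true behind TLS-terminating proxy)
# NOTE(review): presumably relies on the proxy's forwarded-protocol header, in
# which case TRUST_PROXY must be set as well — confirm.
# FORCE_HTTPS=true

# Trust proxy (set to number of proxy hops, e.g. 1 for single reverse proxy)
# Use the exact hop count. A value that is too high makes the app believe
# forwarded headers (client IP, protocol) supplied by the client itself, which
# undermines IP-based logging and rate limiting.
# TRUST_PROXY=1

# Application URL (used for OIDC callback validation)
# Should be the externally reachable HTTPS URL and match the redirect URI
# registered with the identity provider.
# APP_URL=https://trek.example.com

# Demo mode (enables demo login, disables registration)
# Keep false on any instance that holds real user data.
# DEMO_MODE=false

# --- OIDC / SSO ---
# OIDC_ISSUER=https://auth.example.com
# OIDC_CLIENT_ID=
# Confidential value: supply it through the deployment's secret store or an
# untracked env file, never a committed one.
# OIDC_CLIENT_SECRET=
# OIDC_DISPLAY_NAME=SSO
# OIDC_ONLY=false
# NOTE(review): presumably a user whose OIDC_ADMIN_CLAIM contains
# OIDC_ADMIN_VALUE is granted admin rights — confirm, and make sure that claim
# is set only by the identity provider and is not user-editable.
# OIDC_ADMIN_CLAIM=groups
# OIDC_ADMIN_VALUE=app-trek-admins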