# ─── Port Nimara CRM — PROD environment template ─────────────────────────────
#
# Production env contains ONLY the boot-time minimum: DB connection, auth
# secrets, encryption key, app URL, log level. Every integration credential
# (Documenso, OpenAI, SMTP, S3) is configured per-port in the admin UI after
# the first super-admin completes /setup. This keeps secrets out of the
# infrastructure layer (k8s ConfigMap, .env files, deploy logs).
#
# Generate fresh secrets:
#   openssl rand -hex 32   # for BETTER_AUTH_SECRET, CSRF_SECRET
#   openssl rand -hex 32   # for EMAIL_CREDENTIAL_KEY (must be 64 hex chars)

# ─── Required ────────────────────────────────────────────────────────────────
DATABASE_URL=postgresql://USER:PASS@HOST:5432/port_nimara_crm
REDIS_URL=redis://:PASS@HOST:6379
BETTER_AUTH_SECRET=GENERATE_OPENSSL_RAND_HEX_32
BETTER_AUTH_URL=https://crm.example.com
CSRF_SECRET=GENERATE_OPENSSL_RAND_HEX_32
# CRITICAL: rotating this orphans every encrypted credential in
# system_settings. Plan a re-keying flow before rotating.
EMAIL_CREDENTIAL_KEY=GENERATE_OPENSSL_RAND_HEX_32_PRODUCES_64_CHARS
APP_URL=https://crm.example.com
NEXT_PUBLIC_APP_URL=https://crm.example.com
NODE_ENV=production
LOG_LEVEL=info

# ─── Multi-node guard ────────────────────────────────────────────────────────
# Set true if running > 1 app instance. Forces the storage backend off
# filesystem onto S3-compatible (filesystem mode is single-node only).
MULTI_NODE_DEPLOYMENT=true

# ─── Sentry (highly recommended in prod) ─────────────────────────────────────
NEXT_PUBLIC_SENTRY_DSN=https://YOUR_KEY@YOUR_PROJECT.ingest.sentry.io/PROJECT_ID
SENTRY_ENVIRONMENT=production
SENTRY_TRACES_SAMPLE_RATE=0.1

# ─── Webhook intake from marketing site (deployment-shared) ──────────────────
# Must match the marketing site's CRM_INTAKE_SECRET. Min 16 chars.
WEBSITE_INTAKE_SECRET=GENERATE_OPENSSL_RAND_HEX_16

# ─── DO NOT SET in production ────────────────────────────────────────────────
# EMAIL_REDIRECT_TO   — Will fail boot validation (silently rewrites every
#                       outbound email recipient).
# SKIP_ENV_VALIDATION — Bypasses safety checks. Internal use only.

# ─── Integration credentials live in /admin/, NOT here ──────────
# Once deployed:
#   1. Run `pnpm exec drizzle-kit push` (or your migration script)
#   2. Hit https://crm.example.com/setup to create the first super-admin
#   3. Log in → /admin/documenso, /admin/email, /admin/storage, /admin/ai
#   4. Configure each integration. AES-encrypted at rest.
#   5. Run `pnpm tsx scripts/encrypt-plaintext-credentials.ts` once to encrypt
#      any legacy plaintext rows from older deployments.
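The boot-time validation the template comments describe, written out as an added example (not the Port Nimara CRM's own code): it parses a .env file, requires the listed keys, enforces the 64-hex-char key, the 16-char intake minimum and the EMAIL_REDIRECT_TO ban in production. The function names, the sample env and the rejection of untouched GENERATE_ placeholders are assumptions of this example.

```typescript
type Env = Record<string, string | undefined>;

// Keys the template lists under "Required".
const REQUIRED = [
  "DATABASE_URL", "REDIS_URL", "BETTER_AUTH_SECRET", "BETTER_AUTH_URL",
  "CSRF_SECRET", "EMAIL_CREDENTIAL_KEY", "APP_URL", "NEXT_PUBLIC_APP_URL",
  "NODE_ENV", "LOG_LEVEL",
];

// Minimal .env parser: skips blank lines and # comments, splits on the first "=".
function parseDotenv(text: string): Env {
  const env: Env = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Returns the list of problems; an empty list means the env passes boot validation.
function validateProdEnv(env: Env): string[] {
  const problems: string[] = [];
  for (const key of REQUIRED) {
    const value = env[key];
    if (!value) problems.push(`${key} is missing`);
    // Assumption: a value still starting with GENERATE_ is an unfilled template placeholder.
    else if (value.startsWith("GENERATE_")) problems.push(`${key} still holds the template placeholder`);
  }
  // The AES key must be exactly 32 bytes, i.e. 64 hex characters.
  const key = env.EMAIL_CREDENTIAL_KEY ?? "";
  if (key && !/^[0-9a-fA-F]{64}$/.test(key)) problems.push("EMAIL_CREDENTIAL_KEY must be 64 hex chars");
  // Optional, but when present it must be at least 16 chars (shared with the marketing site).
  const intake = env.WEBSITE_INTAKE_SECRET;
  if (intake !== undefined && intake.length < 16) problems.push("WEBSITE_INTAKE_SECRET must be at least 16 chars");
  // EMAIL_REDIRECT_TO rewrites every outbound recipient; refuse to boot with it in production.
  if (env.NODE_ENV === "production" && env.EMAIL_REDIRECT_TO) problems.push("EMAIL_REDIRECT_TO must not be set in production");
  return problems;
}

// Constructed sample env (not real credentials) with three deliberate defects.
const SAMPLE_BAD_ENV = `
DATABASE_URL=postgresql://u:p@db:5432/port_nimara_crm
REDIS_URL=redis://:p@redis:6379
BETTER_AUTH_SECRET=${"ab".repeat(32)}
BETTER_AUTH_URL=https://crm.example.com
CSRF_SECRET=${"cd".repeat(32)}
EMAIL_CREDENTIAL_KEY=deadbeef
APP_URL=https://crm.example.com
NEXT_PUBLIC_APP_URL=https://crm.example.com
NODE_ENV=production
LOG_LEVEL=info
EMAIL_REDIRECT_TO=qa@example.com
WEBSITE_INTAKE_SECRET=short
`;
```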