# Bridge service — variables d'environnement
# Copier vers .env et remplir avec valeurs reelles.

# Server
NODE_ENV=development
PORT=4000
LOG_LEVEL=debug

# Baserow API
BASEROW_API_URL=http://baserow:80/api
BASEROW_API_TOKEN=

# Docmost API
DOCMOST_API_URL=http://docmost:3000/api
DOCMOST_API_TOKEN=

# Redis (cache + idempotence webhooks + lookup Personne)
REDIS_URL=redis://docmost-redis:6379

# Webhooks Baserow signature secret (HMAC-SHA256, header X-Baserow-Signature)
BASEROW_WEBHOOK_SECRET=

# Webhooks Docmost signature secret (HMAC-SHA256, header X-Docmost-Signature)
# Stub Bloc 7b — handlers metier viennent en Bloc 8 (Tiptap node-views)
DOCMOST_WEBHOOK_SECRET=

# Auth tokens bridge — JSON serialise (Phase 2 simple)
# Format: [{"token":"brg_xxx","name":"label","scopes":["read:personnes",...]}]
# Phase 3 : migration vers DB dediee
BRIDGE_API_TOKENS=

# Authentik OIDC (optional — laisse vide pour mode local-only avec service tokens)
# Active uniquement si AUTHENTIK_ISSUER + AUTHENTIK_JWKS_URI + AUTHENTIK_AUDIENCE sont set.
# AUTHENTIK_ISSUER=https://auth.acadenice.com/application/o/formation-hub/
# AUTHENTIK_JWKS_URI=https://auth.acadenice.com/application/o/formation-hub/jwks/
# AUTHENTIK_AUDIENCE=formation-hub-bridge
# AUTH_GROUPS_SCOPES_MAP={"formation-hub-formateurs":["formation:read","intervention:write"],"formation-hub-admins":["admin:*"]}
# AUTH_STRICT_MAPPING=true   # false -> autorise les emails OIDC sans Personne (scopes des groups uniquement)

# Rate limiting (par token + endpoint)
RATE_LIMIT_READ_PER_MIN=600
RATE_LIMIT_WRITE_PER_MIN=60
RATE_LIMIT_WEBHOOK_PER_MIN=1000