# claudemesh — production env template
# Copy to .env.production and fill in real values. NEVER commit .env.production.
# Generate secrets with: openssl rand -base64 32

# ── Database (managed by Coolify or external) ────────────────────────────────
DATABASE_URL=postgres://claudemesh:CHANGE_ME@db:5432/claudemesh

# ── Broker ───────────────────────────────────────────────────────────────────
BROKER_PORT=7900
STATUS_TTL_SECONDS=60
HOOK_FRESH_WINDOW_SECONDS=30
# Hardening caps (see apps/broker/DEPLOY_SPEC.md)
MAX_CONNECTIONS_PER_MESH=100
MAX_MESSAGE_BYTES=65536
HOOK_RATE_LIMIT_PER_MIN=30

# ── Auth (BetterAuth) ────────────────────────────────────────────────────────
BETTER_AUTH_SECRET=CHANGE_ME_openssl_rand_base64_32
BETTER_AUTH_URL=https://claudemesh.com
BETTER_AUTH_TRUSTED_ORIGINS=https://claudemesh.com,https://dashboard.claudemesh.com,https://ic.claudemesh.com

# ── OAuth providers ──────────────────────────────────────────────────────────
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=

# ── Image refs (set by CI/CD after docker push) ──────────────────────────────
BROKER_IMAGE=registry.claudemesh.com/claudemesh/broker:latest
WEB_IMAGE=registry.claudemesh.com/claudemesh/web:latest