# --- Required ---

# Secret used by Auth.js to sign session JWTs. Generate with:
#   openssl rand -base64 32
AUTH_SECRET=change-me-please

# Public URL of the portal. In dev this is the Caddy-served URL.
NEXTAUTH_URL=https://ai.klas.chat

# --- Dev access (Credentials provider) ---
# Single-password gate used while Microsoft Entra is not yet provisioned.
# Leave empty in production to disable the password fallback.
DEV_PORTAL_PASSWORD=

# --- Microsoft Entra ID (production) ---
# Fill these once an admin provisions an app registration in Entra.
# Leaving them empty hides the "Continue with Microsoft" button.
AUTH_MICROSOFT_ENTRA_ID_ID=
AUTH_MICROSOFT_ENTRA_ID_SECRET=
# Tenant-specific issuer, e.g. https://login.microsoftonline.com/<tenant-id>/v2.0
AUTH_MICROSOFT_ENTRA_ID_ISSUER=

# --- Langfuse (optional, only when you uncomment the langfuse services) ---
# LANGFUSE_DB_PASSWORD=
# LANGFUSE_NEXTAUTH_SECRET=
# LANGFUSE_SALT=