# HarborForge Backend Environment Variables (v0.4.0+ — wizard removed)

# --- Database (used by both the mysql container and the backend) -----------
MYSQL_ROOT_PASSWORD=harborforge_root
MYSQL_DATABASE=harborforge
MYSQL_USER=harborforge
MYSQL_PASSWORD=harborforge_pass
# Full DSN used by the backend container. Default points to a service
# named "mysql" on the same docker network. Override if your DB is elsewhere.
DATABASE_URL=mysql+pymysql://harborforge:harborforge_pass@mysql:3306/harborforge

# --- Application ----------------------------------------------------------
# Must be 32+ chars and not a placeholder; use: openssl rand -hex 32
SECRET_KEY=change-me-use-openssl-rand-hex-32
LOG_LEVEL=INFO

# When true: password login is disabled, all sign-in goes through OIDC,
# user creation ignores any password (passwordless users that can only
# authenticate via OIDC binding or API keys). Frontend hides password UI.
HARBORFORGE_OIDC_ONLY=false

# --- Discord wakeup (optional; previously in wizard config) ---------------
# Used by /agents/{id}/wakeup to spin a private Discord channel + DM.
HARBORFORGE_DISCORD_GUILD_ID=
HARBORFORGE_DISCORD_BOT_TOKEN=

# --- OIDC issuer / client_id / client_secret / redirect_uri ---------------
# NOT env vars in v0.4.0+. Configure via:
#   docker exec hf-backend hf-cli config oidc \
#     --issuer https://login.example.com/realms/foo \
#     --client-id harborforge --client-secret <s> \
#     --redirect-uri https://hf-api.example.com/auth/oidc/callback \
#     --post-login-redirect https://hf.example.com/oidc/callback \
#     --enabled true