.env.example

###### REQUIRED ######

ENVIRONMENT='development'

# Orthogonal to ENVIRONMENT. Use to distinguish deployments that behave like prod but need minor logic
# differences (e.g. staging). Defaults to 'production'. Values: 'development' | 'staging' | 'production'.
# STAGE='production'

# SFDC API VERSION TO USE
NX_SFDC_API_VERSION='63.0'

# trace, debug (default), info, warn, error, fatal, silent
LOG_LEVEL='trace'

# If true, will print out logs in a more human readable format instead of JSON (only in dev mode)
PRETTY_LOGS='true'

# Default value for email two-factor authentication for new users
JETSTREAM_AUTH_2FA_EMAIL_DEFAULT_VALUE='false'
# Session signing secret - minimum of 32 characters
# Generate using: `openssl rand -base64 32`
JETSTREAM_SESSION_SECRET=''
# Backup key to allow session rotation
JETSTREAM_SESSION_SECRET_BACKUP=''
# Auth secret - used to sign encrypt CSRF tokens for authentication pages
# Generate using: `openssl rand -base64 32`
JETSTREAM_AUTH_SECRET=''
# Secret used to encrypt OTP tokens for storage in the database
JETSTREAM_AUTH_OTP_SECRET=''
# Secret used to encrypt SSO secrets (OIDC client secret, SAML private key) in database
# Generate using: `openssl rand -base64 32`
JETSTREAM_AUTH_SSO_SECRET=''

# JETSTREAM URLS
# If developing, then these will be localhost
# If running locally but not developing the platform, use port `:3333` for all of these
JETSTREAM_CLIENT_URL='http://localhost:4200/app'
JETSTREAM_SERVER_DOMAIN='localhost:3333'
JETSTREAM_SERVER_URL='http://localhost:3333'
JETSTREAM_POSTGRES_DBURI='postgres://postgres@localhost:5432/postgres'

# Used in landing page to redirect to the correct URL
# If running locally but not developing the platform, use port `:3333` for all of these
NX_PUBLIC_CLIENT_URL='http://localhost:4200/app'
NX_PUBLIC_SERVER_URL='http://localhost:3333'

# OAUTH FOR LOGGING IN TO THE APP
# You must provide your own keys by creating a connected app in your dev or production org.
# Salesforce - Scopes: email, profile, openid
AUTH_SFDC_CLIENT_ID=''
AUTH_SFDC_CLIENT_SECRET=''

# Google - Scopes: email, profile, openid
AUTH_GOOGLE_CLIENT_ID=''
AUTH_GOOGLE_CLIENT_SECRET=''
# SAML Service Provider Configuration
# Use URN format for the entity ID prefix (e.g. urn:jetstream:prod, urn:jetstream:staging)
# The team ID will be appended with a colon: urn:jetstream:{env}:{teamId}
JETSTREAM_SAML_SP_ENTITY_ID_PREFIX='urn:jetstream:env'

# Generate using `openssl rand -base64 32`
JWT_ENCRYPTION_KEY=''

# SALESFORCE CONFIGURATION
# You must provide your own keys by creating a connected app in your dev or production org.
# Scopes: api, web, refresh_token
SFDC_CALLBACK_URL='http://localhost:3333/oauth/sfdc/callback'
SFDC_CONSUMER_KEY=''
# Generate using `openssl rand -base64 32`
SFDC_ENCRYPTION_KEY=''

# Secret used to derive per-user encryption keys for desktop org files.
# This value must be set explicitly and does not fall back to SFDC_ENCRYPTION_KEY.
# Rotating this invalidates all existing portable-encrypted org files.
# Generate using `openssl rand -base64 32`
DESKTOP_ORG_ENCRYPTION_SECRET=''


###### OPTIONAL ######

# PLAYWRIGHT INTEGRATION TEST LOGIN (JWT bearer flow)
E2E_LOGIN_USERNAME='integration@jetstream.app.e2e'
E2E_LOGIN_URL='https://jetstream-e2e-dev-ed.develop.my.salesforce.com'
SFDC_CI_CONSUMER_KEY=''
# Base64-encoded private key: cat server.key | base64
SFDC_CI_PRIVATE_KEY_BASE64=''

# If set to true, then authentication will be bypassed
# You will use a test account instead of a real account - only works if running locally
EXAMPLE_USER_OVERRIDE='true'
EXAMPLE_USER_PASSWORD='EXAMPLE_123!'

# Deferred response - prevents Cloudflare 524 timeouts on slow Salesforce requests
# Set to true to enable chunked keepalive responses on SF API routes
DEFERRED_RESPONSE_ENABLED='false'
# DEFERRED_RESPONSE_THRESHOLD_MS='75000'
# DEFERRED_RESPONSE_KEEPALIVE_MS='25000'

# Set to true to enable test endpoints (e.g. /api/test/deferred-response)
# ENABLE_TEST_ENDPOINTS='false'

# Better Stack error tracking — FRONTEND project DSN (client bundle, public).
# This is a SEPARATE Better Stack project from SENTRY_DSN below. Create two projects
# in Better Stack (one for the web/client, one for the backend/node) and wire each
# DSN here. The NX_PUBLIC_ prefix is required for Vite to inline at build time.
NX_PUBLIC_SENTRY_DSN=''
NX_PUBLIC_AMPLITUDE_KEY=''

# Credentials for sending emails
# If you are not using the example user, then you may need to configure this for MFA
MAILGUN_API_KEY=''
JETSTREAM_EMAIL_DOMAIN=''
JETSTREAM_EMAIL_FROM_NAME=''
JETSTREAM_EMAIL_REPLY_TO=''

# Used to generate blog when building landing page
CONTENTFUL_HOST='cdn.contentful.com'
CONTENTFUL_SPACE=''
CONTENTFUL_TOKEN=''

# Required to use Google within application
GOOGLE_APP_ID=''
GOOGLE_API_KEY=''
GOOGLE_CLIENT_ID=''
GOOGLE_CLIENT_SECRET=''
GOOGLE_REDIRECT_URI='http://localhost:3333/oauth/google/callback'

# UPLOAD_SOURCEMAPS=false
SENTRY_DSN=''
SENTRY_ORG=''
SENTRY_PROJECT_FRONTEND=''
SENTRY_URL_FRONTEND=''
SENTRY_AUTH_TOKEN=''

# Kill switch to silence Sentry/Better Stack reporting (e.g. during staging pen tests).
# Backend reads DISABLE_ERROR_REPORTING; client bundle reads NX_PUBLIC_DISABLE_ERROR_REPORTING (build-time).
# DISABLE_ERROR_REPORTING=false
# NX_PUBLIC_DISABLE_ERROR_REPORTING=false

# Algolia API key - used to index docs pages
ALGOLIA_APPLICATION_ID=''
ALGOLIA_API_KEY=''


# Nx 18 enables using plugins to infer targets by default
# This is disabled for existing workspaces to maintain compatibility
# For more info, see: https://nx.dev/concepts/inferred-tasks
NX_ADD_PLUGINS=false

# Billing related keys
NX_PUBLIC_BILLING_ENABLED=''
NX_PUBLIC_STRIPE_PUBLIC_KEY=''

BASIC_AUTH_USERNAME='api'
BASIC_AUTH_PASSWORD='test'