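# Environment template for the server, plus commented-out client (Vite) values.
# Values left empty must be supplied per deployment. Keep the filled-in copy out
# of version control: it holds a client secret and an encryption key.

# ── SERVER ───────────────────────────────────────────────────────────────────
PORT=9000

# Keep this false everywhere except local development.
# NOTE(review): the name suggests it skips authentication checks — confirm in the
# server code, and consider refusing to start when it is true in production.
DEV_AUTH_BYPASS=false

# Hours (168 = 7 days).
AI_LOCK_EXPIRY_HOURS=168

# Azure AD — server app registration (validates incoming JWTs)
AZURE_CLIENT_ID=
AZURE_TENANT_ID=

# Graph — app-only calendar access (client credentials, independent of user auth)
# App Registration → API permissions → Graph → Calendars.Read (Application) → grant admin consent
# App Registration → Certificates & secrets → New client secret
# Calendars.Read as an Application permission is not limited to one user: unless
# the tenant restricts it (for example with an Exchange Online application access
# policy), the app can read calendars across the tenant. Scope it to the
# mailboxes this service needs.
AZURE_GRAPH_CLIENT_ID=
# Secret: inject from a secret store or the deployment environment, never commit
# it, and rotate it before the expiry set on the app registration.
AZURE_GRAPH_CLIENT_SECRET=

# Fallback email when auth provides no email (e.g. API key login)
# NOTE(review): every login without an email would then read this mailbox's
# calendar — confirm that is intended before setting it.
CALENDAR_USER_EMAIL=

# IANA timezone for calendar event times (default: Europe/Berlin)
CALENDAR_TIMEZONE=Europe/Berlin

# ── VISION / INVENTORY ───────────────────────────────────────────────────────
# AES-256-GCM key for encrypting user Vision API keys in DB
# AES-256 needs 32 random bytes from a cryptographically secure generator; the
# encoding the server expects (hex or base64) is not shown here — confirm.
# Store it separately from the database and its backups. Values encrypted under
# a lost or replaced key presumably cannot be decrypted, so plan rotation.
SETTINGS_ENCRYPTION_KEY=

# Max Vision API calls per user per day (default: 100)
VISION_RATE_LIMIT=100

# ── CLIENT (Vite — copy relevant lines to client/.env) ───────────────────────
# Vite embeds every VITE_-prefixed variable in the browser bundle, so these
# values are public. Never place a secret (client secret, encryption key) in a
# VITE_ variable.
# VITE_AZURE_CLIENT_ID=
# VITE_AZURE_TENANT_ID=
# DEV ONLY — never set in production
# VITE_DEV_AUTH_BYPASS=true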