AZURE_CLIENT_ID=<app-registration-client-id>
AZURE_TENANT_ID=<azure-ad-tenant-id>

# Set to true for local dev to skip JWT verification (never use in production)
# DEV_AUTH_BYPASS=true

# AI lock duration in hours (default: 24, use 168 for 7 days)
# AI_LOCK_EXPIRY_HOURS=168

# Graph API calendar integration (OBO flow)
# AZURE_CLIENT_SECRET=<client-secret-value>
# AZURE_OBO_CLIENT_ID=<client-id of the app registration the frontend uses>
# Only needed if VITE_AZURE_CLIENT_ID != AZURE_CLIENT_ID (separate frontend/backend registrations).
# The OBO assertion token's audience must match this client_id.
# Required: App Registration → API permissions → Microsoft Graph → Calendars.Read (delegated) → Grant admin consent
# Then: Certificates & secrets → New client secret → copy value here

# Client needs VITE_ prefix — create client/.env with:
# VITE_AZURE_CLIENT_ID=<same as above>
# VITE_AZURE_TENANT_ID=<same as above>
# VITE_DEV_AUTH_BYPASS=true   ← DEV ONLY: skips MS login in browser (never set in production)