# ── SERVER ───────────────────────────────────────────────────────────────────
PORT=9000
DEV_AUTH_BYPASS=false
AI_LOCK_EXPIRY_HOURS=168

# Azure AD — server app registration (validates incoming JWTs)
AZURE_CLIENT_ID=<server-app-registration-client-id>
AZURE_TENANT_ID=<azure-ad-tenant-id>

# Graph / OBO — required for calendar integration
# App Registration → API permissions → Graph → Calendars.Read (delegated) → grant admin consent
# App Registration → Certificates & secrets → New client secret
AZURE_CLIENT_SECRET=<client-secret-value>
# aud of client token must match this. Only needed if frontend uses a different app registration.
AZURE_OBO_CLIENT_ID=<frontend-app-registration-client-id>

# ── CLIENT (Vite — copy relevant lines to client/.env) ───────────────────────
# VITE_AZURE_CLIENT_ID=<frontend-app-registration-client-id>
# VITE_AZURE_TENANT_ID=<azure-ad-tenant-id>
# VITE_DEV_AUTH_BYPASS=true   # DEV ONLY — never set in production