# ── Core ───────────────────────────────────────────────────────
PORT=3001
NODE_ENV=development
JWT_SECRET=your-super-secret-jwt-key-change-in-production
TZ=UTC
# info = concise user actions; debug = verbose admin-level details
LOG_LEVEL=info

# ── Networking ─────────────────────────────────────────────────
# Comma-separated origins for CORS and email links
# ALLOWED_ORIGINS=https://trek.example.com
# Redirect HTTP → HTTPS behind a TLS proxy
# FORCE_HTTPS=false
# Number of trusted proxies for X-Forwarded-For
# TRUST_PROXY=1

# ── OIDC / SSO ─────────────────────────────────────────────────
# OIDC_ISSUER=https://auth.example.com
# OIDC_CLIENT_ID=trek
# OIDC_CLIENT_SECRET=supersecret
# OIDC_DISPLAY_NAME=SSO
# Disable local password auth entirely (SSO only)
# OIDC_ONLY=false
# OIDC_ADMIN_CLAIM=groups
# OIDC_ADMIN_VALUE=app-trek-admins

# ── Demo ───────────────────────────────────────────────────────
# DEMO_MODE=false