.example.env

# ============================================================================
# GhostClass Environment Variables
# ============================================================================
# Copy this file to `.env` and fill in your actual values.
# NEVER commit the `.env` file to version control!
#
# Required variables are marked with ⚠️
# Optional variables are marked with ℹ️
#
# HOW CONFIGURATION WORKS
# ─────────────────────────────────────────────────────────────────────────────
#
#  🔨 Build-time  →  GitHub Actions Variable or Secret  →  docker build --build-arg
#     Baked into the Docker image at build time; requires a new image build to change.
#     Non-sensitive (public) values → Variables tab
#       (Settings → Secrets and variables → Actions → Variables)
#     Sensitive values (e.g. SENTRY_AUTH_TOKEN) → Secrets tab
#     NEXT_PUBLIC_* vars are compiled into the JS bundle; changing them
#     requires a new image build and re-deploy.
#
#  🚀 Runtime     →  Server Env Var         →  docker run / container ENV
#     Injected into the running container by your server at startup.
#     Add to: Your server → Your App → Environment Variables
#     NEVER baked into the image — a container restart is enough to apply
#     changes (no rebuild needed). All server-only secrets live here.
#
# ─────────────────────────────────────────────────────────────────────────────

# ============================================================================
# 🔨 BUILD-TIME  (GitHub Actions Variables / Secrets → baked into Docker image)
# ============================================================================

# ----------------------------------------------------------------------------
# App identity
# ----------------------------------------------------------------------------

# ⚠️ Application name displayed in UI and emails
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_APP_NAME=GhostClass

# ⚠️ App version displayed in footer and health checks
# NOT a GitHub Secret — the release pipeline derives this from the git tag
# (calculate-version job). A GitHub Secret here would always be stale after
# an auto-version bump. Keep in sync with package.json for local dev only.
# 🔨 Build-time (auto-derived from git tag by pipeline — not a GitHub Secret)
NEXT_PUBLIC_APP_VERSION=3.0.7

# ⚠️ Your production domain WITHOUT https://
# All URL-based variables are derived from this.
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_APP_DOMAIN=ghostclass.devakesu.com

# ℹ️ Fallback domain (optional, for multi-environment deployments)
# Only needed when deploying to multiple environments without per-env config.
# Falls back to this when NEXT_PUBLIC_APP_DOMAIN is not set.
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_DEFAULT_DOMAIN=

# ℹ️ Author / maintainer information
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_AUTHOR_NAME=@deva.kesu
NEXT_PUBLIC_AUTHOR_URL=https://devakesu.com

# ℹ️ GitHub repository URL
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_GITHUB_URL=https://github.com/devakesu/GhostClass

# ℹ️ Donation / sponsor link shown in footer (optional)
# Examples: https://github.com/sponsors/username  |  https://ko-fi.com/username
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_DONATE_URL=

# ----------------------------------------------------------------------------
# Derived URL variables (auto-generated from NEXT_PUBLIC_APP_DOMAIN)
# Do NOT set these manually — the pipeline constructs them automatically.
# 🔨 Build-time (auto-constructed by release pipeline)
# ----------------------------------------------------------------------------
NEXT_PUBLIC_APP_URL=https://${NEXT_PUBLIC_APP_DOMAIN}
NEXT_PUBLIC_SITEMAP_URL=https://${NEXT_PUBLIC_APP_DOMAIN}/sitemap.xml
NEXT_PUBLIC_APP_EMAIL=@${NEXT_PUBLIC_APP_DOMAIN}
NEXT_PUBLIC_LEGAL_EMAIL=legal@${NEXT_PUBLIC_APP_DOMAIN}

# ----------------------------------------------------------------------------
# Legal & compliance
# ----------------------------------------------------------------------------

# ℹ️ Effective date shown in Terms of Service and Privacy Policy
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_LEGAL_EFFECTIVE_DATE=March 6, 2026

# ----------------------------------------------------------------------------
# EzyGo integration
# ----------------------------------------------------------------------------

# ⚠️ EzyGo API base URL
# Set to the Cloudflare egress Worker URL in production (recommended) to route
# traffic through Cloudflare's edge IPs and avoid per-IP rate-limit blocks.
# Example (CF Worker):  https://ezygo-proxy.<your-cf-username>.workers.dev/api/v1/Xcr45_salt
# Example (direct):     https://production.api.ezygo.app/api/v1/Xcr45_salt
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_BACKEND_URL=https://production.api.ezygo.app/api/v1/Xcr45_salt

# ----------------------------------------------------------------------------
# Supabase (public / client-side keys)
# Get credentials at: https://supabase.com → Project Settings → API
# ----------------------------------------------------------------------------

# ⚠️ Supabase project URL
# Always set this to the REAL supabase.co URL — used by the Next.js server,
# image optimisation, and CSP. Never change this to the proxy URL.
# Example: https://abcdefghijklmnop.supabase.co
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_SUPABASE_URL=

# ℹ️ Supabase browser proxy — Tier 1: Cloudflare Worker (ISP bypass, optional)
# Deploy workers/supabase-proxy/index.js as a CF Worker, then set this to the
# worker URL. The browser client tries CF first, falls back to AWS (Tier 2),
# then falls back to direct supabase.co. Leave blank for direct connections.
# Example: https://ghostclass-supabase-proxy.<your-cf-username>.workers.dev
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_SUPABASE_CF_PROXY_URL=

# ℹ️ Supabase browser proxy — Tier 2: AWS Lambda (ISP bypass fallback, optional)
# Deploy workers/supabase-proxy-aws/index.mjs as a Lambda + HTTP API Gateway,
# then set this to the API Gateway invoke URL. Used when the CF Worker fails or
# quota is exceeded. Leave blank to skip this tier.
# Example: https://<api-gw-id>.execute-api.ap-south-1.amazonaws.com
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_SUPABASE_AWS_PROXY_URL=

# ⚠️ Supabase Anonymous (public) key — safe to expose to the browser
# Starts with: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_SUPABASE_ANON_KEY=

# ----------------------------------------------------------------------------
# Cloudflare Turnstile (public site key)
# Get keys at: https://dash.cloudflare.com/ → Turnstile
# ----------------------------------------------------------------------------

# ⚠️ Turnstile Site Key — visible in browser, used on login/contact forms
# Testing key (always passes, dev only): 1x00000000000000000000AA
# 🚨 Replace with a real production key before deploying!
# 🔨 Build-time (GitHub Actions Variable)
NEXT_PUBLIC_TURNSTILE_SITE_KEY=1x00000000000000000000AA

# ----------------------------------------------------------------------------
# Sentry — build-time portion (source map upload during docker build)
# Get credentials at: https://sentry.io/settings/
# ----------------------------------------------------------------------------

# ⚠️ Sentry organisation slug (e.g. "devakesu" from sentry.io/organizations/devakesu/)
# 🔨 Build-time (GitHub Actions Variable — used by `next build` to upload source maps)
SENTRY_ORG=devakesu

# ⚠️ Sentry project slug (e.g. "ghostclass")
# 🔨 Build-time (GitHub Actions Variable — used by `next build` to upload source maps)
SENTRY_PROJECT=ghostclass

# ⚠️ Sentry Auth Token — uploaded via BuildKit secret mount, never baked into image layers
# Create at: https://sentry.io/settings/account/api/auth-tokens/
# Required scopes: project:read, project:releases, org:read  |  Starts with: sntrys_...
# 🔨 Build-time (GitHub Actions Secret — BuildKit secret mount during `docker build`)
SENTRY_AUTH_TOKEN=

# ⚠️ Sentry DSN (Data Source Name) — public key for browser error reporting
# Found at: Sentry → Project Settings → Client Keys (DSN)
# Example: https://abc123@o123456.ingest.sentry.io/7654321
# 🔨 Build-time (GitHub Actions Variable — compiled into JS bundle)
NEXT_PUBLIC_SENTRY_DSN=

# ℹ️ Sentry Session Replay sample rate (0.0–1.0, default: 0 = disabled)
# Example: 0.1 = 10% of sessions. Warning: increases bandwidth and Sentry quota.
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_SENTRY_REPLAY_RATE=0

# ----------------------------------------------------------------------------
# Google Analytics (Measurement ID — public)
# Get from: https://analytics.google.com/
# ----------------------------------------------------------------------------

# ℹ️ GA4 Measurement ID (optional)
# Format: G-XXXXXXXXXX  |  Get from: GA4 Admin → Data Streams → Measurement ID
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_GA_ID=

# ----------------------------------------------------------------------------
# User settings defaults
# ----------------------------------------------------------------------------

# ℹ️ Minimum attendance target percentage users can set (default: 75, range: 1–100)
# Adjust to match your institution's minimum attendance requirement.
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_ATTENDANCE_TARGET_MIN=75

# ----------------------------------------------------------------------------
# CSP / build flags
# ----------------------------------------------------------------------------

# ℹ️ Force production-like CSP in development — client-side flag (optional)
# Valid: "true", "1", "yes". See FORCE_STRICT_CSP in the Runtime section for
# the server-side counterpart (kept separate so the runtime flag can be toggled
# without a rebuild).
# ⚠️ 'unsafe-eval' is still present in dev even with this set; Next.js HMR
#    requires it. Use `npm run build && npm start` to test a fully strict CSP.
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_FORCE_STRICT_CSP=

# ℹ️ (Deprecated — no longer used) Previously controlled public source map serving.
# productionBrowserSourceMaps is now always true in production so Sentry can embed
# sourcesContent in uploaded maps. Maps are deleted from the build output after upload
# (deleteSourcemapsAfterUpload: true in withSentryConfig) and are never publicly served.
# 🔨 Build-time (GitHub Actions Variable — optional)
#ENABLE_PUBLIC_BROWSER_SOURCEMAPS=

# ℹ️ Enable service worker in development mode (optional, dev only, default: false)
# Set "true" to test service worker behaviour locally with hot reload.
# 🔨 Build-time (GitHub Actions Variable — optional)
NEXT_PUBLIC_ENABLE_SW_IN_DEV=

# ----------------------------------------------------------------------------
# Build reproducibility (auto-set by pipeline — do not change manually)
# ----------------------------------------------------------------------------

# ⚠️ Unix timestamp pinning the build output for reproducible Docker images
# Auto-derived at build time from the git commit timestamp (git log -1 --format=%ct).
# Same commit tag → same epoch → same image digest. NOT a GitHub Variable or Secret.
# The value below is a local-dev fallback only; the pipeline never reads it.
# 🔨 Build-time (auto-derived from git commit by release pipeline)
SOURCE_DATE_EPOCH=1767225600

# Auto-populated by GitHub Actions — do not set manually
# 🔨 Build-time (auto-generated by pipeline)
APP_COMMIT_SHA=<auto-generated-by-github-actions>
NEXT_PUBLIC_GIT_COMMIT_SHA=<auto-generated-by-github-actions>
#   Full commit SHA for footer display; auto-populated from git rev-parse HEAD.
#   APP_COMMIT_SHA is used for the provenance API endpoint.
#   NEXT_PUBLIC_GIT_COMMIT_SHA is exposed to the browser for footer display.
BUILD_TIMESTAMP=<auto-set-by-pipeline>
#   ISO 8601 timestamp of the Docker build; exposed by /api/provenance endpoint.
AUDIT_STATUS=<auto-set-by-pipeline>
#   Result of `npm audit` during build (e.g. "PASSED" or "FAILED-HIGH").
SIGNATURE_STATUS=<auto-set-by-pipeline>
#   Docker image signing state (e.g. "SLSA_PROVENANCE_GENERATED", "UNSIGNED").
IMAGE_DIGEST=<auto-set-by-pipeline>
#   sha256 digest of the published Docker image; exposed by /api/provenance.


# ============================================================================
# 🚀 RUNTIME  (Server Env Vars → injected into running container)
# ============================================================================

# Egress proxy chain — 3-tier failover for EzyGo API requests
# NEXT_PUBLIC_BACKEND_URL (above) is always the direct EzyGo URL.
# The tiers below are server-side only; configure in your server env at runtime.
#
# Tier 1: Cloudflare Worker (CF_PROXY_URL + CF_PROXY_SECRET)
#   CF_PROXY_URL: Your deployed CF Worker URL including the path prefix.
#     Example: https://ezygo-proxy.<username>.workers.dev/api/v1/Xcr45_salt
#     Leave empty to skip this tier (traffic goes directly to tier 2 or EzyGo).
#   CF_PROXY_SECRET: Shared secret the Worker validates (x-proxy-secret header).
#     Must match PROXY_SECRET in the CF Worker's encrypted settings.
#     Generate with: openssl rand -hex 32
#     UNIFIED NAMING: same variable in server env (runtime) AND GitHub Actions (CI/CD secret).
#     sync-secrets.js syncs both automatically.
# 🚀 Runtime (Server Env Var) + 🔑 GitHub Actions Secret (same name, same value)
CF_PROXY_URL=
CF_PROXY_SECRET=

# Tier 2: AWS Lambda + API Gateway (AWS_SECONDARY_URL + AWS_SECONDARY_SECRET)
#   AWS_SECONDARY_URL: API Gateway invoke URL for the Lambda proxy.
#     Get from: AWS API Gateway → your API → Invoke URL
#     Example: https://abc123.execute-api.ap-south-1.amazonaws.com
#     Leave empty to skip this tier.
#   AWS_SECONDARY_SECRET: DIFFERENT value from CF_PROXY_SECRET (key separation).
#     Must match PROXY_SECRET in the Lambda's environment variables.
#     Generate with: openssl rand -hex 32
#     UNIFIED NAMING: same variable in server env (runtime) AND GitHub Actions (CI/CD secret).
#     sync-secrets.js syncs both automatically.
# 🚀 Runtime (Server Env Var) + 🔑 GitHub Actions Secret (same name, same value)
AWS_SECONDARY_URL=
AWS_SECONDARY_SECRET=

# ----------------------------------------------------------------------------
# Encryption & signing secrets
# ----------------------------------------------------------------------------

# ⚠️ AES-256-GCM encryption key for tokens and auth credentials
# Must be exactly 64 hexadecimal characters (32 bytes).
# Generate: openssl rand -hex 32
# ⚠️ NEVER share — changing it invalidates all encrypted data.
# Used for: EzyGo token encryption, canonical password storage
# 🚀 Runtime (Server Env Var)
ENCRYPTION_KEY=

# ⚠️ Authorisation token for automated sync cron jobs
# Generate: openssl rand -base64 32  |  Used in: /api/cron/sync
# 🚀 Runtime (Server Env Var)
CRON_SECRET=

# ⚠️ Dedicated secret for request signature verification
# Must NOT be the same value as ENCRYPTION_KEY (key-separation principle).
# Generate: openssl rand -hex 32  |  Used for: API request anti-tampering
# 🚀 Runtime (Server Env Var)
REQUEST_SIGNING_SECRET=

# ℹ️ Maximum age for signed requests in seconds (default: 600 = 10 min)
# Prevents replay attacks. Valid range: 60–3600 seconds.
# 🚀 Runtime (Server Env Var — optional)
REQUEST_SIGNATURE_MAX_AGE=600

# ----------------------------------------------------------------------------
# CSP server-side flag
# ----------------------------------------------------------------------------

# ℹ️ Force production-like CSP in development — server-side flag (optional)
# Valid: "true", "1", "yes". See NEXT_PUBLIC_FORCE_STRICT_CSP for the
# client-side twin. Useful for staging environments without a rebuild.
# 🚀 Runtime (Server Env Var — optional)
FORCE_STRICT_CSP=

# ----------------------------------------------------------------------------
# Upstash Redis (rate limiting)
# Get credentials at: https://upstash.com  |  Free tier: 10,000 commands/day
# ----------------------------------------------------------------------------

# ⚠️ Upstash Redis REST API URL
# Example: https://your-redis-instance.upstash.io
# 🚀 Runtime (Server Env Var)
UPSTASH_REDIS_REST_URL=

# ⚠️ Upstash Redis REST API Token (starts with "A...")
# 🚀 Runtime (Server Env Var)
UPSTASH_REDIS_REST_TOKEN=

# ----------------------------------------------------------------------------
# Rate limiting (sliding window algorithm)
# Adjust based on server capacity and expected traffic.
# ----------------------------------------------------------------------------

# General endpoints (sync, contact, etc.) — recommended: 30 req / 10 s
# 🚀 Runtime (Server Env Var — optional)
RATE_LIMIT_REQUESTS=30       # Max requests per window
RATE_LIMIT_WINDOW=10         # Window size in seconds

# Auth endpoints — keep low to prevent brute-force attacks
# 🚀 Runtime (Server Env Var — optional)
AUTH_RATE_LIMIT_REQUESTS=5   # Max login attempts
AUTH_RATE_LIMIT_WINDOW=60    # Per 60 seconds

# ℹ️ Auth lock TTL in seconds during the save-token process (default: 20)
# Prevents race conditions when multiple login requests arrive simultaneously.
# Range: 15–60 seconds.
# 🚀 Runtime (Server Env Var — optional)
AUTH_LOCK_TTL=20

# ----------------------------------------------------------------------------
# Supabase — service role (admin key, server-side only)
# ----------------------------------------------------------------------------

# ⚠️ Supabase Service Role key — ADMIN ACCESS, NEVER expose to the browser!
# Used for server-side operations that bypass Row Level Security (RLS).
# Only used in API routes and server components.
# Starts with: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
# 🚀 Runtime (Server Env Var)
SUPABASE_SERVICE_ROLE_KEY=

# ----------------------------------------------------------------------------
# Cloudflare Turnstile — secret key (server-side)
# ----------------------------------------------------------------------------

# ⚠️ Turnstile Secret Key — server-side only, NEVER expose to the browser!
# Testing key (always passes, dev only): 1x0000000000000000000000000000000AA
# 🚨 Replace with a real production key before deploying!
# 🚀 Runtime (Server Env Var)
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA

# ----------------------------------------------------------------------------
# Email services (dual-provider failover)
# At least ONE provider must be configured for contact forms and notifications.
# ----------------------------------------------------------------------------

# ℹ️ SendPulse — Primary email provider
# Get credentials at: https://sendpulse.com/integrations/api
# 🚀 Runtime (Server Env Var — optional if Brevo is configured)
SENDPULSE_CLIENT_ID=
SENDPULSE_CLIENT_SECRET=

# ℹ️ Brevo (formerly Sendinblue) — Fallback email provider
# Get API key at: https://app.brevo.com/settings/keys/api  |  Free: 300 emails/day
# 🚀 Runtime (Server Env Var — optional if SendPulse is configured)
BREVO_API_KEY=

# ----------------------------------------------------------------------------
# Sentry — runtime portion (data redaction salt)
# ----------------------------------------------------------------------------

# ⚠️ Hash salt for redacting sensitive data (emails, IDs) in Sentry error reports
# Lazy-loaded at first use — NOT required at build time, only at runtime.
# Generate: openssl rand -base64 32  |  Treat like a database credential.
# 🚀 Runtime (Server Env Var)
SENTRY_HASH_SALT=

# ----------------------------------------------------------------------------
# Google Analytics — API secret (server-side)
# ----------------------------------------------------------------------------

# ⚠️ GA4 API Secret — server-side only, NEVER expose to the browser
# Used for server-side event tracking via GA4 Measurement Protocol.
# Get from: GA4 Admin → Data Streams → Measurement Protocol API secrets
# Format: random alphanumeric string (e.g. abc123DEF456ghi789JKL)
# 🚀 Runtime (Server Env Var — required if NEXT_PUBLIC_GA_ID is set)
GA_API_SECRET=


# ============================================================================
# 🔑 CI/CD-ONLY  (synced to GitHub Actions by `node scripts/sync-secrets.js`)
# These are NOT server/Docker runtime env vars — never inject them into the container.
# Set values here and run sync-secrets.js once; re-run whenever values change.
# ============================================================================
#
# NOTE ON PROXY SECRETS: CF_PROXY_SECRET and AWS_SECONDARY_SECRET are defined
# in the EzyGo section above. They serve double duty — server runtime AND GitHub
# Actions CI/CD secret — using the same name so no duplication is required.
#
# NOTE ON EZYGO API URL: CF Worker and AWS Lambda both use NEXT_PUBLIC_BACKEND_URL
# (already a GitHub Actions Variable) as their upstream EZYGO_API_URL target.
# No separate CF_EZYGO_API_URL or AWS_EZYGO_API_URL variables are needed.

# ── Release automation ────────────────────────────────────────────────────────
# BOT_PAT: Classic PAT (repo + workflow scopes) so auto-version-bump commits
# trigger downstream CI (GITHUB_TOKEN cannot trigger other workflows).
# Create at: Settings → Developer settings → Personal access tokens → Classic
BOT_PAT=

# GPG signing key for commits and tags.
# Generate: gpg --batch --gen-key  |  Export: gpg --armor --export-secret-keys KEY_ID
# If your key uses %no-protection, leave GPG_PASSPHRASE empty / omit it entirely.
GPG_PRIVATE_KEY=
GPG_PASSPHRASE=

# ── Server deployment trigger ────────────────────────────────────────────────
COOLIFY_BASE_URL=
COOLIFY_APP_ID=
COOLIFY_API_TOKEN=

# ── Cloudflare egress Worker auto-deploy ─────────────────────────────────────
# API token scopes required: Workers Scripts:Edit, Account Settings:Read
# CF_PROXY_SECRET → see EzyGo section (runtime + CI/CD, same name)
CLOUDFLARE_API_TOKEN=
CLOUDFLARE_ACCOUNT_ID=
# Synced as GitHub Actions Variables (non-sensitive)
CF_WORKER_NAME=ghostclass-backend
# Name of the Supabase browser proxy CF Worker (ISP block workaround)
# workers/supabase-proxy/index.js is deployed under this name
CF_SUPABASE_PROXY_WORKER_NAME=ghostclass-supabase-proxy

# ── AWS Lambda egress proxy auto-deploy ──────────────────────────────────────
# IAM permissions: lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration,
#                  lambda:UpdateFunctionCode, lambda:PublishVersion (scoped to function ARN)
# AWS_SECONDARY_SECRET → see EzyGo section (runtime + CI/CD, same name)
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
# Synced as GitHub Actions Variables (non-sensitive)
AWS_REGION=ap-south-1
AWS_LAMBDA_FUNCTION_NAME=ghostclass-ezygo-backend
# Name of the Supabase browser proxy Lambda (ISP block workaround)
# workers/supabase-proxy-aws/index.mjs is deployed under this function name
AWS_SUPABASE_LAMBDA_FUNCTION_NAME=ghostclass-supabase-proxy


# ============================================================================
# QUICK START GUIDE
# ============================================================================
#
# 1. Copy this file:
#    cp .example.env .env
#
# 2. Generate security keys:
#    openssl rand -hex 32      # ENCRYPTION_KEY and REQUEST_SIGNING_SECRET (64-char hex)
#    openssl rand -base64 32   # CRON_SECRET and SENTRY_HASH_SALT
#
# 3. Set up Supabase:
#    - Create project at https://supabase.com
#    - Run: npx supabase link --project-ref <your-project-id>
#    - Run: npx supabase db push
#    - Copy API keys from Project Settings → API
#
# 4. Set up Upstash Redis:
#    - Create database at https://upstash.com
#    - Copy REST URL and Token
#
# 5. Set up Cloudflare Turnstile:
#    - Get production keys from https://dash.cloudflare.com/ → Turnstile
#    - Replace testing keys with real production keys
#
# 6. (Optional) Set up email providers:
#    - Configure at least one: SendPulse OR Brevo
#    - Both can be active simultaneously for automatic failover
#
# 7. (Optional) Set up monitoring:
#    - Sentry for error tracking
#    - Google Analytics for usage stats
#
# 8. GitHub Variables and Secrets (🔨 Build-time + CI/CD-only):
#    Repository → Settings → Secrets and variables → Actions
#    a) Variables tab — all non-sensitive 🔨 Build-time items tagged
#       "GitHub Actions Variable" in this file:
#       NEXT_PUBLIC_* vars, SENTRY_ORG, SENTRY_PROJECT
#    b) Secrets tab — sensitive items only:
#       Build-time secret:   SENTRY_AUTH_TOKEN
#       CI/CD-only secrets:  BOT_PAT, GPG_PRIVATE_KEY, GPG_PASSPHRASE,
#                            COOLIFY_BASE_URL, COOLIFY_APP_ID, COOLIFY_API_TOKEN,
#                            CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID,
#                            CF_PROXY_SECRET, AWS_SECONDARY_SECRET,
#                            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
#       ✔ Run `node scripts/sync-secrets.js` to push all the above from .env automatically.
#    - NOTE: NEXT_PUBLIC_APP_VERSION is NOT a Variable (derived from git tag)
#    - NOTE: CF_SUPABASE_PROXY_WORKER_NAME and AWS_SUPABASE_LAMBDA_FUNCTION_NAME
#      are GitHub Actions Variables (non-sensitive). Add them in the Variables tab.
#
# 9. Server Env Vars (🚀 Runtime):
#    - Your server → Your App → Environment Variables
#    - Add all 🚀 Runtime variables listed above
#    - Changes take effect on container restart — no rebuild needed
#
# ============================================================================
# SECURITY CHECKLIST
# ============================================================================
# ✅ .env file is in .gitignore
# ✅ ENCRYPTION_KEY is exactly 64 hex characters
# ✅ REQUEST_SIGNING_SECRET differs from ENCRYPTION_KEY (key-separation)
# ✅ CF_PROXY_SECRET differs from AWS_SECONDARY_SECRET (key-separation)
# ✅ NEXT_PUBLIC_SUPABASE_CF_PROXY_URL + NEXT_PUBLIC_SUPABASE_AWS_PROXY_URL set if ISP blocks supabase.co
# ✅ CF_SUPABASE_PROXY_WORKER_NAME + AWS_SUPABASE_LAMBDA_FUNCTION_NAME set in GH Actions Variables
# ✅ Turnstile keys are PRODUCTION keys (not 1x00...)
# ✅ SUPABASE_SERVICE_ROLE_KEY is never exposed to the browser
# ✅ All secrets are stored in environment variables (not hardcoded)
# ✅ Production secrets differ from development secrets
# ✅ GitHub Variables configured for all non-sensitive 🔨 Build-time vars (NEXT_PUBLIC_*, etc.)
# ✅ GitHub Secrets configured for SENTRY_AUTH_TOKEN and CI/CD-only secrets
# ✅ Server Env Vars configured for all 🚀 Runtime vars
# ✅ BOT_PAT (Classic PAT, repo + workflow scopes) set for auto-version workflow
# ✅ CF_PROXY_SECRET / AWS_SECONDARY_SECRET use same name in .env (server) and
#    GitHub Actions — no duplicate variable names, sync-secrets.js handles both
# ✅ Derived URL variables (APP_URL, SITEMAP_URL, etc.) auto-constructed by pipeline
# ============================================================================