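# Example environment file for the Gitea-backed MCP server.
# Copy it to the deployment's env file and replace every placeholder before use;
# the real OAuth client secret belongs only in that deployed copy.
# One KEY=VALUE per line, no quoting; booleans are written true/false throughout.
# Comments are full-line only: a trailing "# note" after a value is kept as part
# of the value by some dotenv loaders, so never annotate on the value line itself.

# Runtime environment
ENVIRONMENT=production

# Gitea OAuth/OIDC resource server
GITEA_URL=https://git.hiddenden.cafe

# OAuth mode (recommended and required for per-user repository isolation)
OAUTH_MODE=true
# Placeholders: replace with the client registered in Gitea for this server
GITEA_OAUTH_CLIENT_ID=your-gitea-oauth-client-id
GITEA_OAUTH_CLIENT_SECRET=your-gitea-oauth-client-secret
# Optional explicit audience override; defaults to GITEA_OAUTH_CLIENT_ID
OAUTH_EXPECTED_AUDIENCE=
# OIDC discovery and JWKS cache TTL, in seconds
OAUTH_CACHE_TTL_SECONDS=300

# MCP server configuration
# Loopback bind by default; a non-loopback address is presumably what
# ALLOW_INSECURE_BIND gates — confirm against the loader before changing either.
MCP_HOST=127.0.0.1
MCP_PORT=8080
# Optional external URL used in OAuth metadata when running behind reverse proxies.
# Example: PUBLIC_BASE_URL=https://gitea-mcp.hiddenden.cafe
PUBLIC_BASE_URL=
ALLOW_INSECURE_BIND=false

# Logging / observability
LOG_LEVEL=INFO
AUDIT_LOG_PATH=/var/log/aegis-mcp/audit.log
METRICS_ENABLED=true
# Keep false in production so internal error details are not returned to clients
EXPOSE_ERROR_DETAILS=false
STARTUP_VALIDATE_GITEA=true

# Authentication failure controls
# MAX_AUTH_FAILURES failures within AUTH_FAILURE_WINDOW trigger the failure control;
# the window unit is not stated here — presumably seconds, matching the other TTLs.
MAX_AUTH_FAILURES=5
AUTH_FAILURE_WINDOW=300

# Request rate limiting
RATE_LIMIT_PER_MINUTE=60
TOKEN_RATE_LIMIT_PER_MINUTE=120

# Tool output limits
MAX_FILE_SIZE_BYTES=1048576
MAX_TOOL_RESPONSE_ITEMS=200
MAX_TOOL_RESPONSE_CHARS=20000
REQUEST_TIMEOUT_SECONDS=30

# Security controls
# One of: off | mask | block
SECRET_DETECTION_MODE=mask
# Path is resolved by the server; relative paths depend on its working directory
POLICY_FILE_PATH=policy.yaml

# Write mode (disabled by default)
WRITE_MODE=false
# Empty means no repository is writable even when WRITE_MODE=true, unless
# WRITE_ALLOW_ALL_TOKEN_REPOS is set — verify this precedence in the loader
WRITE_REPOSITORY_WHITELIST=
WRITE_ALLOW_ALL_TOKEN_REPOS=false

# Automation mode (disabled by default)
AUTOMATION_ENABLED=false
AUTOMATION_SCHEDULER_ENABLED=false
AUTOMATION_STALE_DAYS=30

# Legacy compatibility (not used for OAuth-protected MCP tool execution)
# Left unset on purpose; uncomment only for the legacy non-OAuth path.
# GITEA_TOKEN=
# MCP_API_KEYS=
# AUTH_ENABLED=true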