# portal — local dev environment.
# Copy to .env.local (gitignored).

# Tenant Registry — see platform/tenant-registry. Run `make dev` there.
TENANT_REGISTRY_URL=http://localhost:8090

# Keycloak (dev stack from platform/orca-platform/dev).
KEYCLOAK_ISSUER=http://localhost:8080/realms/breakpilot-dev
KEYCLOAK_CLIENT_ID=dev-portal
# Public PKCE client — secret is structurally required by Auth.js but unused
# at the OAuth code-exchange step. Any non-empty placeholder works in dev.
KEYCLOAK_CLIENT_SECRET=unused-public-client

# Auth.js v5 — required for JWT signing.
# Generate with: openssl rand -base64 32
AUTH_SECRET=dev-secret-change-me-do-not-ship-replace-with-32-byte-random
AUTH_URL=http://localhost:3000

# In prod we'd set AUTH_TRUST_HOST=true behind orca-proxy; dev is loopback so leave unset.