/** * Per-environment configuration for the SPA, per ADR-0018. * * This file holds the **dev defaults** and is the one checked in. * Per-environment siblings (`environment.staging.ts`, * `environment.prod.ts`) land alongside this file later; the * production / staging build configurations in `project.json` declare * a `fileReplacements` entry that swaps this file for the target one * at build time. * * Constraint: every sibling must export an `environment` object of * the same shape. TypeScript will catch missing keys at the * consuming site once a sibling exists. * * Nothing here is a secret. The SPA is a static bundle; secrets that * ever needed to live here would, by definition, be public. Per-user * / per-tenant secrets live in the BFF session payload (ADR-0010). */ export const environment = { /** * Origin + prefix of the BFF HTTP API. The SPA prepends this to * every backend call (`${bffApiBaseUrl}/health`, etc.) and derives * the OTel trace-header propagation pattern from its origin (see * `observability/tracing.ts`). */ bffApiBaseUrl: 'http://localhost:3000/api', /** * Name of the BFF's CSRF cookie. Mirrors the BFF's * `csrfCookieName()` convention: `__Host-portal_csrf` in * production (Secure-required, hence excluded from HTTP dev), * `portal_csrf` otherwise. Read by the `csrfInterceptor` to * echo the value back in the `X-CSRF-Token` request header. */ bffCsrfCookieName: 'portal_csrf', /** * OTLP/HTTP traces endpoint. Targets the Collector in * `infra/local/dev.compose.yml`. CORS is enabled there — see * `infra/local/otel-collector.yaml`. */ otlpEndpoint: 'http://localhost:4318/v1/traces', /** * Origin of the sibling `portal-admin` SPA — driver of the * cross-app "Open Portal Admin" entry in the user menu (gated on * `CapabilitiesService.canAccessAdmin`). Per ADR-0020 the two * SPAs live on distinct origins / cookies / sessions, so this is * a raw cross-origin `` jump, not an Angular route. * Per-env siblings override the host. */ adminAppUrl: 'http://localhost:4300', };