# BFF environment template # Copy to .env (which is gitignored) and fill in actual values for local development. # Production values are managed by the platform's secret manager (see future infrastructure ADR). # Postgres connection (per ADR-0006) # Local dev default: dockerised Postgres on port 5432, schema 'public'. DATABASE_URL="postgresql://portal:portal@localhost:5432/portal_dev?schema=public" # Future env vars introduced by upcoming phases / ADRs: # # Auth flow (ADR-0009): # ENTRA_TENANT_ID # ENTRA_CLIENT_ID # ENTRA_CLIENT_SECRET (or ENTRA_CLIENT_CERT_PATH) # ENTRA_ACCEPTED_TENANT_IDS # ENTRA_REDIRECT_URI # ENTRA_POST_LOGOUT_REDIRECT_URI # SESSION_SECRET # # Sessions (ADR-0010): # REDIS_URL (or REDIS_SENTINEL_HOSTS + REDIS_SENTINEL_NAME) # REDIS_PASSWORD # REDIS_TLS ('true' in prod) # SESSION_ENCRYPTION_KEY (32-byte base64) # SESSION_IDLE_TIMEOUT_SECONDS (default 1800) # SESSION_ABSOLUTE_TIMEOUT_SECONDS (default 43200) # # MFA (ADR-0011): # MFA_FRESHNESS_SECONDS (default 600) # # Observability (ADR-0012): # LOG_LEVEL ('info' in prod, 'debug' in dev) # LOG_USER_ID_SALT (per-environment salt) # OTEL_SERVICE_NAME ('portal-bff') # OTEL_SERVICE_VERSION # OTEL_RESOURCE_ATTRIBUTES # OTEL_EXPORTER_OTLP_ENDPOINT # OTEL_EXPORTER_OTLP_PROTOCOL ('http/protobuf') # OTEL_TRACES_SAMPLER ('always_on' in v1) # # Audit trail (ADR-0013): # AUDIT_DATABASE_URL (separate creds, role 'audit_writer') # AUDIT_ARCHIVER_DATABASE_URL (role 'audit_archiver', for the retention purge job) # AUDIT_RETENTION_DAYS (default 365) # # Downstream API access (ADR-0014): # OBO_CACHE_ENCRYPTION_KEY (32-byte base64, distinct from SESSION_ENCRYPTION_KEY) # BFF_JWKS_PRIVATE_KEY_PATH # BFF_JWKS_KID # _API_BASE_URL (per integrated downstream) # _TIMEOUT_MS (optional, defaults to 5000)