/** * Per-environment configuration for the SPA, per ADR-0018. * * This file holds the **dev defaults** and is the one checked in. * Per-environment siblings (`environment.staging.ts`, * `environment.prod.ts`) land alongside this file later; the * production / staging build configurations in `project.json` declare * a `fileReplacements` entry that swaps this file for the target one * at build time. * * Constraint: every sibling must export an `environment` object of * the same shape. TypeScript will catch missing keys at the * consuming site once a sibling exists. * * Nothing here is a secret. The SPA is a static bundle; secrets that * ever needed to live here would, by definition, be public. Per-user * / per-tenant secrets live in the BFF session payload (ADR-0010). */ export const environment = { /** * Prefix of the BFF HTTP API. The SPA prepends this to every * backend call (`${bffApiBaseUrl}/health`, etc.) and derives the * OTel trace-header propagation pattern from its resolved origin * (see `observability/tracing.ts`). * * Relative path: the Angular dev-server proxies `/api/*` to the * BFF (see `proxy.conf.js`, BFF target overridable via the * `BFF_TARGET` env var — set by the ADR-0030 `apps` Compose * profile to `http://portal-bff:3000`). This keeps every BFF call * same-origin in the browser, so the SPA works whether it is * accessed via `localhost:4200`, the VM IP, or any other host — * and the BFF's `CORS_ALLOWED_ORIGINS` no longer has to enumerate * every developer-side hostname. Production siblings * (`environment.prod.ts`, etc.) may set an absolute origin when * the SPA and BFF live on different hosts; `tracing.ts` resolves * either form against `window.location.origin`. */ bffApiBaseUrl: '/api', /** * Name of the BFF's CSRF cookie. Mirrors the BFF's * `csrfCookieName()` convention: `__Host-portal_csrf` in * production (Secure-required, hence excluded from HTTP dev), * `portal_csrf` otherwise. Read by the `csrfInterceptor` to * echo the value back in the `X-CSRF-Token` request header. */ bffCsrfCookieName: 'portal_csrf', /** * OTLP/HTTP traces endpoint. Targets the Collector in * `infra/local/dev.compose.yml`. CORS is enabled there — see * `infra/local/otel-collector.yaml`. */ otlpEndpoint: 'http://localhost:4318/v1/traces', /** * Origin of the sibling `portal-admin` SPA — driver of the * cross-app "Open Portal Admin" entry in the user menu (gated on * `CapabilitiesService.canAccessAdmin`). Per ADR-0020 the two * SPAs live on distinct origins / cookies / sessions, so this is * a raw cross-origin `` jump, not an Angular route. * Per-env siblings override the host. */ adminAppUrl: 'http://localhost:4300', };