# Database
POSTGRES_PASSWORD=your_secure_password_here

# JWT
JWT_SECRET=your_jwt_secret_key_min_32_chars
JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=7d

# LLM Configuration
LLM_PROVIDER=openrouter
LLM_API_KEY=sk-or-v1-...
LLM_MODEL=openai/gpt-4o

# Embedding Configuration (Local HuggingFace by default)
EMBEDDING_PROVIDER=local
EMBEDDING_MODEL=Xenova/all-MiniLM-L6-v2
EMBEDDING_DIMENSION=384
EMBEDDING_DEVICE=cpu

# HuggingFace API (optional - if not using local embeddings)
# HUGGINGFACE_API_KEY=hf_...

# Keycloak (External) Configuration
# Enable Keycloak authentication
KEYCLOAK_ENABLED=false
KEYCLOAK_URL=http://your-keycloak-server:8080
KEYCLOAK_REALM=dreamchat
KEYCLOAK_CLIENT_ID=dreamchat-backend
KEYCLOAK_CLIENT_SECRET=your_keycloak_secret

# Keycloak Authorization Settings
# Require specific group/role/attribute for access
# Set at least one of these to enforce authorization checks

# Required Keycloak group (e.g., "dreamchat-users")
KEYCLOAK_REQUIRED_GROUP=

# Required Keycloak realm role (e.g., "dreamchat-access")
KEYCLOAK_REQUIRED_ROLE=

# Required Keycloak client role (e.g., "user")
KEYCLOAK_REQUIRED_CLIENT_ROLE=

# Required Keycloak user attribute (format: "attribute_name:attribute_value")
# Examples:
#   KEYCLOAK_REQUIRED_ATTRIBUTE=department:engineering
#   KEYCLOAK_REQUIRED_ATTRIBUTE=approved:true
KEYCLOAK_REQUIRED_ATTRIBUTE=

# Auto-create users on first Keycloak login
# If true, users will be automatically created in the database
# If false, only existing users can log in via Keycloak
KEYCLOAK_AUTO_CREATE_USER=true

# Default role for auto-created Keycloak users
KEYCLOAK_DEFAULT_USER_ROLE=USER