# Datenbank (PostgreSQL via PgBouncer)
DATABASE_URI=postgresql://payload:YOUR_PASSWORD@127.0.0.1:6432/payload_db
PAYLOAD_SECRET=YOUR_SECRET_HERE
PAYLOAD_PUBLIC_SERVER_URL=http://localhost:3000
NEXT_PUBLIC_SERVER_URL=http://localhost:3000
NODE_ENV=development
PORT=3000

# E-Mail (Global Fallback)
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=user@example.com
SMTP_PASS=your-password
SMTP_FROM_ADDRESS=noreply@example.com
SMTP_FROM_NAME=Payload CMS

# Redis Cache (optional, In-Memory-Fallback)
REDIS_URL=redis://localhost:6379

# Security
CSRF_SECRET=your-csrf-secret
TRUST_PROXY=true
BLOCKED_IPS=
SEND_EMAIL_ALLOWED_IPS=
GENERATE_PDF_ALLOWED_IPS=
ADMIN_ALLOWED_IPS=
WEBHOOK_ALLOWED_IPS=

# YouTube OAuth (optional)
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
YOUTUBE_REDIRECT_URI=http://localhost:3000/api/youtube/callback

# Meta OAuth (optional)
META_APP_ID=your-app-id
META_APP_SECRET=your-app-secret
META_REDIRECT_URI=http://localhost:3000/api/auth/meta/callback

# Cron Jobs (required in production)
CRON_SECRET=your-64-char-hex
CRON_LOCK_TTL_MS=600000
CRON_IDEMPOTENCY_TTL_MS=900000

# PDF Security
PDF_ALLOWED_HOSTS=example.com,.example.com
# Nur in non-production und nur falls zwingend notwendig aktivieren:
PDF_ALLOW_HTTP_URLS=false

# Scheduler
# In Production standardmäßig deaktiviert, um Doppel-Ausführungen in Multi-Instance-Deployments zu vermeiden
ENABLE_IN_PROCESS_SCHEDULER=false
SCHEDULER_MODE=external

# Security Observability
SECURITY_METRICS_WINDOW_MS=300000
SECURITY_ALERT_COOLDOWN_MS=900000
SECURITY_ALERT_THRESHOLD_DEFAULT=25
SECURITY_ALERT_THRESHOLD_CRON_AUTH_REJECTED=10
SECURITY_ALERT_THRESHOLD_PDF_SSRF_BLOCKED=5
SECURITY_ALERT_THRESHOLD_RATE_LIMIT_BLOCKED=50

# Secret Lifecycle Monitoring
SECRET_EXPIRY_WARNING_DAYS=14
SECRET_ROTATION_MAX_DAYS=90
PAYLOAD_SECRET_ROTATED_AT=2026-02-01T00:00:00Z
PAYLOAD_SECRET_EXPIRES_AT=2026-08-01T00:00:00Z
CRON_SECRET_ROTATED_AT=2026-02-01T00:00:00Z
CRON_SECRET_EXPIRES_AT=2026-08-01T00:00:00Z

# Tests
EMAIL_DELIVERY_DISABLED=false