# Mistral API key — server-only, never exposed to the browser.
MISTRAL_KEY=

# Port the Express server binds to.
PORT=3001

# Comma-separated CORS whitelist. Empty/missing = deny all browser origins.
ALLOWED_ORIGINS=http://localhost:5173

# 'development' enables ?debug=1; 'production' strips _debug unconditionally.
NODE_ENV=development

# SSRF guard. Set to 1 ONLY in local dev if you want to scan localhost services.
ALLOW_PRIVATE_HOSTS=0

# Required for /admin to function. Leave empty to disable admin endpoints entirely.
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
ADMIN_TOKEN=

# Monitoring providers — optional. When a key is missing, that provider
# transparently falls back to the deterministic `mock` provider, labelled
# e.g. "openai (mock)" in the UI. Zero-key dev works end-to-end.
OPENAI_KEY=
PERPLEXITY_KEY=
ANTHROPIC_KEY=

# SQLite path. Defaults to server/data/visigine.db. Override for tests:
#   DB_PATH=/tmp/visigine-test.db
DB_PATH=