# =============================================================================
# ONEX Infrastructure Runtime - Environment Configuration
# =============================================================================
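# Copy this file to .env and customize for your environment.
# All values shown are defaults - uncomment and modify as needed.
# Some commented-out settings carry a trailing "# Range: ..." note. Remove that
# note when uncommenting unless your .env loader strips inline comments;
# otherwise the note can become part of the value.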
#
# ⚠️ SECURITY WARNING:
#   - ALL placeholder values (marked __REPLACE_WITH_*__ or <REPLACE_BEFORE_USE_*>)
#     MUST be changed
#   - NEVER use these placeholders in ANY environment (dev/staging/prod)
#   - Generate secure random passwords using: openssl rand -hex 32
#   - Keep .env file out of version control (already in .gitignore)
#   - Restrict read access to .env to the account that runs docker compose
#     (for example: chmod 600 .env)
#
# Usage:
#   cp .env.example .env
#   # Edit .env with your secure values (replace ALL __REPLACE_WITH_*__ and <REPLACE_BEFORE_USE_*> placeholders)
#   docker compose -f docker/docker-compose.infra.yml up -d              # Infrastructure only
#   docker compose -f docker/docker-compose.infra.yml --profile runtime up -d  # With runtime
# =============================================================================

# =============================================================================
# Runtime Version
# =============================================================================
# Version tag for container labels (used for tracking deployments)
# RUNTIME_VERSION=0.1.0

# =============================================================================
# Network Configuration
# =============================================================================
# Docker network name for inter-service communication.
# Must match the network created by omninode-bridge infrastructure.
# DOCKER_NETWORK=omninode-bridge-network

# =============================================================================
# Kafka / Redpanda Event Bus Configuration
# =============================================================================
# Bootstrap servers for Kafka/Redpanda connection.
# ⚠️ IMPORTANT: If omniclaude publishes to the remote broker
# (omninode-bridge-redpanda, i.e. 192.168.86.200 via /etc/hosts),
# you MUST set this to the same broker. Otherwise the runtime consumes from the
# local Docker Redpanda (redpanda:9092) while omniclaude publishes to the remote
# one — two separate brokers, messages never cross.
#
# Remote broker (shared with omniclaude — recommended for development):
# ⚠️  The hostname omninode-bridge-redpanda requires a /etc/hosts entry
#     resolving to 192.168.86.200. Without it you will get DNS resolution
#     failures at container startup.
#     Add to /etc/hosts:  192.168.86.200 omninode-bridge-redpanda
# ⚠️  Uncomment the line below ONLY after adding the /etc/hosts entry above.
#     New developers: copy .env.example to .env, then uncomment and verify
#     DNS resolution before starting containers.
# KAFKA_BOOTSTRAP_SERVERS=omninode-bridge-redpanda:9092
# Local broker (self-contained, no external dependencies):
# KAFKA_BOOTSTRAP_SERVERS=redpanda:9092

# =============================================================================
# PostgreSQL Database Configuration
# =============================================================================
# REQUIRED - SECURITY: Must be set explicitly, no default value allowed.
# The postgres container init script uses POSTGRES_PASSWORD to bootstrap the
# superuser. Generate a URI-safe password: openssl rand -hex 32
# NOTE: Use -hex (not -base64) because base64 output includes '/' and '+'
# which break URI parsing.
# NEVER use 'changeme' or similar weak passwords in any environment.
# This is the superuser credential: do not reuse it for the ROLE_*_PASSWORD
# values, and prefer the per-service roles for application connections.
# NOTE(review): if the init script only runs against an empty data volume,
# editing this value later will not change the existing superuser password -
# confirm the rotation procedure.
POSTGRES_PASSWORD=__REPLACE_WITH_SECURE_PASSWORD__

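# Per-service database URL used by the ONEX runtime inside Docker.
# The hostname "postgres" refers to the docker-compose service name.
# NOTE: .env files do NOT perform variable interpolation.
# This form connects as the postgres superuser, which suits local development;
# where a restricted role has been provisioned, prefer the role-based
# OMNIBASE_INFRA_DB_URL template (role_omnibase) in the per-service section.
# Set OMNIBASE_INFRA_DB_URL only once in this file.
# To use this, uncomment and replace YOUR_PASSWORD_HERE with the actual password:
# OMNIBASE_INFRA_DB_URL=postgresql://postgres:YOUR_PASSWORD_HERE@postgres:5432/omnibase_infra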

# =============================================================================
# Per-Service Database Roles (DB-SPLIT-05 / OMN-2056)
# =============================================================================
# Each service gets its own database and restricted role.
#
# Databases provisioned:
#   omnibase_infra       -> role_omnibase
#   omniintelligence     -> role_omniintelligence
#   omniclaude           -> role_omniclaude
#   omnimemory           -> role_omnimemory
#   omninode_cloud       -> role_omninode
#   omnidash_analytics   -> role_omnidash
#
# Uncomment and set each password to activate per-service role creation.
# Roles are only created when the corresponding password is set.
# Generate each with: openssl rand -hex 32
# ROLE_OMNIBASE_PASSWORD=
# ROLE_OMNICLAUDE_PASSWORD=
# ROLE_OMNIDASH_PASSWORD=
# ROLE_OMNIINTELLIGENCE_PASSWORD=
# ROLE_OMNIMEMORY_PASSWORD=
# ROLE_OMNINODE_PASSWORD=

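# Per-service DSN templates (for reference — used by each repo's own .env)
# Note: "postgres:5432" is the Docker Compose internal service name + port.
# From the host, use ${POSTGRES_HOST}:${POSTGRES_EXTERNAL_PORT} instead.
# The ${ROLE_*_PASSWORD} references mark where each role's password goes.
# Whether they are expanded depends on the tool that loads the target .env;
# where they are not, write the password literally, otherwise the DSN will
# carry the unexpanded text as its password.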
# OMNIBASE_INFRA_DB_URL=postgresql://role_omnibase:${ROLE_OMNIBASE_PASSWORD}@postgres:5432/omnibase_infra
# docker-compose.infra.yml provides a dev-mode default for OMNIINTELLIGENCE_DB_URL
# using the postgres superuser. For production, set ROLE_OMNIINTELLIGENCE_PASSWORD
# and uncomment the role-based DSN below. PluginIntelligence activates only when
# OMNIINTELLIGENCE_DB_URL is set to a non-empty value.
# OMNIINTELLIGENCE_DB_URL=postgresql://role_omniintelligence:${ROLE_OMNIINTELLIGENCE_PASSWORD}@postgres:5432/omniintelligence
# OMNICLAUDE_DB_URL=postgresql://role_omniclaude:${ROLE_OMNICLAUDE_PASSWORD}@postgres:5432/omniclaude
# OMNIMEMORY_DB_URL=postgresql://role_omnimemory:${ROLE_OMNIMEMORY_PASSWORD}@postgres:5432/omnimemory
# OMNINODE_CLOUD_DB_URL=postgresql://role_omninode:${ROLE_OMNINODE_PASSWORD}@postgres:5432/omninode_cloud
# OMNIDASH_ANALYTICS_DB_URL=postgresql://role_omnidash:${ROLE_OMNIDASH_PASSWORD}@postgres:5432/omnidash_analytics

# =============================================================================
# Consul Service Discovery Configuration
# =============================================================================
# Consul agent connection for service registration and discovery.
# CONSUL_HOST=omninode-bridge-consul
# CONSUL_PORT=8500
# CONSUL_SCHEME=http

# =============================================================================
# Infisical Secret Management Configuration (Optional)
# =============================================================================
# Infisical is used for secrets management when running with --profile secrets
# INFISICAL_ADDR=http://infisical:8080

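# Infisical site URL (for redirects). The same variable is listed again in the
# secrets-profile section of this file; set it in one place only.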
# INFISICAL_SITE_URL=http://localhost:8880

# =============================================================================
# Valkey Cache Configuration
# =============================================================================
# Valkey connection for caching and pub/sub operations.
# VALKEY_HOST=valkey

# Valkey password authentication (optional for local development)
# When set, enables password authentication for Valkey connections.
# Leave empty or commented for local development without authentication.
# VALKEY_EXTERNAL_PORT publishes Valkey on a host port, so set a password
# whenever that port can be reached from other machines.
# For production, generate a URI-safe password: openssl rand -hex 32
# VALKEY_PASSWORD=

# VALKEY_PORT=6379

# =============================================================================
# ONEX Runtime Configuration
# =============================================================================
# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
# ONEX_LOG_LEVEL=INFO

# Environment name: development, staging, production
# ONEX_ENVIRONMENT=development

# HTTP port for health check server inside the container.
# This is the internal port the runtime listens on (default: 8085).
# Note: RUNTIME_MAIN_PORT below maps this to the host.
# ONEX_HTTP_PORT=8085

# Host address to bind the health server to.
# Use 0.0.0.0 for Docker containers (allows external health checks).
# Use 127.0.0.1 for local development (restricts to localhost only).
# RUNTIME_BIND_HOST=0.0.0.0

# =============================================================================
# Main Runtime Service Configuration
# =============================================================================
# Host port mapping for the main runtime service
# RUNTIME_MAIN_PORT=8085

# Kafka topics for main runtime
# ONEX_INPUT_TOPIC=requests
# ONEX_OUTPUT_TOPIC=responses

# Consumer group ID for main runtime
# ONEX_GROUP_ID=onex-runtime-main

# =============================================================================
# Effects Runtime Service Configuration
# =============================================================================
# Host port mapping for the effects runtime service
# RUNTIME_EFFECTS_PORT=8086

# Kafka topics for effects runtime
# ONEX_EFFECTS_INPUT_TOPIC=effect-requests
# ONEX_EFFECTS_OUTPUT_TOPIC=effect-responses

# Consumer group ID for effects runtime
# ONEX_EFFECTS_GROUP_ID=onex-runtime-effects

# =============================================================================
# Worker Runtime Service Configuration
# =============================================================================
# Number of worker replicas (for horizontal scaling)
# WORKER_REPLICAS=2

# Kafka topics for worker runtime
# ONEX_WORKER_INPUT_TOPIC=worker-requests
# ONEX_WORKER_OUTPUT_TOPIC=worker-responses

# Consumer group ID for workers
# ONEX_WORKER_GROUP_ID=onex-runtime-workers

# =============================================================================
# ONEX Handler Configuration (Optional)
# =============================================================================
# HTTP handler settings for request/response processing.
# ONEX_HTTP_TIMEOUT=30.0                 # Range: 0.1-3600.0 seconds (default: 30.0)
# ONEX_HTTP_MAX_REQUEST_SIZE=10485760    # Range: 1-1073741824 bytes (default: 10MB)
# ONEX_HTTP_MAX_RESPONSE_SIZE=52428800   # Range: 1-1073741824 bytes (default: 50MB)

# Database handler settings for query execution.
# ONEX_DB_POOL_SIZE=5                    # Range: 1-100 (default: 5)
# ONEX_DB_TIMEOUT=30.0                   # Range: 0.1-3600.0 seconds (default: 30.0)

# =============================================================================
# Circuit Breaker Configuration (Optional)
# =============================================================================
# Global circuit breaker settings for external service integrations.
# These defaults can be overridden per-service (e.g., KAFKA_CIRCUIT_BREAKER_*).
#
# Maximum consecutive failures before opening circuit (default: 5)
# When reached, the circuit opens and fails fast without attempting calls.
# ONEX_CB_THRESHOLD=5                    # Range: 1+ (minimum 1)

# Seconds before automatic transition from OPEN to HALF_OPEN (default: 60.0)
# After this timeout, the circuit allows a test request through.
# ONEX_CB_RESET_TIMEOUT=60.0             # Range: 0+ seconds

# =============================================================================
# Idempotency Store Configuration (Optional)
# =============================================================================
# Settings for the idempotency store used to prevent duplicate processing.
# The store tracks processed event IDs with automatic cleanup of old records.
#
# Time-to-live for idempotency records in seconds (default: 86400 = 24 hours)
# Records older than this are eligible for cleanup.
# ONEX_IDEMPOTENCY_TTL_SECONDS=86400     # Range: 60-2592000 (1 min to 30 days)

# Interval between cleanup runs in seconds (default: 3600 = 1 hour)
# Controls how frequently the background cleanup task runs.
# ONEX_IDEMPOTENCY_CLEANUP_INTERVAL=3600 # Range: 60-86400 (1 min to 24 hours)

# Number of records to delete per cleanup batch (default: 10000)
# Limits memory and transaction size during cleanup operations.
# ONEX_IDEMPOTENCY_BATCH_SIZE=10000      # Range: 100-100000

# Connection pool settings for idempotency operations.
# ONEX_IDEMPOTENCY_POOL_MIN_SIZE=1       # Range: 1-100 (min connections)
# ONEX_IDEMPOTENCY_POOL_MAX_SIZE=5       # Range: 1-100 (max connections)
# ONEX_IDEMPOTENCY_COMMAND_TIMEOUT=30.0  # Range: 1.0-300.0 seconds

# Clock skew tolerance in seconds (default: 60)
# Buffer added to TTL during cleanup to prevent premature deletion.
# ONEX_IDEMPOTENCY_CLOCK_SKEW_TOLERANCE=60  # Range: 0-3600 (0 to 1 hour)

# Maximum cleanup iterations (default: 100)
# ONEX_IDEMPOTENCY_CLEANUP_MAX_ITERATIONS=100  # Range: 1-1000

# =============================================================================
# Compute Registry Configuration (Optional)
# =============================================================================
# Semver LRU cache size for plugin version resolution.
# Increase for large deployments with many unique version strings.
# ONEX_COMPUTE_REGISTRY_CACHE_SIZE=128   # Range: 1-10000 (default: 128)

# =============================================================================
# OpenTelemetry Observability Configuration (Optional)
# =============================================================================
# OTLP exporter endpoint for traces and metrics
# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317

# Service name for tracing identification
# OTEL_SERVICE_NAME=omninode-runtime

# Exporter types: otlp, console, none
# OTEL_TRACES_EXPORTER=otlp
# OTEL_METRICS_EXPORTER=otlp

# =============================================================================
# Agent Actions Consumer Configuration (Observability Profile)
# =============================================================================
# The agent actions consumer is part of the observability profile. It consumes
# agent action events from Kafka and persists them to PostgreSQL for traceability.
#
# Host port mapping for the agent actions consumer health check endpoint
# AGENT_ACTIONS_CONSUMER_PORT=8087

# Batch size for database inserts (messages buffered before insert)
# Range: 1-1000
# Default: 100
# Example: 100 (balanced), 50 (low latency), 500 (high throughput)
# AGENT_ACTIONS_BATCH_SIZE=100

# Batch timeout in milliseconds (max wait before flushing partial batch)
# Range: 100-60000
# Default: 1000 (1 second)
# Example: 1000 (balanced), 500 (low latency), 5000 (high throughput)
# AGENT_ACTIONS_BATCH_TIMEOUT_MS=1000

# =============================================================================
# Infrastructure Compose Configuration (docker-compose.infra.yml)
# =============================================================================
# These settings control the infrastructure services (postgres, redpanda, valkey).
# Use docker-compose.infra.yml to start infrastructure locally instead of
# connecting to remote 192.168.86.200.

# External port mappings for infrastructure services
# These map host ports to internal container ports
# POSTGRES_EXTERNAL_PORT=5436
# REDPANDA_EXTERNAL_PORT=29092
# REDPANDA_PANDAPROXY_PORT=18082
# REDPANDA_SCHEMA_REGISTRY_PORT=18081
# VALKEY_EXTERNAL_PORT=16379
# CONSUL_EXTERNAL_PORT=28500
# INFISICAL_EXTERNAL_PORT=8880

# =============================================================================
# Infisical Secrets Management Configuration (secrets profile)
# =============================================================================
# Infisical is an open-source secrets management platform.
# Enable with: docker compose -f docker-compose.infra.yml --profile secrets up -d
#
# ⚠️ SECURITY WARNING:
#   - These values are required only when using the 'secrets' or 'full' profile
#   - Generate secure values before deployment
#   - NEVER use placeholder values in any environment

# REQUIRED for secrets profile - Infisical encryption key (hex-encoded)
# Infisical accepts either:
#   - 16 bytes (128-bit AES): 32 hex characters, generate with: openssl rand -hex 16
#   - 32 bytes (256-bit AES): 64 hex characters, generate with: openssl rand -hex 32
# Recommended: Use 256-bit (openssl rand -hex 32) for strongest encryption.
# This placeholder uses the <REPLACE_BEFORE_USE_*> form, not __REPLACE_WITH_*__;
# search for both forms when checking a .env for unreplaced placeholders.
# The placeholder is not valid hex, so it cannot serve as a real key.
# NOTE(review): changing or losing this key presumably leaves already-stored
# secrets undecryptable - confirm against the Infisical docs and keep a backup
# of the generated value outside this file.
INFISICAL_ENCRYPTION_KEY=<REPLACE_BEFORE_USE_openssl_rand_hex_32>

# REQUIRED for secrets profile - JWT signing secret
# Generate with: openssl rand -hex 32
# Generate it separately from INFISICAL_ENCRYPTION_KEY; do not reuse one value
# for both settings.
# This placeholder uses the <REPLACE_BEFORE_USE_*> form, not __REPLACE_WITH_*__;
# search for both forms when checking a .env for unreplaced placeholders.
# NOTE(review): rotating this secret presumably invalidates tokens that were
# already issued - confirm before changing it on a running deployment.
INFISICAL_AUTH_SECRET=<REPLACE_BEFORE_USE_openssl_rand_hex_32>

# Site URL for Infisical web interface
# Default is localhost over plain http; for production deployments set this to
# the https URL that users actually reach.
# INFISICAL_SITE_URL=http://localhost:8880

# Redis URL for Infisical connection to Valkey
# Default: redis://valkey:6379 (no password)
# When VALKEY_PASSWORD is set, replace YOUR_PASSWORD below with the actual value
# (Docker .env files do not support nested variable expansion like ${VALKEY_PASSWORD})
# The password then lives in two settings; update both when rotating it.
# INFISICAL_REDIS_URL=redis://:YOUR_PASSWORD@valkey:6379
