# Environment Strategy

## Environments

| Environment | Purpose | Infrastructure | Data |
|-------------|---------|---------------|------|
| Development | Local developer workflow | docker-compose with mock services | Mock Loader serves test ONNX model; mock Annotations accepts all requests |
| Staging | Pre-production validation | Mirrors production topology (Docker or K8s) | Real Loader with test model; real Annotations with test database |
| Production | Live system | Docker with GPU (TensorRT) + reverse proxy | Real Loader, real Annotations, production model |

## Environment Variable Management

| Source | Environment | Method |
|--------|-------------|--------|
| `.env` file | Development | Loaded by docker-compose; git-ignored |
| `.env.example` | All | Template committed to VCS (no secrets) |
| Secret manager | Staging/Production | Inject via deployment scripts or K8s secrets |

All required variables are listed in `.env.example`. The application fails fast on missing `classes.json` (startup crash) but uses safe defaults for all other variables.

## Secrets Management

| Secret | Development | Staging | Production |
|--------|-------------|---------|------------|
| Container registry credentials | Local registry or none | CI/CD secret | CI/CD secret |
| SSH deploy key | N/A | CI/CD secret | CI/CD secret |
| Bearer tokens | Test tokens from mock | Real auth service | Real auth service |

**Rotation policy**: Registry credentials and deploy keys should be rotated every 90 days. Bearer tokens are per-request (no stored credentials in the service).

**No secrets stored by the service**: Detections is stateless — tokens come from client HTTP headers and are forwarded to the Annotations service. No database credentials, API keys, or encryption keys are needed.

## Configuration Per Environment

| Config | Development | Staging | Production |
|--------|-------------|---------|------------|
| LOADER_URL | http://mock-loader:8080 | http://loader:8080 | http://loader:8080 |
| ANNOTATIONS_URL | http://mock-annotations:8081 | http://annotations:8080 | http://annotations:8080 |
| GPU | Not required (ONNX CPU) | Optional | Required (TensorRT) |
| Log level | DEBUG (stdout) | INFO (file + stdout) | INFO (file) |
| TLS | None | Reverse proxy | Reverse proxy |
| Rate limiting | None | Reverse proxy (optional) | Reverse proxy (required) |
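
The two rules above that are easy to break silently are "`.env.example` carries no secrets" and "staging and production do not keep development values". The following pre-deploy check for both is an added example, not code from this project. The variable names `LOG_LEVEL`, `REGISTRY_PASSWORD` and `DEPLOY_TOKEN`, the key-name heuristic and the placeholder patterns are assumptions; the sample template is constructed.

```python
import re

# Heuristic key-name fragments that suggest a credential (assumption).
SECRET_HINT = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
# Values accepted as harmless placeholders in a committed template (assumption).
PLACEHOLDER = re.compile(r"^(|changeme|<[^>]*>|\$\{[^}]*\})$", re.I)

# Constructed sample, not the project's real .env.example.
# REGISTRY_PASSWORD, DEPLOY_TOKEN and LOG_LEVEL are hypothetical variable names.
SAMPLE_TEMPLATE = """\
# development defaults
LOADER_URL=http://mock-loader:8080
export ANNOTATIONS_URL="http://mock-annotations:8081"
LOG_LEVEL=DEBUG
REGISTRY_PASSWORD=constructed-not-a-real-secret
DEPLOY_TOKEN=<set-in-secret-manager>
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        env[key] = value.strip().strip("'\"")
    return env


def audit_template(text):
    """Secret-looking keys in the committed template that carry a real value."""
    return sorted(k for k, v in parse_dotenv(text).items()
                  if SECRET_HINT.search(k) and not PLACEHOLDER.match(v))


def audit_environment(name, env):
    """Development-only settings found in a staging or production config."""
    if name == "development":
        return []
    findings = [f"{k} points at a mock service"
                for k in ("LOADER_URL", "ANNOTATIONS_URL") if "mock-" in env.get(k, "")]
    if env.get("LOG_LEVEL", "INFO").upper() == "DEBUG":
        findings.append("LOG_LEVEL is DEBUG")
    return findings
```

Run `audit_template` on `.env.example` in CI and `audit_environment` on the rendered staging or production variables before deployment, failing the job when either returns a non-empty list.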