# AZ-688: dev-only environment for the Jetson e2e harness.
# Jetson-only test policy (2026-05-20) — see _docs/LESSONS.md.
#
# Copy this file to `.env.test` and customize. NEVER commit `.env.test`
# (gitignored). Sourced by `scripts/run-tests-jetson.sh` before
# `docker compose up`.

# Suite JWT contract — see ../_docs/10_auth.md. The same secret signs the
# dev JWT (AZ-690) and validates it at the satellite-provider boundary.
# MUST be ≥ 32 bytes UTF-8. Generate a fresh value with:
#   openssl rand -hex 32
JWT_SECRET=DEV-ONLY-REPLACE-WITH-OPENSSL-RAND-HEX-32-OUTPUT-XXXXXXX

# JWT issuer / audience claims. Dev-only values that ONLY validate against
# the dev secret above. Production deploys MUST use real values provided
# by the admin team (the admin API stamps `iss`; satellite-provider
# validates `aud`).
JWT_ISSUER=DEV-ONLY-iss-admin-azaion-local
JWT_AUDIENCE=DEV-ONLY-aud-satellite-provider

# Google Maps Platform key. Left empty: AZ-689 seeds local fixture tiles
# instead, so the hermetic Derkachi e2e flow never calls GoogleMaps. If
# you need to exercise the real GMaps tile-download path, set this to a
# valid key.
GOOGLE_MAPS_API_KEY=

# AZ-777: Bearer token C11 sends to satellite-provider as
# `Authorization: Bearer `. The token is a JWT signed with
# JWT_SECRET above and stamped with the same iss/aud the provider
# validates. Mint a dev token with:
#   python scripts/mint_dev_jwt.py
# Production deploys retrieve this from the admin API and rotate per
# operator session — never commit a real one.
SATELLITE_PROVIDER_API_KEY=PASTE-MINTED-JWT-HERE

# SECURITY: development-only TLS bypass for the parent-suite
# satellite-provider self-signed dev cert. The compose env block sets
# SATELLITE_PROVIDER_TLS_INSECURE=1 — it stays inside the Jetson e2e
# harness, never in production. Production deploys MUST use a real
# CA-issued cert (or your own internal CA) and leave this unset (or
# set to "0"). C11 logs a single WARNING at startup whenever the
# insecure flag is active so the operator can audit it.