# Local development config example (safe to commit).
# Copy it to a local-only file (do NOT commit that copy):
#   cp etc/gateway.dev.example.yaml etc/gateway.dev.yaml
# Then adjust Port, Mongo, Redis and the SMTP/SES/Mitake credentials for
# your local environment.
#
# NOTE(review): the nesting below was reconstructed from a flattened copy of
# this file; confirm each section's parent against the gateway's config
# struct before relying on it.
# NOTE(review): every secret in this file is public by virtue of being
# committed. Real credentials belong only in the uncommitted copy or in
# environment variables.

Name: gateway
# 0.0.0.0 listens on every interface. Together with the published
# placeholder secrets under Member.TOTP and Auth, this exposes a dev
# instance to anyone who can reach the port; prefer 127.0.0.1 on shared
# networks.
Host: 0.0.0.0
Port: 8888

# No credentials are set here and TLS is off: acceptable for a loopback
# database only.
Mongo:
  Schema: mongodb
  Host: 127.0.0.1
  Port: 27017
  Database: gateway
  AuthSource: ""
  ReplicaName: ""
  TLS: false
  MaxPoolSize: 30
  MinPoolSize: 10
  MaxConnIdleTime: 30m

# No password key appears in this section; keep the instance on localhost.
Redis:
  Host: localhost:6379
  Type: node

Notification:
  DefaultLocale: zh-tw
  Email:
    # "mock" with both SMTP and SES disabled: presumably no real mail is
    # sent in this configuration (confirm in the provider code).
    Provider: mock
    From: noreply@example.com
    SMTP:
      Enable: false
      Sort: 1
      Host: localhost
      Port: 1025
      Username: ""
      Password: ""
    SES:
      Enable: false
      Sort: 2
      Region: ap-northeast-1
      # Leave these empty in the committed example; cloud keys go only in
      # the uncommitted copy or the environment.
      AccessKey: ""
      SecretKey: ""
      SessionToken: ""
  SMS:
    Provider: mock
    Mitake:
      Enable: false
      Sort: 1
      User: ""
      Password: ""
  Async:
    QueueRedisKey: notification:queue
    Worker: 2
    MaxRetry: 5
    # Five entries, matching MaxRetry; presumably one delay per retry.
    BackoffSeconds: [1, 5, 30, 300, 1800]
  # Per-tenant send caps; the time unit is not stated here. TODO confirm.
  RatePerTenant:
    Email: 100
    SMS: 50

Member:
  # One-time code policy. The attempt, cooldown and daily limits are what
  # bound guessing of a 6-digit code, so tighten rather than relax them.
  OTP:
    Length: 6
    TTLSeconds: 300
    MaxAttempts: 5
    ResendCooldownSeconds: 60
    DailyVerifyLimit: 10
  TOTP:
    Issuer: CloudEP
    # SHA1 / 6 digits / 30 s are the RFC 6238 defaults that authenticator
    # apps generally expect.
    Algorithm: SHA1
    Digits: 6
    PeriodSeconds: 30
    # Presumably the number of adjacent periods accepted on each side of
    # the current one. TODO confirm.
    Window: 1
    BackupCodeCount: 10
    BackupCodeLength: 12
    EnrollTTLSeconds: 600
    # NOTE(review): 90 s equals (2 * Window + 1) * PeriodSeconds, so this
    # looks sized to cover the whole acceptance window. If Window or
    # PeriodSeconds grows, raise this too, or a code may be replayable.
    # Confirm.
    ReplayTTLSeconds: 90
    # 32-byte key encoded as hex (64 chars) or base64; leave empty to disable TOTP.
    # Dev-only placeholder for local totp-test; replace in production.
    # This value is a public, patterned key: anything encrypted under it is
    # readable by anyone with the repository. Generate your own for the
    # local copy, e.g. `openssl rand -hex 32`.
    SecretKEK: "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
  Registration:
    RequireInviteCode: true
    # NOTE(review): presumably accepts the social provider's "email
    # verified" claim without re-verifying. Only sound for providers that
    # prove mailbox ownership; confirm which IdPs this applies to.
    TrustSocialEmailVerified: true

Auth:
  # Presumably seconds: 900 = 15 minutes, 604800 = 7 days. TODO confirm.
  AccessExpire: 900
  RefreshExpire: 604800
  ActiveKID: v1
  # Dev-only placeholders; override via env JWT_ACCESS_SECRET / JWT_REFRESH_SECRET in production.
  # NOTE(review): these strings are public. A deployment that still uses
  # them lets anyone forge tokens, so consider a startup check that
  # rejects them outside dev.
  AccessSecret: "dev-access-secret-32-bytes-min!!"
  RefreshSecret: "dev-refresh-secret-32-bytes-min!"
  RegistrationSessionTTLSeconds: 600

# ZITADEL identity backend (auth register/login — PR 1+)
# ServiceUserToken: export ZITADEL_SERVICE_TOKEN=...
# OAuthClientSecret: export ZITADEL_OAUTH_CLIENT_SECRET=...
# NOTE(review): no env override is listed above for GoogleClientSecret;
# keep it out of committed files as well.
Zitadel:
  Issuer: ""  # e.g. https://zitadel.example.com
  ServiceUserToken: ""
  DefaultOrgID: ""
  OAuthClientID: ""
  OAuthClientSecret: ""
  GoogleClientID: ""
  GoogleClientSecret: ""
  GoogleIdPID: ""
  JWKSUrl: ""
  TimeoutSeconds: 15