# Variables publiques (exposées au client)
NEXT_PUBLIC_SITE_URL=https://your-domain.com
NEXT_PUBLIC_API_BASE=https://your-api-gateway.amazonaws.com/default
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key

# Variables privées (serveur uniquement)
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
SUPABASE_URL=https://your-project.supabase.co
AWS_REGION=eu-west-3
AWS_SES_FROM="Your App <noreply@yourapp.com>"

# PDFMonkey Configuration
PDFMONKEY_URL=https://api.pdfmonkey.io/api/v1/documents
PDFMONKEY_API_KEY=your-pdfmonkey-api-key

# AWS S3 Configuration pour upload PDF
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_REGION=eu-west-3
AWS_ACCESS_KEY_ID=your-access-key
AWS_SECRET_ACCESS_KEY=your-secret-key
STRUCTURE_API_TOKEN=your-api-token
UPSTREAM_API_BASE=https://your-api-gateway.amazonaws.com/default
UPSTREAM_API_PREFIX=

# DocuSeal direct API (recommended)
DOCUSEAL_API_BASE=https://api.docuseal.com
DOCUSEAL_TOKEN=your-docuseal-token

# Optional: DocuSeal proxy via Lambda/API Gateway (fallback)
DOCUSEAL_PROXY_BASE=https://your-api-gateway.amazonaws.com/default/docuseal

# Development only
AUTH_BYPASS=0
DEBUG_UPSTREAM=0

# Lambda API Authentication
# Used by AWS Lambda to authenticate API calls to Espace Paie
# Generate with: openssl rand -hex 32
LAMBDA_API_KEY=your-lambda-api-key-64-chars-hex

# Lambda Functions URLs
LAMBDA_PDF_TO_IMAGES_URL=https://your-lambda-url.lambda-url.eu-west-3.on.aws/

# Odentas Sign - Lambda PAdES Seal
# Lambda pour sceller les PDFs avec signature électronique qualifiée (PAdES)
LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/

# Odentas Sign - Lambda TSA Timestamp
# Lambda pour horodater les documents signés (RFC 3161)
LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/

# Odentas Sign - KMS Key ID
# Clé KMS AWS pour chiffrer les signatures
KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19

# Odentas Sign - TSA Timestamp Authority
# URL du serveur d'horodatage (Sectigo par défaut)
TSA_URL=https://timestamp.sectigo.com