.env.example

# Supabase
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key

# GitHub
GITHUB_APP_ID=123456
GITHUB_APP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
GITHUB_APP_INSTALLATION_ID=12345678
GITHUB_API_BASE_URL=https://api.github.com
GITHUB_ORG=craft-templates

# Vercel
VERCEL_TOKEN=xxxxxxxxxxxxx
VERCEL_TEAM_ID=team_xxxxxxxxxxxxx

# Stripe
STRIPE_PUBLIC_KEY=pk_test_xxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_test_xxxxxxxxxxxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxx

# Pricing (Price IDs from Stripe)
# These map directly to the pro and enterprise subscription tiers.
# Required at runtime — the app will throw on startup if either is missing.
# Set SKIP_PRICING_VALIDATION=true in .env.local to bypass during local dev.
NEXT_PUBLIC_STRIPE_PRICE_FREE=price_xxxxxxxxxxxxx
NEXT_PUBLIC_STRIPE_PRICE_PRO=price_xxxxxxxxxxxxx
NEXT_PUBLIC_STRIPE_PRICE_ENTERPRISE=price_xxxxxxxxxxxxx

# Set to "true" to skip Stripe pricing env validation at startup (local dev / CI only).
SKIP_PRICING_VALIDATION=false

# App
NEXT_PUBLIC_APP_URL=http://localhost:3000

# Rate Limiting
# Set to "true" in local development or CI to bypass auth rate limiting.
# Never set this in production.
RATE_LIMIT_DISABLED=false

# CORS
# Comma-separated list of allowed origins for cross-origin API requests.
# Example: ALLOWED_ORIGINS=https://craft.app,https://www.craft.app
# In development, http://localhost:3000 is always allowed regardless of this value.
# Webhook routes (/api/webhooks/*) are not affected by this setting.
ALLOWED_ORIGINS=https://craft.app

# Field-level encryption
# 64-character hex string (32 bytes) used to encrypt sensitive database columns.
# Generate: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# See docs/field-encryption.md for key rotation procedure.
FIELD_ENCRYPTION_KEY=your_64_char_hex_key_here