# CodePark v2.0.0 - Production Environment Configuration
# Date: December 20, 2025
#
# SECURITY: DO NOT STORE ACTUAL SECRETS IN THIS FILE
# NEVER COMMIT THIS FILE WITH REAL SECRETS
#
# This file holds only non-secret settings plus ${VAR} placeholders for the
# secret ones. All secrets are injected at deployment time via:
# - GitHub Secrets (CI/CD)
# - Kubernetes Secrets (Container Orchestration)
# - AWS Secrets Manager (AWS Deployments)
# - Environment variables in production environment
#
# NOTE(review): ${VAR} placeholders are NOT expanded by every dotenv loader
# (the Node `dotenv` package, for example, needs `dotenv-expand`). With a
# non-expanding loader the literal text "${MONGODB_URI}" becomes the value
# unless the real variable is already in the process environment and the
# loader lets the environment win. Confirm which loader the app uses and
# make startup fail fast if any required secret is empty or still contains
# a "${" placeholder.

# Application
NODE_ENV=production
PORT=3000
# Binds every interface; expected in a container, but make sure a network
# policy / security group limits who can reach PORT.
HOST=0.0.0.0

# Logging (production-grade)
LOG_LEVEL=warn
LOG_BUFFER_SIZE=5000
# The log directory should be owned by the service user with restrictive
# permissions; logs at this level may still contain request data.
LOG_FILE=/var/log/codepark/app.log
LOG_FILE_MAX_SIZE=52428800
LOG_FILE_MAX_FILES=30
LOG_HTTP_ENDPOINT=https://logs.example.com/api/logs
# Bearer token for the log sink. LOG_API_KEY is never defined in this file;
# it must be injected (see secrets notes below). The value is a JSON object
# that is not wrapped in quotes as a whole, so most dotenv parsers keep the
# inner quotes — verify with the loader in use. Never log this header.
LOG_HTTP_HEADERS={"Authorization":"Bearer ${LOG_API_KEY}"}

# CORS Configuration (production)
# Exact-match allow list, no wildcards. Keep it that way.
CORS_ORIGINS=https://example.com,https://www.example.com,https://api.example.com

# Database (production cluster)
# INJECTED VIA SECRETS MANAGER - NEVER HARDCODE
# Kubernetes: kubectl create secret generic codepark-secrets --from-literal=MONGODB_URI=...
# GitHub Actions: ${{ secrets.PROD_MONGODB_URI }}
# AWS Secrets Manager: codepark/production
MONGODB_URI=${MONGODB_URI}

# Redis (production cluster)
REDIS_HOST=redis-prod.example.com
# 6380 with REDIS_TLS=true: the connection is TLS; confirm the client also
# verifies the server certificate rather than only encrypting.
REDIS_PORT=6380
REDIS_PASSWORD=${REDIS_PASSWORD}
REDIS_DB=0
REDIS_TLS=true

# IP Whitelisting (production)
# NOTE(review): if the app sits behind a load balancer or ingress, the peer
# address it sees is the proxy's (probably inside 10.0.0.0/8), so this list
# admits everyone or no one unless the client IP is taken from a forwarded
# header that is trusted ONLY from the proxy. Trusting X-Forwarded-For from
# arbitrary peers lets any client spoof a 10.x address. Confirm how the app
# resolves the client IP before relying on this.
IP_WHITELIST_MODE=whitelist
IP_WHITELIST=10.0.0.0/8
# Per-IP request cap; the time window is presumably set in code — verify.
MAX_REQUESTS_PER_IP=1000

# Caching (aggressive production settings)
CACHE_TTL=600000
CACHE_MAX_SIZE=50000
CACHE_BACKEND=redis

# Compression (maximum compression)
# Compressing dynamic responses that mix secrets (session/CSRF tokens) with
# attacker-controlled input is the precondition for BREACH-style attacks;
# confirm compression is scoped to public content or tokens are masked
# per request. Level 9 is also the most CPU-expensive setting.
COMPRESSION_LEVEL=9
COMPRESSION_MIN_SIZE=512

# Health Check
HEALTH_CHECK_TIMEOUT=5000
HEALTH_CHECK_THRESHOLD=3

# API Keys (INJECTED VIA SECRETS MANAGER)
API_KEY_PRODUCTION=${API_KEY_PRODUCTION}

# Feature Flags (all enabled in production)
FEATURE_RATE_LIMITING=true
FEATURE_CACHING=true
FEATURE_COMPRESSION=true
FEATURE_HEALTH_CHECKS=true

# Security
SECURE_COOKIES=true
# NOTE(review): these two keys break the UPPER_SNAKE_CASE convention used by
# every other setting. If the config loader actually reads HSTS_MAX_AGE /
# HSTS_INCLUDE_SUBDOMAINS, these lines are silently ignored and HSTS is off
# in production — check the loader. HSTS is only effective if TLS terminates
# at the app; if it terminates at the load balancer, set the header there.
HSTSMaxAge=31536000
HSTSIncludeSubDomains=true

# Monitoring
# No credential is configured for the push endpoint here; if it needs one,
# inject it like LOG_API_KEY rather than embedding it in the URL.
METRICS_ENDPOINT=https://prometheus.example.com/push
ALERT_EMAIL=alerts@example.com

# Performance
# NOTE(review): the node binary reads NODE_OPTIONS at process start. This
# line takes effect only if the file is exported into the environment before
# node launches; a dotenv loader running inside the process is too late.
NODE_OPTIONS=--max-old-space-size=2048

# No debug in production (empty DEBUG disables the `debug` package output,
# assuming that is what reads it)
DEBUG=

# ================================
# ⚠️ CRITICAL SECURITY NOTES
# ================================
#
# 1. NEVER hardcode secrets in this file
# 2. NEVER commit actual passwords, keys, or tokens
# 3. ALL secrets MUST be injected at deployment time
#
# 4. HOW TO SET PRODUCTION SECRETS:
#
#    The variable names consumed above are MONGODB_URI, REDIS_PASSWORD,
#    LOG_API_KEY and API_KEY_PRODUCTION. The secret store names below differ
#    (PROD_* prefix, PROD_API_KEY vs API_KEY_PRODUCTION); every injection
#    path must map each store entry to the exact consumed name.
#
# Option A: GitHub Actions (RECOMMENDED)
# ---
#   1. Go to: Repository Settings → Secrets and Variables → Actions
#   2. Create secrets:
#      - PROD_MONGODB_URI
#      - PROD_REDIS_PASSWORD
#      - PROD_LOG_API_KEY
#      - PROD_API_KEY
#   3. In the deploy job, expose each secret as a step env var and write it
#      with printf — a value containing quotes, $ or backslashes would break
#      the `echo "KEY=${{ secrets.X }}"` form, and expanding ${{ }} directly
#      inside `run:` is script injection if the value is ever attacker
#      influenced:
#        env:
#          MONGODB_URI: ${{ secrets.PROD_MONGODB_URI }}
#        run: printf 'MONGODB_URI=%s\n' "$MONGODB_URI" >> .env.production
#      Once written to disk the file is only as protected as the runner
#      workspace: keep it out of the Docker build context, never upload it
#      as an artifact, and never `cat` it in a debug step. Prefer passing the
#      values straight to the deploy target as environment variables.
#
# Option B: Kubernetes Secrets
# ---
#   1. Create the secret. `--from-literal` puts the value into shell history
#      and `ps` output; prefer `--from-env-file=<0600 file>` (delete the file
#      afterwards) or an external/sealed secrets operator:
#        kubectl create secret generic codepark-prod-secrets \
#          --from-literal=MONGODB_URI="..." \
#          --from-literal=REDIS_PASSWORD="..." \
#          -n production
#      Secrets are base64, not encrypted, unless etcd encryption at rest is
#      enabled; restrict `get secret` RBAC in the namespace.
#   2. In deployment.yaml, reference:
#        envFrom:
#          - secretRef:
#              name: codepark-prod-secrets
#
# Option C: AWS Secrets Manager
# ---
#   1. Create the secret. Pass the payload from a file rather than inline so
#      it does not land in shell history:
#        aws secretsmanager create-secret \
#          --name codepark/production \
#          --secret-string file://secrets.json   # then shred the file
#   2. Application reads: getSecret('codepark/production')
#      Scope the task/instance role to secretsmanager:GetSecretValue on this
#      secret's ARN only.
#
# Option D: Environment Variables
# ---
#   1. Set on production server:
#        export MONGODB_URI="mongodb+srv://..."
#        export REDIS_PASSWORD="..."
#      Typed into an interactive shell these land in history; environment
#      variables are also readable from /proc/<pid>/environ by the same user
#      and root and are inherited by every child process. Prefer a 0600
#      EnvironmentFile= (or LoadCredential=) in the service unit.
#   2. Application reads from process.env
#
# 5. VERIFICATION
#    The greps below catch only the exact patterns they name
#    ("mongodb+srv://" misses "mongodb://", "password:" misses "PASSWORD=");
#    treat them as a quick check, not the control.
#    - Grep repository: grep -r "mongodb+srv://" .
#    - Grep for passwords: grep -r "password:" .
#    - Scan with git-secrets: git-secrets --scan
#    - Scan history too, not just the working tree: git-secrets --scan-history
#    - Run a secret scanner (e.g. gitleaks or trufflehog) as a pre-commit hook
#      and in CI so a leaked value is caught before it is pushed.
#
# ================================