spring:
  application:
    name: devslab-kit-sample-app

  # Connect to the same Postgres / Redis that
  # devslab-kit-admin-ui's docker-compose stands up by default. Override the
  # DEVSLAB_* env vars when you need to point elsewhere (CI, staging, etc).
  datasource:
    url: ${DEVSLAB_DATASOURCE_URL:jdbc:postgresql://localhost:5432/devslab_kit}
    username: ${DEVSLAB_DATASOURCE_USERNAME:devslab}
    password: ${DEVSLAB_DATASOURCE_PASSWORD:devslab}
  data:
    redis:
      host: ${DEVSLAB_REDIS_HOST:localhost}
      port: ${DEVSLAB_REDIS_PORT:6379}

  jpa:
    open-in-view: false

devslab:
  kit:
    tenant:
      enabled: true
      mode: single
      default-tenant-id: default
      resolver: fixed

    identity:
      jwt:
        # 32+ byte key required by jjwt HS256. Override in prod via
        # DEVSLAB_JWT_SECRET — the default below is sufficient for local
        # development and the integration test setup, NOT for production.
        secret: ${DEVSLAB_JWT_SECRET:dev-only-32byte-jwt-key-please-override!}
        issuer: ${DEVSLAB_JWT_ISSUER:devslab-kit-sample}
        ttl: ${DEVSLAB_JWT_TTL:PT8H}

    audit:
      enabled: true
      async-queue-capacity: ${DEVSLAB_AUDIT_QUEUE:1024}

    menu:
      enabled: true

    # Pluggable cache (ADR 0002). Default in-memory (single-node). Flip type to
    # `redis` to use the Redis that docker-compose already starts — the per-user
    # menu tree and any of your own @Cacheable methods then cache as JSON across
    # replicas, with the kit owning serialization (no Serializable, no config).
    cache:
      type: ${DEVSLAB_CACHE_TYPE:in-memory}
      ttl: ${DEVSLAB_CACHE_TTL:PT10M}

    # First-admin bootstrap (ADR 0001). The starter's own runner provisions a
    # default tenant + PLATFORM_ADMIN role + admin.* permissions + admin user on
    # first boot, so the admin UI can log in immediately for end-to-end testing.
    #
    # This stands in for a local-dev profile: a fixed admin/admin with the
    # forced password change turned OFF so you log straight in. In staging /
    # production, inject DEVSLAB_BOOTSTRAP_ADMIN_PASSWORD (or leave it blank for
    # a random one logged once) and set must-change-password to true — or set
    # enabled=false and provision the first admin out-of-band.
    bootstrap:
      enabled: ${DEVSLAB_BOOTSTRAP_ENABLED:true}
      tenant-id: ${DEVSLAB_BOOTSTRAP_TENANT_ID:default}
      admin-login-id: ${DEVSLAB_BOOTSTRAP_ADMIN_LOGIN_ID:admin}
      admin-password: ${DEVSLAB_BOOTSTRAP_ADMIN_PASSWORD:admin}
      admin-email: ${DEVSLAB_BOOTSTRAP_ADMIN_EMAIL:admin@example.com}
      must-change-password: ${DEVSLAB_BOOTSTRAP_MUST_CHANGE_PASSWORD:false}