import { defineNitroConfig } from "nitropack/config";

export default defineNitroConfig({
  compatibilityDate: "latest",
  srcDir: "server",
  preset: "node-server",

  // Static-Assets explizit: GoTrue lädt Mail-Templates von
  // https://api.staging.rebreak.org/templates/*.html → kommt aus public/templates/.
  // Default-publicAssets greift nicht zuverlässig wenn srcDir auf "server" zeigt.
  publicAssets: [{ baseURL: "/", dir: "../public", maxAge: 60 * 60 }],

  // Supabase als external dep — nicht bundlen
  externals: {
    inline: [/^(?!@supabase\/supabase-js)/],
  },

  imports: {
    dirs: ["db", "db/**", "utils", "utils/**"],
    exclude: ["**/node_modules/**"],
  },

  runtimeConfig: {
    // ─── Database / Core ─────────────────────────────────────────────────
    databaseUrl:
      process.env.DATABASE_URL ?? process.env.NUXT_DATABASE_URL ?? "",
    encryptionKey: process.env.ENCRYPTION_KEY ?? "",

    // ─── Admin / Cron ────────────────────────────────────────────────────
    adminSecret: process.env.ADMIN_SECRET ?? "",
    cronSecret: process.env.CRON_SECRET ?? "",
    // Shared secret for AdGuard→Backend DoH-handshake (POST /api/devices/protected/handshake).
    // Set in Infisical as HANDSHAKE_SECRET before enabling AdGuard webhook.
    handshakeSecret: process.env.HANDSHAKE_SECRET ?? "",

    // ─── LLM-Provider ────────────────────────────────────────────────────
    // Infisical staging hat NUXT_*-prefix für openrouter+groq, andere ohne.
    openrouterApiKey:
      process.env.OPENROUTER_API_KEY ??
      process.env.NUXT_OPENROUTER_API_KEY ??
      "",
    openaiApiKey:
      process.env.OPENAI_API_KEY ?? process.env.NUXT_OPENAI_API_KEY ?? "",
    groqApiKey: process.env.GROQ_API_KEY ?? process.env.NUXT_GROQ_API_KEY ?? "",
    googleAiApiKey: process.env.GOOGLE_AI_API_KEY ?? "",
    geminiApiKey: process.env.GEMINI_API_KEY ?? "",

    // ─── TTS-Provider ────────────────────────────────────────────────────
    googleApiKey:
      process.env.GOOGLE_API_KEY ?? process.env.NUXT_GOOGLE_API_KEY ?? "",
    deepgramApiKey:
      process.env.DEEPGRAM_API_KEY ?? process.env.NUXT_DEEPGRAM_API_KEY ?? "",
    azureTtsKey: process.env.AZURE_TTS_KEY ?? "",
    azureTtsRegion: process.env.AZURE_TTS_REGION ?? "",
    // NEU im backend/-Layout (existieren in nuxt.config.ts NICHT, aber backend code liest sie)
    cartesiaApiKey: process.env.CARTESIA_API_KEY ?? "",
    cartesiaVoiceId: process.env.CARTESIA_VOICE_ID ?? "",
    elevenlabsApiKey: process.env.ELEVENLABS_API_KEY ?? "",
    elevenlabsVoiceId: process.env.ELEVENLABS_VOICE_ID ?? "",

    // ─── Supabase (Server-only) ──────────────────────────────────────────
    // Im alten Nuxt-Layout via @nuxtjs/supabase auto-injected. In standalone Nitro
    // explizit deklarieren, damit auth/middleware nicht 500't.
    // server/utils/auth.ts:32 liest `config.public.supabase ?? config.supabase`,
    // also beide Pfade müssen existieren.
    // Infisical staging-Namen: SUPABASE_KEY (nicht ANON_KEY), SUPABASE_SERVICE_KEY
    // (nicht SERVICE_ROLE_KEY). NIE umbenennen ohne Infisical-secret-rotation.
    supabaseUrl: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
    supabaseAnonKey:
      process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
    supabaseServiceKey:
      process.env.SUPABASE_SERVICE_KEY ??
      process.env.SUPABASE_SERVICE_ROLE_KEY ??
      "",

    // ─── Voice-Calls / TURN (coturn, self-hosted) ───────────────────────
    // Ephemere TURN-Credentials werden vom Backend per HMAC aus TURN_SECRET
    // gemintet (coturn `use-auth-secret`). Host = coturn-Domain, Realm = coturn-
    // realm. In Infisical setzen, BEVOR /api/calls/ice-servers genutzt wird:
    //   TURN_HOST   (z.B. turn.rebreak.org)
    //   TURN_SECRET (shared secret, identisch zu coturn static-auth-secret)
    //   TURN_REALM  (z.B. rebreak.org)
    turnHost: process.env.TURN_HOST ?? "",
    turnSecret: process.env.TURN_SECRET ?? "",
    turnRealm: process.env.TURN_REALM ?? "rebreak.org",

    // ─── Stripe ──────────────────────────────────────────────────────────
    stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
    stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",

    // ─── Email / External APIs ───────────────────────────────────────────
    resendApiKey: process.env.RESEND_API_KEY ?? "",

    // ─── Brevo (Mail-Versand) ────────────────────────────────────────────
    // Auth-Hook (send-email.post.ts) → Brevo Transactional API.
    // BREVO_API_KEY ist Brevo REST API-Key (Format: xkeysib-...),
    // separater Key vom SMTP-Key der für GoTrue-Fallback genutzt wird.
    brevoApiKey: process.env.BREVO_API_KEY ?? "",
    // Send-Email-Hook Webhook-Secret (Standard-Webhooks Format).
    // Liste comma-separated: "v1,whsec_<base64>" (multi-secret für Rotation).
    // Muss IDENTISCH zu GOTRUE_HOOK_SEND_EMAIL_SECRETS im docker-compose sein.
    hookSendEmailSecrets: process.env.HOOK_SEND_EMAIL_SECRETS ?? "",
    // Sender-Email-Adresse im From-Header. Sender-Name wird pro Mail-Typ
    // dynamisch in templates.ts gesetzt.
    mailSenderEmail: process.env.MAIL_SENDER_EMAIL ?? "welcome@rebreak.org",

    // ─── AdGuard Home (RebreakMagic DNS-over-HTTPS) ──────────────────────
    // Base-URL für AdGuard Home REST API. Default: dns.rebreak.org (Hetzner).
    adguardBaseUrl: process.env.ADGUARD_BASE_URL ?? "https://dns.rebreak.org",
    // Basic-Auth Credentials für /control/clients/* API-Endpoints.
    // User + Password aus AdGuard-Settings → Users → Add User (Admin-Rechte).
    adguardUser: process.env.ADGUARD_USER ?? "",
    adguardPassword: process.env.ADGUARD_PASSWORD ?? "",

    // ─── Microsoft OAuth (PKCE, Public Client) ───────────────────────────────
    // Client-ID der Azure-App-Registrierung "Rebreak Mail Access".
    // Tenant: 'common' (Multi-Tenant + Personal-Accounts) — hardcoded im Code.
    // Kein client_secret: Public Client / PKCE-Flow (keine Client-Secret-Exposure).
    // Infisical secret name: MS_OAUTH_CLIENT_ID
    msOauthClientId:
      process.env.MS_OAUTH_CLIENT_ID ?? "427575e1-0ec5-4468-b4a2-7ae3ce99a154",

    // ─── Google OAuth (PKCE, Public Client / iOS Native) ────────────────────
    // Client-ID der Google Cloud Console App-Registrierung "Rebreak".
    // Typ: iOS-App (Native Client — kein client_secret, PKCE S256).
    // Scope: https://mail.google.com/ (IMAP-Vollzugriff für XOAUTH2).
    // KRITISCH: prompt=consent + access_type=offline in init.post.ts sind PFLICHT
    // damit Google ein refresh_token ausstellt. Ohne das: nur 1h access_token.
    // Infisical secret name: GOOGLE_OAUTH_CLIENT_ID
    googleOauthClientId:
      process.env.GOOGLE_OAUTH_CLIENT_ID ??
      "864178840836-i09oblmcel5q4rgggq9dids17mv9560u.apps.googleusercontent.com",

    // ─── Bot-User-IDs (DB-User-References für Lyra/Rebreak-Bot-Posts) ────
    lyraBotUserId: process.env.LYRA_BOT_USER_ID ?? "",
    rebreakBotUserId: process.env.REBREAK_BOT_USER_ID ?? "",

    // ─── Public (client-readable) ────────────────────────────────────────
    public: {
      stripePublishableKey: process.env.STRIPE_PUBLISHABLE_KEY ?? "",
      appUrl: process.env.APP_URL ?? "https://staging.rebreak.org",
      apiBase: process.env.API_BASE ?? "https://staging.rebreak.org",
      // server/utils/auth.ts liest config.public.supabase.{url,key}
      // — wenn das fehlt, 500-cascade auf allen authentifizierten Routes
      // (Incident 2026-05-06).
      supabase: {
        url: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
        key: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
      },
    },
  },
});