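# ============================================================================
# Master Secrets Template — ALL keys used across the workspace
# ============================================================================
# Copy to .env (repo root) or .env.master (local only). Fill values; NEVER commit.
# See: docs/04-configuration/MASTER_SECRETS.md for where each is used.
# ============================================================================
# Format: one KEY=value per line, comments on their own line starting with '#'.
# Do not append trailing comments to a value line; many env loaders read them
# as part of the value.
# The filled copy holds credentials for many systems at once: keep it readable
# by the owning user only, and check that .env and .env.master are git-ignored.

# --- Proxmox ---
PROXMOX_ML110=
PROXMOX_R630_01=
PROXMOX_R630_02=
PROXMOX_HOST=
PROXMOX_PORT=
PROXMOX_USER=
PROXMOX_TOKEN_NAME=
# Secret half of the Proxmox API token named above.
PROXMOX_TOKEN_VALUE=
# NOTE(review): presumably enables privileged operations in the tooling that
# reads it; leave empty unless a script documents that it needs it (confirm in
# MASTER_SECRETS.md).
PROXMOX_ALLOW_ELEVATED=

# --- Cloudflare ---
# Prefer CLOUDFLARE_API_TOKEN scoped to Zone:DNS:Edit on the zones you use (avoid global Account API key when possible).
# Bulk DNS script: scripts/update-all-dns-to-public-ip.sh — use --dry-run and --zone-only=sankofa.nexus (etc.) before wide updates.
CLOUDFLARE_API_TOKEN=
# CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY form the global account key pair; leave
# both empty when the scoped token above is sufficient.
CLOUDFLARE_EMAIL=
CLOUDFLARE_API_KEY=
CLOUDFLARE_ZONE_ID=
CLOUDFLARE_ZONE_ID_D_BIS_ORG=
CLOUDFLARE_ZONE_ID_MIM4U_ORG=
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=
CLOUDFLARE_TUNNEL_TOKEN=
CLOUDFLARE_TUNNEL_ID=
CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=
CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=
CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=
CLOUDFLARE_ORIGIN_CA_KEY=
CLOUDFLARE_ACCOUNT_ID=
# Turnstile (Captcha) for IRU marketplace inquiry — Dashboard → Turnstile; NOT the DNS API key
# The secret key is for server-side verification only; the site keys named
# below are the public halves that ship to the browser.
CLOUDFLARE_TURNSTILE_SECRET_KEY=
# dbis_core Vite marketplace: VITE_CLOUDFLARE_TURNSTILE_SITE_KEY=
# Sankofa portal Next.js (sibling repo): NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY=

# --- ClouDNS ---
CLOUDNS_AUTH_ID=
CLOUDNS_AUTH_PASSWORD=

# --- NPM / NPMplus ---
NPM_URL=
NPM_EMAIL=
NPM_PASSWORD=
NPM_HOST=
NPM_PROXMOX_HOST=
NPMPLUS_HOST=
NPM_VMID=
NPMPLUS_VMID=
NPMPLUS_ALLTRA_HYBX_VMID=
IP_NPMPLUS_ALLTRA_HYBX=
NPM_URL_MIFOS=

# --- Keycloak Admin API (optional) ---
# For scripts/deployment/keycloak-sankofa-ensure-client-redirects.sh — merge portal/admin redirect URIs.
# NOTE(review): the example below uses the built-in admin user of the master
# realm. If the script only edits one client's redirect URIs, a dedicated
# account limited to that task would reduce exposure (confirm what the script
# requires).
# KEYCLOAK_URL=https://keycloak.sankofa.nexus
# KEYCLOAK_REALM=master
# KEYCLOAK_CLIENT_ID=sankofa-portal
# KEYCLOAK_ADMIN=admin
# KEYCLOAK_ADMIN_PASSWORD=

# --- Fastly ---
FASTLY_API_TOKEN=

# --- Network / UniFi / Omada ---
PUBLIC_IP=
PROXMOX_HOST_FOR_TEST=
UNIFI_UDM_URL=
UNIFI_API_KEY=
UNIFI_API_MODE=
UNIFI_SITE_ID=
# NOTE(review): presumably toggles TLS certificate verification for the UniFi
# API; keep verification on outside a lab, since the API key travels over this
# connection (confirm the accepted values with the consuming script).
UNIFI_VERIFY_SSL=
OMADA_API_KEY=
OMADA_CLIENT_SECRET=

# --- Gitea ---
GITEA_URL=
GITEA_TOKEN=
GITEA_ORG=

# --- Database & app auth ---
# DATABASE_URL typically embeds the database password; treat the whole value as a secret.
DATABASE_URL=
# Use a separate, randomly generated value for each signing secret below
# (JWT_SECRET, JWT_REFRESH_SECRET, SESSION_SECRET, ADMIN_JWT_SECRET); sharing
# one value lets a leak of any of them forge the others' tokens.
JWT_SECRET=
JWT_REFRESH_SECRET=
JWT_EXPIRES_IN=
JWT_REFRESH_EXPIRES_IN=
SESSION_SECRET=
ADMIN_CENTRAL_API_KEY=
DBIS_CENTRAL_URL=
ADMIN_JWT_SECRET=

# --- Storage (AWS / Azure) ---
# Prefer credentials restricted to the bucket/container named here rather than
# account-wide keys.
STORAGE_TYPE=
STORAGE_PATH=
AWS_REGION=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_S3_BUCKET=
AZURE_STORAGE_CONNECTION_STRING=
AZURE_STORAGE_CONTAINER=

# --- Pinata (IPFS pinning; token logos) ---
# Dashboard: https://app.pinata.cloud — API Keys → JWT or key/secret.
# scripts/upload-token-logos-to-ipfs.sh uses PINATA_JWT only (Bearer for pinFileToIPFS).
PINATA_JWT=
PINATA_API_KEY=
PINATA_API_SECRET=

# --- Blockchain / SMOM-DBIS-138 (use smom-dbis-138/.env for PRIVATE_KEY) ---
# Per the section title, the signing key belongs in smom-dbis-138/.env; leaving
# it empty here keeps it out of a file that every workspace tool reads.
PRIVATE_KEY=
RPC_URL_138=
RPC_URL_138_PUBLIC=
# XDC Zero — second relayer pair (XDC Network mainnet <-> Chain 138). See docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md and config/xdc-zero/
# Use XDC mainnet JSON-RPC only (chain id 50), not Ethereum L1. Default: XDC_PARENTNET_URL=https://rpc.xinfin.network
# Testnet (Apothem): https://rpc.apothem.network
# Optional alias for 138 side (defaults to RPC_URL_138 in preflight if unset): XDC_ZERO_PEER_RPC_URL=
# Ethereum L1 — used for dual-anchor attestation with scripts/omnl/omnl-chain138-attestation-tx.sh (consumes ETH gas). Alias: RPC_URL_MAINNET.
ETHEREUM_MAINNET_RPC=
CHAIN_651940_RPC_URL=
ETHERLINK_RPC_URL=
TEZOS_RPC_URL=
ETHERSCAN_API_KEY=
ETHERLINK_CCIP_SELECTOR=
TEZOS_BRIDGE_ENABLED=
ETHERLINK_BRIDGE_ENABLED=
# NOTE(review): the two relay keys below look like signing keys for bridge
# relayers; if so, handle them like PRIVATE_KEY and use accounts funded only
# for relay gas (confirm in MASTER_SECRETS.md).
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=

# --- GRU Transport / cW hard-peg bridge controls (Chain 138 -> public chains) ---
# Canonical L1 bridge env used by the GRU transport overlay and token-aggregation.
CHAIN138_L1_BRIDGE=
# Legacy alias still used by some deployment helpers.
CW_L1_BRIDGE_CHAIN138=
CW_BRIDGE_MAINNET=
CW_BRIDGE_CRONOS=
CW_BRIDGE_BSC=
CW_BRIDGE_POLYGON=
CW_BRIDGE_GNOSIS=
CW_BRIDGE_AVALANCHE=
CW_BRIDGE_BASE=
CW_BRIDGE_ARBITRUM=
CW_BRIDGE_OPTIMISM=
CW_RESERVE_VERIFIER_CHAIN138=
CW_STABLECOIN_RESERVE_VAULT=
CW_RESERVE_SYSTEM=
# The only key in this template that ships with a value.
CW_ATTACH_VERIFIER_TO_L1=1
# NOTE(review): the CW_REQUIRE_* keys read as reserve/ownership checks enforced
# before minting; an empty value may mean "check disabled" — confirm the
# default with the consuming script before relying on it.
CW_REQUIRE_VAULT_BACKING=
CW_REQUIRE_RESERVE_SYSTEM_BALANCE=
CW_REQUIRE_TOKEN_OWNER_MATCH_VAULT=
CW_CANONICAL_USDT=
CW_CANONICAL_USDC=
CW_USDT_RESERVE_ASSET=
CW_USDC_RESERVE_ASSET=
CW_MAX_OUTSTANDING_USDT_MAINNET=
CW_MAX_OUTSTANDING_USDC_MAINNET=
CW_MAX_OUTSTANDING_USDT_CRONOS=
CW_MAX_OUTSTANDING_USDC_CRONOS=
CW_MAX_OUTSTANDING_USDT_BSC=
CW_MAX_OUTSTANDING_USDC_BSC=
CW_MAX_OUTSTANDING_USDT_POLYGON=
CW_MAX_OUTSTANDING_USDC_POLYGON=
CW_MAX_OUTSTANDING_USDT_GNOSIS=
CW_MAX_OUTSTANDING_USDC_GNOSIS=
CW_MAX_OUTSTANDING_USDT_AVALANCHE=
CW_MAX_OUTSTANDING_USDC_AVALANCHE=
CW_MAX_OUTSTANDING_USDT_BASE=
CW_MAX_OUTSTANDING_USDC_BASE=
CW_MAX_OUTSTANDING_USDT_ARBITRUM=
CW_MAX_OUTSTANDING_USDC_ARBITRUM=
CW_MAX_OUTSTANDING_USDT_OPTIMISM=
CW_MAX_OUTSTANDING_USDC_OPTIMISM=
CW_FREEZE_AVAX_L2_CONFIG=

# --- Alerts & monitoring ---
# Anyone holding a Slack webhook URL can post to its channel; treat it as a secret.
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=
SENTRY_DSN=

# --- dbis_core IRU / marketplace outbound mail (optional; Proxmox Mail Proxy VMID 100 = 192.168.11.32) ---
# NOTE(review): SMTP_SECURE=false on port 587 normally means "no implicit TLS";
# confirm the mailer still upgrades with STARTTLS before it sends SMTP_USER /
# SMTP_PASSWORD.
# EMAIL_PROVIDER=smtp
# SMTP_HOST=192.168.11.32
# SMTP_PORT=587
# SMTP_SECURE=false
# SMTP_USER=
# SMTP_PASSWORD=
# EMAIL_FROM=
# EMAIL_FROM_NAME=SolaceNet
# DBIS_SALES_EMAIL=

# --- Legal / e-signature ---
E_SIGNATURE_BASE_URL=

# --- OTC / exchanges (dbis_core) ---
# Where the exchange allows it, issue these keys with only the permissions the
# integration needs (for example no withdrawal rights) and an IP allow-list.
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=
CRYPTO_COM_ENVIRONMENT=
BINANCE_API_KEY=
BINANCE_API_SECRET=
KRAKEN_API_KEY=
KRAKEN_PRIVATE_KEY=
OANDA_API_KEY=
OANDA_ACCOUNT_ID=
OANDA_ENVIRONMENT=
FXCM_API_TOKEN=

# --- Price / market data ---
COINGECKO_API_KEY=
COINDESK_API_KEY=
COINMARKETCAP_API_KEY=
DEXSCREENER_API_KEY=

# --- Mifos / Fineract / OMNL ---
MIFOS_BASE_URL=
MIFOS_TENANT=
MIFOS_USER=
MIFOS_PASSWORD=
# NOTE(review): presumably skips TLS certificate verification for the Mifos
# API; leave empty outside a lab, since MIFOS_PASSWORD is sent over this
# connection (confirm with the consuming script).
MIFOS_INSECURE=
OMNL_FINERACT_BASE_URL=
OMNL_FINERACT_TENANT=
OMNL_FINERACT_USER=
OMNL_FINERACT_PASSWORD=

# --- Phoenix / Sankofa / OMNIS backend ---
SANKOFA_PHOENIX_API_URL=
SANKOFA_PHOENIX_CLIENT_ID=
SANKOFA_PHOENIX_CLIENT_SECRET=
SANKOFA_PHOENIX_TENANT_ID=
# Corporate apex (sankofa.nexus) → CT 7806 when provisioned (default in ip-addresses stays portal until set)
# IP_SANKOFA_PUBLIC_WEB=192.168.11.63

# --- Frontend / MetaMask / Explorer ---
# Vite exposes VITE_-prefixed variables and Next.js exposes NEXT_PUBLIC_-prefixed
# variables to browser code, so anything set under those prefixes is readable by
# every visitor. Put only public identifiers there; a paid or privileged key
# (e.g. VITE_ETHERSCAN_API_KEY) should be rate-limited or proxied server-side.
VITE_WALLETCONNECT_PROJECT_ID=
VITE_THIRDWEB_CLIENT_ID=
VITE_ETHERSCAN_API_KEY=
VITE_SENTRY_DSN=
VITE_API_URL=
VITE_API_BASE_URL=
NEXT_PUBLIC_API_URL=
NEXT_PUBLIC_CHAIN_ID=
# The remaining keys in this section are unprefixed; keep them server-side or build-time only.
METAMASK_API_KEY=
THIRDWEB_SECRET_KEY=
NPM_ACCESS_TOKEN=

# --- DeFi aggregators (alltra-lifi-settlement) ---
PARASWAP_API_KEY=
ZEROX_API_KEY=

# --- ProxmoxVE API (MongoDB) ---
MONGO_USER=
MONGO_PASSWORD=
MONGO_IP=
MONGO_PORT=
MONGO_DATABASE=

# --- Chain138 RPC (config) ---
CHAIN138_RPC_URL=
RPC_URL_138_FIREBLOCKS=
WS_URL_138_FIREBLOCKS=
CHAIN_ID_138=

# --- Phoenix deploy API ---
PORT=
# GITEA_TOKEN is declared once, in the Gitea section above. A second empty
# GITEA_TOKEN= here would blank the filled value in loaders where the last
# assignment wins, and be silently ignored where the first one wins.

# --- Optional / per-service ---
MARKET_REPORTING_API_KEY=
E_FILING_ENABLED=
NODE_ENV=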