# ============================================================================
# Master Secrets Template — ALL keys used across the workspace
# ============================================================================
# Copy to .env (repo root) or .env.master (local only). Fill values; NEVER commit.
# See: docs/04-configuration/MASTER_SECRETS.md for where each is used.
# ============================================================================

# --- Proxmox ---
PROXMOX_ML110=
PROXMOX_R630_01=
PROXMOX_R630_02=
PROXMOX_HOST=
PROXMOX_PORT=
PROXMOX_USER=
PROXMOX_TOKEN_NAME=
PROXMOX_TOKEN_VALUE=
PROXMOX_ALLOW_ELEVATED=

# --- Cloudflare ---
# Prefer CLOUDFLARE_API_TOKEN scoped to Zone:DNS:Edit on the zones you use (avoid global Account API key when possible).
# Bulk DNS script: scripts/update-all-dns-to-public-ip.sh — use --dry-run and --zone-only=sankofa.nexus (etc.) before wide updates.
CLOUDFLARE_API_TOKEN=
# Set to 1 if token has no DNS:Edit and you need Global API key for scripts/cloudflare/provision-d-bis-mail-dns-and-npmplus.sh etc.
CLOUDFLARE_DNS_PREFER_GLOBAL_KEY=
CLOUDFLARE_EMAIL=
CLOUDFLARE_API_KEY=
CLOUDFLARE_ZONE_ID=
CLOUDFLARE_ZONE_ID_D_BIS_ORG=
CLOUDFLARE_ZONE_ID_MIM4U_ORG=
CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=
CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=
CLOUDFLARE_TUNNEL_TOKEN=
CLOUDFLARE_TUNNEL_ID=
CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=
CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=
CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=
CLOUDFLARE_ORIGIN_CA_KEY=
CLOUDFLARE_ACCOUNT_ID=

# --- ClouDNS ---
CLOUDNS_AUTH_ID=
CLOUDNS_AUTH_PASSWORD=

# --- NPM / NPMplus ---
# For scripts/verify/backup-npmplus.sh: NPM_EMAIL and NPM_PASSWORD are both required
# (no in-script defaults); see AGENTS.md operator / backup row.
# PMG (LXC 100) web UI — optional: run scripts/operator/sync-pmg-webui-password-to-dotenv.sh to pull from /root/PMG_WEBUI_password.txt
PMG_WEBUI_PASSWORD=
NPM_URL=
NPM_EMAIL=
NPM_PASSWORD=
NPM_HOST=
NPM_PROXMOX_HOST=
NPMPLUS_HOST=
NPM_VMID=
NPMPLUS_VMID=
NPMPLUS_ALLTRA_HYBX_VMID=
IP_NPMPLUS_ALLTRA_HYBX=
NPM_URL_MIFOS=

# --- Fastly ---
FASTLY_API_TOKEN=

# --- Network / UniFi / Omada ---
PUBLIC_IP=
PROXMOX_HOST_FOR_TEST=
UNIFI_UDM_URL=
UNIFI_API_KEY=
UNIFI_API_MODE=
UNIFI_SITE_ID=
UNIFI_VERIFY_SSL=
OMADA_API_KEY=
OMADA_CLIENT_SECRET=

# --- Gitea ---
GITEA_URL=
GITEA_TOKEN=
GITEA_ORG=

# --- Database & app auth ---
DATABASE_URL=
JWT_SECRET=
JWT_REFRESH_SECRET=
JWT_EXPIRES_IN=
JWT_REFRESH_EXPIRES_IN=
SESSION_SECRET=
ADMIN_CENTRAL_API_KEY=
DBIS_CENTRAL_URL=
ADMIN_JWT_SECRET=

# --- Storage (AWS / Azure) ---
STORAGE_TYPE=
STORAGE_PATH=
AWS_REGION=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_S3_BUCKET=
AZURE_STORAGE_CONNECTION_STRING=
AZURE_STORAGE_CONTAINER=

# --- Blockchain / SMOM-DBIS-138 (use smom-dbis-138/.env for PRIVATE_KEY) ---
PRIVATE_KEY=
DEPLOYER_ADDRESS=
RPC_URL_138=
RPC_URL_138_PUBLIC=
ETHEREUM_MAINNET_RPC=
DBIS_CORE_URL=
CC_PAYMENT_ADAPTERS_URL=
CC_AUDIT_LEDGER_URL=
CC_SHARED_EVENTS_URL=
CC_SHARED_SCHEMAS_URL=
FIN_GATEWAY_URL=
ALLIANCE_ACCESS_URL=
CHAIN138_CI_RPC_URL=
ALL_MAINNET_RPC=
CHAIN_651940_RPC_URL=
CHAIN_1_UNISWAP_V2_FACTORY=0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f
CHAIN_1_UNISWAP_V2_ROUTER=0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D
CHAIN_1_UNISWAP_V2_START_BLOCK=0
CHAIN_10_UNISWAP_V2_FACTORY=0x0c3c1c532F1e39EdF36BE9Fe0bE1410313E074Bf
CHAIN_10_UNISWAP_V2_ROUTER=0x4A7b5Da61326A6379179b40d00F57E5bbDC962c2
CHAIN_10_UNISWAP_V2_START_BLOCK=0
CHAIN_25_UNISWAP_V2_FACTORY=0x3B44B2a187a7b3824131F8db5a74194D0a42Fc15
CHAIN_25_UNISWAP_V2_ROUTER=0x145863Eb42Cf62847A6Ca784e6416C1682b1b2Ae
CHAIN_25_UNISWAP_V2_START_BLOCK=0
CHAIN_56_UNISWAP_V2_FACTORY=0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73
CHAIN_56_UNISWAP_V2_ROUTER=0x10ED43C718714eb63d5aA57B78B54704E256024E
CHAIN_56_UNISWAP_V2_START_BLOCK=0
CHAIN_100_UNISWAP_V2_FACTORY=0xc35DADB65012eC5796536bD9864eD8773aBc74C4
CHAIN_100_UNISWAP_V2_ROUTER=0x1b02dA8Cb0d097eB8D57A175b88c7D8b47997506
CHAIN_100_UNISWAP_V2_START_BLOCK=0
CHAIN_137_UNISWAP_V2_FACTORY=0x5757371414417b8C6CAad45bAeF941aBc7d3Ab32
CHAIN_137_UNISWAP_V2_ROUTER=0xa5E0829CaCEd8fFDD4De3c43696c57F7D7A678ff
CHAIN_137_UNISWAP_V2_START_BLOCK=0
CHAIN_42220_UNISWAP_V2_FACTORY=0x62d5b84bE28a183aBB507E125B384122D2C25fAE
CHAIN_42220_UNISWAP_V2_ROUTER=0xE3D8bd6Aed4F159bc8000a9cD47CffDb95F96121
CHAIN_42220_UNISWAP_V2_START_BLOCK=0
CHAIN_43114_UNISWAP_V2_FACTORY=0x9Ad6C38BE94206cA50bb0d90783181662f0Cfa10
CHAIN_43114_UNISWAP_V2_ROUTER=0x60aE616a2155Ee3d9A68541Ba4544862310933d4
CHAIN_43114_UNISWAP_V2_START_BLOCK=0
CHAIN_8453_UNISWAP_V2_FACTORY=0x02a84c1b3BBD7401a5f7fa98a384EBC70bB5749E
CHAIN_8453_UNISWAP_V2_ROUTER=0x8cFe327CEc66d1C090Dd72bd0FF11d690C33a2Eb
CHAIN_8453_UNISWAP_V2_START_BLOCK=0
CHAIN_42161_UNISWAP_V2_FACTORY=0x02a84c1b3BBD7401a5f7fa98a384EBC70bB5749E
CHAIN_42161_UNISWAP_V2_ROUTER=0x8cFe327CEc66d1C090Dd72bd0FF11d690C33a2Eb
CHAIN_42161_UNISWAP_V2_START_BLOCK=0
# Optional / scaffold-only until Wemix UniV2 routing is promoted
CHAIN_1111_UNISWAP_V2_FACTORY=
CHAIN_1111_UNISWAP_V2_ROUTER=
CHAIN_1111_UNISWAP_V2_START_BLOCK=0
ETHERLINK_RPC_URL=
TEZOS_RPC_URL=
ETHERSCAN_API_KEY=
WEMIXSCAN_API_KEY=
ETHERLINK_CCIP_SELECTOR=
TEZOS_BRIDGE_ENABLED=
ETHERLINK_BRIDGE_ENABLED=
TEZOS_RELAY_ORACLE_KEY=
ETHERLINK_RELAY_BRIDGE=
ETHERLINK_RELAY_PRIVATE_KEY=
JUMPER_API_KEY=
ONEINCH_API_KEY=
MOONPAY_API_KEY=
MOONPAY_SECRET_KEY=
RAMP_NETWORK_API_KEY=
ONRAMPER_API_KEY=

# --- Alerts & monitoring ---
SLACK_WEBHOOK_URL=
PAGERDUTY_INTEGRATION_KEY=
EMAIL_ALERT_API_URL=
EMAIL_ALERT_RECIPIENTS=
SENTRY_DSN=

# --- Legal / e-signature ---
E_SIGNATURE_BASE_URL=

# --- OTC / exchanges (dbis_core) ---
CRYPTO_COM_API_KEY=
CRYPTO_COM_API_SECRET=
CRYPTO_COM_ENVIRONMENT=
BINANCE_API_KEY=
BINANCE_API_SECRET=
KRAKEN_API_KEY=
KRAKEN_PRIVATE_KEY=
OANDA_API_KEY=
OANDA_ACCOUNT_ID=
OANDA_ENVIRONMENT=
FXCM_API_TOKEN=

# --- Price / market data ---
COINGECKO_API_KEY=
COINDESK_API_KEY=
COINMARKETCAP_API_KEY=
DEXSCREENER_API_KEY=

# --- Mifos / Fineract / OMNL ---
MIFOS_BASE_URL=
MIFOS_TENANT=
MIFOS_USER=
MIFOS_PASSWORD=
MIFOS_INSECURE=
OMNL_FINERACT_BASE_URL=
OMNL_FINERACT_TENANT=
OMNL_FINERACT_USER=
OMNL_FINERACT_PASSWORD=

# --- Phoenix / Sankofa / OMNIS backend ---
SANKOFA_PHOENIX_API_URL=
SANKOFA_PHOENIX_CLIENT_ID=
SANKOFA_PHOENIX_CLIENT_SECRET=
SANKOFA_PHOENIX_TENANT_ID=

# --- Frontend / MetaMask / Explorer ---
VITE_WALLETCONNECT_PROJECT_ID=
VITE_THIRDWEB_CLIENT_ID=
VITE_ETHERSCAN_API_KEY=
VITE_SENTRY_DSN=
VITE_API_URL=
VITE_API_BASE_URL=
NEXT_PUBLIC_API_URL=
NEXT_PUBLIC_CHAIN_ID=
METAMASK_API_KEY=
THIRDWEB_SECRET_KEY=
NPM_ACCESS_TOKEN=

# --- DeFi aggregators (alltra-lifi-settlement) ---
PARASWAP_API_KEY=
ZEROX_API_KEY=

# --- ProxmoxVE API (MongoDB) ---
MONGO_USER=
MONGO_PASSWORD=
MONGO_IP=
MONGO_PORT=
MONGO_DATABASE=

# --- Chain138 RPC (config) ---
CHAIN138_RPC_URL=
RPC_URL_138_FIREBLOCKS=
WS_URL_138_FIREBLOCKS=
CHAIN_ID_138=

# --- Phoenix deploy API ---
PORT=
GITEA_TOKEN=

# --- Optional / per-service ---
MARKET_REPORTING_API_KEY=
E_FILING_ENABLED=
NODE_ENV=