# App — session sealing key for nuxt-auth-utils (must be ≥32 chars) NUXT_SESSION_PASSWORD=change-me-to-a-long-random-string-min-32-chars # Database (Postgres) — Coolify-managed in prod, docker-compose in dev DATABASE_URL=postgres://andon:andon@localhost:5432/andon # Credentials for the bundled Postgres service in docker-compose.yml POSTGRES_USER=andon POSTGRES_PASSWORD=andon POSTGRES_DB=andon # Google OAuth (Task 9) — nuxt-auth-utils reads these exact names. Access is # restricted server-side to verified @theodo.com emails (the `hd` claim is not # trusted on its own). REDIRECT_URL must match an Authorized redirect URI in the # Google Cloud console (defaults to /auth/google/callback if unset). NUXT_OAUTH_GOOGLE_CLIENT_ID= NUXT_OAUTH_GOOGLE_CLIENT_SECRET= NUXT_OAUTH_GOOGLE_REDIRECT_URL= # Web Push / VAPID (Task 10) — Nuxt binds these to runtimeConfig at runtime. # Generate the key pair with `pnpm vapid:keys`. The public key is sent to the # browser; the private key signs pushes server-side (T11) and must stay secret. NUXT_PUBLIC_VAPID_PUBLIC_KEY= NUXT_VAPID_PRIVATE_KEY= NUXT_VAPID_SUBJECT=mailto:example@theodo.com # Push notifications go to this single owner only (G3). Not secret — also gates # the client-side "Enable notifications" button. NUXT_PUBLIC_OWNER_EMAIL=