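import { z } from 'zod';

// Matches the placeholder secret wherever it appears in the value, ignoring
// case: "changeme", "change-me", "change_me" and "change me".
const defaultSecret = /change[-_ ]?me/i;

/**
 * Converts an environment-variable string into a boolean for `z.preprocess`.
 *
 * Only "true" and "false" (trimmed, case-insensitive) are recognised. An
 * empty string counts as unset. Any other string is passed through unchanged
 * so `z.boolean()` rejects it: a typo such as "1" or "yes" then fails
 * validation instead of silently becoming `false`.
 *
 * @param value - Raw value from the environment, or an already-typed value.
 * @returns `true`, `false`, `undefined` for an empty string, or the input
 *   unchanged.
 */
const parseBooleanFlag = (value: unknown): unknown => {
  if (typeof value !== 'string') {
    return value;
  }
  const normalized = value.trim().toLowerCase();
  if (normalized === '') {
    return undefined;
  }
  if (normalized === 'true') {
    return true;
  }
  if (normalized === 'false') {
    return false;
  }
  return value;
};

/**
 * Schema for the API process environment. Parsing fails when a required
 * variable is missing or a value does not satisfy its constraint.
 */
export const ApiEnv = z.object({
  NODE_ENV: z.enum(['development', 'test', 'production']).default('development'),
  PORT: z.coerce.number().int().positive().default(3001),
  DATABASE_URL: z.string().min(1, 'DATABASE_URL is required'),
  // Length and placeholder checks only. The schema cannot measure entropy, so
  // the value should still come from a cryptographically secure generator.
  JWT_SECRET: z
    .string()
    .min(32, 'JWT_SECRET must be at least 32 characters')
    .refine((v) => !defaultSecret.test(v), {
      message: 'JWT_SECRET still matches the default placeholder — generate a real secret',
    }),
  // NOTE(review): presumably the browser origin allowed to call this API; the
  // default points at a local dev server, so production should set it
  // explicitly. Confirm against the CORS/CSRF setup.
  CLIENT_ORIGIN: z.string().url().default('http://localhost:5173'),
  // Whether to mark auth + CSRF cookies Secure. Must be false for plain-HTTP
  // deployments (browsers silently drop Secure cookies over http://). Leave
  // unset to fall back to NODE_ENV === 'production'.
  // Accepts only "true" or "false"; any other non-empty value is rejected so
  // that a typo cannot silently turn the Secure flag off.
  COOKIE_SECURE: z.preprocess(parseBooleanFlag, z.boolean().optional()),
});

export type ApiEnv = z.infer<typeof ApiEnv>;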