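# Quarkus configuration for the APIX registry service.
# Values written as ${ENV_VAR:default} read ENV_VAR and fall back to the default
# when it is unset; ${ENV_VAR} with no default has no fallback.

# ── Jandex — include apix-common in the index so bean validation constraints work ──
quarkus.index-dependency.apix-common.group-id=org.botstandards
quarkus.index-dependency.apix-common.artifact-id=apix-common

# ── Datasource ────────────────────────────────────────────────────────────────
# The fallbacks target a local development database. The fallback credentials
# (apix/apix) are readable in this file, so every deployment must set all three
# variables explicitly.
quarkus.datasource.db-kind=postgresql
quarkus.datasource.jdbc.url=${QUARKUS_DATASOURCE_JDBC_URL:jdbc:postgresql://localhost:5432/apix}
quarkus.datasource.username=${QUARKUS_DATASOURCE_USERNAME:apix}
quarkus.datasource.password=${QUARKUS_DATASOURCE_PASSWORD:apix}

# ── ORM ───────────────────────────────────────────────────────────────────────
# Liquibase owns schema creation; Hibernate must not touch DDL
quarkus.hibernate-orm.database.generation=none

# ── Liquibase ─────────────────────────────────────────────────────────────────
quarkus.liquibase.migrate-at-start=true
quarkus.liquibase.change-log=db/changelog/db.changelog-master.xml

# ── HTTP ──────────────────────────────────────────────────────────────────────
quarkus.http.port=8180

# ── Registry identity — used by IndexResource for HATEOAS links ───────────────
# The base-url fallback is plain http on localhost; set APIX_REGISTRY_BASE_URL to
# the public https origin in any deployment so generated links are not http.
apix.registry.base-url=${APIX_REGISTRY_BASE_URL:http://localhost:8180}
apix.registry.name=${APIX_REGISTRY_NAME:APIX Registry}
apix.portal.base-url=${APIX_PORTAL_BASE_URL:https://www.api-index.org}
apix.registry.description=${APIX_REGISTRY_DESCRIPTION:The open autonomous agent service discovery registry. Follow _links.services to browse, or _links.servicesSearch to filter by capability.}

# ── Security — API key for write endpoints ───────────────────────────────────
# The well-known development key is only a fallback in the dev and test profiles.
# In every other profile there is no default: with APIX_API_KEY unset the
# expression cannot be resolved, so the service is expected to refuse to start
# (or fail on first read) rather than accept a key that is published in this file.
apix.api-key=${APIX_API_KEY}
%dev.apix.api-key=${APIX_API_KEY:dev-insecure-key-change-in-prod}
%test.apix.api-key=${APIX_API_KEY:dev-insecure-key-change-in-prod}

# ── Verification ──────────────────────────────────────────────────────────────
# Endpoints the service calls out to while verifying registrants. All fallbacks
# are https; an override should keep TLS.
apix.dns.doh-url=${APIX_DOH_URL:https://dns.google/resolve}
apix.gleif.api-url=${GLEIF_API_URL:https://api.gleif.org/api/v1}
# Blank fallback: no OpenCorporates key is configured unless the variable is set.
apix.opencorporates.api-key=${OPENCORPORATES_API_KEY:}
apix.opencorporates.api-url=${OPENCORPORATES_API_URL:https://api.opencorporates.com/v0.4}
# {domain} is a placeholder filled in by the application (substitution code is
# not visible here). NOTE(review): the domain presumably comes from registrant
# data, so the fetcher should resolve only to public addresses — confirm.
apix.hygiene.security-txt-url-template=${APIX_SECURITY_TXT_TEMPLATE:https://{domain}/.well-known/security.txt}
# Milliseconds.
apix.verification.http-timeout-ms=${APIX_VERIFICATION_TIMEOUT_MS:5000}
# Hard-coded false with no environment override. NOTE(review): by its name this
# would return the TAN in the API response, bypassing out-of-band delivery —
# keep it false outside tests; confirm against the consuming code.
apix.org.tan.expose-in-response=false

# ── Mail signing (Ed25519) ────────────────────────────────────────────────────
# PKCS#8 private key and SubjectPublicKeyInfo public key, Base64 standard encoding.
# If blank, an ephemeral key pair is generated at startup (dev/test only).
# NOTE(review): nothing in this file enforces "dev/test only" — both fallbacks are
# blank in every profile. Confirm the startup code rejects blank keys in prod;
# otherwise signatures would presumably change key on every restart.
apix.mail.signing.private-key-base64=${APIX_MAIL_SIGNING_PRIVATE_KEY:}
apix.mail.signing.public-key-base64=${APIX_MAIL_SIGNING_PUBLIC_KEY:}
# Key ID published in signed payloads and the /mail-signing-keys endpoint.
# Convention: YYYY-MM, rotated every 6 months.
apix.mail.signing.kid=${APIX_MAIL_SIGNING_KID:dev}
# Relative fallback path: resolved against the process working directory.
apix.sanctions.cache-path=${SANCTIONS_CACHE_PATH:./sanctions-cache}

# ── Cache ─────────────────────────────────────────────────────────────────────
# registry-index: caches GET / response. 60s TTL is acceptable — agents read the
# root for navigation links which are static; counts are informational only.
# CDN layer sits in front for edge caching. CDN choice is a governance decision:
# no founding member candidate may operate infrastructure over the registry.
# - Bunny.net (primary): European (Slovenia), 100+ PoPs, Africa + Asia-Pacific
#   coverage, privacy values align with Swiss Stiftung model. No AI/agent play.
# - Fastly (secondary/fallback): independent US public company, no AI/agent play,
#   built for API/JSON caching, used by GitHub and npm, strong developer trust.
# - DO NOT use Cloudflare (founding member target) or AWS CloudFront (AWS is a
#   founding member target): operational infrastructure = governance leverage,
#   regardless of what the founding charter says.
quarkus.cache.caffeine.registry-index.expire-after-write=60S
quarkus.cache.caffeine.registry-index.initial-capacity=1
quarkus.cache.caffeine.registry-index.maximum-size=1

# ── Logging ───────────────────────────────────────────────────────────────────
# NOTE(review): DEBUG is the fallback in every profile, production included.
# Whether debug output contains keys, TANs or request bodies is not visible
# here — set LOG_LEVEL=INFO (or higher) in deployments unless that is confirmed.
quarkus.log.level=${LOG_LEVEL:DEBUG}
quarkus.log.console.json=false

# ── Health ────────────────────────────────────────────────────────────────────
quarkus.smallrye-health.root-path=/q/health

# ── Observability ─────────────────────────────────────────────────────────────
# HTTP server request metrics (http_server_requests_seconds histogram) are
# auto-instrumented by quarkus-micrometer. Prometheus scrapes /q/metrics.
# NOTE(review): nothing in this file moves /q/* to a separate management
# interface, so unless that is configured elsewhere /q/metrics and /q/health are
# served on the API port (8180) and should be filtered at the proxy/CDN.
quarkus.micrometer.enabled=true
quarkus.micrometer.export.prometheus.enabled=true
# Without match-patterns, the uri label is the raw request path and UUIDs create
# unbounded cardinality. Order matters: specific sub-paths before the catch-all.
# NOTE(review): rotate-key is listed before rotate-key-with-tan and rotate-key-dns;
# that is harmless only if each pattern must match the whole path — confirm.
quarkus.micrometer.binder.http-server.match-patterns=\
    /services/[0-9a-f-]+/replacements=/services/{id}/replacements,\
    /services/[0-9a-f-]+/history=/services/{id}/history,\
    /services/[0-9a-f-]+/olevel=/services/{id}/olevel,\
    /services/[0-9a-f-]+=/services/{id},\
    /organizations/[0-9a-f-]+/verify=/organizations/{id}/verify,\
    /organizations/[0-9a-f-]+/request-upgrade=/organizations/{id}/request-upgrade,\
    /organizations/[0-9a-f-]+/earned-level=/organizations/{id}/earned-level,\
    /organizations/[0-9a-f-]+/temp-grant=/organizations/{id}/temp-grant,\
    /organizations/[0-9a-f-]+/rotate-key=/organizations/{id}/rotate-key,\
    /organizations/[0-9a-f-]+/request-tan=/organizations/{id}/request-tan,\
    /organizations/[0-9a-f-]+/rotate-key-with-tan=/organizations/{id}/rotate-key-with-tan,\
    /organizations/[0-9a-f-]+/rotate-key-dns=/organizations/{id}/rotate-key-dns,\
    /organizations/[0-9a-f-]+/confirm-key-rotation-dns=/organizations/{id}/confirm-key-rotation-dns,\
    /organizations/[0-9a-f-]+/notify-key-rotation-fraud=/organizations/{id}/notify-key-rotation-fraud,\
    /organizations/[0-9a-f-]+/fraud-lock=/organizations/{id}/fraud-lock,\
    /organizations/[0-9a-f-]+/audit-log=/organizations/{id}/audit-log,\
    /organizations/[0-9a-f-]+/event-feed=/organizations/{id}/event-feed,\
    /organizations/[0-9a-f-]+=/organizations/{id}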