# CKBunker base URL.
# - For Tailscale/private ingress use http://<tailnet-ip>:9823
# - For public Cloudflare-fronted deployment use https://your.hostname
# Tailscale is strongly preferred for this harness because Cloudflare Access
# with service tokens does not pass the WebSocket upgrade cleanly.
CKBUNKER_URL=http://100.80.63.14:9823

# Cloudflare Access service token (only needed if hitting a CF-Access-protected URL).
# Leave blank when talking to the Tailscale IP directly.
CF_ACCESS_CLIENT_ID=
CF_ACCESS_CLIENT_SECRET=

# TOTP shared secret for the HSM user.
# Issued by `ckcc user -t -q <username>` during enrolment (base32 string).
# The harness uses this to auto-generate codes for Rule #1 tests.
TOTP_SECRET=

# HSM user that matches the user named in the Coldcard's policy (typically the
# one TOTP is bound to).
HSM_USER=mineracks

# Path to a pre-crafted "small" PSBT whose value is <= your auto-approve cap
# (Rule #2 equivalent). See fixtures/README.md for how to generate this.
SMALL_PSBT_PATH=fixtures/small.psbt

# Path to a pre-crafted "large" PSBT whose value exceeds the auto-approve cap
# but fits inside the 2FA-authorised cap (Rule #1 equivalent).
LARGE_PSBT_PATH=fixtures/large.psbt

# Optional: Sparrow/Bitcoin Core address to verify a signed test message against.
# Must match the derivation path below and belong to the Coldcard seed.
MESSAGE_SIGN_ADDRESS=
MESSAGE_SIGN_PATH=m/84'/0'/0'/1