{
  /*
   * appsettings.json — committed defaults only. Block comments are tolerated here
   * because the .NET JSON configuration provider strips them; do not feed this
   * file to a strict RFC 8259 parser.
   *
   * Anything secret (client secrets, connection strings) is injected at runtime
   * through environment variables / secret references, never committed here.
   */
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  /*
   * NOTE(review): "*" switches off Host-header filtering (ASP.NET Core's
   * HostFiltering middleware accepts any Host value). That is acceptable only
   * while an ingress in front of the app pins the hostname; for production set
   * this to the real public host name(s) — e.g. via an AllowedHosts env var
   * override — so a forged Host header cannot influence generated URLs or
   * redirects.
   */
  "AllowedHosts": "*",
  "Auth": {
    /*
     * Development-only escape hatch. Must remain false in every committed
     * config; enable it only through an environment-specific override and never
     * in production. The code that honours this flag is not in this file —
     * confirm it also refuses the bypass when the hosting environment is not
     * Development, so a mis-set variable cannot open the API.
     */
    "AllowDevBypass": false,
    /*
     * STAFF IDENTITY — Entra External ID (dev) / Entra org tenant (prod)
     *
     * PRODUCTION MIGRATION: override these three values through environment
     * variables only (env vars take precedence over this file in the default
     * host configuration). No code changes required.
     *
     *   Auth__Staff__Instance → https://login.microsoftonline.com/
     *   Auth__Staff__TenantId → the company org tenant ID
     *   Auth__Staff__ClientId → the staff app registration in the org tenant
     *
     * DEV: the CIAM tenant is used as a placeholder (staff and client login
     * look identical to the user). Audience isolation is enforced at the API
     * level and is stated to hold regardless of tenant — that check lives in
     * code outside this file; verify it rather than treating it as a given.
     */
    "Staff": {
      "Instance": "https://usimclients.ciamlogin.com/",
      "TenantId": "891f98f1-ed34-42a1-9b6c-28b0554d92c2",
      /*
       * Placeholder, not a real application (client) ID. Until it is replaced
       * (Auth__Staff__ClientId) staff tokens will presumably fail audience
       * validation, i.e. auth fails closed rather than open — confirm this
       * when wiring up the tenant instead of relying on it as a safety net.
       */
      "ClientId": "STAFF_APP_CLIENT_ID"
    }
  },
  /*
   * GRAPH API — app-only credentials for reading Entra org tenant users.
   * Used by AdminAccessController to list platform access users.
   *
   * TenantId and ClientId refer to the org tenant (thematrixpoint), NOT the
   * CIAM tenant. ClientSecret must be injected via env var:
   *   Graph__ClientSecret = (Azure Container Apps env var — prefer a
   *   secret-backed reference over a plain-text env var where the platform
   *   supports it)
   *
   * PREREQUISITES (one-time Entra portal steps):
   *   1. App registration: AdPlatform Staff (b0f29246-...)
   *   2. API permissions → Microsoft Graph → Application → User.Read.All
   *   3. Grant admin consent
   *   4. Create a client secret → copy value → set Graph__ClientSecret env var
   *
   * NOTE(review): User.Read.All (application) reads every user's full profile
   * tenant-wide. If the controller only needs names/UPNs for the access list,
   * check whether a narrower application permission (e.g. User.ReadBasic.All)
   * is sufficient. Client secrets expire and must be rotated — record the
   * expiry; a managed identity / workload identity federation removes the
   * secret entirely if the Container App can use one.
   */
  "Graph": {
    "TenantId": "0be4c23a-6941-4bdb-b397-a4faf88de4b3",
    "ClientId": "b0f29246-91e7-4615-96db-5de9b6f8da2e",
    /*
     * Intentionally empty in source control. The runtime value comes from the
     * Graph__ClientSecret env var; with no override, Graph calls presumably
     * fail at token acquisition rather than silently running unauthenticated
     * (no secret is ever to be committed here).
     */
    "ClientSecret": ""
  }
}