{
  // ── Connection Strings ───────────────────────────────────────────────────
  // Override via docker-compose env var:
  //   ConnectionStrings__Sql=Server=10.10.99.212;Database=dbRegistration;...
  "ConnectionStrings": {
    "Sql": "Server=10.10.99.212;Database=dbRegistration;User Id=appAdPlatformReg;Password=CHANGE_ME;TrustServerCertificate=True;"
  },

  // ── Entra External ID (CIAM) ─────────────────────────────────────────────
  // Tenant:   Positive Spend Clients  (cbf8b7d7-1e13-486d-b5b0-287ba79fdf0b)
  // SPA App:  AdPlatform Client SPA   (c426967f-bfcc-46af-b4e5-d69dc01cbf75)
  //
  // This is the CLIENT-facing CIAM tenant — NOT the internal positivespend.com
  // org tenant used by the Management/Admin console (f56a3c51).
  //
  // Tokens are issued by PositiveSpendClients.ciamlogin.com.
  // Microsoft.Identity.Web validates issuer, audience, and signature automatically.
  //
  // Override via env vars (docker-compose .env):
  //   AzureAd__Instance=https://PositiveSpendClients.ciamlogin.com/
  //   AzureAd__TenantId=cbf8b7d7-1e13-486d-b5b0-287ba79fdf0b
  //   AzureAd__ClientId=c426967f-bfcc-46af-b4e5-d69dc01cbf75
  "AzureAd": {
    "Instance": "https://PositiveSpendClients.ciamlogin.com/",
    "TenantId": "cbf8b7d7-1e13-486d-b5b0-287ba79fdf0b",
    "ClientId": "c426967f-bfcc-46af-b4e5-d69dc01cbf75",
    "Audience": "c426967f-bfcc-46af-b4e5-d69dc01cbf75"
  },

  // ── CORS ─────────────────────────────────────────────────────────────────
  // Comma-separated allowed origins.
  // Override via env var: CORS__AllowedOrigins (already in docker-compose .env)
  "CORS": {
    "AllowedOrigins": "https://client.positivespend.com,https://portal.positivespend.com"
  },

  // ── Admin API Key ────────────────────────────────────────────────────────
  // Used by ApiKeyAuthFilter on admin endpoints (pending / item / reject / complete).
  // Replaces Azure Functions AuthorizationLevel.Function in self-hosted mode.
  // Must match Registration__FunctionKey in docker-compose .env.
  // Override via env var: Registration__FunctionKey
  "Registration": {
    "FunctionKey": ""
  },

  // ── Logging ──────────────────────────────────────────────────────────────
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning",
      "Microsoft.Identity": "Warning"
    }
  },

  "AllowedHosts": "*"
}