# Deployment Configuration Guide

## Environment Variables

For a secure production deployment, you must set the following environment variables.

### 1. Frontend (Next.js)

These variables should be set in your Vercel project settings or `.env.production`. None of them may carry the `NEXT_PUBLIC_` prefix: Next.js inlines such variables into the browser bundle, which would expose the secrets below.

| Variable | Description | Example Value |
|----------|-------------|---------------|
| `NEXTAUTH_URL` | The canonical URL of your site; the Google OAuth redirect URI is derived from it | `https://your-app.com` |
| `NEXTAUTH_SECRET` | Secret used to encrypt/sign NextAuth.js JWTs and hash verification tokens | output of `openssl rand -base64 32` |
| `GOOGLE_CLIENT_ID` | OAuth Client ID from Google Cloud | `123...apps.googleusercontent.com` |
| `GOOGLE_CLIENT_SECRET` | OAuth Client Secret from Google Cloud | `GOCSPX-...` |
| `INTERNAL_API_KEY` | **CRITICAL**: Shared secret used to authenticate to the Python backend; server-side only | `long-random-string-shared-with-backend` |
| `PYTHON_API_URL` | URL of your deployed Python backend (must be `https://`) | `https://api.your-app.com` |
| `DATABASE_URL` | Connection string for your production DB (e.g., Postgres) | `postgresql://user:pass@host:5432/db` |

> **Note on Database**: Currently, the app uses SQLite (`file:./dev.db`). For production, switch the `provider` in `prisma/schema.prisma` to `postgresql` or `mysql`, point `url` at `env("DATABASE_URL")`, and regenerate the migration history, since Prisma migrations are specific to the provider they were created for.

### 2. Backend (Python / FastAPI)

These variables should be set in your backend hosting service (e.g., Railway, Render, AWS).

| Variable | Description | Example Value |
|----------|-------------|---------------|
| `INTERNAL_API_KEY` | **CRITICAL**: Must match the frontend key exactly | `long-random-string-shared-with-backend` |
| `OPENAI_API_KEY` | For generating animation code | `sk-...` |
| `ELEVENLABS_API_KEY` | For generating voiceovers | `...` |
| `ANTHROPIC_API_KEY` | (Optional) If using Claude models | `sk-ant-...` |
| `CODE_GEN_MODEL` | Model to use for code generation | `gpt-4o` or `claude-3-5-sonnet-20240620` |

## Security Checklist

1. [ ] **Generate a Strong `INTERNAL_API_KEY`**: Use `openssl rand -hex 32` to generate a secure key (32 random bytes, 64 hex characters). Set the identical value on BOTH frontend and backend, and never reuse it as any other secret.
2. [ ] **HTTPS Everywhere**: Ensure both your frontend and backend are served over HTTPS, so `NEXTAUTH_URL` and `PYTHON_API_URL` both start with `https://`. Over plain HTTP the shared `INTERNAL_API_KEY` travels in cleartext on every request.
3. [ ] **Database**: Do not use SQLite in production if you have multiple server instances (serverless). SQLite is a single local file, so each instance would see its own copy and writes would diverge or be lost on redeploy. Use a managed Postgres database (e.g., Supabase, Neon, Railway).
4. [ ] **CORS**: In `api_server.py`, update `allow_origins` to list only your production frontend origin (scheme and host, e.g. `https://your-app.com`), not `*` or `localhost`.
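The checklist above is easy to forget at deploy time, so it is worth enforcing at process start. The following is an added example (not the project's `api_server.py`) that validates the variables from this guide and refuses to run when one of the checklist items is violated. It uses the variable names from the tables plus two hypothetical extras: `APP_ENV` (treated as `production` unless set otherwise) and `ALLOWED_ORIGINS`, a comma-separated list intended for `CORSMiddleware`'s `allow_origins`. `key_matches` shows the constant-time comparison the backend should use when it checks the `INTERNAL_API_KEY` a request presents.

```python
"""Fail-closed startup checks for the deployment settings in this guide.

Added example, not the project's own code. Assumes the hypothetical
APP_ENV and ALLOWED_ORIGINS variables in addition to those in the tables.
"""
import hmac
from typing import Dict, List, Mapping, Optional
from urllib.parse import urlparse

MIN_KEY_HEX_CHARS = 64  # `openssl rand -hex 32` -> 32 bytes -> 64 hex characters


class ConfigError(ValueError):
    """Raised for any setting that would make the deployment unsafe."""


def check_internal_key(key: Optional[str]) -> str:
    """Checklist item 1: INTERNAL_API_KEY must exist and be long enough to resist guessing."""
    if not key:
        raise ConfigError("INTERNAL_API_KEY is not set")
    if len(key) < MIN_KEY_HEX_CHARS:
        raise ConfigError("INTERNAL_API_KEY is too short; generate it with `openssl rand -hex 32`")
    return key


def key_matches(presented: Optional[str], expected: str) -> bool:
    """Compare a request's key with the configured one in constant time, so
    response timing does not reveal how many leading characters matched."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def check_https_url(name: str, url: Optional[str]) -> str:
    """Checklist item 2: service URLs must be https:// with a host."""
    parsed = urlparse(url or "")
    if parsed.scheme != "https" or not parsed.netloc:
        raise ConfigError(f"{name} must be an https:// URL, got {url!r}")
    return str(url)


def check_database_url(url: Optional[str], production: bool) -> str:
    """Checklist item 3: refuse SQLite (file:/sqlite:) in production."""
    if not url:
        raise ConfigError("DATABASE_URL is not set")
    if production and urlparse(url).scheme in ("file", "sqlite"):
        raise ConfigError("SQLite is unsafe with multiple instances; use Postgres or MySQL")
    return url


def parse_allowed_origins(raw: Optional[str], production: bool) -> List[str]:
    """Checklist item 4: build an explicit allow_origins list and reject the
    values that defeat CORS (wildcard, localhost, plain http) in production."""
    origins = [o.strip() for o in (raw or "").split(",") if o.strip()]
    if not origins:
        raise ConfigError("ALLOWED_ORIGINS is empty; set it to the production frontend origin")
    for origin in origins:
        if origin == "*":
            raise ConfigError("allow_origins must not contain '*'")
        parsed = urlparse(origin)
        # A CORS origin is scheme://host[:port] only; a path or trailing slash never matches.
        if parsed.scheme not in ("http", "https") or not parsed.netloc or parsed.path or parsed.query:
            raise ConfigError(f"{origin!r} is not a bare origin (scheme://host[:port])")
        if production and (parsed.scheme != "https" or parsed.hostname in ("localhost", "127.0.0.1")):
            raise ConfigError(f"{origin!r} is not allowed as a production origin")
    return origins


def load_backend_config(env: Mapping[str, str]) -> Dict[str, object]:
    """Validate everything up front; call with os.environ before building the FastAPI app."""
    production = env.get("APP_ENV", "production") == "production"
    config: Dict[str, object] = {
        "production": production,
        "internal_api_key": check_internal_key(env.get("INTERNAL_API_KEY")),
        "allowed_origins": parse_allowed_origins(env.get("ALLOWED_ORIGINS"), production),
    }
    if not env.get("OPENAI_API_KEY"):
        raise ConfigError("OPENAI_API_KEY is not set")
    # Frontend-side variables are validated only when present in this environment.
    if "DATABASE_URL" in env:
        config["database_url"] = check_database_url(env["DATABASE_URL"], production)
    if "PYTHON_API_URL" in env:
        config["python_api_url"] = check_https_url("PYTHON_API_URL", env["PYTHON_API_URL"])
    return config


def describe_problem(env: Mapping[str, str]) -> Optional[str]:
    """Return the first configuration error message, or None when the env is acceptable."""
    try:
        load_backend_config(env)
    except ConfigError as exc:
        return str(exc)
    return None


# Constructed sample environments for demonstration; the values are not real secrets.
GOOD_ENV = {
    "APP_ENV": "production",
    "INTERNAL_API_KEY": "a" * 64,
    "OPENAI_API_KEY": "sk-example",
    "DATABASE_URL": "postgresql://user:pass@db.example.com:5432/app",
    "PYTHON_API_URL": "https://api.your-app.com",
    "ALLOWED_ORIGINS": "https://your-app.com",
}
SQLITE_ENV = dict(GOOD_ENV, DATABASE_URL="file:./dev.db")
WILDCARD_ENV = dict(GOOD_ENV, ALLOWED_ORIGINS="*")
LOCALHOST_ENV = dict(GOOD_ENV, ALLOWED_ORIGINS="https://your-app.com,http://localhost:3000")
DEV_ENV = dict(LOCALHOST_ENV, APP_ENV="development")

if __name__ == "__main__":
    for name, env in [("good", GOOD_ENV), ("sqlite", SQLITE_ENV), ("wildcard", WILDCARD_ENV),
                      ("localhost", LOCALHOST_ENV), ("dev", DEV_ENV)]:
        print(name, "->", describe_problem(env) or "ok")
```

In the backend, call `load_backend_config(os.environ)` once at import time and pass `config["allowed_origins"]` to `CORSMiddleware(allow_origins=...)`; use `key_matches(presented, config["internal_api_key"])` in the dependency that checks the key header on every internal request, rather than `==`, which short-circuits on the first differing byte.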