# /etc/lakehouse/auth.env — inter-service auth token per ADR-006.
#
# Mode 0600, owned by the lakehouse user (or root if systemd reads it
# before dropping privileges via User=). Loaded by every daemon's
# systemd unit via EnvironmentFile=-/etc/lakehouse/auth.env (the `-`
# prefix means "missing file is OK" so loopback-only deploys can skip
# this entirely).
#
# When the daemon binds non-loopback (anything other than 127.0.0.0/8
# or ::1), AUTH_TOKEN MUST be set — otherwise shared.Run refuses to
# start (R-001 + R-007 mechanical gate). Loopback-only deploys can
# leave this empty.
#
# Token rotation (ADR-006 Decision 6.5):
#   1. Generate new secret
#   2. Set AUTH_SECONDARY_TOKEN to new secret while AUTH_TOKEN stays
#      on old (lakehouse.toml [auth].secondary_tokens reads this)
#   3. Update every caller to use new secret
#   4. Promote: AUTH_TOKEN=, clear AUTH_SECONDARY_TOKEN
#   5. Restart daemons (or SIGHUP once hot-reload lands)

AUTH_TOKEN=
# AUTH_SECONDARY_TOKEN=   # only set during rotation windows