# =============================================================================
# 4minds Platform — Customer Values (helm-native install template)
#
#   helm install 4minds . -n 4minds -f my-values.yaml     (run from the chart dir)
#
# Fill in the fields below for YOUR deployment. Everything not listed here has a
# sensible default in the chart — you only override what is specific to you.
#
# LEGEND:  [REQUIRED] must set   ·   [OPTIONAL] set only if you use that feature
#
# Cluster prerequisites (create BEFORE helm install — the chart does not).
# See INSTALL-GUIDE.md "Prerequisites checklist" (steps 1-7) for the commands:
#   • EKS cluster with OIDC (needed for IRSA)
#   • A default StorageClass + EBS CSI driver (EKS gp2/gp3, etc.)
#   • ingress-nginx controller installed
#   • Namespace  4minds  (kubectl create namespace 4minds)
#   • Secret  frontend-tls  (kubernetes.io/tls) for your hostname
#   • Image pull: on AWS Marketplace the EKS node IAM role pulls from the
#     Marketplace ECR — no pull secret needed. Only create one if you mirror
#     images into your own private registry (see global.imagePullSecrets).
#   • (kms seal only) A KMS key + IRSA role — see INSTALL-GUIDE.md prereq 7.
# =============================================================================

global:
  # [REQUIRED] The public DNS name your users reach the platform on.
  # EVERYTHING derives from this: backend API URL, frontend, websocket (wss),
  # symi, CORS origins, cookie domain, and ALL OAuth redirect URIs.
  # Set this correctly and you rarely need to touch any other URL below.
  hostname: "4minds.your-company.com"

  namespace: 4minds

  # Image pull auth:
  # On AWS Marketplace the images live in the Marketplace ECR and your EKS
  # NODES pull them via their IAM role (AmazonEC2ContainerRegistryReadOnly) —
  # NO imagePullSecrets needed. Leave this empty (the chart omits the field).
  #
  # ONLY set this if you mirror the images into your OWN private registry that
  # needs a docker-registry pull secret; then create the secret first and list
  # its name here:
  #   kubectl -n 4minds create secret docker-registry my-pull-secret ...
  imagePullSecrets: []
  # imagePullSecrets:
  #   - name: my-pull-secret

  security:
    allowInsecureImages: true

# -----------------------------------------------------------------------------
# Ingress + TLS  (nginx). The host and the TLS block are derived automatically
# from global.hostname above — you do NOT repeat the hostname here. You only
# provide the TLS secret: create `frontend-tls` (kubernetes.io/tls) for your
# hostname before installing (see INSTALL-GUIDE.md, prereq 5).
#
# Advanced: to serve extra hosts or use a different secret per host, set an
# explicit `tls:` list here — it overrides the auto-derived single-host block.
# -----------------------------------------------------------------------------
frontend-backend:
  ingress:
    enabled: true
    className: nginx
    tlsSecretName: frontend-tls    # host + TLS auto-derive from global.hostname

# -----------------------------------------------------------------------------
# OpenBao seal mode  —  configure it HERE, under `openbao.seal`.
# (The install/bootstrap reads ONLY `openbao.seal.mode`; there is no separate
#  top-level `seal:` to keep in sync.)
#   lab  = Shamir keys, auto-generated & stored in-cluster (simplest)
#   kms  = cloud KMS auto-unseal (recommended on AWS/GCP/Azure via IRSA/WI)
# -----------------------------------------------------------------------------
openbao:
  seal:
    mode: lab                  # lab | kms
    # [OPTIONAL] Fill only when mode: kms. Set the block for YOUR cloud; the
    # chart renders the matching seal stanza and (AWS) wires IRSA for you.
    # kms:
    #   provider: aws          # aws | azure | gcp
    #   # --- AWS: KMS key + IRSA role (recommended on EKS) ---
    #   region: us-east-1
    #   keyId: alias/4minds-openbao
    #   roleArn: arn:aws:iam::<acct>:role/4minds-openbao-irsa   # chart annotates
    #                                                           # the OpenBao SA
    #   # --- Azure Key Vault: tenantId + vaultName + keyName ---
    #   # --- GCP KMS: projectId + locationId + keyRing + cryptoKey ---
  # OpenBao data is persisted to a 2Gi PVC by default (needs a default
  # StorageClass — INSTALL-GUIDE prereq 2). Override only if needed:
  # storage:
  #   size: 5Gi
  #   storageClass: gp3

# -----------------------------------------------------------------------------
# [REQUIRED] Email — transactional email (signup verification, invites, reset).
#
# Choose the provider that fits YOUR company — all three are first-class:
#   provider: smtp      → any standard SMTP server (Gmail, O365, SES-SMTP, ...)
#   provider: sendgrid  → SendGrid API
#   provider: azure     → Azure Communication Services
#
# 1) set `provider` to your choice
# 2) fill the SAME-named block below (leave the others empty/removed)
# 3) set senderEmail / senderName
#
# If you do NOT want email verification at all (e.g. internal PoC), set
# disableVerification: "true" and you can leave the provider blocks empty.
# -----------------------------------------------------------------------------
email:
  provider: "smtp"                       # smtp | sendgrid | azure
  senderEmail: "noreply@your-company.com"
  senderName: "Your Company"
  disableVerification: "false"           # "true" to skip signup email verification

  # --- Option A: SMTP (standard mail server) ---
  smtp:
    host: "smtp.your-company.com"
    port: "587"
    user: "noreply@your-company.com"
    password: ""
    useTls: "true"

  # --- Option B: SendGrid ---
  sendgrid:
    apiKey: ""

  # --- Option C: Azure Communication Services ---
  azure:
    connectionString: ""

# -----------------------------------------------------------------------------
# [REQUIRED] Embedding endpoint (your BGE-M3 / embedding server). mlai uses it.
# -----------------------------------------------------------------------------
mlai:
  sslVerifyCertificates: "true"   # set "false" only for self-signed inference endpoints
  embedding:
    endpointUrl: "https://embeddings.your-company.com"
    modelName: "BAAI/bge-m3"
    dimension: "1024"
  # [OPTIONAL] Vision OCR / Vision-Language / image-gen endpoints
  visionOcr:
    enabled: "true"
    endpoint: "https://vlm.your-company.com/v1/chat/completions"
  vlm:
    enabled: "true"
    endpoint: "https://vlm.your-company.com/v1/chat/completions"
  flux:
    apiUrl: ""                    # leave empty to disable image generation

# -----------------------------------------------------------------------------
# [REQUIRED] LLM endpoints (your inference stack — vLLM / any OpenAI-compatible)
# -----------------------------------------------------------------------------
llm:
  historyEndpoint:       "https://llm.your-company.com/v1/chat/completions"
  crossEncoderEndpoint:  "https://reranker.your-company.com/rerank"
  summarizationEndpoint: "https://llm.your-company.com/v1/completions"
  models:
    # Map model keys to your served endpoints. gpt_oss_120b is used broadly
    # (mlai watchdog, finetuning registry, wren-ai text-to-SQL) — set it.
    # Unused ones can be left "".
    gpt_oss_120b:    "https://llm.your-company.com/v1"
    gpt_oss_20b:     ""
    qwen25_72b:      ""
    qwen3_30b:       ""
    qwen3_14b:       ""
    gemma3_12b:      ""
    nemotron_3_nano: ""
    llama4_scout:    ""
    minimax_m2:      ""

# -----------------------------------------------------------------------------
# [REQUIRED] Symi gateway LLM (the assistant). Works with ANY OpenAI-compatible
# endpoint (vLLM, your own gateway, etc.).
#   baseUrl     — your OpenAI-compatible chat endpoint (REQUIRED for Symi)
#   llmModel    — the model id served there
#   llmProvider — a free-form internal label (used as "<provider>/<model>");
#                 leave it or set to anything, e.g. "openai", "vllm". Not a vendor.
# apiKey: leave empty → Symi shares the backend's auto-generated SYMI_API_KEY.
# -----------------------------------------------------------------------------
symi-gateway:
  config:
    apiKey: ""
    llm:
      baseUrl:  "https://llm.your-company.com/v1"
      llmModel: "your-model"
      llmProvider: "internal"

# -----------------------------------------------------------------------------
# [REQUIRED] Wren-AI (natural-language → SQL for structured/analytics queries).
# It calls an OpenAI-compatible chat endpoint to generate SQL. Point llmEndpoint
# at your LLM (the OpenAI-compatible BASE url — code appends /chat/completions;
# same endpoint as llm.models.gpt_oss_120b). Empty → text-to-SQL returns 503.
# -----------------------------------------------------------------------------
wren-ai:
  config:
    llmEndpoint: "https://llm.your-company.com/v1"

# -----------------------------------------------------------------------------
# [OPTIONAL] SSO + connector integrations. ALL optional — enable ONLY the ones
# you use. None is required: users can always sign up / sign in with
# email + password.
#
# To enable a provider, UNCOMMENT the `oauth:` block below AND the specific
# provider line(s) you need. Put clientId here; the clientSecret goes in the
# `secrets:` block. redirectUri auto-derives from global.hostname (leave it
# out unless you need a custom one). Register the derived URI in each provider:
#   sign-in:      https://<hostname>/auth/<provider>/callback
#   integrations: https://<hostname>/api/v1/integrations/<provider>/oauth/callback
#
# IMPORTANT: if you uncomment `oauth:`, you MUST uncomment at least one child
# line under it (a bare `oauth:` with no children is invalid YAML/null). If you
# use NO SSO/integrations, leave this whole block commented — the chart's
# defaults apply and everything works.
# -----------------------------------------------------------------------------
# oauth:
#   # --- Sign-in / SSO providers ---
#   microsoft: { clientId: "" }
#   google:    { clientId: "" }
#   github:    { clientId: "" }
#   okta:      { clientId: "" }
#   # --- Data / connector integrations ---
#   sharepoint:  { clientId: "", scopes: "", tenant: "" }
#   office365:   { clientId: "", scopes: "", tenant: "" }
#   googleDrive: { clientId: "" }
#   gsuite:      { clientId: "" }
#   bigquery:    { clientId: "" }
#   vertexai:    { clientId: "" }
#   hubspot:     { clientId: "" }
#   slack:       { clientId: "" }
#   box:         { clientId: "" }
#   dropbox:     { clientId: "" }
#   dropboxWrite: { clientId: "" }
#   salesforce:  { clientId: "" }
#   supabase:    { clientId: "" }
#   servicenow:  {}                     # client_id/secret entered per-user in UI
#   gong:        { clientId: "", apiBaseUrl: "" }
#   databricks:  { clientId: "", accountId: "", m2mClientId: "" }
#   fabric:      { clientId: "" }
#   azureBlob:   { clientId: "" }
#   huggingface: { clientId: "" }
#   foundry:     { clientId: "", scopes: "", tenant: "" }

# -----------------------------------------------------------------------------
# Bundled datastores. Keep enabled unless you point at external services.
# -----------------------------------------------------------------------------
qdrant:
  enabled: true

# -----------------------------------------------------------------------------
# [OPTIONAL] Object storage. By DEFAULT the platform uses the bundled MinIO and
# you set NOTHING here. To use EXTERNAL S3 (AWS S3 or any S3-compatible store),
# uncomment `storage:` below and add s3AccessKey/s3SecretKey to the single
# `secrets:` block further down.
# -----------------------------------------------------------------------------
# storage:
#   endpoint: "https://s3.us-east-1.amazonaws.com"   # empty = bundled MinIO
#   region: us-east-1
#   bucketName: 4minds-uploads
#   useAzure: "false"          # "true" for Azure Blob (set secrets.azureStorageAccountKey)

# -----------------------------------------------------------------------------
# [OPTIONAL] Secrets — ONE block for ALL of them: OAuth client secrets for the
# integrations you enabled, plus external-S3 / Azure storage keys. The
# PG/Redis/MinIO/encryption keys are AUTO-GENERATED by the chart — do NOT set
# them here. For production prefer external-secrets / sealed-secrets over
# plaintext.
#
# IMPORTANT: keep this a SINGLE `secrets:` block. YAML has no key merging — a
# second `secrets:` anywhere in the file silently overrides the first. Uncomment
# `secrets:` + at least one child (a bare `secrets:` is invalid/null YAML).
# -----------------------------------------------------------------------------
# secrets:
#   # --- External object storage (only if storage.endpoint / useAzure set above) ---
#   s3AccessKey: ""                      # external S3 access key (empty = bundled MinIO)
#   s3SecretKey: ""                      # external S3 secret key
#   azureStorageAccountKey: ""           # when storage.useAzure: "true"
#   # --- OAuth client secrets (only for the providers you enabled above) ---
#   microsoftAuthClientSecret: ""
#   googleOauthClientSecret: ""
#   githubOauthClientSecret: ""
#   oktaOauthClientSecret: ""
#   sharepointOauthClientSecret: ""
#   office365OauthClientSecret: ""
#   hubspotAuthClientSecret: ""
#   slackClientSecret: ""
#   boxOauthClientSecret: ""
#   dropboxClientSecret: ""
#   dropboxWriteClientSecret: ""
#   bigqueryOauthClientSecret: ""
#   vertexaiOauthClientSecret: ""
#   salesforceAuthClientSecret: ""
#   supabaseAuthClientSecret: ""
#   gongOauthClientSecret: ""
#   databricksAuthClientSecret: ""
#   databricksM2mClientSecret: ""
#   fabricAuthClientSecret: ""
#   azureBlobOauthClientSecret: ""
#   hfOauthClientSecret: ""
#   hfApiToken: ""                       # HuggingFace API token (private datasets)

# -----------------------------------------------------------------------------
# [OPTIONAL] Images — DEFAULT to the official 4minds registry (do NOT override
# for a real install). Only set this if you mirror images into your own
# registry. NOTE: this belongs under the SAME top-level `global:` block at the
# top of this file — move it there rather than adding a second `global:` key.
# -----------------------------------------------------------------------------
# global:
#   imageRegistry: "your-registry.example.com/4minds"
