"""
Producao: sempre com DEBUG=False; chaves obrigatorias via ambiente.

Atras de Nginx (reverse proxy), use SECURE_SSL_REDIRECT=True apenas quando HTTPS
estiver ativo no Nginx; antes do certificado, use SECURE_SSL_REDIRECT=False para
testar por HTTP (ex.: IP publico). Nesse modo os cookies de sessao e CSRF continuam
marcados como Secure (SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE abaixo) e o navegador
nao os envia em HTTP, entao login, admin e formularios protegidos por CSRF nao
funcionam: serve apenas para confirmar que proxy e aplicacao respondem. Volte para
True assim que o certificado estiver instalado.
"""

from django.core.exceptions import ImproperlyConfigured
from decouple import Csv, config

from .base import *  # noqa: F403


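DEBUG = False

# Deliberately no default: a missing ALLOWED_HOSTS must fail at startup instead of
# silently falling back to something permissive. Do not use "*" here -- Host-header
# validation is what stops forged-Host attacks (cache poisoning, password-reset
# links pointing at an attacker's domain).
ALLOWED_HOSTS = config("ALLOWED_HOSTS", cast=Csv())

# Nginx must *set* the header itself (proxy_set_header X-Forwarded-Proto $scheme;)
# so that any client-supplied value is overwritten, and Django must not be reachable
# except through Nginx. Otherwise a client can send "X-Forwarded-Proto: https" over
# plain HTTP, request.is_secure() returns True and the SSL redirect is bypassed.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
# Set to False only while HTTPS is not yet terminated at Nginx (see module docstring).
SECURE_SSL_REDIRECT = config("SECURE_SSL_REDIRECT", default=True, cast=bool)
# Browsers only send these cookies over HTTPS, so login/CSRF do not work over plain HTTP.
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
# X-XSS-Protection: harmless, but modern browsers ignore this header; CSP is the real control.
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
# SecurityMiddleware emits Strict-Transport-Security only on HTTPS responses, so the
# HTTP test mode above is not affected. includeSubDomains + preload commit *every*
# subdomain to HTTPS for a year -- and effectively forever once submitted to the
# preload list -- so confirm all subdomains serve HTTPS before relying on preload.
SECURE_HSTS_SECONDS = config("SECURE_HSTS_SECONDS", default=31536000, cast=int)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
X_FRAME_OPTIONS = "DENY"

# Fail fast on secrets that are missing or still at a known development value.
# An empty string (e.g. DJANGO_SECRET_KEY= in the environment) would slip past a
# plain equality check against the dev placeholder, so reject falsy values too.
if not SECRET_KEY or SECRET_KEY == "unsafe-development-secret-key":  # noqa: F405
    raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set in production.")

# Known development/test values of INTERNAL_API_KEY; none may reach production.
_DEV_INTERNAL_API_KEYS = ("change-me", "test-internal-key")
if not INTERNAL_API_KEY or INTERNAL_API_KEY in _DEV_INTERNAL_API_KEYS:  # noqa: F405
    raise ImproperlyConfigured(
        "INTERNAL_API_KEY must be set to a strong secret in production (not the default dev key)."
    )

if not OPENAI_API_KEY:  # noqa: F405
    raise ImproperlyConfigured("OPENAI_API_KEY must be set in production.")

# SQLite is fine for development only; production needs Postgres for auth/sessions/admin.
if not USE_POSTGRES:  # noqa: F405
    raise ImproperlyConfigured(
        "USE_POSTGRES must be True in production. Configure POSTGRES_* no ambiente "
        "(o app nao grava dados de negocio no chat, mas o Django precisa do banco para "
        "auth/sessions/admin)."
    )

# Behind Nginx with `proxy_set_header Host $host;` this is normally False. If set to
# True, Django builds absolute URLs from X-Forwarded-Host (still validated against
# ALLOWED_HOSTS), so Nginx must set that header itself rather than pass through a
# client-supplied one.
USE_X_FORWARDED_HOST = config("USE_X_FORWARDED_HOST", default=False, cast=bool)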
