disk:
  service: Disk
  root: <%= ENV['WORKDIR'] || '.' %>/attachments
  public: true

aws_s3:
  service: S3
  access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %>
  secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %>
  region: <%= ENV['AWS_REGION'] || 'us-east-1' %>
  bucket: <%= ENV['S3_ATTACHMENTS_BUCKET'] %>
  public: <%= ENV['ACTIVE_STORAGE_PUBLIC'] == 'true' %>
  upload:
    cache_control: 'public, max-age=31536000'

# Secured storage service for completed documents (reuses ATS infrastructure)
# Uses IAM role for authentication in staging/production (no keys needed)
# Set SECURED_STORAGE_BUCKET and SECURED_STORAGE_REGION in Secrets Manager
aws_s3_secured:
  service: S3
  bucket: <%= ENV['SECURED_STORAGE_BUCKET'] %>
  region: <%= ENV['SECURED_STORAGE_REGION'] || 'us-east-1' %>
  public: false
  force_path_style: true

test:
  service: Disk
  root: <%= Rails.root.join("tmp/storage") %>
  public: true