rmi-backend/.env.example
opencode 9c62549b50
Some checks failed
CI / build (push) Failing after 2s
fix(rmi-backend,audit): jwt_secret is required, fail-fast in prod (P1.5)
Previously: jwt_secret defaulted to dev-secret-CHANGE-ME so a missing
env var in production would silently boot with a known-public dev HMAC
key — an instant auth bypass for any service verifying JWTs.

Now:
- Field(...) with no default → missing env raises ValidationError at boot
- min_length=32 enforces minimum entropy (rejects dev placeholder too)
- field_validator rejects the literal dev-secret-CHANGE-ME in ENVIRONMENT=prod
  as belt-and-suspenders in case min_length is loosened later

Verified behavior:
- no env, no .env                 -> ValidationError: Field required
- ENVIRONMENT=prod, no JWT_SECRET -> ValidationError: Field required
- prod, JWT_SECRET=dev-secret-... -> ValidationError: string_too_short
- prod, JWT_SECRET=short          -> ValidationError: string_too_short
- prod, JWT_SECRET=<64 hex>       -> OK, len=64

.env.example updated to show the placeholder + generation hint.

Refs AUDIT-2026-Q3.md P1.5.
2026-07-06 17:53:49 +02:00

65 lines
No EOL
3.1 KiB
Text

# RMI Backend — Environment Variables
# Copy this to .env and fill in real values for local dev.
# DO NOT commit .env — it's in .gitignore.
# ── Runtime ──────────────────────────────────────────────────────
ENVIRONMENT=dev
LOG_LEVEL=INFO
PORT=8000
# ── Database / Cache ────────────────────────────────────────────
DATABASE_URL=postgresql+asyncpg://rmi:rmi@localhost/rmi
REDIS_URL=redis://localhost:6379/0
# ── Auth ────────────────────────────────────────────────────────
JWT_SECRET= # MANDATORY in production — generate with: openssl rand -hex 32
JWT_ALGORITHM=HS256
JWT_EXPIRE_MINUTES=1440
# ── CORS ────────────────────────────────────────────────────────
CORS_ORIGINS=["*"]
# ── Rate limiting ───────────────────────────────────────────────
RATE_LIMIT_PER_MINUTE=100
# ── AI providers ────────────────────────────────────────────────
OLLAMA_URL=http://localhost:11434
OPENROUTER_API_KEY=
HUGGINGFACE_TOKEN=
DEEPSEEK_API_KEY=
OLLAMA_API_KEY=
# ── Langfuse v4 (observability) ─────────────────────────────────
LANGFUSE_PUBLIC_KEY=
LANGFUSE_SECRET_KEY=
LANGFUSE_HOST=http://localhost:3002
# ── External APIs ───────────────────────────────────────────────
COINGECKO_API_KEY=
ETHERSCAN_API_KEY=
BIRDEYE_API_KEY=
GOPLUS_API_KEY=
BASESCAN_API_KEY=
# ── Supabase (vector embeddings) ────────────────────────────────
SUPABASE_URL=
SUPABASE_SERVICE_KEY=
# ── Telegram Bot ────────────────────────────────────────────────
RUGMUNCH_BOT_TOKEN=
TELEGRAM_ALLOWED_USERS=7075336557
RMI_BACKEND_URL=http://localhost:8000
BOT_DB_PATH=/root/backend/data/bot_users.db
# ── Scan rate limits ─────────────────────────────────────────────
FREE_SCAN_LIMIT=5
PRO_SCAN_LIMIT=100
ELITE_SCAN_LIMIT=0
RMI_INTERNAL_KEY=rmi-internal-2026
# ── Apify ────────────────────────────────────────────────────────
APIFY_API_TOKEN=
# ── RAG ──────────────────────────────────────────────────────────
RAG_EMBEDDING_DIM=0
RAG_TABLE_DIM=640