Some checks failed
CI / build (push) Failing after 2s
Previously: jwt_secret defaulted to dev-secret-CHANGE-ME so a missing env var in production would silently boot with a known-public dev HMAC key — an instant auth bypass for any service verifying JWTs. Now: - Field(...) with no default → missing env raises ValidationError at boot - min_length=32 enforces minimum entropy (rejects dev placeholder too) - field_validator rejects the literal dev-secret-CHANGE-ME in ENVIRONMENT=prod as belt-and-suspenders in case min_length is loosened later Verified behavior: - no env, no .env -> ValidationError: Field required - ENVIRONMENT=prod, no JWT_SECRET -> ValidationError: Field required - prod, JWT_SECRET=dev-secret-... -> ValidationError: string_too_short - prod, JWT_SECRET=short -> ValidationError: string_too_short - prod, JWT_SECRET=<64 hex> -> OK, len=64 .env.example updated to show the placeholder + generation hint. Refs AUDIT-2026-Q3.md P1.5.
65 lines
No EOL
3.1 KiB
Text
65 lines
No EOL
3.1 KiB
Text
# RMI Backend — Environment Variables
|
|
# Copy this to .env and fill in real values for local dev.
|
|
# DO NOT commit .env — it's in .gitignore.
|
|
|
|
# ── Runtime ──────────────────────────────────────────────────────
|
|
ENVIRONMENT=dev
|
|
LOG_LEVEL=INFO
|
|
PORT=8000
|
|
|
|
# ── Database / Cache ────────────────────────────────────────────
|
|
DATABASE_URL=postgresql+asyncpg://rmi:rmi@localhost/rmi
|
|
REDIS_URL=redis://localhost:6379/0
|
|
|
|
# ── Auth ────────────────────────────────────────────────────────
|
|
JWT_SECRET= # MANDATORY in production — generate with: openssl rand -hex 32
|
|
JWT_ALGORITHM=HS256
|
|
JWT_EXPIRE_MINUTES=1440
|
|
|
|
# ── CORS ────────────────────────────────────────────────────────
|
|
CORS_ORIGINS=["*"]
|
|
|
|
# ── Rate limiting ───────────────────────────────────────────────
|
|
RATE_LIMIT_PER_MINUTE=100
|
|
|
|
# ── AI providers ────────────────────────────────────────────────
|
|
OLLAMA_URL=http://localhost:11434
|
|
OPENROUTER_API_KEY=
|
|
HUGGINGFACE_TOKEN=
|
|
DEEPSEEK_API_KEY=
|
|
OLLAMA_API_KEY=
|
|
|
|
# ── Langfuse v4 (observability) ─────────────────────────────────
|
|
LANGFUSE_PUBLIC_KEY=
|
|
LANGFUSE_SECRET_KEY=
|
|
LANGFUSE_HOST=http://localhost:3002
|
|
|
|
# ── External APIs ───────────────────────────────────────────────
|
|
COINGECKO_API_KEY=
|
|
ETHERSCAN_API_KEY=
|
|
BIRDEYE_API_KEY=
|
|
GOPLUS_API_KEY=
|
|
BASESCAN_API_KEY=
|
|
|
|
# ── Supabase (vector embeddings) ────────────────────────────────
|
|
SUPABASE_URL=
|
|
SUPABASE_SERVICE_KEY=
|
|
|
|
# ── Telegram Bot ────────────────────────────────────────────────
|
|
RUGMUNCH_BOT_TOKEN=
|
|
TELEGRAM_ALLOWED_USERS=7075336557
|
|
RMI_BACKEND_URL=http://localhost:8000
|
|
BOT_DB_PATH=/root/backend/data/bot_users.db
|
|
|
|
# ── Scan rate limits ─────────────────────────────────────────────
|
|
FREE_SCAN_LIMIT=5
|
|
PRO_SCAN_LIMIT=100
|
|
ELITE_SCAN_LIMIT=0
|
|
RMI_INTERNAL_KEY=rmi-internal-2026
|
|
|
|
# ── Apify ────────────────────────────────────────────────────────
|
|
APIFY_API_TOKEN=
|
|
|
|
# ── RAG ──────────────────────────────────────────────────────────
|
|
RAG_EMBEDDING_DIM=0
|
|
RAG_TABLE_DIM=640 |