c5631d3eab
Provenance had no system-level owner: ownership was only per-tree (TreeMembership), so a self-hosted instance had no operator account and no instance-admin surface. This adds one, declared by environment per the project's twelve-factor rule. - OWNER_EMAIL (comma-separated): the account(s) named here are instance owners. Derived at request time — no DB column, no migration, can't drift from the env, survives DB resets. is_instance_owner()/InstanceOwner dependency in api/deps.py. - Ownership requires a VERIFIED email (independent of REQUIRE_EMAIL_VERIFICATION). Registration is open, so without this an attacker could seize the role by registering the owner address first; verification ties it to inbox control. - GET /api/v1/admin/instance (owner-only): operational status — version, env, user/tree counts, configured AI providers. Deliberately exposes no tree data or PII: instance ownership is an operator role, NOT a privacy-engine bypass. - /users/me reports is_instance_owner; frontend gains an owner-only /admin page and a conditional sidebar link (server-enforced, not just client-hidden). Found-and-fixed by an adversarial security review before merge: the verified-email land-grab (above) and a frontend null-deref where the admin page crashed on 401/5xx instead of failing closed. Docs: .env.example + ARCHITECTURE (notes the not-a-privacy-bypass boundary and the verified-email requirement). Tests: owner matching, the land-grab guard, /users/me, and owner-only /admin. Suite 96 passing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Justin Paul <justin@jpaul.me>
109 lines
4.4 KiB
Python
109 lines
4.4 KiB
Python
"""Application configuration.
|
|
|
|
Twelve-factor: everything is read from the environment. Defaults are
|
|
development-friendly; production supplies real values via the compose `.env`.
|
|
No secrets or endpoints are hard-coded.
|
|
"""
|
|
|
|
from functools import lru_cache
|
|
|
|
from pydantic import Field
|
|
from pydantic_settings import BaseSettings, SettingsConfigDict
|
|
|
|
|
|
class Settings(BaseSettings):
|
|
model_config = SettingsConfigDict(
|
|
env_file=".env",
|
|
env_file_encoding="utf-8",
|
|
extra="ignore",
|
|
)
|
|
|
|
app_name: str = "Provenance"
|
|
version: str = "0.0.0"
|
|
app_env: str = Field(default="development", description="development | production")
|
|
|
|
# --- Instance owner / operator ---
|
|
# Email(s) of the instance owner(s) — the operator(s) who run this server.
|
|
# The matching account(s) get instance-admin rights (instance-wide settings;
|
|
# see /api/v1/admin). Comma-separated for several. Empty = no designated
|
|
# owner (the instance has no operator account). Derived at request time, so
|
|
# changing it takes effect immediately with no migration or DB state.
|
|
owner_email: str = ""
|
|
|
|
def owner_emails(self) -> frozenset[str]:
|
|
"""Normalized (lowercased, trimmed) owner emails; empty if none set."""
|
|
return frozenset(e.strip().lower() for e in self.owner_email.split(",") if e.strip())
|
|
|
|
# SQLAlchemy async URL, e.g. postgresql+asyncpg://user:pass@host:5432/db
|
|
database_url: str = Field(
|
|
default="postgresql+asyncpg://provenance:provenance@localhost:5432/provenance",
|
|
)
|
|
|
|
# --- Auth / sessions ---
|
|
session_ttl_days: int = 30
|
|
token_ttl_hours: int = 24 # email-verify / password-reset token lifetime
|
|
cookie_name: str = "provenance_session"
|
|
cookie_secure: bool = True # set false for local http; true behind TLS
|
|
# Base URL used to build links in outbound email.
|
|
app_base_url: str = "http://localhost"
|
|
|
|
# --- Object storage (S3-compatible / MinIO) ---
|
|
s3_endpoint_url: str = "http://minio:9000"
|
|
s3_bucket: str = "provenance"
|
|
s3_access_key: str = "provenance"
|
|
s3_secret_key: str = "change-me-too"
|
|
s3_region: str = "us-east-1"
|
|
s3_presign_ttl: int = 3600 # seconds
|
|
|
|
# --- Worker ---
|
|
purge_interval_seconds: int = 3600 # how often to run the soft-delete purge
|
|
purge_after_days: int = 30 # soft-deleted rows older than this are purged
|
|
|
|
# --- Email (SMTP) ---
|
|
# When true, a user with no verified email gets no active session (login is
|
|
# refused and existing sessions stop resolving). Default false so self-hosts
|
|
# without SMTP — and accounts created before this gate existed — aren't
|
|
# locked out; operators turn it on once mail works and accounts are verified.
|
|
require_email_verification: bool = False
|
|
mailer: str = Field(default="console", description="console | smtp")
|
|
smtp_host: str | None = None
|
|
smtp_port: int = 587
|
|
smtp_username: str | None = None
|
|
smtp_password: str | None = None
|
|
smtp_from: str = "Provenance <no-reply@provenance.local>"
|
|
|
|
# --- Model providers (AI assistant + match-ranking embeddings) ---
|
|
# Configure as many as you like; each is enabled when its credentials are
|
|
# present. `default_*_provider` picks which one is used by default. LLM and
|
|
# embeddings are independent (Anthropic has no embeddings endpoint).
|
|
default_llm_provider: str = "null" # null | anthropic | openai | xai | ollama
|
|
default_embedding_provider: str = "null" # null | openai | ollama
|
|
llm_max_tokens: int = 4096
|
|
embedding_dimensions: int = 1536 # must match the embedding model + pgvector column
|
|
|
|
# Anthropic (LLM only)
|
|
anthropic_api_key: str | None = None
|
|
anthropic_model: str = "claude-opus-4-8"
|
|
|
|
# OpenAI (LLM + embeddings)
|
|
openai_api_key: str | None = None
|
|
openai_base_url: str = "https://api.openai.com/v1"
|
|
openai_model: str = "gpt-4o"
|
|
openai_embedding_model: str = "text-embedding-3-small"
|
|
|
|
# xAI / Grok — OpenAI-compatible (LLM)
|
|
xai_api_key: str | None = None
|
|
xai_base_url: str = "https://api.x.ai/v1"
|
|
xai_model: str = "grok-2-latest" # set to your account's current Grok model
|
|
|
|
# Ollama — local, OpenAI-compatible, no key (LLM + embeddings)
|
|
ollama_enabled: bool = False
|
|
ollama_base_url: str = "http://localhost:11434/v1"
|
|
ollama_model: str = "llama3.1"
|
|
ollama_embedding_model: str = "nomic-embed-text"
|
|
|
|
|
|
@lru_cache
|
|
def get_settings() -> Settings:
|
|
return Settings()
|