Files
provenance/deploy/.env.example
T
justin c5631d3eab Add an instance owner/operator role (env-declared via OWNER_EMAIL)
Provenance had no system-level owner: ownership was only per-tree
(TreeMembership), so a self-hosted instance had no operator account and no
instance-admin surface. This adds one, declared by environment per the project's
twelve-factor rule.

- OWNER_EMAIL (comma-separated): the account(s) named here are instance owners.
  Derived at request time — no DB column, no migration, can't drift from the env,
  survives DB resets. is_instance_owner()/InstanceOwner dependency in api/deps.py.
- Ownership requires a VERIFIED email (independent of REQUIRE_EMAIL_VERIFICATION).
  Registration is open, so without this an attacker could seize the role by
  registering the owner address first; verification ties it to inbox control.
- GET /api/v1/admin/instance (owner-only): operational status — version, env,
  user/tree counts, configured AI providers. Deliberately exposes no tree data
  or PII: instance ownership is an operator role, NOT a privacy-engine bypass.
- /users/me reports is_instance_owner; frontend gains an owner-only /admin page
  and a conditional sidebar link (server-enforced, not just client-hidden).

Found-and-fixed by an adversarial security review before merge: the
verified-email land-grab (above) and a frontend null-deref where the admin page
crashed on 401/5xx instead of failing closed.

Docs: .env.example + ARCHITECTURE (notes the not-a-privacy-bypass boundary and
the verified-email requirement). Tests: owner matching, the land-grab guard,
/users/me, and owner-only /admin. Suite 96 passing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-09 23:16:45 -04:00

103 lines
4.0 KiB
Bash

# Provenance configuration — copy to `.env` and fill in. Never commit `.env`.
# Everything is twelve-factor; no endpoints or secrets live in code.
# --- Core ---
APP_ENV=development
# Instance owner / operator. The account(s) whose email is named here get
# instance-admin rights (the owner-only /admin surface, instance-wide settings).
# Comma-separated for several owners. Leave empty for an instance with no
# designated operator. Derived at request time — no migration, takes effect on
# restart. Set this to YOUR account email on a real deployment.
#
# The named account must have a VERIFIED email to be recognized as owner — this
# stops someone from claiming the owner address by registering it before you do.
# Register this email and verify it (via SMTP, or the link the console mailer
# prints to the backend logs) — ideally before exposing registration publicly.
OWNER_EMAIL=
# --- Images (pulled from git.jpaul.io; CI pushes to the LAN registry) ---
# test-main = current main build; or pin a semver / test-sha-<sha> for rollback.
IMAGE_TAG=test-main
# --- Database (Postgres) ---
POSTGRES_USER=provenance
POSTGRES_PASSWORD=change-me
POSTGRES_DB=provenance
# Backend connection string (async driver). Host 'postgres' = compose service.
DATABASE_URL=postgresql+asyncpg://provenance:change-me@postgres:5432/provenance
# --- Object storage (S3-compatible / MinIO) ---
MINIO_ROOT_USER=provenance
MINIO_ROOT_PASSWORD=change-me-too
S3_ENDPOINT_URL=http://minio:9000
S3_BUCKET=provenance
S3_ACCESS_KEY=provenance
S3_SECRET_KEY=change-me-too
S3_REGION=us-east-1
# --- Edge (Caddy) ---
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
# tunnel forwards plain HTTP to caddy:80.
PROVENANCE_SITE_ADDRESS=:80
# --- Deploy-host services (optional, selected via COMPOSE_PROFILES) ---
# 'tunnel' -> cloudflared connector (needs CLOUDFLARE_TUNNEL_TOKEN; public hostname -> http://caddy:80)
# Auto-deploy is handled by the host's global Watchtower (watches the
# watchtower-enabled backend/frontend labels) — no profile needed here.
CLOUDFLARE_TUNNEL_TOKEN=
COMPOSE_PROFILES=
# --- Auth / sessions ---
SESSION_TTL_DAYS=30
TOKEN_TTL_HOURS=24
# Set false for local http; true (default) behind TLS.
COOKIE_SECURE=false
# Base URL used to build links in outbound email.
APP_BASE_URL=http://localhost
# Mailer: 'console' logs links to stdout (dev); 'smtp' uses the SMTP settings below.
MAILER=console
# Require a verified email before an account has an active session. Leave false
# until SMTP works and existing accounts are verified, or you will lock users out.
REQUIRE_EMAIL_VERIFICATION=false
# --- Email (SMTP) — wired in a later phase ---
SMTP_HOST=
SMTP_PORT=587
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_FROM=
# --- Model providers (AI assistant + embeddings) -----------------------------
# Configure as many as you like — each turns on when its key is set. The
# default_* vars pick which one is used by default; the app can also select any
# configured provider by name. LLM and embeddings are independent (Anthropic has
# no embeddings endpoint). Leave the defaults 'null' to keep AI off.
DEFAULT_LLM_PROVIDER=null # null | anthropic | openai | xai | ollama
DEFAULT_EMBEDDING_PROVIDER=null # null | openai | ollama
LLM_MAX_TOKENS=4096
EMBEDDING_DIMENSIONS=1536 # must match the embedding model + pgvector column
# Anthropic (LLM)
ANTHROPIC_API_KEY=
ANTHROPIC_MODEL=claude-opus-4-8
# OpenAI (LLM + embeddings)
OPENAI_API_KEY=
OPENAI_BASE_URL=https://api.openai.com/v1
OPENAI_MODEL=gpt-4o
OPENAI_EMBEDDING_MODEL=text-embedding-3-small
# xAI / Grok — OpenAI-compatible (LLM)
XAI_API_KEY=
XAI_BASE_URL=https://api.x.ai/v1
XAI_MODEL=grok-2-latest # set to your account's current Grok model
# Ollama — local, OpenAI-compatible, no key (LLM + embeddings)
OLLAMA_ENABLED=false
OLLAMA_BASE_URL=http://localhost:11434/v1
OLLAMA_MODEL=llama3.1
OLLAMA_EMBEDDING_MODEL=nomic-embed-text
# XAI_API_KEY=