c5631d3eab
Provenance had no system-level owner: ownership was only per-tree (TreeMembership), so a self-hosted instance had no operator account and no instance-admin surface. This adds one, declared by environment per the project's twelve-factor rule. - OWNER_EMAIL (comma-separated): the account(s) named here are instance owners. Derived at request time — no DB column, no migration, can't drift from the env, survives DB resets. is_instance_owner()/InstanceOwner dependency in api/deps.py. - Ownership requires a VERIFIED email (independent of REQUIRE_EMAIL_VERIFICATION). Registration is open, so without this an attacker could seize the role by registering the owner address first; verification ties it to inbox control. - GET /api/v1/admin/instance (owner-only): operational status — version, env, user/tree counts, configured AI providers. Deliberately exposes no tree data or PII: instance ownership is an operator role, NOT a privacy-engine bypass. - /users/me reports is_instance_owner; frontend gains an owner-only /admin page and a conditional sidebar link (server-enforced, not just client-hidden). Found-and-fixed by an adversarial security review before merge: the verified-email land-grab (above) and a frontend null-deref where the admin page crashed on 401/5xx instead of failing closed. Docs: .env.example + ARCHITECTURE (notes the not-a-privacy-bypass boundary and the verified-email requirement). Tests: owner matching, the land-grab guard, /users/me, and owner-only /admin. Suite 96 passing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Justin Paul <justin@jpaul.me>
103 lines
4.0 KiB
Bash
103 lines
4.0 KiB
Bash
# Provenance configuration — copy to `.env` and fill in. Never commit `.env`.
|
|
# Everything is twelve-factor; no endpoints or secrets live in code.
|
|
|
|
# --- Core ---
|
|
APP_ENV=development
|
|
|
|
# Instance owner / operator. The account(s) whose email is named here get
|
|
# instance-admin rights (the owner-only /admin surface, instance-wide settings).
|
|
# Comma-separated for several owners. Leave empty for an instance with no
|
|
# designated operator. Derived at request time — no migration, takes effect on
|
|
# restart. Set this to YOUR account email on a real deployment.
|
|
#
|
|
# The named account must have a VERIFIED email to be recognized as owner — this
|
|
# stops someone from claiming the owner address by registering it before you do.
|
|
# Register this email and verify it (via SMTP, or the link the console mailer
|
|
# prints to the backend logs) — ideally before exposing registration publicly.
|
|
OWNER_EMAIL=
|
|
|
|
# --- Images (pulled from git.jpaul.io; CI pushes to the LAN registry) ---
|
|
# test-main = current main build; or pin a semver / test-sha-<sha> for rollback.
|
|
IMAGE_TAG=test-main
|
|
|
|
# --- Database (Postgres) ---
|
|
POSTGRES_USER=provenance
|
|
POSTGRES_PASSWORD=change-me
|
|
POSTGRES_DB=provenance
|
|
# Backend connection string (async driver). Host 'postgres' = compose service.
|
|
DATABASE_URL=postgresql+asyncpg://provenance:change-me@postgres:5432/provenance
|
|
|
|
# --- Object storage (S3-compatible / MinIO) ---
|
|
MINIO_ROOT_USER=provenance
|
|
MINIO_ROOT_PASSWORD=change-me-too
|
|
S3_ENDPOINT_URL=http://minio:9000
|
|
S3_BUCKET=provenance
|
|
S3_ACCESS_KEY=provenance
|
|
S3_SECRET_KEY=change-me-too
|
|
S3_REGION=us-east-1
|
|
|
|
# --- Edge (Caddy) ---
|
|
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
|
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
|
|
# tunnel forwards plain HTTP to caddy:80.
|
|
PROVENANCE_SITE_ADDRESS=:80
|
|
|
|
# --- Deploy-host services (optional, selected via COMPOSE_PROFILES) ---
|
|
# 'tunnel' -> cloudflared connector (needs CLOUDFLARE_TUNNEL_TOKEN; public hostname -> http://caddy:80)
|
|
# Auto-deploy is handled by the host's global Watchtower (watches the
|
|
# watchtower-enabled backend/frontend labels) — no profile needed here.
|
|
CLOUDFLARE_TUNNEL_TOKEN=
|
|
COMPOSE_PROFILES=
|
|
|
|
# --- Auth / sessions ---
|
|
SESSION_TTL_DAYS=30
|
|
TOKEN_TTL_HOURS=24
|
|
# Set false for local http; true (default) behind TLS.
|
|
COOKIE_SECURE=false
|
|
# Base URL used to build links in outbound email.
|
|
APP_BASE_URL=http://localhost
|
|
# Mailer: 'console' logs links to stdout (dev); 'smtp' uses the SMTP settings below.
|
|
MAILER=console
|
|
# Require a verified email before an account has an active session. Leave false
|
|
# until SMTP works and existing accounts are verified, or you will lock users out.
|
|
REQUIRE_EMAIL_VERIFICATION=false
|
|
|
|
# --- Email (SMTP) — wired in a later phase ---
|
|
SMTP_HOST=
|
|
SMTP_PORT=587
|
|
SMTP_USERNAME=
|
|
SMTP_PASSWORD=
|
|
SMTP_FROM=
|
|
|
|
# --- Model providers (AI assistant + embeddings) -----------------------------
|
|
# Configure as many as you like — each turns on when its key is set. The
|
|
# default_* vars pick which one is used by default; the app can also select any
|
|
# configured provider by name. LLM and embeddings are independent (Anthropic has
|
|
# no embeddings endpoint). Leave the defaults 'null' to keep AI off.
|
|
DEFAULT_LLM_PROVIDER=null # null | anthropic | openai | xai | ollama
|
|
DEFAULT_EMBEDDING_PROVIDER=null # null | openai | ollama
|
|
LLM_MAX_TOKENS=4096
|
|
EMBEDDING_DIMENSIONS=1536 # must match the embedding model + pgvector column
|
|
|
|
# Anthropic (LLM)
|
|
ANTHROPIC_API_KEY=
|
|
ANTHROPIC_MODEL=claude-opus-4-8
|
|
|
|
# OpenAI (LLM + embeddings)
|
|
OPENAI_API_KEY=
|
|
OPENAI_BASE_URL=https://api.openai.com/v1
|
|
OPENAI_MODEL=gpt-4o
|
|
OPENAI_EMBEDDING_MODEL=text-embedding-3-small
|
|
|
|
# xAI / Grok — OpenAI-compatible (LLM)
|
|
XAI_API_KEY=
|
|
XAI_BASE_URL=https://api.x.ai/v1
|
|
XAI_MODEL=grok-2-latest # set to your account's current Grok model
|
|
|
|
# Ollama — local, OpenAI-compatible, no key (LLM + embeddings)
|
|
OLLAMA_ENABLED=false
|
|
OLLAMA_BASE_URL=http://localhost:11434/v1
|
|
OLLAMA_MODEL=llama3.1
|
|
OLLAMA_EMBEDDING_MODEL=nomic-embed-text
|
|
# XAI_API_KEY=
|