447daf7fa8
A multi-agent audit of every doc against the code surfaced ~50 stale/missing
items (the roadmap/status docs and the backlog had fallen behind the code).
This catches them up:
- CLAUDE.md: phase status was ~3 phases stale ("Phase 1 is next" while Phase 1 +
chunks of 2 & 4 shipped). Rewrote the status list; added a model-provider
tech-stack entry; updated repo-layout (integrations objectstore/models,
deploy backup.sh/dev compose).
- ARCHITECTURE.md: §6 privacy engine described 3 visibility levels — corrected to
the shipped 4 (adds site_members); documented per-tree AI policy on Tree,
LLMProvider/EmbeddingProvider split + registry, ChangeProposal origin/status/
operations, verified-email session gate, instance-owner role, schema-drift
guard, and the env_file config model.
- PRD.md: 4-level visibility in US-040/§5.5, instance-owner role (§5.1/§5.11),
per-tree AI policy (§5.8), §8 sequencing annotated with shipped status, header
date/status bumped.
- README.md: 4-level privacy; softened "Full GEDCOM 7" to the 5.5.1/7 common
subset; noted backups + instance-owner admin; moved property/land to an
explicit "where it's headed" (no property models exist yet).
- BACKLOG.md: flipped ~15 shipped-but-open rows to Have (ChangeProposal, provider
abstraction, GEDCOM citation export, membership management, operator backup,
email-verification gate, per-tree AI policy, instance owner, the whole
visibility/public-viewing/child-resource-redaction cluster #41-#51/#46), and
reconciled the executive summary, "current defects" list, quick wins, and
differentiators. Left genuinely-open items (citation/source redaction, sitemap,
per-tree noindex, scoped-token API) accurately open.
- .env.example: dropped "SMTP wired in a later phase"; documented the worker
purge knobs, S3_PRESIGN_TTL, COOKIE_NAME; removed a stray duplicate line.
- design/: tree-visibility.md and change-proposal.md marked Shipped; corrected
the redaction approach (reuses member schemas, not a separate PublicPersonRead)
and the apply() rollback claim (v1 is not cross-op transactional), and marked
rate-limiting/sitemap/noindex as deferred.
No code changes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
113 lines
4.3 KiB
Bash
113 lines
4.3 KiB
Bash
# Provenance configuration — copy to `.env` and fill in. Never commit `.env`.
|
|
# Everything is twelve-factor; no endpoints or secrets live in code.
|
|
|
|
# --- Core ---
|
|
APP_ENV=development
|
|
|
|
# Instance owner / operator. The account(s) whose email is named here get
|
|
# instance-admin rights (the owner-only /admin surface, instance-wide settings).
|
|
# Comma-separated for several owners. Leave empty for an instance with no
|
|
# designated operator. Derived at request time — no migration, takes effect on
|
|
# restart. Set this to YOUR account email on a real deployment.
|
|
#
|
|
# The named account must have a VERIFIED email to be recognized as owner — this
|
|
# stops someone from claiming the owner address by registering it before you do.
|
|
# Register this email and verify it (via SMTP, or the link the console mailer
|
|
# prints to the backend logs) — ideally before exposing registration publicly.
|
|
OWNER_EMAIL=
|
|
|
|
# --- Images (pulled from git.jpaul.io; CI pushes to the LAN registry) ---
|
|
# test-main = current main build; or pin a semver / test-sha-<sha> for rollback.
|
|
IMAGE_TAG=test-main
|
|
|
|
# --- Database (Postgres) ---
|
|
POSTGRES_USER=provenance
|
|
POSTGRES_PASSWORD=change-me
|
|
POSTGRES_DB=provenance
|
|
# Backend connection string (async driver). Host 'postgres' = compose service.
|
|
DATABASE_URL=postgresql+asyncpg://provenance:change-me@postgres:5432/provenance
|
|
|
|
# --- Object storage (S3-compatible / MinIO) ---
|
|
MINIO_ROOT_USER=provenance
|
|
MINIO_ROOT_PASSWORD=change-me-too
|
|
S3_ENDPOINT_URL=http://minio:9000
|
|
S3_BUCKET=provenance
|
|
S3_ACCESS_KEY=provenance
|
|
S3_SECRET_KEY=change-me-too
|
|
S3_REGION=us-east-1
|
|
# Presigned media URL lifetime in seconds.
|
|
S3_PRESIGN_TTL=3600
|
|
|
|
# --- Edge (Caddy) ---
|
|
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
|
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
|
|
# tunnel forwards plain HTTP to caddy:80.
|
|
PROVENANCE_SITE_ADDRESS=:80
|
|
|
|
# --- Deploy-host services (optional, selected via COMPOSE_PROFILES) ---
|
|
# 'tunnel' -> cloudflared connector (needs CLOUDFLARE_TUNNEL_TOKEN; public hostname -> http://caddy:80)
|
|
# Auto-deploy is handled by the host's global Watchtower (watches the
|
|
# watchtower-enabled backend/frontend labels) — no profile needed here.
|
|
CLOUDFLARE_TUNNEL_TOKEN=
|
|
COMPOSE_PROFILES=
|
|
|
|
# --- Auth / sessions ---
|
|
SESSION_TTL_DAYS=30
|
|
TOKEN_TTL_HOURS=24
|
|
# Name of the session cookie.
|
|
COOKIE_NAME=provenance_session
|
|
# Set false for local http; true (default) behind TLS.
|
|
COOKIE_SECURE=false
|
|
# Base URL used to build links in outbound email.
|
|
APP_BASE_URL=http://localhost
|
|
# Mailer: 'console' logs links to stdout (dev); 'smtp' uses the SMTP settings below.
|
|
MAILER=console
|
|
# Require a verified email before an account has an active session. Leave false
|
|
# until SMTP works and existing accounts are verified, or you will lock users out.
|
|
REQUIRE_EMAIL_VERIFICATION=false
|
|
|
|
# --- Email (SMTP) ---
|
|
# Active when MAILER=smtp (above) and SMTP_HOST is set.
|
|
SMTP_HOST=
|
|
SMTP_PORT=587
|
|
SMTP_USERNAME=
|
|
SMTP_PASSWORD=
|
|
SMTP_FROM=
|
|
|
|
# --- Worker (soft-delete purge) ---
|
|
# How often the purge job runs, and how old a soft-deleted row must be before it
|
|
# is permanently removed (and its media objects cleaned up).
|
|
PURGE_INTERVAL_SECONDS=3600
|
|
PURGE_AFTER_DAYS=30
|
|
|
|
# --- Model providers (AI assistant + embeddings) -----------------------------
|
|
# Configure as many as you like — each turns on when its key is set. The
|
|
# default_* vars pick which one is used by default; the app can also select any
|
|
# configured provider by name. LLM and embeddings are independent (Anthropic has
|
|
# no embeddings endpoint). Leave the defaults 'null' to keep AI off.
|
|
DEFAULT_LLM_PROVIDER=null # null | anthropic | openai | xai | ollama
|
|
DEFAULT_EMBEDDING_PROVIDER=null # null | openai | ollama
|
|
LLM_MAX_TOKENS=4096
|
|
EMBEDDING_DIMENSIONS=1536 # must match the embedding model + pgvector column
|
|
|
|
# Anthropic (LLM)
|
|
ANTHROPIC_API_KEY=
|
|
ANTHROPIC_MODEL=claude-opus-4-8
|
|
|
|
# OpenAI (LLM + embeddings)
|
|
OPENAI_API_KEY=
|
|
OPENAI_BASE_URL=https://api.openai.com/v1
|
|
OPENAI_MODEL=gpt-4o
|
|
OPENAI_EMBEDDING_MODEL=text-embedding-3-small
|
|
|
|
# xAI / Grok — OpenAI-compatible (LLM)
|
|
XAI_API_KEY=
|
|
XAI_BASE_URL=https://api.x.ai/v1
|
|
XAI_MODEL=grok-2-latest # set to your account's current Grok model
|
|
|
|
# Ollama — local, OpenAI-compatible, no key (LLM + embeddings)
|
|
OLLAMA_ENABLED=false
|
|
OLLAMA_BASE_URL=http://localhost:11434/v1
|
|
OLLAMA_MODEL=llama3.1
|
|
OLLAMA_EMBEDDING_MODEL=nomic-embed-text
|