main
example 184 lines 7.91 KB
Raw
1 # =============================================================================
2 # siGit si — Environment Variables
3 # Copy this file to .env and fill in the values before running the app.
4 #
5 # cp .env.example .env
6 #
7 # .env is git-ignored. Never commit real secrets.
8 # =============================================================================
9
10
11 # -----------------------------------------------------------------------------
12 # smbCloud Auth (required)
13 # Register your application at https://smbcloud.xyz to obtain these values.
14 # -----------------------------------------------------------------------------
15
16 # Your smbCloud app identifier
17 SMBCLOUD_APP_ID=your-app-id-here
18
19 # Your smbCloud app secret
20 SMBCLOUD_APP_SECRET=your-app-secret-here
21
22 # Auth environment: "production" (default) or "dev" (local smbCloud Auth server)
23 SMBCLOUD_ENVIRONMENT=production
24
25 # "Continue with GitHub" for the code.sigit.si SPA: origins allowed to receive
26 # the brokered access_token from GET /api/v1/auth/github (comma-separated). The
27 # request's redirect_uri must match one of these or the start is rejected.
28 # Defaults to the production SPA + the local vite dev server when unset.
29 CODE_CLOUD_ALLOWED_ORIGINS=https://code.sigit.si,http://localhost:5180
30
31
32 # -----------------------------------------------------------------------------
33 # Onde Cloud (inference for the siGit clients)
34 # The siGit platform is an Onde Cloud customer. sigit-si authenticates the user,
35 # then forwards OpenAI-compatible chat completions to Onde Cloud using these app
36 # credentials, so the client never holds them. The model provider lives behind
37 # Onde Cloud. POST /api/v1/chat/completions uses these.
38 # -----------------------------------------------------------------------------
39
40 ONDE_CLOUD_APP_ID=your-onde-app-id-here
41 ONDE_CLOUD_APP_SECRET=your-onde-app-secret-here
42 # Optional; defaults to https://cloud.ondeinference.com/v1
43 # ONDE_CLOUD_BASE_URL=https://cloud.ondeinference.com/v1
44
45
46 # -----------------------------------------------------------------------------
47 # Web search (the MCP web_search tool)
48 # Search runs server-side so signed-in siGit Code users need no search API key
49 # of their own. Without a key the tool answers with an in-band error telling
50 # the operator to set this; nothing else breaks.
51 # -----------------------------------------------------------------------------
52
53 # Which provider adapter WebSearchService uses. Optional; defaults to "brave".
54 # SEARCH_PROVIDER=brave
55
56 # Brave Search API subscription token (https://api-dashboard.search.brave.com/)
57 # BRAVE_SEARCH_API_KEY=your-brave-search-api-key
58
59
60 # -----------------------------------------------------------------------------
61 # Stripe — siGit Code Pro/Team billing (the /billing page + Checkout/Portal).
62 # Separate from Onde Cloud billing. Billing is a no-op unless STRIPE_SECRET_KEY
63 # is set. Use sk_test_… in dev; sk_live_… in production. Rotating the key in the
64 # Stripe dashboard revokes the old one, so update this value too or Checkout
65 # fails with "Expired API Key".
66 # -----------------------------------------------------------------------------
67
68 STRIPE_SECRET_KEY=sk_test_your-stripe-secret-key
69 # Signing secret for the /stripe/webhooks endpoint (Stripe CLI or dashboard).
70 STRIPE_WEBHOOK_SECRET=whsec_your-webhook-signing-secret
71
72
73 # -----------------------------------------------------------------------------
74 # GitHub App — siGit Code automatic PR reviews (the hosted bot). Register the
75 # App and find these values per docs/github-app-reviews.md. In production,
76 # prefer Rails credentials (github_app.*) — the private key is multi-line.
77 # POST /github/webhooks uses these.
78 # -----------------------------------------------------------------------------
79
80 GITHUB_APP_ID=123456
81
82 # Webhook signing secret set on the GitHub App.
83 GITHUB_APP_WEBHOOK_SECRET=your-github-webhook-secret
84
85 # The App's private key PEM with literal \n escapes in place of newlines.
86 GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
87
88 # Kill switch: set to "false" to stop automatic reviews (new webhooks AND the
89 # queued backlog). Reviews are on by default when the App is configured.
90 # SIGIT_GITHUB_REVIEWS_ENABLED=true
91
92 # Onde tier used for reviews; defaults to onde-large.
93 # SIGIT_GITHUB_REVIEWS_MODEL=onde-large
94
95
96 # -----------------------------------------------------------------------------
97 # Database (PostgreSQL)
98 # The defaults below work with a local Postgres.app installation.
99 # -----------------------------------------------------------------------------
100
101 # Full connection URL takes precedence over individual vars when set.
102 # DATABASE_URL=postgres://sigitsi:password@localhost/sigitsi_development
103
104 # Individual vars (used when DATABASE_URL is not set)
105 # DB_HOST=localhost
106 # DB_PORT=5432
107 # DB_USERNAME=sigitsi
108 # DB_PASSWORD=
109
110
111 # -----------------------------------------------------------------------------
112 # Git repository storage
113 # Bare repos are stored under this directory, organised as:
114 # <SIGITSI_REPOS_PATH>/<username>/<reponame>.git
115 #
116 # Defaults to Rails.root/repos when not set.
117 # -----------------------------------------------------------------------------
118
119 # SIGITSI_REPOS_PATH=/var/sigitsi/repos
120
121 # Public base URL of this siGit install. Used to build absolute links (repo,
122 # pull request, and comment URLs) for API/MCP clients that have no request
123 # context of their own. Defaults to https://sigit.si when not set.
124 # SIGITSI_URL=https://sigit.si
125
126
127 # -----------------------------------------------------------------------------
128 # Import from GitHub (mirror + migrate)
129 # A GitHub OAuth App used ONLY for importing repos — separate from the smbCloud
130 # "Continue with GitHub" sign-in above. Register one at
131 # https://github.com/settings/developers with the callback:
132 # <SIGITSI_URL>/import/github/callback
133 # Without these, import-by-URL (public repos) still works; GitHub repo listing /
134 # private import does not.
135 # -----------------------------------------------------------------------------
136
137 # GITHUB_IMPORT_CLIENT_ID=your-github-oauth-app-client-id
138 # GITHUB_IMPORT_CLIENT_SECRET=your-github-oauth-app-client-secret
139
140 # Shared secret for the GitHub push webhook (POST /webhooks/github) that triggers
141 # immediate mirror syncs. Set the same value in the repo/org webhook config.
142 # GITHUB_WEBHOOK_SECRET=a-long-random-string
143
144 # Import guardrails (all optional; sensible defaults shown).
145 # IMPORT_MAX_REPO_SIZE_KB=2000000 # per-repo cap (~2 GB)
146 # IMPORT_MAX_USER_VOLUME_KB=10000000 # per-user in-flight cap (~10 GB)
147 # IMPORT_MAX_ACTIVE_PER_USER=10 # concurrent imports per user
148 # IMPORT_GIT_TIMEOUT=1800 # seconds a single clone/push may run
149 # MIRROR_SYNC_TIMEOUT=900 # seconds a single mirror fetch may run
150 # MIRROR_SYNC_INTERVAL_SECONDS=3600 # how stale a mirror may get before re-sync
151
152
153 # -----------------------------------------------------------------------------
154 # Active Record Encryption (required in production)
155 # Encrypts tokens at rest: the GitHub import OAuth token and any private mirror
156 # upstream credential. Generate a set with: bin/rails db:encryption:init
157 # In development/test these are derived from SECRET_KEY_BASE if unset (never used
158 # for real user data).
159 # -----------------------------------------------------------------------------
160
161 # ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
162 # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
163 # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
164
165
166 # -----------------------------------------------------------------------------
167 # Rails
168 # -----------------------------------------------------------------------------
169
170 # Must be set to a long random string in production.
171 # Generate one with: bin/rails secret
172 SECRET_KEY_BASE=
173
174 # "development", "test", or "production"
175 RAILS_ENV=development
176
177 # Number of Puma threads (also controls DB connection pool size)
178 RAILS_MAX_THREADS=5
179
180 # Set to "1" to serve static files from public/ in production
181 # RAILS_SERVE_STATIC_FILES=1
182
183 # Set to "1" to write logs to stdout in production (recommended for containers)
184 # RAILS_LOG_TO_STDOUT=1