.env.example
# ---------------------------------------------------------------------------
# Edge runtime
# ---------------------------------------------------------------------------
# Every value in this section is a local-development example.
EDGE_ENV=dev
# 127.0.0.1 is the loopback address.
# NOTE(review): presumably the bind address of the edge API - confirm.
EDGE_HOST=127.0.0.1
EDGE_PORT=8787
# Example value published with the repository. Replace it with a long random
# token for any instance that is not a throwaway local setup.
EDGE_AUTH_TOKEN=devtoken
LOG_FORMAT=text
LOG_LEVEL=INFO
ALLOW_FALLBACK_EMBEDDINGS=0
SENTINELID_LOCKOUT_STATE_PATH=.sentinelid/lockout_state.json
TELEMETRY_ENABLED=false
# In EDGE_ENV=prod, non-loopback CLOUD_INGEST_URL must use https://
# The http:// value below targets loopback and is meant for local development.
CLOUD_INGEST_URL=http://127.0.0.1:8000/v1/ingest/events
# TLS material for the telemetry transport; all three paths are empty here.
# NOTE(review): presumably empty means default trust store and no client
# certificate - confirm against the transport code.
TELEMETRY_TLS_CA_BUNDLE_PATH=
TELEMETRY_MTLS_CERT_PATH=
# Points at a private key: keep that file readable only by the edge service
# account and out of version control.
TELEMETRY_MTLS_KEY_PATH=
# Optional comma-separated SHA-256 server certificate fingerprints (hex).
# NOTE(review): an empty value presumably leaves pinning disabled - confirm.
TELEMETRY_TLS_CERT_SHA256_PINS=
# In production with pinning enabled, require overlapping pins by default.
# Presumably so that a second pin (e.g. the successor certificate) is already
# trusted when the first one is rotated out - confirm.
TELEMETRY_TLS_MIN_PIN_COUNT_PROD=2
# Set to 1 only for controlled bootstrap windows.
# Return it to 0 once a second pin is configured.
TELEMETRY_TLS_ALLOW_SINGLE_PIN_PROD=0
# Optional startup preflight for live telemetry TLS/pinning checks.
# The timeout below is in seconds, per its name.
TELEMETRY_TRANSPORT_PREFLIGHT_ON_START=0
TELEMETRY_TRANSPORT_PREFLIGHT_TIMEOUT_SECONDS=5.0
# NOTE(review): presumably how long already-sent telemetry records are kept
# locally, and how often the cleanup sweep runs - confirm.
TELEMETRY_SENT_RETENTION_DAYS=30
TELEMETRY_RETENTION_SWEEP_INTERVAL_SECONDS=3600
# ---------------------------------------------------------------------------
# Cloud admin auth (required in cloud service)
# ---------------------------------------------------------------------------
# Example token, public in the repository. Generate a unique random value per
# deployment and keep the real .env out of version control.
ADMIN_API_TOKEN=dev-admin-token
# 127.0.0.1 is the loopback address. Replace the token above before setting
# this to anything other than loopback.
# NOTE(review): presumably the cloud service bind address - confirm.
CLOUD_BIND_HOST=127.0.0.1
# ---------------------------------------------------------------------------
# Admin dashboard server auth
# ---------------------------------------------------------------------------
ADMIN_UI_USERNAME=admin
# Dev-safe defaults below map to ADMIN_UI_PASSWORD=admin123! so a fresh clone can
# follow the runbook without hand-editing auth secrets first. Keep direct bcrypt
# hashes single-quoted in .env to avoid docker compose interpolation of "$" segments.
# The hash and the password it was derived from are both published in this
# file, so they protect nothing outside local development: run the command
# below with your own password and replace both hash variables.
# example: cd apps/admin && node -e "const b=require('bcryptjs'); console.log(b.hashSync('admin123!', 12));"
ADMIN_UI_PASSWORD_HASH='$2a$12$bBcV9Ds2tcdutyB7gyXLf.GGxhg0Fwgu.MnQ7EAdAqRqCPqjMRanu'
# Docker Compose-safe variant (base64 of the bcrypt hash above)
# Base64 is an encoding, not protection; it only removes the "$" characters.
# example: cd apps/admin && node -e "const b=require('bcryptjs'); process.stdout.write(Buffer.from(b.hashSync('admin123!', 12), 'utf8').toString('base64'));"
ADMIN_UI_PASSWORD_HASH_B64=JDJhJDEyJGJCY1Y5RHMydGNkdXR5QjdneVhMZi5HR3hoZzBGd2d1Lk1uUTdFQWRBcVJxQ1Bxak1SYW51
# Placeholder value. Replace with a unique random secret per deployment.
# NOTE(review): presumably the key protecting session cookies - confirm.
ADMIN_UI_SESSION_SECRET=dev-admin-session-secret-change-me
# TTL is in minutes, per its name (480 = 8 hours).
ADMIN_UI_SESSION_TTL_MINUTES=480
# NOTE(review): presumably toggles the Secure attribute on the session cookie;
# 0 suits plain-http localhost, expect 1 wherever the dashboard is served
# over HTTPS - confirm.
ADMIN_UI_SESSION_SECURE=0
# Used by smoke/demo scripts for local login automation only.
# Plaintext credential: leave it unset anywhere other than local dev.
ADMIN_UI_PASSWORD=admin123!
# Next.js inlines NEXT_PUBLIC_-prefixed variables into the browser bundle at
# build time (assuming apps/admin is a Next.js app), so this value is visible
# to every client. Never place a secret behind that prefix.
NEXT_PUBLIC_DEMO_MODE=1
# ---------------------------------------------------------------------------
# Desktop support bundle integration (optional)
# ---------------------------------------------------------------------------
# Vite exposes VITE_-prefixed variables to client code, so (assuming the
# desktop frontend is built with Vite) every value in this section ends up
# readable inside the shipped application bundle.
VITE_CLOUD_BASE_URL=http://127.0.0.1:8000
# Carries the same example value as ADMIN_API_TOKEN. A real admin token set
# here would be recoverable from the built desktop app.
# NOTE(review): confirm whether distributed builds need this variable at all,
# or can use a narrower-scoped credential.
VITE_ADMIN_TOKEN=dev-admin-token
VITE_ADMIN_UI_URL=http://127.0.0.1:3000/support