.env.example
# AgentGate Docker Compose Environment Variables
# Copy this file to .env and fill in with secure values
# NEVER commit .env to version control
# Every value shipped in this example is public. Replace each placeholder
# secret before first start, use a different random value for each secret,
# and keep the resulting .env readable only by the account that runs
# docker compose.

# Database Configuration
POSTGRES_USER=agentgate
# Placeholder, not a usable password. Generate a random value
# (for example with: openssl rand -hex 32).
POSTGRES_PASSWORD=generate-secure-password-here
POSTGRES_DB=agentgate

# Backend Configuration
# Generate SECRET_KEY with: openssl rand -hex 32
# The value below is a placeholder and must be replaced; a key left at a
# published example value is known to anyone who has read this file.
SECRET_KEY=your-secret-key-here

# Identity provider mode
# local | descope | custom_oidc | hybrid_migration
IDENTITY_PROVIDER_MODE=local
# Allow local password auth in non-local modes
# NOTE(review): false presumably leaves the external identity provider as the
# only login path in those modes - confirm.
ALLOW_LOCAL_PASSWORD_AUTH=false
# Production-only local mode override
# NOTE(review): presumably has to be true before IDENTITY_PROVIDER_MODE=local
# is accepted with AGENTGATE_ENV=production - confirm against the server's
# startup checks.
ALLOW_PRODUCTION_LOCAL_AUTH=false
# Legacy role alias compatibility (operator -> approver)
# NOTE(review): while enabled, the legacy "operator" role is presumably
# treated as "approver"; review who still holds it and disable the alias once
# roles are migrated.
ROLE_OPERATOR_ALIAS_ENABLED=true
# API reference access mode: public | authenticated | admin_mcp
# NOTE(review): "public" presumably serves the API reference without a login;
# consider authenticated or admin_mcp on internet-facing deployments - confirm.
API_REFERENCE_ACCESS_MODE=public
# Roles allowed for MCP-privileged surfaces
# Keep this list as short as possible (comma-separated role names).
MCP_PRIVILEGED_ROLES=admin
# Required scopes when MCP scope enforcement is active
MCP_REQUIRED_SCOPES=mcp:admin,mcp:access
# Optional override for scope enforcement (true/false)
# NOTE(review): false here presumably means MCP_REQUIRED_SCOPES is not
# enforced; confirm the effective behaviour before deploying with this default.
MCP_REQUIRE_SCOPE=false
# API key scope governance
# Judging by the names, these lists decide which roles may create API keys
# with wildcard scopes, which may create keys with MCP scopes, and which
# custom scopes a key may carry - TODO confirm. Grant the wildcard list
# sparingly.
API_KEY_WILDCARD_ROLES=admin,security_admin
API_KEY_MCP_SCOPE_ROLES=admin,security_admin,developer
API_KEY_ALLOWED_CUSTOM_SCOPES=mcp:read,mcp:write,mcp:access,mcp:admin

# Descope OIDC validation
# Set all three together: the JWKS URL (https) supplies the signing keys, and
# issuer and audience pin which tokens are accepted.
# NOTE(review): behaviour with these left empty is not shown here - confirm
# that tokens are rejected rather than accepted without validation.
DESCOPE_JWKS_URL=
DESCOPE_ISSUER=
DESCOPE_AUDIENCE=
# Generic OIDC validation
# Same guidance as the Descope block above: https JWKS URL, and issuer and
# audience set to the exact values your provider issues.
OIDC_JWKS_URL=
OIDC_ISSUER=
OIDC_AUDIENCE=

# CORS Configuration (production only)
# Comma-separated list of allowed origins
# List exact origins including the scheme. The localhost default is for
# development; in production use the dashboard's real https origin.
ALLOWED_ORIGINS=http://localhost:3000
# Environment (development or production)
# NOTE(review): comments in this file describe CORS and hCaptcha as
# production requirements, so a deployed instance left on "development"
# presumably runs without them - confirm.
AGENTGATE_ENV=development

# Redis Configuration (for distributed rate limiting)
# This URL has no credentials and no TLS, which assumes Redis is reachable
# only on the compose-internal network. If it is exposed more widely, add a
# password and use a rediss:// URL.
REDIS_URL=redis://redis:6379/0

# Distributed health monitoring (optional)
# Enable periodic checks for API/dashboard/distributed targets.
# NOTE(review): the server presumably issues HTTP requests to every URL
# configured below; list only endpoints you operate.
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_ENABLED=false
# Comma-separated targets:
# name=url
# name|url|expected_substring
# Example:
# AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS=api=http://server:8000/api/health,dashboard|http://dashboard:3000|<html
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS=
# JSON form of the target list (format not shown in this file - TODO confirm).
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS_JSON=
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_INTERVAL_SECONDS=30
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TIMEOUT_SECONDS=5
AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_FAILURE_THRESHOLD=2
AGENTGATE_HEALTH_MONITOR_INCLUDE_DASHBOARD=false
AGENTGATE_DASHBOARD_HEALTH_URL=http://dashboard:3000

# HMAC secret for policy integrity signatures
# Generate with: openssl rand -hex 32
# Use a value distinct from SECRET_KEY and NEXTAUTH_SECRET.
# NOTE(review): empty by default; confirm whether the server refuses to start
# or skips policy signature checks when this is unset.
AGENTGATE_HMAC_SECRET=

# Security alert delivery channels
# Webhook URLs and the headers JSON can carry credentials (a Slack incoming
# webhook URL is itself a secret); treat them like passwords and use https
# endpoints.
SECURITY_ALERT_LOG_MIN_PRIORITY=low
SECURITY_ALERT_WEBHOOK_URL=
SECURITY_ALERT_WEBHOOK_HEADERS_JSON=
SECURITY_ALERT_WEBHOOK_MIN_PRIORITY=high
SECURITY_ALERT_WEBHOOK_TIMEOUT_SECONDS=10
SECURITY_ALERT_SLACK_WEBHOOK_URL=
SECURITY_ALERT_SLACK_CHANNEL=
SECURITY_ALERT_SLACK_MIN_PRIORITY=high
# Alert throttling and de-duplication. The names suggest a per-window cap,
# followed by a cooldown with its own cap and a de-duplication window - TODO
# confirm the exact semantics. Alerts suppressed by these limits presumably do
# not reach the webhook or Slack channels.
SECURITY_ALERT_WINDOW_SECONDS=60
SECURITY_ALERT_MAX_PER_WINDOW=10
SECURITY_ALERT_COOLDOWN_SECONDS=300
SECURITY_ALERT_MAX_DURING_COOLDOWN=1
SECURITY_ALERT_DEDUP_WINDOW_SECONDS=300

# Dashboard Configuration
# Public URL of the dashboard; use the real https origin in production.
NEXTAUTH_URL=http://localhost:3000
# Generate NEXTAUTH_SECRET with: openssl rand -hex 32
# The value below is a placeholder and must be replaced before first start.
NEXTAUTH_SECRET=your-nextauth-secret-here
API_URL=http://server:8000
# Required for the dashboard playground chat route
# Provider credential: give it the narrowest permissions and spending limit
# the provider allows, and keep it out of logs and image layers.
OPENAI_API_KEY=

# Default Admin (OPTIONAL - only for first startup)
# Leave empty to skip auto-creation (recommended for production)
# If you do use it, change the password after the first login and remove both
# lines from .env afterwards.
# DEFAULT_ADMIN_EMAIL=admin@yourcompany.com
# DEFAULT_ADMIN_PASSWORD=your-secure-password-here

# hCaptcha Configuration (for login protection)
# Get keys from: https://www.hcaptcha.com/
# Required for production to prevent brute force attacks
# HCAPTCHA_SECRET is the server-side verification secret and must stay
# private; HCAPTCHA_SITE_KEY is the public key embedded in the login page.
# Both values below are placeholders.
HCAPTCHA_SECRET=your_hcaptcha_secret_key_here
HCAPTCHA_SITE_KEY=your_hcaptcha_site_key_here