# .env.example
# All required environment variables for pactum backend v0.1
# Copy to .env and fill in your actual values
# The filled-in .env holds signing keys, OAuth client secrets and API tokens:
# keep it out of version control and readable only by the service account.
# NOTE(review): many values below carry a trailing `# ...` comment. Not every
# loader strips these (`docker run --env-file`, for one, keeps the text as part
# of the value) — confirm the loader used by the backend does before relying on it.
# The RPC endpoint is the backend's source of on-chain state. The public
# mainnet-beta endpoint is shared and rate-limited; presumably a dedicated
# provider is intended for production — confirm.
SOLANA_RPC_URL=https://api.mainnet-beta.solana.com
SOLANA_WS_URL=wss://api.mainnet-beta.solana.com
PROGRAM_ID=<pactum_program_pubkey>
# JWT_SECRET, ENCRYPTION_KEY and ENCRYPTION_INDEX_KEY must be three independent
# values from a CSPRNG (e.g. `openssl rand -hex 32` run once per variable).
# Reusing one value across them ties token forgery, PII decryption and
# email-index lookup to the same leak.
# NOTE(review): nothing here describes rotation for these three keys; changing
# ENCRYPTION_KEY / ENCRYPTION_INDEX_KEY presumably requires re-encrypting and
# re-indexing stored rows — confirm before rotating.
JWT_SECRET=<random_256bit_hex>
JWT_ACCESS_EXPIRY_SECONDS=900 # 15 minutes — short window limits leaked token exposure
JWT_REFRESH_EXPIRY_SECONDS=604800 # 7 days — stored in PG, revocable on logout
ENCRYPTION_KEY=<random_256bit_hex> # AES-256 key for PII
ENCRYPTION_INDEX_KEY=<random_256bit_hex> # HMAC key for blind email index
# OAuth providers — all free except Apple ($99/yr Apple Developer Program)
# Each *_REDIRECT_URI must match, character for character, a redirect URI
# registered with that provider; keep the registered list limited to these.
GOOGLE_CLIENT_ID=<google_oauth_client_id>
GOOGLE_CLIENT_SECRET=<google_oauth_client_secret>
GOOGLE_REDIRECT_URI=https://api.pactum.app/auth/oauth/google/callback
MICROSOFT_CLIENT_ID=<azure_app_client_id>
MICROSOFT_CLIENT_SECRET=<azure_app_client_secret>
MICROSOFT_REDIRECT_URI=https://api.pactum.app/auth/oauth/microsoft/callback
# With 'common', sign-ins can come from any organisation's tenant as well as
# personal accounts, so the token issuer varies per tenant.
# NOTE(review): confirm account linking keys on the provider's immutable
# subject/object id and not on the email claim, which is not guaranteed to be
# verified for multi-tenant sign-ins.
MICROSOFT_TENANT=common # 'common' allows personal + work accounts
RESEND_API_KEY=<resend_api_key>
EMAIL_FROM=noreply@pactum.app
INVITE_BASE_URL=https://app.pactum.app/invite # Base URL for party invitation links
INVITE_EXPIRY_SECONDS=604800 # 7 days — invitation link validity (must be < expires_in_secs)
INVITE_REMINDER_AFTER_SECONDS=259200 # 3 days — send reminder if no response by then
# Payment
PLATFORM_FEE_USD_CENTS=199 # Per-agreement fee: $1.99 (stored as cents, no float)
PLATFORM_FEE_FREE_TIER=3 # Lifetime free agreements per user
PLATFORM_NONREFUNDABLE_FEE_CENTS=10 # $0.10 kept on cancel/expire after upload
# Platform keypairs — TWO separate hot wallets with distinct roles and blast radii
# See §11.5 for security model, secret loading procedure, and rotation runbook.
# Only the *path* to each keypair file belongs in the environment. The file
# itself should come from the secrets mount, be readable only by the service
# user, and never be copied into the image or the repository.
# NOTE(review): the *_PUBKEY values are "for startup validation" — presumably
# the server derives the pubkey from the loaded keypair and refuses to start on
# a mismatch; confirm that check exists and fails closed.
# Vault keypair — funds MintVault + pays gas for create_agreement / expire_agreement
# Holds SOL only. No stablecoin ATAs owned by this key.
# Target float: 1–2 SOL (≈ 200–400 agreements). Top up daily from cold wallet.
PLATFORM_VAULT_PUBKEY=<vault_pubkey> # stored separately for startup validation
PLATFORM_VAULT_KEYPAIR_PATH=/run/secrets/vault_keypair.json # never raw base58 in env
# Treasury keypair — owns stablecoin ATAs; signs refund SPL transfers only
# Holds stablecoin float only. Does NOT hold SOL beyond dust for rent.
# Target float: $50 per token. Sweep excess daily to cold wallet.
PLATFORM_TREASURY_PUBKEY=<treasury_pubkey> # stored separately for startup validation
PLATFORM_TREASURY_KEYPAIR_PATH=/run/secrets/treasury_keypair.json
# Hot wallet safety thresholds
# These bound what a compromised or misbehaving hot wallet can lose between
# top-ups and sweeps; treat changes to them as security-relevant.
VAULT_MIN_SOL_ALERT=0.5 # alert ops when vault SOL drops below this
VAULT_MIN_SOL_CIRCUIT_BREAKER=0.1 # halt server if vault drops below this
VAULT_FUNDING_RATE_LIMIT_PER_HOUR=50 # circuit breaker: max vault fundings per hour
TREASURY_MIN_USDC_ALERT=20000000 # alert when USDC ATA < $20 (6 decimals)
TREASURY_FLOAT_PER_TOKEN=50000000 # keep $50 per token in hot wallet; sweep rest
# The sweep destination receives all excess funds: verify this address out of
# band before deploying, and restrict who is able to change it.
TREASURY_SWEEP_DEST=<cold_wallet_pubkey> # cold wallet or Squads multisig address
# Supported stablecoins — all have 6 decimals; $1.99 = 1_990_000 base units
# Initialize one ATA per token before go-live (owner = PLATFORM_TREASURY_PUBKEY):
# spl-token create-account <MINT> --owner <TREASURY_PUBKEY>
# The mint address is what identifies a payment as the real token. Check each
# value below against the issuer's published mainnet address before go-live,
# and use the matching cluster's mints when the RPC URLs point elsewhere.
# NOTE(review): PYUSD is, to my knowledge, issued under the Token-2022 program
# rather than the original SPL Token program — confirm its ATA is derived and
# its transfers are built with the right token program.
STABLECOIN_USDC_MINT=EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v
STABLECOIN_USDC_ATA=<platform_usdc_ata>
STABLECOIN_USDT_MINT=Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB
STABLECOIN_USDT_ATA=<platform_usdt_ata>
STABLECOIN_PYUSD_MINT=2b1kV6DkPAnxd5ixfnxCpjxmKwqjjaYmCZfHsFu24GXo
STABLECOIN_PYUSD_ATA=<platform_pyusd_ata>
# SOL payment removed — stablecoins only for v0.1
# Credit card (Stripe) — deferred to future version
# STRIPE_SECRET_KEY=
# STRIPE_WEBHOOK_SECRET=
# Pinata IPFS Configuration (V3 API)
# Get your JWT from: https://app.pinata.cloud/keys
# Create a new key, then copy the JWT value
# The Pinata JWT is a bearer credential for the account; create the key with
# only the permissions the backend needs.
PINATA_JWT=<your_pinata_jwt>
# Pinata Gateway Domain (for accessing pinned files)
# Found at: https://app.pinata.cloud/gateways
# Format: example-llama-3000.mypinata.cloud
PINATA_GATEWAY_DOMAIN=gateway.pinata.cloud # default, replace with your custom domain
# Unlike the platform keypairs above, this default is a relative path in the
# working directory, not under /run/secrets. The wallet file is a private key:
# make sure it is git-ignored, or point this at the secrets mount in deployment.
ARWEAVE_WALLET_PATH=./arweave-wallet.json # Arweave upload keypair
# DEPRECATED: These legacy variables are no longer used
# IPFS_API_URL=https://api.pinata.cloud
# IPFS_JWT=<pinata_jwt>
SERVER_PORT=8080
# 0.0.0.0 listens on every interface.
# NOTE(review): presumably the service sits behind a TLS-terminating proxy or
# load balancer — confirm; otherwise bind to loopback or a private interface.
SERVER_HOST=0.0.0.0