.env.example

# Minimal startup configuration - only Supabase connection required
# All other settings (API keys, model choices, RAG flags) are managed via the Settings page

# Get your SUPABASE_URL from the Data API section of your Supabase project settings -
# https://supabase.com/dashboard/project/<your project ID>/settings/api
SUPABASE_URL=

# ⚠️ CRITICAL: You MUST use the SERVICE ROLE key, NOT the Anon key! ⚠️
# 
# COMMON MISTAKE: Using the anon (public) key will cause ALL saves to fail with "permission denied"!
#
# How to get the CORRECT key:
# 1. Go to: https://supabase.com/dashboard/project/<your project ID>/settings/api
# 2. In the Settings menu, click on "API keys" 
# 3. Find "Project API keys" section
# 4. You will see TWO keys - choose carefully:
#    ❌ anon (public): WRONG - This is shorter, starts with "eyJhbGc..." and contains "anon" in the JWT
#    ✅ service_role (secret): CORRECT - This is longer and contains "service_role" in the JWT
#
# The service_role key is typically much longer than the anon key.
# If you see errors like "Failed to save" or "Permission denied", you're using the wrong key!
#
# On the Supabase dashboard, it's labeled as "service_role" under "Project API keys"
SUPABASE_SERVICE_KEY=

# Optional: Set log level for debugging
LOGFIRE_TOKEN=
LOG_LEVEL=INFO

# Claude API Key (Required for Agent Work Orders)
# Get your API key from: https://console.anthropic.com/
# Required for the agent work orders service to execute Claude CLI commands
ANTHROPIC_API_KEY=
# Generate an OAUTH token in terminal and it will use your Claude OAUTH token from your subscription.
CLAUDE_CODE_OAUTH_TOKEN=


# GitHub Personal Access Token (Required for Agent Work Orders PR creation)
# Get your token from: https://github.com/settings/tokens
# Required scopes: repo, workflow
# The agent work orders service uses this for gh CLI authentication to create PRs
GITHUB_PAT_TOKEN=

# Service Ports Configuration
# These ports are used for external access to the services
HOST=localhost
ARCHON_SERVER_PORT=8181
ARCHON_MCP_PORT=8051
ARCHON_AGENTS_PORT=8052
# Agent Work Orders Port (Optional - only needed if feature is enabled)
# Leave unset or comment out if you don't plan to use agent work orders
AGENT_WORK_ORDERS_PORT=8053
ARCHON_UI_PORT=3737

# Agent Work Orders Feature (Optional)
# Enable the agent work orders microservice for automated task execution
# Default: false (feature disabled)
# Set to "true" to enable: ENABLE_AGENT_WORK_ORDERS=true
# When enabled, requires Claude API key and GitHub PAT (see above)
ENABLE_AGENT_WORK_ORDERS=true

# Agent Work Orders Service Configuration (Optional)
# Only needed if ENABLE_AGENT_WORK_ORDERS=true
# Set these if running agent work orders service independently
# SERVICE_DISCOVERY_MODE: Controls how services find each other
#   - "local": Services run on localhost with different ports
#   - "docker_compose": Services use Docker container names
SERVICE_DISCOVERY_MODE=local

# Service URLs (for agent work orders service to call other services)
# These are automatically configured based on SERVICE_DISCOVERY_MODE
# Only override if you need custom service URLs
# ARCHON_SERVER_URL=http://localhost:8181
# ARCHON_MCP_URL=http://localhost:8051

# Agent Work Orders Persistence
# STATE_STORAGE_TYPE: "memory" (default, ephemeral) or "file" (persistent)
# FILE_STATE_DIRECTORY: Directory for file-based state storage
STATE_STORAGE_TYPE=file
FILE_STATE_DIRECTORY=agent-work-orders-state

# MCP Server Monitoring (Security Configuration)
# Controls how archon-server monitors MCP server status
#
# HTTP Mode (Recommended - Default):
# - Secure: No Docker socket access required
# - Portable: Works in Docker, Kubernetes, bare metal
# - Set: ENABLE_DOCKER_SOCKET_MONITORING=false (or leave unset)
#
# Docker Socket Mode (Legacy - Security Risk):
# - Requires: Docker socket mounted (root-equivalent host access)
# - Security Risk: CVE-2025-9074 demonstrates container escape vulnerabilities
# - Only use if: You specifically need Docker container uptime details
# - Set: ENABLE_DOCKER_SOCKET_MONITORING=true
# - Also requires: Uncommenting Docker socket volume in docker-compose.yml (line 36)
#
# Default: false (HTTP mode, secure)
ENABLE_DOCKER_SOCKET_MONITORING=false

# MCP Health Check Timeout (seconds)
# Timeout for HTTP health check requests to MCP server
# Default: 5
MCP_HEALTH_CHECK_TIMEOUT=5

# Frontend Configuration
# VITE_ALLOWED_HOSTS: Comma-separated list of additional hosts allowed for Vite dev server
# Example: VITE_ALLOWED_HOSTS=192.168.1.100,myhost.local,example.com
# If not set, defaults to localhost, 127.0.0.1, ::1, and the HOST value above
VITE_ALLOWED_HOSTS=

# Development Tools
# VITE_SHOW_DEVTOOLS: Show TanStack Query DevTools (for developers only)
# Set to "true" to enable the DevTools panel in bottom right corner
# Defaults to "false" for end users
VITE_SHOW_DEVTOOLS=false

# When enabled, PROD mode will proxy ARCHON_SERVER_PORT through ARCHON_UI_PORT. This exposes both the 
# Archon UI and API through a single port. This is useful when deploying Archon behind a reverse 
# proxy where you want to expose the frontend on a single external domain.
PROD=false


# NOTE: All other configuration has been moved to database management!
# Run the credentials_setup.sql file in your Supabase SQL editor to set up the credentials table.
# Then use the Settings page in the web UI to manage:
# - OPENAI_API_KEY (encrypted)
# - OPENROUTER_API_KEY (encrypted, format: sk-or-v1-..., get from https://openrouter.ai/keys)
# - MODEL_CHOICE
# - TRANSPORT settings
# - RAG strategy flags (USE_CONTEXTUAL_EMBEDDINGS, USE_HYBRID_SEARCH, etc.)
# - Crawler settings:
#   * CRAWL_MAX_CONCURRENT (default: 10) - Max concurrent pages per crawl operation
#   * CRAWL_BATCH_SIZE (default: 50) - URLs processed per batch
#   * MEMORY_THRESHOLD_PERCENT (default: 80) - Memory % before throttling
#   * DISPATCHER_CHECK_INTERVAL (default: 0.5) - Memory check interval in seconds