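# Copy to .env (see README).
# Backend accepts both M8FLOW_BACKEND_* and SPIFFWORKFLOW_BACKEND_* for mapped vars (see extensions/env_var_mapper.py).
#
# SECURITY: every password, key and secret in this file is a local-development placeholder.
# Generate fresh random values before the stack is reachable from anything but localhost, keep the
# populated .env out of version control, and rotate any secret that has ever been committed --
# a value that exists in repository history is public.
#
# --- Postgres (required for m8flow-db; set POSTGRES_PASSWORD). ---
# Dev-only credentials; they must match the ones embedded in M8FLOW_BACKEND_DATABASE_URI below.
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
POSTGRES_DB=postgres
# --- Flask / Backend ---
# FLASK_DEBUG=1 enables Werkzeug's interactive debugger, which lets anyone who can reach the backend
# port execute arbitrary Python. Set it to 0 (and FLASK_ENV=production) outside local development.
FLASK_DEBUG=1
FLASK_ENV=development
FLASK_APP=app.py
# Use a random secret (32+ chars). Left empty on purpose so a sample value is never shipped:
# generate with: python -c "import secrets; print(secrets.token_hex(32))"
FLASK_SESSION_SECRET_KEY=
M8FLOW_BACKEND_ENV=local_development
M8FLOW_BACKEND_LOG_LEVEL=INFO
WATCHFILES_FORCE_POLLING=true
# --- Database (SQLAlchemy URI) ---
M8FLOW_BACKEND_DATABASE_TYPE=postgres
# Credentials are embedded in the URI: keep user/password in sync with POSTGRES_USER/POSTGRES_PASSWORD.
# Port 1111 is a non-standard local mapping; change it together with whatever publishes the DB port.
M8FLOW_BACKEND_DATABASE_URI=postgresql://postgres:postgres@localhost:1111/postgres
# M8FLOW and Spiff DB migrations on startup.
M8FLOW_BACKEND_UPGRADE_DB=true
M8FLOW_BACKEND_SW_UPGRADE_DB=true
# --- Ports / URLs ---
# M8FLOW_FRONTEND_PORT=7001 # default; matches start_dev.sh and docker/m8flow-docker-compose.yml
M8FLOW_BACKEND_PORT=7000
M8FLOW_BACKEND_URL=http://localhost:7000
M8FLOW_BACKEND_URL_FOR_FRONTEND=http://localhost:7001
SPIFFWORKFLOW_BACKEND_API_PATH_PREFIX=/v1.0
# CORS: comma-separated frontend origins (host:port). List only origins that actually serve the frontend;
# never widen this to a wildcard.
M8FLOW_BACKEND_CORS_ALLOW_ORIGINS=localhost:7001,localhost:5173,127.0.0.1:7001
# BPMN and templates paths (container or host).
M8FLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR=./process_models
M8FLOW_TEMPLATES_STORAGE_DIR=./templates
# --- Auth (OIDC / Keycloak) ---
# KEYCLOAK_HOSTNAME=http://localhost:7002 # URL used to reach Keycloak; set to http://<host>:7002 when accessing from another machine
# KEYCLOAK_HOSTNAME_URL=http://localhost:7002 # Public Keycloak base URL; tokens use this as issuer (iss)
# With Docker Compose, KEYCLOAK_URL is set to http://keycloak-proxy:7002 so the backend uses the proxy.
# All Keycloak URLs below are plain http, acceptable only on localhost: tokens travel over these connections.
M8FLOW_KEYCLOAK_URL=http://localhost:7002
M8FLOW_BACKEND_OPEN_ID_SERVER_URL=http://localhost:7002/realms/spiffworkflow
M8FLOW_BACKEND_OPEN_ID_CLIENT_ID=spiffworkflow-backend
M8FLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY=
M8FLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS=true
# Dev convenience. Outside local development enable client auth and set the client secret above
# (the exact effect of this flag is not visible here -- confirm in the backend auth code).
KEYCLOAK_ENABLE_CLIENT_AUTH=false
# Tenant JWT / tenant login: PKCS#12 keystore (optional).
M8FLOW_KEYCLOAK_SPOKE_CLIENT_ID=spiffworkflow-backend
# Keep the .p12 out of version control; it presumably holds the private key used for the tenant login flow.
M8FLOW_KEYCLOAK_SPOKE_KEYSTORE_P12=extensions/m8flow-backend/keystore.p12
# Keystore password; required for tenant login flow when using spoke keystore.
M8FLOW_KEYCLOAK_SPOKE_KEYSTORE_PASSWORD=
# Optional: SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS for Keycloak (identifier should match frontend cookie).
# For master-realm super-admin browser access, add a second config: identifier=master, uri=.../realms/master.
# If you also use API-style admin-cli tokens, add additional_valid_client_ids=admin-cli; the backend can map
# matching M8Flow realm roles from realm_access.roles when no groups claim is present.
# client_secret values are intentionally blank: copy each from Keycloak (Clients -> <client> -> Credentials)
# or from the local realm import if it pre-seeds one. Use a distinct secret per realm -- the master realm
# carries Keycloak admin rights, so sharing its client secret with a tenant realm widens any leak to admin.
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier=spiffworkflow-local
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__label=Keycloak
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri=http://localhost:7002/realms/spiffworkflow-local
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id=spiffworkflow-backend
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret=
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__1__identifier=master
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__1__uri=http://localhost:7002/realms/master
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__1__client_id=spiffworkflow-backend
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__1__client_secret=
SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__1__additional_valid_client_ids=admin-cli
# Every issuer listed here is trusted to mint tokens for this backend; keep the list to realms you control.
SPIFFWORKFLOW_BACKEND_OPEN_ID_ADDITIONAL_VALID_ISSUERS=http://localhost:7002/realms/master,http://localhost:7002/realms/m8flow
# Optional local-development bootstrap for the master realm browser client and global admin user.
# Never use these defaults outside a throwaway local Keycloak; the global admin presumably has control of every realm.
# M8FLOW_KEYCLOAK_MASTER_CLIENT_SECRET=
# KEYCLOAK_SUPER_ADMIN_USER=super-admin
# KEYCLOAK_SUPER_ADMIN_PASSWORD=super-admin
# --- Celery / Redis ---
M8FLOW_BACKEND_CELERY_ENABLED=true
# Unauthenticated Redis is fine only while the port stays on localhost / the compose network; the broker
# carries task arguments, so use redis://:<password>@host:6379/0 (or rediss://) once it is shared.
M8FLOW_BACKEND_CELERY_BROKER_URL=redis://localhost:6379/0
M8FLOW_BACKEND_CELERY_RESULT_BACKEND=redis://localhost:6379/0
# Backend/API should be false; the worker/flower launchers override this inside their own containers.
# M8FLOW_BACKEND_RUNNING_IN_CELERY_WORKER=false
M8FLOW_BACKEND_RUN_BACKGROUND_SCHEDULER_IN_CREATE_APP=true
M8FLOW_BACKEND_CELERY_ENABLE_EVENTS=true
M8FLOW_BACKEND_CELERY_FLOWER_PORT=5555
M8FLOW_BACKEND_CELERY_AUTOSCALE_MIN=2
M8FLOW_BACKEND_CELERY_AUTOSCALE_MAX=4
# optional
# M8FLOW_BACKEND_CELERY_POOL=prefork
# M8FLOW_BACKEND_CELERY_CONCURRENCY=2
# --- Flower ---
# Optional basic auth for Flower, format user:password (empty disables auth).
# Flower shows task arguments/results and can act on workers; admin:admin is a dev placeholder --
# change it (and keep auth enabled) before port 5555 is reachable by anyone else.
M8FLOW_BACKEND_CELERY_FLOWER_BASIC_AUTH=admin:admin
# Optional worker/flower mount overrides.
# M8FLOW_BACKEND_CELERY_PROCESS_MODELS_MOUNT_SOURCE=process_models_cache
# --- Connector proxy ---
CONNECTOR_PROXY_PORT=8004
M8FLOW_BACKEND_CONNECTOR_PROXY_URL=http://localhost:8004
# --- M8Flow Connector: SMTP ---
# Local directory for connector to map attachments to. Point it at a dedicated directory: files under it
# become selectable as e-mail attachments by process authors, so never mount a broad host path here.
M8FLOW_CONNECTOR_SMTP_ATTACHMENTS_DIR=../email_attachments
# Mapped volume name for attachments directory. Users will select files from this directory when attaching files in the service task. E.g.: "/email_attachments/file.pdf".
M8FLOW_CONNECTOR_SMTP_ATTACHMENTS_USER_ACCESS_DIR=/email_attachments
M8FLOW_CONNECTOR_SMTP_ATTACHMENTS_LIMIT_IN_MB=10
M8FLOW_CONNECTOR_SMTP_TIMEOUT_SECONDS=300
# --- M8Flow Connector: Slack ---
# Local directory for connector to map Slack attachments from (host path for sync). Same caution as the
# SMTP directory: keep it dedicated to attachment files.
M8FLOW_CONNECTOR_SLACK_ATTACHMENTS_DIR=../slack_attachments
# Mapped volume path for attachments directory. Users select files from this path when attaching in the service task. E.g.: "/slack_attachments/sample.txt".
M8FLOW_CONNECTOR_SLACK_ATTACHMENTS_USER_ACCESS_DIR=/slack_attachments
M8FLOW_CONNECTOR_SLACK_UPLOAD_FILE_LIMIT_MB=50
# --- Permissions ---
M8FLOW_BACKEND_PERMISSIONS_FILE_ABSOLUTE_PATH=./extensions/m8flow-backend/src/m8flow_backend/config/permissions/m8flow.yml
#M8FLOW_BACKEND_PERMISSIONS_FILE_NAME=m8flow.yml
# Multitenant: true = tenant selection at / and /tenants/check; false = single-tenant.
MULTI_TENANT_ON=false
# --- SQLAlchemy Logs ---
# Echoed SQL includes bound parameter values; keep false wherever logs are retained or shared.
M8FLOW_SQLALCHEMY_ECHO=false
# --- Encryption (sensitive data at rest) ---
M8FLOW_BACKEND_ENCRYPTION_LIB=cryptography
# Key protecting data at rest. Left empty on purpose: generate a random key in the length/encoding the
# selected ENCRYPTION_LIB expects (check the backend's encryption helper) instead of reusing a sample
# pattern, and keep it in a secret manager. Changing it makes data encrypted under the old key
# unreadable unless the backend supports key rotation.
M8FLOW_BACKEND_ENCRYPTION_KEY=
# --- Tenancy ---
# Default tenant id; one Keycloak realm per tenant.
M8FLOW_DEFAULT_TENANT_ID=default
# true presumably lets requests with no resolvable tenant fall back to the default tenant -- confirm in the
# tenant middleware. With MULTI_TENANT_ON=true prefer false so such requests fail closed.
M8FLOW_ALLOW_MISSING_TENANT_CONTEXT=true
# JWT claim name for tenant id. Default: m8flow_tenant_id
# M8FLOW_TENANT_CLAIM=m8flow_tenant_id
# --- Keycloak ---
# Keycloak bootstrap admin (master realm). admin/admin is a dev placeholder; keep it consistent with
# KEYCLOAK_ADMIN_USER/KEYCLOAK_ADMIN_PASSWORD, which the backend uses for the admin API below.
KEYCLOAK_ADMIN=admin
# Keycloak admin app: URL, realm, admin user. Backend accepts KEYCLOAK_URL (or M8FLOW_KEYCLOAK_URL).
# Set KEYCLOAK_HOSTNAME to the URL users/browser use to reach Keycloak so the backend accepts the token iss claim (e.g. http://localhost:7002 locally, or http://<host>:7002 behind Docker or a proxy). Required when using Docker or a proxy.
KEYCLOAK_HOSTNAME=http://localhost:7002
# When Keycloak and the app are on different hosts, set M8FLOW_APP_PUBLIC_BASE_URL (e.g. https://app.example.com or http://localhost:7001). When not set, KEYCLOAK_HOSTNAME is used.
# M8FLOW_APP_PUBLIC_BASE_URL=
KEYCLOAK_URL=http://localhost:7002
KEYCLOAK_REALM=tenant-a
KEYCLOAK_ADMIN_USER=admin
# Admin password for create-realm API (KEYCLOAK_ADMIN_PASSWORD or M8FLOW_KEYCLOAK_ADMIN_PASSWORD).
# This grants full Keycloak admin rights to the backend; dev placeholder only.
KEYCLOAK_ADMIN_PASSWORD=admin
KEYCLOAK_CLIENT_ID=my-backend-app
KEYCLOAK_CLIENT_SECRET=
# Optional mTLS: KEYCLOAK_CERT_FILE, KEYCLOAK_KEY_FILE.
# KEYCLOAK_CERT_FILE=
# KEYCLOAK_KEY_FILE=
# Keycloak DB (used by docker/m8flow-docker-compose.yml for keycloak-db and keycloak service)
# KEYCLOAK_DB_PASSWORD and KC_DB_PASSWORD must hold the same value; both are dev placeholders.
KEYCLOAK_DB_NAME=keycloak
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=keycloak
KC_DB_URL=jdbc:postgresql://keycloak-db:5432/keycloak
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=keycloak
KC_HTTP_PORT=8080
# Dev only: false lets Keycloak derive its hostname (and thus issuer/redirect URLs) from request headers.
# Set to true and configure KC_HOSTNAME for any shared deployment.
KC_HOSTNAME_STRICT=false
# --- MinIO ---
# minioadmin/minioadmin is MinIO's documented default; replace with long random values.
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
# --- Diagnostics ---
M8FLOW_STARTUP_DIAGNOSTICS=false
# --- NATS / Event Driven Architecture ---
M8FLOW_NATS_ENABLED=false
# Unauthenticated nats:// is for localhost only; add credentials and TLS once NATS is shared.
M8FLOW_NATS_URL=nats://localhost:4222
M8FLOW_NATS_STREAM_NAME=M8FLOW_EVENTS
M8FLOW_NATS_SUBJECT=m8flow.events.>
M8FLOW_NATS_DURABLE_NAME=m8flow-engine-consumer
M8FLOW_NATS_FETCH_BATCH=10
M8FLOW_NATS_FETCH_TIMEOUT=2.0
M8FLOW_NATS_DEDUP_BUCKET=m8flow-dedup
M8FLOW_NATS_DEDUP_TTL=86400
# NATS Token Salt. Replace the placeholder with a random value, e.g. python -c "import secrets; print(secrets.token_hex(16))"
M8FLOW_NATS_TOKEN_SALT=changeme_nats_salt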