# =============================================================================
# Sardis Production Environment Configuration
# =============================================================================
# Copy to .env and fill in values before deploying to production.
# NEVER commit .env or any file with real secrets to version control.
#
# Legend:
# [REQUIRED] — must be set for production to start/function
# [REQUIRED*] — required for live chain mode (on-chain transactions)
# [OPTIONAL] — enhances functionality but not required for launch
#
# For Cloud Run: secrets are managed via GCP Secret Manager.
# For local: set directly in .env file.
# =============================================================================
# =============================================================================
# CORE CONFIGURATION
# =============================================================================
# [REQUIRED] Environment identifier — enables strict checks, fail-closed defaults
# Keep this "prod" for every internet-facing deployment (canaries included);
# any other value presumably relaxes the strict/fail-closed behaviour.
SARDIS_ENVIRONMENT=prod
# [REQUIRED] Chain execution mode
# "live" means real on-chain transactions (see the [REQUIRED*] legend above):
# the MPC, RPC and contract-address sections below must then be filled in.
SARDIS_CHAIN_MODE=live
SARDIS_EXECUTION_MODE=production_live
# [REQUIRED] API server binding
# 0.0.0.0 listens on every interface of the container. That is what Cloud Run
# expects; on a plain VM keep a reverse proxy / firewall in front of the port
# instead of exposing it directly.
SARDIS_API_HOST=0.0.0.0
SARDIS_API_PORT=8000
# Public base URL of the API — keep the https scheme.
SARDIS_API_BASE_URL=https://api.sardis.sh
# [REQUIRED] Default chain for API calls and health checks
SARDIS_DEFAULT_CHAIN=base
SARDIS_HEALTH_CHAIN=base
# =============================================================================
# DATABASE
# =============================================================================
# [REQUIRED] PostgreSQL connection string (Neon serverless recommended)
# Example: postgresql://user:password@ep-xxx.us-east-2.aws.neon.tech/sardis?sslmode=require
# The URL embeds the database password, so the whole value is a secret
# (Secret Manager on Cloud Run; keep it out of logs and error output).
# Keep sslmode=require at minimum; sslmode=verify-full additionally validates
# the server certificate and is preferable where the driver supports it.
DATABASE_URL=
# [OPTIONAL] Read replica for dashboard/analytics queries
# Same handling as DATABASE_URL — it carries credentials too.
# SARDIS_DATABASE_REPLICA_URL=
# [OPTIONAL] Connection pool tuning (defaults are fine for Neon)
# SARDIS_DB_POOL_MIN_NEON=2
# SARDIS_DB_POOL_MAX_NEON=15
# =============================================================================
# SECRETS & AUTH
# =============================================================================
# [REQUIRED] Application secret key — generate: python -c "import secrets; print(secrets.token_urlsafe(32))"
# Use a fresh value per environment; never reuse a staging key in production.
# Rotating it presumably invalidates whatever was signed/encrypted with it —
# plan the rotation window accordingly (TODO confirm what it protects).
SARDIS_SECRET_KEY=
# [REQUIRED] JWT signing secret for dashboard sessions (HS256)
# Generate: python -c "import secrets; print(secrets.token_hex(32))"
# HS256 is symmetric: anyone holding this value can mint valid dashboard
# sessions. token_hex(32) yields 256 bits, the minimum key size for HS256.
# Keep it distinct from SARDIS_SECRET_KEY.
JWT_SECRET_KEY=
# [REQUIRED] Admin password (strong, unique)
# Generate it with a password manager or secrets.token_urlsafe; do not derive
# it from the keys above.
SARDIS_ADMIN_PASSWORD=
# [OPTIONAL] JWT token lifetime
# A shorter lifetime bounds the damage from a leaked session token; 24 is the
# example value, not a recommendation.
# JWT_EXPIRATION_HOURS=24
# [OPTIONAL] OAuth (Google sign-in for dashboard)
# GOOGLE_CLIENT_SECRET is a secret; GOOGLE_CLIENT_ID is public. Register only
# the dashboard's https redirect URIs in the Google console.
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
# =============================================================================
# CORS & NETWORK
# =============================================================================
# [REQUIRED] Allowed origins (production domains only)
# Exact https origins, comma-separated. Never add "*" or localhost here: the
# dashboard presumably calls the API cross-origin with credentials, and a
# wildcard would let any site drive the API with the user's session.
SARDIS_ALLOWED_ORIGINS=https://sardis.sh,https://www.sardis.sh,https://app.sardis.sh,https://dashboard.sardis.sh,https://checkout.sardis.sh
# [OPTIONAL] Trusted proxy IPs for rate-limiter source IP extraction
# List only proxies you operate (the load balancer in front of the service).
# Forwarded-for headers are presumably honoured only from these addresses: an
# over-broad list lets clients forge their source IP and dodge rate limits,
# while an empty list presumably keys rate limiting on the proxy's own IP
# (TODO confirm both behaviours in the rate limiter).
SARDIS_TRUSTED_PROXIES=
# =============================================================================
# REDIS / CACHE
# =============================================================================
# [REQUIRED] Redis URL — required for rate limiting, dedup, and replay cache in production
# Example: rediss://default:xxx@xxx.upstash.io:6379
# Note the double "s": rediss:// is Redis over TLS — do not downgrade to
# redis:// for a hosted instance. The URL carries the password, so it is a
# secret. Because the replay cache lives here, a Redis outage presumably
# weakens replay protection; monitor it as a security dependency.
SARDIS_REDIS_URL=
# =============================================================================
# MPC / CUSTODY (Required for live chain mode)
# =============================================================================
# [REQUIRED*] MPC provider — must be "turnkey" for non-custodial production
SARDIS_MPC__NAME=turnkey
SARDIS_MPC__API_BASE=https://api.turnkey.com
# [REQUIRED*] Turnkey API credentials
# TURNKEY_API_PRIVATE_KEY authenticates every request to Turnkey, and with it
# every signing request for production wallets: Secret Manager only, grant
# the Turnkey API key the least privilege the service needs, and rotate it on
# any suspicion of exposure. The public key and organization id are not
# secrets; they identify the credential.
TURNKEY_API_PUBLIC_KEY=
TURNKEY_API_PRIVATE_KEY=
TURNKEY_ORGANIZATION_ID=
# =============================================================================
# RPC ENDPOINTS (Required for live chain mode)
# =============================================================================
# Use dedicated RPC providers (Alchemy, Infura, QuickNode) — not public endpoints.
# [REQUIRED*] Base mainnet (primary chain)
# Replace YOUR_KEY. The provider API key is part of the URL path, so the full
# URL is a secret and must not appear in logs, error messages or responses.
SARDIS_BASE_RPC_URL=https://base-mainnet.g.alchemy.com/v2/YOUR_KEY
# [OPTIONAL] Additional chain RPCs (enable as needed)
# SARDIS_POLYGON_RPC_URL=https://polygon-mainnet.g.alchemy.com/v2/YOUR_KEY
# SARDIS_ETHEREUM_RPC_URL=https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY
# SARDIS_ARBITRUM_RPC_URL=https://arb-mainnet.g.alchemy.com/v2/YOUR_KEY
# SARDIS_OPTIMISM_RPC_URL=https://opt-mainnet.g.alchemy.com/v2/YOUR_KEY
# [REQUIRED*] Tempo mainnet
# NOTE(review): this is a public endpoint, which the guidance above advises
# against — a rate-limited or untrustworthy RPC can stall or mislead
# transaction submission. Use a dedicated provider if one is available.
SARDIS_TEMPO_RPC_URL=https://rpc.tempo.xyz
# [OPTIONAL] Tempo testnet (for staging/testing)
# SARDIS_TEMPO_TESTNET_RPC_URL=https://rpc.testnet.tempo.xyz
# =============================================================================
# SMART CONTRACT ADDRESSES — BASE MAINNET
# =============================================================================
# Set after deploying with: ./scripts/deploy-mainnet-contracts.sh
# See contracts/deployments/base.json for lifecycle status.
# Copy addresses from the deployment record, not from notes or chat, and
# compare them with the on-chain deployment before enabling live mode: a
# wrong address here directs funds and calls to the wrong contract.
# [REQUIRED*] Core contracts (deploy with scripts/deploy-mainnet-contracts.sh)
SARDIS_BASE_LEDGER_ANCHOR_ADDRESS=
SARDIS_BASE_REFUND_PROTOCOL_ADDRESS=
# [REQUIRED*] ERC-8183 contracts
SARDIS_ERC8183_ENABLED=true
SARDIS_ERC8183_CONTRACT_ADDRESS=
SARDIS_BASE_JOB_REGISTRY_ADDRESS=
SARDIS_BASE_JOB_MANAGER_ADDRESS=
# Pre-deployed (do not change unless upgrading)
# Zodiac Roles (policy module): 0x9646fDAD06d3e24444381f44362a3B0eB343D337
# Circle Paymaster: 0x0578cFB241215b77442a541325d6A4E6dFE700Ec
# Safe ProxyFactory: 0xa6B71E26C5e0845f74c812102Ca7114b6a896AB2
# Base USDC: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
# =============================================================================
# SMART CONTRACT ADDRESSES — TEMPO MAINNET (already deployed)
# =============================================================================
# All 7 contracts deployed on Tempo Presto mainnet (chain ID 4217).
# Deployer: 0x99085505f506576c5C5342cAFEf14d6be43e0E9C
# NOTE(review): most of these are all-lowercase hex (no EIP-55 checksum), so
# a typo cannot be caught by checksum validation — verify each one against
# the deployment record before uncommenting.
# SARDIS_TEMPO_LEDGER_ANCHOR_ADDRESS=0x9a5D2a6c81414FD1E6a2c9b55306c6D0b954b98B
# SARDIS_TEMPO_REFUND_PROTOCOL_ADDRESS=0x801ea29ca523ea16475e3def938002d6be985e9d
# SARDIS_TEMPO_IDENTITY_REGISTRY_ADDRESS=0xc5a3eb812bef4b883a2e890865de9d51818ac90a
# SARDIS_TEMPO_JOB_REGISTRY_ADDRESS=0x19eeeb6b349cfd4025cc75fa99bb36f6b8bec62d
# SARDIS_TEMPO_JOB_MANAGER_ADDRESS=0x758114d2229d3da2a8629b96b0394a3e8319fbb0
# SARDIS_TEMPO_REPUTATION_REGISTRY_ADDRESS=0x127ac64f6ddf7292e8dee43e39f4e66af859e704
# SARDIS_TEMPO_VALIDATION_REGISTRY_ADDRESS=0xc95e58f9e1df9c3df4593632846eb2a02cf73d6b
# =============================================================================
# CCTP V2 (same addresses across all EVM chains)
# =============================================================================
# These two values are live as written. Confirm them against Circle's
# published CCTP V2 contract addresses before deploying, and record them next
# to the Base addresses above so a later edit is reviewable.
CCTP_TOKEN_MESSENGER_V2=0x28b5a0e9C621a5BadaA536219b3a228C8168cf5d
CCTP_MESSAGE_TRANSMITTER_V2=0x81D40F21F12A8F0E3252Bccb954D722d4c464B64
# =============================================================================
# PAYMASTER
# =============================================================================
# [REQUIRED*] Circle Paymaster (permissionless, no API key needed)
SARDIS_PAYMASTER_PROVIDER=circle
# Mainnet: 0x0578cFB241215b77442a541325d6A4E6dFE700Ec
# (same address as the Circle Paymaster listed under pre-deployed Base contracts)
# Testnet: 0x3BA9A96eE3eFf3A69E2B18886AcF52027EFF8966
# =============================================================================
# TAP (Trust Anchor Protocol)
# =============================================================================
# [REQUIRED] Enable TAP request verification in production
# Leave this "enabled"; turning it off removes request signature checks.
SARDIS_TAP_ENFORCEMENT=enabled
# [REQUIRED] JWKS URL for TAP signature verification
# Must be an https URL you trust: whoever controls this endpoint controls
# which signing keys are accepted. Presumably nothing can be verified while it
# is empty — TODO confirm that startup fails closed rather than skipping checks.
SARDIS_TAP_JWKS_URL=
# [OPTIONAL] TAP timing controls
# Presumably: max window = seconds a request timestamp may deviate; nonce
# TTL = how long a seen nonce is kept in the Redis replay cache. Keep the TTL
# >= the window (as in the examples, 600 >= 300); otherwise a nonce could be
# forgotten while its request is still inside the acceptable window and the
# request replayed.
# SARDIS_TAP_MAX_TIME_WINDOW=300
# SARDIS_TAP_NONCE_TTL=600
# =============================================================================
# PLATFORM FEES & TREASURY
# =============================================================================
# [OPTIONAL] Platform fee in basis points (50 = 0.50%)
SARDIS_PLATFORM_FEE_BPS=50
# [OPTIONAL] Fee collection wallet address on Base
# Use an address you control (ideally a multisig) and double-check it on-chain
# before launch — fees sent to a wrong address are unrecoverable. Behaviour
# when this is empty but the fee is non-zero is not documented here; TODO confirm.
SARDIS_TREASURY_ADDRESS=
# [OPTIONAL] Skip fee for amounts under this threshold (USD)
SARDIS_FEE_MIN_AMOUNT=1.00
# =============================================================================
# BILLING (Stripe)
# =============================================================================
# [OPTIONAL] Enable billing via Stripe
# If enabled, set the webhook secret as well: without it inbound Stripe
# events presumably cannot be authenticated and could be forged. Use a
# restricted Stripe key rather than the account-wide secret key where possible.
# SARDIS_BILLING_BILLING_ENABLED=true
# SARDIS_BILLING_STRIPE_SECRET_KEY=
# SARDIS_BILLING_STRIPE_WEBHOOK_SECRET=
# SARDIS_BILLING_STRIPE_PRICE_STARTER=
# SARDIS_BILLING_STRIPE_PRICE_GROWTH=
# =============================================================================
# COMPLIANCE
# =============================================================================
# [OPTIONAL] Persona KYC
# PERSONA_WEBHOOK_SECRET plays the same role as the Stripe webhook secret:
# set it whenever the API key is set.
# PERSONA_API_KEY=
# PERSONA_TEMPLATE_ID=
# PERSONA_WEBHOOK_SECRET=
# [OPTIONAL] Elliptic sanctions screening
# Whether the threshold blocks scores above or below 0.7 is not documented
# here — TODO confirm the direction before tuning it.
# ELLIPTIC_API_KEY=
# ELLIPTIC_API_SECRET=
# ELLIPTIC_RISK_THRESHOLD=0.7
# =============================================================================
# VIRTUAL CARDS
# =============================================================================
# [OPTIONAL] Primary card provider: lithic | stripe_issuing
# Card-issuing credentials can move money; Secret Manager only, and set the
# webhook secret alongside the API key.
# SARDIS_CARDS_PRIMARY_PROVIDER=stripe_issuing
# STRIPE_SECRET_KEY=
# STRIPE_WEBHOOK_SECRET=
# =============================================================================
# FIAT ON/OFF-RAMP
# =============================================================================
# [OPTIONAL] Coinbase Onramp (hosted, free)
# COINBASE_CDP_API_KEY_PRIVATE_KEY is a signing key — secret. The app id and
# key name are identifiers, not secrets.
# COINBASE_APP_ID=
# COINBASE_CDP_API_KEY_NAME=
# COINBASE_CDP_API_KEY_PRIVATE_KEY=
# =============================================================================
# MONITORING & OBSERVABILITY
# =============================================================================
# [OPTIONAL] Sentry error tracking
# Anyone holding the DSN can submit events to the project; keep the server DSN
# out of client bundles and make sure captured errors are scrubbed of secrets.
# SENTRY_DSN=
# SENTRY_ENVIRONMENT=production
# [OPTIONAL] PostHog analytics
# POSTHOG_API_KEY=
# [OPTIONAL] OpenTelemetry distributed tracing
# Sample rate 0.1 = roughly 10% of traces; whatever is exported should not
# include request bodies, tokens or keys.
# SARDIS_OTEL_ENABLED=true
# SARDIS_OTEL_SERVICE_NAME=sardis-api
# SARDIS_OTEL_EXPORTER=sentry
# SARDIS_OTEL_SAMPLE_RATE=0.1
# =============================================================================
# NOTIFICATIONS
# =============================================================================
# [OPTIONAL] Email (Resend or SMTP)
# "re_xxx" is a placeholder, not a real key; keep SMTP_USE_TLS=true.
# SMTP_HOST=smtp.resend.com
# SMTP_PORT=465
# SMTP_USER=resend
# SMTP_PASSWORD=re_xxx
# SMTP_FROM_EMAIL=noreply@sardis.sh
# SMTP_USE_TLS=true
# [OPTIONAL] Slack alerts
# Incoming-webhook URLs act as bearer credentials — anyone with the URL can
# post to the channel — so treat them as secrets.
# SLACK_WEBHOOK_URL=
# DISCORD_WEBHOOK_URL=
# =============================================================================
# FEATURE FLAGS
# =============================================================================
# [OPTIONAL] Public signup (set false for invite-only launch)
SARDIS_ALLOW_PUBLIC_SIGNUP=false
# [OPTIONAL] KYA enforcement
# SARDIS_KYA_ENFORCEMENT_ENABLED=true
# SARDIS_KYA_STRICT_REGISTRATION=true
# [OPTIONAL] AGIT fail-closed (default in production)
# While commented out this relies on the production default; uncomment to pin
# fail-closed explicitly so a future default change cannot silently fail open.
# SARDIS_AGIT_FAIL_OPEN=false
# =============================================================================
# TRANSACTION CAPS (safety rails)
# =============================================================================
# These caps are the last line of defence if policy or auth is bypassed: set
# them to the lowest values the launch actually needs and raise deliberately.
# [OPTIONAL] Global daily transaction cap (USD)
SARDIS_GLOBAL_DAILY_CAP=100000
# [OPTIONAL] Per-organization daily cap (USD)
# Ten organizations at this cap already reach the global cap above, so the
# global cap is the binding limit once there are many organizations.
SARDIS_DEFAULT_ORG_DAILY_CAP=10000
# [OPTIONAL] Per-agent per-transaction cap (USD)
SARDIS_DEFAULT_AGENT_TX_CAP=1000