# Wairz Environment Configuration
#
# This file is a template: copy it to .env and edit the copy. .env.example
# itself is tracked in git, so it must only ever hold placeholder values.
#
# SECURITY:
# - POSTGRES_PASSWORD and FIRMAE_DB_PASSWORD are REQUIRED. docker-compose
#   will fail to start if they are unset (enforced via ${VAR:?...} syntax).
#   That check only rejects unset or empty values; the "changeme-..."
#   placeholders below pass it, so replace them before the first start.
# - API_KEY is REQUIRED when BACKEND_HOST_BIND is non-loopback (see
#   README.md "Security" section).
# - Never commit real secrets: keep the real .env out of git (.gitignore
#   already covers it) and use .env.example only as a template.
# - To rotate credentials: edit .env, run `docker compose up -d` to
#   recreate affected containers, then reload the browser.
#   NOTE(review): with the stock postgres image, POSTGRES_PASSWORD is only
#   applied when the data directory is first initialised; an existing
#   database would also need its role password changed. Confirm which
#   applies to this compose setup.
#
# For production: consider Docker secrets or an external secret manager
# (HashiCorp Vault, AWS Secrets Manager, SOPS-encrypted files).
# Database — REQUIRED credentials. Generate a strong random password:
#   python3 -c 'import secrets; print(secrets.token_urlsafe(32))'
# DATABASE_URL repeats the user, password and database name; keep it in
# sync with the POSTGRES_* values when you change them. token_urlsafe()
# output needs no escaping inside the URL; a password containing
# characters such as @ : / ? # would have to be percent-encoded there.
POSTGRES_USER=wairz
POSTGRES_PASSWORD=changeme-use-a-strong-random-password
POSTGRES_DB=wairz
DATABASE_URL=postgresql+asyncpg://wairz:changeme-use-a-strong-random-password@localhost:5432/wairz
# FirmAE sidecar — REQUIRED when the system-emulation service runs.
# FirmAE's internal postgres uses this password. Use a value different
# from POSTGRES_PASSWORD so one leaked credential does not open both.
FIRMAE_DB_PASSWORD=changeme-firmae-password
# Redis (for task queue)
# NOTE(review): this URL carries no password; confirm Redis is reachable
# only from the Docker network or loopback (see REDIS_HOST_PORT below).
REDIS_URL=redis://localhost:6379/0
# Host port mappings — change these if the defaults conflict with existing
# services on your machine. Only affects host-side access (psql, redis-cli);
# internal Docker networking is unaffected.
# NOTE(review): unlike the backend/frontend below, this file defines no
# *_HOST_BIND variable for these two ports. Check docker-compose.yml that
# they are published on 127.0.0.1 rather than on all interfaces.
POSTGRES_HOST_PORT=5432
REDIS_HOST_PORT=6379
# Host-port binding for backend + frontend. Defaults to 127.0.0.1 to
# prevent LAN exposure of the unauthenticated /ws WebSocket endpoint.
# Set to 0.0.0.0 only after API_KEY is set AND the /ws endpoint is
# auth-gated.
BACKEND_HOST_BIND=127.0.0.1
BACKEND_HOST_PORT=8000
FRONTEND_HOST_BIND=127.0.0.1
FRONTEND_HOST_PORT=3000
# PostgreSQL backup directory (host path, bind-mounted into pg-backup
# service). Nightly pg_dump archives land here; 30-day retention is
# enforced inside the pg-backup container.
# The archives hold database contents in the clear: restrict permissions
# on this directory and keep it out of version control.
BACKUP_DIR=./backups
# Docker socket GID — run: stat -c %g /var/run/docker.sock
# Access to the Docker socket allows control of the Docker daemon, which
# is equivalent to root on the host. Presumably this GID is granted to a
# container so it can reach the socket — confirm in docker-compose.yml
# which service receives it.
DOCKER_GID=999
# Firmware storage location (relative paths resolved from backend/)
STORAGE_ROOT=./data/firmware
# Upload limits (applies to both backend and frontend nginx)
MAX_UPLOAD_SIZE_MB=2048
# Firmware retention — leave unset (= None) to keep firmware forever.
# When set to an integer N, reconcile_firmware_storage (daily @05:00)
# will include N-day-old rows in its log output. Auto-delete is disabled
# in v1; treat the log output as operator-actionable signal.
# FIRMWARE_RETENTION_DAYS=
# Tool output limits
MAX_TOOL_OUTPUT_KB=30
MAX_TOOL_ITERATIONS=25
# Ghidra headless path (inside container)
GHIDRA_PATH=/opt/ghidra
GHIDRA_SCRIPTS_PATH=/opt/ghidra_scripts
GHIDRA_TIMEOUT=300
# Fuzzing (AFL++)
FUZZING_IMAGE=wairz-fuzzing
FUZZING_TIMEOUT_MINUTES=120
FUZZING_MAX_CAMPAIGNS=1
FUZZING_MEMORY_LIMIT_MB=2048
FUZZING_CPU_LIMIT=2.0
FUZZING_DATA_DIR=/data/fuzzing
# UART Bridge (host-side serial bridge for live device access)
# NOTE(review): this bridge runs on the host, outside the containers.
# Confirm it listens only on an interface the backend needs to reach;
# the same applies to the Device Acquisition Bridge below.
UART_BRIDGE_HOST=host.docker.internal
UART_BRIDGE_PORT=9999
UART_COMMAND_TIMEOUT=30
# Device Acquisition Bridge (host-side ADB bridge)
DEVICE_BRIDGE_HOST=host.docker.internal
DEVICE_BRIDGE_PORT=9998
# Vulnerability scanning
# NVD_API_KEY is a credential: set it in .env only, never in this template.
NVD_API_KEY=
VULNERABILITY_BACKEND=grype
# Threat intelligence (all optional)
# VIRUSTOTAL_API_KEY and ABUSECH_AUTH_KEY are credentials: set them in
# .env only, never in this template.
VIRUSTOTAL_API_KEY=
ABUSECH_AUTH_KEY=
CLAMAV_HOST=clamav
CLAMAV_PORT=3310
# API authentication — REQUIRED when BACKEND_HOST_BIND is non-loopback.
# An empty value is only acceptable with the loopback default above.
# Generate a strong key:
#   python3 -c 'import secrets; print(secrets.token_urlsafe(32))'
API_KEY=
# Logging
LOG_LEVEL=INFO