# .env.example (243 lines, 17.2 KB)
# Gittensory — sample environment file
#
# Copy to `.dev.vars` (local) or set as worker vars/secrets (deployed). This file
# lists every operator-facing GITTENSORY_REVIEW_* feature flag plus the names of
# the secrets the worker reads. It contains NO real values — fill secrets in via
# `wrangler secret put NAME`; never commit real secret values.
#
# Feature flags: every flag defaults OFF. "Truthy" = one of 1 / true / yes / on
# (case-insensitive); unset, empty, or `false` is OFF. When a flag is OFF its
# code path is fully inert — the review behaves as if the feature did not exist.
#
# See docs/review-configuration.md for the full reference (flags, per-repo
# `.gittensory.yml` settings, and secret descriptions).
# =============================================================================
# 1. Review feature flags (GITTENSORY_REVIEW_*)
# =============================================================================
# --- Scope (per-repo cutover allowlist) -------------------------------------
# Comma-separated owner/repo names allowed to run the per-PR review features
# (SAFETY, GROUNDING, RAG, REPUTATION, UNIFIED_COMMENT). A per-PR feature runs on
# a repo only if its own flag is ON *and* the repo is listed here. Empty = no
# repos, so every per-PR feature stays dormant regardless of the flags below.
# Case-insensitive, trimmed; stray commas ignored.
# Example: GITTENSORY_REVIEW_REPOS="JSONbored/gittensory,JSONbored/awesome-claude"
GITTENSORY_REVIEW_REPOS=
# Instance-wide write kill switch for the cloud→self-host parallel-run migration. When set to "dry-run"
# (or "disabled"), EVERY GitHub write from this instance is suppressed regardless of per-repo settings —
# the instance can receive webhooks and compute verdicts but posts NOTHING (no check-run/comment/label/
# merge), so it can shadow the live cloud App safely until cutover. "dry-run" audits as completed-shadow;
# "disabled" audits as denied. Leave empty (= live) for normal operation. Flip to live only at cutover.
# SELFHOST_DEPLOYMENT_MODE=dry-run
# --- Per-PR capabilities (also require the repo in GITTENSORY_REVIEW_REPOS) ---
# Safety scan: defangs untrusted PR title/body/diff (prompt-injection
# neutralization) and scans the diff for leaked secrets (secret_leak blocker).
GITTENSORY_REVIEW_SAFETY=false
# Grounds the AI-reviewer prompt with the PR's finished CI status + the full
# post-change content of the changed files, so claims are verified against reality.
GITTENSORY_REVIEW_GROUNDING=false
# Retrieval-augmented context: appends semantically related code/docs from the
# codebase vector index to the reviewer prompt. Inert until a VECTORIZE index exists.
GITTENSORY_REVIEW_RAG=false
# Submitter-reputation spend control (internal-only): downgrades new/burst/low-rep
# submitters to a deterministic-only review. Never surfaced publicly.
GITTENSORY_REVIEW_REPUTATION=false
# Renders the public PR comment as one in-place unified comment instead of the
# legacy multi-panel comment. OFF keeps the legacy comment byte-identical.
GITTENSORY_REVIEW_UNIFIED_COMMENT=false
# --- Global capabilities (NOT scoped by GITTENSORY_REVIEW_REPOS) -------------
# Observability (read-only): cron anomaly scan over the gate-block ledger emits
# ops_anomaly logs, plus a bearer-gated GET /v1/internal/ops/stats aggregate.
GITTENSORY_REVIEW_OPS=false
# Self-improvement / auto-tune loop: computes tuning recommendations, shadow-soaks
# strictly-tightening ones, and auto-promotes only after the soak passes. Tightening-only.
GITTENSORY_REVIEW_SELFTUNE=false
# Parity readiness (shadow, record-only): shadow-records each finalized gate
# decision and serves a readiness report at GET /v1/internal/parity. Changes no behavior.
GITTENSORY_REVIEW_PARITY_AUDIT=false
# Content-review lane: routes content repos (curated lists, registries) through the
# dedicated content lane (dedup, source-evidence, scope, registry grounding).
GITTENSORY_REVIEW_CONTENT_LANE=false
# Public draft-submission flow: enables the /v1/drafts endpoints (contributor draft
# -> GitHub OAuth -> fork PR). When OFF, every draft endpoint returns 404. Needs the draft secrets below.
GITTENSORY_REVIEW_DRAFT=false
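Worked example of the flag, allowlist and kill-switch semantics documented in this section, added here and not Gittensory's own code. It assumes the flags arrive as plain environment strings; the function names, the "feature-off" audit string, and the fail-closed handling of an unrecognized SELFHOST_DEPLOYMENT_MODE value are this example's choices, while the truthiness rule, the allowlist parsing and the "completed-shadow"/"denied" audit outcomes follow the comments above.

```javascript
// Added example, not Gittensory's own code. Flag names follow section 1 of .env.example;
// the audit strings mirror the SELFHOST_DEPLOYMENT_MODE note; everything else is an assumption.
const TRUTHY = new Set(["1", "true", "yes", "on"]);

// Truthy = 1 / true / yes / on (case-insensitive); unset, empty, "false" or anything else is OFF.
function flagOn(value) {
  return typeof value === "string" && TRUTHY.has(value.trim().toLowerCase());
}

// GITTENSORY_REVIEW_REPOS: comma-separated owner/repo, case-insensitive, trimmed, stray commas ignored.
function parseRepoAllowlist(value) {
  if (typeof value !== "string") return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0)
  );
}

// Per-PR feature (SAFETY, GROUNDING, RAG, REPUTATION, UNIFIED_COMMENT): needs its own flag ON
// *and* the repo in the allowlist. An empty allowlist keeps every per-PR feature dormant.
function perPrFeatureEnabled(env, feature, repo) {
  return (
    flagOn(env[`GITTENSORY_REVIEW_${feature}`]) &&
    parseRepoAllowlist(env.GITTENSORY_REVIEW_REPOS).has(repo.trim().toLowerCase())
  );
}

// Global capability (OPS, SELFTUNE, PARITY_AUDIT, CONTENT_LANE, DRAFT): flag only, no allowlist.
function globalFeatureEnabled(env, feature) {
  return flagOn(env[`GITTENSORY_REVIEW_${feature}`]);
}

// Instance-wide write kill switch. "live" = perform the GitHub write; "completed-shadow" = dry-run
// (verdict computed, nothing posted); "denied" = disabled. Only an empty value means live.
function writeDisposition(env) {
  const mode = (env.SELFHOST_DEPLOYMENT_MODE || "").trim().toLowerCase();
  if (mode === "") return "live";
  if (mode === "dry-run") return "completed-shadow";
  if (mode === "disabled") return "denied";
  return "denied"; // unrecognized value: this example fails closed (an assumption, not documented above)
}

// One GitHub write (check-run, comment, label, merge) requested by a per-PR feature.
function decideWrite(env, feature, repo) {
  if (!perPrFeatureEnabled(env, feature, repo)) return { write: false, audit: "feature-off" };
  const disposition = writeDisposition(env);
  return { write: disposition === "live", audit: disposition };
}

// Constructed sample environment (placeholder values, nothing real).
const sampleEnv = {
  GITTENSORY_REVIEW_REPOS: " JSONbored/gittensory,, jsonbored/awesome-claude ,",
  GITTENSORY_REVIEW_SAFETY: "Yes",
  GITTENSORY_REVIEW_GROUNDING: "false",
  GITTENSORY_REVIEW_OPS: "1",
  SELFHOST_DEPLOYMENT_MODE: "dry-run",
};

console.log(decideWrite(sampleEnv, "SAFETY", "JSONbored/Gittensory")); // { write: false, audit: 'completed-shadow' }
console.log(decideWrite(sampleEnv, "SAFETY", "someone/else"));         // { write: false, audit: 'feature-off' }
console.log(globalFeatureEnabled(sampleEnv, "OPS"));                    // true
```

The point worth checking in a real deployment is the order of the two gates: the feature gate decides whether any work happens, and the kill switch decides only whether the result leaves the instance, so a dry-run shadow still exercises the full review path while posting nothing.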
# =============================================================================
# 2. Secrets (names only — set with `wrangler secret put NAME`)
# =============================================================================
# Do NOT put real values here. Set each via `wrangler secret put NAME` (deployed)
# or in `.dev.vars` (local, git-ignored). Listed by name so operators know what
# the worker reads.
# --- Core (required for the worker to run) -----------------------------------
# GITHUB_WEBHOOK_SECRET=
# GITHUB_APP_ID=
# GITHUB_APP_PRIVATE_KEY=
# GITHUB_APP_SLUG=
# GITTENSOR_REGISTRY_URL=
# GITTENSORY_API_TOKEN=
# GITTENSORY_MCP_TOKEN=
# INTERNAL_JOB_TOKEN=
# --- Optional (capability-gated; degrade safely when absent) -----------------
# GITHUB_OAUTH_CLIENT_ID= # GitHub OAuth (dashboard sign-in, draft flow)
# GITHUB_OAUTH_CLIENT_SECRET= # GitHub OAuth; also required by the draft flow
# GITHUB_PUBLIC_TOKEN= # unauthenticated public-GitHub reads (.gittensory.yml fetch)
# TOKEN_ENCRYPTION_SECRET= # AES-256-GCM master secret for maintainer BYOK keys at rest
# DRAFT_TOKEN_ENCRYPTION_SECRET= # AES-256-GCM secret for the contributor OAuth token (draft flow)
# GITTENSORY_REVIEW_STATS_TOKEN= # bearer token guarding the stats data endpoint
# GITTENSORY_DRIFT_ISSUE_TOKEN= # token for auto-filing drift issues
# GITTENSORY_CONTRIBUTOR_ISSUE_TOKEN= # token for contributor-issue automation
# PRODUCT_USAGE_HASH_SALT= # salt for hashing product-usage identifiers
# =============================================================================
# 3. Self-host (Docker) — runtime config (#980)
# =============================================================================
# For `docker compose up` self-hosting (NOT the Cloudflare Worker deploy). Copy this file to `.env`
# (gitignored), UNCOMMENT + fill the required Core secrets in section 2, then add the runtime values below.
# Every value here is a SAMPLE placeholder — never commit real secrets.
# PUBLIC_API_ORIGIN=https://reviews.example.com # REQUIRED before the first-run setup wizards (GET /setup and
#   GET /orb/setup). The wizard embeds this origin in the GitHub App manifest's redirect_url; without it the
#   wizard returns 400. Use the EXACT public URL operators browse to (scheme + host [+ port]). Deriving it
#   from the request Host header would let an attacker redirect the App-creation callback, so it must be set
#   explicitly. Not needed once the App credentials are configured.
# SELFHOST_SETUP_TOKEN=change-this-long-random-value # REQUIRED to unlock the first-run /setup wizard. Without it
#   /setup returns 400; with it, /setup needs ?token=<value> (or an x-setup-token / Bearer header) so a
#   freshly-booted, not-yet-configured instance can't be driven through App creation by a random visitor.
# PORT=8787
# DATABASE_PATH=/data/gittensory.sqlite # SQLite file on the mounted data volume; all migrations auto-apply
# DATABASE_URL= # set to postgres://user:pw@host:5432/db to use Postgres instead of SQLite
#   (shared DB → multi-instance). Overrides DATABASE_PATH.
# REDIS_URL= # set to redis://host:6379 for distributed rate limiting + webhook dedup cache
#   (prevents double-processing of GitHub retries). Off when unset.
# QDRANT_URL= # set to http://qdrant:6333 to use Qdrant as the RAG vector store (--profile qdrant).
#   Overrides the built-in sqlite-vec / pgvector. Collection and schema are auto-created at startup.
#   Off when unset.
# QDRANT_API_KEY= # Bearer token for an authenticated Qdrant (cloud / on-prem). Omit for the local
#   --profile qdrant container (unauthenticated).
# QDRANT_DIM=1024 # vector dimension of the collection (default 1024 = bge-m3); set to match your
#   AI_EMBED_MODEL if it differs.
# DISCORD_WEBHOOK_URL= # one Discord channel for per-action notifications (merged/closed/manual) on ANY
#   repo you review. Unset = no Discord notifications. For a per-repo map see DISCORD_REPO_WEBHOOKS below.
# MIGRATIONS_DIR=/app/migrations
# CRON_INTERVAL_MS=120000 # maintain/sweep + sync cadence (default ~2 min)
# --- Continuous backup (optional; the Litestream sidecar in docker-compose.yml) ---
# LITESTREAM_ACCESS_KEY_ID=
# LITESTREAM_SECRET_ACCESS_KEY=
# LITESTREAM_ENDPOINT= # e.g. s3.us-west-002.backblazeb2.com (omit for AWS S3)
# LITESTREAM_REGION=us-east-1
# --- Queue worker (#977/#1201) ---
# QUEUE_CONCURRENCY=1 # max concurrent job-processing loops per instance (default 1)
# --- Caddy HTTPS terminator (#1203; requires --profile caddy) ---
# DOMAIN=gittensory.example.com # fully-qualified domain; Caddy auto-obtains a Let's Encrypt cert
# --- Tailscale sidecar (#1204; requires --profile tailscale) ---
# TS_AUTHKEY= # Tailscale auth key (generate at tailscale.com/admin/settings/keys)
# TS_EXTRA_ARGS= # extra tailscale up flags, e.g. --advertise-tags=tag:self-host
# --- Self-hosted GitHub Actions runner (#1205; requires --profile runners) ---
# RUNNER_TOKEN= # runner registration token (Settings → Actions → Runners → New)
# RUNNER_REPO_URL=https://github.com/org/repo
# RUNNER_ACCESS_TOKEN= # PAT with repo scope (alternative to RUNNER_TOKEN)
# RUNNER_SCOPE=repo # repo | org | enterprise
# RUNNER_NAME=gittensory-runner
# RUNNER_LABELS=self-hosted,linux
# --- Observability: metrics + alerts + logs (#1206; requires --profile observability) ---
# The observability profile starts Prometheus (scrapes /metrics) + Alertmanager (alert rules in
# prometheus/rules/, routing in alertmanager/alertmanager.yml — silent until you fill in a receiver) +
# Loki + Promtail (ship every container's logs to Loki) + Grafana (dashboards for metrics AND logs).
# GRAFANA_ADMIN_PASSWORD=changeme # REQUIRED when using --profile observability; compose fails if unset
#
# Maintainer dashboards (in addition to the infra dashboard):
# • "Reviews & PRs (maintainer)" — per-repo + combined PR/review analytics (SQLite data source over the app DB).
# • "Claude usage (OTEL)" — cost/tokens/model/effort from the review CLI's OpenTelemetry export (see below).
# • "Resource hub" — links to every integrated service.
#
# Claude usage telemetry → OTEL collector → Prometheus → the Claude usage dashboard. OFF by default.
# CLAUDE_CODE_ENABLE_TELEMETRY=1 # enable; needs --profile observability (starts the otel-collector)
# OTEL_METRIC_EXPORT_INTERVAL=10000 # ms between metric exports (default 10s here; CLI default is 60s)
# OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318 # override only for an external collector
#
# Live upstream PR/issue census (the GitHub data source). Install is automatic (GF_INSTALL_PLUGINS); add the
# data source after Grafana is up with: ./scripts/setup-github-datasource.sh (reads GITHUB_TOKEN below).
# GITHUB_TOKEN=github_pat_xxx # read-only fine-grained PAT: Pull requests:read, Issues:read, Contents:read
#
# Discord notifications. Alertmanager → Discord (system/stack alerts) is configured in alertmanager/alertmanager.yml.
# The ENGINE posts a per-repo review summary when it publishes a review — set a per-repo map and/or a global fallback:
# DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/... # global fallback for any repo without its own
# DISCORD_REPO_WEBHOOKS={"owner/repoA":"https://discord.com/api/webhooks/...","owner/repoB":"https://..."} # per-repo
# --- AI review backend (optional; without it reviews run deterministically) ---
# AI_SUMMARIES_ENABLED=true
# AI_PROVIDER=ollama # ollama | openai-compatible | openai | anthropic | claude-code | codex.
#   A COMMA-LIST of TWO providers is a DUAL reviewer pair (e.g. "claude-code,codex") combined per
#   AI_COMBINE below; for a single provider it's just that one (extra entries are fallbacks).
# AI_COMBINE=synthesis # how two reviewers decide (#dual-ai-combiner): single | consensus | synthesis.
#   consensus = block only when BOTH flag a defect (lone flag → hold). synthesis (default for two) =
#   both review, then ONE merged decision. single = one reviewer's verdict (auto when 1).
# AI_ON_MERGE=either # synthesis merge rule: either (block if EITHER reviewer flags) | both (block only
#   when both do). Ignored unless AI_COMBINE=synthesis.
# AI_BASE_URL=http://ollama:11434/v1 # OpenAI-compatible endpoint (Ollama default; or your provider's)
# AI_API_KEY= # generic key for the openai-compatible endpoint
# ANTHROPIC_API_KEY= # for AI_PROVIDER=anthropic (native Messages API, BYOK)
# OPENAI_API_KEY= # for AI_PROVIDER=openai
# CLAUDE_CODE_OAUTH_TOKEN= # for AI_PROVIDER=claude-code (subscription; from `claude setup-token`)
#
# Codex (ChatGPT subscription) reviewer is disabled by default for self-host PR review: `codex exec` stores its
# OAuth credential in auth.json on the same filesystem that prompt-influenced reviews can read. Do not mount or copy
# ~/.codex/auth.json into the app container; use claude-code, an API-key provider, or a local OpenAI-compatible model.
# AI_MODEL=llama3.1 # the model for your provider (e.g. llama3.1 for Ollama, sonnet for claude-code,
#   gpt-5 for codex). Set it explicitly for non-Ollama providers: without it the adapter falls back to
#   a provider default, never the Cloudflare Workers-AI id the core would otherwise pass.
# AI_EMBED_MODEL=bge-m3 # embedding model for RAG (openai-compatible /embeddings). MUST be
#   1024-dimensional (e.g. bge-m3 or mxbai-embed-large via Ollama) unless QDRANT_DIM is changed to
#   match. Used only when RAG is enabled (GITTENSORY_REVIEW_RAG + allowlist).
# --- Gittensory Orb (#1255; ALWAYS-ON fleet-calibration telemetry) ---
# TELEMETRY NOTICE: running this self-hosted image contributes anonymized gate-calibration data to
# gittensory's central collector. This is ON BY DEFAULT; there is no opt-out flag other than ORB_AIR_GAP=true
# (below), which is meant for air-gapped deployments. It is part of the self-hosting contract: install the
# GitHub App, and your instance reports fleet-calibration signal so the gate can be tuned from real outcomes
# across all self-hosters. It activates automatically once your App is configured (no App = nothing is sent).
# The telemetry needs no separate Orb App install and no setup wizard of its own.
#
# WHAT IS SENT (per resolved PR, hourly): the gate verdict, the realized outcome (merged/closed), a reversal
# flag, a bucketed reason category, and cycle time. NEVER sent: repo/owner/PR names, commit SHAs, code,
# diffs, comments, or logins. With the default ORB_ANONYMIZE=true, repo/PR identifiers are replaced by HMAC
# pseudonyms computed with a DEDICATED, randomly-generated per-instance secret created once and stored in your
# instance's own database (never your App private key or webhook secret); the collector never holds that
# secret, so even gittensory (running the collector) cannot de-anonymize them.
# The export carries no shared key; the collector treats it as untrusted, rate-limited, aggregate-only data.
# ORB_AIR_GAP=false # set to true for air-gapped/OFFLINE deployments only: compute locally, never send
# ORB_ANONYMIZE=true # HMAC-hash repo/PR before export (default true). false exports raw repo/PR names and
#   voids the NEVER-sent guarantee above; leave it true.
# ORB_COLLECTOR_URL=https://gittensory-api.aethereal.dev/v1/orb/ingest # gittensory's hosted collector (default; override for your own)
#
# Token broker (optional): get GitHub tokens from the central Orb (you installed the Orb App) instead of running
# your own GitHub App. Set the enrollment secret the operator issued for your install; unset = use your own App key.
# ORB_ENROLLMENT_SECRET= # one-time enrollment secret (a secret — keep it out of version control)
# ORB_BROKER_URL=https://gittensory-api.aethereal.dev # the Orb broker base (default; override for a private deployment)