forked from Priyanshu-byte-coder/devtrack
.env.example
112 lines (97 loc) · 5.1 KB
# -------------------------------------------------------
# Supabase
# Project Settings → API → Project URL
NEXT_PUBLIC_SUPABASE_URL=https://<project-ref>.supabase.co
# Project Settings → API → anon / public key
# Safe to ship to the browser ONLY because every request made with it is subject
# to Row Level Security: each API-exposed table must have RLS enabled and policies
# written, or this key can read and write it freely.
NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
# ⚠️ CRITICAL SECURITY WARNING ⚠️
# Project Settings → API → service_role secret (server-side only)
#
# This key bypasses ALL Supabase Row Level Security (RLS) policies.
# An attacker with access to this key has unrestricted read/write/delete access
# to every user's data in the database.
#
# SECURITY REQUIREMENTS:
# 1. NEVER use this in client-side code (React components, browser scripts)
# 2. NEVER commit this to version control
# 3. NEVER expose it via environment variables with NEXT_PUBLIC_ prefix
#    (Next.js inlines every NEXT_PUBLIC_* value into the browser bundle at build time)
# 4. Store only in server-side .env.local (not in git)
# 5. Use only in server-side API routes (@/src/app/api/*)
# 6. If leaked, rotate the key immediately in Supabase dashboard
#
# Leaked/compromised keys → Full database compromise (all user data at risk)
SUPABASE_SERVICE_ROLE_KEY=your_supabase_service_role_key
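The rules above (and the constraints stated further down this file for NEXTAUTH_URL, NEXTAUTH_SECRET, ENCRYPTION_KEY, CRON_SECRET, ALLOWED_ORIGINS and LEADERBOARD_USER_CONCURRENCY) are easy to check mechanically before a `.env.local` is ever loaded. The following is an added example, not code from the devtrack project: a small TypeScript checker that parses a dotenv file and reports each rule it breaks, including a service_role key hiding behind a `NEXT_PUBLIC_` name. Variable names and limits are taken from this file; the Supabase key formats it recognises (legacy JWT keys carrying a `role` claim, and the newer `sb_secret_` / `sb_publishable_` prefixes) are Supabase's documented formats. The sample environment at the bottom is constructed and contains no real credentials.

```typescript
// Added example, not code from the devtrack project: a CI / pre-commit check for a
// filled-in .env.local that enforces the rules this .env.example states. Variable
// names and limits come from this file; Supabase key formats are Supabase's own.
import { readFileSync } from "node:fs";

export type Finding = { key: string; message: string };

// Minimal dotenv parser: KEY=value, '#' comments, optional surrounding quotes.
export function parseDotenv(text: string): Map<string, string> {
  const vars = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    let value = line.slice(eq + 1).trim();
    const q = value.charAt(0);
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) value = value.slice(1, -1);
    vars.set(line.slice(0, eq).trim(), value);
  }
  return vars;
}

// Classify a Supabase API key as "anon" or "service_role"; null if it is neither.
export function supabaseRole(value: string): string | null {
  if (value.startsWith("sb_secret_")) return "service_role";
  if (value.startsWith("sb_publishable_")) return "anon";
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// True only for a bare http(s) origin: scheme and host[:port], no path, no trailing slash.
export function isBareOrigin(value: string): boolean {
  try {
    const u = new URL(value);
    return (u.protocol === "http:" || u.protocol === "https:") && u.origin === value;
  } catch {
    return false;
  }
}

const PLACEHOLDER = /^(your_|<)/; // the placeholder style used in this .env.example

export function checkEnv(vars: Map<string, string>): Finding[] {
  const out: Finding[] = [];
  const get = (k: string): string => vars.get(k) ?? "";
  const flag = (key: string, message: string): void => { out.push({ key, message }); };
  // 1. service_role must never sit behind the NEXT_PUBLIC_ prefix: Next.js inlines
  //    every NEXT_PUBLIC_* value into the JavaScript it ships to the browser.
  vars.forEach((value, key) => {
    if (!key.startsWith("NEXT_PUBLIC_")) return;
    if (supabaseRole(value) === "service_role" || (value !== "" && value === get("SUPABASE_SERVICE_ROLE_KEY"))) {
      flag(key, "holds a Supabase service_role key; it would ship to every browser");
    }
  });
  if (supabaseRole(get("SUPABASE_SERVICE_ROLE_KEY")) === "anon") {
    flag("SUPABASE_SERVICE_ROLE_KEY", "holds the anon key, not the service_role key");
  }
  // 2. Origins: absolute http(s) URL, no path, no trailing slash. NEXTAUTH_URL is required.
  for (const key of ["NEXTAUTH_URL", "NEXT_PUBLIC_APP_URL"]) {
    const v = get(key);
    if (v === "" ? key === "NEXTAUTH_URL" : !isBareOrigin(v)) flag(key, "must be a bare http(s) origin with no trailing slash");
  }
  for (const o of get("ALLOWED_ORIGINS").split(",").map((s) => s.trim()).filter((s) => s !== "")) {
    if (!isBareOrigin(o)) flag("ALLOWED_ORIGINS", `entry ${JSON.stringify(o)} is not a bare origin`);
  }
  // 3. Secrets that must exist and must not be the placeholders from this file.
  for (const key of ["NEXTAUTH_SECRET", "GITHUB_SECRET", "CRON_SECRET"]) {
    if (get(key) === "" || PLACEHOLDER.test(get(key))) flag(key, "is missing or still a placeholder");
  }
  // 4. ENCRYPTION_KEY: 32 bytes as hex, i.e. exactly 64 hex characters.
  if (!/^[0-9a-fA-F]{64}$/.test(get("ENCRYPTION_KEY"))) flag("ENCRYPTION_KEY", "must be exactly 64 hex characters (32 bytes)");
  // 5. LEADERBOARD_USER_CONCURRENCY: integer inside the documented safe range.
  const conc = get("LEADERBOARD_USER_CONCURRENCY");
  if (conc !== "" && !(/^\d+$/.test(conc) && Number(conc) >= 1 && Number(conc) <= 100)) {
    flag("LEADERBOARD_USER_CONCURRENCY", "must be an integer from 1 to 100");
  }
  return out;
}

export function checkEnvFile(path: string): Finding[] {
  return checkEnv(parseDotenv(readFileSync(path, "utf8")));
}

// Constructed sample (no real credentials) containing five of the mistakes above.
export const SAMPLE_ENV = `
NEXT_PUBLIC_SUPABASE_URL=https://abc123.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=sb_secret_pasted-the-wrong-key
SUPABASE_SERVICE_ROLE_KEY=sb_secret_pasted-the-wrong-key
NEXTAUTH_URL=https://devtrack-delta.vercel.app/
NEXTAUTH_SECRET=your_nextauth_secret
GITHUB_SECRET=0123456789abcdef0123456789abcdef
ENCRYPTION_KEY=deadbeef
CRON_SECRET=${"f".repeat(64)}
LEADERBOARD_USER_CONCURRENCY=500
`;
```

Run `checkEnvFile(".env.local")` from a pre-commit hook or CI step and fail the build when it returns any findings; on `SAMPLE_ENV` it reports the anon slot holding a secret key, the trailing slash on NEXTAUTH_URL, the placeholder NEXTAUTH_SECRET, the short ENCRYPTION_KEY and the out-of-range concurrency. The checker only reads the file it is given, so it cannot catch a service_role key that was pasted directly into a component; a secret scanner over the built client bundle covers that case.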
# -------------------------------------------------------
# NextAuth
# MUST match the deployed origin exactly (no trailing slash).
# Local: http://localhost:3000
# Production: https://devtrack-delta.vercel.app (set this in Vercel env vars)
# Wrong value causes OAuth callback URL mismatch → error=github on sign-in.
NEXTAUTH_URL=http://localhost:3000
# Public app URL (optional — only needed if your deployment platform sets
# NEXTAUTH_URL to something other than the canonical public origin).
# Must not have a trailing slash.
# NEXT_PUBLIC_APP_URL=https://devtrack-delta.vercel.app
# Secret NextAuth uses to encrypt session JWTs and sign its tokens. Server-side
# only; changing it invalidates every existing JWT session.
# Generate with: openssl rand -base64 32
NEXTAUTH_SECRET=your_nextauth_secret
# -------------------------------------------------------
# CSRF Allowed Origins (optional — used by CSRF middleware to validate Origin/Referer
# headers on state-changing POST/PUT/PATCH/DELETE API requests).
# Comma-separated list of origins that are allowed to make cross-origin requests.
# NEXTAUTH_URL and NEXT_PUBLIC_APP_URL are included automatically — you only need
# to add this if you have additional allowed origins (e.g. staging, custom domains).
# Example: ALLOWED_ORIGINS=https://staging.devtrack.app,https://devtrack.example.com
# ALLOWED_ORIGINS=
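An Origin/Referer check of the kind the CSRF comment above describes, written out as an added example (it is not the devtrack project's middleware). The allow-list is built the way the comment says: NEXTAUTH_URL and NEXT_PUBLIC_APP_URL are always included and ALLOWED_ORIGINS entries are appended. Two details are my choices rather than anything this file states: origins are normalised through the URL parser, so `https://host:443` and `https://host` compare equal, and a state-changing request that carries neither header is refused. The env values at the bottom are constructed to mirror this file.

```typescript
// Added example, not the devtrack project's middleware: Origin/Referer validation for
// state-changing requests, with the allow-list assembled as this .env.example describes.

export const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce a URL or origin string to its origin; null if not http(s) or not parseable.
// "Origin: null" (sandboxed frames, some referrer policies) also yields null here.
function toOrigin(value: string | undefined): string | null {
  if (!value) return null;
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

export function buildAllowList(env: Record<string, string | undefined>): Set<string> {
  const allow = new Set<string>();
  const candidates = [env.NEXTAUTH_URL, env.NEXT_PUBLIC_APP_URL, ...(env.ALLOWED_ORIGINS ?? "").split(",")];
  for (const c of candidates) {
    const o = toOrigin(c?.trim());
    if (o) allow.add(o);
  }
  return allow;
}

export type CsrfVerdict = { allowed: boolean; reason: string };

// headers: header names in lower case, as Next.js exposes them.
export function checkCsrf(method: string, headers: Record<string, string | undefined>, allow: Set<string>): CsrfVerdict {
  if (!STATE_CHANGING.has(method.toUpperCase())) return { allowed: true, reason: "safe method" };
  // Origin wins when present: per the Fetch spec browsers send it on every request
  // whose method is not GET or HEAD. Fall back to Referer only when Origin is absent or "null".
  const origin = toOrigin(headers["origin"]);
  if (origin) {
    return allow.has(origin)
      ? { allowed: true, reason: `origin ${origin} allowed` }
      : { allowed: false, reason: `origin ${origin} not in allow-list` };
  }
  const referer = toOrigin(headers["referer"]);
  if (referer) {
    return allow.has(referer)
      ? { allowed: true, reason: `referer ${referer} allowed` }
      : { allowed: false, reason: `referer ${referer} not in allow-list` };
  }
  // Neither header: the request cannot be attributed to a site, so refuse it (my choice).
  return { allowed: false, reason: "no Origin or Referer header" };
}

// Constructed values mirroring this .env.example (not real deployments).
export const EXAMPLE_ALLOW = buildAllowList({
  NEXTAUTH_URL: "http://localhost:3000",
  NEXT_PUBLIC_APP_URL: "https://devtrack-delta.vercel.app",
  ALLOWED_ORIGINS: "https://staging.devtrack.app, https://devtrack.example.com",
});
```

Refusing requests that carry neither header is the safe default for cookie-authenticated routes; if non-browser clients call the same API with a bearer token (the cron endpoints below do), exempt those routes explicitly rather than loosening this check.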
# -------------------------------------------------------
# GitHub OAuth App
# github.com/settings/applications/new → Client ID
# Register the app's Authorization callback URL as <NEXTAUTH_URL>/api/auth/callback/github
# (the path NextAuth's GitHub provider uses); a mismatch produces the error=github above.
GITHUB_ID=your_github_oauth_client_id
# github.com/settings/applications/new → Client Secret
GITHUB_SECRET=your_github_oauth_client_secret
# -------------------------------------------------------
# GitHub Webhook (optional — enables real-time metric refresh on push)
# Must match the secret entered on the repository webhook. GitHub uses it to
# HMAC-SHA256 sign every delivery (X-Hub-Signature-256 header), so the receiving
# endpoint can reject deliveries that did not come from GitHub.
# Generate with: openssl rand -hex 32
GITHUB_WEBHOOK_SECRET=your_github_webhook_secret
# -------------------------------------------------------
# GitHub Personal Access Token (optional — increases API rate limits)
# github.com/settings/tokens → Fine-grained or classic PAT
# Grant read access only; any valid token raises the rate limit, and a leaked
# token carries every scope it was given.
GITHUB_TOKEN=your_github_personal_access_token
# -------------------------------------------------------
# Encryption key — required for OAuth token encryption in src/lib/crypto.ts
# Without this the app crashes on first OAuth callback
# Must be exactly 32 bytes encoded as 64 hex characters. Changing it makes tokens
# already encrypted under the old key unreadable.
# Generate with: openssl rand -hex 32
ENCRYPTION_KEY=your_32_byte_hex_encryption_key
# -------------------------------------------------------
# Upstash Redis (optional — used for caching; app degrades gracefully without it)
# upstash.com → Create Database → REST API
UPSTASH_REDIS_REST_URL=your_upstash_redis_rest_url
UPSTASH_REDIS_REST_TOKEN=your_upstash_redis_rest_token
# -------------------------------------------------------
# Anthropic (optional — enables the "Generate Summary" button in the weekly
# digest card, which produces a 2-3 sentence natural-language summary of the
# user's week using claude-haiku-4-5-20251001).
# Without this key the button is hidden and the rest of the widget functions
# normally. Rate limited to one generation per user per 24 hours.
# console.anthropic.com -> API Keys
# ANTHROPIC_API_KEY=sk-ant-...
# -------------------------------------------------------
# Groq API Key (optional — enables AI-generated weekly summaries in the
# AI Mentor widget using Llama-3).
# console.groq.com → API Keys
GROQ_API_KEY=your_groq_api_key
# -------------------------------------------------------
# Leaderboard Configuration
# Controls concurrent user fetches during leaderboard builds
# Safe range: 1-100 (default: 5)
# Higher values = faster builds but more resource usage
# WARNING: Do not exceed 100 without load testing — risks memory exhaustion
LEADERBOARD_USER_CONCURRENCY=5
# -------------------------------------------------------
# Cron / Scheduled-sync endpoints
# Shared secret supplied by the scheduler (e.g. Vercel Cron) in every request:
# Authorization: Bearer <CRON_SECRET>
# Required in ALL environments - cron routes fail closed when this is absent.
# Local development: set any non-empty value and pass the matching header when
# calling a sync endpoint manually (e.g. curl -H "Authorization: Bearer ...").
# Generate with: openssl rand -hex 32
CRON_SECRET=your_cron_secret
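GITHUB_WEBHOOK_SECRET and CRON_SECRET are both shared secrets that an inbound request must prove it holds, so they are shown together in one added example (not the devtrack project's route code). GitHub signs each webhook delivery with HMAC-SHA256 over the raw request body and sends `sha256=<hex>` in the `X-Hub-Signature-256` header; the scheduler sends `Authorization: Bearer <CRON_SECRET>` as described above. Both verifiers fail closed when the secret is not configured and compare in constant time; hashing both sides before `timingSafeEqual` is my choice so that the mandatory length check leaks nothing about the secret. The fixtures at the bottom are constructed, not real secrets or deliveries.

```typescript
// Added example, not the devtrack project's code: verifying the two inbound shared
// secrets defined in this .env.example. GitHub's signature scheme is its documented one;
// the hash-before-compare step is an assumption of this example, not of the project.
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Compare two strings without leaking where they differ or how long they are:
// hash both to fixed-length digests, then compare those in constant time.
function equalSecret(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}

// What GitHub computes for a delivery; used here only to build local fixtures.
export function signGithubPayload(rawBody: string | Buffer, secret: string): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Verify over the *raw* body bytes: re-serialising parsed JSON changes the bytes
// and therefore the signature.
export function verifyGithubWebhook(
  rawBody: string | Buffer,
  signatureHeader: string | undefined,
  secret: string | undefined,
): boolean {
  if (!secret || !signatureHeader) return false; // unset secret or unsigned delivery: refuse
  return equalSecret(signatureHeader, signGithubPayload(rawBody, secret));
}

export function verifyCronBearer(authorizationHeader: string | undefined, secret: string | undefined): boolean {
  if (!secret) return false; // CRON_SECRET absent: fail closed, as the comment above requires
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader ?? ""); // scheme name is case-insensitive
  return m !== null && equalSecret(m[1] ?? "", secret);
}

// Constructed fixtures (not real secrets or deliveries).
export const SAMPLE_SECRET = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
export const SAMPLE_BODY = JSON.stringify({ ref: "refs/heads/main", repository: { full_name: "example/devtrack" } });
```

In a Next.js route handler, read the body with `request.text()` (not `request.json()`) and pass that string to `verifyGithubWebhook` so the bytes GitHub signed are the bytes you verify; only parse the JSON after the signature checks out.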