# {{project_name}} environment variables

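# Required
# Replace the placeholders with real values only in a local copy that stays
# out of version control; these entries are credentials.
# Get your license key at https://leafcraft.ai
# (Kept on its own line: not every env-file loader strips a trailing "# ..."
# comment, and some would make it part of the key.)
LEAFMESH_LICENSE_KEY=your-license-key-here
OPENAI_API_KEY=your-key-here
REDIS_HOST=localhost
REDIS_PORT=6379
# Blank in this template. Set a password whenever Redis is reachable from
# anything other than this machine.
REDIS_PASSWORD=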

# Alternative LLM Providers (uncomment to use)
# ANTHROPIC_API_KEY=your-anthropic-key
# GOOGLE_API_KEY=your-google-key
# DEEPSEEK_API_KEY=your-deepseek-key

# Microsoft Foundry / Azure AI (uncomment to use)
# AZURE_FOUNDRY_API_KEY=your-foundry-api-key
# Alternative to the API key: an Entra ID bearer token. Entra ID access tokens
# expire, so a value pasted here has to be refreshed.
# AZURE_FOUNDRY_TOKEN=your-entra-id-token

# External Integrations (uncomment when needed)
# COMPOSIO_API_KEY=your-composio-key
# ZAPIER_NLA_API_KEY=your-zapier-key
# N8N_BASE_URL=http://localhost:5678
# N8N_API_KEY=your-n8n-key
# CREWAI_API_KEY=your-crewai-key
# LANGGRAPH_API_URL=http://localhost:8123
# LANGGRAPH_API_KEY=your-langgraph-key

# Webhooks (for human agent interface)
# WEBHOOK_OUTBOUND_URL=https://your-webhook-endpoint.com
# WEBHOOK_TOKEN=your-webhook-token
# WEBHOOK_AUTH_TOKEN=your-inbound-auth-token

# API Server
# Default port is 18820. Change if running multiple projects locally.
# LEAFMESH_API_PORT=18820

# Observability
# Observability auto-enables with a valid LEAFMESH_LICENSE_KEY.
# LEAFMESH_ENV_TOKEN is your unique environment key (from https://leafcraft.ai).
# NOTE(review): presumably a credential for this environment — handle it like
# the API keys in this file and keep the real value out of version control.
LEAFMESH_ENV_TOKEN=your-env-token-here

# ────────────────────────────────────────────────────────────────────────
# Optional security / hardening knobs
# All have safe defaults — uncomment only when you need to tune them.
# ────────────────────────────────────────────────────────────────────────

# X-API-Key auth middleware. Default in the SDK is ON — every request to
# the API server must carry a valid X-API-Key header (validated against
# the LeafCraft auth backend). For LOCAL DEVELOPMENT WITHOUT INTERNET or
# without a real LeafCraft account yet, set to 0 to disable the middleware
# entirely (no header required, no backend call, requests pass through).
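# Never set LEAFMESH_AUTH_STRICT=0 in production, or on any host whose API port
# is reachable from other machines: with the middleware off, every caller is
# unauthenticated.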
# LEAFMESH_AUTH_STRICT=1

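# Cookie SameSite policy for SSE auth (HITL / evolution / trace streams).
# Default Lax = cookie sent on same-site requests and top-level navigations,
# but not on cross-site fetch / EventSource requests. Set to None when
# your frontend lives on a different host than the SDK (ADK Studio at
# app.example.com → SDK at api.example.com, or local dev with frontend
# on localhost:5173 → SDK on 127.0.0.1:18820). The SDK auto-flips
# Secure=true with None; loopback HTTP works because browsers treat
# 127.0.0.1 / localhost as secure contexts.
# With None the browser attaches the cookie to requests coming from any site,
# so SameSite no longer gives these endpoints CSRF protection; keep the origins
# allowed to make credentialed requests limited to your own frontend.
# NOTE(review): browsers treat subdomains of one registrable domain as
# same-site, so the app.example.com → api.example.com case may already work
# with Lax — confirm before switching to None.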
# LEAFMESH_SSE_COOKIE_SAMESITE=None

# OTel — span attribute redaction. Default ON (user input/output replaced
# with `<redacted bytes:N>` before export). Set to 0 to ship raw content
# (only for self-hosted OTel collectors with strict access control).
# LEAFMESH_OTEL_REDACT_PII=1

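# OTel content redaction toggle for the prompt-builder guardrail. Off-switch
# for the BEGIN/END_USER_MESSAGE / BEGIN/END_TOOL_RESULT delimiters: 0 (shown
# below) keeps the guardrail on, 1 turns it off. These delimiters presumably
# mark user and tool text as data inside the prompt, so turning them off
# weakens the separation between instructions and untrusted content.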
# LEAFMESH_DISABLE_PROMPT_GUARDRAIL=0

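# Webhook hardening (HMAC + replay protection).
# LEAFMESH_WEBHOOK_ALLOW_LEGACY_HMAC: set to 1 to keep accepting body-only
# HMAC during a migration window. Body-only signatures presumably carry no
# signed timestamp, so the replay check cannot cover them; return to 0 once
# every sender has migrated.
# LEAFMESH_WEBHOOK_ALLOW_LEGACY_HMAC=0
# LEAFMESH_WEBHOOK_REPLAY_SKEW_S=300
# LEAFMESH_WEBHOOK_RATE_LIMIT_MAX=60
# LEAFMESH_WEBHOOK_RATE_LIMIT_WINDOW_S=60
# Payload cap in bytes (1048576 = 1 MiB). The unit note sits on its own line
# so it cannot end up inside the value once the setting is uncommented.
# LEAFMESH_WEBHOOK_MAX_PAYLOAD_BYTES=1048576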

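# Knowledge ingest / query caps.
# Byte caps: 2097152 = 2 MiB per document, 52428800 = 50 MiB per ingest.
# Unit notes are kept off the value lines so they cannot end up inside the
# value once a setting is uncommented.
# LEAFMESH_KNOWLEDGE_MAX_DOCS_PER_INGEST=1000
# LEAFMESH_KNOWLEDGE_MAX_DOC_BYTES=2097152
# LEAFMESH_KNOWLEDGE_MAX_INGEST_TOTAL_BYTES=52428800
# LEAFMESH_KNOWLEDGE_QUERY_RATE_LIMIT_MAX=120
# LEAFMESH_KNOWLEDGE_QUERY_RATE_LIMIT_WINDOW_S=60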

# LLM hard timeout — prevents a stuck provider from pinning an agent slot.
# LEAFMESH_LLM_HARD_TIMEOUT_S=300

# Cron min-interval (seconds). Default 60s — schedules below this are rejected.
# LEAFMESH_CRON_MIN_INTERVAL_SECONDS=60

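# MCP subprocess allowlist (comma-separated absolute paths or basenames).
# Empty = warn-only at startup (nothing is blocked). Set to "*" for "any
# command" with explicit operator opt-in. Anything else acts as a strict
# allowlist. Prefer absolute paths: a basename entry presumably matches an
# executable of that name wherever it is found — confirm before relying on it.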
# LEAFMESH_MCP_COMMAND_ALLOWLIST=

# Teams adapter — fail-closed by default. Set to 1 only for local development
# behind a tunnel (production must wire a Bot Framework JWT validator).
# LEAFMESH_TEAMS_ALLOW_UNVERIFIED=0

# Conversation history hard byte cap (per session); 5242880 bytes = 5 MiB.
# LEAFMESH_MAX_SESSION_HISTORY_BYTES=5242880

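# Security headers.
# HSTS is only honoured by browsers on responses served over HTTPS.
# LEAFMESH_HSTS_ENABLED=1
# LEAFMESH_REFERRER_POLICY=no-referrer
# The CSP value is quoted because it contains spaces and semicolons; check that
# your env loader strips the outer double quotes (some pass them through).
# LEAFMESH_CSP="default-src 'none'; frame-ancestors 'none'; base-uri 'none'"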
