.env.example (5343B)
# example configuration for the myc service, described in the discovery metadata
# below as a Radroots NIP-46 signer
# this template holds selectors, paths and identifiers only; no key material or
# passphrase appears in it
MYC_PATHS_PROFILE=service_host
# repo-owned local runs should prefer the root .env.local control plane, which derives
# MYC_PATHS_PROFILE=repo_local and MYC_PATHS_REPO_LOCAL_ROOT automatically
# or pass `--env-file` to point at a specific config artifact
MYC_SERVICE_INSTANCE_NAME=myc
MYC_LOGGING_FILTER=info,myc=info
MYC_LOGGING_STDOUT=true
# NOTE(review): timeout in seconds, presumably applied to the external_command
# signer helper described below - confirm against the custody code
MYC_CUSTODY_EXTERNAL_COMMAND_TIMEOUT_SECS=10

# The canonical control plane is profile/root selection:
# MYC_PATHS_PROFILE selects interactive_user, service_host, or repo_local
# MYC_PATHS_REPO_LOCAL_ROOT selects the repo-local root when profile=repo_local
# The leaf path keys below remain supported as config-file compatibility
# overrides for fixture, migration, and break-glass use; do not export them as
# the normal process-env control plane.
# service_host defaults are derived by the shared runtime path resolver.
# leave explicit leaf path variables commented unless this config artifact is
# intentionally overriding a profile-derived location

# signer identity custody; encrypted_file is the value this template ships
MYC_IDENTITY_SIGNER_BACKEND=encrypted_file
# shared backends: encrypted_file, host_vault, external_command, plaintext_file
# runtime-specific custody mode: managed_account
# encrypted_file and plaintext_file: identity file path
# host_vault: set *_KEYRING_ACCOUNT_ID and *_KEYRING_SERVICE_NAME
# managed_account: account store file path layered over host-vault-backed custody primitives
# external_command: signer helper executable path
# NOTE(review): plaintext_file presumably leaves the identity unencrypted on
# disk; treat it as a fixture/dev choice unless the loader shows otherwise
# NOTE(review): with external_command the path names an executable the service
# runs; the helper and its parent directories should not be writable by
# accounts other than the service owner
# MYC_IDENTITY_SIGNER_PATH=
MYC_IDENTITY_SIGNER_KEYRING_ACCOUNT_ID=
# host_vault and managed_account both require a non-empty keyring service name
MYC_IDENTITY_SIGNER_KEYRING_SERVICE_NAME=org.radroots.myc.signer
MYC_IDENTITY_SIGNER_PROFILE_PATH=

# user identity custody; same backend choices and caveats as the signer identity
MYC_IDENTITY_USER_BACKEND=encrypted_file
# shared backends: encrypted_file, host_vault, external_command, plaintext_file
# runtime-specific custody mode: managed_account
# encrypted_file and plaintext_file: identity file path
# host_vault: set *_KEYRING_ACCOUNT_ID and *_KEYRING_SERVICE_NAME
# managed_account: account store file path layered over host-vault-backed custody primitives
# external_command: signer helper executable path
# MYC_IDENTITY_USER_PATH=
MYC_IDENTITY_USER_KEYRING_ACCOUNT_ID=
MYC_IDENTITY_USER_KEYRING_SERVICE_NAME=org.radroots.myc.user
MYC_IDENTITY_USER_PROFILE_PATH=

# production path: use sqlite for both backends
# legacy local/dev path: keep json_file + jsonl_file
# NOTE(review): this template selects the service_host profile yet ships the
# legacy local/dev backends below; a production host should follow the
# production line above for both keys
MYC_PERSISTENCE_SIGNER_STATE_BACKEND=json_file
MYC_PERSISTENCE_RUNTIME_AUDIT_BACKEND=jsonl_file

# NOTE(review): as named, these bound audit reads and audit file rotation; if
# rotation works as the names suggest, 262144 bytes x (8 archived + 1 active)
# is about 2.25 MiB of audit history - size this against the retention an
# incident investigation would need
MYC_AUDIT_DEFAULT_READ_LIMIT=200
MYC_AUDIT_MAX_ACTIVE_FILE_BYTES=262144
MYC_AUDIT_MAX_ARCHIVED_FILES=8

# observability is off in this template and the bind address is loopback-only
# NOTE(review): nothing here shows authentication on this listener; if it is
# enabled, keep it on loopback or behind an authenticating proxy
MYC_OBSERVABILITY_ENABLED=false
MYC_OBSERVABILITY_BIND_ADDR=127.0.0.1:9460

MYC_DISCOVERY_ENABLED=true
MYC_DISCOVERY_DOMAIN=myc.radroots.org
MYC_DISCOVERY_HANDLER_IDENTIFIER=myc
# NOTE(review): the discovery app backend is left empty although discovery is
# enabled; what an empty value falls back to is not shown here - confirm
MYC_IDENTITY_DISCOVERY_APP_BACKEND=
# shared backends: encrypted_file, host_vault, external_command, plaintext_file
# runtime-specific custody mode: managed_account
# encrypted_file and plaintext_file: identity file path
# host_vault: set *_KEYRING_ACCOUNT_ID and *_KEYRING_SERVICE_NAME
# managed_account: account store file path layered over host-vault-backed custody primitives
# external_command: signer helper executable path
# MYC_IDENTITY_DISCOVERY_APP_PATH=
MYC_IDENTITY_DISCOVERY_APP_KEYRING_ACCOUNT_ID=
MYC_IDENTITY_DISCOVERY_APP_KEYRING_SERVICE_NAME=org.radroots.myc.discovery
MYC_IDENTITY_DISCOVERY_APP_PROFILE_PATH=
# ws:// is WebSocket without TLS; the loopback relay used here suits local runs,
# relays reached over a network should be given as wss://
MYC_DISCOVERY_PUBLIC_RELAY_URLS=ws://127.0.0.1:8080
MYC_DISCOVERY_PUBLISH_RELAY_URLS=ws://127.0.0.1:8080
MYC_DISCOVERY_NOSTR_CONNECT_URL_TEMPLATE=https://myc.radroots.org/connect?uri=<nostrconnect>
# MYC_DISCOVERY_NIP05_OUTPUT_PATH=
MYC_DISCOVERY_METADATA_NAME=myc
MYC_DISCOVERY_METADATA_DISPLAY_NAME=Radroots Signer
MYC_DISCOVERY_METADATA_ABOUT=Radroots NIP-46 signer
MYC_DISCOVERY_METADATA_WEBSITE=https://radroots.org
MYC_DISCOVERY_METADATA_PICTURE=

# connection approval mode; explicit_user is the value this template ships
MYC_POLICY_CONNECTION_APPROVAL=explicit_user
# comma-separated nostr pubkeys that should auto-connect
# NOTE(review): entries here presumably skip the explicit_user approval step;
# keep the list short and reviewed
# MYC_POLICY_TRUSTED_CLIENT_PUBKEYS=
# comma-separated nostr pubkeys that should always be denied
# MYC_POLICY_DENIED_CLIENT_PUBKEYS=
# comma-separated permission ceiling, for example: nip44_encrypt,sign_event:1
# NOTE(review): what applies when the ceiling and the allowed kinds are unset
# is not shown here; set both to the narrowest set clients need rather than
# relying on the default
# MYC_POLICY_PERMISSION_CEILING=
# comma-separated sign_event kinds allowed by policy, for example: 1,7
# MYC_POLICY_ALLOWED_SIGN_EVENT_KINDS=
# set MYC_POLICY_AUTH_URL to enable automatic auth challenge policy for trusted sessions
# MYC_POLICY_AUTH_URL=https://myc.radroots.org/auth/challenge
MYC_POLICY_AUTH_PENDING_TTL_SECS=900
# set these when automatic auth challenge policy should expire trusted sessions
# NOTE(review): both are commented out, so trusted sessions presumably do not
# expire unless they are set - confirm
# MYC_POLICY_AUTHORIZED_TTL_SECS=3600
# MYC_POLICY_REAUTH_AFTER_INACTIVITY_SECS=600
# optional per-client connect attempt throttle
# NOTE(review): this throttle and the auth challenge throttle below are
# commented out, so presumably inactive by default - confirm, and consider
# enabling them when the relays are reachable by untrusted clients
# MYC_POLICY_CONNECT_RATE_LIMIT_WINDOW_SECS=60
# MYC_POLICY_CONNECT_RATE_LIMIT_MAX_ATTEMPTS=5
# optional per-client automatic auth challenge issuance throttle
# MYC_POLICY_AUTH_CHALLENGE_RATE_LIMIT_WINDOW_SECS=120
# MYC_POLICY_AUTH_CHALLENGE_RATE_LIMIT_MAX_ATTEMPTS=3

MYC_TRANSPORT_ENABLED=true
MYC_TRANSPORT_CONNECT_TIMEOUT_SECS=10
# ws:// is WebSocket without TLS; keep it to the loopback relay and use wss://
# for any relay reached over a network
MYC_TRANSPORT_RELAY_URLS=ws://127.0.0.1:8080
MYC_TRANSPORT_DELIVERY_POLICY=any
# set MYC_TRANSPORT_DELIVERY_QUORUM when MYC_TRANSPORT_DELIVERY_POLICY=quorum
# MYC_TRANSPORT_DELIVERY_QUORUM=2
MYC_TRANSPORT_PUBLISH_MAX_ATTEMPTS=1
MYC_TRANSPORT_PUBLISH_INITIAL_BACKOFF_MS=250
MYC_TRANSPORT_PUBLISH_MAX_BACKOFF_MS=2000