MediBot / .env.example
github-actions[bot]
Deploy MedOS Global from 956ae78f
e3e3e14
Raw
History Blame Contribute Delete
5.85 kB
# ============================================================
# MedOS HuggingFace Space — full backend configuration
# ============================================================
#
# All values below are *bootstrap defaults*. Once the Space is running,
# every secret marked (admin-rotatable) can also be edited from
# Admin -> Server in the UI and is then persisted to /data/medos-config.json,
# which survives restarts.
# ============================================================
# --- LLM providers ---
#
# Fallback chain (lib/providers/index.ts):
# 1. Groq — primary. Sub-second TTFT, llama-3.3-70b-versatile.
# 2. OllaBridge — secondary. Multi-provider gateway with its own
# Groq/Gemini/OpenRouter/HF/local-ollama routing.
# 3. HF Inference — tertiary. Mostly 402 on the free tier today; kept
# as a last resort.
# Set at least one (Groq is recommended). All three may be set.
# Groq — get a key at https://console.groq.com/keys (free tier).
GROQ_API_KEY= # admin-rotatable
GROQ_MODEL=llama-3.3-70b-versatile # optional override
OLLABRIDGE_URL=https://ruslanmv-ollabridge.hf.space
OLLABRIDGE_API_KEY=sk-ollabridge-your-key-here # admin-rotatable
HF_TOKEN=hf_your-token-here # admin-rotatable
DEFAULT_MODEL=free-best
# --- Database (SQLite, persistent on HF Spaces /data/) ---
# SQLite is the fallback driver. To run against Postgres (production), set
# DATABASE_URL below — SQLite at DB_PATH is then ignored.
DB_PATH=/data/medos.db
# --- Database (Postgres, production primary) ---
# When set and starting with postgres:// or postgresql://, the runtime
# uses Postgres instead of SQLite. Neon: use the pooler endpoint.
# Example:
# postgresql://USER:PASS@ep-xxx-pooler.region.aws.neon.tech/neondb?sslmode=require
#
# Unset → SQLite at DB_PATH (development).
# Unset AND NODE_ENV=production → the server refuses to start.
#
# No other DB knobs are needed; SSL, pool size, and statement timeout
# all have sensible defaults baked in.
DATABASE_URL=
# --- Admin seed ---
# First-run admin user. seedAdmin() creates this account on first boot.
# Do NOT leave ADMIN_PASSWORD at the legacy "admin123456" default in
# production.
ADMIN_EMAIL=admin@medos.health
ADMIN_PASSWORD=
# --- Email (verification + password reset) ---
# Pick ONE transport. They're tried in this order at runtime:
# 1. RESEND_API_KEY → Resend HTTP API (recommended on serverless)
# 2. SMTP_HOST + SMTP_USER + SMTP_PASS → nodemailer SMTP
# 3. (nothing) → emails are logged to stdout only — they never
# reach a real inbox. Useful for local dev, NEVER
# leave this state in production (this is the
# exact state that causes "Account created! Check
# your email" with no email ever arriving).
#
# Resend setup: https://resend.com → API Keys → create → paste below.
# Until you verify a sending domain, FROM_EMAIL must use onboarding@resend.dev
# (Resend rejects other senders for unverified domains).
RESEND_API_KEY=
FROM_EMAIL=MedOS <onboarding@resend.dev>
# SMTP fallback (only used if RESEND_API_KEY is unset).
# SMTP_HOST=smtp.sendgrid.net
# SMTP_PORT=587
# SMTP_USER=apikey
# SMTP_PASS=
# Verify the active transport at runtime by hitting (as an admin):
# GET /api/admin/email-status
# Used in the password-reset email's "Reset password" link. Set to the
# canonical user-facing URL of your deployment (Vercel domain or HF Space URL).
APP_URL=https://ruslanmv-medibot.hf.space
# --- CORS (comma-separated Vercel frontend origins) ---
ALLOWED_ORIGINS=https://your-vercel-app.vercel.app,http://localhost:3000
# --- Medicine Scanner proxy ---
# Token with "Make calls to Inference Providers" permission.
# Used SERVER-SIDE ONLY by /api/scan — never exposed to the browser, never
# returned in any HTTP response body. Per-user quota and audit are enforced
# server-side; see docs/USER_ISOLATION.md.
# Create at:
# https://huggingface.co/settings/tokens/new?ownUserPermissions=inference.serverless.write&tokenType=fineGrained
HF_TOKEN_INFERENCE=hf_your-inference-token-here # admin-rotatable
SCANNER_URL=https://ruslanmv-medicine-scanner.hf.space # admin-rotatable
NEARBY_URL=https://ruslanmv-metaengine-nearby.hf.space # admin-rotatable
# --- At-rest encryption key (for BYO user tokens, audit fields, etc.) ---
# Strongly recommended in production. If unset, falls back to a key derived
# from ADMIN_PASSWORD (development convenience only — NOT for production).
# Generate with: openssl rand -hex 32
# ENCRYPTION_KEY=
# --- Application ---
NODE_ENV=production
PORT=7860
# --- Grounded RAG (Phase 1 & 2) ---
# All default OFF / safe. The keyword KB stays the fallback until the
# corpus is ingested (scripts/ingest-corpus.ts or POST /api/admin/ingest).
# See docs/RAG-PRODUCTION-DESIGN.md.
RAG_HYBRID= # "true" -> retrieve from the versioned corpus (vector+FTS5)
RAG_REQUIRE_EVIDENCE= # "true" -> defer clinical answers with no corpus hit
RAG_FAITHFULNESS= # "true" -> risk-gated LLM faithfulness check
RAG_FAITHFULNESS_MIN_RISK=R2 # minimum risk class to run the faithfulness check
RAG_EMBED_MODEL=intfloat/multilingual-e5-base # HF feature-extraction model (768-dim, multilingual)
RAG_TOPK=6 # chunks retrieved per turn
RAG_MIN_SIM=0.72 # cosine floor for "real evidence" (e5-tuned)
CORPUS_DIR= # override corpus dir (default ./data/corpus)
CORPUS_VERSION= # explicit corpus version label (default UTC datestamp)
INGEST_SECRET= # shared secret for POST /api/admin/ingest (unset = endpoint disabled)