| # ============================================================ | |
| # MedOS HuggingFace Space — full backend configuration | |
| # ============================================================ | |
| # | |
| # All values below are *bootstrap defaults*. Once the Space is running, | |
| # every secret marked (admin-rotatable) can also be edited from | |
| # Admin -> Server in the UI and is then persisted to /data/medos-config.json, | |
| # which survives restarts. | |
| # ============================================================ | |
| # --- LLM providers --- | |
| # | |
| # Fallback chain (lib/providers/index.ts): | |
| # 1. Groq — primary. Sub-second TTFT, llama-3.3-70b-versatile. | |
| # 2. OllaBridge — secondary. Multi-provider gateway with its own | |
| # Groq/Gemini/OpenRouter/HF/local-ollama routing. | |
| # 3. HF Inference — tertiary. Mostly 402 on the free tier today; kept | |
| # as a last resort. | |
| # Set at least one (Groq is recommended). All three may be set. | |
| # Groq — get a key at https://console.groq.com/keys (free tier). | |
| GROQ_API_KEY= # admin-rotatable | |
| GROQ_MODEL=llama-3.3-70b-versatile # optional override | |
| OLLABRIDGE_URL=https://ruslanmv-ollabridge.hf.space | |
| OLLABRIDGE_API_KEY=sk-ollabridge-your-key-here # admin-rotatable | |
| HF_TOKEN=hf_your-token-here # admin-rotatable | |
| DEFAULT_MODEL=free-best | |
| # --- Database (SQLite, persistent on HF Spaces /data/) --- | |
| # SQLite is the fallback driver. To run against Postgres (production), set | |
| # DATABASE_URL below — SQLite at DB_PATH is then ignored. | |
| DB_PATH=/data/medos.db | |
| # --- Database (Postgres, production primary) --- | |
| # When set and starting with postgres:// or postgresql://, the runtime | |
| # uses Postgres instead of SQLite. Neon: use the pooler endpoint. | |
| # Example: | |
| # postgresql://USER:PASS@ep-xxx-pooler.region.aws.neon.tech/neondb?sslmode=require | |
| # | |
| # Unset → SQLite at DB_PATH (development). | |
| # Unset AND NODE_ENV=production → the server refuses to start. | |
| # | |
| # No other DB knobs are needed; SSL, pool size, and statement timeout | |
| # all have sensible defaults baked in. | |
| DATABASE_URL= | |
| # --- Admin seed --- | |
| # First-run admin user. seedAdmin() creates this account on first boot. | |
| # Do NOT leave ADMIN_PASSWORD at the legacy "admin123456" default in | |
| # production. | |
| ADMIN_EMAIL=admin@medos.health | |
| ADMIN_PASSWORD= | |
| # --- Email (verification + password reset) --- | |
| # Pick ONE transport. They're tried in this order at runtime: | |
| # 1. RESEND_API_KEY → Resend HTTP API (recommended on serverless) | |
| # 2. SMTP_HOST + SMTP_USER + SMTP_PASS → nodemailer SMTP | |
| # 3. (nothing) → emails are logged to stdout only — they never | |
| # reach a real inbox. Useful for local dev, NEVER | |
| # leave this state in production (this is the | |
| # exact state that causes "Account created! Check | |
| # your email" with no email ever arriving). | |
| # | |
| # Resend setup: https://resend.com → API Keys → create → paste below. | |
| # Until you verify a sending domain, FROM_EMAIL must use onboarding@resend.dev | |
| # (Resend rejects other senders for unverified domains). | |
| RESEND_API_KEY= | |
| FROM_EMAIL=MedOS <onboarding@resend.dev> | |
| # SMTP fallback (only used if RESEND_API_KEY is unset). | |
| # SMTP_HOST=smtp.sendgrid.net | |
| # SMTP_PORT=587 | |
| # SMTP_USER=apikey | |
| # SMTP_PASS= | |
| # Verify the active transport at runtime by hitting (as an admin): | |
| # GET /api/admin/email-status | |
| # Used in the password-reset email's "Reset password" link. Set to the | |
| # canonical user-facing URL of your deployment (Vercel domain or HF Space URL). | |
| APP_URL=https://ruslanmv-medibot.hf.space | |
| # --- CORS (comma-separated Vercel frontend origins) --- | |
| ALLOWED_ORIGINS=https://your-vercel-app.vercel.app,http://localhost:3000 | |
| # --- Medicine Scanner proxy --- | |
| # Token with "Make calls to Inference Providers" permission. | |
| # Used SERVER-SIDE ONLY by /api/scan — never exposed to the browser, never | |
| # returned in any HTTP response body. Per-user quota and audit are enforced | |
| # server-side; see docs/USER_ISOLATION.md. | |
| # Create at: | |
| # https://huggingface.co/settings/tokens/new?ownUserPermissions=inference.serverless.write&tokenType=fineGrained | |
| HF_TOKEN_INFERENCE=hf_your-inference-token-here # admin-rotatable | |
| SCANNER_URL=https://ruslanmv-medicine-scanner.hf.space # admin-rotatable | |
| NEARBY_URL=https://ruslanmv-metaengine-nearby.hf.space # admin-rotatable | |
| # --- At-rest encryption key (for BYO user tokens, audit fields, etc.) --- | |
| # Strongly recommended in production. If unset, falls back to a key derived | |
| # from ADMIN_PASSWORD (development convenience only — NOT for production). | |
| # Generate with: openssl rand -hex 32 | |
| # ENCRYPTION_KEY= | |
| # --- Application --- | |
| NODE_ENV=production | |
| PORT=7860 | |
| # --- Grounded RAG (Phase 1 & 2) --- | |
| # All default OFF / safe. The keyword KB stays the fallback until the | |
| # corpus is ingested (scripts/ingest-corpus.ts or POST /api/admin/ingest). | |
| # See docs/RAG-PRODUCTION-DESIGN.md. | |
| RAG_HYBRID= # "true" -> retrieve from the versioned corpus (vector+FTS5) | |
| RAG_REQUIRE_EVIDENCE= # "true" -> defer clinical answers with no corpus hit | |
| RAG_FAITHFULNESS= # "true" -> risk-gated LLM faithfulness check | |
| RAG_FAITHFULNESS_MIN_RISK=R2 # minimum risk class to run the faithfulness check | |
| RAG_EMBED_MODEL=intfloat/multilingual-e5-base # HF feature-extraction model (768-dim, multilingual) | |
| RAG_TOPK=6 # chunks retrieved per turn | |
| RAG_MIN_SIM=0.72 # cosine floor for "real evidence" (e5-tuned) | |
| CORPUS_DIR= # override corpus dir (default ./data/corpus) | |
| CORPUS_VERSION= # explicit corpus version label (default UTC datestamp) | |
| INGEST_SECRET= # shared secret for POST /api/admin/ingest (unset = endpoint disabled) | |