# ============================================================ # MedOS HuggingFace Space — full backend configuration # ============================================================ # # All values below are *bootstrap defaults*. Once the Space is running, # every secret marked (admin-rotatable) can also be edited from # Admin -> Server in the UI and is then persisted to /data/medos-config.json, # which survives restarts. # ============================================================ # --- LLM providers --- # # Fallback chain (lib/providers/index.ts): # 1. Groq — primary. Sub-second TTFT, llama-3.3-70b-versatile. # 2. OllaBridge — secondary. Multi-provider gateway with its own # Groq/Gemini/OpenRouter/HF/local-ollama routing. # 3. HF Inference — tertiary. Mostly 402 on the free tier today; kept # as a last resort. # Set at least one (Groq is recommended). All three may be set. # Groq — get a key at https://console.groq.com/keys (free tier). GROQ_API_KEY= # admin-rotatable GROQ_MODEL=llama-3.3-70b-versatile # optional override OLLABRIDGE_URL=https://ruslanmv-ollabridge.hf.space OLLABRIDGE_API_KEY=sk-ollabridge-your-key-here # admin-rotatable HF_TOKEN=hf_your-token-here # admin-rotatable DEFAULT_MODEL=free-best # --- Database (SQLite, persistent on HF Spaces /data/) --- # SQLite is the fallback driver. To run against Postgres (production), set # DATABASE_URL below — SQLite at DB_PATH is then ignored. DB_PATH=/data/medos.db # --- Database (Postgres, production primary) --- # When set and starting with postgres:// or postgresql://, the runtime # uses Postgres instead of SQLite. Neon: use the pooler endpoint. # Example: # postgresql://USER:PASS@ep-xxx-pooler.region.aws.neon.tech/neondb?sslmode=require # # Unset → SQLite at DB_PATH (development). # Unset AND NODE_ENV=production → the server refuses to start. # # No other DB knobs are needed; SSL, pool size, and statement timeout # all have sensible defaults baked in. DATABASE_URL= # --- Admin seed --- # First-run admin user. seedAdmin() creates this account on first boot. # Do NOT leave ADMIN_PASSWORD at the legacy "admin123456" default in # production. ADMIN_EMAIL=admin@medos.health ADMIN_PASSWORD= # --- Email (verification + password reset) --- # Pick ONE transport. They're tried in this order at runtime: # 1. RESEND_API_KEY → Resend HTTP API (recommended on serverless) # 2. SMTP_HOST + SMTP_USER + SMTP_PASS → nodemailer SMTP # 3. (nothing) → emails are logged to stdout only — they never # reach a real inbox. Useful for local dev, NEVER # leave this state in production (this is the # exact state that causes "Account created! Check # your email" with no email ever arriving). # # Resend setup: https://resend.com → API Keys → create → paste below. # Until you verify a sending domain, FROM_EMAIL must use onboarding@resend.dev # (Resend rejects other senders for unverified domains). RESEND_API_KEY= FROM_EMAIL=MedOS # SMTP fallback (only used if RESEND_API_KEY is unset). # SMTP_HOST=smtp.sendgrid.net # SMTP_PORT=587 # SMTP_USER=apikey # SMTP_PASS= # Verify the active transport at runtime by hitting (as an admin): # GET /api/admin/email-status # Used in the password-reset email's "Reset password" link. Set to the # canonical user-facing URL of your deployment (Vercel domain or HF Space URL). APP_URL=https://ruslanmv-medibot.hf.space # --- CORS (comma-separated Vercel frontend origins) --- ALLOWED_ORIGINS=https://your-vercel-app.vercel.app,http://localhost:3000 # --- Medicine Scanner proxy --- # Token with "Make calls to Inference Providers" permission. # Used SERVER-SIDE ONLY by /api/scan — never exposed to the browser, never # returned in any HTTP response body. Per-user quota and audit are enforced # server-side; see docs/USER_ISOLATION.md. # Create at: # https://huggingface.co/settings/tokens/new?ownUserPermissions=inference.serverless.write&tokenType=fineGrained HF_TOKEN_INFERENCE=hf_your-inference-token-here # admin-rotatable SCANNER_URL=https://ruslanmv-medicine-scanner.hf.space # admin-rotatable NEARBY_URL=https://ruslanmv-metaengine-nearby.hf.space # admin-rotatable # --- At-rest encryption key (for BYO user tokens, audit fields, etc.) --- # Strongly recommended in production. If unset, falls back to a key derived # from ADMIN_PASSWORD (development convenience only — NOT for production). # Generate with: openssl rand -hex 32 # ENCRYPTION_KEY= # --- Application --- NODE_ENV=production PORT=7860 # --- Grounded RAG (Phase 1 & 2) --- # All default OFF / safe. The keyword KB stays the fallback until the # corpus is ingested (scripts/ingest-corpus.ts or POST /api/admin/ingest). # See docs/RAG-PRODUCTION-DESIGN.md. RAG_HYBRID= # "true" -> retrieve from the versioned corpus (vector+FTS5) RAG_REQUIRE_EVIDENCE= # "true" -> defer clinical answers with no corpus hit RAG_FAITHFULNESS= # "true" -> risk-gated LLM faithfulness check RAG_FAITHFULNESS_MIN_RISK=R2 # minimum risk class to run the faithfulness check RAG_EMBED_MODEL=intfloat/multilingual-e5-base # HF feature-extraction model (768-dim, multilingual) RAG_TOPK=6 # chunks retrieved per turn RAG_MIN_SIM=0.72 # cosine floor for "real evidence" (e5-tuned) CORPUS_DIR= # override corpus dir (default ./data/corpus) CORPUS_VERSION= # explicit corpus version label (default UTC datestamp) INGEST_SECRET= # shared secret for POST /api/admin/ingest (unset = endpoint disabled)