.env.example

# ipfs-gate v0.1 — environment configuration
# Copy this file to .env and fill in the real values. NEVER commit .env.

# ─── Identity + payment ──────────────────────────────────────────────────────
# Dedicated Hive account for ipfs-gate. Should NOT be shared with v4call's
# SERVER_HIVE_ACCOUNT or ESCROW_ACCOUNT — separate accounting + security blast
# radius. Operators: create a new Hive account, fund it with a few HBD for
# refunds + Resource Credit headroom.
IPFS_GATE_HIVE_ACCOUNT=

# Active private key for the above account. Used to issue refunds (v1: pro-rata
# refund-on-cancel broadcasts with this key). KEY-OPTIONAL: if left blank the
# gate still boots — refunds are recorded `pending` in the refund ledger and the
# operator settles them manually (transfer + POST /admin/log-refund). Set it to
# enable automatic on-chain refunds.
# CRITICAL: never log, never commit, never share.
IPFS_GATE_ACTIVE_KEY=

# Password for /admin/* endpoints. Send as `Authorization: Bearer <key>`.
# Example: openssl rand -hex 32
ADMIN_KEY=change-me-to-something-random

# ─── Pricing (v1 — claim-based MB-hour) ──────────────────────────────────────
# v1 replaces the flat per-upload fee with a per-claim quote computed at /reserve:
#   total = ceil(MB) × max(ceil(hours),1) × rate × copies        (decimal MB)
# The rate is locked onto the claim at purchase (never retro-billed) and drives
# both the charge and the pro-rata refund. See PRICING-V1-DESIGN-NOTES.md.
PAYMENT_CURRENCY=CNOOBS
# coins (of PAYMENT_CURRENCY) per MB per hour. TEST placeholder is 1; tune from
# real data. NOTE: the design placeholder currency is the valueless TEST token.
PRICE_RATE_PER_MB_HOUR=1
# 1-hour minimum (the billable_hrs floor — also the implicit anti-spam floor).
PRICE_MIN_HOURS=1
# Decimal MB: bytes / 1,000,000. Confirmed (PRICING-V1 §9). Don't change lightly.
MB_DIVISOR=1000000
# Number of storage nodes — caps the copies selector (1..NODE_COUNT). v1 = 1
# (single Kubo node). Raise only when an IPFS Cluster with N peers is live.
NODE_COUNT=1
# IPFS-Cluster self-heal leeway: replication_factor_min = copies − leeway (≥1),
# so a brief peer blip doesn't trigger a repin storm. Only matters when NODE_COUNT>1.
REPLICATION_LEEWAY=2
# Below this refund amount, don't auto-refund (dust / RC drain).
MIN_REFUND=0.05
# Universal precision floor (the v4call lesson) — the gate must be able to
# actually charge/refund at the precision it quotes. Derives the rounding places.
RATE_FLOOR=0.001
# Dormant-backstop cancel fee (anti-churn). Charged only on a user-initiated
# dormant cancel; admin-forced voids charge nothing.
BACKSTOP_CANCEL_FEE_PCT=1
# Default OFFENDER refund policy on an admin takedown/ban when the request omits
# one: none = forfeit, prorata = unused time back. Innocent backstoppers are
# always refunded in full regardless of this.
REFUND_POLICY=prorata

# DEFAULT_TTL_DAYS — in v1 this is only the DEFAULT duration when a /reserve omits
# hours_requested (the authoritative timer is the claim's expiry_ts). Accepts
# FRACTIONS (parseFloat) for fast sweeper testing. 1440 minutes in a day:
#   0.001 day  ≈ 1.44 min   (good for sweeper test, sweeper runs every 60s)
#   0.01 day   ≈ 14.4 min
#   0.5 day    = 12 hours
#   7          = production default
DEFAULT_TTL_DAYS=7
MAX_FILE_SIZE_MB=10

# ─── Backend selection (v0.1 = kubo only) ────────────────────────────────────
BACKEND=kubo
KUBO_API_URL=http://kubo:5001

# Kubo DHT mode. v0.1 default = 'none' (private hosting, CID not announced to
# public IPFS network — only ipfs-gate's gateway serves it). Trade-off:
# more privacy, less resilience. Set to 'client' or 'server' to enable DHT.
KUBO_DHT_MODE=none

# ─── Quota ───────────────────────────────────────────────────────────────────
DISK_LIMIT_GB=5
RESERVATION_TTL_MIN=5
RESERVATION_PER_ACCOUNT_MAX=3

# ─── Network ─────────────────────────────────────────────────────────────────
PORT=3001
# BIND_HOST must be 0.0.0.0 when running under docker-compose so the nginx
# container can reach ipfs-gate over the internal docker network.
# 127.0.0.1 only works if you're running outside Docker (e.g. local dev).
# The container is still isolated — only nginx can reach it; the outside world
# only sees ports 80/443 from nginx.
BIND_HOST=0.0.0.0
# v0.1 allows any origin (public API). Tighten in v0.2 to e.g. v4call.com.
CORS_ORIGIN=*

# Public-facing base URL of the gateway. Returned to clients in the /upload
# response's gateway_url field. MUST be the URL that v4call (or any other
# client) renders for end-users to fetch the ciphertext via /ipfs/<cid>.
# REQUIRED in production — without this you get https://ipfs.localhost in
# client bubbles, which downloads nothing.
PUBLIC_GATEWAY_BASE=https://ipfs.your-domain.com

# v0.1.4 — Cache-Control max-age (seconds) on /ipfs/:cid responses. Browsers
# honour this; during dev/testing keep it short (e.g. 3600 = 1h) so pin expiry
# is observable without incognito tricks. Production default 86400 (1 day).
# Don't go higher than your shortest expected TTL — otherwise users see stale
# (already-expired) content from cache.
GATEWAY_CACHE_MAX_AGE=86400

# ─── Hive API ────────────────────────────────────────────────────────────────
# Blank uses the built-in fallback list:
#   api.hive.blog, api.deathwing.me, hive-api.arcange.eu,
#   api.openhive.network, techcoderx.com
HIVE_API=
PAYMENT_VERIFY_RETRIES=5
PAYMENT_VERIFY_DELAY_MS=3000
SIDECHAIN_CONFIRM_DELAY_MS=5000

# ─── Rate limiting ───────────────────────────────────────────────────────────
RATE_LIMIT_RESERVE_PER_MIN=30
RATE_LIMIT_UPLOAD_PER_MIN=30
# v0.2 — signed user-API endpoints (/uploads/by-user, /uploads/delete)
RATE_LIMIT_USER_API_PER_MIN=60

# ─── Signed user requests (v0.2 uploads tab) ─────────────────────────────────
# Freshness window (seconds) for the timestamp embedded in signed list/delete
# requests. Requests outside ±this are rejected as replay. 300 = 5 min.
SIGNED_REQUEST_MAX_SKEW_SEC=300

# ─── Database ────────────────────────────────────────────────────────────────
DB_PATH=/app/data/ipfs-gate.db