# SPDX-FileCopyrightText: 2026 AOT Technologies
#
# SPDX-License-Identifier: Apache-2.0
#
# Sample environment for the node-wire connectors. Every value in this file is a
# placeholder: copy it to a local .env, fill in real values there, and keep that copy
# out of version control (it carries API keys, private keys and passwords).
# Commented-out KEY=VALUE lines show optional settings and the defaults described next to them.
# Epic FHIR
EPIC_FHIR_BASE_URL=https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4
EPIC_TOKEN_URL=https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token
EPIC_CLIENT_ID=your-epic-client-id
# EPIC_KID / EPIC_PRIVATE_KEY: the key pair registered with Epic for this client id.
# The kid + private key pairing suggests a signed-JWT client assertion — confirm against the connector.
EPIC_KID=your-epic-kid
# PEM kept on one line inside double quotes with newlines written as \n; the dotenv
# loader is assumed to unescape them — verify with the reader you use before relying on it.
EPIC_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
# Cerner FHIR
# Same shape as the Epic block: tenant-scoped base/token URLs, a client id and a signing key.
CERNER_FHIR_BASE_URL=https://fhir-ehr-code.cerner.com/r4/your-tenant-id
CERNER_TOKEN_URL=https://authorization.cerner.com/tenants/your-tenant-id/protocols/oauth2/profiles/smart-v1/token
CERNER_CLIENT_ID=your-cerner-client-id
CERNER_KID=your-cerner-kid
# PEM on one line with \n escapes, as for EPIC_PRIVATE_KEY.
CERNER_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
# System scopes requested at the token endpoint. Trim this list to what the deployment
# actually uses — DocumentReference.write is only needed if documents are created or updated.
CERNER_SCOPES="system/Patient.read system/Encounter.read system/DocumentReference.read system/DocumentReference.write"
# Google Drive
# Path to the service-account key file. It is a long-lived credential: restrict its
# filesystem permissions to the service user and never commit it.
GOOGLE_DRIVE_SA_JSON=/absolute/path/to/service-account.json
# Target folder id the connector works in.
GOOGLE_DRIVE_FOLDER_ID=your-google-drive-folder-id
# Auth profile: service_account (default) or upstream_bearer (MCP OIDC per-user Drive)
# upstream_bearer appears to act with the calling user's own Drive identity instead of the
# shared service account — the option to prefer when access must be attributable per user.
# GOOGLE_DRIVE_AUTH_PROVIDER=service_account
# GOOGLE_DRIVE_AUTH_PROVIDER=upstream_bearer
# SMTP
SMTP_HOST=smtp.gmail.com
# 587 is the mail-submission port; with SMTP_USE_TLS=true the connector presumably
# upgrades via STARTTLS — confirm in the SMTP connector before pointing at a 465/implicit-TLS relay.
SMTP_PORT=587
SMTP_USE_TLS=true
SMTP_USERNAME=your-email@gmail.com
# Use a provider-issued app password, never the account password. Placeholder only.
SMTP_PASSWORD=your-gmail-app-password
# Optional production allowlist: only these relay hostnames are permitted (comma-separated).
# Nothing here states what happens when it is unset; set it explicitly in production so a
# changed SMTP_HOST cannot redirect outbound mail to an arbitrary relay.
# NW_SMTP_ALLOWED_HOSTS=smtp.gmail.com,sandbox.smtp.mailtrap.io
# Stripe (optional / legacy demo)
# sk_test_ prefix marks a Stripe test-mode key; keep live keys out of shared samples.
STRIPE_API_KEY=sk_test_your_key_here
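# Slack
# No whitespace around "=": strict dotenv readers (docker --env-file, shell `source`)
# reject or mangle a key that contains a space, so the setting would silently not apply.
NW_SLACK_API_BASE_URL=https://slack.com/api
# NW_SLACK_SKIP_RESOLVE: its effect is not described in this file — check the Slack
# connector before changing it.
NW_SLACK_SKIP_RESOLVE=true
# Bot Token from https://api.slack.com/apps (Bot Token Scopes: chat:write, files:write, im:write)
# Placeholder only; the real xoxb- token is a secret and belongs in an untracked .env.
SLACK_BOT_TOKEN=xoxb-your-token-here
# Optional: sandboxed directory for filesystem-based file uploads (default /slack_attachments)
# NW_SLACK_ATTACHMENTS_DIR=/slack_attachments
# Optional: per-file upload size cap in MB (default 50, hard max 100)
# NW_SLACK_UPLOAD_LIMIT_MB=50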
# Outbound MCP OAuth (node-wire as OAuth client to remote HTTP MCP servers)
# When NW_MCP_OAUTH_ENABLED=true, ToolHive/playground use McpOAuthClient instead of static tokens.
# NW_MCP_OAUTH_ENABLED=false
# NW_MCP_SERVER_URL=https://mcp.example.com/mcp
# NW_MCP_OAUTH_USER_ID=default-user
# NW_MCP_OAUTH_SCOPES=
# NW_MCP_OAUTH_CLIENT_ID=
# The client secret is a credential: supply it only from an untracked .env or a secret store.
# NW_MCP_OAUTH_CLIENT_SECRET=
# loopback = local HTTP redirect listener, intended for interactive development logins.
# NW_MCP_OAUTH_REDIRECT_MODE=loopback
# Production: HTTPS configured-url only (disables HTTP loopback)
# NW_MCP_OAUTH_PRODUCTION=true
# NW_MCP_OAUTH_REDIRECT_MODE=configured-url
# The redirect URL must match the one registered with the authorization server exactly.
# NW_MCP_OAUTH_REDIRECT_URL=https://app.example.com/oauth/mcp/callback
# NW_MCP_OAUTH_TOKEN_STORE=os-keychain
# Legacy static token bypasses OAuth when set:
# Leave TOOLHIVE_MCP_BEARER_TOKEN unset when OAuth is enabled; a set value takes precedence
# and the OAuth settings above are then not used.
# TOOLHIVE_MCP_BEARER_TOKEN=...
# ToolHive
# Single-server (backward compatible)
# Replace PORT with the proxy's real port. Plain http is acceptable only for a localhost proxy.
TOOLHIVE_MCP_URL=http://localhost:PORT/mcp
# Multi-server (preferred for per-connector MCP servers)
# List format (comma-separated?) is not documented here — check the ToolHive client.
TOOLHIVE_MCP_URLS=
# Optional MCP auth credentials sent by the ToolHive client to MCP server
# TOOLHIVE_MCP_API_KEY=replace-with-your-mcp-api-key
# TOOLHIVE_MCP_BEARER_TOKEN=replace-with-jwt-or-api-key
# When false (recommended for demos), proxy errors are returned to UI directly.
# Set true to allow proxy failure fallback to local stdio MCP.
PLAYGROUND_AGENT_PROXY_FALLBACK_TO_STDIO=false
# Cap MCP tool JSON size sent back to the LLM (Groq on-demand TPM); default 12000
# TOOLHIVE_MAX_TOOL_RESULT_CHARS=12000
# Stream buffering window in milliseconds (default: 0 = no buffering).
# Set to e.g. 2000 for a 2-second batching window on streamed results.
NW_STREAM_BUFFER_MS=0
# Native MCP Transport (for agents.mcp_entrypoint and per-connector MCP servers)
# -----------------------------------------------------------------------------
# NW_MCP_TRANSPORT: Selects the communication layer.
# - stdio: (Default) Required for ToolHive proxying and Claude Desktop.
# - streamable-http: Native HTTP/SSE transport for direct web integration.
# This sample opts into the HTTP transport; the code default is stdio.
NW_MCP_TRANSPORT=streamable-http
# NW_MCP_HOST defaults to 127.0.0.1 in code; set 0.0.0.0 only when exposing beyond localhost.
# Before binding to 0.0.0.0, make sure MCP auth is enforced (NW_MCP_AUTH_DISABLED unset,
# NW_MCP_API_KEY and/or NW_MCP_JWT_SECRET set). No TLS settings for this transport exist in
# this file, so terminate TLS at a reverse proxy in front of it.
NW_MCP_HOST=127.0.0.1
NW_MCP_PATH=/mcp
# NW_MCP_PORT: The port used only when NW_MCP_TRANSPORT=streamable-http.
# - Default: 8081 in local demos. Ensure it does not conflict with REST API (port 8000).
NW_MCP_PORT=8081
# LLM Provider
# Selects the active provider block below; presumably only that provider's key is
# required — confirm. Tool output is sent to the selected provider, so choose one
# approved for the data the connectors handle (PHI for the FHIR connectors).
LLM_PROVIDER=groq
# Groq (recommended default — fast & free tier available)
GROQ_API_KEY=your-groq-api-key
GROQ_MODEL=llama3-8b-8192
# OpenAI (optional)
OPENAI_API_KEY=your-openai-api-key
OPENAI_MODEL=gpt-4o-mini
# Google Gemini (optional)
GEMINI_API_KEY=your-gemini-api-key
GEMINI_MODEL=gemini-2.5-flash
# Anthropic / Claude (optional)
ANTHROPIC_API_KEY=your-anthropic-api-key
ANTHROPIC_MODEL=claude-3-5-haiku-20241022
# MCP auth — NW_MCP_AUTH_DISABLED=true disables auth (local dev only), matching
# NW_REST_AUTH_DISABLED / NW_GRPC_AUTH_DISABLED. The default (unset) ENFORCES auth.
# For production, omit this and set NW_MCP_API_KEY (and/or NW_MCP_JWT_SECRET).
# (The legacy NW_MCP_AUTH_ENABLED flag is deprecated; it now honours its literal
# meaning — NW_MCP_AUTH_ENABLED=false disables auth — and logs a warning.)
# NW_MCP_AUTH_DISABLED=true
# Generate with a CSPRNG (32+ random bytes, hex/base64-encoded); do not reuse the same
# value for the REST or gRPC bindings.
NW_MCP_API_KEY=replace-with-strong-random-value
# API key scopes (JSON array or space/comma-separated). Empty = no scopes; use "*" only for explicit full access.
# Wildcard API keys intentionally bypass per-action scope checks.
# With the deny default set below, a key carrying no scopes is refused on every scoped
# action — grant the specific scopes the caller needs rather than "*".
# NW_MCP_API_KEY_SCOPES=["mcp:smtp.send_email","mcp:http_generic.request"]
# NW_MCP_API_KEY_SCOPES=mcp:smtp.send_email mcp:http_generic.request
# HS256 shared secret: anyone holding it can mint valid tokens. Use at least 32 random
# bytes and rotate it like a password.
NW_MCP_JWT_SECRET=replace-with-hs256-secret
# Required when any binding uses a JWT secret (MCP / REST / gRPC). Tokens must include exp, iat, aud, iss.
NW_JWT_AUDIENCE=node-wire
NW_JWT_ISSUER=https://your-idp.example.com
# Optional per-tool scope map; when unset, scope enforcement uses default mode below.
# NW_MCP_ACTION_SCOPE_MAP_JSON={"smtp.send_email":"mcp:smtp.send_email"}
# Code default is deny when NW_MCP_SCOPE_POLICY_DEFAULT is unset (fail-closed).
# Recommended production baseline (explicit):
NW_MCP_SCOPE_POLICY_DEFAULT=deny
# Optional strict guardrail: fail startup if scope policy would be effectively disabled.
# NW_MCP_SCOPE_POLICY_STRICT=true
# Use allow only for local experimentation:
# NW_MCP_SCOPE_POLICY_DEFAULT=allow
# Example for FHIR + Google Drive policy gating:
# NW_MCP_ACTION_SCOPE_MAP_JSON={"fhir_epic.read_patient":"mcp:fhir.read_patient","fhir_cerner.read_patient":"mcp:fhir.read_patient","google_drive.files.upload":"mcp:gdrive.files.upload"}
# Scope hook applies to MCP, REST, and gRPC when caller identity is present.
# Missing identity on scoped actions is denied (no bypass). Local dev with auth disabled
# should set NW_MCP_SCOPE_POLICY_DEFAULT=allow or grant scopes on dev API keys.
# ToolHive bearer token is sent to MCP as Authorization + X-API-Key + _meta aliases.
# TOOLHIVE_MCP_BEARER_TOKEN=<jwt-with-required-scopes>
# REST auth for Playground demo (disable for local UI testing)
# NW_REST_AUTH_DISABLED=true
# Presumably makes the REST process read this .env at startup — confirm. Where the
# environment is injected by the orchestrator this can stay unset.
NW_REST_LOAD_DOTENV=true
# REST API key scopes (same format as NW_MCP_API_KEY_SCOPES). Empty = no scopes unless JWT carries scopes.
# NW_REST_API_KEY_SCOPES=["mcp:smtp.send_email"]
# Note: this sample sets no REST credential line itself; NW_REST_JWT_SECRET is only
# referenced below. Add the REST API key / JWT secret variables your deployment uses.
# REST JWTs (NW_REST_JWT_SECRET): claims sub, tenant_id, scopes propagate to connector.run(..., principal, tenant_id, scopes) for ScopePolicyHook
# gRPC auth (MODE=GRPC)
# Same credential model as MCP: API key with optional scopes, or an HS256 JWT secret.
# NW_GRPC_API_KEY=replace-with-strong-random-value
# NW_GRPC_API_KEY_SCOPES=["mcp:smtp.send_email"]
# NW_GRPC_JWT_SECRET=replace-with-hs256-secret
# Local development only, as for NW_MCP_AUTH_DISABLED.
# NW_GRPC_AUTH_DISABLED=true
# Server certificate and private key for TLS on the gRPC listener.
# NW_GRPC_TLS_CERT_PATH=/path/to/cert.pem
# NW_GRPC_TLS_KEY_PATH=/path/to/key.pem
# Set NW_GRPC_REQUIRE_TLS=true whenever NW_GRPC_HOST is not loopback; without TLS the
# API keys and JWTs above cross the network in cleartext.
# NW_GRPC_REQUIRE_TLS=true
# Bind host: defaults to 127.0.0.1 (local only), matching NW_MCP_HOST. Set to
# :: (or 0.0.0.0) to expose gRPC on all interfaces for remote access.
# NW_GRPC_HOST=::
# MCP contract (optional; Google Drive legacy payload `action: "upload"`)
# warn = accept the legacy payload and log; reject = refuse it.
# NODE_WIRE_LEGACY_GDRIVE_ACTION_UPLOAD=warn
# NODE_WIRE_LEGACY_GDRIVE_ACTION_UPLOAD=reject
# REST rate limiting: at most MAX_REQUESTS per WINDOW_SECONDS for each tracked identity.
NW_REST_RATE_LIMIT_ENABLED=true
NW_REST_RATE_LIMIT_MAX_REQUESTS=120
NW_REST_RATE_LIMIT_WINDOW_SECONDS=60
# Cap distinct per-identity buckets and evict idle keys (prevents unbounded memory growth).
NW_REST_RATE_LIMIT_MAX_TRACKED_KEYS=10000
NW_REST_RATE_LIMIT_KEY_TTL_SECONDS=3600
# Honor X-Forwarded-For only when set to trusted reverse-proxy depth (0 = ignore XFF).
# Raise this only when a reverse proxy you control really sits in front: with no such
# proxy, a client can put any address in X-Forwarded-For and evade or poison per-IP limits.
NW_REST_TRUSTED_PROXY_HOPS=0
# NW_REST_TRUSTED_PROXY_HOPS=1
# Request-body cap (10 MiB shown). Whether a cap applies when unset is not stated here.
# NW_REST_MAX_BODY_BYTES=10485760
# Resilience & Timeout Configurations
# NW_TIMEOUT: presumably seconds (float) — confirm against the connector code.
# NW_TIMEOUT=30.0
# Circuit breaker: open after FAIL_MAX consecutive failures, retry after RESET_TIMEOUT.
# AOT_CIRCUIT_BREAKER_FAIL_MAX=5
# AOT_CIRCUIT_BREAKER_RESET_TIMEOUT=30
# Plugin allowlist (fail-closed secure default)
# Add connector entry point names here to allow them to be loaded.
# Remove the connectors a deployment does not use so they cannot be loaded at all.
NW_ALLOWED_CONNECTORS=fhir_cerner,fhir_epic,google_drive,http_generic,salesforce,slack,smtp,stripe
# Salesforce CRM
SALESFORCE_INSTANCE_URL=https://your-instance.my.salesforce.com
SALESFORCE_TOKEN_URL=https://login.salesforce.com/services/oauth2/token
SALESFORCE_CLIENT_ID=your-client-id
# Client secret and refresh token are long-lived credentials; the refresh token alone
# can mint access tokens, so store both as secrets, not in this sample.
SALESFORCE_CLIENT_SECRET=your-client-secret
SALESFORCE_REFRESH_TOKEN=your-refresh-token
# Playwright playground headed execution - set to "true" to view the browser and its activities
PLAYGROUND_HEADED=false
# -----------------------------------------------------------------------------
# Playground Integration Tests (pytest tests/playground/)
# -----------------------------------------------------------------------------
# These identify test fixtures in the external services; they are not secrets but should
# point at dedicated test accounts/channels, never production data.
# Google Drive Playground Tests
GDRIVE_TEST_RECIPIENT_EMAIL=your-gdrive-test-recipient-email
# Stripe Playground Tests
STRIPE_TEST_CUSTOMER_ID=your-stripe-test-customer-id
STRIPE_TEST_PRICE_ID=your-stripe-test-price-id
# Slack Playground Tests
# Unquoted "#" here starts the value, not a comment, because it follows "=" directly —
# verify your dotenv reader agrees, or quote the value.
SLACK_TEST_CHANNEL=#your-slack-test-channel
SLACK_TEST_USER_ID=your-slack-test-user-id
SLACK_TEST_CHANNEL_ID=your-slack-test-channel-id