.env.example
## Local quickstart
# You can start locally with zero config:
# docker compose up --build
#
# For a real site, the main knob you usually need is ALLOWED_HOSTS.
# Everything below has safe local defaults unless noted otherwise.
# NOTE(review): read "safe" as "safe for a loopback-only development run".
# API_BEARER_TOKEN, AUTH_STATE_ENCRYPTION_KEY and REQUIRE_OPERATOR_ID ship
# blank/false in this file; set them before the API or noVNC is reachable from
# another machine.
APP_ENV=development
API_PORT=8000
# noVNC / VNC ports. TAKEOVER_URL below points at the noVNC page, so anyone who
# can reach these ports can presumably drive the browser - keep them on
# loopback or behind an authenticated tunnel.
NOVNC_PORT=6080
VNC_PORT=5900
# Blank in the example. Presumably a blank token leaves the API without bearer
# authentication - confirm against the controller. Use a long random value and
# never commit the filled-in .env.
API_BEARER_TOKEN=
BROWSER_WIDTH=1280
BROWSER_HEIGHT=800
BROWSER_URL=about:blank
# Going by the name, this file holds the browser's WebSocket endpoint. Such an
# endpoint normally grants full control of the browser, so treat the file and
# the /data volume as sensitive - TODO confirm what is written here.
BROWSER_WS_ENDPOINT_FILE=/data/browser-profile/browser-ws-endpoint.txt
# Plain http on loopback. If this is ever pointed at a non-local host, use
# https or a tunnel so the takeover session is not sent in clear text.
TAKEOVER_URL=http://127.0.0.1:6080/vnc.html?autoconnect=true&resize=scale
REMOTE_ACCESS_INFO_PATH=/data/tunnels/reverse-ssh.json
REMOTE_ACCESS_STALE_AFTER_SECONDS=45
# example.com is a placeholder. NOTE(review): presumably this is the allow-list
# of hosts a session may visit (CONTROLLER_ALLOWED_HOSTS is a separate setting)
# - confirm, and keep the list as narrow as the deployment allows.
ALLOWED_HOSTS=example.com,localhost,127.0.0.1,::1
# Session limits and action pacing.
MAX_SESSIONS=1
# Uploads require approval by default; leave this on unless every caller of the
# API is trusted to send local files to remote sites.
REQUIRE_APPROVAL_FOR_UPLOADS=true
# NOTE(review): traces may record page content and typed input - confirm what
# is captured and where it is stored before using real credentials.
ENABLE_TRACING=true
TYPING_DELAY_MS=20
ACTION_TIMEOUT_MS=15000
# Request rate limiting: going by the names, 120 requests per 60-second window,
# with MAX_BUCKETS presumably capping how many clients are tracked at once.
REQUEST_RATE_LIMIT_ENABLED=true
REQUEST_RATE_LIMIT_REQUESTS=120
REQUEST_RATE_LIMIT_WINDOW_SECONDS=60
REQUEST_RATE_LIMIT_MAX_BUCKETS=4096
# These paths bypass the rate limiter. NOTE(review): exempt from rate limiting
# is not the same as exempt from authentication - confirm that /artifacts,
# /metrics and the API docs still require the bearer token when one is set.
REQUEST_RATE_LIMIT_EXEMPT_PATHS=/healthz,/readyz,/docs,/openapi.json,/redoc,/artifacts,/metrics
# Cleanup and retention. 168 hours is 7 days; shorten the AUTH/UPLOAD windows
# if stored login state or uploaded files should not linger that long.
CLEANUP_ON_STARTUP=true
CLEANUP_INTERVAL_SECONDS=3600
ARTIFACT_RETENTION_HOURS=168
UPLOAD_RETENTION_HOURS=168
AUTH_RETENTION_HOURS=168
# Browser connection and model request retry settings.
CONNECT_RETRIES=60
CONNECT_RETRY_DELAY_SECONDS=1
MODEL_REQUEST_TIMEOUT_SECONDS=60
MODEL_MAX_RETRIES=2
MODEL_RETRY_BACKOFF_SECONDS=1
# Storage locations under /data. Approval, audit, witness and session records
# live here, so restrict filesystem access to the volume accordingly.
APPROVAL_ROOT=/data/approvals
AUDIT_ROOT=/data/audit
WITNESS_ROOT=/data/witness
STATE_DB_PATH=
# NOTE(review): presumably older audit events are dropped past this count -
# confirm, and export audit data elsewhere if it must be retained.
AUDIT_MAX_EVENTS=10000
JOB_STORE_ROOT=/data/jobs
SESSION_STORE_ROOT=/data/sessions
# Blank by default. If a Redis URL is set, use an authenticated (and where
# available TLS, rediss://) endpoint; session data would be stored there.
REDIS_URL=
SESSION_STORE_REDIS_PREFIX=auto_browser:sessions
AGENT_JOB_WORKER_COUNT=1
# Saved auth state. With the key blank and REQUIRE_AUTH_STATE_ENCRYPTION=false,
# stored login state is presumably written unencrypted - confirm. For real
# accounts, set a randomly generated key (kept out of version control) and set
# REQUIRE_AUTH_STATE_ENCRYPTION=true so that a missing key is not silently
# tolerated.
AUTH_STATE_ENCRYPTION_KEY=
REQUIRE_AUTH_STATE_ENCRYPTION=false
AUTH_STATE_MAX_AGE_HOURS=72
# Witness settings (local records under WITNESS_ROOT, optional remote endpoint).
WITNESS_ENABLED=true
WITNESS_PROTECTION_MODE_DEFAULT=normal
# Remote witness endpoint and credentials; blank disables it, going by the
# defaults. The API key is a secret - never commit a filled-in copy.
WITNESS_REMOTE_URL=
WITNESS_REMOTE_API_KEY=
WITNESS_REMOTE_TENANT_ID=
WITNESS_REMOTE_TIMEOUT_SECONDS=0.75
# Keep TLS verification on. Turning it off would let anyone on the network path
# impersonate the witness service and read the API key.
WITNESS_REMOTE_VERIFY_TLS=true
# NOTE(review): with false, confidential sessions presumably proceed when the
# remote witness is unreachable (fail-open) - confirm, and set true if remote
# witnessing is a hard requirement.
WITNESS_REMOTE_REQUIRED_FOR_CONFIDENTIAL=false
# OCR settings.
OCR_ENABLED=true
OCR_LANGUAGE=eng
OCR_MAX_BLOCKS=20
OCR_TEXT_LIMIT=1200
# Operator identity is read from these request headers. Headers are supplied by
# the client, so they identify an operator only if a trusted proxy sets them
# and strips any client-sent copies - NOTE(review): confirm how the controller
# treats them. REQUIRE_OPERATOR_ID=false means requests without an id are
# presumably accepted.
OPERATOR_ID_HEADER=X-Operator-Id
OPERATOR_NAME_HEADER=X-Operator-Name
REQUIRE_OPERATOR_ID=false
# NOTE(review): confirm whether a blank list means "no browser origins allowed"
# or "no Origin check" before exposing the MCP endpoint.
MCP_ALLOWED_ORIGINS=
# Loopback names only by default; add a hostname only for a deployment that is
# meant to be reached under that name.
CONTROLLER_ALLOWED_HOSTS=localhost,127.0.0.1,::1
MCP_TOOL_PROFILE=curated
# /metrics is also listed in REQUEST_RATE_LIMIT_EXEMPT_PATHS; check that it is
# not reachable by untrusted clients.
METRICS_ENABLED=true
# Session isolation. The default value name suggests all sessions share one
# browser node - NOTE(review): confirm whether cookies and profile data are
# shared between sessions in this mode.
SESSION_ISOLATION_MODE=shared_browser_node
# ":latest" is a floating tag; pin a version or digest for reproducible,
# reviewable deployments.
ISOLATED_BROWSER_IMAGE=auto-browser-browser-node:latest
ISOLATED_BROWSER_CONTAINER_PREFIX=browser-session
ISOLATED_BROWSER_WAIT_TIMEOUT_SECONDS=45
ISOLATED_BROWSER_KEEP_CONTAINERS=false
# Loopback binds and plain http are paired here. If either host is changed to a
# non-local address, switch the scheme to https or front it with a tunnel.
ISOLATED_BROWSER_BIND_HOST=127.0.0.1
ISOLATED_TAKEOVER_HOST=127.0.0.1
ISOLATED_TAKEOVER_SCHEME=http
ISOLATED_TAKEOVER_PATH=/vnc.html?autoconnect=true&resize=scale
ISOLATED_BROWSER_NETWORK=
ISOLATED_HOST_DATA_ROOT=
# Access to a Docker daemon is effectively root on the host that runs it. Point
# this only at a daemon dedicated to browser containers, over an authenticated
# transport.
ISOLATED_DOCKER_HOST=
# Per-session SSH tunnel (off by default).
ISOLATED_TUNNEL_ENABLED=false
ISOLATED_TUNNEL_HOST=
ISOLATED_TUNNEL_PORT=22
ISOLATED_TUNNEL_USER=
# Private key and pinned host keys. Keep the key file readable only by the
# controller user, and leave strict host key checking at "yes" so a changed or
# unknown server key is rejected instead of trusted.
ISOLATED_TUNNEL_KEY_PATH=/data/ssh/id_ed25519
ISOLATED_TUNNEL_KNOWN_HOSTS_PATH=/data/ssh/known_hosts
ISOLATED_TUNNEL_STRICT_HOST_KEY_CHECKING=yes
# Remote side binds to loopback; the port range below is 16181-16240.
ISOLATED_TUNNEL_REMOTE_BIND_ADDRESS=127.0.0.1
ISOLATED_TUNNEL_REMOTE_PORT_START=16181
ISOLATED_TUNNEL_REMOTE_PORT_END=16240
ISOLATED_TUNNEL_SERVER_ALIVE_INTERVAL=30
ISOLATED_TUNNEL_SERVER_ALIVE_COUNT_MAX=3
ISOLATED_TUNNEL_INFO_INTERVAL_SECONDS=10
ISOLATED_TUNNEL_STARTUP_GRACE_SECONDS=1
# "private" by default. NOTE(review): if a public host is configured, the
# default public scheme is http - use https so takeover traffic is encrypted.
ISOLATED_TUNNEL_ACCESS_MODE=private
ISOLATED_TUNNEL_PUBLIC_HOST=
ISOLATED_TUNNEL_PUBLIC_SCHEME=http
# Optional override. By default the controller tunnels directly to the isolated
# browser container over the Docker network instead of hairpinning through a host-published port.
ISOLATED_TUNNEL_LOCAL_HOST=host.docker.internal
ISOLATED_TUNNEL_INFO_ROOT=/data/tunnels/sessions
# Model providers. The *_API_KEY values are secrets: fill them in only in your
# local .env, never in this example file, and keep .env out of version control.
# NOTE(review): requests sent to the *_BASE_URL endpoints presumably carry page
# content from the browser session - override them only with endpoints you
# trust.
OPENAI_API_KEY=
OPENAI_BASE_URL=https://api.openai.com/v1
OPENAI_MODEL=gpt-4.1-mini
OPENAI_AUTH_MODE=api
OPENAI_CLI_PATH=codex
OPENAI_CLI_MODEL=
# Unix socket path for the host bridge. NOTE(review): whoever can open this
# socket can presumably use the host's CLI session - confirm and restrict its
# permissions.
OPENAI_HOST_BRIDGE_SOCKET=/data/host-bridge/codex.sock
ANTHROPIC_API_KEY=
ANTHROPIC_BASE_URL=https://api.anthropic.com/v1
ANTHROPIC_VERSION=2023-06-01
CLAUDE_MODEL=claude-sonnet-4-20250514
VISION_MODEL=claude-haiku-4-5-20251001
CLAUDE_AUTH_MODE=api
CLAUDE_CLI_PATH=claude
CLAUDE_CLI_MODEL=
GEMINI_API_KEY=
GEMINI_BASE_URL=https://generativelanguage.googleapis.com/v1beta
GEMINI_MODEL=gemini-2.5-flash
GEMINI_AUTH_MODE=api
GEMINI_CLI_PATH=gemini
GEMINI_CLI_MODEL=
CLI_HOME=/data/cli-home
# Optional: when using docker-compose.host-subscriptions.yml, point this at the
# host home that already contains your signed-in CLI state.
# That directory holds live credentials for the signed-in CLIs, and this
# setting exposes them to the container. Prefer a dedicated account or home
# that contains only the CLI state that is needed. /home/youruser is a
# placeholder.
CLI_HOST_HOME=/home/youruser
# Optional reverse-SSH profile for private remote access.
# Start with: docker compose --profile reverse-ssh up --build
# The controller will read REMOTE_ACCESS_INFO_PATH and automatically prefer the
# tunnel's public_takeover_url/public_api_url when that metadata file exists.
REVERSE_SSH_HOST=
REVERSE_SSH_PORT=22
REVERSE_SSH_USER=
# Private key and pinned host keys for the tunnel. Keep the key file readable
# only by the tunnel process, and leave strict host key checking at "yes" so an
# unknown or changed server key is rejected.
REVERSE_SSH_KEY_PATH=/ssh/id_ed25519
REVERSE_SSH_KNOWN_HOSTS_PATH=/ssh/known_hosts
REVERSE_SSH_STRICT_HOST_KEY_CHECKING=yes
# The forwarded API (18000) and noVNC (16080) ports bind to loopback on the
# remote host. REVERSE_SSH_ALLOW_NONLOCAL_BIND=false further down presumably
# refuses any other bind address - confirm; binding to a public interface would
# expose the API and the takeover UI on that host.
REVERSE_SSH_REMOTE_BIND_ADDRESS=127.0.0.1
REVERSE_SSH_REMOTE_API_PORT=18000
REVERSE_SSH_REMOTE_NOVNC_PORT=16080
REVERSE_SSH_SERVER_ALIVE_INTERVAL=30
REVERSE_SSH_SERVER_ALIVE_COUNT_MAX=3
REVERSE_SSH_INFO_INTERVAL_SECONDS=15
REVERSE_SSH_STALE_AFTER_SECONDS=45
REVERSE_SSH_ALLOW_NONLOCAL_BIND=false
# "private" by default. If public URLs are configured, note that the default
# public scheme is http; use https so the bearer token and the takeover session
# are not sent in clear text.
REVERSE_SSH_ACCESS_MODE=private
REVERSE_SSH_PUBLIC_HOST=
REVERSE_SSH_PUBLIC_SCHEME=http
REVERSE_SSH_PUBLIC_API_URL=
REVERSE_SSH_PUBLIC_TAKEOVER_URL=
# Interaction pacing
HUMAN_TYPING_MIN_DELAY_MS=40
HUMAN_TYPING_MAX_DELAY_MS=130
# Proxy routing (optional — per-session override also supported in POST /sessions)
# The values shown are placeholders. Real proxy credentials are secrets; keep
# them only in the local .env.
# DEFAULT_PROXY_SERVER=http://proxy-host:port
# DEFAULT_PROXY_USERNAME=user
# DEFAULT_PROXY_PASSWORD=pass
# Storage roots (rarely need changing when using docker-compose volumes)
# ARTIFACT_ROOT=/data/artifacts
# UPLOAD_ROOT=/data/uploads
# AUTH_ROOT=/data/auth
# Viewport defaults for new sessions
# DEFAULT_VIEWPORT_WIDTH=1280
# DEFAULT_VIEWPORT_HEIGHT=800
# Approval workflow
# APPROVAL_TTL_MINUTES=15
# MCP session persistence
# MCP_SESSION_STORE_PATH=/data/mcp/sessions.json
# Browser fingerprint / stealth
# STEALTH_ENABLED=true
# USER_AGENT_POOL=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...
# Approval webhooks (optional — called when a tool needs human approval)
# "your-hmac-secret" is a placeholder: generate a long random secret, keep the
# URL on https, and have the receiver verify the signature before acting.
# APPROVAL_WEBHOOK_URL=https://your-server.example.com/hooks/approval
# APPROVAL_WEBHOOK_SECRET=your-hmac-secret
# Perception preset for /observe (fast | normal | rich)
# PERCEPTION_PRESET_DEFAULT=normal
# SSE keepalive interval in seconds (prevents proxy timeouts)
# SSE_KEEPALIVE_SECONDS=15.0
# Proxy persona file — JSON map of named proxy configs
# NOTE(review): if the persona file carries proxy credentials, protect it like
# the .env itself.
# PROXY_PERSONA_FILE=/data/proxy-personas.json
# PII scrubbing (all on by default)
# Pattern-based scrubbing reduces what reaches screenshots and logs but cannot
# be assumed to catch every secret; treat stored artifacts as sensitive anyway.
# PII_SCRUB_ENABLED=true
# PII_SCRUB_SCREENSHOT=true
# PII_SCRUB_NETWORK=true
# PII_SCRUB_CONSOLE=true
# PII_SCRUB_PATTERNS= # blank = all 16 built-in pattern classes
# PII_SCRUB_REPLACEMENT=[REDACTED]
# PII_SCRUB_AUDIT_REPORT=true
# Network inspector
# With CAPTURE_BODIES on, request and response bodies (which can include
# credentials and session tokens) are retained up to BODY_MAX_BYTES each.
# Disable body capture when working with real accounts unless it is needed.
# NETWORK_INSPECTOR_ENABLED=true
# NETWORK_INSPECTOR_MAX_ENTRIES=500
# NETWORK_INSPECTOR_CAPTURE_BODIES=true
# NETWORK_INSPECTOR_BODY_MAX_BYTES=16384
# CDP connect mode — attach to an existing Chrome (--remote-debugging-port)
# Chrome's remote debugging port has no authentication and gives full control
# of that browser and its profile; keep it on loopback and never attach to a
# browser that holds personal sessions you would not hand to the agent.
# CDP_CONNECT_URL=http://localhost:9222
# Shadow browsing — allow flipping headless→headed mid-session for debugging
# SHADOW_BROWSE_ENABLED=true
# Cron / webhook trigger store
# CRON_STORE_PATH=/data/crons/crons.json
# CRON_MAX_JOBS=50
# Shared session links (HMAC-signed observer tokens)
# "your-secret-here" is a placeholder. Anyone who knows this secret can
# presumably mint valid share links, so use a long random value, keep the TTL
# short, and rotate the secret to invalidate outstanding links.
# SHARE_TOKEN_SECRET=your-secret-here
# SHARE_TOKEN_TTL_MINUTES=60
# ── New settings ────────────────────────────────────────────
# Logging
# DEBUG output may include request details; avoid it on deployments that handle
# real credentials. NOTE(review): not every env-file loader strips a trailing
# "# ..." comment from a value - if LOG_LEVEL is rejected, move the list of
# levels onto its own comment line.
LOG_LEVEL=INFO # DEBUG, INFO, WARNING, ERROR
# Compliance Templates
# COMPLIANCE_TEMPLATE=HIPAA # HIPAA | SOC2 | GDPR | PCI-DSS
# COMPLIANCE_MANIFEST_PATH=/data/compliance-manifest.json
# Agent Memory Profiles
# Enabled by default and stored under /data/memory. NOTE(review): memory may
# retain content from visited pages across sessions - confirm what is stored
# and how it is expired.
MEMORY_ROOT=/data/memory
MEMORY_ENABLED=true
# ── auto-browser 1.0 ─────────────────────────────────────────────────────────
# Mesh (peer-to-peer delegation; off by default)
# NOTE(review): the identity directory presumably holds this node's key
# material and peers.json the peers it trusts - confirm, restrict access to
# both, and review the peer list before enabling.
# MESH_ENABLED=false
# MESH_IDENTITY_DIR=/data/mesh/identity
# MESH_PEERS_PATH=/data/mesh/peers.json
# MESH_TIMESTAMP_WINDOW=30
# Stealth (humanized browser actions; off by default)
# off — raw Playwright speed
# light — timing jitter + Bézier mouse (recommended)
# aggressive — full fingerprint noise + tight human mimicry
# STEALTH_PROFILE=off
# Workflow engine
# WORKFLOWS_ROOT=/data/workflows
# Skills Curator
# CURATOR_PROVIDER=claude # claude | openai | gemini
# CURATOR_MODEL= # override default model per provider
# SKILLS_STAGING_ROOT=/data/skills-staging
# Set one of these to enable curator synthesis; otherwise curator runs in raw-skill passthrough mode.
# These three names also appear uncommented earlier in this file; set each key
# in one place only so it is clear which value is in effect.
# ANTHROPIC_API_KEY=
# OPENAI_API_KEY=
# GEMINI_API_KEY=
# Social platform clients (API-based; leave blank to disable)
# All of the following are long-lived account credentials. Use accounts and
# tokens scoped to this tool, keep them only in the local .env or a secret
# store, and revoke them when the integration is no longer used.
# YOUTUBE_CLIENT_ID=
# YOUTUBE_CLIENT_SECRET=
# YOUTUBE_REFRESH_TOKEN=
# INSTAGRAM_ACCESS_TOKEN=
# INSTAGRAM_USER_ID=
# REDDIT_CLIENT_ID=
# REDDIT_CLIENT_SECRET=
# REDDIT_USERNAME=
# REDDIT_PASSWORD=
# X_API_KEY=
# X_API_SECRET=
# X_ACCESS_TOKEN=
# X_ACCESS_SECRET=
# Veo 3 (Vertex AI video generation; requires gcloud CLI auth)
# GOOGLE_APPLICATION_CREDENTIALS is a path to a credentials file; use a service
# account limited to the roles this feature needs and keep the file out of the
# image and the repository.
# GOOGLE_CLOUD_PROJECT=
# VERTEX_LOCATION=us-central1
# GOOGLE_APPLICATION_CREDENTIALS=