.env.example
# Local development placeholders only. Do not commit real secrets.
# Every value below is a placeholder or a public endpoint. Real values belong in an
# untracked env file or a secret manager, never in this example file.

# Issuer identity used for signing.
# ISSUER_PRIVATE_JWK_JSON carries the EC P-256 private scalar ("d"): treat it as a signing
# key, keep it out of version control and logs, and rotate it if it is ever exposed.
# ISSUER_PUBLIC_JWK_JSON is presumably the public half of the same key pair ("d" removed)
# - confirm against the loader.
ISSUER_DID=did:example:issuer
ISSUER_PRIVATE_JWK_JSON='{"kty":"EC","crv":"P-256","x":"<x>","y":"<y>","d":"<private-d>"}'
ISSUER_PUBLIC_JWK_JSON='{"kty":"EC","crv":"P-256","x":"<x>","y":"<y>"}'
# Local SQLite database locations.
# NOTE(review): both paths look relative; confirm which directory they resolve against and
# that the resulting files are git-ignored so local attestation data is not committed.
DB_PATH=attestations.sqlite
DATABASE_URL="file:./prisma/dev.db"
# Supabase aliases for apps/api Postgres (optional)
# Replace <project-ref>, <region> and [password] (brackets included) with real values, and
# percent-encode any special characters in the password. Keep sslmode=require so the
# connection is encrypted in transit.
# NOTE(review): these values are unquoted and contain < > [ ] ? characters. That is only
# safe if the file is read by a dotenv-style parser and never sourced by a shell - confirm.
SUPABASE_DB_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
SUPABASE_POOLER_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
SUPABASE_DIRECT_URL=postgresql://postgres:[password]@db.<project-ref>.supabase.co:5432/postgres?sslmode=require
# Optional helper if using Supabase CLI pooler URL discovery from `supabase/.temp/pooler-url`.
# This is a database credential: handle it like the connection URLs above.
SUPABASE_DB_PASSWORD=replace-with-supabase-db-password
PORT=3000
# apps/api security controls
# Comma-separated API keys allowed to call protected routes.
# The example value is a label, not a secret. Outside local development use long, randomly
# generated keys and deliver them through a secret store.
API_KEYS=example_local_key_id
# Optional per-key scope mapping. Scopes: verify|read|anchor|revoke
# Format: key1=verify|read;key2=read|revoke
# Grant each key only the scopes it needs. The example gives one key all four scopes for
# local convenience.
API_KEY_SCOPES=example_local_key_id=verify|read|anchor|revoke
# Optional default scopes applied when a key is omitted in API_KEY_SCOPES.
# NOTE(review): as written, a key missing from API_KEY_SCOPES would receive every scope,
# including anchor and revoke. Prefer a minimal default outside local development.
# NOTE(review): the separator here is "," while API_KEY_SCOPES uses "|" between scopes -
# confirm which one the parser expects for this variable.
API_KEY_DEFAULT_SCOPES=verify,read,anchor,revoke
# Revocation signature verification.
# Format: issuer-id=0xIssuerAddress;issuer-2=0xAnotherAddress
# The all-zero address is a placeholder. NOTE(review): confirm the service rejects it
# instead of accepting it as a configured signer.
REVOCATION_ISSUERS=issuer-dev=0x0000000000000000000000000000000000000000
# Allowed timestamp skew (milliseconds) for x-signature-timestamp on revoke requests.
# 300000 ms = 5 minutes. A wider window extends how long a captured signed request stays
# acceptable; keep it as small as clock drift allows. Whether replays inside the window
# are also rejected (nonce or request-id tracking) is not visible here - TODO confirm.
REVOCATION_SIGNATURE_MAX_SKEW_MS=300000
# CORS and rate limiting hardening.
# Comma-separated browser origins allowed by CORS.
# List exact origins only (scheme, host and port); use https origins outside local development.
CORS_ALLOWLIST=http://localhost:3000
# NOTE(review): the window value is unquoted and contains a space; confirm the loader keeps
# "1 minute" intact. The two maxima are presumably request counts per window, overall and
# per API key - confirm units against the rate-limiter setup.
RATE_LIMIT_WINDOW=1 minute
RATE_LIMIT_GLOBAL_MAX=600
RATE_LIMIT_API_KEY_MAX=120
# Free registry adapter sources (optional overrides)
# Override these only with trusted https endpoints. Presumably the downloaded lists feed
# screening decisions, so a substituted or plain-http source would undermine the results - confirm.
OFAC_SDN_URL=https://www.treasury.gov/ofac/downloads/sdn.csv
OFAC_SLS_URL=https://www.treasury.gov/ofac/downloads/non-sdn.csv
OFAC_SSI_URL=https://www.treasury.gov/ofac/downloads/ssi.csv
OIG_LEIE_URL=https://oig.hhs.gov/exclusions/downloadables/UPDATED.csv
SAM_EXCLUSIONS_URL=https://api.sam.gov/entity-information/v2/entities
# SAM_API_KEY is a credential: keep the real value out of version control and logs.
SAM_API_KEY=replace-with-sam-api-key
UK_SANCTIONS_CSV_URL=https://sanctionslist.fcdo.gov.uk/docs/UK-Sanctions-List.csv
BIS_ENTITY_LIST_URL=https://media.bis.gov/sites/default/files/documents/entity-list.csv
BIS_UNVERIFIED_LIST_URL=https://media.bis.gov/sites/default/files/documents/unverified-list.csv
BIS_MEU_LIST_URL=https://media.bis.gov/sites/default/files/documents/military-end-user-list.csv
US_CSL_CSV_URL=https://data.trade.gov/downloadable_consolidated_screening_list/v1/consolidated.csv
NPPES_NPI_API_URL=https://npiregistry.cms.hhs.gov/api/
SEC_EDGAR_TICKERS_URL=https://www.sec.gov/files/company_tickers.json
FDIC_BANKFIND_URL=https://banks.data.fdic.gov/api/institutions
# Presumably sent as the User-Agent header on registry requests - confirm.
# NOTE(review): unquoted value with spaces and parentheses; see the shell-sourcing caveat above.
REGISTRY_USER_AGENT=TrustSignal-RegistryAdapter/1.0 (compliance@trustsignal.dev)
# Both values are in milliseconds, per the _MS suffix.
REGISTRY_FETCH_TIMEOUT_MS=15000
REGISTRY_PROVIDER_COOLDOWN_MS=300
# NOTE(review): internal hostname. Confirm the endpoint is reachable only from trusted
# networks and that calls to it are authenticated.
ZK_ORACLE_URL=https://zk-oracle.internal/registry-jobs
# TrustSignal Fastify API auth + Polygon Mumbai anchor
# Single active key (legacy compatibility).
# Replace with a high-entropy random value. NOTE(review): confirm the service refuses to
# start while a "replace-with-..." placeholder is still configured.
TRUSTSIGNAL_JWT_SECRET=replace-with-strong-random-secret
# Key rotation list, comma-separated, newest key first.
# Drop a previous key from the list once every token signed with it has expired, so a
# retired secret stops being accepted.
TRUSTSIGNAL_JWT_SECRETS=replace-with-active-key,replace-with-previous-key
# ZKP backend selection. Use `external` in production with an isolated prover/verifier binary.
# `dev-only` is the local default and is not meant for production.
TRUSTSIGNAL_ZKP_BACKEND=dev-only
# Optional zero-trust prover/verifier process hooks used when TRUSTSIGNAL_ZKP_BACKEND=external.
# Current bootstrap binary: `circuits/non_mem_gadget/target/release/zkp_service`
# These presumably name executables the API launches: point them only at binaries you
# built or verified, in a location untrusted users cannot write to - confirm.
TRUSTSIGNAL_ZKP_PROVER_BIN=
TRUSTSIGNAL_ZKP_VERIFIER_BIN=
# NOTE(review): confirm that more verbose levels do not log API keys, JWTs or key material.
LOG_LEVEL=info
# Testnet anchoring. Use a dedicated testnet wallet for POLYGON_MUMBAI_PRIVATE_KEY and
# never reuse a key that controls mainnet funds.
POLYGON_MUMBAI_RPC_URL=https://rpc-mumbai.maticvigil.com
POLYGON_MUMBAI_PRIVATE_KEY=0xyour_mumbai_testnet_private_key