# Example environment for a local development deployment. Copy to .env and
# fill in real values; never commit the populated .env — it holds database
# credentials, provider API keys and the webhook/auth secrets below.
# PostgreSQL (e.g. docker compose up -d)
# The user/password pair below is a throwaway local default: use a unique
# password and a role limited to this database for any instance reachable
# from outside localhost.
DATABASE_URL="postgresql://codetrust:codetrust@localhost:5432/codetrust"
# Optional: async analysis (BullMQ). Start Redis and run `npm run worker`.
# The Redis URL below is unauthenticated on loopback; if Redis is reachable
# from other hosts, require a password (a redis:// URL can carry credentials)
# and keep it off public interfaces.
# REDIS_URL="redis://127.0.0.1:6379"
# USE_ASYNC_ANALYSIS="false"
# Optional: fetch PR files from GitHub (needs repo scope for private repos)
# Scope the token as narrowly as the enabled features allow (read access to
# the repos being analyzed; write access on pull requests only when PR or
# inline comments are posted) and prefer a bot/service account over a
# personal account's token.
GITHUB_TOKEN=""
# Post analysis as a PR comment (default on). Set false to disable.
# GITHUB_POST_PR_COMMENT="false"
# When risky_block: open/update PR summary + inline comments only for RISKY or
# BLOCK (SAFE/INCONCLUSIVE skip new threads; reruns still update stored bot
# comment). Default all (comment every run).
# GITHUB_PR_COMMENT_POLICY="risky_block"
# Post a GitHub Check Run (Checks tab) with verdict + summary. Requires a
# token that can create check runs on the repo. Default off.
# NOTE: GitHub restricts creating check runs to GitHub App credentials; a
# personal access token is usually not enough — verify the token type against
# GitHub's Checks API docs before enabling this.
# GITHUB_POST_CHECK_RUN="true"
# Load CONTRIBUTING.md (+ first-level linked docs) for LLM context and
# optional guideline-based PR description checks. Default on; set false to skip.
# ENABLE_CONTRIBUTING_GUIDELINES="false"
# Deterministic PR title/body hygiene (empty title, generic title, empty
# description). Default on; set false to skip.
# ENABLE_PR_HYGIENE_CHECKS="false"
# Comma-separated substrings: if the PR body contains any (case-insensitive),
# the webhook skips auto-analyze (Jacquez-style "aside" escape hatch).
# Example: aside,noci
# Anyone who can open a PR can write these markers into its body, so this
# skip is a convenience, not a security control; leave it empty on repos
# where every PR must be analyzed, and review skipped deliveries in the logs.
# GITHUB_WEBHOOK_SKIP_BODY_MARKERS=""
# Also attach each diff-line finding as an inline review comment on the PR
# (default on, requires GITHUB_TOKEN). Set false to suppress inline comments
# and only post the summary.
# GITHUB_POST_INLINE_REVIEW_COMMENTS="false"
# AI reasoning pass (second layer). Omit all three to run rules-only
# analysis (result page will show INCONCLUSIVE for clean PRs).
#
# Enabling this sends the PR content the analyzer gathers (the diff, plus
# CONTRIBUTING context when that is loaded) to the configured provider;
# confirm that is acceptable for private repositories before setting a key.
# OPENAI_BASE_URL receives the API key on every request, so point it only at
# an HTTPS endpoint you trust.
#
# Works with ANY OpenAI-compatible provider by setting OPENAI_BASE_URL.
# Pick whichever you can afford / get access to:
#
# OpenAI (paid):
# OPENAI_API_KEY="sk-..."
# OPENAI_MODEL="gpt-4o-mini" # default when no base URL
#
# Groq (free tier, fast, recommended if you have no OpenAI budget):
# OPENAI_API_KEY="gsk_..." # from https://console.groq.com/keys
# OPENAI_BASE_URL="https://api.groq.com/openai/v1"
# # OPENAI_MODEL defaults to llama-3.3-70b-versatile on Groq
#
# OpenRouter (some free models):
# OPENAI_API_KEY="sk-or-..."
# OPENAI_BASE_URL="https://openrouter.ai/api/v1"
#
# Together AI (free tier):
# OPENAI_API_KEY="..."
# OPENAI_BASE_URL="https://api.together.xyz/v1"
#
# OPENAI_API_KEY=""
# OPENAI_BASE_URL=""
# OPENAI_MODEL=""
# ENABLE_LLM="false"
# GitHub OAuth (Sign in with GitHub). Callback: http://localhost:3000/api/auth/callback/github
# AUTH_SECRET must be a high-entropy random value unique to this deployment;
# generate it the same way as GITHUB_WEBHOOK_SECRET below and rotate it if it
# is ever exposed. AUTH_URL must be the public origin users sign in at, and
# the callback URL above must be registered exactly on the GitHub OAuth app.
# AUTH_SECRET=""
# AUTH_GITHUB_ID=""
# AUTH_GITHUB_SECRET=""
# AUTH_URL="http://localhost:3000"
# Webhook: POST /api/github/webhook — shared secret used to verify
# incoming deliveries from GitHub. Required for the "Auto-analyze"
# toggle on /connect: when a user flips it on, we install a webhook
# on their repo configured with this exact secret. Generate once:
# node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# Hooks are installed with this exact value, so rotating it means every
# installed hook must be re-registered. Whether the endpoint rejects or
# accepts deliveries when this is unset is not stated here — confirm it
# rejects before exposing the route.
# GITHUB_WEBHOOK_SECRET=""
# Public URL of this deployment — used as the webhook target when we
# register hooks on user repos. On Vercel we auto-detect from
# VERCEL_PROJECT_PRODUCTION_URL; set APP_URL explicitly if you run
# behind a custom domain or in a non-Vercel host.
# Use the exact public HTTPS origin: a stale or wrong value registers hooks
# on user repos that deliver to the wrong host.
# APP_URL="https://codetrust.example.com"
# Rate limit for POST /api/analyze (per IP). Set false to disable.
# Disabling this leaves /api/analyze (and any LLM spend behind it) open to
# unbounded use. Behind a proxy or CDN, confirm the limiter derives the
# client address from a trusted forwarding header rather than the proxy's
# own address — how it does so is not visible from this file.
# RATE_LIMIT_ENABLED="true"
# RATE_LIMIT_MAX="60"
# Max combined bytes of source fed into the analyzer. Default 1_500_000 (1.5 MB).
# Raise for very large PRs; clamped to 100_000 .. 50_000_000.
# Raising this raises per-request memory use and, with the LLM pass enabled,
# likely per-request provider cost as well.
# ANALYZE_MAX_TOTAL_BYTES="1500000"