125 lines
5.3 KiB
Plaintext
125 lines
5.3 KiB
Plaintext
# === Server Port ===
|
|
# Port the Next.js server listens on (dev and production)
|
|
# PORT=3000
|
|
|
|
# === Authentication ===
|
|
# On first run, visit http://localhost:3000/setup to create your admin account.
|
|
# Alternatively, set AUTH_USER/AUTH_PASS to seed an admin from env (useful for CI/automation).
|
|
# AUTH_USER=admin
|
|
# AUTH_PASS=your-strong-password-here
|
|
# If your password includes "#", use base64: AUTH_PASS_B64=<base64-encoded-password>
|
|
# Example: echo -n 'my#password' | base64
|
|
|
|
# API key for headless/external access (x-api-key header)
|
|
# Auto-generated on first run if not set. Persisted to .data/.auto-generated.
|
|
# API_KEY=
|
|
|
|
# Primary gateway defaults (used by /api/gateways seeding if DB is empty)
|
|
MC_DEFAULT_GATEWAY_NAME=primary
|
|
|
|
# Session cookie behavior
|
|
# - In production, cookies default to secure=true unless overridden.
|
|
# - SameSite defaults to "strict".
|
|
MC_COOKIE_SECURE=
|
|
MC_COOKIE_SAMESITE=strict
|
|
|
|
# Network access control (middleware)
|
|
# In production, access is blocked unless the host is explicitly allowed.
|
|
# Patterns supported:
|
|
# - Exact hosts: "app.example.com"
|
|
# - Subdomains: "*.example.com"
|
|
# - Prefix wildcard: "100.*" (useful for Tailscale IPs)
|
|
MC_ALLOW_ANY_HOST=
|
|
MC_ALLOWED_HOSTS=localhost,127.0.0.1
|
|
|
|
# Trusted reverse proxy / header authentication
|
|
# When set, Mission Control reads the named header for the authenticated username
|
|
# and resolves (or auto-provisions) the MC user without requiring a password.
|
|
# Only enable this when MC is deployed behind a trusted gateway that injects the
|
|
# header from a verified identity (e.g. Envoy OIDC claimToHeaders: email → X-User-Email).
|
|
# MC users must be created with their email address as the username.
|
|
# MC_PROXY_AUTH_HEADER=X-User-Email
|
|
# Role assigned to auto-provisioned users (viewer | operator | admin). Leave unset
|
|
# to require an admin to create accounts manually before users can access via proxy auth.
|
|
# MC_PROXY_AUTH_DEFAULT_ROLE=viewer
|
|
|
|
# Google OAuth client IDs for Google Sign-In approval workflow
|
|
# Create in Google Cloud Console (Web application) and set authorized origins/redirects
|
|
GOOGLE_CLIENT_ID=
|
|
NEXT_PUBLIC_GOOGLE_CLIENT_ID=
|
|
|
|
# Legacy cookie auth (backward compat, can be removed once all clients use session auth)
|
|
# Auto-generated on first run if not set. Persisted to .data/.auto-generated.
|
|
# AUTH_SECRET=
|
|
|
|
# Coordinator identity (used for coordinator chat status replies and comms UI)
|
|
MC_COORDINATOR_AGENT=coordinator
|
|
NEXT_PUBLIC_COORDINATOR_AGENT=coordinator
|
|
|
|
# === 1Password Integration (optional) ===
|
|
# Vault name for 1Password CLI pulls (used by Integrations panel)
|
|
OP_VAULT_NAME=default
|
|
|
|
# === OpenClaw Integration ===
|
|
# Path to .openclaw home directory (required for memory browser, gateway config, logs)
|
|
OPENCLAW_HOME=
|
|
# Optional: explicitly point at openclaw.json
|
|
# OPENCLAW_CONFIG_PATH=
|
|
|
|
# Gateway connection (used by frontend WebSocket)
|
|
OPENCLAW_GATEWAY_HOST=127.0.0.1
|
|
OPENCLAW_GATEWAY_PORT=18789
|
|
# Optional: token used by server-side gateway calls
|
|
OPENCLAW_GATEWAY_TOKEN=
|
|
# Tools profile used when Mission Control spawns sessions via sessions_spawn.
|
|
# OpenClaw 2026.3.2+ defaults to "messaging" if omitted.
|
|
OPENCLAW_TOOLS_PROFILE=coding
|
|
|
|
# Frontend env vars (NEXT_PUBLIC_ prefix = available in browser)
|
|
NEXT_PUBLIC_GATEWAY_HOST=
|
|
NEXT_PUBLIC_GATEWAY_PORT=18789
|
|
NEXT_PUBLIC_GATEWAY_PROTOCOL=
|
|
NEXT_PUBLIC_GATEWAY_URL=
|
|
# Do not expose gateway tokens via NEXT_PUBLIC_* variables.
|
|
# Keep gateway auth secrets server-side only (OPENCLAW_GATEWAY_TOKEN / GATEWAY_TOKEN).
|
|
# Gateway client id used in websocket handshake (role=operator UI client).
|
|
NEXT_PUBLIC_GATEWAY_CLIENT_ID=openclaw-control-ui
|
|
# Gateway optional mode: set to 'true' if deploying on VPS with firewall blocking WebSocket ports.
|
|
# In optional mode, Mission Control runs standalone; core CRUD features work but live gateway events do not.
|
|
# NEXT_PUBLIC_GATEWAY_OPTIONAL=false
|
|
|
|
# === Data Paths (all optional, defaults to .data/ in project root) ===
|
|
# MISSION_CONTROL_DATA_DIR=.data
|
|
# MISSION_CONTROL_DB_PATH=.data/mission-control.db
|
|
# MISSION_CONTROL_TOKENS_PATH=.data/mission-control-tokens.json
|
|
|
|
# === OpenClaw Paths (derived from OPENCLAW_HOME if not set) ===
|
|
# OPENCLAW_LOG_DIR=/path/to/.openclaw/logs
|
|
# OPENCLAW_MEMORY_DIR=/path/to/.openclaw/memory
|
|
#
|
|
# NOTE: OpenClaw does NOT store agent memory markdown files under OPENCLAW_HOME/memory/.
|
|
# That directory does not exist by default. Agent memory lives in each agent's workspace
|
|
# (e.g. ~/clawd-agents/{agent}/memory/). Point this at your agents root to make the
|
|
# Memory Browser useful:
|
|
# OPENCLAW_MEMORY_DIR=/home/you/clawd-agents
|
|
# OPENCLAW_SOUL_TEMPLATES_DIR=/path/to/.openclaw/templates/souls
|
|
# OPENCLAW_BIN=openclaw
|
|
|
|
# === Super Admin / Provisioning (optional) ===
|
|
# Path to this repo root, needed if you use the super-admin provisioning helpers.
|
|
# MISSION_CONTROL_REPO_ROOT=/path/to/mission-control
|
|
# Template openclaw.json used to seed new tenant state (required for tenant bootstrap).
|
|
# MC_SUPER_TEMPLATE_OPENCLAW_JSON=/path/to/openclaw.json
|
|
# Base path used for provisioned linux user homes (default: /home)
|
|
# MC_TENANT_HOME_ROOT=/home
|
|
# Workspace directory name under each tenant user home (default: workspace)
|
|
# MC_TENANT_WORKSPACE_DIRNAME=workspace
|
|
|
|
# === Data Retention (days, 0 = keep forever) ===
|
|
# MC_RETAIN_ACTIVITIES_DAYS=90
|
|
# MC_RETAIN_AUDIT_DAYS=365
|
|
# MC_RETAIN_LOGS_DAYS=30
|
|
# MC_RETAIN_NOTIFICATIONS_DAYS=60
|
|
# MC_RETAIN_PIPELINE_RUNS_DAYS=90
|
|
# MC_RETAIN_TOKEN_USAGE_DAYS=90
|