.env.example
# Example environment for starknet-keyring-proxy (the Redis key prefixes below
# name the service). Every value in this file is a development placeholder;
# replace each one before running anywhere other than a local, loopback-only setup.
NODE_ENV=development
PORT=8545
HOST=127.0.0.1
# Transport mode: http (default) or https
# NOTE(review): with http the HMAC-signed requests travel in plaintext; that is
# tolerable only while HOST stays on loopback. Use https for anything else.
KEYRING_TRANSPORT=http
# TLS cert/key are required when KEYRING_TRANSPORT=https
# KEYRING_TLS_CERT_PATH=./certs/server.crt
# KEYRING_TLS_KEY_PATH=./certs/server.key
# Require mutual TLS client cert validation (production)
# If true, KEYRING_TRANSPORT must be https and KEYRING_TLS_CA_PATH is required
KEYRING_MTLS_REQUIRED=false
# CA bundle used to validate client certificates when KEYRING_MTLS_REQUIRED=true
# KEYRING_TLS_CA_PATH=./certs/ca.crt
# In NODE_ENV=production:
# - KEYRING_TRANSPORT must be https
# - KEYRING_MTLS_REQUIRED must be true
# - KEYRING_ALLOW_INSECURE_IN_PROCESS_KEYS_IN_PRODUCTION must be true
# (temporary explicit acknowledgement until external KMS/HSM signer mode is enabled)
# Presumably this acknowledgement applies to the in-process `local` signer
# (KEYRING_SIGNER_PROVIDER below) only — confirm against the server's config checks.
KEYRING_ALLOW_INSECURE_IN_PROCESS_KEYS_IN_PRODUCTION=false
LOG_LEVEL=info
# Backward-compatible single-client HMAC secret
# (ignored when KEYRING_AUTH_CLIENTS_JSON is set to a non-empty value)
# Use at least 32 random bytes (64 hex chars) from a CSPRNG.
# Example: openssl rand -hex 32
# `change_me` is a placeholder, not a secret: it is far below the minimum stated
# above and is identical for everyone who copies this file. Replace it.
KEYRING_HMAC_SECRET=change_me
# Default client id used when request omits X-Keyring-Client-Id
KEYRING_DEFAULT_AUTH_CLIENT_ID=default
# Preferred multi-client config: one entry per caller, each with its own
# hmacSecret and the key ids it may use (allowedKeyIds). The hmacSecret values
# in the example are placeholders; presumably each must meet the same CSPRNG
# requirement as KEYRING_HMAC_SECRET — confirm.
# KEYRING_AUTH_CLIENTS_JSON=[{"clientId":"mcp-default","hmacSecret":"not-a-real-hmac-secret-change-me-0001","allowedKeyIds":["default"]},{"clientId":"mcp-ops","hmacSecret":"not-a-real-hmac-secret-change-me-0002","allowedKeyIds":["ops"]}]
KEYRING_AUTH_CLIENTS_JSON=
# Maximum allowed clock skew in milliseconds for signed requests (30000 = 30 s)
KEYRING_MAX_SKEW_MS=30000
# Nonce replay window in milliseconds (120000 = 2 min)
# NOTE(review): keep this at or above the full skew acceptance window
# (2 x KEYRING_MAX_SKEW_MS) so a nonce is still remembered for as long as the
# request carrying it could be accepted — confirm the verifier enforces this.
KEYRING_NONCE_TTL_MS=120000
# Replay store backend: memory (dev/single-node) or redis (prod/multi-node)
# The memory store is per-process, so a replay sent to a different instance
# cannot be detected; use redis whenever more than one instance runs.
KEYRING_REPLAY_STORE=memory
# Required when KEYRING_REPLAY_STORE=redis
# In production use rediss:// (TLS) and authenticated Redis.
# KEYRING_REDIS_URL=rediss://localhost:6379
# Key prefix for nonce entries stored in Redis
KEYRING_REDIS_NONCE_PREFIX=starknet-keyring-proxy:nonce:
# Rate limiting (recommended for production; disabled here for local development)
KEYRING_RATE_LIMIT_ENABLED=false
# Rate limiter backend: memory or redis
KEYRING_RATE_LIMIT_BACKEND=memory
# Window length (60000 = 1 min) and the maximum number of requests allowed per window
KEYRING_RATE_LIMIT_WINDOW_MS=60000
KEYRING_RATE_LIMIT_MAX_REQUESTS=120
# Key prefix for rate-limit counters stored in Redis
KEYRING_REDIS_RATE_LIMIT_PREFIX=starknet-keyring-proxy:ratelimit:
# Leak scanner (recommended for production; disabled here for local development)
KEYRING_LEAK_SCANNER_ENABLED=false
# Action taken when the scanner detects a leak: block or warn
KEYRING_LEAK_SCANNER_ACTION=block
# Maximum allowed validUntil horizon (seconds from now; 86400 = 24 h)
KEYRING_MAX_VALIDITY_WINDOW_SEC=86400
# Optional comma-separated chain-id allowlist (hex or decimal felt values)
# Example Sepolia + Mainnet (the hex values are the ASCII encodings of
# "SN_SEPOLIA" and "SN_MAIN"):
# KEYRING_ALLOWED_CHAIN_IDS=0x534e5f5345504f4c4941,0x534e5f4d41494e
# Empty here; as the setting is optional, presumably no chain-id restriction
# is applied in that case — confirm.
KEYRING_ALLOWED_CHAIN_IDS=
# Signer profile and provider mode
# Accepted values for these four settings are not listed in this file; check
# the server's configuration validation before changing them.
KEYRING_SECURITY_PROFILE=flex
KEYRING_SIGNER_PROVIDER=local
KEYRING_SIGNER_FALLBACK_PROVIDER=none
KEYRING_SESSION_SIGNATURE_MODE=v2_snip12
# DFNS signer mode (required when KEYRING_SIGNER_PROVIDER=dfns)
# KEYRING_DFNS_SIGNER_URL=https://dfns-signer.internal/sign
# KEYRING_DFNS_AUTH_TOKEN=replace-me
# KEYRING_DFNS_USER_ACTION_SIGNATURE=replace-me
# KEYRING_DFNS_TIMEOUT_MS=7000
# Fail-closed key pinning by keyId: presumably maps each key id to the public
# key expected from the remote signer, with mismatches rejected — confirm.
# KEYRING_DFNS_PINNED_PUBKEYS_JSON={"default":"0x...","ops":"0x..."}
# Optional startup preflight (recommended in production)
# KEYRING_DFNS_PREFLIGHT_ON_STARTUP=true
# KEYRING_DFNS_PREFLIGHT_TIMEOUT_MS=3000
# Default key id when request payload omits `keyId`
KEYRING_DEFAULT_KEY_ID=default
# Preferred multi-key config (the 0x1/0x2 private keys are placeholders):
# KEYRING_SIGNING_KEYS_JSON=[{"keyId":"default","privateKey":"0x1"},{"keyId":"ops","privateKey":"0x2"}]
KEYRING_SIGNING_KEYS_JSON=
# Backward-compatible single key mode (used if KEYRING_SIGNING_KEYS_JSON is empty)
# Generate with a secure wallet/HSM flow; do not commit real keys.
# SESSION_PRIVATE_KEY=0x...
# 0x1 is a development placeholder only; a real key belongs in a local,
# untracked environment file or a secret manager, never in this example file.
SESSION_PRIVATE_KEY=0x1
# Optional explicit public key assertion (hex 0x...)
# SESSION_PUBLIC_KEY=0x0