pediatric-ai-scribe-v3/.env.example
Daniel 263bd1a1c7 Security hardening: PHI encryption, argon2, DOMPurify, SRI
- App-layer AES-256-GCM crypto helper (src/utils/crypto.js)
- Nextcloud tokens encrypted at rest; transparent migration on next use
- Audio backups encrypted at rest (version byte 0x01 envelope); legacy
  rows still decrypt as-is until overwritten
- argon2id password hashing via src/utils/passwords.js with bcrypt
  fallback; bcrypt hashes rehashed to argon2id on next successful login.
  argon2 package is optional — server keeps running with bcrypt only
  until npm install adds the native dep
- PHI redactor for audit log details (src/utils/redact.js) — strips SSN,
  phone, email, DoB, long IDs; caps at 500 chars; detects note bodies
- DOMPurify (cdnjs, SRI-pinned) replaces custom regex sanitizer in
  Learning Hub content rendering
- SRI integrity hashes added for Font Awesome CSS and Chart.js
- Magic-byte file-type verification on document uploads
  (src/utils/fileType.js)
- Generic 500 error responses via src/utils/errors.js applied to
  nextcloud and audioBackups; full detail still logged server-side
- DATA_ENCRYPTION_KEY env documented in .env.example

Deploy: requires rebuild of the container image to pick up the new
files and `npm install` (adds argon2). Existing users keep working
because bcrypt stays available and crypto helpers pass through
plaintext when the key is not yet set in dev.
2026-04-14 02:49:38 +02:00

166 lines
6.4 KiB
Text

# ============================================================
# AI PROVIDER (choose one)
# ============================================================
# Option 1: OpenRouter (default, cheapest, NOT HIPAA)
AI_PROVIDER=openrouter
OPENROUTER_API_KEY=sk-or-v1-your-key
# Option 2: AWS Bedrock (HIPAA compliant with BAA)
# AI_PROVIDER=bedrock
# AWS_BEDROCK_REGION=us-east-1
# AWS_ACCESS_KEY_ID=AKIA...
# AWS_SECRET_ACCESS_KEY=...
# (Or use IAM role — no keys needed if running on EC2/ECS)
# Option 3: Azure OpenAI (HIPAA compliant with BAA)
# AI_PROVIDER=azure
# AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com
# AZURE_OPENAI_API_KEY=your-key
# AZURE_DEPLOYMENT_NAME=gpt-4o-mini
# AZURE_OPENAI_API_VERSION=2024-02-01
# Option 4: Google Vertex AI (HIPAA compliant with BAA)
# AI_PROVIDER=vertex
# GOOGLE_VERTEX_PROJECT=your-gcp-project-id
# GOOGLE_VERTEX_LOCATION=us-central1
# GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
# (Or use default credentials if running on GCE/GKE/Cloud Run)
#
# Google STT — Gemini inline audio (auto-detected when GOOGLE_VERTEX_PROJECT set)
# TRANSCRIBE_PROVIDER=google
# GOOGLE_STT_MODEL=gemini-2.0-flash # or gemini-2.5-flash for better accuracy
#
# Google TTS — Google Cloud Text-to-Speech (auto-detected when GOOGLE_VERTEX_PROJECT set)
# TTS_PROVIDER=google
# GOOGLE_TTS_VOICE=en-US-Journey-F # female | en-US-Journey-D = male
# Other options: en-US-Studio-O, en-US-Neural2-C, en-US-Neural2-J
# Option 5: LiteLLM Proxy (self-hosted, routes to any provider)
# AI_PROVIDER=litellm
# LITELLM_API_BASE=http://localhost:4000
# LITELLM_API_KEY=sk-litellm-your-key
# Admin can discover available models via the admin panel
#
# LiteLLM Speech-to-Text
# TRANSCRIBE_PROVIDER=litellm
# LITELLM_STT_MODEL=whisper-1 # Use the model name from your LiteLLM model_list
# If your LiteLLM config uses full paths as model names, use the full path:
# LITELLM_STT_MODEL=openai/whisper-1
# NOTE: vertex_ai/chirp does NOT work via LiteLLM audio proxy.
# For Vertex AI speech, use TRANSCRIBE_PROVIDER=google (Gemini inline audio).
#
# LiteLLM TTS
# TTS_PROVIDER=litellm (auto-detected when LITELLM_API_BASE set)
# LITELLM_TTS_MODEL=tts-1 # Use model name from your LiteLLM model_list
# If your config uses full paths: LITELLM_TTS_MODEL=vertex_ai/google-tts
# LITELLM_TTS_VOICE=en-US-Journey-F # Google Cloud voice name (or alloy/nova for OpenAI)
# ============================================================
# TRANSCRIPTION (speech-to-text)
# ============================================================
# Option A: OpenAI Whisper (default if no AWS configured)
OPENAI_API_KEY=sk-your-openai-key
# Option B: Amazon Transcribe (HIPAA eligible, no S3 needed)
# Uses same AWS credentials as Bedrock above.
# Set TRANSCRIBE_PROVIDER=aws to force AWS even if OPENAI_API_KEY is set.
# Leave unset to auto-detect (uses AWS when AWS_BEDROCK_REGION is configured).
# TRANSCRIBE_PROVIDER=aws
# Option C: Local Whisper (privacy-first, no cloud API needed)
# Requires whisper.cpp or faster-whisper installed on the server.
# TRANSCRIBE_PROVIDER=local
# WHISPER_MODEL_SIZE=small # tiny, base, small, medium, large
# WHISPER_BINARY=whisper-cpp # or: whisper, faster-whisper
# WHISPER_MODEL_PATH= # custom path to .bin model file
# WHISPER_LANGUAGE=en
# WHISPER_THREADS=4 # defaults to CPU count - 1
# Amazon Transcribe Medical — better accuracy for clinical dictation
# Knows drug names, diagnoses, procedures, SOAP terminology
# HIPAA eligible (ensure your AWS account has a BAA)
# AWS_TRANSCRIBE_MEDICAL=true
# AWS_TRANSCRIBE_SPECIALTY=PRIMARYCARE
# Other options: CARDIOLOGY, NEUROLOGY, ONCOLOGY, RADIOLOGY, UROLOGY
# Optional
ELEVENLABS_API_KEY=
# Push Notifications (ntfy — self-hosted, optional)
# NTFY_URL=https://ntfy.yourdomain.com
# NTFY_TOKEN=tk_your_token_here
# App
PORT=3000
APP_URL=https://your-domain.com
# Cloudflare Turnstile (anti-bot on registration, optional)
# TURNSTILE_SITE_KEY=your-site-key
# TURNSTILE_SECRET_KEY=your-secret-key
JWT_SECRET=generate-a-random-64-char-string-here
# Application-layer encryption key for PHI at rest (Nextcloud tokens, audio backups)
# Generate with: openssl rand -hex 32
# REQUIRED in production. Rotating invalidates existing encrypted data.
DATA_ENCRYPTION_KEY=generate-with-openssl-rand-hex-32
# Email (for verification & password reset)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASS=your-app-password
SMTP_FROM=noreply@yourdomain.com
# Nextcloud (optional)
NEXTCLOUD_URL=https://cloud.yourdomain.com
# S3 Document Storage (optional — works with AWS S3, Backblaze B2, MinIO)
# S3_BUCKET=your-bucket-name
# S3_REGION=us-east-1
# S3_PREFIX=documents/
#
# For AWS S3: uses same AWS credentials as Bedrock above, or set S3-specific keys:
# S3_ACCESS_KEY_ID=...
# S3_SECRET_ACCESS_KEY=...
#
# For Backblaze B2:
# S3_ENDPOINT=https://s3.us-west-004.backblazeb2.com
# S3_REGION=us-west-004
# S3_ACCESS_KEY_ID=your-b2-application-key-id
# S3_SECRET_ACCESS_KEY=your-b2-application-key
#
# For MinIO (self-hosted):
# S3_ENDPOINT=http://minio:9000
# S3_REGION=us-east-1
# S3_ACCESS_KEY_ID=minio-access-key
# S3_SECRET_ACCESS_KEY=minio-secret-key
# S3_FORCE_PATH_STYLE=true
# ============================================================
# EMBEDDINGS (for Learning Hub semantic search)
# ============================================================
# Enables vector-based semantic search in Learning Hub
# Requires pgvector extension: apt-get install postgresql-16-pgvector
# Default model (Vertex AI text-embedding-005, 768 dims, English + code optimized)
EMBEDDING_MODEL=vertex_ai/text-embedding-005
EMBEDDING_DIMENSIONS=768
# Other Vertex AI embedding models:
# - vertex_ai/text-embedding-005 → 768 dims, English + code (recommended)
# - vertex_ai/gemini-embedding-001 → up to 3072 dims, multilingual + code
# - vertex_ai/text-multilingual-embedding-002 → 768 dims, multilingual focus
#
# LiteLLM usage (if using LiteLLM proxy):
# EMBEDDING_MODEL=text-embedding-005 # LiteLLM will route to configured provider
#
# OpenAI fallback (NOT HIPAA-eligible):
# Uses text-embedding-3-small if OPENAI_API_KEY is set and no Vertex/LiteLLM configured
# ============================================================
# DATABASE
# ============================================================
DATABASE_URL=postgresql://pedscribe:pedscribe_secret_change_me@postgres:5432/pedscribe
DB_PASSWORD=pedscribe_secret_change_me