- App-layer AES-256-GCM crypto helper (src/utils/crypto.js) - Nextcloud tokens encrypted at rest; transparent migration on next use - Audio backups encrypted at rest (version byte 0x01 envelope); legacy rows still decrypt as-is until overwritten - argon2id password hashing via src/utils/passwords.js with bcrypt fallback; bcrypt hashes rehashed to argon2id on next successful login. argon2 package is optional — server keeps running with bcrypt only until npm install adds the native dep - PHI redactor for audit log details (src/utils/redact.js) — strips SSN, phone, email, DoB, long IDs; caps at 500 chars; detects note bodies - DOMPurify (cdnjs, SRI-pinned) replaces custom regex sanitizer in Learning Hub content rendering - SRI integrity hashes added for Font Awesome CSS and Chart.js - Magic-byte file-type verification on document uploads (src/utils/fileType.js) - Generic 500 error responses via src/utils/errors.js applied to nextcloud and audioBackups; full detail still logged server-side - DATA_ENCRYPTION_KEY env documented in .env.example Deploy: requires rebuild of the container image to pick up the new files and `npm install` (adds argon2). Existing users keep working because bcrypt stays available and crypto helpers pass through plaintext when the key is not yet set in dev.
166 lines
6.4 KiB
Text
166 lines
6.4 KiB
Text
# ============================================================
|
|
# AI PROVIDER (choose one)
|
|
# ============================================================
|
|
|
|
# Option 1: OpenRouter (default, cheapest, NOT HIPAA)
|
|
AI_PROVIDER=openrouter
|
|
OPENROUTER_API_KEY=sk-or-v1-your-key
|
|
|
|
# Option 2: AWS Bedrock (HIPAA compliant with BAA)
|
|
# AI_PROVIDER=bedrock
|
|
# AWS_BEDROCK_REGION=us-east-1
|
|
# AWS_ACCESS_KEY_ID=AKIA...
|
|
# AWS_SECRET_ACCESS_KEY=...
|
|
# (Or use IAM role — no keys needed if running on EC2/ECS)
|
|
|
|
# Option 3: Azure OpenAI (HIPAA compliant with BAA)
|
|
# AI_PROVIDER=azure
|
|
# AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com
|
|
# AZURE_OPENAI_API_KEY=your-key
|
|
# AZURE_DEPLOYMENT_NAME=gpt-4o-mini
|
|
# AZURE_OPENAI_API_VERSION=2024-02-01
|
|
|
|
# Option 4: Google Vertex AI (HIPAA compliant with BAA)
|
|
# AI_PROVIDER=vertex
|
|
# GOOGLE_VERTEX_PROJECT=your-gcp-project-id
|
|
# GOOGLE_VERTEX_LOCATION=us-central1
|
|
# GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
|
|
# (Or use default credentials if running on GCE/GKE/Cloud Run)
|
|
#
|
|
# Google STT — Gemini inline audio (auto-detected when GOOGLE_VERTEX_PROJECT set)
|
|
# TRANSCRIBE_PROVIDER=google
|
|
# GOOGLE_STT_MODEL=gemini-2.0-flash # or gemini-2.5-flash for better accuracy
|
|
#
|
|
# Google TTS — Google Cloud Text-to-Speech (auto-detected when GOOGLE_VERTEX_PROJECT set)
|
|
# TTS_PROVIDER=google
|
|
# GOOGLE_TTS_VOICE=en-US-Journey-F # female | en-US-Journey-D = male
|
|
# Other options: en-US-Studio-O, en-US-Neural2-C, en-US-Neural2-J
|
|
|
|
# Option 5: LiteLLM Proxy (self-hosted, routes to any provider)
|
|
# AI_PROVIDER=litellm
|
|
# LITELLM_API_BASE=http://localhost:4000
|
|
# LITELLM_API_KEY=sk-litellm-your-key
|
|
# Admin can discover available models via the admin panel
|
|
#
|
|
# LiteLLM Speech-to-Text
|
|
# TRANSCRIBE_PROVIDER=litellm
|
|
# LITELLM_STT_MODEL=whisper-1 # Use the model name from your LiteLLM model_list
|
|
# If your LiteLLM config uses full paths as model names, use the full path:
|
|
# LITELLM_STT_MODEL=openai/whisper-1
|
|
# NOTE: vertex_ai/chirp does NOT work via LiteLLM audio proxy.
|
|
# For Vertex AI speech, use TRANSCRIBE_PROVIDER=google (Gemini inline audio).
|
|
#
|
|
# LiteLLM TTS
|
|
# TTS_PROVIDER=litellm (auto-detected when LITELLM_API_BASE set)
|
|
# LITELLM_TTS_MODEL=tts-1 # Use model name from your LiteLLM model_list
|
|
# If your config uses full paths: LITELLM_TTS_MODEL=vertex_ai/google-tts
|
|
# LITELLM_TTS_VOICE=en-US-Journey-F # Google Cloud voice name (or alloy/nova for OpenAI)
|
|
|
|
# ============================================================
|
|
# TRANSCRIPTION (speech-to-text)
|
|
# ============================================================
|
|
|
|
# Option A: OpenAI Whisper (default if no AWS configured)
|
|
OPENAI_API_KEY=sk-your-openai-key
|
|
|
|
# Option B: Amazon Transcribe (HIPAA eligible, no S3 needed)
|
|
# Uses same AWS credentials as Bedrock above.
|
|
# Set TRANSCRIBE_PROVIDER=aws to force AWS even if OPENAI_API_KEY is set.
|
|
# Leave unset to auto-detect (uses AWS when AWS_BEDROCK_REGION is configured).
|
|
# TRANSCRIBE_PROVIDER=aws
|
|
|
|
# Option C: Local Whisper (privacy-first, no cloud API needed)
|
|
# Requires whisper.cpp or faster-whisper installed on the server.
|
|
# TRANSCRIBE_PROVIDER=local
|
|
# WHISPER_MODEL_SIZE=small # tiny, base, small, medium, large
|
|
# WHISPER_BINARY=whisper-cpp # or: whisper, faster-whisper
|
|
# WHISPER_MODEL_PATH= # custom path to .bin model file
|
|
# WHISPER_LANGUAGE=en
|
|
# WHISPER_THREADS=4 # defaults to CPU count - 1
|
|
|
|
# Amazon Transcribe Medical — better accuracy for clinical dictation
|
|
# Knows drug names, diagnoses, procedures, SOAP terminology
|
|
# HIPAA eligible (ensure your AWS account has a BAA)
|
|
# AWS_TRANSCRIBE_MEDICAL=true
|
|
# AWS_TRANSCRIBE_SPECIALTY=PRIMARYCARE
|
|
# Other options: CARDIOLOGY, NEUROLOGY, ONCOLOGY, RADIOLOGY, UROLOGY
|
|
|
|
# Optional
|
|
ELEVENLABS_API_KEY=
|
|
|
|
# Push Notifications (ntfy — self-hosted, optional)
|
|
# NTFY_URL=https://ntfy.yourdomain.com
|
|
# NTFY_TOKEN=tk_your_token_here
|
|
|
|
# App
|
|
PORT=3000
|
|
APP_URL=https://your-domain.com
|
|
|
|
# Cloudflare Turnstile (anti-bot on registration, optional)
|
|
# TURNSTILE_SITE_KEY=your-site-key
|
|
# TURNSTILE_SECRET_KEY=your-secret-key
|
|
JWT_SECRET=generate-a-random-64-char-string-here
|
|
|
|
# Application-layer encryption key for PHI at rest (Nextcloud tokens, audio backups)
|
|
# Generate with: openssl rand -hex 32
|
|
# REQUIRED in production. Rotating invalidates existing encrypted data.
|
|
DATA_ENCRYPTION_KEY=generate-with-openssl-rand-hex-32
|
|
|
|
# Email (for verification & password reset)
|
|
SMTP_HOST=smtp.gmail.com
|
|
SMTP_PORT=587
|
|
SMTP_USER=your-email@gmail.com
|
|
SMTP_PASS=your-app-password
|
|
SMTP_FROM=noreply@yourdomain.com
|
|
|
|
# Nextcloud (optional)
|
|
NEXTCLOUD_URL=https://cloud.yourdomain.com
|
|
|
|
# S3 Document Storage (optional — works with AWS S3, Backblaze B2, MinIO)
|
|
# S3_BUCKET=your-bucket-name
|
|
# S3_REGION=us-east-1
|
|
# S3_PREFIX=documents/
|
|
#
|
|
# For AWS S3: uses same AWS credentials as Bedrock above, or set S3-specific keys:
|
|
# S3_ACCESS_KEY_ID=...
|
|
# S3_SECRET_ACCESS_KEY=...
|
|
#
|
|
# For Backblaze B2:
|
|
# S3_ENDPOINT=https://s3.us-west-004.backblazeb2.com
|
|
# S3_REGION=us-west-004
|
|
# S3_ACCESS_KEY_ID=your-b2-application-key-id
|
|
# S3_SECRET_ACCESS_KEY=your-b2-application-key
|
|
#
|
|
# For MinIO (self-hosted):
|
|
# S3_ENDPOINT=http://minio:9000
|
|
# S3_REGION=us-east-1
|
|
# S3_ACCESS_KEY_ID=minio-access-key
|
|
# S3_SECRET_ACCESS_KEY=minio-secret-key
|
|
# S3_FORCE_PATH_STYLE=true
|
|
|
|
# ============================================================
|
|
# EMBEDDINGS (for Learning Hub semantic search)
|
|
# ============================================================
|
|
# Enables vector-based semantic search in Learning Hub
|
|
# Requires pgvector extension: apt-get install postgresql-16-pgvector
|
|
|
|
# Default model (Vertex AI text-embedding-005, 768 dims, English + code optimized)
|
|
EMBEDDING_MODEL=vertex_ai/text-embedding-005
|
|
EMBEDDING_DIMENSIONS=768
|
|
|
|
# Other Vertex AI embedding models:
|
|
# - vertex_ai/text-embedding-005 → 768 dims, English + code (recommended)
|
|
# - vertex_ai/gemini-embedding-001 → up to 3072 dims, multilingual + code
|
|
# - vertex_ai/text-multilingual-embedding-002 → 768 dims, multilingual focus
|
|
#
|
|
# LiteLLM usage (if using LiteLLM proxy):
|
|
# EMBEDDING_MODEL=text-embedding-005 # LiteLLM will route to configured provider
|
|
#
|
|
# OpenAI fallback (NOT HIPAA-eligible):
|
|
# Uses text-embedding-3-small if OPENAI_API_KEY is set and no Vertex/LiteLLM configured
|
|
|
|
# ============================================================
|
|
# DATABASE
|
|
# ============================================================
|
|
DATABASE_URL=postgresql://pedscribe:pedscribe_secret_change_me@postgres:5432/pedscribe
|
|
DB_PASSWORD=pedscribe_secret_change_me
|