block · tlongwell-block · Mar 9, 2026 · Mar 6, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -0,0 +1,98 @@
+# =============================================================================
+# Sprout Backend — Local Development Environment
+# =============================================================================
+# Copy this file to .env and adjust as needed:
+#   cp .env.example .env
+#
+# All defaults here work with `docker compose up` out of the box.
+#
+# Service ports (defaults):
+#   MySQL       → localhost:3306
+#   Redis       → localhost:6379
+#   Typesense   → localhost:8108
+#   Adminer     → localhost:8082  (DB browser UI)
+#
+# Note: If port 8082 conflicts, change the adminer port in docker-compose.yml
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Database (MySQL 8.0)
+# -----------------------------------------------------------------------------
+DATABASE_URL=mysql://sprout:sprout_dev@localhost:3306/sprout
+MYSQL_ROOT_PASSWORD=sprout_dev
+MYSQL_USER=sprout
+MYSQL_PASSWORD=sprout_dev
+MYSQL_DATABASE=sprout
+
+# -----------------------------------------------------------------------------
+# Redis 7
+# -----------------------------------------------------------------------------
+REDIS_URL=redis://localhost:6379
+
+# -----------------------------------------------------------------------------
+# Typesense (search)
+# -----------------------------------------------------------------------------
+TYPESENSE_API_KEY=sprout_dev_key
+TYPESENSE_URL=http://localhost:8108
+
+# -----------------------------------------------------------------------------
+# Relay (WebSocket server)
+# -----------------------------------------------------------------------------
+# Bind address for the relay (host:port)
+SPROUT_BIND_ADDR=0.0.0.0:3000
+# Public WebSocket URL — used in NIP-42 auth challenges
+RELAY_URL=ws://localhost:3000
+# Set to true in production to require bearer token authentication
+SPROUT_REQUIRE_AUTH_TOKEN=false
+
+# -----------------------------------------------------------------------------
+# Auth
+# -----------------------------------------------------------------------------
+# Set to false for dev (accepts NIP-42 without JWT, allows X-Pubkey header).
+# Set to true in production to require bearer token authentication.
+SPROUT_REQUIRE_AUTH_TOKEN=false
+
+# JWKS endpoint for verifying JWT access tokens.
+# Claim that carries the user's Nostr public key (hex, 32 bytes).
+OKTA_PUBKEY_CLAIM=nostr_pubkey
+
+# ── Keycloak (local OAuth testing — stands in for Okta in prod) ──────────────
+# Keycloak is NOT a production dependency. It lets you test the full OAuth
+# flow locally without needing an Okta tenant. Run `docker compose up -d`
+# then `./scripts/setup-keycloak.sh` to create the realm, client, and users.
+#
+# Admin UI: http://localhost:8180  (admin / admin)
+# Get a token:
+#   curl -s -X POST http://localhost:8180/realms/sprout/protocol/openid-connect/token \
+#     -d 'client_id=sprout-desktop&grant_type=password&username=tyler&password=password123' \
+#     | jq -r .access_token
+OKTA_JWKS_URI=http://localhost:8180/realms/sprout/protocol/openid-connect/certs
+OKTA_ISSUER=http://localhost:8180/realms/sprout
+OKTA_AUDIENCE=sprout-desktop
+
+# ── Okta (production / staging) ──────────────────────────────────────────────
+# Uncomment and fill in when deploying against a real Okta tenant.
+# OKTA_JWKS_URI=https://dev-example.okta.com/oauth2/default/v1/keys
+# OKTA_ISSUER=https://dev-example.okta.com/oauth2/default
+# OKTA_AUDIENCE=sprout-api
+# OKTA_PUBKEY_CLAIM=nostr_pubkey
+
+# -----------------------------------------------------------------------------
+# Logging / Tracing
+# -----------------------------------------------------------------------------
+RUST_LOG=sprout_relay=debug,sprout_db=debug,sprout_auth=debug,sprout_pubsub=debug,tower_http=debug
+
+# OTLP tracing endpoint (optional — leave unset to disable)
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
+
+# -----------------------------------------------------------------------------
+# sqlx (offline mode for Docker builds — set to true in CI/Docker)
+# -----------------------------------------------------------------------------
+SQLX_OFFLINE=false
+
+# -----------------------------------------------------------------------------
+# Huddle (LiveKit integration)
+# -----------------------------------------------------------------------------
+# LIVEKIT_API_KEY=devkey
+# LIVEKIT_API_SECRET=devsecret
+# LIVEKIT_URL=ws://localhost:7880
@@ -0,0 +1,26 @@
+name: CI
+on:
+  push:
+    branches: [main, release]
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+        with:
+          components: rustfmt, clippy
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
+      - run: cargo fmt --all -- --check
+      - run: cargo clippy --workspace --all-targets -- -D warnings
+      - run: cargo test --workspace
+      - run: cargo install cargo-audit --locked
+      - run: cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0384
+      - run: cargo install cargo-deny --locked
+      - run: cargo deny check
@@ -0,0 +1,33 @@
+# Build artifacts
+/target/
+
+# Environment files (may contain secrets)
+.env
+.env.local
+.env.*.local
+
+# Editor / IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+.*.sw?
+
+# OS artifacts
+.DS_Store
+Thumbs.db
+
+# Scratch / working files (AI reviews, notes, drafts)
+.scratch/
+
+# sqlx offline query data (generated, not portable)
+.sqlx/
+
+# Docker volumes (if mounted locally)
+mysql-data/
+typesense-data/
+
+# Hermit (toolchain manager cache)
+.hermit/
+doc/