example42 · alvagante · Mar 11, 2026 · Mar 10, 2026 · Mar 11, 2026 · Mar 14, 2026
diff --git a/.env.docker b/.env.docker
@@ -1,52 +1,183 @@
-# Sample .env file for a docker setup where all the needed
-# files are in your $(cwd)/pabawi dir which is mounted to /pabawi in the container
+# =============================================================================
+# Pabawi v1.0.0 — Docker Environment Configuration
+# =============================================================================
+# Copy this file to .env and customize for your Docker deployment.
+# All configuration is loaded from this file at startup (.env is the single
+# source of truth — there are no database-stored config overrides).
+#
+# Paths below use container-internal locations. If you mount host volumes,
+# make sure the container paths match your docker-compose volume mappings.
+# =============================================================================
 
+# -----------------------------------------------------------------------------
+# Application
+# -----------------------------------------------------------------------------
 PORT=3000
-HOST=localhost
+HOST=0.0.0.0
 LOG_LEVEL=info
-DATABASE_PATH=/pabawi/data/pabawi.db
+DATABASE_PATH=/data/pabawi.db
 
+# JWT Secret for authentication (REQUIRED in production)
+# Generate with: openssl rand -base64 32
+JWT_SECRET=your-secure-random-secret-here  # pragma: allowlist secret
+
+# CORS allowed origins (comma-separated)
+# CORS_ALLOWED_ORIGINS=http://localhost:5173,http://localhost:3000
+
+# -----------------------------------------------------------------------------
+# Command Execution
+# -----------------------------------------------------------------------------
+COMMAND_WHITELIST_ALLOW_ALL=false
+COMMAND_WHITELIST=["ls","pwd","whoami","uptime"]
+# COMMAND_WHITELIST_MATCH_MODE=exact
+BOLT_EXECUTION_TIMEOUT=300000
+# Bolt project files — can be the control repo or a separate directory
+BOLT_PROJECT_PATH=/bolt-project
+
+# Provisioning safety — set to true to allow destructive actions
+# (e.g., Proxmox VM/LXC destroy, AWS EC2 terminate)
+ALLOW_DESTRUCTIVE_PROVISIONING=false
+
+# -----------------------------------------------------------------------------
 # PuppetDB integration
-PUPPETDB_ENABLED=true
-PUPPETDB_SERVER_URL=https://puppet.example.com
-PUPPETDB_PORT=8081
-PUPPETDB_TOKEN=
-PUPPETDB_SSL_ENABLED=true
-# You can generate certs for pabawi using scripts/generate-pabawi-cert.sh
-PUPPETDB_SSL_CA=/pabawi/certs/ca.pem
-PUPPETDB_SSL_CERT=/pabawi/certs/pabawi.pem
-PUPPETDB_SSL_KEY=/pabawi/certs/pabawi-key.pem
-PUPPETDB_SSL_REJECT_UNAUTHORIZED=true
+# -----------------------------------------------------------------------------
+PUPPETDB_ENABLED=false
+# PUPPETDB_SERVER_URL=https://puppet.example.com
+# PUPPETDB_PORT=8081
+# PUPPETDB_TOKEN=
+# PUPPETDB_SSL_ENABLED=true
+# You can generate certs for Pabawi using scripts/generate-pabawi-cert.sh
+# PUPPETDB_SSL_CA=/certs/ca.pem
+# PUPPETDB_SSL_CERT=/certs/pabawi.pem
+# PUPPETDB_SSL_KEY=/certs/pabawi-key.pem
+# PUPPETDB_SSL_REJECT_UNAUTHORIZED=true
+# PUPPETDB_TIMEOUT=30000
+# PUPPETDB_RETRY_ATTEMPTS=3
+# PUPPETDB_RETRY_DELAY=1000
+# PUPPETDB_CACHE_TTL=300000
+# PUPPETDB_CIRCUIT_BREAKER_THRESHOLD=5
+# PUPPETDB_CIRCUIT_BREAKER_TIMEOUT=60000
+# PUPPETDB_CIRCUIT_BREAKER_RESET_TIMEOUT=30000
 
+# -----------------------------------------------------------------------------
 # Puppetserver integration
-PUPPETSERVER_ENABLED=true
-PUPPETSERVER_SERVER_URL=https://puppet.example.com
-PUPPETSERVER_PORT=8140
-PUPPETSERVER_TOKEN=
-PUPPETSERVER_SSL_ENABLED=true
-# You can use the same cert used for PuppetBD or a different one
-PUPPETSERVER_SSL_CA=/pabawi/certs/ca.pem
-PUPPETSERVER_SSL_CERT=/pabawi/certs/pabawi.pem
-PUPPETSERVER_SSL_KEY=/pabawi/certs/pabawi-key.pem
-PUPPETSERVER_SSL_REJECT_UNAUTHORIZED=true
+# -----------------------------------------------------------------------------
+PUPPETSERVER_ENABLED=false
+# PUPPETSERVER_SERVER_URL=https://puppet.example.com
+# PUPPETSERVER_PORT=8140
+# PUPPETSERVER_TOKEN=
+# PUPPETSERVER_SSL_ENABLED=true
+# PUPPETSERVER_SSL_CA=/certs/ca.pem
+# PUPPETSERVER_SSL_CERT=/certs/pabawi.pem
+# PUPPETSERVER_SSL_KEY=/certs/pabawi-key.pem
+# PUPPETSERVER_SSL_REJECT_UNAUTHORIZED=true
+# PUPPETSERVER_TIMEOUT=30000
+# PUPPETSERVER_RETRY_ATTEMPTS=3
+# PUPPETSERVER_RETRY_DELAY=1000
+# PUPPETSERVER_INACTIVITY_THRESHOLD=3600
+# PUPPETSERVER_CACHE_TTL=300000
+# PUPPETSERVER_CIRCUIT_BREAKER_THRESHOLD=5
+# PUPPETSERVER_CIRCUIT_BREAKER_TIMEOUT=60000
+# PUPPETSERVER_CIRCUIT_BREAKER_RESET_TIMEOUT=30000
 
+# -----------------------------------------------------------------------------
 # Hiera integration
-HIERA_ENABLED=true
-HIERA_CONTROL_REPO_PATH=/pabawi/control-repo
-HIERA_CONFIG_PATH=hiera.yaml
+# -----------------------------------------------------------------------------
+HIERA_ENABLED=false
+# HIERA_CONTROL_REPO_PATH=/control-repo
+# HIERA_CONFIG_PATH=hiera.yaml
+# HIERA_ENVIRONMENTS=["production","staging"]
+# HIERA_FACT_SOURCE_PREFER_PUPPETDB=true
+# HIERA_FACT_SOURCE_LOCAL_PATH=
+# HIERA_CATALOG_COMPILATION_ENABLED=false
+# HIERA_CATALOG_COMPILATION_TIMEOUT=60000
+# HIERA_CATALOG_COMPILATION_CACHE_TTL=300000
+# HIERA_CACHE_ENABLED=true
+# HIERA_CACHE_TTL=300000
+# HIERA_CACHE_MAX_ENTRIES=10000
+# HIERA_CODE_ANALYSIS_ENABLED=true
+# HIERA_CODE_ANALYSIS_LINT_ENABLED=true
+# HIERA_CODE_ANALYSIS_MODULE_UPDATE_CHECK=true
+# HIERA_CODE_ANALYSIS_INTERVAL=3600000
+# HIERA_CODE_ANALYSIS_EXCLUSION_PATTERNS=[]
 
-# Bolt integration
-COMMAND_WHITELIST_ALLOW_ALL=false
-COMMAND_WHITELIST=["ls","pwd","whoami","uptime"]
-BOLT_EXECUTION_TIMEOUT=300000
-# Bolt project files can stay in the control repo or in a separate dir
-BOLT_PROJECT_PATH=/pabawi/control-repo
+# -----------------------------------------------------------------------------
+# Ansible integration
+# -----------------------------------------------------------------------------
+ANSIBLE_ENABLED=false
+# ANSIBLE_PROJECT_PATH=/ansible
+# ANSIBLE_INVENTORY_PATH=inventory/hosts
+# ANSIBLE_EXECUTION_TIMEOUT=300000
+
+# -----------------------------------------------------------------------------
+# SSH integration
+# -----------------------------------------------------------------------------
+SSH_ENABLED=false
+# SSH_CONFIG_PATH=/ssh/config
+# SSH_DEFAULT_USER=root
+# SSH_DEFAULT_PORT=22
+# SSH_DEFAULT_KEY=/ssh/id_rsa
+# SSH_HOST_KEY_CHECK=true
+# SSH_CONNECTION_TIMEOUT=30
+# SSH_COMMAND_TIMEOUT=300
+# SSH_MAX_CONNECTIONS=50
+# SSH_MAX_CONNECTIONS_PER_HOST=5
+# SSH_IDLE_TIMEOUT=300
+# SSH_CONCURRENCY_LIMIT=10
+# SSH_SUDO_ENABLED=false
+# SSH_SUDO_COMMAND=sudo
+# SSH_SUDO_PASSWORDLESS=true
+# SSH_SUDO_PASSWORD=  # pragma: allowlist secret
+# SSH_SUDO_USER=root
+# SSH_PRIORITY=50
+
+# -----------------------------------------------------------------------------
+# Proxmox integration
+# -----------------------------------------------------------------------------
+PROXMOX_ENABLED=false
+# PROXMOX_HOST=proxmox.example.com
+# PROXMOX_PORT=8006
+# Token authentication (recommended)
+# PROXMOX_TOKEN=user@realm!tokenid=token-value  # pragma: allowlist secret
+# Username/password authentication (alternative)
+# PROXMOX_USERNAME=root@pam
+# PROXMOX_PASSWORD=your-password-here  # pragma: allowlist secret
+# PROXMOX_REALM=pam
+# PROXMOX_SSL_REJECT_UNAUTHORIZED=true
+# PROXMOX_SSL_CA=/certs/proxmox-ca.pem
+# PROXMOX_SSL_CERT=/certs/proxmox-cert.pem
+# PROXMOX_SSL_KEY=/certs/proxmox-key.pem
+# PROXMOX_TIMEOUT=30000
+# PROXMOX_PRIORITY=7
+
+# -----------------------------------------------------------------------------
+# AWS integration
+# -----------------------------------------------------------------------------
+AWS_ENABLED=false
+# Use AWS profiles or IAM roles when possible instead of static keys.
+# If omitted, the AWS SDK default credential chain is used
+# (env vars, ~/.aws/credentials, instance profile, etc.)
+# AWS_ACCESS_KEY_ID=your-access-key-here  # pragma: allowlist secret
+# AWS_SECRET_ACCESS_KEY=your-secret-key-here  # pragma: allowlist secret
+# AWS_DEFAULT_REGION=us-east-1
+# Query multiple regions (JSON array or comma-separated)
+# AWS_REGIONS=["us-east-1","eu-west-1"]
+# AWS_SESSION_TOKEN=  # pragma: allowlist secret
+# AWS_PROFILE=default
+# AWS_ENDPOINT=
 
-# SSH integration configuration
-SSH_ENABLED=true
-SSH_CONFIG_PATH=/pabawi/ssh/config
-# SSH_DEFAULT_USER=al
+# -----------------------------------------------------------------------------
+# Streaming, Cache, and Queue (advanced — defaults are usually fine)
+# -----------------------------------------------------------------------------
+# STREAMING_BUFFER_MS=100
+# STREAMING_MAX_OUTPUT_SIZE=10485760
+# STREAMING_MAX_LINE_LENGTH=10000
+# CACHE_INVENTORY_TTL=30000
+# CACHE_FACTS_TTL=300000
+# CONCURRENT_EXECUTION_LIMIT=5
+# MAX_QUEUE_SIZE=50
 
-ANSIBLE_ENABLED=true
-ANSIBLE_PROJECT_PATH=/pabawi/ansible
-ANSIBLE_INVENTORY_PATH=inventory/hosts
+# -----------------------------------------------------------------------------
+# UI
+# -----------------------------------------------------------------------------
+# UI_SHOW_HOME_PAGE_RUN_CHART=true
diff --git a/.gitignore b/.gitignore
@@ -56,3 +56,5 @@ bolt-project/data/
 # Stress test generated files (large inventory files)
 samples/stresstest/ansible/inventory/
 samples/stresstest/bolt/inventory.yaml
+
+.claude