- Add field-encrypt dependency + config env vars (FIELD_ENCRYPT_*) - Create backend/src/lib/field-encrypt.ts encryptor singleton - Update notes repository: encrypt body on create/update, decrypt on read - Backward-compatible: isEncryptedField guard handles plaintext during migration - All 86 tests passing
import { z } from 'zod';
import { baseBackendConfigSchema } from '@bytelyst/backend-config';
import { PRODUCT_ID } from './product-config.js';
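// Spellings that must read as "off" when a boolean switch arrives as a string.
const FALSY_ENV_VALUES = new Set(['', '0', 'false', 'no', 'off']);

/**
 * Boolean switch read from an environment variable, defaulting to `false`.
 *
 * `z.coerce.boolean()` applies `Boolean(value)`, so every non-empty string,
 * including "false" and "0", would be read as `true`. Environment values are
 * always strings, so the usual "off" spellings are mapped to `false` before
 * coercion. Any other non-empty string still enables the switch, as before.
 */
const envFlag = z.preprocess((raw) => {
  if (typeof raw !== 'string') {
    return raw; // undefined falls through to the default below
  }
  return !FALSY_ENV_VALUES.has(raw.trim().toLowerCase());
}, z.coerce.boolean().default(false));

/**
 * Environment schema for the notelett backend: the shared base schema with
 * service-specific defaults and the field-encryption settings added.
 */
const envSchema = baseBackendConfigSchema.extend({
  PORT: baseBackendConfigSchema.shape.PORT.default(4016),
  SERVICE_NAME: baseBackendConfigSchema.shape.SERVICE_NAME.default('notelett-backend'),
  DB_PROVIDER: baseBackendConfigSchema.shape.DB_PROVIDER.default('memory'),

  // NOTE(review): this fallback is a fixed value that is visible in source.
  // A deployment that omits JWT_SECRET would presumably sign and verify tokens
  // with it, and nothing in this schema rejects the fallback outside
  // development. Consider failing startup when it is still in effect there.
  JWT_SECRET: z.string().default('dev-secret-do-not-use-in-prod'),

  COSMOS_DATABASE: baseBackendConfigSchema.shape.COSMOS_DATABASE.default('bytelyst'),
  PRODUCT_ID: z.string().default(PRODUCT_ID),

  // Peer service endpoints. These are accepted as arbitrary strings (no URL or
  // scheme validation), and the defaults are plain-http localhost addresses.
  PLATFORM_SERVICE_URL: z.string().default('http://localhost:4003'),
  EXTRACTION_SERVICE_URL: z.string().default('http://localhost:4005'),
  MCP_SERVER_URL: z.string().default('http://localhost:4007'),

  TELEMETRY_ENABLED: envFlag,
  FEATURE_FLAGS_ENABLED: envFlag,

  // ── Field Encryption (@bytelyst/field-encrypt) ──
  // NOTE(review): the provider falls back to 'memory' and the key to an empty
  // string, so an unset environment still parses successfully. Presumably
  // 'env' needs FIELD_ENCRYPT_KEY and 'akv' needs AZURE_KEYVAULT_URL; confirm
  // that @bytelyst/field-encrypt rejects an empty value for the selected
  // provider, because this schema does not check the combination.
  // NOTE(review): if 'memory' means a per-process key (confirm), data written
  // under it would not be readable after a restart, so it should not be the
  // provider in effect for persistent stores.
  FIELD_ENCRYPT_KEY_PROVIDER: z.enum(['akv', 'env', 'memory']).default('memory'),
  FIELD_ENCRYPT_KEY: z.string().default(''),
  FIELD_ENCRYPT_MEK_NAME: z.string().default('notelett-mek'),
  AZURE_KEYVAULT_URL: z.string().default(''),
});

/**
 * Validated configuration, parsed once from `process.env` at module load.
 * `parse` throws if a variable fails validation, so a bad environment stops
 * the import. The object holds JWT_SECRET and FIELD_ENCRYPT_KEY, so do not
 * log or serialize it as a whole.
 */
export const config = envSchema.parse(process.env);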