buildmymcpserver/.env.production.example

# ============================================================================
# Production environment for buildmymcp.com
# Copy to .env.production on the server and fill every value marked CHANGE-ME.
# Never commit the filled file — .env.production is gitignored.
#
# Used two ways by docker-compose.prod.yml:
#   1. compose interpolation  -> docker compose --env-file .env.production ...
#   2. container env          -> env_file: .env.production
# ============================================================================

# ---- Core ----
NODE_ENV=production

# ---- Postgres (the compose file owns the container) ----
POSTGRES_USER=bmm
POSTGRES_PASSWORD=CHANGE-ME-strong-db-password
POSTGRES_DB=bmm
POSTGRES_PORT=5440

# ---- Redis ----
REDIS_PORT=6390

# ---- Connection strings (host-networked services reach the DBs on loopback) ----
DATABASE_URL=postgresql://bmm:CHANGE-ME-strong-db-password@127.0.0.1:5440/bmm
REDIS_URL=redis://127.0.0.1:6390

# ---- API ----
PORT=4000

# ---- Public URLs (must match the Cloudflare DNS records) ----
NEXT_PUBLIC_APP_URL=https://buildmymcp.com
NEXT_PUBLIC_API_URL=https://api.buildmymcp.com
# Used to build the Google OAuth redirect URI and as the JWKS origin.
CONTROL_PLANE_PUBLIC_URL=https://api.buildmymcp.com
# Reachable by generated MCP containers — must be public so they can resolve it.
CONTROL_PLANE_URL=https://api.buildmymcp.com
OAUTH_ISSUER=https://api.buildmymcp.com

# ---- Crypto ----
# REQUIRED in production. The API refuses to boot on the all-zero placeholder.
# Generate with: openssl rand -hex 32
SECRETS_ENCRYPTION_KEY=CHANGE-ME-run-openssl-rand-hex-32

# ---- Admin bootstrap (upserted idempotently on API boot) ----
ADMIN_EMAIL=marco.frangiskatos@gmail.com
ADMIN_PASSWORD=CHANGE-ME-strong-admin-password
ADMIN_NAME=Marco Frangiskatos

# ---- Anthropic (empty = mock generation; set for real Claude generation) ----
ANTHROPIC_API_KEY=

# ---- Google OAuth ("Continue with Google") ----
# Google Cloud Console -> APIs & Services -> Credentials -> OAuth client (Web).
# Authorized redirect URI must be EXACTLY:
#   https://api.buildmymcp.com/v1/auth/google/callback
GOOGLE_OAUTH_ID=
GOOGLE_OAUTH_SECRET=

# ---- OAuth signing keys (RS256 JWKS) ----
# Auto-generated on first boot into this dir; persisted in the bmm_keys volume.
OAUTH_KEY_DIR=./keys

# ---- Runner / Generator ----
# Host used in a generated server's public URL (http://RUNNER_HOST:<port>).
# Generated MCP containers bind host ports in RUNNER_PORT_RANGE_*.
# NOTE: per-server subdomain routing through the proxy is not wired yet — a
# generated server is currently reachable at the host port directly. Treat
# public exposure of generated servers as a follow-up before GA. See DEPLOY.md.
RUNNER_HOST=buildmymcp.com
RUNNER_PORT_RANGE_START=4100
RUNNER_PORT_RANGE_END=4999

# ---- Observability (optional) ----
SENTRY_DSN=
OTEL_EXPORTER_OTLP_ENDPOINT=
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 00:37:02 +02:00			`# ============================================================================`
			`# Production environment for buildmymcp.com`
			`# Copy to .env.production on the server and fill every value marked CHANGE-ME.`
			`# Never commit the filled file — .env.production is gitignored.`
			`#`
			`# Used two ways by docker-compose.prod.yml:`
			`# 1. compose interpolation -> docker compose --env-file .env.production ...`
			`# 2. container env -> env_file: .env.production`
			`# ============================================================================`

			`# ---- Core ----`
			`NODE_ENV=production`

			`# ---- Postgres (the compose file owns the container) ----`
			`POSTGRES_USER=bmm`
			`POSTGRES_PASSWORD=CHANGE-ME-strong-db-password`
			`POSTGRES_DB=bmm`
			`POSTGRES_PORT=5440`

			`# ---- Redis ----`
			`REDIS_PORT=6390`

			`# ---- Connection strings (host-networked services reach the DBs on loopback) ----`
			`DATABASE_URL=postgresql://bmm:CHANGE-ME-strong-db-password@127.0.0.1:5440/bmm`
			`REDIS_URL=redis://127.0.0.1:6390`

			`# ---- API ----`
			`PORT=4000`

			`# ---- Public URLs (must match the Cloudflare DNS records) ----`
			`NEXT_PUBLIC_APP_URL=https://buildmymcp.com`
			`NEXT_PUBLIC_API_URL=https://api.buildmymcp.com`
			`# Used to build the Google OAuth redirect URI and as the JWKS origin.`
			`CONTROL_PLANE_PUBLIC_URL=https://api.buildmymcp.com`
			`# Reachable by generated MCP containers — must be public so they can resolve it.`
			`CONTROL_PLANE_URL=https://api.buildmymcp.com`
			`OAUTH_ISSUER=https://api.buildmymcp.com`

			`# ---- Crypto ----`
			`# REQUIRED in production. The API refuses to boot on the all-zero placeholder.`
			`# Generate with: openssl rand -hex 32`
			`SECRETS_ENCRYPTION_KEY=CHANGE-ME-run-openssl-rand-hex-32`

			`# ---- Admin bootstrap (upserted idempotently on API boot) ----`
			`ADMIN_EMAIL=marco.frangiskatos@gmail.com`
			`ADMIN_PASSWORD=CHANGE-ME-strong-admin-password`
			`ADMIN_NAME=Marco Frangiskatos`

			`# ---- Anthropic (empty = mock generation; set for real Claude generation) ----`
			`ANTHROPIC_API_KEY=`

			`# ---- Google OAuth ("Continue with Google") ----`
			`# Google Cloud Console -> APIs & Services -> Credentials -> OAuth client (Web).`
			`# Authorized redirect URI must be EXACTLY:`
			`# https://api.buildmymcp.com/v1/auth/google/callback`
			`GOOGLE_OAUTH_ID=`
			`GOOGLE_OAUTH_SECRET=`

			`# ---- OAuth signing keys (RS256 JWKS) ----`
			`# Auto-generated on first boot into this dir; persisted in the bmm_keys volume.`
			`OAUTH_KEY_DIR=./keys`

			`# ---- Runner / Generator ----`
			`# Host used in a generated server's public URL (http://RUNNER_HOST:<port>).`
			`# Generated MCP containers bind host ports in RUNNER_PORT_RANGE_*.`
			`# NOTE: per-server subdomain routing through the proxy is not wired yet — a`
			`# generated server is currently reachable at the host port directly. Treat`
			`# public exposure of generated servers as a follow-up before GA. See DEPLOY.md.`
			`RUNNER_HOST=buildmymcp.com`
			`RUNNER_PORT_RANGE_START=4100`
			`RUNNER_PORT_RANGE_END=4999`

			`# ---- Observability (optional) ----`
			`SENTRY_DSN=`
			`OTEL_EXPORTER_OTLP_ENDPOINT=`