-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
168 lines (158 loc) · 8.51 KB
/
Copy path.env.example
File metadata and controls
168 lines (158 loc) · 8.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
## Optional for AI-assisted workflow and assistant features.
OPENAI_API_KEY=
OPENAI_MODEL_DEFAULT=gpt-5.4-mini
OPENAI_MODEL_HIGH_TRUST=gpt-5.4
OPENAI_MODEL_MID_TIER=gpt-5.4-mini
OPENAI_MODEL_PRODUCT_HELP=gpt-5.4-mini
OPENAI_MODEL_APPLICATION_QA=gpt-5.4
OPENAI_REASONING_DEFAULT=medium
OPENAI_REASONING_HIGH_TRUST=high
OPENAI_REASONING_PROFILE=medium
OPENAI_REASONING_JOB=medium
OPENAI_REASONING_FIT=medium
OPENAI_REASONING_TAILORING=medium
OPENAI_REASONING_STRATEGY=medium
OPENAI_REASONING_REVIEW=high
OPENAI_REASONING_RESUME_GENERATION=high
OPENAI_REASONING_PRODUCT_HELP=medium
OPENAI_REASONING_APPLICATION_QA=high
## Optional app base URL. Used as the default auth redirect URL when no
## explicit SUPABASE_AUTH_REDIRECT_URL is provided.
APP_BASE_URL=http://localhost:3000
## Required for the current login-first resume workflow, Google sign-in,
## persisted saved-workspace reload, and account-level quotas.
SUPABASE_URL=
SUPABASE_ANON_KEY=
## Service-role key used ONLY by the cached_jobs writer
## (/admin/refresh-cache) and reader (/jobs/search). Bypasses RLS —
## never send to the frontend, never use for user-scoped tables.
SUPABASE_SERVICE_ROLE_KEY=
SUPABASE_AUTH_REDIRECT_URL=http://localhost:3000/workspace
SUPABASE_APP_USERS_TABLE=app_users
SUPABASE_USAGE_EVENTS_TABLE=usage_events
SUPABASE_SAVED_WORKSPACES_TABLE=saved_workspaces
SUPABASE_SAVED_JOBS_TABLE=saved_jobs
SUPABASE_RESUME_BUILDER_SESSIONS_TABLE=resume_builder_sessions
SUPABASE_CACHED_JOBS_TABLE=cached_jobs
SAVED_WORKSPACE_TTL_HOURS=24
## Shared secret guarding /admin/refresh-cache. Set the same value in
## the Supabase pg_cron job's HTTP headers so the cron can include
## it. Rotate if leaked.
REFRESH_CACHE_SECRET=
## Optional job-search backend settings. Keep ENABLE_JOB_SEARCH_BACKEND=false
## until the separate backend service is available in the target environment.
ENABLE_JOB_SEARCH_BACKEND=false
JOB_BACKEND_BASE_URL=http://localhost:8000
JOB_BACKEND_HOSTPORT=
# Comma-separated lists of board / site identifiers. Each is the
# {token} in https://boards-api.greenhouse.io/v1/boards/{token}/jobs
# or the {site} in https://api.lever.co/v0/postings/{site}. The
# /admin/refresh-cache endpoint pulls every active job from each.
# Bad tokens surface as "error" in the refresh report's
# providers.greenhouse.errors[] (or .lever) — trim them from your
# env after the first refresh shows which ones failed.
#
# Validated seed list ~58 Greenhouse + 6 Lever = ~8.7K active jobs.
# Companies that previously used Greenhouse/Lever and migrated to
# Ashby (Linear, Vercel, Netlify, Supabase, OpenAI, ...) were
# trimmed after the first refresh — they 404'd. Add your own and
# they'll either show up as "ok" or "error" in the next refresh
# report.
GREENHOUSE_BOARD_TOKENS=databricks,stripe,mongodb,anthropic,cloudflare,datadog,waymo,okta,samsara,zscaler,roblox,airbnb,brex,sofi,gitlab,scaleai,intercom,affirm,gleanwork,figma,fivetran,pinterest,elastic,reddit,twilio,robinhood,boxinc,lyft,smartsheet,asana,instacart,cresta,motional,dropbox,nuro,zoominfo,discord,moloco,gusto,wayve,faire,classpass,chime,fastly,amplitude,monzo,twitch,peloton,opendoor,mercury,mozilla,qualtrics,sumologic,pagerduty,launchdarkly,mixpanel,marqeta,wikimedia,algolia,triplelift,airtable,descript,calendly,typeface,narvar,glossier,placerlabs,modernhealth,lastpass,honeycomb,udacity,bitwarden,assemblyai,coursera,planetscale,inflectionai,kayak,allbirds,hubspot
LEVER_SITE_NAMES=dnb,plaid,mistral,palantir,netflix,attentive
## Ashby boards. Modern AI/dev-tools tier (Linear, Cursor, Replit,
## Vercel, Cohere, Mistral, Sierra, Decagon, ...) — companies that
## migrated off Greenhouse/Lever in 2023-2025. Endpoint:
## https://api.ashbyhq.com/posting-api/job-board/{token}
ASHBY_BOARD_TOKENS=mistral,notion,elevenlabs,cohere,sierra,ramp,decagon,plaid,cursor,replit,lovable,perplexity,deepgram,gamma,writer,supabase,n8n,workos,exa,linear,render,substack,character,posthog,poolside,column,railway,warp,statsig,pinecone,weaviate,stytch,pika,runway,nylas,clerk
## Workday tokens are tenant:host:site triples — each Fortune 500
## company runs its own Workday tenant on a numbered host
## (wd1.myworkdayjobs.com, wd5, etc) at a public site. Validated
## tenants below unlock ~14.5K jobs. The bulk-validation script in
## scripts/probe_workday.py (or a similar one-off) finds more —
## many big companies (AMD, Intel, Tesla, Cisco, IBM) require
## tenant-specific request shapes that the default body doesn't
## satisfy; those return 422 and are excluded.
WORKDAY_BOARD_TOKENS=micron:wd1:External,nvidia:wd5:NVIDIAExternalCareerSite,citi:wd5:2,walmart:wd5:WalmartExternal,hpe:wd5:Jobsathpe,adobe:wd5:external_experienced,boeing:wd1:EXTERNAL_CAREERS,disney:wd5:disneycareer,hp:wd5:ExternalCareerSite,blackrock:wd1:BlackRock_Professional,workday:wd5:Workday
## Frontend origin settings for the Next.js transition.
FRONTEND_APP_URL=http://localhost:3000
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
## Leave AUTH_COOKIE_DOMAIN empty on localhost. In production, set it to
## your parent domain (for example, .job-application-copilot.xyz) so the
## landing and workspace subdomains share the same HttpOnly session.
AUTH_COOKIE_DOMAIN=
AUTH_COOKIE_SECURE=false
AUTH_COOKIE_SAMESITE=lax
## AI-assisted workflow and the in-app assistant are login-required in the
## active UI. This flag controls whether the workflow button also enforces that.
AUTH_REQUIRED_FOR_ASSISTED_WORKFLOW=true
AUTH_DEFAULT_PLAN_TIER=free
AUTH_DEFAULT_ACCOUNT_STATUS=active
## Only internal unrestricted testing accounts belong here.
## Leave normal quota-test accounts out of this list so they stay on the free-tier path.
AUTH_INTERNAL_USER_EMAILS=
FREE_TIER_MAX_CALLS_PER_DAY=12
FREE_TIER_MAX_TOKENS_PER_DAY=60000
PAID_TIER_MAX_CALLS_PER_DAY=80
PAID_TIER_MAX_TOKENS_PER_DAY=400000
## Lemon Squeezy subscription integration.
##
## The backend uses these to validate webhook deliveries (HMAC over the
## raw body) and to mint customer portal URLs. The frontend uses the
## NEXT_PUBLIC_ values below to build the hosted checkout URL.
##
## Until these are populated the backend webhook returns 503 (with a
## Retry-After) on every delivery and the pricing CTA falls back to
## "Coming soon" for Pro / "Contact us" (mailto) for Business. This
## lets the integration ship to main without LS being live.
##
## Build against LS *sandbox* mode by default. Sandbox has its own
## webhook secret + API key; the dashboard URL is the same surface.
## See docs/lemon-squeezy.md for the full setup walkthrough.
AIJOBAGENT_LEMONSQUEEZY_API_KEY=
AIJOBAGENT_LEMONSQUEEZY_WEBHOOK_SECRET=
AIJOBAGENT_LEMONSQUEEZY_STORE_ID=
## LS variant_id values (numeric strings on the variant API resource).
## One per paid tier; mapping flows
## variant_id -> tier -> TIER_CAPS
## inside backend.webhooks.lemonsqueezy._tier_for_variant.
AIJOBAGENT_LEMONSQUEEZY_PRODUCT_VARIANT_PRO=
AIJOBAGENT_LEMONSQUEEZY_PRODUCT_VARIANT_BUSINESS=
## Public (frontend) LS env. NEXT_PUBLIC_ prefix gets these inlined
## into the JS bundle at build time. The store_id here is the
## subdomain piece (e.g. "yourstore" -> https://yourstore.lemonsqueezy.com).
## variant ids must match the AIJOBAGENT_* values above (same upstream
## resource, two views).
NEXT_PUBLIC_LEMONSQUEEZY_STORE_ID=
NEXT_PUBLIC_LEMONSQUEEZY_PRODUCT_VARIANT_PRO=
NEXT_PUBLIC_LEMONSQUEEZY_PRODUCT_VARIANT_BUSINESS=
## Observability — Sentry (error tracking + tracing + AI agents
## monitoring + Logs + Crons) + PostHog (product analytics +
## session replay + LLM analytics). All optional; the integrations
## are no-ops when their DSN / API key is empty, so dev environments
## and CI don't have to carry the secrets.
##
## Backend (server-only):
SENTRY_DSN=
SENTRY_TRACES_SAMPLE_RATE=0.1
SENTRY_PROFILES_SAMPLE_RATE=0.05
SENTRY_SEND_DEFAULT_PII=false
## Falls back to BackendSettings.service_version when unset.
SENTRY_RELEASE=
POSTHOG_API_KEY=
POSTHOG_HOST=https://eu.i.posthog.com
## Tag attached to every Sentry event + PostHog server-side event
## so dashboards can slice production from staging / preview deploys.
AIJOBAGENT_ENVIRONMENT=development
## Source-map upload via withSentryConfig (frontend/next.config.ts).
## Generate at Sentry -> Settings -> Auth Tokens with project:releases
## + project:read scopes. Vercel's Sentry integration auto-provisions
## this; if you install that, leave this blank.
SENTRY_AUTH_TOKEN=
## Frontend (Next.js inlines NEXT_PUBLIC_* into the JS bundle):
NEXT_PUBLIC_SENTRY_DSN=
NEXT_PUBLIC_SENTRY_ENVIRONMENT=development
NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=0.1
NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE=1.0
NEXT_PUBLIC_POSTHOG_KEY=
NEXT_PUBLIC_POSTHOG_HOST=https://eu.i.posthog.com