Add web-based architecture plan with Supabase, Railway, and Cloudflare Pages (multi-user MCP support)

.env.example

@@ -0,0 +1,166 @@
+# TinyBrain Environment Configuration Template
+# Copy this file to .env.local for development
+
+# =============================================================================
+# SUPABASE CONFIGURATION
+# =============================================================================
+# Get these from: https://app.supabase.com/project/_/settings/api
+
+# Supabase project URL
+SUPABASE_URL=https://xxxxxxxxxxxxx.supabase.co
+
+# Supabase anonymous/public key (safe to expose in frontend)
+SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# Supabase service role key (keep secret! server-side only)
+SUPABASE_SERVICE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# =============================================================================
+# DATABASE CONFIGURATION
+# =============================================================================
+# Direct PostgreSQL connection (for migrations, backups, etc.)
+# Get from: https://app.supabase.com/project/_/settings/database
+
+DATABASE_URL=postgresql://postgres:[PASSWORD]@db.xxxxxxxxxxxxx.supabase.co:5432/postgres
+
+# Connection pool settings
+DB_MAX_CONNECTIONS=20
+DB_IDLE_CONNECTIONS=5
+DB_MAX_LIFETIME=300s
+
+# =============================================================================
+# SERVER CONFIGURATION
+# =============================================================================
+
+# HTTP server bind address
+# Local: 127.0.0.1:8090
+# Railway: 0.0.0.0:$PORT (Railway sets PORT automatically)
+TINYBRAIN_HTTP=127.0.0.1:8090
+
+# Environment (development, staging, production)
+TINYBRAIN_ENV=development
+
+# Log level (debug, info, warn, error)
+LOG_LEVEL=info
+
+# =============================================================================
+# AUTHENTICATION & SECURITY
+# =============================================================================
+
+# JWT secret for additional API tokens (min 32 characters)
+# Generate with: openssl rand -base64 32
+JWT_SECRET=your-super-secret-jwt-key-min-32-chars-please-change-this
+
+# CORS allowed origins (comma-separated)
+CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8090
+
+# API rate limiting (requests per minute)
+RATE_LIMIT_RPM=100
+
+# Session duration (hours)
+SESSION_DURATION=24
+
+# =============================================================================
+# FEATURE FLAGS
+# =============================================================================
+
+# Enable real-time features
+ENABLE_REAL_TIME=true
+
+# Enable MCP protocol adapter (for backward compatibility)
+ENABLE_MCP_ADAPTER=true
+
+# Enable semantic search (requires embedding generation)
+ENABLE_SEMANTIC_SEARCH=false
+
+# Enable file attachments
+ENABLE_FILE_UPLOADS=true
+
+# Enable team features
+ENABLE_TEAMS=true
+
+# =============================================================================
+# EXTERNAL SERVICES (OPTIONAL)
+# =============================================================================
+
+# OpenAI API key (for embeddings and semantic search)
+OPENAI_API_KEY=sk-...
+
+# OpenAI model for embeddings
+OPENAI_EMBEDDING_MODEL=text-embedding-3-small
+
+# Redis URL (for caching and rate limiting)
+# REDIS_URL=redis://localhost:6379
+
+# Sentry DSN (for error tracking)
+# SENTRY_DSN=https://...
+
+# =============================================================================
+# SECURITY DATA SOURCES (OPTIONAL)
+# =============================================================================
+
+# NVD API key (for vulnerability data updates)
+# Get from: https://nvd.nist.gov/developers/request-an-api-key
+# NVD_API_KEY=your-nvd-api-key
+
+# =============================================================================
+# CLOUDFLARE (FOR FRONTEND)
+# =============================================================================
+
+# These are used by the frontend (web app)
+# Prefix with NEXT_PUBLIC_ for Next.js
+
+# API endpoint (Railway backend URL)
+NEXT_PUBLIC_API_URL=http://localhost:8090
+
+# Supabase (same as above, but for client-side)
+NEXT_PUBLIC_SUPABASE_URL=https://xxxxxxxxxxxxx.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# Feature flags for frontend
+NEXT_PUBLIC_ENABLE_REAL_TIME=true
+NEXT_PUBLIC_ENABLE_ANALYTICS=false
+
+# =============================================================================
+# DEVELOPMENT TOOLS
+# =============================================================================
+
+# Enable development mode features
+DEV_MODE=true
+
+# Enable debug logging
+DEBUG=false
+
+# Enable profiling endpoints
+ENABLE_PROFILING=false
+
+# =============================================================================
+# RAILWAY SPECIFIC (SET IN RAILWAY DASHBOARD)
+# =============================================================================
+# These are set automatically by Railway or configured in dashboard:
+# - PORT (set by Railway)
+# - RAILWAY_ENVIRONMENT (production, staging, etc.)
+# - RAILWAY_SERVICE_NAME
+# - RAILWAY_DEPLOYMENT_ID
+
+# =============================================================================
+# NOTES
+# =============================================================================
+# 
+# Development Setup:
+# 1. Copy this file to .env.local
+# 2. Update Supabase credentials from your project
+# 3. Update JWT_SECRET with a secure random string
+# 4. Adjust CORS_ALLOWED_ORIGINS for your local frontend
+# 
+# Production Setup:
+# 1. Set all variables in Railway dashboard
+# 2. Use strong, unique secrets for JWT_SECRET
+# 3. Configure appropriate CORS origins
+# 4. Enable monitoring and error tracking (Sentry)
+# 
+# Security:
+# - NEVER commit .env.local to git
+# - Rotate secrets regularly
+# - Use different secrets for each environment
+# - Keep SUPABASE_SERVICE_KEY strictly server-side