From 0ce1752aed8cbdd20d70fb4d11b5fd7eb87849cd Mon Sep 17 00:00:00 2001
From: David
Date: Fri, 13 Mar 2026 13:43:09 +0100
Subject: [PATCH] fix public repo

---
 .env.example | 48 ++++++++++++++++
 .gitignore | 59 ++++++++++++--------
 config.yaml.example | 131 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 24 deletions(-)
 create mode 100644 .env.example
 create mode 100644 config.yaml.example

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..dac6d9c
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,48 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Veylant IA — Environment variables
+# Copy this file to .env and fill in the values.
+# All VEYLANT_* vars override the corresponding key in config.yaml.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── Server ────────────────────────────────────────────────────────────────────
+VEYLANT_SERVER_ENV=development
+VEYLANT_SERVER_TENANT_NAME=My Organisation
+VEYLANT_SERVER_ALLOWED_ORIGINS=http://localhost:3000
+
+# ── Auth (JWT) ────────────────────────────────────────────────────────────────
+# Generate: openssl rand -hex 32
+VEYLANT_AUTH_JWT_SECRET=change-me-in-production
+VEYLANT_AUTH_JWT_TTL_HOURS=24
+
+# ── Database ──────────────────────────────────────────────────────────────────
+VEYLANT_DATABASE_URL=postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable
+
+# ── Redis ─────────────────────────────────────────────────────────────────────
+VEYLANT_REDIS_URL=redis://localhost:6379
+
+# ── ClickHouse ────────────────────────────────────────────────────────────────
+VEYLANT_CLICKHOUSE_DSN=clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs
+
+# ── Cryptography ──────────────────────────────────────────────────────────────
+# AES-256-GCM key for prompt encryption. Generate: openssl rand -base64 32
+VEYLANT_CRYPTO_AES_KEY_BASE64=
+
+# ── LLM Provider API Keys ─────────────────────────────────────────────────────
+VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-...
+VEYLANT_PROVIDERS_ANTHROPIC_API_KEY=sk-ant-...
+VEYLANT_PROVIDERS_MISTRAL_API_KEY=
+VEYLANT_PROVIDERS_AZURE_API_KEY=
+VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME=
+VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID=
+
+# ── SMTP (email notifications) ────────────────────────────────────────────────
+VEYLANT_NOTIFICATIONS_SMTP_HOST=smtp.example.com
+VEYLANT_NOTIFICATIONS_SMTP_PORT=587
+VEYLANT_NOTIFICATIONS_SMTP_USERNAME=alerts@example.com
+VEYLANT_NOTIFICATIONS_SMTP_PASSWORD=your-smtp-password
+VEYLANT_NOTIFICATIONS_SMTP_FROM=noreply@example.com
+VEYLANT_NOTIFICATIONS_SMTP_FROM_NAME=Veylant IA
+
+# ── HashiCorp Vault (production only) ─────────────────────────────────────────
+# VAULT_ADDR=https://vault.example.com
+# VAULT_TOKEN=
diff --git a/.gitignore b/.gitignore
index a67ae99..3e9b8e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-# Go
+# ─── Go ───────────────────────────────────────────────────────────────────────
 bin/
 *.exe
 *.exe~
@@ -9,15 +9,13 @@ bin/
 *.out coverage.out coverage.html - -# Vendor -vendor/ - -# Go workspace +coverage_internal.out +coverage/ go.work go.work.sum +vendor/ -# Python +# ─── Python ─────────────────────────────────────────────────────────────────── __pycache__/ *.py[cod] *$py.class
@@ -25,20 +23,27 @@ __pycache__/
 .venv/ venv/ env/ -dist/ *.egg-info/ .pytest_cache/ .mypy_cache/ htmlcov/ +.ruff_cache/ -# Node / Frontend +# ─── Node / Frontend ────────────────────────────────────────────────────────── node_modules/ .next/ out/ dist/ *.local +web/dist/ +web/.vite/ -# Environment & secrets +# ─── web-public (standalone public site — has its own build/deploy) ─────────── +web-public/ + +# ─── Secrets & config ───────────────────────────────────────────────────────── +# Real config lives in config.yaml — use config.yaml.example as the template +config.yaml .env .env.* !.env.example
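Review bot: `VEYLANT_AUTH_JWT_SECRET=change-me-in-production` and `VEYLANT_NOTIFICATIONS_SMTP_PASSWORD=your-smtp-password` ship non-empty placeholder secrets, so a `.env` copied from this template starts the service with a publicly known JWT signing key instead of failing on a missing value; the AES key line `VEYLANT_CRYPTO_AES_KEY_BASE64=` already takes the safer empty form. Leave both blank, `VEYLANT_AUTH_JWT_SECRET=` and `VEYLANT_NOTIFICATIONS_SMTP_PASSWORD=`, and keep the `openssl rand -hex 32` hint above them. Nothing in this patch shows the server rejecting the placeholder in production mode, so an empty value is the only guard the template itself can give. The same placeholders reappear as `jwt_secret` and `smtp.password` in the config.yaml.example hunk and would be handled the same way.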
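Review bot: Adding `config.yaml` to .gitignore in the third hunk only prevents future adds; it neither untracks a copy already in the index nor removes one from history, and since the comment says the real config lives there, that is where credentials would have sat. It is worth confirming with `git ls-files config.yaml` and `git log --all -- config.yaml` and, if the file was ever committed, treating the database/ClickHouse DSNs, SMTP password and JWT secret it held as exposed and rotating them rather than relying on the ignore rule. The same check applies to `.env`, which the hunk keeps ignoring.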
@@ -49,31 +54,37 @@ dist/
 secrets/ vault-tokens/ -# Docker -.docker/ +# ─── Generated proto stubs (regenerated via `make proto`) ───────────────────── +gen/ +services/pii/gen/ -# Terraform +# ─── Terraform state ────────────────────────────────────────────────────────── .terraform/ *.tfstate *.tfstate.* *.tfplan .terraform.lock.hcl -# IDE +# ─── Docker ─────────────────────────────────────────────────────────────────── +.docker/ + +# ─── Logs & temp ────────────────────────────────────────────────────────────── +*.log +logs/ +tmp/ +*.tmp + +# ─── Test / scratch files ───────────────────────────────────────────────────── +test_smtp.go + +# ─── IDE ────────────────────────────────────────────────────────────────────── .idea/ .vscode/ *.swp *.swo *~ .DS_Store +Thumbs.db -# Generated proto stubs -gen/ -services/pii/gen/ - -# Logs -*.log -logs/ - -# Coverage reports -coverage/ +# ─── Compiled proxy binary ──────────────────────────────────────────────────── +proxy
diff --git a/config.yaml.example b/config.yaml.example
new file mode 100644
index 0000000..74113b7
--- /dev/null
+++ b/config.yaml.example
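Review bot: The new `proxy` pattern at the end of the hunk has no slash, so git applies it at every depth and to directories as well as files; any source directory named `proxy` (a Go package under `cmd/` or `internal/`, for instance, if one exists) would be silently ignored together with the binary. If the binary is produced at the repository root, anchor the rule: `/proxy`. The same applies to the new `test_smtp.go` line, which hides a Go source file by bare name anywhere in the tree; a scratch file that cannot be reviewed is usually better deleted than ignored.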
@@ -0,0 +1,131 @@
+server:
+ port: 8090
+ shutdown_timeout_seconds: 30
+ env: development # "production" → fatal on any missing service
+ tenant_name: "My Organisation"
+ # CORS: origins allowed to call the proxy from a browser.
+ # Override in production: VEYLANT_SERVER_ALLOWED_ORIGINS=https://dashboard.example.com
+ allowed_origins:
+ - "http://localhost:3000"
+
+database:
+ url: "postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable"
+ max_open_conns: 25
+ max_idle_conns: 5
+ migrations_path: "migrations"
+
+redis:
+ url: "redis://localhost:6379"
+
+# Local JWT authentication (email/password).
+# MUST be changed in production — use a long random secret.
+# Generate: openssl rand -hex 32
+# Override: VEYLANT_AUTH_JWT_SECRET=
+auth:
+ jwt_secret: "change-me-in-production"
+ jwt_ttl_hours: 24
+
+pii:
+ enabled: true
+ service_addr: "localhost:50051"
+ timeout_ms: 100
+ fail_open: true # set false in production
+
+log:
+ level: "info" # debug | info | warn | error
+ format: "json" # json | console
+
+# LLM provider adapters.
+# API keys MUST be injected via env vars — never hardcode them here.
+# Example: VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-...
+# Provider configs can also be managed via the admin API (POST /v1/admin/providers).
+providers:
+ openai:
+ base_url: "https://api.openai.com/v1"
+ # api_key: set via VEYLANT_PROVIDERS_OPENAI_API_KEY
+ timeout_seconds: 30
+ max_conns: 100
+
+ anthropic:
+ base_url: "https://api.anthropic.com/v1"
+ version: "2023-06-01"
+ timeout_seconds: 30
+ max_conns: 100
+ # api_key: set via VEYLANT_PROVIDERS_ANTHROPIC_API_KEY
+
+ azure:
+ api_version: "2024-02-01"
+ timeout_seconds: 30
+ max_conns: 100
+ # api_key: set via VEYLANT_PROVIDERS_AZURE_API_KEY
+ # resource_name: set via VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME
+ # deployment_id: set via VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID
+
+ mistral:
+ base_url: "https://api.mistral.ai/v1"
+ timeout_seconds: 30
+ max_conns: 100
+ # api_key: set via VEYLANT_PROVIDERS_MISTRAL_API_KEY
+
+ ollama:
+ base_url: "http://localhost:11434/v1"
+ timeout_seconds: 120
+ max_conns: 10
+
+# Role-based access control for the provider router.
+rbac:
+ # Models accessible to the "user" role (exact match or prefix).
+ # admin and manager always have unrestricted access.
+ user_allowed_models:
+ - "gpt-4o-mini"
+ - "gpt-3.5-turbo"
+ - "mistral-small"
+ # If false (default), auditors receive 403 on /v1/chat/completions.
+ auditor_can_complete: false
+
+metrics:
+ enabled: true
+ path: "/metrics"
+
+# Intelligent routing engine.
+routing:
+ # How long routing rules are cached in memory before a background refresh.
+ cache_ttl_seconds: 30
+
+# ClickHouse audit log.
+# DSN: clickhouse://user:pass@host:9000/database
+# Override: VEYLANT_CLICKHOUSE_DSN=clickhouse://...
+clickhouse:
+ dsn: "clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs"
+ max_conns: 10
+ dial_timeout_seconds: 5
+
+# Cryptography.
+# AES-256-GCM key for encrypting stored prompts.
+# MUST be set in production via: VEYLANT_CRYPTO_AES_KEY_BASE64
+# Generate: openssl rand -base64 32
+crypto:
+ aes_key_base64: ""
+
+# Rate limiting defaults. Per-tenant overrides stored in the rate_limit_configs table.
+rate_limit:
+ default_tenant_rpm: 1000
+ default_tenant_burst: 200
+ default_user_rpm: 100
+ default_user_burst: 20
+
+# Email notifications via SMTP.
+# Override credentials in production via env vars:
+# VEYLANT_NOTIFICATIONS_SMTP_HOST
+# VEYLANT_NOTIFICATIONS_SMTP_PORT
+# VEYLANT_NOTIFICATIONS_SMTP_USERNAME
+# VEYLANT_NOTIFICATIONS_SMTP_PASSWORD
+# VEYLANT_NOTIFICATIONS_SMTP_FROM
+notifications:
+ smtp:
+ host: "smtp.example.com"
+ port: 587
+ username: "alerts@example.com"
+ password: "your-smtp-password"
+ from: "noreply@example.com"
+ from_name: "Veylant IA"
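Review bot: `fail_open: true` under `pii:` means that whenever the PII service is unreachable or exceeds `timeout_ms: 100`, prompts are forwarded to the provider unredacted, and the trailing `# set false in production` is the only text that says so. The `env` comment describes production mode as fatal on a missing service, which does not obviously cover a runtime timeout, so nothing visible in this template stops a production deployment from running fail-open; state the consequence where the value is set, e.g. `fail_open: true  # dev only: on PII-service error or timeout the prompt is forwarded UNREDACTED; must be false in production`. The `sslmode=disable` in `database.url` deserves the same dev-only marking, since the `# Override` comments elsewhere are the template's only production guidance.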