cqrenet/aoc
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 29 Wiki Activity
Files
47e0dfc2cab81eeb18fc127d3578906f052f86e8
aoc/.env.example
Tomas Kracmar 2fffe3aec2
All checks were successful
CI / lint-and-test (push) Successful in 21s
Details
feat: operation-level privacy gating instead of broad service-level 
- Replace broad service-level hiding with fine-grained operation-level gating
- PRIVACY_SENSITIVE_OPERATIONS config: hide specific operations across ALL services
- PRIVACY_SERVICES still works for broad service-level blocking (optional)
- Users without PRIVACY_SERVICE_ROLES:
  * Don't see sensitive operations in /api/filter-options
  * Can't query sensitive operations via /api/events or /api/ask
  * Get 403 on /api/events/{id}/explain for sensitive events
- Exchange/Teams services remain visible; only privacy ops are hidden
- Update .env.example with new operation-level config docs
2026-04-22 08:23:46 +02:00

60 lines
2.3 KiB
Plaintext
Raw Blame History

TENANT_ID=your-tenant-id
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ENABLE_PERIODIC_FETCH=false
FETCH_INTERVAL_MINUTES=60
AUTH_ENABLED=false
AUTH_TENANT_ID=your-tenant-id
AUTH_CLIENT_ID=your-api-client-id
# API scope the SPA should request at login.
# When set, the frontend acquires an access token for this scope (aud = AUTH_CLIENT_ID).
# When empty, the frontend falls back to the idToken, which is also valid for the backend.
# Example: api://cc31fd45-1eca-431f-a2c6-ba81cd4c5d50/.default
AUTH_SCOPE=
# Comma-separated lists (optional):
AUTH_ALLOWED_ROLES=
AUTH_ALLOWED_GROUPS=
MONGO_ROOT_USERNAME=root
MONGO_ROOT_PASSWORD=example
MONGO_PORT=27017
# MongoDB connection string (takes precedence over root credentials in Docker Compose)
MONGO_URI=mongodb://root:example@localhost:27017
# Optional: number of days to retain events in MongoDB (0 = disabled)
RETENTION_DAYS=0
# Optional: comma-separated CORS origins (e.g., http://localhost:3000,https://app.example.com)
CORS_ORIGINS=*
# Optional: SIEM export webhook (e.g., Splunk HEC, Sentinel, or generic syslog webhook)
SIEM_ENABLED=false
SIEM_WEBHOOK_URL=
# Optional: enable rule-based alerting during ingestion
ALERTS_ENABLED=false
# Optional: enable AI/natural-language features (/api/ask, MCP server)
# Set to false to completely disable AI endpoints and UI elements
AI_FEATURES_ENABLED=true
# Optional: LLM configuration for natural language querying (/api/ask)
# Supports any OpenAI-compatible API (OpenAI, Azure OpenAI, Ollama, etc.)
# For Azure OpenAI / MS Foundry, set BASE_URL to your deployment endpoint
# (e.g. https://your-resource.openai.azure.com/openai/deployments/your-deployment)
# and set API_VERSION to something like 2025-01-01-preview
LLM_API_KEY=
LLM_BASE_URL=https://api.openai.com/v1
LLM_MODEL=gpt-4o-mini
LLM_MAX_EVENTS=200
LLM_TIMEOUT_SECONDS=30
LLM_API_VERSION=
# Optional: privacy / access control
# Hide entire services from users without PRIVACY_SERVICE_ROLES
# PRIVACY_SERVICES=Exchange,Teams
# Hide specific operations across all services from users without PRIVACY_SERVICE_ROLES
# PRIVACY_SENSITIVE_OPERATIONS=MailItemsAccessed,Search-Mailbox,Send,ChatMessageRead
# Comma-separated list of Entra roles that can access privacy-sensitive data
# PRIVACY_SERVICE_ROLES=SecurityAdministrator,ComplianceAdministrator
Reference in New Issue View Git Blame Copy Permalink