Merge pull request #166 from temisan0x/feature/env-config

feat: add environment configuration and validation with Zod (#2)

Author: greatest0fallt1me

.env.example

@@ -0,0 +1,80 @@
+# =============================================================================
+# Callora Backend — Environment Variables
+# Copy this file to .env and fill in your values.
+# Never commit .env to version control.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Server
+# -----------------------------------------------------------------------------
+PORT=3000
+NODE_ENV=development                        # development | production | test
+
+# -----------------------------------------------------------------------------
+# Database — primary connection string (used by Prisma / pg.Pool)
+# -----------------------------------------------------------------------------
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/callora?schema=public
+
+# -----------------------------------------------------------------------------
+# Database — individual fields (used by health checks and direct Pool creation)
+# -----------------------------------------------------------------------------
+DB_HOST=localhost
+DB_PORT=5432
+DB_USER=postgres
+DB_PASSWORD=postgres
+DB_NAME=callora
+
+# -----------------------------------------------------------------------------
+# Database — connection pool tuning
+# -----------------------------------------------------------------------------
+DB_POOL_MAX=10
+DB_IDLE_TIMEOUT_MS=30000
+DB_CONN_TIMEOUT_MS=2000
+
+# -----------------------------------------------------------------------------
+# Auth — REQUIRED, app will not start without these
+# -----------------------------------------------------------------------------
+JWT_SECRET=your-jwt-secret-here
+ADMIN_API_KEY=your-admin-api-key-here
+METRICS_API_KEY=your-metrics-api-key-here
+
+# -----------------------------------------------------------------------------
+# Proxy / Gateway
+# -----------------------------------------------------------------------------
+UPSTREAM_URL=http://localhost:4000
+PROXY_TIMEOUT_MS=30000
+
+# -----------------------------------------------------------------------------
+# CORS — comma-separated list of allowed origins
+# -----------------------------------------------------------------------------
+CORS_ALLOWED_ORIGINS=http://localhost:5173
+
+# -----------------------------------------------------------------------------
+# Soroban RPC (optional — set SOROBAN_RPC_ENABLED=true to activate)
+# -----------------------------------------------------------------------------
+SOROBAN_RPC_ENABLED=false
+SOROBAN_RPC_URL=https://soroban-testnet.stellar.org
+SOROBAN_RPC_TIMEOUT=2000
+
+# -----------------------------------------------------------------------------
+# Horizon (optional — set HORIZON_ENABLED=true to activate)
+# -----------------------------------------------------------------------------
+HORIZON_ENABLED=false
+HORIZON_URL=https://horizon-testnet.stellar.org
+HORIZON_TIMEOUT=2000
+
+# -----------------------------------------------------------------------------
+# Health checks
+# -----------------------------------------------------------------------------
+HEALTH_CHECK_DB_TIMEOUT=2000
+APP_VERSION=1.0.0
+
+# -----------------------------------------------------------------------------
+# Logging
+# -----------------------------------------------------------------------------
+LOG_LEVEL=info
+
+# -----------------------------------------------------------------------------
+# Profiling
+# -----------------------------------------------------------------------------
+GATEWAY_PROFILING_ENABLED=false

.gitignore

@@ -14,3 +14,5 @@ package-lock.json
 database.db
 database.db-*
 coverage/
+
+!.env.example

README.md

@@ -80,6 +80,42 @@ callora-backend/
 
 ## Environment
 
-- `PORT` — HTTP port (default: 3000). Optional for local dev.
+Copy `.env.example` to `.env` and fill in your values before running locally:
+
+```bash
+cp .env.example .env
+```
+
+The app validates all environment variables at startup using [Zod](https://zod.dev). If a required variable is missing, the app will exit immediately with a clear error message.
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `PORT` | No | `3000` | HTTP port |
+| `NODE_ENV` | No | `development` | `development` / `production` / `test` |
+| `DATABASE_URL` | No | local postgres | Primary PostgreSQL connection string |
+| `DB_HOST` | No | `localhost` | Database host |
+| `DB_PORT` | No | `5432` | Database port |
+| `DB_USER` | No | `postgres` | Database user |
+| `DB_PASSWORD` | No | `postgres` | Database password |
+| `DB_NAME` | No | `callora` | Database name |
+| `DB_POOL_MAX` | No | `10` | Max pool connections |
+| `DB_IDLE_TIMEOUT_MS` | No | `30000` | Pool idle timeout (ms) |
+| `DB_CONN_TIMEOUT_MS` | No | `2000` | Pool connection timeout (ms) |
+| `JWT_SECRET` | **Yes** | — | Secret for signing JWTs |
+| `ADMIN_API_KEY` | **Yes** | — | Key for admin endpoints |
+| `METRICS_API_KEY` | **Yes** | — | Key for `/api/metrics` in production |
+| `UPSTREAM_URL` | No | `http://localhost:4000` | Gateway upstream URL |
+| `PROXY_TIMEOUT_MS` | No | `30000` | Proxy request timeout (ms) |
+| `CORS_ALLOWED_ORIGINS` | No | `http://localhost:5173` | Comma-separated allowed origins |
+| `SOROBAN_RPC_ENABLED` | No | `false` | Enable Soroban RPC health check |
+| `SOROBAN_RPC_URL` | If `SOROBAN_RPC_ENABLED=true` | — | Soroban RPC endpoint URL |
+| `SOROBAN_RPC_TIMEOUT` | No | `2000` | Soroban RPC timeout (ms) |
+| `HORIZON_ENABLED` | No | `false` | Enable Horizon health check |
+| `HORIZON_URL` | If `HORIZON_ENABLED=true` | — | Horizon endpoint URL |
+| `HORIZON_TIMEOUT` | No | `2000` | Horizon timeout (ms) |
+| `HEALTH_CHECK_DB_TIMEOUT` | No | `2000` | DB health check timeout (ms) |
+| `APP_VERSION` | No | `1.0.0` | Reported in health check responses |
+| `LOG_LEVEL` | No | `info` | `trace` / `debug` / `info` / `warn` / `error` / `fatal` |
+| `GATEWAY_PROFILING_ENABLED` | No | `false` | Enable request profiling |
 
 This repo is part of [Callora](https://github.com/your-org/callora). Frontend: `callora-frontend`. Contracts: `callora-contracts`.

src/config/env.ts

@@ -0,0 +1,98 @@
+import 'dotenv/config';
+import { z } from 'zod';
+
+const envSchema = z
+  .object({
+    // Server
+    PORT: z.coerce.number().default(3000),
+    NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
+
+    // Database (primary connection string)
+    DATABASE_URL: z
+      .string()
+      .default('postgresql://postgres:postgres@localhost:5432/callora?schema=public'),
+
+    // Database pool
+    DB_POOL_MAX: z.coerce.number().default(10),
+    DB_IDLE_TIMEOUT_MS: z.coerce.number().default(30_000),
+    DB_CONN_TIMEOUT_MS: z.coerce.number().default(2_000),
+
+    // Database (individual fields for health checks)
+    DB_HOST: z.string().default('localhost'),
+    DB_PORT: z.coerce.number().default(5432),
+    DB_USER: z.string().default('postgres'),
+    DB_PASSWORD: z.string().default('postgres'),
+    DB_NAME: z.string().default('callora'),
+
+    // Auth
+    JWT_SECRET: z.string().min(1, 'JWT_SECRET is required'),
+    ADMIN_API_KEY: z.string().min(1, 'ADMIN_API_KEY is required'),
+    METRICS_API_KEY: z.string().min(1, 'METRICS_API_KEY is required'),
+
+    // Proxy / Gateway
+    UPSTREAM_URL: z.string().url().default('http://localhost:4000'),
+    PROXY_TIMEOUT_MS: z.coerce.number().default(30_000),
+
+    // CORS
+    CORS_ALLOWED_ORIGINS: z.string().default('http://localhost:5173'),
+
+    // Soroban RPC (optional)
+    SOROBAN_RPC_ENABLED: z
+      .string()
+      .transform((v) => v === 'true')
+      .default('false'),
+    SOROBAN_RPC_URL: z.string().url().optional(),
+    SOROBAN_RPC_TIMEOUT: z.coerce.number().default(2_000),
+
+    // Horizon (optional)
+    HORIZON_ENABLED: z
+      .string()
+      .transform((v) => v === 'true')
+      .default('false'),
+    HORIZON_URL: z.string().url().optional(),
+    HORIZON_TIMEOUT: z.coerce.number().default(2_000),
+
+    // Health check
+    HEALTH_CHECK_DB_TIMEOUT: z.coerce.number().default(2_000),
+    APP_VERSION: z.string().default('1.0.0'),
+
+    // Logging
+    LOG_LEVEL: z
+      .enum(['trace', 'debug', 'info', 'warn', 'error', 'fatal'])
+      .default('info'),
+
+    // Profiling
+    GATEWAY_PROFILING_ENABLED: z
+      .string()
+      .transform((v) => v === 'true')
+      .default('false'),
+  })
+  .superRefine((values, ctx) => {
+    if (values.SOROBAN_RPC_ENABLED && !values.SOROBAN_RPC_URL) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ['SOROBAN_RPC_URL'],
+        message: 'SOROBAN_RPC_URL is required when SOROBAN_RPC_ENABLED=true',
+      });
+    }
+
+    if (values.HORIZON_ENABLED && !values.HORIZON_URL) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ['HORIZON_URL'],
+        message: 'HORIZON_URL is required when HORIZON_ENABLED=true',
+      });
+    }
+  });
+
+const parsed = envSchema.safeParse(process.env);
+
+if (!parsed.success) {
+  console.error('❌ Invalid environment configuration:');
+  parsed.error.issues.forEach((issue) => {
+    console.error(`  - ${issue.path.join('.')}: ${issue.message}`);
+  });
+  process.exit(1);
+}
+
+export const env = parsed.data;

src/config/health.ts

@@ -5,71 +5,61 @@
  */
 
 import { Pool } from 'pg';
+import { env } from './env.js';
 import type { HealthCheckConfig } from '../services/healthCheck.js';
 
 let dbPool: Pool | null = null;
 
-/**
- * Creates or returns existing database connection pool
- */
 function getDbPool(): Pool {
   if (!dbPool) {
     dbPool = new Pool({
-      host: process.env.DB_HOST || 'localhost',
-      port: parseInt(process.env.DB_PORT || '5432', 10),
-      user: process.env.DB_USER || 'postgres',
-      password: process.env.DB_PASSWORD || 'postgres',
-      database: process.env.DB_NAME || 'callora',
-      max: 10,
-      idleTimeoutMillis: 30000,
-      connectionTimeoutMillis: 5000,
+      host: env.DB_HOST,
+      port: env.DB_PORT,
+      user: env.DB_USER,
+      password: env.DB_PASSWORD,
+      database: env.DB_NAME,
+      max: env.DB_POOL_MAX,
+      idleTimeoutMillis: env.DB_IDLE_TIMEOUT_MS,
+      connectionTimeoutMillis: env.DB_CONN_TIMEOUT_MS,
     });
   }
   return dbPool;
 }
 
-/**
- * Builds health check configuration from environment variables
- */
 export function buildHealthCheckConfig(): HealthCheckConfig | undefined {
-  // Only enable detailed health checks if database is configured
-  if (!process.env.DB_HOST && !process.env.DB_NAME) {
+  // Only enable detailed health checks if database is explicitly configured
+  if (env.DB_HOST === 'localhost' && env.DB_NAME === 'callora') {
     return undefined;
   }
 
-  const config: HealthCheckConfig = {
-    version: process.env.APP_VERSION || '1.0.0',
+  const healthConfig: HealthCheckConfig = {
+    version: env.APP_VERSION,
     database: {
       pool: getDbPool(),
-      timeout: parseInt(process.env.HEALTH_CHECK_DB_TIMEOUT || '2000', 10),
+      timeout: env.HEALTH_CHECK_DB_TIMEOUT,
     },
   };
 
-  // Add Soroban RPC if enabled
-  if (process.env.SOROBAN_RPC_ENABLED === 'true' && process.env.SOROBAN_RPC_URL) {
-    config.sorobanRpc = {
-      url: process.env.SOROBAN_RPC_URL,
-      timeout: parseInt(process.env.SOROBAN_RPC_TIMEOUT || '2000', 10),
+  if (env.SOROBAN_RPC_ENABLED && env.SOROBAN_RPC_URL) {
+    healthConfig.sorobanRpc = {
+      url: env.SOROBAN_RPC_URL,
+      timeout: env.SOROBAN_RPC_TIMEOUT,
     };
   }
 
-  // Add Horizon if enabled
-  if (process.env.HORIZON_ENABLED === 'true' && process.env.HORIZON_URL) {
-    config.horizon = {
-      url: process.env.HORIZON_URL,
-      timeout: parseInt(process.env.HORIZON_TIMEOUT || '2000', 10),
+  if (env.HORIZON_ENABLED && env.HORIZON_URL) {
+    healthConfig.horizon = {
+      url: env.HORIZON_URL,
+      timeout: env.HORIZON_TIMEOUT,
     };
   }
 
-  return config;
+  return healthConfig;
 }
 
-/**
- * Closes database pool gracefully
- */
 export async function closeDbPool(): Promise<void> {
   if (dbPool) {
     await dbPool.end();
     dbPool = null;
   }
-}
+}

src/index.ts

@@ -1,3 +1,4 @@
+import './config/env.js'
 import express from 'express';
 import { initializeDb, closeDb } from './db/index.js';
 import { type AuthenticatedLocals } from './middleware/requireAuth.js';
@@ -14,6 +15,7 @@ import { createUsageStore } from './services/usageStore.js';
 import { createSettlementStore } from './services/settlementStore.js';
 import { createApiRegistry } from './data/apiRegistry.js';
 import { ApiKey } from './types/gateway.js';
+import { config } from './config/index.js';
 
 
 
@@ -59,7 +61,7 @@ if (isDirectExecution) {
     billing,
     rateLimiter,
     usageStore,
-    upstreamUrl: process.env.UPSTREAM_URL ?? 'http://localhost:4000',
+    upstreamUrl: config.proxy.upstreamUrl,
     apiKeys,
   });
   app.use('/api/gateway', gatewayRouter);
@@ -72,7 +74,7 @@ if (isDirectExecution) {
     registry,
     apiKeys,
     proxyConfig: {
-      timeoutMs: parseInt(process.env.PROXY_TIMEOUT_MS ?? '30000', 10),
+      timeoutMs: config.proxy.timeoutMs,
     },
   });
   app.use('/v1/call', proxyRouter);
@@ -83,7 +85,7 @@ if (isDirectExecution) {
   // Global error handler (must be after all routes)
   app.use(errorHandler);
 
-  const PORT = process.env.PORT ?? 3000;
+  const PORT = config.port;
 
   // Initialize database and start server
   async function startServer() {
@@ -158,4 +160,4 @@ if (isDirectExecution) {
   startServer();
 }
 
-export default app;
+export default app;