render.yaml
# Sentinel — Render Blueprint (free tier).
#
# Two web services, both Docker, both free. The API runs the analyzer
# worker in-process so we don't need a separate background worker
# (Render's free tier doesn't include those).
#
# Postgres: provisioned manually before applying this blueprint, since
# Render limits free-tier accounts to ONE Postgres instance and the
# user already has `claimrail-db`. We share that instance via a
# dedicated `sentinel` schema; see DATABASE_URL below.
#
# KV (Redis-protocol): also pre-existing (`sentinel-kv`).
#
# What you'll do
#   1. Render → New → Blueprint → connect this repo
#   2. Render reads this file, prompts you to confirm 2 services
#   3. Click Apply — first build ~6 min
#   4. After both services are green, run scripts/verify.ts locally
#      with SENTINEL_API set to the api's render.com URL.
services:
  - type: web
    name: sentinel-api
    runtime: docker
    plan: free
    region: oregon
    rootDir: .
    dockerfilePath: infra/docker/api.Dockerfile
    dockerContext: .
    autoDeploy: true
    healthCheckPath: /healthz
    envVars:
      - key: NODE_ENV
        value: production
      - key: LOG_LEVEL
        value: info
      - key: API_HOST
        value: 0.0.0.0
      - key: API_PORT
        value: "10000" # Render free web services bind to $PORT, default 10000
      - key: API_RATE_LIMIT_PER_MIN
        value: "120"
      - key: API_JWT_SECRET
        generateValue: true # Render mints a 32-byte secret per workspace
      # Set this AFTER the api is up, to your Vercel domain. Empty value
      # makes the api refuse to boot (env.ts hardening), so the first deploy
      # ships with a placeholder you'll overwrite via the dashboard.
      - key: ALLOWED_ORIGINS
        sync: false
      # Connection string with search_path pinned to the `sentinel` schema
      # inside the existing claimrail-db. Set this manually because the
      # blueprint's `fromDatabase` reference can't add the search_path arg.
      - key: DATABASE_URL
        sync: false
      # Redis-protocol KV (already provisioned). Render KV resources can
      # be referenced via `fromService` but the syntax for keyValue type is
      # also a manual sync_false.
      - key: REDIS_URL
        sync: false
      # ── LLM provider (all optional — deterministic baseline always works) ──
      # "anthropic" / "gemini" / "none" / leave blank for auto-pick.
      - key: LLM_PROVIDER
        value: ""
      # Anthropic (paid) — best quality. Optional.
      - key: ANTHROPIC_API_KEY
        sync: false
      # Google Gemini (free tier — recommended for students).
      # Get a key at https://aistudio.google.com/apikey (no card required).
      - key: GOOGLE_API_KEY
        sync: false
      # Token for the seed endpoint (POST /v1/admin/seed). Generate once
      # then call once to populate demo data.
      - key: ADMIN_TOKEN
        sync: false
      # Internal service URL for the scanner. Render auto-resolves the
      # private host once both services are up; pre-fill at apply time.
      - key: SCANNER_URL
        sync: false
      # NATS is fully optional for this deploy — the api degrades to
      # polling-only mode when unset (publishEvent + startNatsBridge gates).
      - key: NATS_URL
        value: ""
      # Same for n8n — leave blank and remediation cards stay in `proposed`
      # state for human review without dispatching anywhere.
      - key: N8N_URL
        value: ""
  - type: web
    name: sentinel-scanner
    runtime: docker
    plan: free
    region: oregon
    rootDir: .
    dockerfilePath: infra/docker/scanner.Dockerfile
    dockerContext: .
    autoDeploy: true
    healthCheckPath: /healthz
    envVars:
      - key: SCANNER_HOST
        value: 0.0.0.0
      - key: SCANNER_PORT
        value: "10000"
      - key: LOG_LEVEL
        value: info
      - key: SCANNER_MAX_CONCURRENT
        value: "4"
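
The comments on `ALLOWED_ORIGINS`, `API_JWT_SECRET` and `DATABASE_URL` describe values that are set by hand in the dashboard and checked at boot. The following is an added example of such fail-closed checks, not the project's `env.ts` (which this page does not show). The function names, the 32-character secret floor, and the libpq-style `options=-c search_path=...` URL form are assumptions.

```typescript
// Added example: hypothetical boot-time checks, not the project's env.ts.
type Env = { [key: string]: string | undefined };

// Schema pinned via the libpq-style `options` URL parameter (assumed format),
// e.g. ?options=-c%20search_path%3Dsentinel. Returns null when absent.
function pinnedSearchPath(databaseUrl: string): string | null {
  const q = databaseUrl.indexOf("?");
  if (q < 0) return null;
  for (const param of databaseUrl.slice(q + 1).split("&")) {
    const eq = param.indexOf("=");
    if (eq < 0 || param.slice(0, eq) !== "options") continue;
    let value: string;
    try { value = decodeURIComponent(param.slice(eq + 1)); } catch (e) { return null; }
    // Require exactly one schema: "sentinel,public" would also resolve names in public.
    const m = /(?:^|\s)-c\s*search_path=([A-Za-z_][A-Za-z0-9_]*)(?:\s|$)/.exec(value);
    return m ? (m[1] || null) : null;
  }
  return null;
}

// Collect every problem so one failed boot reports all of them.
function validateEnv(env: Env): string[] {
  const errors: string[] = [];
  const origins = (env["ALLOWED_ORIGINS"] || "").split(",")
    .map((o) => o.trim()).filter((o) => o.length > 0);
  // Fail closed: no origins means no CORS allowlist at all.
  if (origins.length === 0) errors.push("ALLOWED_ORIGINS is empty");
  for (const o of origins) {
    // Exact https origins only; "*" or a path would widen the allowlist.
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(o)) errors.push("ALLOWED_ORIGINS: not an exact https origin: " + o);
  }
  // Assumed floor: reject a short hand-typed secret replacing the generated one.
  if ((env["API_JWT_SECRET"] || "").length < 32) errors.push("API_JWT_SECRET is shorter than 32 characters");
  if (pinnedSearchPath(env["DATABASE_URL"] || "") !== "sentinel") errors.push("DATABASE_URL does not pin search_path to sentinel");
  return errors;
}

// Constructed sample values (not real credentials or hosts).
const SAMPLE_ENV: Env = {
  ALLOWED_ORIGINS: "https://sentinel.example.com, *",
  API_JWT_SECRET: "constructed-sample-secret-0123456789abcdef",
  DATABASE_URL: "postgresql://app:pw@db.example.internal:5432/claimrail?sslmode=require",
};
const SAMPLE_ERRORS = validateEnv(SAMPLE_ENV); // two errors: the "*" origin and the unpinned schema
```

Because the database instance is shared with `claimrail-db`, the schema check matters more than usual: an unpinned connection resolves unqualified table names against whatever the role's default `search_path` is.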