skillgate 1.1.0__tar.gz

skillgate-1.1.0/.codex/skills/local-ci-gate-pack/SKILL.md

@@ -0,0 +1,43 @@
+---
+name: local-ci-gate-pack
+description: Run local production-go gate validation for SkillGate with consolidated artifacts (lint, typecheck, tests, packaging, migrations, security, and governance decision gates) in fail-closed mode.
+---
+
+# Local CI Gate Pack
+
+Use this skill when asked to validate production readiness locally or reproduce CI-equivalent checks end-to-end.
+
+## Command
+
+From repo root:
+
+```bash
+./venv/bin/python scripts/quality/run_local_ci_gate.py --offline-safe
+```
+
+## What It Validates
+
+1. Lint + formatting + quality script gates
+2. Strict typing (`mypy --strict`)
+3. Test suite
+4. SLO gates
+5. Reliability scorecard generation
+6. Packaging smoke + build + twine metadata check (`--no-isolation`)
+7. API command matrix
+8. Web UI check/build
+9. Alembic upgrade/downgrade/upgrade against local DB URL
+10. Security checks (`pip-audit`, `detect-secrets`)
+11. Governance decision-gate checks
+
+## Artifacts
+
+- `docs/section-11-risk-mitigation/artifacts/consolidated-release-audit-<YYYY-MM-DD>.log`
+- `docs/section-11-risk-mitigation/artifacts/consolidated-release-audit-<YYYY-MM-DD>.json`
+- `docs/section-11-risk-mitigation/artifacts/consolidated-release-audit-<YYYY-MM-DD>.md`
+
+## Fail-Closed Rules
+
+- Do not skip a failing step and continue.
+- Do not install missing tools inside the gate command.
+- If offline/tooling constraints block `pip-audit` or `detect-secrets`, treat as gate failure and resolve prerequisites first.
+- Use `--skip-web-ui` only for scoped backend iteration, not production-go adjudication.

skillgate-1.1.0/.codex/skills/production-hardening-gate/SKILL.md

@@ -0,0 +1,141 @@
+---
+name: production-hardening-gate
+description: Run a strict production hardening and product-outcome gate for SkillGate: governance enforcement proof, evidence-backed claims, conversion path readiness, moat clarity, and GO/NO-GO verdict based on product trust and revenue-aligned signals.
+---
+
+# Production Hardening Gate
+
+Use this skill when asked for production readiness, release adjudication, or strict GO/NO-GO.
+
+Decision posture:
+
+- Optimize for product outcomes, not owner preference and not agent convenience.
+- Prefer decisions that increase defensible moat, trust, and conversion.
+- Reject work that adds features without strengthening enforcement, evidence, or distribution.
+
+## Scope
+
+Validate these gates in order (fail-closed):
+1. Claim-ledger hard gate + docs launch controls
+2. Tier-gating proof paths (`hunt`/`retroscan` CLI + API)
+3. Enterprise trust controls (signed token presence, subject binding, mode/authority lock abuse tests)
+4. Performance & latency SLO gates (p50/p95/p99 + cold-start where applicable)
+5. Resilience & degradation gates (timeouts, retries, circuit breakers, backpressure, graceful failure)
+6. Observability & supportability gates (structured logs, traces, metrics, runbooks, on-call debug flow)
+7. CLI/API matrix (including `saas`, `private_relay`, `airgap` coverage)
+8. Data integrity & migration gates (schema migrations, idempotency, replay safety)
+9. Packaging/release hardening (wheel + sdist + install smoke + publish rehearsal)
+10. Lint/type checks
+11. Product-outcome gates (moat clarity, SEO intent fit, CTA conversion path)
+12. Final self-review + reflection + GO/NO-GO checklist
+
+### Product-Outcome Gates (mandatory)
+
+1. Moat gate:
+- Messaging must define SkillGate as governance/enforcement/evidence control plane, not scanner clone.
+- Write-path approvals and signed evidence must be visibly central in product narrative.
+
+2. SEO intent gate:
+- Core pages must target high-intent phrases:
+`AI code security governance`, `secure AI coding pipeline`, `AI coding policy enforcement`, `audit evidence for AI-generated code`.
+- Claims on these pages must map to proof artifacts.
+
+3. CTA gate:
+- Primary CTA must point to runnable first proof flow:
+`scan -> policy decision -> approval (if required) -> signed evidence pack`.
+- CTA path must be testable and reproducible from docs.
+
+4. Revenue proxy gate:
+- Track and report:
+`proof-pack generation rate`, `high-risk write block rate`, `approval-gated write rate`, `claim-to-proof coverage`.
+- If metrics are missing, release is `NO-GO`.
+
+## Required Commands (minimum)
+
+Run from repo root:
+
+```bash
+./venv/bin/pytest -m slow tests/slo/ -q
+
+# Performance & latency: require repeatable benchmarks (no network noise)
+./venv/bin/pytest -m perf tests/perf/ -q -rs
+python scripts/perf/bench_cli.py --runs 10 --json /tmp/skillgate-perf-cli.json
+python scripts/perf/bench_api.py --runs 10 --json /tmp/skillgate-perf-api.json
+
+# Resilience: failure-mode tests (timeouts/retries/backpressure)
+./venv/bin/pytest -m resilience tests/resilience/ -q -rs
+
+# Observability: log/trace/metrics schema checks
+./venv/bin/pytest tests/observability/ -q
+
+python scripts/quality/check_claim_ledger.py
+./venv/bin/pytest tests/docs/test_pricing_launch_controls.py -q
+./venv/bin/pytest tests/unit/test_hunt/test_cli.py tests/unit/test_retroscan/test_cli.py -q
+./venv/bin/pytest tests/unit/test_api/test_hunt_api.py tests/unit/test_api/test_retroscan_api.py -q
+./venv/bin/pytest tests/unit/test_api/test_entitlements_api.py tests/unit/test_entitlement/test_usage_authority.py tests/unit/test_cli/test_entitlement_gates.py -q
+./venv/bin/pytest tests/e2e/test_cli_command_matrix.py -q
+./venv/bin/pytest tests/e2e/test_api_command_matrix.py -q
+
+# Debuggability/support: verify runbooks & operational docs exist and render
+./venv/bin/pytest tests/docs/test_runbooks_present.py -q
+./venv/bin/pytest tests/docs/test_troubleshooting_render.py -q
+
+./venv/bin/pytest -m slow tests/e2e/test_packaging_release.py -q -rs
+python -m build --sdist --wheel --outdir /tmp/skillgate-dist-check
+python -m twine check /tmp/skillgate-dist-check/*
+./venv/bin/ruff check .
+./venv/bin/mypy --strict skillgate/
+```
+
+## Fail-Closed Rules
+
+- Any skipped test in packaging/perf/resilience gates is a red flag unless explicitly documented and approved.
+- `sdist` must produce a tarball; do not allow skip-based pass.
+- Matrix coverage must include positive + negative + regression paths.
+- Non-local runtime paths must fail-close when signed entitlement token/subject checks fail.
+- Do not mark GO if any required gate is missing from CI.
+- Do not mark GO if moat messaging is scanner-like or if CTA lacks proof-backed flow.
+- Do not mark GO if claims exist without artifact links.
+
+### Performance/Latency
+- Require baseline benchmarks to be reproducible (≥ 10 runs) and stored as artifacts.
+- Require explicit thresholds for p95 latency and error rate (documented in repo); failing thresholds is NO-GO.
+- Any performance regression vs last release baseline must be explained (root cause + mitigation or rollback plan).
+
+### Resilience
+- Verify timeouts are set (no unbounded waits) and retries are bounded with jitter/backoff.
+- Verify graceful degradation paths exist (partial results, cached reads, fail-open is NOT allowed for security gates).
+- Any single point of failure in critical paths must have mitigation (redundancy, circuit breaker, or clear operational workaround).
+
+### Observability/Supportability
+- Logs must be structured and include correlation IDs for all request/command executions.
+- Tracing must identify top-level operations (`hunt`, `retroscan`, entitlements verification) with spans.
+- Metrics must include: request rate, error rate, latency (p50/p95/p99), saturation signals, and queue depth where applicable.
+- A runbook must exist for each critical service/worker, including: how to reproduce, how to collect evidence, and rollback steps.
+
+## Self-Review + Reflection (required)
+
+Before issuing GO/NO-GO, perform a brief self-audit and record it in the output:
+
+1. **Correctness:** Did we validate the intended invariants (entitlements, tier gating, claim-ledger) with negative tests?
+2. **Performance:** What are the p50/p95/p99 numbers for CLI and API? Any regression vs baseline? Why?
+3. **Resilience:** What happens under dependency failure (timeouts, 5xx, slow downstream)? Do we degrade safely?
+4. **Supportability:** Could on-call debug this in < 15 minutes using logs/traces/runbooks? What evidence proves it?
+5. **Scalability:** What is the scaling bottleneck (CPU/memory/IO/queue/db)? What is the mitigation plan?
+6. **Maintainability:** Are modules cohesive, interfaces stable, and configuration explicit? Any tech debt that blocks GA?
+7. **Product Advantage:** Why is this hard for scanner-first competitors to copy quickly?
+8. **Distribution Readiness:** Are SEO intent pages + CTA flow aligned to the shipped proof path?
+
+If any answer is unclear, assume NO-GO until clarified with evidence.
+
+## Output Contract
+
+Return:
+1. Findings ordered by severity with `file:line` and a one-line impact.
+2. GO/NO-GO checklist with explicit green/red status per gate (Scope items 1–12).
+3. Performance snapshot table (p50/p95/p99, error rate, baseline comparison, environment notes).
+4. Resilience snapshot (tested failure modes + observed behavior + any gaps).
+5. Supportability snapshot (log/trace evidence, runbook links/paths, and fastest debug path).
+6. Product-outcome snapshot (`moat`, `SEO intent fit`, `CTA readiness`, `revenue proxies`) with pass/fail.
+7. One-line final verdict: `GO` or `NO-GO`.
+8. No mandatory environment variables to be placed in code; all to be mentioned in .env or .env.example with clear instructions. No fallbacks for mandatory environment variables that bypass checks.

skillgate-1.1.0/.env.example

@@ -0,0 +1,442 @@
+# SkillGate Environment Configuration
+# Copy this file to .env and fill in your values
+# DO NOT commit .env to version control
+
+# ============================================================================
+# DEPLOYMENT ENVIRONMENT
+# ============================================================================
+
+# Environment: development, staging, production
+# CRITICAL: production/staging enforces security invariants (signed keys, no demo OAuth, etc.)
+# MANDATORY
+SKILLGATE_ENV=development
+
+# Authentication provider mode
+# Allowed: local | supabase
+# MANDATORY
+SKILLGATE_AUTH_PROVIDER=local
+
+# ============================================================================
+# SECURITY SECRETS (REQUIRED IN PRODUCTION)
+# ============================================================================
+
+# {
+#   echo "SKILLGATE_JWT_SECRET=$(openssl rand -hex 64)"
+#   echo "SKILLGATE_API_KEY_SECRET=$(openssl rand -hex 64)"
+#   echo "SKILLGATE_API_KEY_PEPPER=$(openssl rand -hex 64)"
+#   echo "SKILLGATE_REFRESH_TOKEN_PEPPER=$(openssl rand -hex 64)"
+#   echo "SKILLGATE_ADMIN_KEY=sg_admin_$(openssl rand -hex 32)"
+# } >> .env.production
+
+# JWT signing secret for access tokens (≥64 chars, secure random)
+# Generate with: openssl rand -hex 64
+# MANDATORY
+SKILLGATE_JWT_SECRET=your-jwt-secret-here-minimum-64-characters-use-openssl-rand-hex-64
+
+# API key HMAC signing secret for cryptographic validation (≥64 chars)
+# SECURITY FIX 16.33: Used for signed API key format sg_v1_*
+# MANDATORY
+SKILLGATE_API_KEY_SECRET=your-api-key-secret-here-minimum-64-characters-secure-random
+
+# API key hashing pepper (≥64 chars, secure random)
+# MANDATORY
+SKILLGATE_API_KEY_PEPPER=your-api-key-pepper-here-minimum-64-characters-secure-random
+
+# Refresh token hashing pepper (≥64 chars, secure random)
+# MANDATORY
+SKILLGATE_REFRESH_TOKEN_PEPPER=your-refresh-token-pepper-here-minimum-64-characters-secure-random
+
+# Admin API key for privileged operations (webhook replay, reconciliation, etc.)
+# MANDATORY for hosted admin/replay endpoints
+SKILLGATE_ADMIN_KEY=your-admin-key-here-secure-random
+
+# ============================================================================
+# EMAIL VERIFICATION (RESEND)
+# ============================================================================
+
+# Resend API key for transactional emails (verification, password-reset notifications)
+# Get from: https://resend.com/api-keys
+# RESEND_API_KEY=re_your_resend_api_key_here
+
+# Verified sender email/domain in Resend
+# Example: no-reply@yourdomain.com
+# SKILLGATE_EMAIL_FROM=no-reply@skillgate.io
+
+# Public web app base URL used to build verification links
+# SKILLGATE_WEB_BASE_URL=https://app.skillgate.io
+
+# ============================================================================
+# DATABASE CONFIGURATION
+# ============================================================================
+
+# Primary database connection string
+# MANDATORY
+SKILLGATE_DATABASE_URL=postgresql+asyncpg://skillgate:skillgate@localhost:5432/skillgate
+
+# Optional read replica for read-heavy operations
+# SKILLGATE_READ_REPLICA_URL=postgresql+asyncpg://skillgate:skillgate@replica:5432/skillgate
+
+# Database connection pool settings
+# SKILLGATE_DB_POOL_SIZE=20
+# SKILLGATE_DB_MAX_OVERFLOW=10
+
+# Disable DB pooling (useful for one-shot scripts)
+# OPTIONAL
+# SKILLGATE_DISABLE_DB_POOL=false
+
+# Auto-initialize database on startup (development only)
+# SKILLGATE_AUTO_INIT_DB=false
+
+# ============================================================================
+# REDIS CONFIGURATION
+# ============================================================================
+
+# Redis connection string for caching, rate limiting, device codes
+# MANDATORY
+SKILLGATE_REDIS_URL=redis://localhost:6379/0
+
+# ============================================================================
+# CORS & WEB SECURITY
+# ============================================================================
+
+# Allowed CORS origins (comma-separated)
+# Production: set to your frontend domain(s)
+# Development: localhost with various ports
+# MANDATORY
+SKILLGATE_CORS_ORIGINS=http://localhost:3000,http://127.0.0.1:3000,http://localhost:3001,http://127.0.0.1:3001,https://app.skillgate.io
+
+# Allow credentials in CORS requests
+# SKILLGATE_CORS_ALLOW_CREDENTIALS=true
+
+# Enable HSTS (HTTP Strict Transport Security) headers
+# Auto-enabled in production/staging
+# SKILLGATE_ENABLE_HSTS=true
+
+# ============================================================================
+# OAUTH CONFIGURATION
+# ============================================================================
+
+# Enable OAuth authentication (Google, GitHub)
+# SKILLGATE_ENABLE_OAUTH=false
+
+# OAuth provider credentials (when OAuth is enabled)
+# GOOGLE_CLIENT_ID=your-google-client-id
+# GOOGLE_CLIENT_SECRET=your-google-client-secret
+# GITHUB_CLIENT_ID=your-github-client-id
+# GITHUB_CLIENT_SECRET=your-github-client-secret
+
+# ============================================================================
+# SUPABASE AUTH PROVIDER (REQUIRED WHEN SKILLGATE_AUTH_PROVIDER=supabase)
+# ============================================================================
+
+# Supabase project base URL
+# REQUIRED for supabase auth provider
+# SUPABASE_URL=https://your-project.supabase.co
+
+# Supabase anonymous key (client-side key)
+# REQUIRED for supabase auth provider
+# SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# Supabase service role key (server-only secret)
+# REQUIRED for supabase auth provider
+# SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# Supabase JWT verification mode (choose one)
+# REQUIRED for supabase auth provider in production/staging
+# Option A: shared secret
+# SUPABASE_JWT_SECRET=your-supabase-jwt-secret
+# Option B: JWKS URL (auto-derives from SUPABASE_URL if omitted)
+# SUPABASE_JWKS_URL=https://your-project.supabase.co/auth/v1/keys
+
+# Additional outbound host allowlist for Supabase client egress policy
+# OPTIONAL
+# SKILLGATE_SUPABASE_EGRESS_ALLOWLIST=api.supabase.co
+
+# ============================================================================
+# STRIPE PAYMENT INTEGRATION
+# ============================================================================
+
+# Stripe API secret key
+# Get from: https://dashboard.stripe.com/apikeys
+# MANDATORY for payments routes
+STRIPE_SECRET_KEY=sk_test_your_stripe_secret_key_here
+
+# Stripe webhook signing secret
+# Get from: https://dashboard.stripe.com/webhooks
+# MANDATORY for webhook routes
+STRIPE_WEBHOOK_SECRET=whsec_your_stripe_webhook_secret_here
+
+# Stripe price IDs for subscription tiers (monthly and annual)
+# Get from: https://dashboard.stripe.com/products
+# Industry standard: ~17% discount on annual (2 months free)
+STRIPE_PRICE_PRO_MONTHLY=price_pro_monthly_id
+STRIPE_PRICE_PRO_YEARLY=price_pro_yearly_id
+STRIPE_PRICE_TEAM_MONTHLY=price_team_monthly_id
+STRIPE_PRICE_TEAM_YEARLY=price_team_yearly_id
+STRIPE_PRICE_ENT_MONTHLY=price_enterprise_monthly_id
+STRIPE_PRICE_ENT_YEARLY=price_enterprise_yearly_id
+
+# Legacy single-price aliases (deprecated; kept for backward compatibility)
+# OPTIONAL
+# STRIPE_PRICE_PRO=price_pro_monthly_id
+# STRIPE_PRICE_TEAM=price_team_monthly_id
+# STRIPE_PRICE_ENT=price_enterprise_monthly_id
+
+# Beta switch: force backend pricing catalog paid-tier CTAs to "Get Started Free"
+# and route users through free onboarding while Stripe is validated.
+# SKILLGATE_PRICING_BETA_FREE_CTA=false
+
+# ============================================================================
+# INTEGRATIONS & ALERTING
+# ============================================================================
+
+# Default Slack webhook URL for scan alerts
+# SECURITY FIX 16.32: Still validated against allowlist
+# SKILLGATE_SLACK_WEBHOOK=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
+
+# Entitlement incident webhook destination
+# OPTIONAL
+# SKILLGATE_ENTITLEMENT_INCIDENT_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/ENTITLEMENT/WEBHOOK
+
+# ============================================================================
+# LLM EXPLAINER (OPTIONAL)
+# ============================================================================
+
+# Anthropic API key for Claude-based explanations
+# ANTHROPIC_API_KEY=sk-ant-your-anthropic-key-here
+
+# Anthropic base URL override
+# OPTIONAL
+# ANTHROPIC_BASE_URL=https://api.anthropic.com
+
+# OpenAI API key for GPT-based explanations
+# OPENAI_API_KEY=sk-your-openai-key-here
+
+# OpenAI base URL override
+# OPTIONAL
+# OPENAI_BASE_URL=https://api.openai.com
+
+# Custom explanation provider controls (optional)
+# Provider: azure-openai | groq | ollama
+# SKILLGATE_EXPLAIN_CUSTOM_PROVIDER=
+# SKILLGATE_EXPLAIN_CUSTOM_BASE_URL=
+# SKILLGATE_EXPLAIN_CUSTOM_MODEL=
+# SKILLGATE_EXPLAIN_CUSTOM_DEPLOYMENT=
+# SKILLGATE_EXPLAIN_AZURE_API_VERSION=2024-02-15-preview
+# AZURE_OPENAI_API_KEY=
+# GROQ_API_KEY=
+# SKILLGATE_EXPLAIN_EGRESS=false
+# SKILLGATE_EXPLAIN_ENDPOINT_ALLOWLIST=api.openai.com,api.anthropic.com
+# SKILLGATE_EXPLAIN_PROVIDER_TIMEOUT_S=8
+# SKILLGATE_EXPLAIN_PROVIDER_RETRIES=2
+
+# ============================================================================
+# OBSERVABILITY & TELEMETRY
+# ============================================================================
+
+# Enable OpenTelemetry instrumentation
+# SKILLGATE_OTEL_ENABLED=false
+
+# OpenTelemetry exporter endpoint
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+
+# ============================================================================
+# CLI CONFIGURATION
+# ============================================================================
+
+# API endpoint for CLI commands (auth, scan upload, etc.)
+# SKILLGATE_API_URL=https://api.skillgate.io
+
+# API key for CLI authentication (alternative to web login)
+# SKILLGATE_API_KEY=sg_v1_your_signed_api_key_here
+
+# Local/dev only: have UI-generated API keys use tier-encoded legacy format
+# (sg_free_*, sg_pro_*, sg_team_*, sg_ent_*) compatible with local CLI resolver.
+# Ignored unless SKILLGATE_ENV is development/dev/local.
+# SKILLGATE_LOCAL_UI_TIER_KEYS=false
+# SKILLGATE_LOCAL_UI_DEFAULT_TIER=free
+
+# CLI mode flag for CI-oriented behavior
+# OPTIONAL
+# SKILLGATE_CI_MODE=false
+
+# Entitlement enforcement mode:
+# - local: local tier + local quota cache (dev/default)
+# - saas: hosted authority endpoint for usage/entitlements
+# - private_relay: enterprise internal authority endpoint (no direct public egress from CI)
+# - airgap: signed/offline entitlement flow
+# SKILLGATE_ENTITLEMENT_MODE=local
+
+# Non-local authority endpoint for saas/private_relay mode.
+# Expected consume endpoint: {url}/v1/entitlements/consume-scan
+# SKILLGATE_ENTITLEMENT_AUTHORITY_URL=https://api.skillgate.io
+
+# On-prem entitlement relay endpoint and auth (server runtime)
+# OPTIONAL (used for private enterprise entitlement relay mode)
+# SKILLGATE_ONPREM_ENTITLEMENT_URL=https://entitlement.internal
+# SKILLGATE_ONPREM_ENTITLEMENT_TOKEN=internal-shared-token
+# SKILLGATE_ONPREM_ENTITLEMENT_TIMEOUT=3.0
+# SKILLGATE_ONPREM_FAIL_OPEN=true
+
+# Authority shared secret for hosted entitlement consume endpoint
+# REQUIRED when acting as entitlement authority
+# SKILLGATE_ENTITLEMENT_AUTHORITY_TOKEN=
+
+# Runtime lock guards (optional policy hardening)
+# SKILLGATE_ENTITLEMENT_MODE_LOCK=local
+# SKILLGATE_ENTITLEMENT_AUTHORITY_URL_LOCK=https://api.skillgate.io
+
+# Optional timeout for authority calls (seconds)
+# SKILLGATE_ENTITLEMENT_AUTHORITY_TIMEOUT_SECONDS=3
+
+# Optional signed entitlement payload preference in non-local modes
+# SKILLGATE_ENTITLEMENT_TOKEN=base64url_payload.signature_hex
+# SKILLGATE_ENTITLEMENT_PUBLIC_KEY=ed25519_public_key_hex
+# Optional key ring for multi-key verification
+# SKILLGATE_ENTITLEMENT_PUBLIC_KEYS=key1hex,key2hex
+
+# Signed entitlement claim expectations (optional, advanced)
+# SKILLGATE_ENTITLEMENT_ISSUER=skillgate-authority
+# SKILLGATE_ENTITLEMENT_AUDIENCE=skillgate-cli
+# SKILLGATE_ENTITLEMENT_CLOCK_SKEW_SECONDS=120
+# SKILLGATE_ENTITLEMENT_NONCE_TTL_SECONDS=900
+# SKILLGATE_ENTITLEMENT_NONCE_CACHE_SIZE=10000
+
+# Runtime trust propagation for nested agent invocations (native hooks / sub-agents)
+# Scope token from parent SkillGate runtime session
+# SKILLGATE_SCOPE_TOKEN=
+# Ed25519 public key used to verify SKILLGATE_SCOPE_TOKEN
+# SKILLGATE_SCOPE_PUBLIC_KEY=
+
+# Signed reputation graph path for runtime reputation enforcement
+# SKILLGATE_REPUTATION_STORE=.skillgate/reputation/reputation.json
+
+# Runtime gateway and sandbox controls
+# OPTIONAL
+# SKILLGATE_ALLOWED_TOOL_CLASSES=shell,network,filesystem,process
+# SKILLGATE_SANDBOX_BACKEND=
+# SKILLGATE_RUNTIME_TIMEOUT_SECONDS=15
+
+# Runtime capability budgets (per day; set >0 to enforce in ci/prod/strict)
+# SKILLGATE_CAPABILITY_BUDGET_PATH=.skillgate/runtime/capability_budgets.json
+# SKILLGATE_BUDGET_SHELL_PER_DAY=0
+# SKILLGATE_BUDGET_NETWORK_PER_DAY=0
+# SKILLGATE_BUDGET_FILESYSTEM_PER_DAY=0
+# SKILLGATE_BUDGET_PROCESS_PER_DAY=0
+# Optional scoped budgets (enforced in addition to global daily budgets)
+# SKILLGATE_BUDGET_SHELL_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_NETWORK_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_FILESYSTEM_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_PROCESS_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_SHELL_PER_SESSION=0
+# SKILLGATE_BUDGET_NETWORK_PER_SESSION=0
+# SKILLGATE_BUDGET_FILESYSTEM_PER_SESSION=0
+# SKILLGATE_BUDGET_PROCESS_PER_SESSION=0
+# External-domain budget controls
+# SKILLGATE_BUDGET_EXTERNAL_DOMAINS_PER_DAY=0
+# SKILLGATE_BUDGET_EXTERNAL_DOMAINS_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_EXTERNAL_DOMAINS_PER_SESSION=0
+# Domain-chain budget controls (unique domain-to-domain transitions)
+# SKILLGATE_BUDGET_DOMAIN_CHAINS_PER_DAY=0
+# SKILLGATE_BUDGET_DOMAIN_CHAINS_PER_ORG_PER_DAY=0
+# SKILLGATE_BUDGET_DOMAIN_CHAINS_PER_SESSION=0
+# Optional org identifier fallback for runtime wrappers
+# SKILLGATE_ORG_ID=
+# Optional approval workflow quorum for hardened runtime invocations
+# SKILLGATE_APPROVAL_REQUIRED_REVIEWERS=0
+
+# Air-gap mode daily remaining scans counter (set by offline entitlement pack process)
+# SKILLGATE_AIRGAP_SCANS_REMAINING_TODAY=3
+# Air-gap entitlement pack file path
+# OPTIONAL
+# SKILLGATE_AIRGAP_PACK_PATH=.skillgate/airgap-pack.json
+
+# Local quota file override
+# OPTIONAL
+# SKILLGATE_QUOTA_FILE=.skillgate/quota.json
+
+# Disable logo/banner in CLI output
+# SKILLGATE_NO_LOGO=false
+# SKILLGATE_NO_BANNER=false
+
+# Disable color output (for CI/CD environments)
+# NO_COLOR=
+
+# Test mode (disables network calls in scans)
+# SKILLGATE_TEST_MODE=false
+
+# Team/tier test harness controls (test/dev only)
+# OPTIONAL
+# SKILLGATE_TIER=free
+# SKILLGATE_TEAM_ACTIVE_SEATS=0
+
+# CLI simulate command provider tokens
+# OPTIONAL
+# SKILLGATE_GITHUB_TOKEN=
+# GITHUB_TOKEN=
+# SKILLGATE_GITLAB_TOKEN=
+# GITLAB_TOKEN=
+
+# npm shim override (Node wrapper to choose Python binary)
+# OPTIONAL
+# SKILLGATE_PYTHON=/absolute/path/to/python
+
+# ============================================================================
+# WEB-UI VARIABLES (also mirrored in web-ui/.env.example)
+# ============================================================================
+
+# Public API base URL consumed by web app
+# REQUIRED for production web deployment
+# NEXT_PUBLIC_API_URL=https://api.skillgate.io/api/v1
+
+# Analytics endpoint + batching
+# OPTIONAL
+# NEXT_PUBLIC_ANALYTICS_ENDPOINT=
+# NEXT_PUBLIC_ANALYTICS_FLUSH_SIZE=10
+
+# Pricing beta CTA switch
+# OPTIONAL
+# NEXT_PUBLIC_PRICING_BETA_FREE_CTA=false
+
+# Client-side Stripe key
+# REQUIRED for Stripe checkout UX in web app
+# NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx
+
+# Web E2E/playwright runtime vars (CI/dev only)
+# OPTIONAL
+# PLAYWRIGHT_PORT=4010
+# PLAYWRIGHT_HOST=127.0.0.1
+# PLAYWRIGHT_BASE_URL=http://127.0.0.1:4010
+# PLAYWRIGHT_ANALYTICS_ENDPOINT=http://127.0.0.1:4010/__analytics
+
+# General node/web build flags (CI/dev)
+# OPTIONAL
+# NODE_ENV=production
+# ANALYZE=false
+# CI=false
+# PORT=3000
+
+# ============================================================================
+# PRODUCTION DEPLOYMENT CHECKLIST
+# ============================================================================
+#
+# Before deploying to production, ensure:
+#
+# 1. ✅ SKILLGATE_ENV=production
+# 2. ✅ All *_SECRET and *_PEPPER variables are set with ≥64 secure random chars
+# 3. ✅ SKILLGATE_DATABASE_URL points to production database
+# 4. ✅ SKILLGATE_REDIS_URL points to production Redis
+# 5. ✅ STRIPE_SECRET_KEY is production key (sk_live_*)
+# 6. ✅ STRIPE_WEBHOOK_SECRET is configured with endpoint signature
+# 7. ✅ SKILLGATE_CORS_ORIGINS contains only trusted domains
+# 8. ✅ OAuth credentials are production (if OAuth enabled)
+# 9. ✅ No .env file is committed to version control
+# 10. ✅ Secrets are stored in secure secret management (AWS Secrets Manager, HashiCorp Vault, etc.)
+#
+# Security reminders:
+# - Legacy unsigned API keys (sg_pro_*, sg_ent_*) are BLOCKED in production
+# - Demo OAuth mode is BLOCKED in production  
+# - All webhook URLs are validated against allowlist
+# - Rate limiting uses socket IP (not spoofable headers)
+#
+# ============================================================================