# ============================================================================= # roboomp environment # ============================================================================= # # This file is read in two distinct ways and you MUST keep that in mind when # filling it in: # # 1. `docker compose` interpolates `${VAR}` references in docker-compose.yml. # The compose file uses per-service explicit `environment:` allowlists # (NO `env_file:`), so only the keys listed in each service's block flow # into the corresponding container — never the whole .env. # # 2. The Python `Settings` loader (`src/config.py`) also reads `.env` # for any local CLI invocation (e.g. `python -m robomp.cli triage …` # running on the host outside docker). `_validate_proxy_or_pat` fails # fast if BOTH a PAT and `ROBOMP_GH_PROXY_URL` are configured, so the # two modes below are mutually exclusive. # # Pick ONE of the two mode blocks below; leave the other fully commented out. # Variables under "### shared ###" apply in either mode. # ============================================================================= # ### shared ### — required regardless of mode # ============================================================================= # Shared HMAC secret used to verify webhook signatures. Must match the secret # configured in the GitHub webhook UI / settings. GITHUB_WEBHOOK_SECRET= # GitHub login handle for the bot account whose PAT is in GITHUB_TOKEN (or # whichever account the gh-proxy authenticates as). Prefer the lowercase bare # mention handle (`roboomp`, not `@roboomp` or `roboomp[bot]`); startup # normalizes common forms, including uppercase and surrounding whitespace. ROBOMP_BOT_LOGIN= # Commit identity for branches the bot pushes. The email is what reviewers and # GitHub will display next to the commit; pick one that matches how you want # bot-authored commits to appear (a no-reply alias, a real address, etc.). # `gh_push_branch` refuses to push unless every commit on the workspace branch # carries this exact name + email. ROBOMP_GIT_AUTHOR_NAME= ROBOMP_GIT_AUTHOR_EMAIL= # Comma-separated owner/repo entries the bot is allowed to act on. ROBOMP_REPO_ALLOWLIST= # Optional comma-separated GitHub logins whose @ROBOMP_BOT_LOGIN comments may # authorize implementation work in addition to repo OWNER. Prefer lowercase # bare logins; startup ignores leading `@`, case, whitespace, and `[bot]`. ROBOMP_MAINTAINER_LOGINS= # ============================================================================= # ### gh-proxy mode (RECOMMENDED, default in docker compose) ### # # The orchestrator NEVER holds the PAT; it talks to the sibling gh-proxy # container over an internal-only docker network, authenticated with a # shared HMAC key. Fill in BOTH variables below and leave the PAT mode # block fully commented out. # ============================================================================= # Shared HMAC secret the orchestrator uses to authenticate every request to # gh-proxy. The two containers MUST agree on this value. The proxy refuses # any unsigned request; the orchestrator refuses to start without it. # Generate with: openssl rand -hex 32 ROBOMP_GH_PROXY_HMAC_KEY= # URL the orchestrator uses to reach gh-proxy. The default below matches the # service name + port in docker-compose.yml; override only for local # development outside compose (e.g. `http://127.0.0.1:8081`). ROBOMP_GH_PROXY_URL=http://gh-proxy:8081 # PAT with `repo` (push, comment, PR) scope. A fine-grained token scoped to # the allowlisted repos is recommended; a classic PAT also works. # # In gh-proxy mode this value lives ONLY in the gh-proxy container's # environment (compose interpolates it into gh-proxy's allowlist only). # Settings refuses to construct an orchestrator config that sees both # GITHUB_TOKEN and ROBOMP_GH_PROXY_URL, so when running orchestrator code # directly on the host (CLI, tests) you MUST keep GITHUB_TOKEN unset. GITHUB_TOKEN= # ============================================================================= # ### PAT mode (single-process, no sidecar) ### # # Drop the gh-proxy entirely and let the orchestrator hold the PAT directly. # To use this mode: uncomment GITHUB_TOKEN below, leave ROBOMP_GH_PROXY_URL # and ROBOMP_GH_PROXY_HMAC_KEY UNSET (above), and run the orchestrator # outside of the bundled docker-compose (which is wired for proxy mode). # ============================================================================= # GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ============================================================================= # --- Model selection --- # ============================================================================= # Either a single model id or a comma-separated pool — roboomp picks one # uniformly at random per task. Use the `/` form that matches # your ~/.omp/agent/models.container.yml (which is mounted into the container as models.yml). ROBOMP_MODEL=anthropic/claude-sonnet-4-6 # off|low|medium|high ROBOMP_THINKING=high # Optional provider override (passed to `omp --provider`). # ROBOMP_PROVIDER= # ============================================================================= # --- Runtime --- # ============================================================================= ROBOMP_MAX_CONCURRENCY=8 ROBOMP_TASK_TIMEOUT_SECONDS=2400 ROBOMP_TASK_TIMEOUT_HARD_GRACE_SECONDS=60 ROBOMP_REQUEST_TIMEOUT_SECONDS=120 # ============================================================================= # --- PR review / vouch gate --- # ============================================================================= # robomp reviews incoming contributor PRs. When PRs are gated by the vouch # GitHub Action (.github/workflows/vouch-pr.yml), set the trigger to # `vouched_label` so robomp reviews ONLY the PRs the gate let through (the # workflow labels survivors with ROBOMP_VOUCH_REVIEW_LABEL) instead of racing # the gate on PR open. Set ROBOMP_PR_REVIEW_ENABLED=false to disable robomp PR # review entirely. ROBOMP_PR_REVIEW_ENABLED=true # open | vouched_label ROBOMP_PR_REVIEW_TRIGGER=open ROBOMP_VOUCH_REVIEW_LABEL=vouched # In vouched_label mode only `labeled` events from this actor trigger review, # so a manual triage/maintainer label cannot bypass the gate. Default matches # the stock GITHUB_TOKEN actor; set to your App's bot login if the vouch # workflow labels via a GitHub App token. ROBOMP_VOUCH_REVIEW_LABELER=github-actions[bot] # ============================================================================= # --- Per-submitter rate limiting --- # ============================================================================= # Rolling window plus per-tier caps on queue-worthy submissions per # GitHub login. Accounts whose webhook payload reports author_association # OWNER/MEMBER/COLLABORATOR bypass the limiter automatically. Use the # unlimited list (comma-separated logins, `@` optional) to whitelist # additional users — e.g. yourself when developing outside the repo. ROBOMP_RATE_LIMIT_WINDOW_SECONDS=3600 ROBOMP_RATE_LIMIT_DEFAULT=3 ROBOMP_RATE_LIMIT_CONTRIBUTOR=10 ROBOMP_RATE_LIMIT_UNLIMITED= # ============================================================================= # --- Question auto-close --- # ============================================================================= # When the bot answers an issue classified as `question` it appends a # 👎-to-keep-open prompt and schedules the issue to close as # `state_reason=completed` after `HOURS`. Set `ENABLED=false` (or `HOURS=0`) # to disable. Cancellation is automatic on a follow-up comment, an external # close, or the issue author downvoting the bot's comment. ROBOMP_QUESTION_AUTOCLOSE_ENABLED=true ROBOMP_QUESTION_AUTOCLOSE_HOURS=4 # How often the scheduler scans for due rows. 60s is plenty given the # multi-hour close window. ROBOMP_QUESTION_AUTOCLOSE_SCAN_SECONDS=60 # Path or command name for the omp binary inside the container. The shipped # image installs a shim that invokes Bun against the mounted pi checkout. ROBOMP_OMP_COMMAND=omp # ============================================================================= # --- Paths (inside the container) --- # ============================================================================= ROBOMP_WORKSPACE_ROOT=/data/workspaces ROBOMP_SQLITE_PATH=/data/robomp.sqlite ROBOMP_LOG_DIR=/data/logs # ============================================================================= # --- Dev only --- # ============================================================================= # Bind address for the webhook receiver. ROBOMP_BIND_HOST=0.0.0.0 ROBOMP_BIND_PORT=8080 # Optional token enabling the POST /replay endpoint; leave blank to disable. # ROBOMP_REPLAY_TOKEN= # ============================================================================= # --- oh-my-pi source location (host side) --- # ============================================================================= # robomp lives inside the oh-my-pi monorepo at `python/robomp/`. The default # `bun run robomp:pi-artifacts` builds the parent monorepo (`../..`) as its docker # build context, and `docker-compose.yml` mounts that same path read-only at # `/work/pi` inside the container. Override `PI_ROOT` only if you want to point # the build/mount at a different oh-my-pi checkout. # PI_ROOT=../..