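# ============================================================
# Specothesis — Environment Configuration
#
# Copy this file to .env and fill in your values.
# .env is gitignored; never commit real credentials. Treat the filled-in
# .env like any other secret: restrict its file permissions and keep it
# out of CI logs, screenshots and shared drives.
#
# Every comment sits on its own line above the key it describes, so the
# file does not rely on inline-comment support in the dotenv parser.
# ============================================================

# --- Target ---

# Base URL to open in the browser when starting a capture.
# Can be overridden at runtime with: npm run capture -- --url
SCANNER_BASE_URL=https://example.com

# API host used as the global server in the OpenAPI spec.
# This is NOT the browser start URL — it is where your API calls actually go.
# Example: https://api.example.com (different from the frontend URL above)
SCANNER_API_URL=

# Glob or full URL prefix to scope which requests are captured.
# Default: **/api/** (only XHR/fetch calls whose URL contains /api/)
# Use "**" to capture everything, or a full prefix like https://api.example.com/**
# Keep the filter as narrow as practical: a wide filter such as "**" also
# records calls to third-party origins (analytics, CDNs, identity providers),
# and their request/response data then lands in the generated outputs as well.
SCANNER_URL_FILTER=**/api/**

# Run Chromium headlessly (true/false). Default: false (browser window opens).
SCANNER_HEADLESS=false

# Default output folder slug. Auto-derived from hostname if left blank.
SCANNER_OUT_NAME=

# Named session — used as the output folder name under captures/.
# Can be overridden at runtime with: --session
SCANNER_SESSION=

# Name of a saved auth profile to load (reuse a previous login).
# Can be overridden at runtime with: --profile
# A saved profile lets a later run skip the login, so whatever it stores is
# effectively a credential — keep profile files out of version control and
# out of shared storage.
SCANNER_PROFILE=

# Path to a Playwright automation script. Runs instead of manual interaction.
# The script receives (page, context, config) as arguments.
# The script gets the live browser session and the full config — including
# config.username / config.password — so only point this at scripts you
# have reviewed.
# SCANNER_SCRIPT_PATH=scripts/my-journey.ts

# --- Credentials ---

# Used by automation scripts (config.username / config.password).
# Also written as ${{env.SCANNER_USERNAME}} / ${{env.SCANNER_PASSWORD}}
# in StepCI workflows so tests can pick them up from the environment.
# Prefer a dedicated, low-privilege test account over a personal login.
SCANNER_USERNAME=
SCANNER_PASSWORD=

# Full URL of your login endpoint.
# When set, a login step is prepended to the StepCI workflow and OpenAPI spec.
# With bearer-login the username/password above are POSTed to this URL, so it
# must be an https:// endpoint — over plain http the credentials travel in
# clear text.
# Example: https://auth.example.com/api/v1/login
SCANNER_AUTH_URL=

# Auth strategy. Auto-detected from SCANNER_AUTH_URL when not set.
# Values: bearer-login | bearer-static | api-key | basic | none
#   bearer-login   POST credentials to SCANNER_AUTH_URL, capture token, inject as Bearer
#   bearer-static  Use SCANNER_AUTH_TOKEN directly — no login step
#   api-key        Use SCANNER_API_KEY in X-Api-Key header — no login step
#   basic          Use SCANNER_USERNAME:SCANNER_PASSWORD as Basic auth — no login step
#   none           No auth injected
# "basic" sends the password (base64-encoded, not encrypted) on every request;
# use it only against https:// hosts.
# SCANNER_AUTH_METHOD=bearer-login

# Login request body format (applies when SCANNER_AUTH_METHOD=bearer-login)
# Values: form (default) | json | formData
# SCANNER_AUTH_BODY_FORMAT=form

# Field names for credentials in the login request body
# SCANNER_AUTH_USERNAME_FIELD=username
# SCANNER_AUTH_PASSWORD_FIELD=password

# JSONPath to extract the token from the login response
# Default: $.access_token — works for {"access_token": "..."}
# Other examples: $.token | $.data.access_token | $.auth.jwt
# SCANNER_AUTH_TOKEN_PATH=$.access_token

# Prefix applied before the token in the Authorization header
# Default: Bearer — produces "Authorization: Bearer <token>"
# Set to empty string to send the raw token with no prefix
# SCANNER_AUTH_SCHEME=Bearer

# Bearer token — used as a static value when SCANNER_AUTH_METHOD=bearer-static,
# or written as ${{env.SCANNER_AUTH_TOKEN}} in StepCI output for manual runs.
# Use a short-lived token scoped to the target API, and rotate it if this
# file is ever shared or leaked.
SCANNER_AUTH_TOKEN=

# API key — written as ${{env.SCANNER_API_KEY}} in StepCI output.
# Set this if your API uses X-Api-Key or similar.
SCANNER_API_KEY=

# --- OpenAPI spec info ---
# Customize the info block in the generated OpenAPI spec.
# SCANNER_API_TITLE=My API
# SCANNER_API_VERSION=1.0.0
# SCANNER_API_DESCRIPTION=Generated by Specothesis

# --- Anomaly detection thresholds ---

# Average response time (ms) that triggers a slow-response warning
# SCANNER_ANOMALY_SLOW_MS=2000
# Response body size (KB) that triggers a large-response warning
# SCANNER_ANOMALY_LARGE_KB=500
# Call count that triggers a repeated-calls warning
# SCANNER_ANOMALY_REPEATED_N=5

# Comma-separated path keywords treated as public (suppress missing-auth warning).
# Extend the built-in list: login, signup, register, health, ping, status, public
# Each keyword added here silences the missing-auth finding for every path it
# matches, so keep the list short and specific — a broad keyword can hide a
# genuinely unauthenticated endpoint.
# SCANNER_PUBLIC_PATTERNS=webhook,open,pub

# --- Capture behaviour ---

# Suppress per-request [req]/[res] log lines during capture.
# The final summary is always printed regardless. Default: false
SCANNER_QUIET=false

# Include requests that never received an HTTP response (network errors,
# CORS preflight failures, cancellations). Playwright records these as status -1.
# Enabling this keeps them in the pipeline but will produce invalid OpenAPI status
# codes unless your downstream tooling tolerates non-standard codes. Default: false
SCANNER_CAPTURE_FAILED=false

# --- Feature flags ---
# Set any of these to false to disable that output / post-processing step.
# All default to true — omitting a variable keeps the feature enabled.

# v1 outputs

# Deduplicate repeated identical requests
SCANNER_ENABLE_DEDUP=true
# Generate openapi.yaml / openapi.json
SCANNER_ENABLE_OPENAPI=true
# Generate stepci-workflow.yaml
SCANNER_ENABLE_STEPCI=true
# Generate curls/ directory
SCANNER_ENABLE_CURL=true

# v2 post-processing

# Embed real captured values as examples in the OpenAPI spec.
# These are values lifted from live traffic — user data, identifiers,
# whatever the session touched. Leave SCANNER_ENABLE_REDACTION enabled
# while this is on, and review the spec before sharing it outside the team.
SCANNER_ENABLE_EXAMPLES=true
# Write coverage.json and print coverage table
SCANNER_ENABLE_COVERAGE=true
# Write anomalies.json and print anomaly findings
SCANNER_ENABLE_ANOMALIES=true
# Write drift.json and print drift section (requires prior run)
SCANNER_ENABLE_DRIFT=true
# Write report.html
SCANNER_ENABLE_HTML_REPORT=true
# Redact sensitive field values (passwords, tokens, keys) in all outputs.
# Turning this off writes the raw captured values — including any credentials
# and session tokens the browser sent — into every generated file. Only
# disable it for a throw-away capture against a non-production target.
SCANNER_ENABLE_REDACTION=true

# --- Extras ---
# Any SCANNER_EXTRA_* variables are forwarded to automation scripts
# via config.extras as { KEY: value } (prefix stripped).
# Example:
# SCANNER_EXTRA_TENANT_ID=acme
# SCANNER_EXTRA_REGION=us-east-1
#
# WARNING: SCANNER_EXTRA_* values are passed as-is to scripts and included in
# generated output files. Do NOT store secrets (tokens, passwords) in EXTRA_*
# variables — use SCANNER_AUTH_TOKEN / SCANNER_API_KEY / SCANNER_PASSWORD instead,
# which are handled with redaction and are never written to HAR or curl outputs
# (this assumes SCANNER_ENABLE_REDACTION is left enabled — confirm before
# disabling it).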