Update Dockerfile, env example and settings

.env.example

@@ -1,136 +1,33 @@
-# =============================================================================
-# Django Backend Environment Variables
-# =============================================================================
-# Copy this file to .env and fill in your actual values
-# Never commit .env to version control (it should be in .gitignore)
-# =============================================================================
+# Grammo Backend - Example .env
+# Copy this file to .env and fill in the values as needed.
 
-# -----------------------------------------------------------------------------
-# Required Settings
-# -----------------------------------------------------------------------------
+# --- Required ---
+# Django Secret Key (generate one with the command in README)
+SECRET_KEY=
 
-# Django Secret Key (REQUIRED)
-# Generate a new secret key: python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
-# Or use: python manage.py shell -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
-# WARNING: Never use the default value in production!
-SECRET_KEY=your-secret-key-here
+# HuggingFace API Token (any of these will be picked up; preferred shown first)
+HUGGINGFACEHUB_API_TOKEN=
+# HF_TOKEN=
+# HF_API_TOKEN=
 
-# HuggingFace API Token (REQUIRED)
-# Get your token from: https://huggingface.co/settings/tokens
-# Required for agent functionality that uses HuggingFace models
-HUGGINGFACEHUB_API_TOKEN=your-huggingface-api-token-here
-
-# -----------------------------------------------------------------------------
-# Debug and Development Settings
-# -----------------------------------------------------------------------------
-
-# Debug Mode
-# Set to True for development, False for production
-# When True: Shows detailed error pages, allows localhost access
-# When False: Shows generic error pages, requires ALLOWED_HOSTS to be set
-# Default: True
+# --- Core Runtime ---
+# Debug mode (default: True)
 DEBUG=True
 
-# -----------------------------------------------------------------------------
-# Host and CORS Configuration
-# -----------------------------------------------------------------------------
-
-# Allowed Hosts
-# Comma-separated list of host/domain names that this Django site can serve
-# Required for production (leave empty for development with DEBUG=True)
-# Example: grammo.kaeizen.dev,kaeizen.dev
-# Example: localhost,127.0.0.1 (for local development)
-# Default: [] (empty list, uses DEBUG=True fallback)
-ALLOWED_HOSTS=
-
-# CORS Allow All Origins
-# Set to True to allow all origins (development only)
-# Set to False or empty string to restrict origins (production)
-# When False, configure specific origins using django-cors-headers settings
-# Default: True (allows all origins)
-CORS_ALLOW_ALL_ORIGINS=True
-
-# CSRF Trusted Origins
-# Comma-separated list of trusted origins for CSRF protection
-# Include your frontend URL(s) here
-# Example: http://localhost:5173,http://localhost:3000
-# Example for production: https://grammo.kaeizen.dev,https://kaeizen.dev
-# Default: [] (empty list)
-CSRF_TRUSTED_ORIGINS=http://localhost:5173,http://localhost:3000
-
-# -----------------------------------------------------------------------------
-# Security Settings
-# -----------------------------------------------------------------------------
-
-# Session Cookie Security
-# Set to False for local development (no HTTPS)
-# Set to True for production (requires HTTPS)
-# When True, cookies are only sent over HTTPS connections
-# Default: False
-SESSION_COOKIE_SECURE=False
-
-# CSRF Cookie Security
-# Set to False for local development (no HTTPS)
-# Set to True for production (requires HTTPS)
-# When True, CSRF cookies are only sent over HTTPS connections
-# Default: False
-CSRF_COOKIE_SECURE=False
+# App mode: "development" (default) or "production"
+MODE=development
 
-# Secure SSL Redirect
-# Set to True in production to redirect all HTTP requests to HTTPS
-# Requires proper HTTPS configuration and valid SSL certificates
-# Set to False for local development (no HTTPS)
-# Default: False
-SECURE_SSL_REDIRECT=False
+# Port used only when running `python app.py` (Hugging Face Spaces)
+# PORT=7860
 
-# Secure Content Type No Sniff
-# Prevents browsers from MIME-sniffing the content-type
-# Set to True for production, False for development (optional)
-# Default: False
-SECURE_CONTENT_TYPE_NOSNIFF=False
-
-# -----------------------------------------------------------------------------
-# HSTS (HTTP Strict Transport Security) Settings
-# -----------------------------------------------------------------------------
-# WARNING: Only enable HSTS after ensuring HTTPS works correctly for all domains!
-# Once enabled, browsers will remember this for SECURE_HSTS_SECONDS seconds
-# Setting a value > 0 will enable HSTS, set to 0 to disable (recommended for development)
-# -----------------------------------------------------------------------------
-
-# HSTS Seconds
-# Set to 0 to disable HSTS (recommended for development)
-# Set to a positive value (e.g., 31536000 for 1 year) for production
-# Only enable after ensuring HTTPS works correctly
-# Default: 0 (disabled)
-SECURE_HSTS_SECONDS=0
-
-# HSTS Include Subdomains
-# Only used when SECURE_HSTS_SECONDS > 0
-# Set to True to apply HSTS to all subdomains
-# Set to False to apply only to the main domain
-# Default: False
-SECURE_HSTS_INCLUDE_SUBDOMAINS=False
-
-# HSTS Preload
-# Only used when SECURE_HSTS_SECONDS > 0
-# Set to True to allow inclusion in browser preload lists
-# See: https://hstspreload.org/
-# Default: False
-SECURE_HSTS_PRELOAD=False
-
-# -----------------------------------------------------------------------------
-# Example Production Configuration
-# -----------------------------------------------------------------------------
-# For production, use settings similar to these:
-#
-# DEBUG=False
+# --- Production-only ---
+# When MODE=production, set these appropriately
+# Comma-separated (no spaces)
 # ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com
-# SESSION_COOKIE_SECURE=True
-# CSRF_COOKIE_SECURE=True
+
+# Comma-separated full origins (scheme + host)
 # CSRF_TRUSTED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
-# SECURE_SSL_REDIRECT=True
-# SECURE_CONTENT_TYPE_NOSNIFF=True
-# SECURE_HSTS_SECONDS=31536000
-# SECURE_HSTS_INCLUDE_SUBDOMAINS=True
-# SECURE_HSTS_PRELOAD=True
-# CORS_ALLOW_ALL_ORIGINS=False
+
+# Notes:
+# - Security and CORS flags are derived automatically from MODE in settings.py
+# - Do not set SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, CORS_ALLOW_ALL_ORIGINS, or SECURE_* directly

Dockerfile

@@ -22,20 +22,23 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Install specific transformers
 RUN pip install git+https://github.com/huggingface/transformers@8fb854cac869b42c87a7bd15d9298985c5aea96e
 
-RUN --mount=type=secret,id=SECRET_KEY,env=SECRET_KEY
-RUN --mount=type=secret,id=HUGGINGFACEHUB_API_TOKEN,env=HUGGINGFACEHUB_API_TOKEN
-
-RUN --mount=type=secret,id=DEBUG,env=DEBUG
-RUN --mount=type=secret,id=SESSION_COOKIE_SECURE,env=SESSION_COOKIE_SECURE
-RUN --mount=type=secret,id=CSRF_COOKIE_SECURE,env=CSRF_COOKIE_SECURE
-RUN --mount=type=secret,id=ALLOWED_HOSTS,env=ALLOWED_HOSTS
-RUN --mount=type=secret,id=SECURE_CONTENT_TYPE_NOSNIFF,env=SECURE_CONTENT_TYPE_NOSNIFF
-RUN --mount=type=secret,id=SECURE_SSL_REDIRECT,env=SECURE_SSL_REDIRECT
-RUN --mount=type=secret,id=SECURE_HSTS_SECONDS,env=SECURE_HSTS_SECONDS
-RUN --mount=type=secret,id=SECURE_HSTS_INCLUDE_SUBDOMAINS,env=SECURE_HSTS_INCLUDE_SUBDOMAINS
-RUN --mount=type=secret,id=SECURE_HSTS_PRELOAD,env=SECURE_HSTS_PRELOAD
-RUN --mount=type=secret,id=CORS_ALLOW_ALL_ORIGINS,env=CORS_ALLOW_ALL_ORIGINS
-RUN --mount=type=secret,id=CSRF_TRUSTED_ORIGINS,env=CSRF_TRUSTED_ORIGINS
+RUN --mount=type=secret,id=SECRET_KEY,mode=0444,required=true \
+    sh -c 'printf "SECRET_KEY=%s\n" "$(cat /run/secrets/SECRET_KEY)" > .env'
+
+RUN --mount=type=secret,id=HUGGINGFACEHUB_API_TOKEN,mode=0444,required=true \
+    sh -c 'printf "HUGGINGFACEHUB_API_TOKEN=%s\n" "$(cat /run/secrets/HUGGINGFACEHUB_API_TOKEN)" >> .env'
+
+RUN --mount=type=secret,id=MODE,mode=0444,required=true \
+    sh -c 'printf "MODE=%s\n" "$(cat /run/secrets/MODE)" >> .env'
+
+RUN --mount=type=secret,id=DEBUG,mode=0444,required=true \
+    sh -c 'printf "DEBUG=%s\n" "$(cat /run/secrets/DEBUG)" >> .env'
+
+RUN --mount=type=secret,id=ALLOWED_HOSTS,mode=0444,required=true \
+    sh -c 'printf "ALLOWED_HOSTS=%s\n" "$(cat /run/secrets/ALLOWED_HOSTS)" >> .env'
+
+RUN --mount=type=secret,id=CSRF_TRUSTED_ORIGINS,mode=0444,required=true \
+    sh -c 'printf "CSRF_TRUSTED_ORIGINS=%s\n" "$(cat /run/secrets/CSRF_TRUSTED_ORIGINS)" >> .env'
 
 # Copy the entire backend directory
 COPY . .

README.md

@@ -73,18 +73,22 @@ pip install -r requirements.txt
 
 ### 4. Set up environment variables
 
-Create a `.env` file in the `backend` directory:
+Create a `.env` file in the `backend` directory (or copy from the example):
 
 ```bash
-touch .env
+cp .env.example .env  # or: touch .env
 ```
 
-Add the following environment variables (see [Environment Variables](#environment-variables) section for details):
+At minimum, set the variables below (see [Environment Variables](#environment-variables) for details):
 
 ```env
+# Required
 SECRET_KEY=your-secret-key-here
 HUGGINGFACEHUB_API_TOKEN=your-huggingface-api-token
+
+# Common
 DEBUG=True
+MODE=development  # change to "production" for deployment
 ```
 
 To generate a Django secret key:
@@ -101,49 +105,51 @@ python manage.py migrate
 
 ## Environment Variables
 
-Create a `.env` file in the `backend` directory with the following variables:
+Create a `.env` file in the `backend` directory. The backend loads variables from this file using `python-dotenv`.
 
-### Required Variables
+### Required
 
 ```env
 # Django Secret Key (generate one using the command above)
 SECRET_KEY=your-secret-key-here
 
-# HuggingFace API Token
+# HuggingFace API Token (any of these will be picked up; preferred shown first)
 HUGGINGFACEHUB_API_TOKEN=your-huggingface-api-token
+# HF_TOKEN=your-huggingface-api-token
+# HF_API_TOKEN=your-huggingface-api-token
 ```
 
-### Optional Development Variables
+### Core Runtime
 
 ```env
 # Debug mode (default: True)
 DEBUG=True
 
-# Session security (default: False for development)
-SESSION_COOKIE_SECURE=False  # Set to True in production (requires HTTPS)
-CSRF_COOKIE_SECURE=False     # Set to True in production (requires HTTPS)
+# App mode: "development" (default) or "production"
+MODE=development
 
-# CORS settings
-CORS_ALLOW_ALL_ORIGINS=True  # Set to False in production and specify origins
+# Port only used when running `python app.py` (Hugging Face Spaces)
+# PORT=7860
 ```
 
-### Optional Production Variables
+### Production-only
+
+When `MODE=production`, the following become relevant:
 
 ```env
-# Allowed hosts (comma-separated)
+# Allowed hosts (comma-separated, no spaces)
 ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com
 
 # CSRF trusted origins (comma-separated)
 CSRF_TRUSTED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
-
-# Security settings
-SECURE_SSL_REDIRECT=True
-SECURE_CONTENT_TYPE_NOSNIFF=True
-SECURE_HSTS_SECONDS=31536000
-SECURE_HSTS_INCLUDE_SUBDOMAINS=True
-SECURE_HSTS_PRELOAD=True
 ```
 
+Notes:
+- Most security and CORS flags are derived automatically from `MODE` in `backend/settings.py`:
+  - In development: permissive defaults for local usage
+  - In production: `CORS_ALLOW_ALL_ORIGINS=False`, secure cookies, HSTS, content type nosniff, and SSL redirect are enabled
+- Do not set `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `CORS_ALLOW_ALL_ORIGINS`, or `SECURE_*` directly via env; they are computed from `MODE`.
+
 ## Running the Application
 
 ### Development Mode
@@ -323,12 +329,10 @@ The backend includes a `Dockerfile` configured for HuggingFace Spaces deployment
 1. **Set environment variables** in your Space settings:
    - `SECRET_KEY`
    - `HUGGINGFACEHUB_API_TOKEN`
+   - `MODE=production`
    - `DEBUG=False`
    - `ALLOWED_HOSTS=your-space-name.hf.space`
-   - `CORS_ALLOW_ALL_ORIGINS=False`
    - `CSRF_TRUSTED_ORIGINS=https://your-space-name.hf.space`
-   - `SESSION_COOKIE_SECURE=True`
-   - `CSRF_COOKIE_SECURE=True`
 
 2. **Push your code** to the Space repository
 
@@ -337,7 +341,8 @@ The backend includes a `Dockerfile` configured for HuggingFace Spaces deployment
 ### General Production Deployment
 
 1. Set production environment variables (see [Environment Variables](#environment-variables))
-2. Set `DEBUG=False`
+   - `MODE=production`, `DEBUG=False`
+   - `ALLOWED_HOSTS` and `CSRF_TRUSTED_ORIGINS`
 3. Configure a proper database (PostgreSQL recommended)
 4. Set up Redis or another cache backend for sessions
 5. Use a production ASGI server (Uvicorn with multiple workers or Gunicorn with Uvicorn workers)

backend/settings.py

@@ -30,41 +30,47 @@ SECRET_KEY = os.environ.get("SECRET_KEY", "local-dev-secret")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = os.environ.get("DEBUG", "True") == "True"
 
-ALLOWED_HOSTS = [
+MODE = os.environ.get("MODE", "development")
+
+ALLOWED_HOSTS =[
     origin.strip()
     for origin in os.environ.get("ALLOWED_HOSTS", "").split(",")
     if origin.strip()
-] if os.environ.get("ALLOWED_HOSTS") else []
+] if MODE == 'production' else []
 
 CORS_ALLOW_CREDENTIALS = True
-CORS_ALLOW_ALL_ORIGINS = os.environ.get("CORS_ALLOW_ALL_ORIGINS", "True") == "True"
+CORS_ALLOW_ALL_ORIGINS = False if MODE == 'production' else True
 
 
 SESSION_COOKIE_HTTPONLY = True
-SESSION_COOKIE_SECURE = os.environ.get("SESSION_COOKIE_SECURE", "False") == "True" # use False only for local dev (no HTTPS)
+SESSION_COOKIE_SECURE = False if MODE == 'production' else True # use False only for local dev (no HTTPS)
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_AGE = 60 * 60 * 24  # 1 day
 
 CSRF_COOKIE_HTTPONLY = True
-CSRF_COOKIE_SECURE = os.environ.get("CSRF_COOKIE_SECURE", "False") == "True"
+CSRF_COOKIE_SECURE = False if MODE == 'production' else True
 CSRF_TRUSTED_ORIGINS = [
     origin.strip()
     for origin in os.environ.get("CSRF_TRUSTED_ORIGINS", "").split(",")
     if origin.strip()
-]
+] if MODE == 'production' else [
+	'http://localhost:5173',
+	'http://localhost:4173',
+	'http://localhost:3000'
+	]
 
-SECURE_SSL_REDIRECT = os.environ.get("SECURE_SSL_REDIRECT", "False") == "True"
+SECURE_SSL_REDIRECT = False if MODE == 'production' else True
 
-SECURE_CONTENT_TYPE_NOSNIFF = os.environ.get("SECURE_CONTENT_TYPE_NOSNIFF", "False") == "True"
+SECURE_CONTENT_TYPE_NOSNIFF = False if MODE == 'production' else True
 
 # HSTS settings - only enable in production with proper HTTPS configuration
 # WARNING: Once enabled, browsers will remember this for SECURE_HSTS_SECONDS seconds
 # Only enable after ensuring HTTPS works correctly for all domains
 # Set to 0 to disable HSTS (default for development), or set a positive value (e.g., 31536000 for 1 year) for production
-SECURE_HSTS_SECONDS = int(os.environ.get("SECURE_HSTS_SECONDS", "0"))
-if SECURE_HSTS_SECONDS > 0:
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = os.environ.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", "False") == "True"
-    SECURE_HSTS_PRELOAD = os.environ.get("SECURE_HSTS_PRELOAD", "False") == "True"
+SECURE_HSTS_SECONDS = 31536000 if MODE == 'production' else 0
+if MODE == 'production':
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_HSTS_PRELOAD = True
 
 
 # Allow embedding in an iframe only from Hugging Face Spaces (for integration)