BetterFrame/sec-config.yaml

# BSB runtime configuration for BetterFrame server.
#
# Profile: 'default' — single-host install where the server, node-red, and
# (optionally) one kiosk all run on the same Pi. For multi-kiosk deployments
# the server is the same; kiosks have their own runtime config.
#
# Override individual values via env: BSB_<plugin>_<key>=value (consult BSB
# docs for the exact env-override semantics for v9).

default:
  observable:
    observable-default:
      plugin: observable-default
      enabled: true
      config: {}
  events:
    events-default:
      plugin: events-default
      enabled: true
  services:
    # ----- Data layer -----
    service-store:
      plugin: service-store
      enabled: true
      config:
        sqlitePath: /var/lib/betterframe/betterframe.db

    # ----- Admin UI + API (includes secrets + auth config) -----
    service-admin-http:
      plugin: service-admin-http
      enabled: true
      config:
        host: 0.0.0.0
        port: 18080
        # Secrets (was service-secrets)
        dataDir: /var/lib/betterframe
        # Auth (was service-auth)
        sessionIdleSeconds: 43200    # 12h
        sessionMaxSeconds: 2592000   # 30d
        loginLockoutThreshold: 8
        loginLockoutSeconds: 900     # 15m
        argon2Memory: 65536          # KiB; tuned for Pi5 ~100ms
        argon2TimeCost: 3
        argon2Parallelism: 2
        cookieName: betterframe_session
        totpIssuer: BetterFrame

    # ----- Kiosk-facing REST API -----
    service-api-http:
      plugin: service-api-http
      enabled: true
      config:
        host: 0.0.0.0
        port: 18081
        codeTtlSeconds: 600          # 10m pairing code TTL
        dataDir: /var/lib/betterframe
        argon2Memory: 65536
        argon2TimeCost: 3
        argon2Parallelism: 2

    # ----- Live kiosk WebSocket channel -----
    service-coordinator-ws:
      plugin: service-coordinator-ws
      enabled: true
      config:
        host: 0.0.0.0
        port: 18082
        noderedUrl: http://127.0.0.1:1880
        dataDir: /var/lib/betterframe
        argon2Memory: 65536
        argon2TimeCost: 3
        argon2Parallelism: 2
adding initial project 2026-05-09 23:09:13 +00:00			`# BSB runtime configuration for BetterFrame server.`
			`#`
			`# Profile: 'default' — single-host install where the server, node-red, and`
			`# (optionally) one kiosk all run on the same Pi. For multi-kiosk deployments`
			`# the server is the same; kiosks have their own runtime config.`
			`#`
			`# Override individual values via env: BSB_<plugin>_<key>=value (consult BSB`
			`# docs for the exact env-override semantics for v9).`

			`default:`
			`observable:`
			`observable-default:`
			`plugin: observable-default`
			`enabled: true`
			`config: {}`
			`events:`
			`events-default:`
			`plugin: events-default`
			`enabled: true`
			`services:`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`# ----- Data layer -----`
adding initial project 2026-05-09 23:09:13 +00:00			`service-store:`
			`plugin: service-store`
			`enabled: true`
			`config:`
			`sqlitePath: /var/lib/betterframe/betterframe.db`

refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`# ----- Admin UI + API (includes secrets + auth config) -----`
			`service-admin-http:`
			`plugin: service-admin-http`
adding initial project 2026-05-09 23:09:13 +00:00			`enabled: true`
			`config:`
fix: bind admin-http to 0.0.0.0 for external access 127.0.0.1 rejects connections from other machines on the network. 2026-05-10 00:48:47 +00:00			`host: 0.0.0.0`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`port: 18080`
			`# Secrets (was service-secrets)`
adding initial project 2026-05-09 23:09:13 +00:00			`dataDir: /var/lib/betterframe`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`# Auth (was service-auth)`
adding initial project 2026-05-09 23:09:13 +00:00			`sessionIdleSeconds: 43200 # 12h`
			`sessionMaxSeconds: 2592000 # 30d`
			`loginLockoutThreshold: 8`
			`loginLockoutSeconds: 900 # 15m`
			`argon2Memory: 65536 # KiB; tuned for Pi5 ~100ms`
			`argon2TimeCost: 3`
			`argon2Parallelism: 2`
fix: add cookieName and totpIssuer to sec-config explicitly BSB config doesn't apply schema defaults for missing keys. Cookie was being set with name "undefined". 2026-05-10 00:55:21 +00:00			`cookieName: betterframe_session`
			`totpIssuer: BetterFrame`
adding initial project 2026-05-09 23:09:13 +00:00
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`# ----- Kiosk-facing REST API -----`
adding initial project 2026-05-09 23:09:13 +00:00			`service-api-http:`
			`plugin: service-api-http`
			`enabled: true`
			`config:`
feat: implement kiosk API, pairing flow, and bundle generation - service-api-http: h3 on :18081 with pairing, bundle, heartbeat, and event endpoints - shared/pairing.ts: 8-char code state machine (initiate → claim → confirm) - shared/bundle.ts: label-scoped bundle with cluster-encrypted ONVIF passwords - Admin kiosks page: POST /admin/kiosks/pair wired to confirmPairing - sec-config: api-http bound to 0.0.0.0 with auth config 2026-05-10 01:12:07 +00:00			`host: 0.0.0.0`
adding initial project 2026-05-09 23:09:13 +00:00			`port: 18081`
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`codeTtlSeconds: 600 # 10m pairing code TTL`
feat: implement kiosk API, pairing flow, and bundle generation - service-api-http: h3 on :18081 with pairing, bundle, heartbeat, and event endpoints - shared/pairing.ts: 8-char code state machine (initiate → claim → confirm) - shared/bundle.ts: label-scoped bundle with cluster-encrypted ONVIF passwords - Admin kiosks page: POST /admin/kiosks/pair wired to confirmPairing - sec-config: api-http bound to 0.0.0.0 with auth config 2026-05-10 01:12:07 +00:00			`dataDir: /var/lib/betterframe`
			`argon2Memory: 65536`
			`argon2TimeCost: 3`
			`argon2Parallelism: 2`
adding initial project 2026-05-09 23:09:13 +00:00
refactor: collapse 6 non-service plugins into shared modules BSB plugins should be actual services (own port, lifecycle, resource ownership). Moved secrets, auth, pairing, bundle, nodered-bridge, and cec-relay from plugin folders to shared modules under server/src/shared/. 4 BSB plugins remain: service-store, service-admin-http, service-api-http, service-coordinator-ws. service-admin-http now initializes secrets + auth as plain modules in init() using the store repo from the plugin-registry singleton. No more setSiblings() hack or inter-plugin wiring. sec-config.yaml updated: secrets/auth config moved into service-admin-http, pairing config into service-api-http, nodered config into service-coordinator-ws. 2026-05-10 00:29:25 +00:00			`# ----- Live kiosk WebSocket channel -----`
adding initial project 2026-05-09 23:09:13 +00:00			`service-coordinator-ws:`
			`plugin: service-coordinator-ws`
			`enabled: true`
			`config:`
feat: RTSP field split, coordinator-ws stub, CLAUDE.md update - Camera add/edit: split RTSP URL into host/port/path/user/pass fields - Camera edit updates stream URI when RTSP URL changes - service-coordinator-ws: HTTP health stub (WS upgrade deferred) - Repository: added updateCameraStream - CLAUDE.md: full rewrite reflecting current architecture 2026-05-10 13:35:47 +00:00			`host: 0.0.0.0`
adding initial project 2026-05-09 23:09:13 +00:00			`port: 18082`
			`noderedUrl: http://127.0.0.1:1880`
feat: RTSP field split, coordinator-ws stub, CLAUDE.md update - Camera add/edit: split RTSP URL into host/port/path/user/pass fields - Camera edit updates stream URI when RTSP URL changes - service-coordinator-ws: HTTP health stub (WS upgrade deferred) - Repository: added updateCameraStream - CLAUDE.md: full rewrite reflecting current architecture 2026-05-10 13:35:47 +00:00			`dataDir: /var/lib/betterframe`
			`argon2Memory: 65536`
			`argon2TimeCost: 3`
			`argon2Parallelism: 2`