{
  "app_id": "db82f581256a3c9244c4d7129a67336990d08cdf",
  "git_sha": "8174c06",
  "image_digest": "sha256:5f109cbf90383ee46bf37d94ee0d4989e69541047ad1351c35558e49b00b79ce",
  "source_code": "https://github.com/jameslbarnes/hermes",
  "trust_center": "https://trust.phala.com/app/db82f581256a3c9244c4d7129a67336990d08cdf",
  "tee_metadata": "https://db82f581256a3c9244c4d7129a67336990d08cdf-8090.dstack-pha-prod9.phala.network/",
  "env_vars": {
    "BASE_URL": true,
    "FIREBASE_SERVICE_ACCOUNT_BASE64": true,
    "ANTHROPIC_API_KEY": true,
    "MODERATOR_URL": true,
    "MODERATOR_API_KEY": true,
    "FIRECRAWL_API_KEY": false,
    "SENDGRID_API_KEY": true,
    "SENDGRID_FROM_EMAIL": true,
    "TELEGRAM_BOT_TOKEN": false,
    "TELEGRAM_CHANNEL_ID": false,
    "TELEGRAM_GROUP_CHAT_ID": false,
    "TELEGRAM_BOT_SECRET_KEY": false,
    "TELEGRAM_BOT_HANDLE": false,
    "TELEGRAM_POST_MODE": false,
    "TELEGRAM_MAX_PER_HOUR": false,
    "TELEGRAM_COOLDOWN_MS": false
  },
  "env_vars_note": "Values are injected via Phala dashboard encrypted storage. The docker-compose template (in source) uses bare variable names — no secrets are baked into the compose file or exposed in TEE metadata.",
  "verification_steps": [
    "Check env_vars above — secrets are set (true) but values are never in the compose file",
    "Read docker-compose.template.yml in the source repo to confirm bare variable names",
    "Visit trust_center to verify the TDX attestation from Intel hardware",
    "Compare image_digest with the GitHub Actions build output for the git_sha commit"
  ]
}