agent tree

.env.example

@@ -41,3 +41,22 @@ PORT=3000
 # Maximum agent loop iterations
 MAX_ITERATIONS=50
 
+# =============================================================================
+# Dashboard / API Auth (JWT)
+# =============================================================================
+# When DEV_MODE=false, the API requires Authorization: Bearer <jwt> on all endpoints
+# except /api/health and /api/auth/login.
+#
+# For local debugging, set DEV_MODE=true to disable auth entirely.
+DEV_MODE=true
+
+# Password the dashboard submits to obtain a JWT.
+# Choose something strong in real deployments.
+DASHBOARD_PASSWORD=change-me
+
+# HMAC secret used to sign/verify JWTs. Use a strong random value in production.
+JWT_SECRET=change-me-to-a-long-random-string
+
+# JWT validity in days (default: 30)
+JWT_TTL_DAYS=30
+