feat: complete runtime for production exposure

docs/CONFIGURATION.md

@@ -26,7 +26,8 @@ Comma-separated list of enabled handlers. Disabled verbs return `404`.
 |---|---|---|
 | `RECEIPT_SIGNER_ID` | `runtime` (or `ENS_NAME` when set) | Receipt proof signer identifier. |
 | `RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64` | empty | Required for signing receipts. Base64 of PEM private key. |
-| `RECEIPT_SIGNING_PUBLIC_KEY` | empty | Optional local verifier pubkey text in `ed25519:<base64>` format for `/verify`. |
+| `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64` | empty | Public key for `/verify` (base64-encoded PEM). |
+| `RECEIPT_SIGNING_PUBLIC_KEY_PEM` | empty | Public key for `/verify` (plain PEM text). Either this or the B64 variant is sufficient. |
 | `ENS_NAME` | empty | Optional identity alias fallback. |
 
 ## ENS-based verification
@@ -47,6 +48,7 @@ Comma-separated list of enabled handlers. Disabled verbs return `404`.
 | `SCHEMA_FETCH_TIMEOUT_MS` | `15000` | Timeout per schema document fetch. |
 | `SCHEMA_VALIDATE_BUDGET_MS` | `15000` | Budget for async schema compilation. |
 | `VERIFY_SCHEMA_CACHED_ONLY` | `1` | If `1`, `/verify?schema=1` only uses warm validators and returns `202` on cold cache. |
+| `REQUEST_SCHEMA_VALIDATION` | `0` | If `1`, validate verb request payloads against published request schemas. Returns `503` if schemas are unavailable. |
 
 ## Cache controls
 
@@ -73,6 +75,35 @@ Comma-separated list of enabled handlers. Disabled verbs return `404`.
 | `ENABLE_SSRF_GUARD` | `1` | Enables DNS/IP/local-network SSRF checks. |
 | `ALLOW_FETCH_HOSTS` | empty | Optional CSV domain allowlist (`example.com,api.example.com`). |
 
+## CORS
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `CORS_ALLOW_ORIGINS` | empty | Comma-separated list of allowed origins. Empty = deny browser-origin requests. Use `*` to allow all (not recommended in production). |
+| `CORS_ALLOW_HEADERS` | `Content-Type, Authorization` | Allowed request headers. |
+| `CORS_ALLOW_METHODS` | `GET,POST,OPTIONS` | Allowed HTTP methods. |
+
+## Debug routes
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `DEBUG_ROUTES_ENABLED` | `0` | If `1`, enables `/debug/*` endpoints. Disabled by default in production. |
+| `DEBUG_BEARER_TOKEN` | empty | If set, requires `Authorization: Bearer <token>` on all debug routes. |
+
+## Request logging
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `LOG_REQUESTS` | `1` | If `1`, emits structured JSON log lines to stdout for every request. |
+
+## Rate limiting
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `RATE_LIMIT_ENABLED` | `0` | If `1`, enables per-IP rate limiting. |
+| `RATE_LIMIT_MAX` | `120` | Max requests per window per IP. |
+| `RATE_LIMIT_WINDOW_MS` | `60000` | Sliding window duration in milliseconds. |
+
 ## Schema prewarm behavior
 
 | Variable | Default | Purpose |
@@ -83,8 +114,11 @@ Comma-separated list of enabled handlers. Disabled verbs return `404`.
 
 ## Recommended production baseline
 
-- Set explicit signing keys and verify `signer_ok=true` on `/health`.
+- Set explicit signing keys and verify `signer_ok=true` and `verifier_ok=true` on `/health`.
 - Keep `VERIFY_SCHEMA_CACHED_ONLY=1` for edge stability.
+- Set `CORS_ALLOW_ORIGINS` to specific origins (never `*` in production).
+- Set `DEBUG_ROUTES_ENABLED=0` (default) or protect with `DEBUG_BEARER_TOKEN`.
+- Set `RATE_LIMIT_ENABLED=1` with appropriate limits for your traffic profile.
 - Restrict egress using both network policy and `ALLOW_FETCH_HOSTS` where possible.
 - Tune `FETCH_MAX_BYTES` and timeout budgets based on expected payload sizes.
 - Poll `/debug/validators` after deploy and prewarm critical verbs.