##############################################
# Docker Compose Configuration
##############################################
# Example environment for the compose stack. Every password and access key in
# this file is a development placeholder: change them all before any service is
# reachable beyond the local host, and keep the real .env out of version control.
# Docker compose setup
COMPOSE_PROJECT_NAME=my_project
# `latest` is a mutable tag, and PULL_POLICY=always re-resolves it on every
# start, so what actually runs can change without any change to this file.
# Pin a release tag for reproducible, reviewable deployments.
VERSION_TAG=latest
IMAGE_DIR=cryptolabinc/
PULL_POLICY=always # if_not_present if you want to use local images
# Docker volume mount setup
DOCKER_VOLUME_DIRECTORY=./volumes # Set the docker volume mounting directory if needed
DOCKER_VOLUME_DIRECTORY_KMS=./kms-volumes # Separate volume directory for KMS to avoid permission issues with local storage
# Log Level
# More verbose levels may include request details in logs; keep INFO or higher on shared hosts.
ENVECTOR_LOG_LEVEL=INFO
# License Key
# Uncomment and fill in; treat the token as a secret.
# ENVECTOR_LICENSE_TOKEN=
##############################################
# Docker Images
##############################################
# Each service image is IMAGE_DIR + service name, tagged with VERSION_TAG by
# default. Any *_TAG below can be set on its own to pin a single service
# without moving the others.
# Endpoint
ENVECTOR_ENDPOINT_IMAGE_NAME=${IMAGE_DIR}envector-endpoint
ENVECTOR_ENDPOINT_TAG=${VERSION_TAG}
# Backend
ENVECTOR_BACKEND_IMAGE_NAME=${IMAGE_DIR}envector-backend
ENVECTOR_BACKEND_TAG=${VERSION_TAG}
# Shaper
ENVECTOR_SHAPER_IMAGE_NAME=${IMAGE_DIR}envector-shaper
ENVECTOR_SHAPER_TAG=${VERSION_TAG}
# Orchestrator
ENVECTOR_ORCHESTRATOR_IMAGE_NAME=${IMAGE_DIR}envector-orchestrator
ENVECTOR_ORCHESTRATOR_TAG=${VERSION_TAG}
# Compute
ENVECTOR_COMPUTE_IMAGE_NAME=${IMAGE_DIR}envector-compute
ENVECTOR_COMPUTE_TAG=${VERSION_TAG}
# KMS (optional service; enable with ./start_envector.sh --kms)
# Two images: the KMS API and the TEE-side component it talks to.
ENVECTOR_KMS_IMAGE_NAME=${IMAGE_DIR}envector-kms
ENVECTOR_KMS_TAG=${VERSION_TAG}
ENVECTOR_KMS_TEE_IMAGE_NAME=${IMAGE_DIR}envector-kms-tee
ENVECTOR_KMS_TEE_TAG=${VERSION_TAG}
# Audit (optional service; enable with ./start_envector.sh --audit)
ENVECTOR_AUDIT_IMAGE_NAME=${IMAGE_DIR}envector-audit
ENVECTOR_AUDIT_TAG=${VERSION_TAG}
##############################################
# Connection Configurations
##############################################
# Host ports published by the compose files. Docker publishes on all host
# interfaces unless the compose file pins a bind address (not visible here),
# so treat every port below as reachable from whatever network the host is on.
# Endpoint
ENVECTOR_ENDPOINT_HOST_PORT=50050 # Set your endpoint host port here
ENVECTOR_HTTP_HEALTH_HOST_PORT=18080 # Exposes /health and /health/ready on the host
# NOTE(review): the admin API is enabled by default. Which port it listens on
# and what authenticates it are not visible in this file; confirm before the
# endpoint is reachable by anyone other than the operator, and disable it
# where it is not needed.
ENVECTOR_ADMIN_API_ENABLED=true
# KMS (optional service; enable with ./start_envector.sh --kms)
# gRPC and HTTP host ports for the KMS API.
ENVECTOR_KMS_GRPC_HOST_PORT=50090
ENVECTOR_KMS_HTTP_HOST_PORT=50091
# KMS-Audit (optional service; enable with ./start_envector.sh --kms-audit)
ENVECTOR_KMS_AUDIT_HOST_PORT=50053
# Auth (optional service; enable with ./start_envector.sh --keycloak)
# Host port for Keycloak; the OIDC issuer values further down refer to it.
KEYCLOAK_HOST_PORT=8082
# Audit (optional service; enable with ./start_envector.sh --audit)
ENVECTOR_AUDIT_HOST_PORT=50052
ENVECTOR_AUDIT_HTTP_HOST_PORT=58052
##############################################
# Infra Configurations
##############################################
# DB
# If ENVECTOR_DB_URL is set, the individual ENVECTOR_DB_* params below are ignored.
# The URL embeds the password in clear text and disables TLS (sslmode=disable).
# That is only acceptable for the bundled metadatadb container on the compose
# network; against any external database (see ENVECTOR_DB_ADDRESS) use
# sslmode=require or stronger. Keep this password in step with
# ENVECTOR_DB_PASSWORD below - the two copies are easy to let drift.
ENVECTOR_DB_URL="postgresql://postgres:abcdefghi@metadatadb:5432/mydatabase?sslmode=disable"
# Optional: set individual DB parameters instead of URL
ENVECTOR_DB_HOST=metadatadb
ENVECTOR_DB_PORT=5432
# Connects as the postgres superuser account; a dedicated least-privileged
# role is preferable for anything beyond local development.
ENVECTOR_DB_USER=postgres
ENVECTOR_DB_PASSWORD=abcdefghi
ENVECTOR_DB_NAME=mydatabase
ENVECTOR_DB_SCHEMA=public
# Same role as the URL's sslmode (values presumably follow libpq:
# disable/require/verify-full). Use require or verify-full for external DBs.
ENVECTOR_DB_SSL=disable
# Optional: external DB endpoint (host:port), e.g. AWS RDS.
# ENVECTOR_DB_ADDRESS=mydb.abcdefghijkl.us-east-1.rds.amazonaws.com:5432
# Storage
# S3-API object storage (MinIO locally). The user is MinIO's default root name
# and the password is the same placeholder as the metadata DB above - both are
# dev values. SECURE=false means plain HTTP: stored objects and the requests
# that carry them travel unencrypted, so only use it on an isolated compose
# network.
ENVECTOR_STORAGE_PROVIDER=s3
ENVECTOR_STORAGE_PORT=59000
ENVECTOR_STORAGE_CONSOLE_PORT=59001
ENVECTOR_STORAGE_USER=minioadmin
ENVECTOR_STORAGE_PASSWORD=abcdefghi
ENVECTOR_STORAGE_SECURE=false # Set to true if using HTTPS
# Bucket is created on startup when CREATE_BUCKET=true; against a managed
# bucket you control, set it to false so a typo here cannot create strays.
ENVECTOR_STORAGE_BUCKET_NAME=envector
ENVECTOR_STORAGE_CREATE_BUCKET=true
ENVECTOR_STORAGE_HAS_HEALTHCHECK_ENDPOINT=true # Set to true if storage has health check endpoint
ENVECTOR_STORAGE_REGION=us-east-1
# Cap MinIO Go runtime parallelism (defaults to 16). Uncomment compose `cpus` to also hard-limit.
# ENVECTOR_STORAGE_GOMAXPROCS=16
##############################################
# KMS Configurations (optional service; enable with ./start_envector.sh --kms)
##############################################
# KMS PubKey Storage
# minioadmin/minioadmin are MinIO's well-known default root credentials.
# Anyone who can reach kms-storage with them can read and replace the stored
# public keys; rotate them before the stack is reachable from a shared network.
ENVECTOR_KMS_MINIO_ENDPOINT=kms-storage:9000
ENVECTOR_KMS_MINIO_BUCKET=kms-keys
ENVECTOR_KMS_MINIO_ACCESS_KEY=minioadmin
ENVECTOR_KMS_MINIO_SECRET_KEY=minioadmin
# KMS SecKey Storage
# vault-transit seal mode: secret-key material is sealed via Vault's transit
# mount and kept under the secret mount (the exact wrapping flow lives in the
# KMS code, not here). Vault is addressed over https://.
ENVECTOR_KMS_SEAL_MODE=vault-transit
ENVECTOR_KMS_TRANSIT_MOUNT=transit
ENVECTOR_KMS_SECRET_MANAGER_ADDR=https://kms-vault:8200
ENVECTOR_KMS_SECRET_MANAGER_MOUNT=secret
# Require https:// + CA/mTLS on the kms-tee->Vault link; refuse startup otherwise.
# false is a local-dev convenience only: with it off, a plain-http or
# unverified Vault address is accepted, and the link that carries the secret
# keys is not guaranteed to be authenticated. Set to true outside local dev.
ENVECTOR_KMS_REQUIRE_VAULT_TLS=false
# Shared local PKI compose defaults
# A local step-ca issues the certificates used between Vault, kms-tee and the
# KMS API. It is a development CA; production should use an issuer the
# organisation controls.
STEP_CA_NAME=envector-local-ca
STEP_CA_DNS=step-ca,localhost,127.0.0.1
STEP_CA_ADDRESS=:9000
STEP_CA_PROVISIONER=envector-workloads
# Optional local provisioner password. Leave empty to auto-generate it into
# /step-secrets/step_ca_password in the envector-ca-secrets compose volume.
# Whoever can read that volume can mint certificates the whole stack trusts;
# protect it like a private key.
STEP_CA_PASSWORD=
# Certificate lifetimes: 8760h is one year, for both the default and the cap.
# Shorter workload certificates limit how long a leaked key stays usable.
STEP_CA_X509_DEFAULT_DUR=8760h
STEP_CA_X509_MAX_DUR=8760h
STEP_CA_URL=https://step-ca:9000
# CN is the certificate subject. SAN values are what modern TLS clients use
# for server name/IP verification.
# List only the names and addresses clients actually connect with; every extra
# SAN widens what the certificate will be accepted for.
VAULT_TLS_CN=kms-vault
VAULT_TLS_DNS=kms-vault,localhost
VAULT_TLS_IP=127.0.0.1
KMS_TEE_TLS_CN=envector-kms-tee
KMS_TEE_TLS_DNS=envector-kms-tee
KMS_API_TLS_CN=envector-kms
KMS_API_TLS_DNS=envector-kms,localhost
KMS_API_TLS_IP=127.0.0.1 # add your IP here if you use IP-based addressing for KMS API clients
# KMS TEE score decrypt worker count for DecryptBatchTopK.
ENVECTOR_KMS_DECRYPT_TOPK_JOBS=1
# ENVECTOR_KMS_TEE_GOMAXPROCS=
# KMS Auth
# Uncomment when using local KMS + Keycloak auth together.
# The JWKS URL below is plain http:// on the compose network. That is only
# acceptable on an isolated bridge network: over any other path an on-path
# attacker could substitute signing keys and mint tokens the KMS accepts.
# Use https:// there. The issuer must match the `iss` claim Keycloak puts in
# tokens, which presumably follows the URL clients used to obtain them (here
# the host port from KEYCLOAK_HOST_PORT) - verify against a real token if
# validation fails.
# ENVECTOR_KMS_AUTH_JWKS_URL=http://keycloak:8080/realms/envector/protocol/openid-connect/certs
# ENVECTOR_KMS_AUTH_OIDC_ISSUER=http://localhost:8082/realms/envector
# ENVECTOR_KMS_AUTH_ALLOWED_AUDIENCES=envector-cli
# ENVECTOR_KMS_AUTH_ROLE_CLAIM=envector_roles
# ENVECTOR_KMS_AUTH_PRINCIPAL_CLAIM=principal_id
# Policy document in the same shape as KEYCLOAK_TEST_AUTH_CAPABILITY_POLICY_JSON
# (see the Auth section), not a URL.
# ENVECTOR_KMS_AUTH_CAPABILITY_POLICY_JSON=
# KMS Audit
# Per the variable names: export records must carry a principal, and raw
# identity claims are kept out of the log (they may contain personal data).
ENVECTOR_KMS_AUDIT_EXPORT_REQUIRE_PRINCIPAL=true
ENVECTOR_KMS_AUDIT_LOG_INCLUDE_IDENTITY_CLAIMS=false
# KMS Audit Storage
# Same MinIO instance and the same default root credentials as the pubkey
# store above, over plain HTTP (SECURE=false). A holder of those credentials
# can rewrite the KMS audit trail; see the Audit section for the separate
# instance + object-lock recommendation, which applies here as well.
ENVECTOR_KMS_AUDIT_STORAGE_PROVIDER=s3
ENVECTOR_KMS_AUDIT_STORAGE_ADDRESS=kms-storage:9000
ENVECTOR_KMS_AUDIT_STORAGE_BUCKET_NAME=envector-kms-audit
ENVECTOR_KMS_AUDIT_STORAGE_USER=minioadmin
ENVECTOR_KMS_AUDIT_STORAGE_PASSWORD=minioadmin
ENVECTOR_KMS_AUDIT_STORAGE_REGION=us-east-1
ENVECTOR_KMS_AUDIT_STORAGE_SECURE=false
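##############################################
# Auth N/Z Configurations (optional service; enable with ./start_envector.sh --keycloak)
##############################################
# Auth
# Claim names the services read from a validated JWT: the roles array that is
# mapped through the capability policy, and the stable principal identifier.
ENVECTOR_AUTH_ROLE_CLAIM=envector_roles
ENVECTOR_AUTH_PRINCIPAL_CLAIM=principal_id
# NOTE(review): left empty here. What the services do with no JWKS URL (fail
# closed vs. run unauthenticated) is not visible in this file; confirm before
# relying on this default anywhere other than a private dev machine.
ENVECTOR_AUTH_JWKS_URL=
# JWT validation clock-skew tolerance in seconds (default 0 = strict). Applies to
# exp/nbf checks across all JWKS verifiers. Recommended 30-60 in production.
# Keep it small: every second of leeway extends the window in which an already
# expired token is still accepted.
# ENVECTOR_JWT_LEEWAY_SECONDS=0
# Uncomment when using local KMS + Keycloak auth together.
# ENVECTOR_AUTH_OIDC_ISSUER=http://localhost:8082/realms/envector
# ENVECTOR_AUTH_ALLOWED_AUDIENCES=envector-cli
# Capability policy: a JSON document mapping roles to capabilities, in the same
# shape as KEYCLOAK_TEST_AUTH_CAPABILITY_POLICY_JSON below. The value is the
# policy itself, not a URL (the JWKS endpoint belongs in ENVECTOR_AUTH_JWKS_URL).
# ENVECTOR_AUTH_CAPABILITY_POLICY_JSON={"role_capabilities":{"security":["read","write","owner_bypass"],"ops":["read"],"app":["read","write"]}}
# keycloak (recommended local auth overlay for v3)
KEYCLOAK_REALM=envector
# Bootstrap admin credentials for the local Keycloak container. Throwaway dev
# values; never reuse them on a stack that is reachable from a shared network.
KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME=kcadmin
KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD=kcadmin
KEYCLOAK_CLIENT_ID=envector-cli
# An empty secret presumably means a public client, which is appropriate for a
# CLI that cannot keep a secret - provided the client is restricted accordingly
# on the Keycloak side.
KEYCLOAK_CLIENT_SECRET=
KEYCLOAK_TOKEN_SCOPES="openid profile email"
# Password seeded for the locally created user(s) - dev only.
KEYCLOAK_LOCAL_USER_PASSWORD=password
# KEYCLOAK_TEST_* configure the local test realm. The JWKS is fetched over plain
# http:// on the compose network; use https:// whenever Keycloak is reachable
# over a network you do not fully control, or an on-path attacker can substitute
# signing keys.
KEYCLOAK_TEST_ALLOWED_AUDIENCES=envector-cli,envector-api
KEYCLOAK_TEST_ROLE_CLAIM=envector_roles
KEYCLOAK_TEST_PRINCIPAL_CLAIM=principal_id
KEYCLOAK_TEST_JWKS_URL=http://keycloak:8080/realms/envector/protocol/openid-connect/certs
# Test policy. Note that "security" is granted owner_bypass; review before
# copying this into any non-test policy.
KEYCLOAK_TEST_AUTH_CAPABILITY_POLICY_JSON={"role_capabilities":{"security":["read","write","owner_bypass"],"ops":["read"],"app":["read","write"]}}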
##############################################
# Audit Configurations (optional service; enable with ./start_envector.sh --audit)
##############################################
# audit configuration
# NOTE(review): false here while the KMS counterpart
# (ENVECTOR_KMS_AUDIT_EXPORT_REQUIRE_PRINCIPAL) defaults to true. Align them,
# and set this to true anywhere the audit trail is actually relied upon.
AUDIT_EXPORT_REQUIRE_PRINCIPAL=false # Set to true in production
AUDIT_LOG_SINK=file
AUDIT_LOG_INCLUDE_IDENTITY_CLAIMS=false
# audit auth
# NOTE(review): both an *_OIDC_ISSUER (empty) and an *_EXPECTED_ISSUER (set)
# variable exist; which one the audit verifier reads is not visible in this
# file - confirm, and keep them consistent. The JWKS URL is plain http:// on
# the compose network; use https:// over any network you do not control.
ENVECTOR_AUDIT_AUTH_OIDC_ISSUER=
ENVECTOR_AUDIT_AUTH_JWKS_URL=http://keycloak:8080/realms/envector/protocol/openid-connect/certs
ENVECTOR_AUDIT_AUTH_EXPECTED_ISSUER=http://localhost:8082/realms/envector
ENVECTOR_AUDIT_AUTH_ALLOWED_AUDIENCES=envector-cli
# audit storage configuration
# As configured, audit records land in the same MinIO instance, with the same
# password, as the application's own storage (ENVECTOR_STORAGE_PASSWORD).
# Anyone holding those credentials can delete or rewrite the trail. The
# commented settings below (separate instance, object lock, retention) are
# what make it tamper-evident and are expected in production.
ENVECTOR_AUDIT_STORAGE_PROVIDER=s3
ENVECTOR_AUDIT_STORAGE_ADDRESS=storage:59000 # Set to audit-storage:59000 in production
ENVECTOR_AUDIT_STORAGE_BUCKET_NAME=envector-audit
ENVECTOR_AUDIT_STORAGE_USER=minioadmin
ENVECTOR_AUDIT_STORAGE_PASSWORD=abcdefghi
ENVECTOR_AUDIT_STORAGE_SECURE=false
ENVECTOR_AUDIT_STORAGE_REGION=us-east-1
# In production, separate audit storage instance is recommended.
# Uncomment `audit-storage` service from envector storage in docker-compose.audit.yml.
# ENVECTOR_AUDIT_STORAGE_ADDRESS=audit-storage:59000
# In production, object lock must be set.
# On S3-compatible stores object lock typically has to be enabled when the
# bucket is created and cannot be added afterwards - confirm for your store and
# plan for it before first use. COMPLIANCE mode cannot be shortened or removed,
# even by an administrator, for the full retention period.
# ENVECTOR_AUDIT_OBJECT_LOCK_ENABLED=true
# ENVECTOR_AUDIT_OBJECT_LOCK_MODE=COMPLIANCE
# ENVECTOR_AUDIT_RETENTION_DAYS=2190 # 6 years
##############################################
# GPU Configuration (if needed)
##############################################
# ENVECTOR_COMPUTE GPU ID
# Uncomment to hand host GPU device IDs to the compute service; presumably one
# variable per compute instance - check the compose files for how each is wired.
# ENVECTOR_COMPUTE_GPU0_ID=0
# ENVECTOR_COMPUTE_GPU1_ID=1
# ENVECTOR_COMPUTE_GPU2_ID=2
# ENVECTOR_COMPUTE_GPU3_ID=3
##############################################
# Advanced runtime options
##############################################
# Tuning knobs, all commented out so the images' built-in defaults apply. The
# values shown are illustrative; their exact meaning lives in each service.
# Backend
# ENVECTOR_MAX_NUM_VECTORS_PER_SHARD=4096
# CTXTMAP_READ_BATCH_SIZE=4096
# CTXTMAP_INSERT_BATCH_SIZE=4096
# CTXTMAP_WRITE_BATCH_SIZE=4096
# METADATA_INSERT_BATCH_SIZE=8192
# METADATA_WRITE_BATCH_SIZE=8192
# ENVECTOR_CLEANUP_GRACE_PERIOD=5m
# VCT_CAPACITY=4096
# ENVECTOR_LOAD_INDEX_SHARD_CONCURRENCY=32
# ENVECTOR_BASELINE_INSERTABLE_SHARDS=8
# Shaper
# ENVECTOR_SHAPER_MAX_WORKERS=16
# ENVECTOR_SHAPER_CLEANUP_PERIOD=1h
# ENVECTOR_SHAPER_JOB_TTL=24h
# ENVECTOR_SHAPER_SPLIT_UPLOAD_CONCURRENCY=1
# ENVECTOR_SHAPER_MERGE_DOWNLOAD_CONCURRENCY=1
# glibc allocator arena cap, passed through to the container environment.
# MALLOC_ARENA_MAX=2
# Compute
# NUM_SEARCH_WORKERS=30
# ENVECTOR_THREAD_POOL_SCALE=4