# NOTE(review): nesting below was recovered from a whitespace-collapsed copy of
# this file — confirm key placement against the config loader's schema.
#
# Development defaults. Several values in this section (embedded database
# credentials, sslmode=disable, the placeholder JWT secret, pii.fail_open)
# are only appropriate for a local setup.
server:
  port: 8090
  shutdown_timeout_seconds: 30
  env: development  # "production" → fatal on any missing service
  tenant_name: "My Organisation"
  # CORS: origins allowed to call the proxy from a browser.
  # Override in production: VEYLANT_SERVER_ALLOWED_ORIGINS=https://dashboard.example.com
  # The default below is a plain-HTTP localhost origin for local development;
  # production should list exact HTTPS origins only.
  allowed_origins:
    - "http://localhost:3000"

# PostgreSQL connection.
# The URL embeds development credentials and sets sslmode=disable, which turns
# off TLS to the database — acceptable only for a loopback dev instance.
# In production, supply the URL from the environment or a secret store and use
# a certificate-verifying mode (e.g. sslmode=verify-full).
# NOTE(review): unlike the other secrets in this file, no override variable is
# documented for this key — add it.
database:
  url: "postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable"
  max_open_conns: 25
  max_idle_conns: 5
  migrations_path: "migrations"

# Redis connection. This URL carries no password and no TLS; localhost only.
redis:
  url: "redis://localhost:6379"

# Local JWT authentication (email/password).
# MUST be changed in production — use a long random secret.
# Generate: openssl rand -hex 32
# Override: VEYLANT_AUTH_JWT_SECRET=
# The placeholder below is public. Presumably it is the token signing key, in
# which case anyone who has read this file could sign tokens a deployment that
# still uses it would accept.
# NOTE(review): confirm startup rejects this placeholder (and an empty value)
# when server.env is "production".
auth:
  jwt_secret: "change-me-in-production"
  # A leaked token stays usable for up to this many hours unless the service
  # has a revocation mechanism (not visible in this file).
  jwt_ttl_hours: 24

# PII service client settings.
# fail_open: true presumably lets requests proceed when the PII service errors
# or exceeds timeout_ms, i.e. prompts may be forwarded without PII handling —
# verify against the caller, and set it to false in production.
pii:
  enabled: true
  service_addr: "localhost:50051"
  timeout_ms: 100
  fail_open: true  # set false in production

log:
  level: "info"  # debug | info | warn | error
  format: "json"  # json | console

# LLM provider adapters.
# API keys MUST be injected via env vars — never hardcode them here.
# Example: VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-...
# Provider configs can also be managed via the admin API (POST /v1/admin/providers).
# NOTE(review): that endpoint handles provider credentials; confirm it is
# restricted to the admin role and that stored keys are not returned in responses.
providers:
  openai:
    base_url: "https://api.openai.com/v1"
    # api_key: set via VEYLANT_PROVIDERS_OPENAI_API_KEY
    timeout_seconds: 30
    max_conns: 100
  anthropic:
    base_url: "https://api.anthropic.com/v1"
    version: "2023-06-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_ANTHROPIC_API_KEY
  azure:
    api_version: "2024-02-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_AZURE_API_KEY
    # resource_name: set via VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME
    # deployment_id: set via VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID
  mistral:
    base_url: "https://api.mistral.ai/v1"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_MISTRAL_API_KEY
  # Local Ollama endpoint over plain HTTP; no api_key entry is listed for it.
  # Use an HTTPS base_url if this is ever pointed at a non-local host.
  ollama:
    base_url: "http://localhost:11434/v1"
    timeout_seconds: 120
    max_conns: 10

# Role-based access control for the provider router.
# NOTE(review): nesting below was recovered from a whitespace-collapsed copy of
# this file — confirm key placement against the config loader's schema.
rbac:
  # Models accessible to the "user" role (exact match or prefix).
  # admin and manager always have unrestricted access.
  # Because entries also match as prefixes, "gpt-3.5-turbo" admits every model
  # name that starts with that string; keep entries as specific as the policy
  # intends.
  user_allowed_models:
    - "gpt-4o-mini"
    - "gpt-3.5-turbo"
    - "mistral-small"
  # If false (default), auditors receive 403 on /v1/chat/completions.
  auditor_can_complete: false

# Metrics endpoint.
# NOTE(review): whether this path requires authentication is not visible here;
# if it does not, restrict access to it at the network layer.
metrics:
  enabled: true
  path: "/metrics"

# Intelligent routing engine.
routing:
  # How long routing rules are cached in memory before a background refresh.
  # A rule change may therefore take up to this long to apply.
  cache_ttl_seconds: 30

# ClickHouse audit log.
# DSN: clickhouse://user:pass@host:9000/database
# Override: VEYLANT_CLICKHOUSE_DSN=clickhouse://...
# The default DSN embeds development credentials and sets no TLS option;
# use it for a local instance only and supply the production DSN via the
# override above.
clickhouse:
  dsn: "clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs"
  max_conns: 10
  dial_timeout_seconds: 5

# Cryptography.
# AES-256-GCM key for encrypting stored prompts.
# MUST be set in production via: VEYLANT_CRYPTO_AES_KEY_BASE64
# Generate: openssl rand -base64 32
# The value is the base64 encoding of 32 random bytes (a 256-bit key).
# NOTE(review): the default is empty — confirm the service refuses to start in
# production with an empty key rather than storing prompts unencrypted.
crypto:
  aes_key_base64: ""

# Rate limiting defaults. Per-tenant overrides stored in the rate_limit_configs table.
rate_limit:
  default_tenant_rpm: 1000
  default_tenant_burst: 200
  default_user_rpm: 100
  default_user_burst: 20

# Email notifications via SMTP.
# Override credentials in production via env vars:
#   VEYLANT_NOTIFICATIONS_SMTP_HOST
#   VEYLANT_NOTIFICATIONS_SMTP_PORT
#   VEYLANT_NOTIFICATIONS_SMTP_USERNAME
#   VEYLANT_NOTIFICATIONS_SMTP_PASSWORD
#   VEYLANT_NOTIFICATIONS_SMTP_FROM
# The password below is a placeholder; keep the real credential out of this
# file. Port 587 is the mail-submission port, normally used with STARTTLS.
# NOTE(review): confirm the SMTP client requires TLS before it authenticates.
notifications:
  smtp:
    host: "smtp.example.com"
    port: 587
    username: "alerts@example.com"
    password: "your-smtp-password"
    from: "noreply@example.com"
    from_name: "Veylant IA"