veylant/config.yaml.example

server:
  port: 8090
  shutdown_timeout_seconds: 30
  env: development          # "production" → fatal on any missing service
  tenant_name: "My Organisation"
  # CORS: origins allowed to call the proxy from a browser.
  # Override in production: VEYLANT_SERVER_ALLOWED_ORIGINS=https://dashboard.example.com
  allowed_origins:
    - "http://localhost:3000"

database:
  url: "postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable"
  max_open_conns: 25
  max_idle_conns: 5
  migrations_path: "migrations"

redis:
  url: "redis://localhost:6379"

# Local JWT authentication (email/password).
# MUST be changed in production — use a long random secret.
# Generate: openssl rand -hex 32
# Override: VEYLANT_AUTH_JWT_SECRET=<your-secret>
auth:
  jwt_secret: "change-me-in-production"
  jwt_ttl_hours: 24

pii:
  enabled: true
  service_addr: "localhost:50051"
  timeout_ms: 100
  fail_open: true           # set false in production

log:
  level: "info"             # debug | info | warn | error
  format: "json"            # json | console

# LLM provider adapters.
# API keys MUST be injected via env vars — never hardcode them here.
# Example: VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-...
# Provider configs can also be managed via the admin API (POST /v1/admin/providers).
providers:
  openai:
    base_url: "https://api.openai.com/v1"
    # api_key: set via VEYLANT_PROVIDERS_OPENAI_API_KEY
    timeout_seconds: 30
    max_conns: 100

  anthropic:
    base_url: "https://api.anthropic.com/v1"
    version: "2023-06-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_ANTHROPIC_API_KEY

  azure:
    api_version: "2024-02-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key:       set via VEYLANT_PROVIDERS_AZURE_API_KEY
    # resource_name: set via VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME
    # deployment_id: set via VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID

  mistral:
    base_url: "https://api.mistral.ai/v1"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_MISTRAL_API_KEY

  ollama:
    base_url: "http://localhost:11434/v1"
    timeout_seconds: 120
    max_conns: 10

# Role-based access control for the provider router.
rbac:
  # Models accessible to the "user" role (exact match or prefix).
  # admin and manager always have unrestricted access.
  user_allowed_models:
    - "gpt-4o-mini"
    - "gpt-3.5-turbo"
    - "mistral-small"
  # If false (default), auditors receive 403 on /v1/chat/completions.
  auditor_can_complete: false

metrics:
  enabled: true
  path: "/metrics"

# Intelligent routing engine.
routing:
  # How long routing rules are cached in memory before a background refresh.
  cache_ttl_seconds: 30

# ClickHouse audit log.
# DSN: clickhouse://user:pass@host:9000/database
# Override: VEYLANT_CLICKHOUSE_DSN=clickhouse://...
clickhouse:
  dsn: "clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs"
  max_conns: 10
  dial_timeout_seconds: 5

# Cryptography.
# AES-256-GCM key for encrypting stored prompts.
# MUST be set in production via: VEYLANT_CRYPTO_AES_KEY_BASE64
# Generate: openssl rand -base64 32
crypto:
  aes_key_base64: ""

# Rate limiting defaults. Per-tenant overrides stored in the rate_limit_configs table.
rate_limit:
  default_tenant_rpm: 1000
  default_tenant_burst: 200
  default_user_rpm: 100
  default_user_burst: 20

# Email notifications via SMTP.
# Override credentials in production via env vars:
#   VEYLANT_NOTIFICATIONS_SMTP_HOST
#   VEYLANT_NOTIFICATIONS_SMTP_PORT
#   VEYLANT_NOTIFICATIONS_SMTP_USERNAME
#   VEYLANT_NOTIFICATIONS_SMTP_PASSWORD
#   VEYLANT_NOTIFICATIONS_SMTP_FROM
notifications:
  smtp:
    host: "smtp.example.com"
    port: 587
    username: "alerts@example.com"
    password: "your-smtp-password"
    from: "noreply@example.com"
    from_name: "Veylant IA"