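---
# HTTP listener settings for the proxy.
# (Nesting restored; the stray "|" gutter lines from the page render are dropped.)
server:
  port: 8090
  shutdown_timeout_seconds: 30
  # Development profile. NOTE(review): the database/ClickHouse passwords and the
  # jwt_secret placeholder in this file are development values; confirm that a
  # non-development env refuses to start while they are still in place.
  env: development
  tenant_name: "Mon Organisation"
  # CORS: origins allowed to call the proxy from a browser (React dashboard).
  # Override in production: VEYLANT_SERVER_ALLOWED_ORIGINS=https://dashboard.veylant.ai
  # Keep this an explicit list of https origins in production; a wildcard or a
  # leftover http://localhost entry widens which pages can call the proxy from
  # a signed-in user's browser.
  allowed_origins:
    - "http://localhost:3000"
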
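# PostgreSQL connection pool and migrations directory.
database:
  # Development DSN: the password is committed in this file and sslmode=disable
  # turns off TLS to the database, which is only acceptable against localhost.
  # Production should take the URL from the environment or a secret store
  # (presumably VEYLANT_DATABASE_URL, following the VEYLANT_<SECTION>_<KEY>
  # pattern used in this file; confirm) and use sslmode=verify-full.
  url: "postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable"
  max_open_conns: 25
  max_idle_conns: 5
  migrations_path: "migrations"
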
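# Redis connection.
redis:
  # Plain redis:// with no credentials: fine for a local instance, but a shared
  # or remote Redis should require authentication and use a rediss:// (TLS) URL.
  url: "redis://localhost:6379"
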
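# Local JWT authentication (email/password — replaces Keycloak).
# Override jwt_secret in production via VEYLANT_AUTH_JWT_SECRET.
auth:
  # Placeholder only. This value is committed with the file, so a deployment
  # that keeps it is signing tokens with a secret every reader of the
  # repository knows. Use a long random value (e.g. `openssl rand -base64 32`).
  # NOTE(review): confirm the server rejects this placeholder outside development.
  jwt_secret: "change-me-in-production-use-VEYLANT_AUTH_JWT_SECRET"
  # Token lifetime in hours. NOTE(review): a stolen token stays usable for this
  # long unless revocation exists elsewhere; that is not visible in this file.
  jwt_ttl_hours: 24
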
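# Client settings for the PII service.
pii:
  enabled: true
  service_addr: "localhost:50051"
  # Per-call time budget for the PII service, in milliseconds.
  timeout_ms: 100
  # NOTE(review): with fail_open: true, a PII-service error or timeout
  # presumably lets the request continue without PII processing, so an
  # unredacted prompt could reach an external provider. Confirm the behaviour,
  # prefer fail_open: false in production, and alert on every fail-open event.
  fail_open: true
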
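# Log output.
# NOTE(review): confirm that prompt bodies, tokens and provider API keys are
# never written to the log at any level.
log:
  level: "info"
  format: "json"
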
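# LLM provider adapters.
# Sensitive values (API keys) must be injected via env vars — never hardcode them.
# Example: VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-...
# Each base_url is where prompts and the provider API key are sent, so any
# override should point only at a trusted https endpoint.
providers:
  openai:
    base_url: "https://api.openai.com/v1"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_OPENAI_API_KEY

  anthropic:
    base_url: "https://api.anthropic.com/v1"
    # Quoted so the date-like value stays a string.
    version: "2023-06-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_ANTHROPIC_API_KEY

  azure:
    api_version: "2024-02-01"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_AZURE_API_KEY
    # resource_name: set via VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME
    #   (e.g. "my-azure-resource")
    # deployment_id: set via VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID (e.g. "gpt-4o")

  mistral:
    base_url: "https://api.mistral.ai/v1"
    timeout_seconds: 30
    max_conns: 100
    # api_key: set via VEYLANT_PROVIDERS_MISTRAL_API_KEY

  ollama:
    # Plain http is acceptable only because this targets localhost; prompts
    # would cross the network unencrypted if this pointed at another host.
    base_url: "http://localhost:11434/v1"
    timeout_seconds: 120
    max_conns: 10
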
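# Role-based access control for the provider router.
# Controls which models each role can access.
rbac:
  # Models accessible to the "user" role (exact match or prefix, e.g.
  # "gpt-4o-mini" matches "gpt-4o-mini-2024-07-18").
  # admin and manager roles always have unrestricted access.
  # Because entries also match as prefixes, keep each one as specific as
  # possible: a short entry (for example "gpt-4") would also allow every
  # model whose name starts with it.
  user_allowed_models:
    - "gpt-4o-mini"
    - "gpt-3.5-turbo"
    - "mistral-small"
  # If false (default), auditors receive 403 on /v1/chat/completions.
  auditor_can_complete: false
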
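# Metrics endpoint.
metrics:
  enabled: true
  # NOTE(review): confirm whether this path is served on the public listener
  # and whether it requires authentication; metrics can disclose tenant and
  # traffic details, so restrict it to the monitoring network if it does not.
  path: "/metrics"
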
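# Intelligent routing engine.
# Rules are stored in the routing_rules table and cached per tenant.
routing:
  # How long routing rules are cached in memory before a background refresh.
  # Admin mutations call Invalidate() immediately regardless of this TTL.
  # NOTE(review): the cache is in memory, so with several proxy instances
  # Invalidate() presumably clears only the instance that handled the
  # mutation; the others would apply the old rules for up to this TTL. Confirm.
  cache_ttl_seconds: 30
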
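# ClickHouse audit log (Sprint 6).
# DSN: clickhouse://user:pass@host:9000/database
# Set via env var: VEYLANT_CLICKHOUSE_DSN
clickhouse:
  # Development DSN with the password committed in this file. Production should
  # take the DSN from VEYLANT_CLICKHOUSE_DSN with its own credentials.
  # NOTE(review): confirm that the connection to a remote ClickHouse uses TLS;
  # this store holds the audit trail.
  dsn: "clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs"
  max_conns: 10
  dial_timeout_seconds: 5
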
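# Cryptography settings.
# AES-256-GCM key for encrypting prompt_anonymized in the audit log.
# MUST be set via env var in production: VEYLANT_CRYPTO_AES_KEY_BASE64
# Generate: openssl rand -base64 32
crypto:
  # Development placeholder — override in production via env var.
  # NOTE(review): confirm what an empty key does. Startup should fail outside
  # development rather than write prompt_anonymized to the audit log
  # unencrypted.
  aes_key_base64: ""
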
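# Rate limiting defaults. Per-tenant overrides are stored in rate_limit_configs table.
# Override via env: VEYLANT_RATE_LIMIT_DEFAULT_TENANT_RPM,
# VEYLANT_RATE_LIMIT_DEFAULT_USER_RPM, etc.
# "rpm" presumably means requests per minute; confirm against the limiter.
rate_limit:
  # Limits applied to a tenant that has no override row.
  default_tenant_rpm: 1000
  default_tenant_burst: 200
  # Limits applied to each individual user.
  default_user_rpm: 100
  default_user_burst: 20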