
Configuration Reference

This page is the canonical reference for every environment variable used across the Verity platform. Variables are grouped by infrastructure component and service, with type, default value, and deployment context.

Configuration system

Verity uses pydantic-settings for typed configuration. See How Configuration Works for layering and precedence rules.


Global Settings

These variables apply across all services and control platform-wide behaviour.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| LOG_LEVEL | str | INFO | No | Log verbosity: DEBUG, INFO, WARNING, ERROR, CRITICAL |
| LOG_FORMAT | str | text | No | Log output format: text (human-readable) or json (structured) |
| ENVIRONMENT | str | development | No | Deployment environment: development, staging, production |
| SERVICE_NAME | str | (auto) | No | Override the service name reported in logs and traces |
| OTEL_EXPORTER_OTLP_ENDPOINT | str | | No | OpenTelemetry collector endpoint for traces and metrics |
| OTEL_SERVICE_NAME | str | (auto) | No | Service name for OpenTelemetry (defaults to SERVICE_NAME) |

Infrastructure

PostgreSQL / TimescaleDB

Primary transactional datastore. TimescaleDB runs as an extension on the same PostgreSQL instance.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| POSTGRES_HOST | str | localhost | Yes | PostgreSQL server hostname |
| POSTGRES_PORT | int | 5432 | No | PostgreSQL server port |
| POSTGRES_USER | str | verity | Yes | Database user |
| POSTGRES_PASSWORD | str | verity_dev | Yes | Database password. The default is a local development credential only; set a real one for every shared environment |
| POSTGRES_DB | str | verity | No | Database name |
| POSTGRES_SSLMODE | str | prefer | No | SSL mode: disable, prefer, require, verify-full. Only verify-full checks the server certificate and hostname; prefer falls back to plaintext when TLS is unavailable, and require encrypts without on its own verifying who the server is |
| POSTGRES_POOL_MIN | int | 2 | No | Minimum connection pool size |
| POSTGRES_POOL_MAX | int | 10 | No | Maximum connection pool size |
| TIMESCALE_ENABLED | bool | true | No | Enable TimescaleDB hypertables for time-series data |

Docker Compose aliases

In the Docker Compose environment, VERITY_PG_* and DB_* prefixed aliases are also injected (see Shared Infrastructure Variables). The values in this table are the canonical forms.

ClickHouse

OLAP analytics database used for audit trails, compliance reporting, and historical queries.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| CLICKHOUSE_HOST | str | localhost | Yes | ClickHouse server hostname |
| CLICKHOUSE_PORT | int | 8123 | No | ClickHouse HTTP interface port; with CLICKHOUSE_SECURE=true use the HTTPS port instead (8443 in the production ConfigMap below) |
| CLICKHOUSE_NATIVE_PORT | int | 9000 | No | ClickHouse native protocol port |
| CLICKHOUSE_USER | str | default | No | ClickHouse user |
| CLICKHOUSE_PASSWORD | str | (empty) | No | ClickHouse password. An empty value means the default user connects without authentication; acceptable for local development only |
| CLICKHOUSE_DB | str | verity | No | ClickHouse database name |
| CLICKHOUSE_SECURE | bool | false | No | Enable TLS for ClickHouse connections |

Kafka

Event streaming backbone connecting all services through topic-based pub/sub.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| KAFKA_BOOTSTRAP_SERVERS | str | localhost:9092 | Yes | Comma-separated list of Kafka broker addresses |
| KAFKA_CONSUMER_GROUP_PREFIX | str | verity | No | Prefix for all consumer group IDs |
| KAFKA_AUTO_OFFSET_RESET | str | earliest | No | Consumer offset reset policy: earliest, latest |
| KAFKA_SECURITY_PROTOCOL | str | PLAINTEXT | No | Security protocol: PLAINTEXT (no encryption and no broker authentication; development only), SASL_SSL, SSL |
| KAFKA_SASL_MECHANISM | str | | When SASL_SSL | SASL mechanism: PLAIN, SCRAM-SHA-256 |
| KAFKA_SASL_USERNAME | str | | When SASL_SSL | SASL username (for Azure Event Hubs: $ConnectionString) |
| KAFKA_SASL_PASSWORD | str | | When SASL_SSL | SASL password (for Azure Event Hubs: the Event Hubs connection string). Treat as a secret |
| KAFKA_SSL_CA_LOCATION | str | | No | Path to the CA certificate file used to verify brokers; needed when brokers present certificates from a private CA |

Redis

Caching layer for API responses, rate limiting, and intermediate computation results.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| REDIS_HOST | str | localhost | Yes | Redis server hostname |
| REDIS_PORT | int | 6379 | No | Redis server port |
| REDIS_PASSWORD | str | | No | Redis authentication password |
| REDIS_DB | int | 0 | No | Redis database index |
| REDIS_TTL_SECONDS | int | 300 | No | Default TTL for cached items (seconds) |
| REDIS_URL | str | | No | Full Redis URL, including the password if the server requires one (overrides the individual host/port/password/db settings) |
| REDIS_SSL | bool | false | No | Enable TLS for Redis connections |

URL vs individual settings

When REDIS_URL is set, it takes precedence over REDIS_HOST, REDIS_PORT, REDIS_PASSWORD, and REDIS_DB. The password therefore has to travel inside the URL (rediss://:password@host:6380/0); a REDIS_PASSWORD set next to a URL that carries no credentials is ignored and the client connects unauthenticated. A URL that embeds a password is itself a secret, so keep it in the Kubernetes Secret or Key Vault rather than in a ConfigMap, or set the individual variables and put only REDIS_PASSWORD in the Secret. Use rediss://... for TLS.
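The precedence rule above, as an added example rather than the project's own settings loader: a resolver that implements exactly the documented behaviour, so the effect of a credential-less REDIS_URL next to a REDIS_PASSWORD is visible, plus a helper that builds a URL with the password percent-encoded. The RedisTarget tuple, the function names and the sample mapping are this example's own assumptions.

```python
from typing import Mapping, NamedTuple, Optional
from urllib.parse import quote, unquote, urlsplit

_TRUTHY = {"1", "true", "yes", "on"}


class RedisTarget(NamedTuple):
    host: str
    port: int
    password: Optional[str]
    db: int
    tls: bool


def resolve_redis(env: Mapping[str, str]) -> RedisTarget:
    """Resolve Redis settings the way the page describes: REDIS_URL, when set,
    wins over REDIS_HOST / REDIS_PORT / REDIS_PASSWORD / REDIS_DB."""
    url = env.get("REDIS_URL", "").strip()
    if url:
        u = urlsplit(url)
        if u.scheme not in ("redis", "rediss"):
            raise ValueError(f"unsupported Redis URL scheme: {u.scheme!r}")
        # Everything comes from the URL. REDIS_PASSWORD is deliberately not
        # consulted: that is the documented precedence, and the reason a
        # credential-less URL in a ConfigMap leaves the client unauthenticated.
        return RedisTarget(
            host=u.hostname or "localhost",
            port=u.port or 6379,
            password=unquote(u.password) if u.password else None,
            db=int(u.path.lstrip("/") or "0"),
            tls=u.scheme == "rediss",
        )
    return RedisTarget(
        host=env.get("REDIS_HOST", "localhost"),
        port=int(env.get("REDIS_PORT", "6379")),
        password=env.get("REDIS_PASSWORD") or None,
        db=int(env.get("REDIS_DB", "0")),
        tls=env.get("REDIS_SSL", "false").strip().lower() in _TRUTHY,
    )


def build_redis_url(host: str, port: int, password: Optional[str],
                    db: int = 0, tls: bool = True) -> str:
    """Build a REDIS_URL that carries the password, percent-encoding it so that
    characters such as '@', '#' or '/' in a cache access key survive parsing."""
    scheme = "rediss" if tls else "redis"
    auth = f":{quote(password, safe='')}@" if password else ""
    return f"{scheme}://{auth}{host}:{port}/{db}"


# Constructed input mirroring a ConfigMap REDIS_URL combined with a Secret REDIS_PASSWORD.
CONFIGMAP_PLUS_SECRET = {
    "REDIS_URL": "rediss://verity-prod-redis.redis.cache.windows.net:6380",
    "REDIS_PASSWORD": "access-key-from-secret",  # ignored: the URL wins
}
```

resolve_redis(CONFIGMAP_PLUS_SECRET) returns a target with password None, which is the misconfiguration the note above warns about; build_redis_url produces the URL form that keeps the credential.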

Temporal

Workflow orchestration engine for review and remediation workflows.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| TEMPORAL_HOST | str | localhost | Yes | Temporal server hostname |
| TEMPORAL_PORT | int | 7233 | No | Temporal gRPC port |
| TEMPORAL_NAMESPACE | str | verity | No | Temporal namespace for all Verity workflows |
| TEMPORAL_TASK_QUEUE | str | verity-tasks | No | Default task queue for workflow workers |
| TEMPORAL_TLS_ENABLED | bool | false | No | Enable mTLS for Temporal connections |
| TEMPORAL_TLS_CERT_PATH | str | | When TLS enabled | Path to client TLS certificate |
| TEMPORAL_TLS_KEY_PATH | str | | When TLS enabled | Path to client TLS private key |

Services

Authentication

Controls API authentication and authorisation. Applied to the API Gateway.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| AUTH_DISABLED | bool | false | No | Disable all authentication (dev mode) |
| AZURE_AD_TENANT_ID | str | | Production | Azure AD (Entra ID) tenant ID |
| AZURE_AD_CLIENT_ID | str | | Production | Azure AD app registration client ID |
| AZURE_AD_CLIENT_SECRET | str | | Production | Azure AD app registration client secret |
| JWT_SECRET | str | | No | Symmetric JWT signing secret, used only with JWT_ALGORITHM=HS256 (for non-Azure AD setups) |
| JWT_ALGORITHM | str | RS256 | No | JWT signing algorithm: RS256, HS256. Tokens are verified against this configured value, not against the alg named in the token header |
| JWT_EXPIRY_MINUTES | int | 60 | No | JWT token lifetime in minutes |

Required = Production means the variable must be set wherever authentication is enabled, i.e. in staging and production.

Production authentication

Never set AUTH_DISABLED=true in staging or production. The Docker Compose default sets API_DEV_MODE=true, which implies AUTH_DISABLED=true; the Helm values for non-development environments override both to false. Treat JWT_ALGORITHM as the single algorithm the gateway will accept and verify every token against that configured value rather than the alg its header claims, and use JWT_SECRET with HS256 only in deployments that have no Azure AD tenant configured.
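What "verify against the configured algorithm" means in practice, as an added example that is not the gateway's code: a minimal HS256 issuer and verifier driven by the JWT_SECRET, JWT_ALGORITHM and JWT_EXPIRY_MINUTES settings from the table. The verifier takes the algorithm from configuration only and rejects any token whose header names something else, including alg=none. RS256 validation against the tenant's public keys is outside this example; the function names and the constructed test token are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    raw = text.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def _sign_hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def issue_token(claims: Dict[str, Any], *, secret: str, expiry_minutes: int = 60,
                now: Optional[float] = None) -> str:
    """Issue an HS256 token whose lifetime comes from JWT_EXPIRY_MINUTES."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now), exp=int(now) + expiry_minutes * 60)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    signature = _sign_hs256(f"{header}.{payload}".encode("ascii"), secret)
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, *, secret: str, algorithm: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Verify a token against the configured JWT_ALGORITHM / JWT_SECRET.

    The algorithm comes from configuration only: a token whose header names a
    different one (HS256 when RS256 is configured, 'none', anything else) is
    rejected before any signature work happens."""
    if algorithm != "HS256":
        raise ValueError(f"algorithm {algorithm!r} is not implemented by this example")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != algorithm:
        raise ValueError(f"token alg {header.get('alg')!r} != configured {algorithm!r}")
    expected = _sign_hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def rejection_reason(token: str, *, secret: str, algorithm: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Return why a token is rejected, or None when it verifies."""
    try:
        verify_token(token, secret=secret, algorithm=algorithm, now=now)
    except ValueError as exc:  # json and base64 errors are ValueError subclasses
        return str(exc)
    return None


def rewrite_header_alg(token: str, alg: str) -> str:
    """Constructed test input: same payload, header claiming a different
    algorithm (empty signature for 'none'). A verifier that trusted the
    header instead of its configuration would accept it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = alg
    new_header = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{new_header}.{payload_b64}.{'' if alg == 'none' else sig_b64}"
```

Passing now explicitly keeps the example deterministic; in a service the default of time.time() applies.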

API Gateway

Primary HTTP entry point. Prefix: API_.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| API_HOST | str | 0.0.0.0 | No | Bind address (all interfaces; expected inside a container, narrow it when running directly on a host) |
| API_PORT | int | 8000 | No | Listen port |
| API_WORKERS | int | 4 | No | Uvicorn worker count |
| API_CORS_ORIGINS | str | * | No | Allowed CORS origins (comma-separated). The default * admits any browser origin; set explicit origins outside local development |
| API_RATE_LIMIT_PER_MINUTE | int | 120 | No | Per-client rate limit (requests/minute) |
| API_DEV_MODE | bool | false | No | Enable dev mode (disables auth, enables debug endpoints). Never true outside development |
| API_LOG_LEVEL | str | INFO | No | Service-specific log level override |
| API_DB_MIN_POOL | int | 2 | No | Minimum database connection pool size |
| API_DB_MAX_POOL | int | 10 | No | Maximum database connection pool size |

Decay Engine

Computes and persists access-decay scores. Prefix: DECAY_, except for the severity thresholds SCORE_THRESHOLD_*, which carry no prefix.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| DECAY_BATCH_SIZE | int | 500 | No | Number of grants processed per scoring batch |
| DECAY_SCHEDULE_INTERVAL | int | 3600 | No | Seconds between scoring cycles |
| DECAY_SCORE_THRESHOLD | float | 70.0 | No | Score above which a grant is flagged for review |
| SCORE_THRESHOLD_CRITICAL | float | 90.0 | No | Score threshold for CRITICAL severity classification |
| SCORE_THRESHOLD_HIGH | float | 80.0 | No | Score threshold for HIGH severity classification |
| SCORE_THRESHOLD_MEDIUM | float | 70.0 | No | Score threshold for MEDIUM severity classification |
| DECAY_PEER_WEIGHT | float | 0.3 | No | Weight of peer-group analysis in final score (0.0–1.0) |
| DECAY_ANOMALY_WEIGHT | float | 0.2 | No | Weight of anomaly detection in final score (0.0–1.0) |

Review Generator

Creates review packets when decay scores exceed thresholds. Prefix: REVIEW_GEN_ for the generator's own settings; the SLA and escalation variables use the REVIEW_ prefix.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| REVIEW_GEN_MIN_SCORE | float | 70.0 | No | Minimum decay score to trigger a review |
| REVIEW_GEN_BATCH_SIZE | int | 200 | No | Grants evaluated per review generation cycle |
| REVIEW_SLA_CRITICAL_HOURS | int | 4 | No | SLA for CRITICAL severity reviews (hours) |
| REVIEW_SLA_HIGH_HOURS | int | 24 | No | SLA for HIGH severity reviews (hours) |
| REVIEW_SLA_MEDIUM_HOURS | int | 72 | No | SLA for MEDIUM severity reviews (hours) |
| REVIEW_SLA_LOW_HOURS | int | 168 | No | SLA for LOW severity reviews (hours) |
| REVIEW_AUTO_ESCALATE | bool | true | No | Automatically escalate reviews when SLA is breached |
| REVIEW_ESCALATION_CHAIN | str | manager,security-team,ciso | No | Comma-separated escalation recipients |

Workflow Engine

Orchestrates review and remediation workflows via Temporal. Prefix: WORKFLOW_.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| WORKFLOW_TEMPORAL_HOST | str | temporal:7233 | No | Temporal gRPC endpoint as host:port (overrides global TEMPORAL_HOST/TEMPORAL_PORT) |
| WORKFLOW_TEMPORAL_NAMESPACE | str | verity | No | Temporal namespace (overrides global) |
| WORKFLOW_REVIEW_SLA_HOURS | int | 72 | No | Default SLA for review completion |
| WORKFLOW_ESCALATION_HOURS | int | 48 | No | Hours before auto-escalation |
| WORKFLOW_MAX_CONCURRENT | int | 50 | No | Maximum concurrent workflow executions |

Remediation Executor

Executes approved access revocations against source platforms. Prefix: REMEDIATION_.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| REMEDIATION_DRY_RUN | bool | true | No | Log actions without executing (safe mode) |
| REMEDIATION_BLAST_RADIUS_LIMIT | int | 50 | No | Maximum grants revoked per execution cycle |
| REMEDIATION_REQUIRE_APPROVAL | bool | true | No | Require explicit approval before execution |
| REMEDIATION_MAX_CONCURRENT | int | 10 | No | Maximum concurrent revocation operations |
| REMEDIATION_RETRY_ATTEMPTS | int | 3 | No | Number of retry attempts for failed remediations |
| REMEDIATION_RETRY_DELAY | int | 60 | No | Seconds between retry attempts |

Dry run default

REMEDIATION_DRY_RUN defaults to true to prevent accidental access revocation. Set it to false in production only after the pipeline has run in staging with dry run enabled and the logged actions have been reviewed, and keep REMEDIATION_REQUIRE_APPROVAL=true together with a conservative REMEDIATION_BLAST_RADIUS_LIMIT so that a bad scoring cycle cannot revoke access at scale.

Audit Writer

Consumes audit events from Kafka and writes them to ClickHouse. Prefix: AUDIT_WRITER_.

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| AUDIT_WRITER_BATCH_SIZE | int | 1000 | No | Rows per ClickHouse batch insert |
| AUDIT_WRITER_FLUSH_INTERVAL | int | 5 | No | Seconds between flushes |
| AUDIT_WRITER_MAX_RETRIES | int | 5 | No | Maximum retries for failed batch inserts |

Connectors

Connector services poll external identity sources. Each connector has a specific prefix.

Azure AD Connector — AAD_ prefix

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| AAD_TENANT_ID | str | | Yes | Azure AD tenant ID |
| AAD_CLIENT_ID | str | | Yes | App registration client ID |
| AAD_CLIENT_SECRET | str | | Yes | App registration client secret |
| AAD_POLL_INTERVAL | int | 300 | No | Seconds between audit log polls |
| AZURE_AD_SYNC_INTERVAL | int | 600 | No | Seconds between full directory sync cycles (note: this variable does not use the AAD_ prefix) |

Databricks Connector — DATABRICKS_ prefix

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| DATABRICKS_HOST | str | | Yes | Databricks workspace URL |
| DATABRICKS_TOKEN | str | | Yes | Personal access token or service principal token |
| DATABRICKS_POLL_INTERVAL | int | 300 | No | Seconds between permission sync cycles |

Synapse Connector — SYNAPSE_ prefix

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| SYNAPSE_CONNECTION_STRING | str | | Yes | Azure Synapse Analytics connection string |
| SYNAPSE_POLL_INTERVAL | int | 300 | No | Seconds between permission sync cycles |

Fabric Connector — FABRIC_ prefix

| Variable | Type | Default | Required | Description |
|---|---|---|---|---|
| FABRIC_TENANT_ID | str | | Yes | Microsoft Fabric tenant ID |
| FABRIC_API_BASE_URL | str | | Yes | Fabric API base URL |
| FABRIC_API_KEY | str | | Yes | Fabric API key |
| FABRIC_WORKSPACE_ID | str | | Yes | Fabric workspace ID |
| FABRIC_POLL_INTERVAL | int | 300 | No | Seconds between permission sync cycles |

Sample Configuration Files

Sample .env File

.env
# =============================================================================
# Verity Platform — Environment Configuration
# Copy this file to .env and customise for your environment.
# =============================================================================

# -- Global -------------------------------------------------------------------
LOG_LEVEL=INFO
LOG_FORMAT=text
ENVIRONMENT=development

# -- PostgreSQL / TimescaleDB -------------------------------------------------
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_USER=verity
POSTGRES_PASSWORD=verity_dev
POSTGRES_DB=verity
TIMESCALE_ENABLED=true

# -- ClickHouse ---------------------------------------------------------------
CLICKHOUSE_HOST=localhost
CLICKHOUSE_PORT=8123
CLICKHOUSE_USER=default
CLICKHOUSE_PASSWORD=
CLICKHOUSE_DB=verity

# -- Kafka --------------------------------------------------------------------
KAFKA_BOOTSTRAP_SERVERS=localhost:9092
KAFKA_CONSUMER_GROUP_PREFIX=verity
KAFKA_AUTO_OFFSET_RESET=earliest

# -- Redis --------------------------------------------------------------------
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
REDIS_TTL_SECONDS=300

# -- Temporal -----------------------------------------------------------------
TEMPORAL_HOST=localhost
TEMPORAL_PORT=7233
TEMPORAL_NAMESPACE=verity
TEMPORAL_TASK_QUEUE=verity-tasks

# -- Authentication -----------------------------------------------------------
AUTH_DISABLED=true                    # Set to false in production
# AZURE_AD_TENANT_ID=your-tenant-id
# AZURE_AD_CLIENT_ID=your-client-id
# AZURE_AD_CLIENT_SECRET=your-secret

# -- API Gateway --------------------------------------------------------------
API_HOST=0.0.0.0
API_PORT=8000
API_WORKERS=4
API_CORS_ORIGINS=http://localhost:3000
API_RATE_LIMIT_PER_MINUTE=120
API_DEV_MODE=true

# -- Decay Engine -------------------------------------------------------------
DECAY_BATCH_SIZE=500
DECAY_SCHEDULE_INTERVAL=3600
SCORE_THRESHOLD_CRITICAL=90.0
SCORE_THRESHOLD_HIGH=80.0
SCORE_THRESHOLD_MEDIUM=70.0

# -- Review Generator ---------------------------------------------------------
REVIEW_SLA_CRITICAL_HOURS=4
REVIEW_SLA_HIGH_HOURS=24
REVIEW_SLA_MEDIUM_HOURS=72
REVIEW_SLA_LOW_HOURS=168
REVIEW_AUTO_ESCALATE=true

# -- Remediation --------------------------------------------------------------
REMEDIATION_DRY_RUN=true
REMEDIATION_BLAST_RADIUS_LIMIT=50
REMEDIATION_REQUIRE_APPROVAL=true

# -- Connectors (uncomment and fill for your platform) ------------------------
# AAD_TENANT_ID=
# AAD_CLIENT_ID=
# AAD_CLIENT_SECRET=
# DATABRICKS_HOST=
# DATABRICKS_TOKEN=
# SYNAPSE_CONNECTION_STRING=
# FABRIC_TENANT_ID=
# FABRIC_API_BASE_URL=
# FABRIC_API_KEY=
# FABRIC_WORKSPACE_ID=

Docker Compose Override

Override specific variables for local development without modifying the base docker-compose.yml:

docker-compose.override.yml
services:
  api-gateway:
    environment:
      API_WORKERS: "8"
      API_LOG_LEVEL: "DEBUG"
      API_CORS_ORIGINS: "http://localhost:3000,http://localhost:5173"

  decay-engine:
    environment:
      DECAY_BATCH_SIZE: "100"
      DECAY_SCHEDULE_INTERVAL: "60"
      LOG_LEVEL: "DEBUG"

  remediation-executor:
    environment:
      REMEDIATION_DRY_RUN: "true"
      REMEDIATION_BLAST_RADIUS_LIMIT: "5"

Kubernetes ConfigMap

Non-secret configuration shared by all services:

configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: verity-config
  namespace: verity
data:
  # Global
  LOG_LEVEL: "INFO"
  LOG_FORMAT: "json"
  ENVIRONMENT: "production"

  # PostgreSQL
  POSTGRES_HOST: "verity-prod-pg.postgres.database.azure.com"
  POSTGRES_PORT: "5432"
  POSTGRES_DB: "verity"
  POSTGRES_SSLMODE: "verify-full"   # production value from the Environment-Specific Defaults table; the server CA must be in the client trust store
  TIMESCALE_ENABLED: "true"

  # ClickHouse
  CLICKHOUSE_HOST: "verity-ch.clickhouse.cloud"
  CLICKHOUSE_PORT: "8443"
  CLICKHOUSE_DB: "verity"
  CLICKHOUSE_SECURE: "true"

  # Kafka (Azure Event Hubs)
  KAFKA_BOOTSTRAP_SERVERS: "verity-prod-eh.servicebus.windows.net:9093"
  KAFKA_SECURITY_PROTOCOL: "SASL_SSL"
  KAFKA_SASL_MECHANISM: "PLAIN"
  KAFKA_CONSUMER_GROUP_PREFIX: "verity-prod"

  # Redis (host/port/TLS here, REDIS_PASSWORD in the Secret; a REDIS_URL would override that password)
  REDIS_HOST: "verity-prod-redis.redis.cache.windows.net"
  REDIS_PORT: "6380"
  REDIS_SSL: "true"

  # Temporal
  TEMPORAL_HOST: "verity-temporal"
  TEMPORAL_PORT: "7233"
  TEMPORAL_NAMESPACE: "verity"
  TEMPORAL_TASK_QUEUE: "verity-tasks"

  # API Gateway
  API_WORKERS: "4"
  API_CORS_ORIGINS: "https://verity.example.com"
  API_RATE_LIMIT_PER_MINUTE: "300"

  # Decay Engine
  DECAY_BATCH_SIZE: "1000"
  DECAY_SCHEDULE_INTERVAL: "1800"
  SCORE_THRESHOLD_CRITICAL: "90.0"
  SCORE_THRESHOLD_HIGH: "80.0"
  SCORE_THRESHOLD_MEDIUM: "70.0"

  # Review Generator
  REVIEW_SLA_CRITICAL_HOURS: "4"
  REVIEW_SLA_HIGH_HOURS: "24"
  REVIEW_SLA_MEDIUM_HOURS: "72"
  REVIEW_SLA_LOW_HOURS: "168"
  REVIEW_AUTO_ESCALATE: "true"

  # Remediation
  REMEDIATION_DRY_RUN: "false"
  REMEDIATION_BLAST_RADIUS_LIMIT: "100"
  REMEDIATION_REQUIRE_APPROVAL: "true"

  # OpenTelemetry
  OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector.monitoring:4317"

Kubernetes Secret

Sensitive credentials stored as Kubernetes Secrets (or sourced from Azure Key Vault via CSI driver):

secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: verity-secrets
  namespace: verity
type: Opaque
stringData:
  # Database
  POSTGRES_USER: "verity_prod"
  POSTGRES_PASSWORD: "<your-db-password>"

  # ClickHouse
  CLICKHOUSE_USER: "verity"
  CLICKHOUSE_PASSWORD: "<your-clickhouse-password>"

  # Kafka (Azure Event Hubs)
  KAFKA_SASL_USERNAME: "$ConnectionString"
  KAFKA_SASL_PASSWORD: "<your-eventhubs-connection-string>"

  # Redis
  REDIS_PASSWORD: "<your-redis-password>"

  # Authentication
  AZURE_AD_TENANT_ID: "<your-tenant-id>"
  AZURE_AD_CLIENT_ID: "<your-client-id>"
  AZURE_AD_CLIENT_SECRET: "<your-client-secret>"

  # Connectors
  AAD_TENANT_ID: "<your-tenant-id>"
  AAD_CLIENT_ID: "<your-connector-client-id>"
  AAD_CLIENT_SECRET: "<your-connector-client-secret>"
  DATABRICKS_TOKEN: "<your-databricks-token>"
  SYNAPSE_CONNECTION_STRING: "<your-synapse-connection-string>"

Azure Key Vault integration

In production, use the Azure Key Vault CSI driver instead of inline Kubernetes Secrets. See Kubernetes & Helm — Secrets for configuration details.

Helm values.yaml Mapping

The Verity Helm chart maps environment variables to structured values. Below is the mapping between values.yaml keys and environment variables:

values.yaml
global:
  logLevel: INFO              # → LOG_LEVEL
  logFormat: json             # → LOG_FORMAT
  environment: production     # → ENVIRONMENT

  postgresql:
    host: verity-pg.example.com   # → POSTGRES_HOST
    port: 5432                     # → POSTGRES_PORT
    database: verity               # → POSTGRES_DB
    sslmode: verify-full           # → POSTGRES_SSLMODE (production value; server CA must be trusted by the client)
    timescaleEnabled: true         # → TIMESCALE_ENABLED

  clickhouse:
    host: verity-ch.example.com   # → CLICKHOUSE_HOST
    port: 8443                     # → CLICKHOUSE_PORT
    database: verity               # → CLICKHOUSE_DB
    secure: true                   # → CLICKHOUSE_SECURE

  kafka:
    bootstrapServers: verity-eh.servicebus.windows.net:9093  # → KAFKA_BOOTSTRAP_SERVERS
    securityProtocol: SASL_SSL     # → KAFKA_SECURITY_PROTOCOL
    consumerGroupPrefix: verity    # → KAFKA_CONSUMER_GROUP_PREFIX

  redis:
    url: "rediss://verity-redis.example.com:6380"  # → REDIS_URL; overrides REDIS_PASSWORD, so a URL without credentials connects unauthenticated

  temporal:
    host: verity-temporal          # → TEMPORAL_HOST
    port: 7233                      # → TEMPORAL_PORT
    namespace: verity               # → TEMPORAL_NAMESPACE
    taskQueue: verity-tasks         # → TEMPORAL_TASK_QUEUE
values.yaml
apiGateway:
  workers: 4                           # → API_WORKERS
  corsOrigins: "https://verity.example.com"  # → API_CORS_ORIGINS
  rateLimitPerMinute: 300              # → API_RATE_LIMIT_PER_MINUTE
  devMode: false                       # → API_DEV_MODE

decayEngine:
  batchSize: 1000                      # → DECAY_BATCH_SIZE
  scheduleInterval: 1800               # → DECAY_SCHEDULE_INTERVAL
  scoreThreshold: 70.0                 # → DECAY_SCORE_THRESHOLD
  thresholds:
    critical: 90.0                     # → SCORE_THRESHOLD_CRITICAL
    high: 80.0                         # → SCORE_THRESHOLD_HIGH
    medium: 70.0                       # → SCORE_THRESHOLD_MEDIUM

reviewGenerator:
  sla:
    criticalHours: 4                   # → REVIEW_SLA_CRITICAL_HOURS
    highHours: 24                      # → REVIEW_SLA_HIGH_HOURS
    mediumHours: 72                    # → REVIEW_SLA_MEDIUM_HOURS
    lowHours: 168                      # → REVIEW_SLA_LOW_HOURS
  autoEscalate: true                   # → REVIEW_AUTO_ESCALATE

remediation:
  dryRun: false                        # → REMEDIATION_DRY_RUN
  blastRadiusLimit: 100                # → REMEDIATION_BLAST_RADIUS_LIMIT
  requireApproval: true                # → REMEDIATION_REQUIRE_APPROVAL
values.yaml
auth:
  disabled: false                      # → AUTH_DISABLED
  azureAd:
    tenantId: "<tenant-id>"            # → AZURE_AD_TENANT_ID
    clientId: "<client-id>"            # → AZURE_AD_CLIENT_ID
    # clientSecret is sourced from Kubernetes Secret
  jwt:
    algorithm: RS256                   # → JWT_ALGORITHM
    expiryMinutes: 60                  # → JWT_EXPIRY_MINUTES
values.yaml
connectors:
  azureAd:
    enabled: true
    syncInterval: 600                  # → AZURE_AD_SYNC_INTERVAL
    # Credentials from Kubernetes Secret

  databricks:
    enabled: true
    host: "https://adb-1234.azuredatabricks.net"  # → DATABRICKS_HOST
    pollInterval: 300                  # → DATABRICKS_POLL_INTERVAL
    # Token from Kubernetes Secret

  synapse:
    enabled: false
    pollInterval: 300                  # → SYNAPSE_POLL_INTERVAL
    # Connection string from Kubernetes Secret

  fabric:
    enabled: false
    pollInterval: 300                  # → FABRIC_POLL_INTERVAL
    # Credentials from Kubernetes Secret

Environment-Specific Defaults

Key variables that typically differ between environments:

| Variable | Development | Staging | Production |
|---|---|---|---|
| LOG_LEVEL | DEBUG | INFO | INFO |
| LOG_FORMAT | text | json | json |
| ENVIRONMENT | development | staging | production |
| AUTH_DISABLED | true | false | false |
| API_DEV_MODE | true | false | false |
| API_WORKERS | 1 | 2 | 4 |
| DECAY_BATCH_SIZE | 100 | 500 | 1000 |
| DECAY_SCHEDULE_INTERVAL | 60 | 1800 | 3600 |
| REMEDIATION_DRY_RUN | true | true | false |
| REMEDIATION_BLAST_RADIUS_LIMIT | 5 | 25 | 100 |
| KAFKA_SECURITY_PROTOCOL | PLAINTEXT | SASL_SSL | SASL_SSL |
| POSTGRES_SSLMODE | disable | require | verify-full |
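An added example, not part of the page or of the Verity code base, that ties the sample .env file above to this table: a small .env parser covering the comment and quoting rules the sample relies on (inline "# comment" after an unquoted value, "#" kept inside quotes, optional "export"), and a check that returns every setting which the table says must not reach staging or production. Accepted boolean spellings follow pydantic's convention; the function names, the defaults assumed for missing variables and the embedded sample lines are this example's own.

```python
import re
from typing import Dict, List, Mapping

_TRUE = {"1", "true", "t", "yes", "y", "on"}
_FALSE = {"0", "false", "f", "no", "n", "off"}


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=value lines. Blank lines and '#' comments are skipped, an
    'export ' prefix is allowed, quoted values are taken verbatim up to the
    closing quote, unquoted values lose a trailing ' # comment'."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        if value[:1] in ('"', "'"):
            quote_char = value[0]
            end = value.find(quote_char, 1)
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = re.sub(r"\s+#.*$", "", value).strip()
        env[key] = value
    return env


def as_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def production_violations(env: Mapping[str, str]) -> List[str]:
    """List settings that contradict the staging/production columns of the
    table above. Development is not checked; defaults mirror the reference."""
    environment = env.get("ENVIRONMENT", "development")
    if environment not in ("staging", "production"):
        return []
    prod = environment == "production"
    bad: List[str] = []

    if as_bool(env.get("AUTH_DISABLED", "false")):
        bad.append("AUTH_DISABLED=true disables all authentication")
    if as_bool(env.get("API_DEV_MODE", "false")):
        bad.append("API_DEV_MODE=true implies AUTH_DISABLED and exposes debug endpoints")
    if env.get("API_CORS_ORIGINS", "*").strip() == "*":
        bad.append("API_CORS_ORIGINS=* admits any browser origin")

    sslmode = env.get("POSTGRES_SSLMODE", "prefer")
    allowed = {"verify-full"} if prod else {"require", "verify-full"}
    if sslmode not in allowed:
        bad.append(f"POSTGRES_SSLMODE={sslmode}: expected {' or '.join(sorted(allowed))}")

    proto = env.get("KAFKA_SECURITY_PROTOCOL", "PLAINTEXT")
    if proto == "PLAINTEXT":
        bad.append("KAFKA_SECURITY_PROTOCOL=PLAINTEXT: events unencrypted and unauthenticated")
    elif proto == "SASL_SSL":
        missing = [k for k in ("KAFKA_SASL_MECHANISM", "KAFKA_SASL_USERNAME",
                               "KAFKA_SASL_PASSWORD") if not env.get(k)]
        if missing:
            bad.append("SASL_SSL without " + ", ".join(missing))

    if prod and as_bool(env.get("REMEDIATION_DRY_RUN", "true")):
        bad.append("REMEDIATION_DRY_RUN=true: approved revocations are logged, never executed")
    if not as_bool(env.get("AUTH_DISABLED", "false")) and not (
            env.get("AZURE_AD_TENANT_ID") or env.get("JWT_SECRET")):
        bad.append("authentication enabled but neither AZURE_AD_TENANT_ID nor JWT_SECRET is set")
    return bad


# Constructed excerpt of the sample .env above, plus one quoted secret with a '#'.
SAMPLE_DEV_ENV = """
ENVIRONMENT=development
AUTH_DISABLED=true                    # Set to false in production
API_DEV_MODE=true
API_CORS_ORIGINS=http://localhost:3000
POSTGRES_SSLMODE=disable
KAFKA_SECURITY_PROTOCOL=PLAINTEXT
REMEDIATION_DRY_RUN=true
export KAFKA_SASL_PASSWORD="Endpoint=sb://x.servicebus.windows.net/;SharedAccessKey=k#1"
"""
```

Running production_violations on the sample with ENVIRONMENT switched to production lists five problems (the two auth switches, sslmode, plaintext Kafka and dry run), which is exactly the set this table asks you to change; a mapping built from the ConfigMap and Secret above returns an empty list. The check is a convenient pre-deploy gate in CI because it needs nothing but the rendered environment.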

Configuration Precedence

Configuration is resolved with the following precedence (highest wins):

1. Shell environment variable               (highest)
2. Kubernetes Secret / ConfigMap envFrom
3. docker-compose.yml service block
4. docker-compose.yml x-app-env anchor
5. .env file
6. Helm values.yaml
7. pydantic-settings default value          (lowest)

Quick override

To temporarily increase the API worker count without modifying any files:

# Docker Compose
API_WORKERS=8 docker compose up -d api-gateway

# Kubernetes
kubectl set env deployment/verity-api-gateway -n verity API_WORKERS=8

The Compose form only reaches the container if docker-compose.yml passes the variable through, either by interpolation (API_WORKERS: "${API_WORKERS:-4}") or by listing API_WORKERS with no value under environment:; Compose does not forward arbitrary shell variables into containers. The kubectl form writes an explicit env entry on the Deployment, which takes precedence over values supplied through envFrom from the ConfigMap and triggers a rollout; Helm does not track it, so remove it explicitly afterwards (the same command with API_WORKERS- in place of API_WORKERS=8) rather than leaving the Deployment drifting from values.yaml.

Next Steps