Environment Variables
All runtime configuration is environment-driven. This page is the complete reference for every variable Weavestream reads; the .env.example file in the repository is the minimal getting-started template.
Variables fall into two tiers:
- Required — the app refuses to boot without them:
APP_URL,API_URL,DATABASE_URL,REDIS_URL, and the encryption/signing keys (with their_KIDs). These ship in.env.example. - Optional — everything else has a safe built-in default and can be omitted.
.env.examplecarries a short commented block of the most commonly-tuned ones; the rest are documented here and only need to be set to override a default.
Each table lists the default (where one exists) and its operational impact. Valid ranges are enforced at boot by the schema in packages/shared/src/env.ts.
Release Pinning
Host Ports
The default compose.yml only exposes the web UI. Postgres and Redis stay internal.
Postgres and Redis are not published to the host by the production compose file. Inspect them with docker compose exec postgres psql ... and docker compose exec redis redis-cli ....
For local development, compose.build.yml publishes Postgres on 5434 and Redis on 6381. See Development Setup for the contributor workflow.
Core URLs
Postgres
Redis
Authentication & Sessions
Generate all signing keys with ./scripts/keygen.sh. Each key is 32 random bytes in base64.
Argon2 (Password Hashing)
Advanced; the defaults follow OWASP guidance and rarely need tuning.
Rate Limiting
note Proxy-aware rate limiting
The global throttler keys on req.user.id for authenticated requests. For unauthenticated requests, it falls back to the real client IP. Configure TRUST_PROXY_HOPS to match the number of trusted proxy hops between the browser and API.
Reverse Proxy & Network
Egress / SSRF Guard
Every server-side outbound HTTP request (integration drivers, RDAP/HIBP probes, domain checks) flows through safeFetch, which refuses to connect to loopback, RFC1918, link-local, or cloud-metadata (169.254.169.254) targets. Each refusal is recorded in the audit log as security.egress.blocked and surfaced under Admin → Security → Egress blocks.
Password Vault Encryption
Email (SMTP) Credential Encryption
The SMTP password configured under Admin → Settings → Email is encrypted at rest with the same kid-tagged AES-256-GCM scheme as the password vault, under a separate key so mail credentials rotate independently. Generate the key with ./scripts/keygen.sh.
HaveIBeenPwned
File Storage
Uploaded files (attachments, thumbnails, logos, export PDFs) live on the local filesystem under a single host-bind-mounted directory, isolated per tenant by directory:
${FILE_STORAGE_DIR}/<companyId>/uploads/<uploadId>/<filename>
${FILE_STORAGE_DIR}/<companyId>/thumbs/<uploadId>.webp
${FILE_STORAGE_DIR}/<companyId>/exports/<exportId>.pdf
Every thumbnail, attachment, logo, and export PDF is streamed through the API on the same origin as the web app. A single reverse-proxy virtual host covers the whole application; there is no separate files.example.com host to configure.
Uploads
Data Directory
Logging
Integrations
Settings for the integration sync engine and provider drivers. Generate encryption keys with ./scripts/keygen.sh.
Credential Encryption
Integration credential bundles (API tokens, secrets) are encrypted with the same kid-tagged envelope scheme as the password vault, but under a separate key so each can be rotated independently.
Sync Scheduling
Concurrency
HTTP Behaviour
These settings apply to every outbound HTTP call made by integration drivers (e.g. Action1 API requests). Retries use exponential backoff on 429 and 5xx responses.
Backups
Scheduled Postgres dumps (admin Backups page) and their *.manifest.json sidecars.
Background Jobs & Schedulers
Repeatable BullMQ jobs. Every *_CRON takes a standard 5-field cron expression, or the literal string off to disable scheduled runs (manual / on-demand runs still work).