Generated from configs/env/contract.yaml. Do not edit this file manually.
The generated configuration reference and the env-governance report pipeline share the same YAML contract-loading path so docs and policy checks stay in sync across gate cleanups.
| Name | Section | Required | Sensitive | Default | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
AI_FIX_MAX_ITERATIONS |
ai | no | no | 2 |
Maximum post-fix regression iterations before hard failure. | ||||||
AI_PROVIDER |
ai | no | no | gemini |
Active AI provider. | ||||||
AI_REVIEW_GEMINI_MULTIMODAL |
ai | no | no | false |
Enable Gemini multimodal UI/UX review from screenshots/video artifacts. | ||||||
AI_REVIEW_GEMINI_TOP_SCREENSHOTS |
ai | no | no | 3 |
Maximum screenshot artifacts sent to Gemini for multimodal UI/UX review. | ||||||
AI_REVIEW_MODE |
ai | no | no | llm |
AI review execution mode (llm or rule_fallback). | ||||||
AI_SPEED_MODE |
ai | no | no | false |
Prefer speed-oriented AI behavior. | ||||||
COMPUTER_USE_NODE_BINARY |
ai | no | no | (empty) | Optional absolute Node.js binary path override for computer-use bridge. | ||||||
GEMINI_API_KEY |
ai | no | yes | (empty) | Gemini API key. | ||||||
GEMINI_CONTEXT_CACHE_MODE |
ai | no | no | memory |
Context-caching strategy for Gemini requests (memory or api). | ||||||
GEMINI_EMBEDDING_MODEL |
ai | no | no | gemini-embedding-001 |
Gemini embedding model name. | ||||||
GEMINI_FAST_MODEL |
ai | no | no | models/gemini-3.0-flash |
Gemini flash model name. | ||||||
GEMINI_INCLUDE_THOUGHTS |
ai | no | no | true |
Include Gemini thought signatures in multi-turn flows. | ||||||
GEMINI_MEDIA_RESOLUTION |
ai | no | no | high |
Default media resolution hint for Gemini multimodal requests. | ||||||
GEMINI_MEDIA_RESOLUTION_DEFAULT |
ai | no | no | high |
Fallback media resolution when request-specific hint is absent. | ||||||
GEMINI_MODEL |
ai | no | no | models/gemini-3.1-pro-preview |
Primary Gemini model name. | ||||||
GEMINI_THINKING_LEVEL |
ai | no | no | high |
Gemini thinking effort level. | ||||||
GEMINI_TOOL_MODE |
ai | no | no | auto |
Gemini function/tool calling mode. | ||||||
MIDSCENE_MODEL_NAME |
ai | no | no | (empty) | Midscene model identifier. | ||||||
PROVIDER_POLICY_PATH |
ai | no | no | configs/ai/provider-policy.yaml |
Path to provider policy configuration file. | ||||||
RECON_MAIN_ENGINE |
ai | no | no | gemini |
Primary reconstruction engine identifier. | ||||||
RECON_PARAM_INPUT |
ai | no | no | (empty) | Governed env variable detected by automated env scan (ai scope). | ||||||
RECON_SECRET_INPUT |
ai | no | yes | (empty) | Governed env variable detected by automated env scan (ai scope). | ||||||
RECON_SECRET_PASSWORD |
ai | no | yes | (empty) | Governed env variable detected by automated env scan (ai scope). | ||||||
RECONSTRUCTION_ARTIFACT_MAX_BYTES |
ai | no | no | 16777216 |
Maximum size (bytes) for a single reconstruction artifact. | ||||||
UIQ_AI_FIX_ALLOWLIST |
ai | no | no | packages,apps,backend,frontend |
Comma-delimited relative path allowlist for auto-fix targets. | ||||||
UIQ_AI_FIX_MODE |
ai | no | no | report_only |
AI fix execution mode (report_only or auto). | ||||||
UIQ_COMPUTER_USE_TASK |
ai | no | no | (empty) | Fallback computer-use task when profile/target does not define one. | ||||||
AUTOMATION_ALLOW_LOCAL_NO_TOKEN |
auth | no | no | false |
Allow localhost token bypass for local development only. | ||||||
AUTOMATION_API_TOKEN |
auth | yes | yes | replace-with-strong-token |
Shared API token used by automation endpoints; placeholders and weak values are rejected fail-fast (min length 16). | ||||||
AUTOMATION_EMERGENCY_KILL_SWITCH |
auth | no | no | false |
Emergency stop for mutating automation APIs (POST/PUT/PATCH/DELETE). | ||||||
AUTOMATION_REQUIRE_TOKEN |
auth | no | no | true |
Require bearer token for automation API endpoints. | ||||||
APP_ENV |
core | no | no | development |
Runtime environment name. | ||||||
COOKIE_SECURE |
core | no | no | true |
Set secure cookie policy. | ||||||
CORS_ALLOWED_ORIGINS |
core | no | no | http://127.0.0.1:17373,http://localhost:17373 |
Comma-separated CORS origin allowlist. | ||||||
CSRF_TTL_SECONDS |
core | no | no | 900 |
CSRF token TTL in seconds. | ||||||
FRONTEND_REGISTER_URL |
core | no | no | (empty) | Optional frontend register URL override. | ||||||
LOG_BACKUP_COUNT |
core | no | no | 5 |
Number of rotated log files. | ||||||
LOG_LEVEL |
core | no | no | DEBUG |
Backend log level. | ||||||
LOG_MAX_BYTES |
core | no | no | 5242880 |
Per-log-file max size in bytes. | ||||||
TRUSTED_HOSTS |
core | no | no | 127.0.0.1,localhost,testserver |
Comma-separated trusted host allowlist. | ||||||
VITE_API_BASE_URL |
frontend | no | no | http://127.0.0.1:17380 |
Explicit frontend API base URL override. | ||||||
VITE_DEFAULT_BASE_URL |
frontend | no | no | http://127.0.0.1:17380 |
Frontend default backend base URL. | ||||||
VITE_RUM_ENABLED |
frontend | no | no | false |
Enable frontend RUM event forwarding. | ||||||
AUTOMATION_COMMAND_TIMEOUT_SECONDS |
limits | no | no | 1800 |
Command timeout in seconds. | ||||||
AUTOMATION_COMPLETED_TASK_TTL_SECONDS |
limits | no | no | 86400 |
TTL in seconds for completed task records. | ||||||
AUTOMATION_DEFAULT_RETRIES |
limits | no | no | 1 |
Default retry count for failed tasks. | ||||||
AUTOMATION_FAILURE_ALERT_THRESHOLD |
limits | no | no | 0.2 |
Failure ratio threshold for alert state. | ||||||
AUTOMATION_IDEMPOTENCY_TTL_SECONDS |
limits | no | no | 21600 |
TTL in seconds for idempotency replay records. | ||||||
AUTOMATION_MAX_PARALLEL |
limits | no | no | 6 |
Max concurrent automation tasks. | ||||||
AUTOMATION_MAX_PARALLEL_LONG |
limits | no | no | 1 |
Max concurrent long-running tasks. | ||||||
AUTOMATION_MAX_RATE_BUCKETS |
limits | no | no | 2000 |
In-memory rate-limit bucket cap. | ||||||
AUTOMATION_MAX_TASKS |
limits | no | no | 300 |
Max queued/runnable tasks retained. | ||||||
AUTOMATION_RATE_LIMIT_PER_MINUTE |
limits | no | no | 120 |
Per-route per-client rate limit. | ||||||
AUTOMATION_RETENTION_HOURS |
limits | no | no | 24 |
Retention window for automation artifacts in hours. | ||||||
AUTOMATION_RETRY_BASE_SECONDS |
limits | no | no | 1.0 |
Base delay in seconds for retry backoff. | ||||||
AUTOMATION_RETRY_JITTER_RATIO |
limits | no | no | 0.2 |
Random jitter ratio applied to retry backoff delays. | ||||||
AUTOMATION_RETRY_MAX_SECONDS |
limits | no | no | 30.0 |
Maximum retry delay in seconds after backoff. | ||||||
AUTOMATION_RUNTIME_MAX_BYTES |
limits | no | no | 1073741824 |
Max bytes allowed in automation runtime cache. | ||||||
CACHE_MAX_ENTRIES |
limits | no | no | 500 |
Max in-memory entries for universal validated-params cache. | ||||||
CACHE_TTL_SECONDS |
limits | no | no | 900 |
In-memory TTL (seconds) for universal validated-params cache. | ||||||
UIQ_MCP_API_BASE_URL |
mcp | no | no | http://127.0.0.1:18080 |
MCP backend base URL. | ||||||
UIQ_MCP_API_TIMEOUT_MS |
mcp | no | no | 30000 |
MCP API request timeout budget. | ||||||
UIQ_MCP_AUDIT_BACKUP_COUNT |
mcp | no | no | 10 |
Number of rotated MCP audit log files. | ||||||
UIQ_MCP_AUDIT_MAX_BYTES |
mcp | no | no | 10485760 |
Max size per MCP audit log file in bytes. | ||||||
UIQ_MCP_AUDIT_RETENTION_DAYS |
mcp | no | no | 14 |
MCP audit retention window in days. | ||||||
UIQ_MCP_BACKEND_PORT |
mcp | no | no | 18080 |
Preferred backend port for MCP-managed runtime. | ||||||
UIQ_MCP_ENABLE_ADVANCED_TOOLS |
mcp | no | no | true |
Enable advanced MCP tools. | ||||||
UIQ_MCP_HEALTH_TIMEOUT_MS |
mcp | no | no | 2000 |
MCP health-check timeout budget. | ||||||
UIQ_MCP_PERFECT_MODE |
mcp | no | no | true |
Enable perfect-mode MCP guardrails and strict defaults. | ||||||
UIQ_MCP_REMOTE_TOKEN_HOST_ALLOWLIST |
mcp | no | no | (empty) | Comma-separated host allowlist for remote token forwarding. | ||||||
UIQ_MCP_RUNTIME_CACHE_ROOT |
mcp | no | no | .runtime-cache |
Runtime cache root used by MCP server. | ||||||
FLOW_ALLOW_SENSITIVE_CAPTURE |
otp | no | no | false |
Allow sensitive artifact capture in flow recording mode. | ||||||
FLOW_ALLOW_SENSITIVE_HAR |
otp | no | no | false |
Allow HAR capture that may include sensitive request data. | ||||||
FLOW_ALLOW_SENSITIVE_INPUT_VALUES |
otp | no | no | false |
Allow plaintext capture of sensitive input values in flow artifacts. | ||||||
FLOW_ALLOW_SENSITIVE_STORAGE |
otp | no | no | false |
Allow storing sensitive flow artifacts on disk. | ||||||
FLOW_ALLOW_SENSITIVE_TRACE |
otp | no | no | false |
Allow trace capture that may include sensitive flow inputs. | ||||||
FLOW_ALLOW_SENSITIVE_VIDEO |
otp | no | no | false |
Allow video recording with potentially sensitive content. | ||||||
FLOW_DISABLE_AUTO_RUNTIME_CLEANUP |
otp | no | no | false |
Disable record-session automatic runtime cleanup trigger. | ||||||
FLOW_DISABLE_HTML_CAPTURE |
otp | no | no | false |
Disable HTML snapshot capture during flow recording. | ||||||
FLOW_FROM_STEP_ID |
otp | no | no | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_INPUT |
otp | no | no | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_OTP_CODE |
otp | no | yes | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_OTP_PROVIDER |
otp | no | no | gmail |
OTP provider strategy. | ||||||
FLOW_PROTECTED_PROVIDER_DOMAINS |
otp | no | no | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_REPLAY_PRECONDITIONS |
otp | no | no | false |
Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_RESUME_CONTEXT |
otp | no | no | false |
Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_SELECTOR_INDEX |
otp | no | no | 0 |
Governed env variable detected by automated env scan (otp scope). | ||||||
FLOW_STEP_ID |
otp | no | no | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
GMAIL_IMAP_PASSWORD |
otp | no | yes | (empty) | Gmail IMAP app password. | ||||||
GMAIL_IMAP_USER |
otp | no | yes | (empty) | Gmail IMAP username. | ||||||
IMAP_HOST |
otp | no | no | (empty) | Generic IMAP host. | ||||||
IMAP_PASSWORD |
otp | no | yes | (empty) | Generic IMAP password. | ||||||
IMAP_USER |
otp | no | yes | (empty) | Generic IMAP username. | ||||||
RECORD_CAPTURE_INPUT_PLAINTEXT |
otp | no | no | false |
Legacy plaintext input capture switch for flow recording. | ||||||
REGISTER_PASSWORD |
otp | no | yes | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
REPLAY_TOKEN |
otp | no | yes | (empty) | Governed env variable detected by automated env scan (otp scope). | ||||||
AUTOMATION_BACKEND_PORT |
runtime | no | no | 17380 |
Governed env variable detected by automated env scan (runtime scope). | ||||||
BACKEND_PORT |
runtime | no | no | 17380 |
Governed env variable detected by automated env scan (runtime scope). | ||||||
BASE_URL |
runtime | no | no | http://127.0.0.1:17380 |
Governed env variable detected by automated env scan (runtime scope). | ||||||
HEADLESS |
runtime | no | no | false |
Governed env variable detected by automated env scan (runtime scope). | ||||||
RUNTIME_GC_AUTO_ON_DEV_UP |
runtime | no | no | true |
Run runtime GC preflight automatically during scripts/dev-up.sh startup. | ||||||
RUNTIME_GC_DIR_SIZE_THRESHOLD_MB |
runtime | no | no | 256 |
Directory-size threshold (MB) that triggers runtime GC. | ||||||
RUNTIME_GC_FAIL_ON_ERROR |
runtime | no | no | false |
Enable fail-fast behavior when runtime GC reports errors. | ||||||
RUNTIME_GC_KEEP_RUNS |
runtime | no | no | 50 |
Number of latest runtime run directories kept. | ||||||
RUNTIME_GC_LOG_TAIL_LINES |
runtime | no | no | 4000 |
Tail lines kept when oversized runtime logs are truncated. | ||||||
RUNTIME_GC_MAX_DELETE_PER_RUN |
runtime | no | no | 500 |
Max delete operations allowed in a single runtime GC run. | ||||||
RUNTIME_GC_MAX_LOG_SIZE_MB |
runtime | no | no | 64 |
Max size (MB) for non-rotating runtime logs before tail truncation. | ||||||
RUNTIME_GC_RETENTION_DAYS |
runtime | no | no | 7 |
Runtime GC retention window in days. | ||||||
RUNTIME_GC_SCOPE |
runtime | no | no | all |
Default runtime GC scope (logs | runs | cache | automation | backups | extras | all); all only covers logs/runs/cache/backups plus scratch/disposable extras. |
RUNTIME_GC_STATE_PATH |
runtime | no | no | .runtime-cache/metrics/runtime-gc-state.json |
Runtime GC state JSON output path. | ||||||
RUNTIME_ROOT |
runtime | no | no | (empty) | Governed env variable detected by automated env scan (runtime scope). | ||||||
START_URL |
runtime | no | no | (empty) | Governed env variable detected by automated env scan (runtime scope). | ||||||
SUCCESS_SELECTOR |
runtime | no | no | (empty) | Governed env variable detected by automated env scan (runtime scope). | ||||||
UIQ_BASE_URL |
runtime | no | no | (empty) | Governed env variable detected by automated env scan (runtime scope). | ||||||
DATABASE_URL |
storage | no | yes | postgresql+pg8000://postgres:5432/automation |
Primary Postgres connection URL. | ||||||
REDIS_URL |
storage | no | yes | redis://redis:6379/0 |
Redis backend URL for shared rate limiting. | ||||||
UIQ_RUNTIME_CACHE_ROOT |
storage | no | no | .runtime-cache |
Canonical runtime cache root path. | ||||||
UIQ_TRUSTED_BIN_DIRS |
storage | no | no | (empty) | Optional comma-separated trusted binary directories. | ||||||
UNIVERSAL_AUDIT_BACKUP_COUNT |
storage | no | no | 5 |
Number of rotated universal-platform audit log files. | ||||||
UNIVERSAL_AUDIT_MAX_BYTES |
storage | no | no | 5242880 |
Max size per universal-platform audit log file in bytes. | ||||||
UNIVERSAL_AUDIT_RETENTION_DAYS |
storage | no | no | 7 |
Universal-platform audit log retention window in days. | ||||||
UNIVERSAL_AUTOMATION_RUNTIME_DIR |
storage | no | no | (empty) | Override universal runtime directory. | ||||||
UNIVERSAL_PLATFORM_DATA_DIR |
storage | no | no | (empty) | Override universal platform data directory. | ||||||
UIQ_ALLOW_COMPOSE_SKIP |
tests | no | no | 0 |
Allow CI compose validation skip when compose CLI is unavailable. | ||||||
UIQ_ALLOW_COMPOSE_SKIP_REASON |
tests | no | no | (empty) | Required reason when UIQ_ALLOW_COMPOSE_SKIP=1 for auditable exemptions. | ||||||
UIQ_ALLOW_LIGHT_PREPUSH |
tests | no | no | 0 |
Explicitly allow light pre-push mode when code-impacting changes are detected. | ||||||
UIQ_ALLOW_LIGHT_PREPUSH_REASON |
tests | no | no | (empty) | Required reason when UIQ_ALLOW_LIGHT_PREPUSH=1 for auditable exemptions. | ||||||
UIQ_CAPTURE_API_MOCK |
tests | no | no | 0 |
Enable API mock routing for capture/explore/chaos in local CI web target. | ||||||
UIQ_SKIP_SHARED_MODULE_LINK_REPAIR |
tests | no | no | 0 |
Skip shared module link repair for targeted smoke and self-test lanes that only validate repo governance contracts. | ||||||
UIQ_TEST_MATRIX_ALLOW_CMD_OVERRIDE |
tests | no | no | 0 |
Allow test-matrix suite command overrides (intended for controlled self-tests). | ||||||
UIQ_WEB_PORT |
tests | no | no | 4173 |
Governed env variable detected by automated env scan (tests scope). | ||||||
OTP_DEDUPE_REDIS_PREFIX |
vonage | no | no | otp:vonage:dedupe |
Redis key prefix for Vonage OTP dedupe. | ||||||
OTP_DEDUPE_STRICT |
vonage | no | no | false |
Fail closed when dedupe storage is unavailable. | ||||||
VONAGE_AUDIT_BACKUP_COUNT |
vonage | no | no | 4 |
Number of rotated Vonage callback audit log files. | ||||||
VONAGE_AUDIT_MAX_BYTES |
vonage | no | no | 2097152 |
Max size per Vonage callback audit log file in bytes. | ||||||
VONAGE_AUDIT_RETENTION_DAYS |
vonage | no | no | 7 |
Vonage callback audit log retention window in days. | ||||||
VONAGE_INBOUND_TOKEN |
vonage | no | yes | (empty) | Vonage inbound webhook token. | ||||||
VONAGE_INBOUND_TOKEN_HEADER_ENABLED |
vonage | no | no | false |
Enable bearer-token header fallback for inbound token check. | ||||||
VONAGE_MESSAGE_ID_TTL_SECONDS |
vonage | no | no | 86400 |
Message-id dedupe TTL. | ||||||
VONAGE_OTP_TO_NUMBER |
vonage | no | no | (empty) | Allowed recipient number for OTP pickup. | ||||||
VONAGE_SIGNATURE_ALGO |
vonage | no | no | sha256 |
Vonage signature algorithm. | ||||||
VONAGE_SIGNATURE_MAX_SKEW_SECONDS |
vonage | no | no | 600 |
Max callback timestamp skew. | ||||||
VONAGE_SIGNATURE_SECRET |
vonage | no | yes | (empty) | Vonage callback signature secret. |
These names are intentionally allowed by env governance as CI, container, or runtime-injected values. They are contract-tracked, but they are not user-supplied .env.example entries or settings that maintainers should hand-copy into local env files.
ABORT_COMMANDAGENT_TOOLSDIRECTORYCHROME_PATHCICOMMAND_TOWER_EVIDENCE_MAX_BYTESCOMMAND_TOWER_EVIDENCE_TIMELINE_DEFAULT_LIMITCOMMAND_TOWER_EVIDENCE_TIMELINE_MAX_LIMITGITHUB_ACTIONSGITHUB_BASE_REFGITHUB_EVENT_NAMEGITHUB_REFGITHUB_REPOSITORYGITHUB_STEP_SUMMARYGITHUB_WORKSPACEHOMELANGLAST_RUN_ATLC_ALLLINE_LIMITMAX_BEHINDPATHPYTEST_CURRENT_TESTPYTEST_XDIST_WORKERROOT_DIRRUNNER_TEMPRUNNER_TOOL_CACHERUNNER_WORKSPACERUNTIME_CACHE_DIRRUNTIME_LOG_DIRSCOPESTARTED_ATSTATE_PATHSTATUSSTRATEGYSYNC_BRANCH_DATETERMTRACING_ENABLEDTRACING_EXPORTERTRACING_OTLP_ENDPOINTTRACING_OTLP_HEADERSTRACING_SERVICE_NAME__STRYKER_ACTIVE_MUTANT__AI_REVIEW_AUTOMATION_GLOBAL_AUTOMATION_RUNTIME_GEMINI_GOOGLE_PLAYWRIGHT_PNPM_RECON_TM_UIQ_VITE_npm_