Configuration Index

A single-page inventory of runtime configuration grouped by entry-point app. The index is the fast lookup; canonical doctrine lives in the linked ADR or runbook for each row.

Each table has the same shape:

  • Env var — the variable name as it appears in code or in Render
  • Source — where the value is set: env group, per-service env var, image-baked at build, build-time bundled (frontends), or computed at runtime
  • Rotation — when the value changes, and the trigger
  • Owning — the canonical ADR or runbook for the value

For the env-group-vs-per-service placement principle see CD pipeline overview D7 / D8. For the provisioning + rotation flow see Secrets management and ADR-037. The two Render Environment Groups (spectral-staging-runtime, spectral-production-runtime) carry every “env group” row below.


apps/api — FastAPI on Render (api.runspectral.com)

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| SUPABASE_URL | Env group | Per-environment; set at provisioning | ADR-039 |
| SUPABASE_ANON_KEY | Env group | At Supabase JWT-secret rotation | Auth runbook |
| SUPABASE_SERVICE_ROLE_KEY | Env group | At Supabase JWT-secret rotation | Auth runbook |
| OTEL_EXPORTER_OTLP_ENDPOINT | Env group | Provider migration only | ADR-036 |
| SENTRY_DSN | Env group | Provider migration only | ADR-036 |
| LOGFIRE_TOKEN | Env group | Provider migration only | ADR-036 |

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| SPECTRAL_GENERATION | Per-service (set by GH Actions at deploy) | Bumped per deploy | ADR-048 |
| TRUSTED_PROXIES | Per-service | Edge / DNS topology change | Security boundaries |
| Deploy-key registry (sk_deploy_*) | Per-service env vars; key-exchange middleware reads at startup | Rotates as deploy side-effect | Deployment topology — version-detail auth |

apps/workers — LangGraph background runtime on Render

Inherits all apps/api substrate vars plus:

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| SPECTRAL_GENERATION | Per-service | Bumped per deploy (must match apps/api) | ADR-048 |
| HANDLER_MAX | Per-service (default 60s) | Tuning only | Deployment topology — drain |
| SPECTRAL_DRAIN_AND_EXIT | Per-service (legacy-drain workflow only) | Set on the temporary drain worker; never on prod workers | Legacy-drain runbook |
| SPECTRAL_DRAIN_COOLING_SECONDS | Per-service | Drain-workflow tuning | Legacy-drain runbook |

maxShutdownDelaySeconds is a Render service-config property declared in render.yaml (per ADR-048 D9), not a worker-process env var; the workers do not read it directly.

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| ANTHROPIC_API_KEY | Env group | Quarterly + on suspected leak | LLM platform |
| OPENAI_API_KEY | Env group | Quarterly + on suspected leak | LLM platform |
| GOOGLE_API_KEY | Env group | Quarterly + on suspected leak | LLM platform |

apps/dashboard — TanStack Start customer UI on Render (app.runspectral.com)

Frontend env vars are build-time bundled (Vite reads VITE_* at build, embeds into the client bundle). Rotation requires a rebuild, not a config flip.

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| VITE_API_URL | Env group → built into bundle | Edge / DNS topology change | Frontend architecture |
| VITE_SUPABASE_URL | Env group → built into bundle | At Supabase JWT-secret rotation | ADR-039 |
| VITE_SUPABASE_ANON_KEY | Env group → built into bundle | At Supabase JWT-secret rotation | ADR-039 |
| SUPABASE_SERVICE_ROLE_KEY | Never (server-side only) | n/a | n/a |

Rule: anything sensitive lands at apps/api and is reached through the API proxy. The dashboard holds only public-facing keys.


apps/operations — TanStack Start staff console on Render (ops.runspectral.com)

Same frontend posture as apps/dashboard, plus the Pattern A auth surface:

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| VITE_API_URL | Env group → built into bundle | Edge / DNS topology change | Frontend architecture |
| VITE_SUPABASE_URL | Env group → built into bundle | At Supabase JWT-secret rotation | ADR-039 |
| VITE_SUPABASE_ANON_KEY | Env group → built into bundle | At Supabase JWT-secret rotation | ADR-039 |
| OPERATIONS_SCOPES | Per-service (Pattern A middleware reads at startup) | Scope-taxonomy change only | Access control |

docs-codex (Cloudflare Pages, codex.runspectral.com)

The Codex docs site is a static Astro build with a Pages Function for JWKS-local auth on operator-only routes.

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| OPERATIONS_SCOPES | Cloudflare Pages env (Function reads at request time) | Scope-taxonomy change only | Access control |
| SUPABASE_URL | Cloudflare Pages env | At Supabase JWT-secret rotation | ADR-039 |

docs-user (Cloudflare Pages, docs.runspectral.com)

Public marketing/docs site. No runtime config; all content is statically rendered at build.


retention-run cron (reuses apps/workers image)

Inherits the apps/workers env. Posts a single retention.run_scheduled event into the substrate, then exits. No cron-specific env vars.


Required env vars per tools/ops/backup/backup-nightly.sh:

| Env var | Source | Rotation | Owning |
| --- | --- | --- | --- |
| DATABASE_URL | Env group | At Supabase JWT-secret rotation | Disaster recovery runbook |
| AGE_RECIPIENT | Env group | At age-key rotation | Disaster recovery runbook |
| GCS_BACKUP_BUCKET | Env group | Bucket migration only | ADR-040 |
| GCS_SA_KEY_PATH | Env group (filesystem path to a mounted SA key) | At GCS service-account rotation | Disaster recovery runbook |
| BACKUP_RETENTION_DAYS | Env group | At retention-policy change | ADR-040 |

GitHub Environments hold these. Each environment carries required-reviewer = self. See CI secrets handling runbook and ADR-062 for rotation procedure.

| Env var | Environment | Used by | Rotation |
| --- | --- | --- | --- |
| RENDER_API_KEY | staging, production | Deploy workflows | Quarterly |
| CLOUDFLARE_API_TOKEN | staging, production | Edge config workflows | Quarterly |
| SUPABASE_MANAGEMENT_PAT | staging, production | Migration / preview-branch workflows | Quarterly |
| LLM_TEST_ANTHROPIC_KEY | test-live | Nightly LLM live-drift workflow | At provider key rotation |
| LLM_TEST_OPENAI_KEY | test-live | Nightly LLM live-drift workflow | At provider key rotation |
| LLM_TEST_GOOGLE_KEY | test-live | Nightly LLM live-drift workflow | At provider key rotation |
| GITHUB_OAUTH_TEST_CLIENT_* | staging | OAuth integration tests | At OAuth-app rotation |
| GOOGLE_OAUTH_TEST_CLIENT_* | staging | OAuth integration tests | At OAuth-app rotation |

Tunables that are code constants, not env vars

The following appear in design docs but are set in source code (not configurable per-deploy). Listed here so a reader who searches for them lands somewhere useful:

| Constant | Defined in | Notes |
| --- | --- | --- |
| min_size, max_size, max_idle, prepare_threshold, reconnect_timeout | psycopg_pool config in spectral_api.db and spectral_workers.db | See Connection pooling for the alpha defaults |
| Session-var names (app.account_id, app.workspace_id, app.user_id) | spectral.core.db.session_vars | Pinned by RLS contract tests |