Environment Variables

All Causet services are configured through environment variables. This page documents the variables for each service. The canonical production reference is ecs-env-vars-reference.md in the repository root.


causet-runtime-service

The runtime service processes intents, evaluates rules, and writes events to the ledger.

VariableRequiredDefaultDescription
DATABASE_URLYesR2DBC URL for the causet database. Format: r2dbc:postgresql://host:5432/causet
KAFKA_BOOTSTRAP_SERVERSYesComma-separated Kafka broker addresses
S3_ENDPOINTYesS3-compatible endpoint URL. Use https://s3.amazonaws.com for AWS, MinIO URL for local
S3_BUCKETYesBucket name for IR artifacts (e.g., causet-artifacts-prod)
AWS_ACCESS_KEY_IDYesAWS/MinIO access key for S3 access
AWS_SECRET_ACCESS_KEYYesAWS/MinIO secret key for S3 access
AWS_REGIONNous-east-1AWS region for S3
CAUSET_SAAS_URLYesInternal URL of causet-saas-cloud for release resolution
SERVER_PORTNo8080HTTP server port
GRPC_PORTNo9090gRPC server port
SPRING_PROFILES_ACTIVENodefaultSpring profile. Set to prod for production configuration
JAVA_OPTSNoJVM options. Example: -Xms512m -Xmx1536m
REDIS_URLNoRedis URL for IR artifact caching. If unset, artifacts are fetched from S3 on each load
CAUSET_OPENAI_API_KEYNoPlatform OpenAI key for AI decisions and embeddings (fallback when no BYOK)
OPENAI_API_KEYNoAlias for CAUSET_OPENAI_API_KEY
CAUSET_SECRETS_MASTER_KEYNoAES-256-GCM master key for decrypting BYOK provider keys from control plane
CAUSET_MEMORY_STORENoin-memoryMemory backend: in-memory or postgres
CAUSET_MEMORY_INGESTION_ENABLEDNofalseWhen true, embed source events into vector memory
CAUSET_MEMORY_RETRIEVAL_LIMITNo10Max memory snippets retrieved per decision memory ref
WEBHOOK_DELIVERY_ENABLEDNotrueSet false when ws-gateway handles webhook delivery
WEBHOOK_EMIT_IN_DRY_RUNNotrueEmit ledger/intent webhooks from DRY_RUN forks when true

causet-projection-worker

The projection worker consumes events from Kafka and UPSERTs into projection tables.

VariableRequiredDefaultDescription
PROJECTIONS_DB_URLYesJDBC URL for the projections database. Format: jdbc:postgresql://host:5432/projections
KAFKA_BOOTSTRAP_SERVERSYesComma-separated Kafka broker addresses
KAFKA_GROUP_IDNocauset-projection-workerKafka consumer group ID
S3_ENDPOINTYesS3-compatible endpoint URL
S3_BUCKETYesBucket name for IR artifacts
AWS_ACCESS_KEY_IDYesAWS/MinIO access key
AWS_SECRET_ACCESS_KEYYesAWS/MinIO secret key
AWS_REGIONNous-east-1AWS region
CAUSET_SAAS_URLYesInternal URL of causet-saas-cloud for active release resolution
WORKER_HEALTH_PORTNo8083Internal HTTP port for /actuator/health
DLQ_TOPICNocauset.projection-dlq.v1Dead-letter queue topic name
MAX_RETRY_ATTEMPTSNo3Maximum retry attempts before sending to DLQ
RETRY_BACKOFF_MSNo1000Initial retry backoff in milliseconds (exponential)
JAVA_OPTSNoJVM options

causet-query-service

The query service executes named queries against projection tables.

VariableRequiredDefaultDescription
PROJECTIONS_DB_URLYesJDBC or R2DBC URL for the projections database
REDIS_URLNoRedis URL for query result caching. Leave unset to disable caching
REDIS_CACHE_TTL_SECONDSNo30Query result cache TTL in seconds
S3_ENDPOINTYesS3-compatible endpoint URL
S3_BUCKETYesBucket name for IR artifacts
AWS_ACCESS_KEY_IDYesAWS/MinIO access key
AWS_SECRET_ACCESS_KEYYesAWS/MinIO secret key
AWS_REGIONNous-east-1AWS region
CAUSET_SAAS_URLYesInternal URL of causet-saas-cloud for active release resolution
SERVER_PORTNo8082HTTP server port
JAVA_OPTSNoJVM options

causet-saas-cloud

The SaaS / control plane API manages platforms, applications, releases, and fork deployments.

VariableRequiredDefaultDescription
CONTROL_PLANE_DB_URLYesJDBC URL for the control plane database (causet_control_plane)
CLERK_SECRET_KEYYesClerk secret key for JWT verification
CLERK_PUBLISHABLE_KEYYesClerk publishable key
S3_ENDPOINTYesS3-compatible endpoint URL
S3_BUCKETYesBucket name for IR artifact storage
AWS_ACCESS_KEY_IDYesAWS/MinIO access key (needs s3:PutObject for uploads)
AWS_SECRET_ACCESS_KEYYesAWS/MinIO secret key
AWS_REGIONNous-east-1AWS region
SERVER_PORTNo8085HTTP server port
JAVA_OPTSNoJVM options
CAUSET_SECRETS_MASTER_KEYNoAES key for BYOK AI provider secrets (must match runtime)

causet-cloud-control-plane

The Next.js web UI for the control plane.

VariableRequiredDefaultDescription
NEXT_PUBLIC_CAUSET_SAAS_URLYesPublic URL of causet-saas-cloud (accessed from the browser)
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEYYesClerk publishable key for frontend auth
CLERK_SECRET_KEYYesClerk secret key for server-side auth
PORTNo3000Next.js server port

ws-gateway-go

The WebSocket gateway proxies real-time event streams to connected clients.

VariableRequiredDefaultDescription
KAFKA_BOOTSTRAP_SERVERSYesComma-separated Kafka broker addresses
KAFKA_GROUP_IDNows-gatewayKafka consumer group ID
PORTNo8081WebSocket server port
CAUSET_SAAS_URLYesInternal URL of causet-saas-cloud for auth token validation
CAUSET_SECRETS_MASTER_KEYNoDecrypt webhook signing secrets synced from saas-cloud

Secrets management

In production, do not place sensitive values directly in ECS task definitions. Use AWS Secrets Manager and reference secrets by ARN:

"secrets": [
  {
    "name": "DATABASE_URL",
    "valueFrom": "arn:aws:secretsmanager:us-east-1:ACCOUNT:secret:causet/prod/runtime-db-url"
  },
  {
    "name": "CLERK_SECRET_KEY",
    "valueFrom": "arn:aws:secretsmanager:us-east-1:ACCOUNT:secret:causet/prod/clerk-secret-key"
  }
]

ECS injects the secret value as an environment variable at container startup. Secrets Manager supports automatic rotation for RDS credentials with the built-in rotation lambda.

See Secrets Management for more detail.


Local vs production differences

SettingLocal (Docker Compose)Production (AWS)
S3_ENDPOINThttp://minio:9000https://s3.amazonaws.com (or omit to use default)
DATABASE_URLr2dbc:postgresql://postgres:5432/causetRDS endpoint
PROJECTIONS_DB_URLjdbc:postgresql://postgres:5432/projectionsRDS endpoint
KAFKA_BOOTSTRAP_SERVERSredpanda:9092MSK broker endpoints
REDIS_URLredis://redis:6379ElastiCache endpoint
AWS_ACCESS_KEY_IDminioadminIAM role (no key needed with task role)
Secrets management.env filesAWS Secrets Manager

Note: On AWS ECS with a task role configured, you do not need AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for S3 access. The AWS SDK automatically uses the task role credentials. Only set these explicitly when using MinIO or a non-AWS S3-compatible store.