backend/app/core/config.py is the complete settings catalog. Non-secret deployment defaults live in service manifests; secrets belong in Vault or the hosting platform’s secret store.

Core runtime

Programmatic access

Acquisition and discovery

Each provider also has explicit concurrency, request, item, byte, page, credit, timeout, and retry bounds. Invalid values fail startup rather than widening admission.

AI

OPENROUTER_API_KEY enables AI-only work through the shared OpenRouter client. Deterministic monitoring remains available without it. Remediation uses the dedicated configured model tier; embeddings and other tasks use their own explicit settings.

Provider delivery

Nango authorization requires NANGO_ENABLED, runtime API and webhook-signing keys, and stable provider integration IDs. PROVIDER_ROUTING_ENABLED exposes route management; PROVIDER_DISPATCH_ENABLED separately permits outbound provider work.

Sandbox execution

Keep SANDBOX_ENABLED, SANDBOX_STDIO_ENABLED, and broker/provider gates false until runtime digests, signing and broker keys, provider conformance evidence, and dedicated-worker health match across control and execution planes.
Do not copy a broad .env file into every process. Give API, ordinary worker, hosted MCP, scanner, and sandbox worker only the secrets each process owns.