Pramiti Docs

Configuration

All environment variables, feature flags, and auth modes

All configuration is via environment variables, prefixed with EPISTOM_. Create .env.local from the template:

cp .env.example .env.local

LLM Provider

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_LLM_PROVIDER | anthropic | Provider: anthropic, openai, bedrock, ollama |
| EPISTOM_LLM_MODEL_ID | claude-sonnet-4-5 | Model identifier |
| EPISTOM_ANTHROPIC_API_KEY |  | Anthropic API key |
| EPISTOM_OPENAI_API_KEY |  | OpenAI API key |
| EPISTOM_AWS_REGION | us-east-1 | AWS region for Bedrock |
| EPISTOM_AWS_PROFILE |  | AWS profile for Bedrock |
| EPISTOM_OLLAMA_BASE_URL | http://localhost:11434 | Ollama server URL |

Database

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_DATABASE_URL |  | PostgreSQL connection string |
| EPISTOM_POSTGRES_HOST | localhost | Database host (alternative to URL) |
| EPISTOM_POSTGRES_PORT | 5432 | Database port |
| EPISTOM_POSTGRES_USER | epistom | Database user |
| EPISTOM_POSTGRES_PASSWORD | epistom | Database password |
| EPISTOM_POSTGRES_DB | epistom | Database name |

Triplestore

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_OXIGRAPH_ENDPOINT | http://localhost:7878 | Oxigraph SPARQL endpoint |
| EPISTOM_NEPTUNE_SPARQL_ENDPOINT |  | AWS Neptune endpoint (production alternative) |

Authentication

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_AUTH_DISABLED | false | Disable all auth (local dev only) |
| EPISTOM_AUTH_MODE | production | Auth mode: production, demo |
| EPISTOM_JWT_SECRET |  | JWT signing secret (256-bit hex) |
| EPISTOM_DEMO_JWT_SECRET |  | Demo mode JWT secret |
| EPISTOM_COOKIE_DOMAIN |  | Cookie domain for JWT |
| EPISTOM_BASE_URL |  | Base URL for auth redirects |
| EPISTOM_AZURE_AD_TENANT_ID |  | Azure AD tenant for SSO |
| EPISTOM_AZURE_AD_CLIENT_ID |  | Azure AD client ID |

Security

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_ENCRYPTION_KEY |  | Fernet key for credential encryption |
| EPISTOM_AEGIS_SIGNING_KEY |  | Ed25519 private key for attestation signing |
| EPISTOM_AUDIT_HMAC_SECRET |  | HMAC secret for audit log tamper detection |
| EPISTOM_CORS_ALLOWED_ORIGINS |  | Comma-separated CORS origins |

Query Safety

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_MAX_QUERY_ROWS | 1000 | Maximum rows returned per query |
| EPISTOM_QUERY_TIMEOUT_SECONDS | 300 | Query execution timeout |
| EPISTOM_SQL_READONLY | true | Prevent LLM-generated SQL from writing |

Rate Limiting

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_RATE_LIMIT | 100 | Requests per minute (0 = disabled) |
| EPISTOM_RATE_LIMIT_REDIS_URL |  | Redis URL for shared counters across pods |

Observability

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_OTLP_ENDPOINT |  | OpenTelemetry gRPC endpoint for tracing |

Feature Flags

| Variable | Default | Description |
| --- | --- | --- |
| EPISTOM_REGISTRATION_OPEN | true | Allow new user registration |
| EPISTOM_TRINO_ENABLED | false | Enable Trino cross-source federation |

Generating Secrets

# JWT secret (256-bit hex)
python3 -c "import secrets; print(secrets.token_hex(32))"
 
# Fernet encryption key
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
 
# Ed25519 signing key
python3 -c "from epistom.aegis_proxy.attestation_store import generate_ed25519_keypair; priv, pub = generate_ed25519_keypair(); print(f'Private: {priv}\nPublic: {pub}')"
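
A pre-deployment check over the variables documented above, as an added example that is not part of the Pramiti code base: it parses the contents of a .env.local-style file and lists the settings that leave a documented safeguard off or do not match the secret formats given under Generating Secrets. The function names, the KEY=VALUE parsing, and the treatment of booleans as the literal strings true/false are assumptions; the sample file contents are constructed.

```python
import base64
import re

# Defaults taken from the tables on this page.
DEFAULTS = {"EPISTOM_AUTH_DISABLED": "false", "EPISTOM_POSTGRES_PASSWORD": "epistom",
            "EPISTOM_SQL_READONLY": "true", "EPISTOM_RATE_LIMIT": "100"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments (assumed file format)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_fernet_key(value):
    """A Fernet key is 32 bytes, URL-safe base64 encoded."""
    try:
        return len(base64.urlsafe_b64decode(value.encode())) == 32
    except ValueError:  # binascii.Error subclasses ValueError
        return False

def audit(env):
    """Return the variables whose values weaken a production deployment."""
    def get(name):
        return env.get(name, DEFAULTS.get(name, ""))
    weak = {
        "EPISTOM_AUTH_DISABLED": get("EPISTOM_AUTH_DISABLED").lower() != "false",
        "EPISTOM_JWT_SECRET": not re.fullmatch(r"[0-9a-fA-F]{64}", get("EPISTOM_JWT_SECRET")),
        "EPISTOM_ENCRYPTION_KEY": not is_fernet_key(get("EPISTOM_ENCRYPTION_KEY")),
        "EPISTOM_POSTGRES_PASSWORD": not get("EPISTOM_DATABASE_URL")
            and get("EPISTOM_POSTGRES_PASSWORD") == DEFAULTS["EPISTOM_POSTGRES_PASSWORD"],
        "EPISTOM_SQL_READONLY": get("EPISTOM_SQL_READONLY").lower() != "true",
        "EPISTOM_RATE_LIMIT": get("EPISTOM_RATE_LIMIT") == "0",
        "EPISTOM_CORS_ALLOWED_ORIGINS": "*" in get("EPISTOM_CORS_ALLOWED_ORIGINS"),
    }
    return [name for name, bad in weak.items() if bad]

# Constructed sample file contents (not real secrets).
SAMPLE = """\
EPISTOM_AUTH_DISABLED=true
EPISTOM_JWT_SECRET=changeme
EPISTOM_RATE_LIMIT=0
EPISTOM_CORS_ALLOWED_ORIGINS=*
"""

print("review:", audit(parse_env(SAMPLE)))
```

The default database password is only flagged when EPISTOM_DATABASE_URL is unset, since the URL form carries its own credentials.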
