17. IAM & Secrets

Application Secrets

Secret	Env Variable	Storage	Rotation
Anthropic API key	`ANTHROPIC_API_KEY`	Environment variable	Manual, restart required
JWT signing secret	`JWT_SECRET`	Environment variable	Manual, invalidates all tokens
Session secret	`SESSION_SECRET`	Environment variable	Manual, restart required
Postmark token	`POSTMARK_SERVER_TOKEN`	Environment variable	Manual, restart required
GitHub token	`GITHUB_TOKEN`	Environment variable	Manual
Sasha GitHub token	`SASHA_GITHUB_TOKEN`	Environment variable	Manual

Encrypted Secrets (In Database)

Secret	Table	Encryption
AWS Bedrock API key	`bedrock_config.api_key_encrypted`	AES-256-GCM
Cloud OAuth refresh tokens	`cloud_credentials.refresh_token_encrypted`	AES-256-GCM
Cloud OAuth access tokens	`cloud_credentials.access_token_encrypted`	AES-256-GCM
Named secrets	`named_secrets.value_encrypted`	AES-256-GCM

Encryption utility: server/utils/encryption.js

API Keys

Key Type	Format	Storage	Auth Method
User API keys	`sk_<random>`	bcrypt hash in `api_keys.key_hash`	`X-API-Key` header
Signing secrets	Random string	Plaintext in `api_keys.signing_secret`	HMAC callback verification

Cloud Provider Identities

AWS (for Bedrock)

Variable	Purpose
`AWS_REGION`	AWS region (default us-east-1)
`AWS_ACCESS_KEY_ID`	IAM access key
`AWS_SECRET_ACCESS_KEY`	IAM secret key
`AWS_SESSION_TOKEN`	Session token (if using STS)
`AWS_BEARER_TOKEN_BEDROCK`	Service bearer token

AWS (for ECS Deployment)

Resource	Account	Details
ECS cluster	748732838505	`hirebest` cluster in us-east-2
ECR repository	748732838505	`sasha-aesop4`
EFS volumes	748732838505	Persistent storage for `/home/sasha` and `/app/data`
ALB	748732838505	HTTPS termination with ACM wildcard cert

GitHub (for CI/CD)

Secret	Purpose
`GITHUB_TOKEN`	Package publishing to GHCR
Repository secrets	Docker build, image push

rclone (Cloud Drives)

Variable	Purpose
`RCLONE_RC_USER`	RC API authentication
`RCLONE_RC_PASS`	RC API authentication

Complete Environment Variable Inventory

Critical (Required for Operation)

Variable	Default	Purpose
`ANTHROPIC_API_KEY`	--	Claude API access
`PORT`	3005	Server port
`DB_PATH`	`/app/data/sasha.db`	Database file location

Security

Variable	Default	Purpose
`JWT_SECRET`	Hardcoded dev value	JWT signing
`SESSION_SECRET`	--	Session encryption
`HELMET_ENABLED`	true	Security headers
`RATE_LIMIT_ENABLED`	true	Rate limiting
`RATE_LIMIT_MAX`	100	Requests per window
`RATE_LIMIT_WINDOW_MS`	900000	Rate limit window (15 min)
`HEALTH_CHECK_SECRET`	--	Health check auth

Paths

Variable	Default	Purpose
`SHARED_ROOT`	Platform-dependent	Base path for all derived paths
`DOCS_PATH`	Derived from SHARED_ROOT	Knowledge base docs
`PROJECTS_PATH`	Derived from SHARED_ROOT	Project directories
`CLAUDE_HOME`	--	Claude CLI config directory
`CLAUDE_MD_PATH`	--	CLAUDE.md file location
`CONFIG_DIR`	--	Configuration directory
`UPLOADS_PATH`	--	File uploads directory
`CLOUD_MOUNT_ROOT`	--	Cloud mount points
`CLOUD_CACHE_ROOT`	--	Cloud cache location

AI Configuration

Variable	Default	Purpose
`ANTHROPIC_CUSTOM_HEADERS`	--	Beta feature headers
`ANTHROPIC_BETAS`	--	Beta flag list
`CLAUDE_CODE_USE_BEDROCK`	--	Enable Bedrock backend
`CLAUDE_CODE_ACTIVE_MODEL`	--	Selected model
`CLAUDE_CODE_ACTIVE_PROVIDER`	--	Provider selection
`CLAUDE_CODE_MAX_OUTPUT_TOKENS`	--	Token limit
`MAX_THINKING_TOKENS`	--	Extended thinking limit
`BEDROCK_EXTENDED_CONTEXT`	--	1M context toggle
`BEDROCK_DEBUG`	--	Bedrock debug logging

Email (Postmark)

Variable	Default	Purpose
`POSTMARK_SERVER_TOKEN`	--	API authentication
`POSTMARK_FROM_EMAIL`	--	Sender address
`POSTMARK_FROM_NAME`	--	Sender display name
`POSTMARK_MESSAGE_STREAM`	--	Stream ID
`POSTMARK_RESET_TEMPLATE_ALIAS`	--	Password reset template
`POSTMARK_WELCOME_TEMPLATE_ALIAS`	--	Welcome template
`POSTMARK_SUPPORT_URL`	--	Support link in emails

Git

Variable	Default	Purpose
`GITHUB_TOKEN`	--	GitHub API
`SASHA_GITHUB_TOKEN`	--	Community skills
`GIT_USER`	--	Commit identity
`GIT_EMAIL`	--	Commit identity
`GIT_DEFAULT_BRANCH`	main	Default branch
`GIT_REMOTE_URL`	--	Repository URL

Logging & Debug

Variable	Default	Purpose
`EXECUTION_LOG_FILE`	--	Execution log path
`SCHEDULER_LOG_FILE`	--	Scheduler log path
`DEBUG`	--	General debug
`DEBUG_HTTP`	--	HTTP request logging
`DEBUG_UPLOADS`	--	Upload diagnostics
`DEBUG_PASSWORD_RESET`	--	Password reset debug
`DEBUG_AUTH`	--	Auth middleware debug
`SASHA_TRACE`	0	Session tracing
`VERBOSE_LOGGING`	--	Verbose output
`BEDROCK_DEBUG`	--	Bedrock debug

Docker & Deployment

Variable	Default	Purpose
`NODE_ENV`	--	Environment type
`HOST`	0.0.0.0	Bind address
`RUNNING_IN_DOCKER`	--	Docker flag
`USE_DOCKER_WORKSPACE`	--	Docker workspace mode
`DEPLOYMENT_PLATFORM`	--	Platform type
`BUILD_DOCS_ON_STARTUP`	--	Build docs at start

Feature Flags

Variable	Default	Purpose
`ENABLE_MESSAGE_STREAMING`	true	WebSocket streaming
`ENABLE_AUTO_SESSION_TITLES`	1	Auto-generate titles
`ENABLE_ACTIVITY_LOGGING`	enabled	Activity logging
`ENABLE_HOOK_ANALYTICS`	enabled	Hook event analytics
`DOCSIDECAR_ENABLED`	true	DocSidecar service
`MAX_FILE_SIZE`	50MB	Upload limit

Retention

Variable	Default	Purpose
`ACTIVITY_LOG_RETENTION_DAYS`	--	Activity log retention
`ACTIVITY_LOG_RETENTION_SWEEP_MS`	6 hours	Cleanup interval
`QUALITY_RETENTION_DAYS`	90	Quality signals retention
`QUALITY_RETENTION_SWEEP_MS`	--	Cleanup interval

Memory & Performance

Variable	Default	Purpose
`NODE_OPTIONS`	`--max-old-space-size=4096`	Heap size
`CONTAINER_MEMORY_MB`	--	Container memory
`MEMORY_BUDGET_WARNING_PCT`	--	Warning threshold
`MEMORY_BUDGET_CRITICAL_PCT`	--	Critical threshold
`MEMORY_BUDGET_KILL_PCT`	--	Kill threshold
`EVENT_LOOP_WARNING_MS`	--	Event loop warning
`EVENT_LOOP_CRITICAL_MS`	--	Event loop critical

Analytics

Variable	Default	Purpose
`VITE_POSTHOG_KEY`	--	PostHog analytics key
`VITE_POSTHOG_HOST`	`eu.i.posthog.com`	PostHog host

Least-Privilege Boundaries

Identity	Access Level	Scope
Regular user (JWT)	Read/write own project files, chat, skills	Per-deployment
Admin user (JWT)	All of above + user mgmt, AI config, analytics	Per-deployment
API key consumer	External APIs only (meetings, projects, tasks)	Per-key
Localhost (Claude CLI)	Cron execution, MCP listing, internal APIs	Container-local
GitHub Actions	GHCR push, Docker build	CI/CD only
AWS IAM (ECS)	ECR pull, EFS mount, CloudWatch logs	Per-service

Local Developer Profiles

Profile	Purpose	Config File
Local dev	Development	`claudecodeui/.env.local`
Docker dev	Local Docker testing	`docker-compose.yml` env section
Test	Integration tests	`claudecodeui/.env.test`