# 17. IAM & Secrets

## Application Secrets

| Secret | Env Variable | Storage | Rotation |
|--------|-------------|---------|----------|
| Anthropic API key | `ANTHROPIC_API_KEY` | Environment variable | Manual, restart required |
| JWT signing secret | `JWT_SECRET` | Environment variable | Manual, invalidates all tokens |
| Session secret | `SESSION_SECRET` | Environment variable | Manual, restart required |
| Postmark token | `POSTMARK_SERVER_TOKEN` | Environment variable | Manual, restart required |
| GitHub token | `GITHUB_TOKEN` | Environment variable | Manual |
| Sasha GitHub token | `SASHA_GITHUB_TOKEN` | Environment variable | Manual |

## Encrypted Secrets (In Database)

| Secret | Table | Encryption |
|--------|-------|-----------|
| AWS Bedrock API key | `bedrock_config.api_key_encrypted` | AES-256-GCM |
| Cloud OAuth refresh tokens | `cloud_credentials.refresh_token_encrypted` | AES-256-GCM |
| Cloud OAuth access tokens | `cloud_credentials.access_token_encrypted` | AES-256-GCM |
| Named secrets | `named_secrets.value_encrypted` | AES-256-GCM |

**Encryption utility:** `server/utils/encryption.js`

## API Keys

| Key Type | Format | Storage | Auth Method |
|----------|--------|---------|------------|
| User API keys | `sk_<random>` | bcrypt hash in `api_keys.key_hash` | `X-API-Key` header |
| Signing secrets | Random string | Plaintext in `api_keys.signing_secret` | HMAC callback verification |

## Cloud Provider Identities

### AWS (for Bedrock)

| Variable | Purpose |
|----------|---------|
| `AWS_REGION` | AWS region (default us-east-1) |
| `AWS_ACCESS_KEY_ID` | IAM access key |
| `AWS_SECRET_ACCESS_KEY` | IAM secret key |
| `AWS_SESSION_TOKEN` | Session token (if using STS) |
| `AWS_BEARER_TOKEN_BEDROCK` | Service bearer token |

### AWS (for ECS Deployment)

| Resource | Account | Details |
|----------|---------|---------|
| ECS cluster | 748732838505 | `hirebest` cluster in us-east-2 |
| ECR repository | 748732838505 | `sasha-aesop4` |
| EFS volumes | 748732838505 | Persistent storage for `/home/sasha` and `/app/data` |
| ALB | 748732838505 | HTTPS termination with ACM wildcard cert |

### GitHub (for CI/CD)

| Secret | Purpose |
|--------|---------|
| `GITHUB_TOKEN` | Package publishing to GHCR |
| Repository secrets | Docker build, image push |

### rclone (Cloud Drives)

| Variable | Purpose |
|----------|---------|
| `RCLONE_RC_USER` | RC API authentication |
| `RCLONE_RC_PASS` | RC API authentication |

## Complete Environment Variable Inventory

### Critical (Required for Operation)

| Variable | Default | Purpose |
|----------|---------|---------|
| `ANTHROPIC_API_KEY` | -- | Claude API access |
| `PORT` | 3005 | Server port |
| `DB_PATH` | `/app/data/sasha.db` | Database file location |

### Security

| Variable | Default | Purpose |
|----------|---------|---------|
| `JWT_SECRET` | Hardcoded dev value | JWT signing |
| `SESSION_SECRET` | -- | Session encryption |
| `HELMET_ENABLED` | true | Security headers |
| `RATE_LIMIT_ENABLED` | true | Rate limiting |
| `RATE_LIMIT_MAX` | 100 | Requests per window |
| `RATE_LIMIT_WINDOW_MS` | 900000 | Rate limit window (15 min) |
| `HEALTH_CHECK_SECRET` | -- | Health check auth |
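
The table notes that `JWT_SECRET` falls back to a hardcoded dev value. As an added example (not the project's startup code), the check below validates the Security variables at boot and refuses to start in production when a fatal finding is present. The dev-secret placeholder string, the 32-byte minimum, and the severity assignments are assumptions made for the example.

```javascript
// Added example, not the project's code. DEV_JWT_SECRET_PLACEHOLDER stands in
// for whatever hardcoded dev value the real server uses.
const DEV_JWT_SECRET_PLACEHOLDER = 'dev-only-jwt-secret-CHANGE-ME';
const MIN_SECRET_BYTES = 32; // assumed minimum for signing/session secrets

function parseBool(value, fallback) {
  if (value === undefined || value === '') return fallback;
  return !['false', '0', 'off', 'no'].includes(String(value).trim().toLowerCase());
}

// Returns the parsed value, the fallback when unset, or NaN when invalid.
function parsePositiveInt(value, fallback) {
  if (value === undefined || value === '') return fallback;
  const n = Number(value);
  return Number.isInteger(n) && n > 0 ? n : NaN;
}

// Returns a list of findings {level, var, msg}; empty means nothing to report.
function checkSecurityEnv(env) {
  const prod = env.NODE_ENV === 'production';
  const fatalInProd = prod ? 'fatal' : 'warn';
  const findings = [];
  const add = (level, name, msg) => findings.push({ level, var: name, msg });

  const jwt = env.JWT_SECRET || DEV_JWT_SECRET_PLACEHOLDER;
  if (jwt === DEV_JWT_SECRET_PLACEHOLDER) {
    add(fatalInProd, 'JWT_SECRET', 'using the hardcoded dev value');
  } else if (Buffer.byteLength(jwt, 'utf8') < MIN_SECRET_BYTES) {
    add(fatalInProd, 'JWT_SECRET', `shorter than ${MIN_SECRET_BYTES} bytes`);
  }

  if (!env.SESSION_SECRET) {
    add(fatalInProd, 'SESSION_SECRET', 'not set');
  } else if (Buffer.byteLength(env.SESSION_SECRET, 'utf8') < MIN_SECRET_BYTES) {
    add(fatalInProd, 'SESSION_SECRET', `shorter than ${MIN_SECRET_BYTES} bytes`);
  }

  if (prod && !parseBool(env.HELMET_ENABLED, true)) add('fatal', 'HELMET_ENABLED', 'security headers disabled in production');
  if (prod && !parseBool(env.RATE_LIMIT_ENABLED, true)) add('warn', 'RATE_LIMIT_ENABLED', 'rate limiting disabled in production');

  if (Number.isNaN(parsePositiveInt(env.RATE_LIMIT_MAX, 100))) add('fatal', 'RATE_LIMIT_MAX', 'must be a positive integer');
  if (Number.isNaN(parsePositiveInt(env.RATE_LIMIT_WINDOW_MS, 900000))) add('fatal', 'RATE_LIMIT_WINDOW_MS', 'must be a positive integer (ms)');

  if (prod && !env.HEALTH_CHECK_SECRET) add('warn', 'HEALTH_CHECK_SECRET', 'not set');
  return findings;
}

// Fail closed: throw on any fatal finding, otherwise return the warnings.
function assertBootable(env) {
  const findings = checkSecurityEnv(env);
  const fatal = findings.filter((f) => f.level === 'fatal');
  if (fatal.length) {
    throw new Error('refusing to start: ' + fatal.map((f) => `${f.var} ${f.msg}`).join('; '));
  }
  return findings;
}
```

Run `assertBootable(process.env)` before the HTTP listener is created; in development the same findings are only warnings, so the dev default keeps working locally while a production container with the default secret never comes up.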

### Paths

| Variable | Default | Purpose |
|----------|---------|---------|
| `SHARED_ROOT` | Platform-dependent | Base path for all derived paths |
| `DOCS_PATH` | Derived from SHARED_ROOT | Knowledge base docs |
| `PROJECTS_PATH` | Derived from SHARED_ROOT | Project directories |
| `CLAUDE_HOME` | -- | Claude CLI config directory |
| `CLAUDE_MD_PATH` | -- | CLAUDE.md file location |
| `CONFIG_DIR` | -- | Configuration directory |
| `UPLOADS_PATH` | -- | File uploads directory |
| `CLOUD_MOUNT_ROOT` | -- | Cloud mount points |
| `CLOUD_CACHE_ROOT` | -- | Cloud cache location |

### AI Configuration

| Variable | Default | Purpose |
|----------|---------|---------|
| `ANTHROPIC_CUSTOM_HEADERS` | -- | Beta feature headers |
| `ANTHROPIC_BETAS` | -- | Beta flag list |
| `CLAUDE_CODE_USE_BEDROCK` | -- | Enable Bedrock backend |
| `CLAUDE_CODE_ACTIVE_MODEL` | -- | Selected model |
| `CLAUDE_CODE_ACTIVE_PROVIDER` | -- | Provider selection |
| `CLAUDE_CODE_MAX_OUTPUT_TOKENS` | -- | Token limit |
| `MAX_THINKING_TOKENS` | -- | Extended thinking limit |
| `BEDROCK_EXTENDED_CONTEXT` | -- | 1M context toggle |
| `BEDROCK_DEBUG` | -- | Bedrock debug logging |

### Email (Postmark)

| Variable | Default | Purpose |
|----------|---------|---------|
| `POSTMARK_SERVER_TOKEN` | -- | API authentication |
| `POSTMARK_FROM_EMAIL` | -- | Sender address |
| `POSTMARK_FROM_NAME` | -- | Sender display name |
| `POSTMARK_MESSAGE_STREAM` | -- | Stream ID |
| `POSTMARK_RESET_TEMPLATE_ALIAS` | -- | Password reset template |
| `POSTMARK_WELCOME_TEMPLATE_ALIAS` | -- | Welcome template |
| `POSTMARK_SUPPORT_URL` | -- | Support link in emails |

### Git

| Variable | Default | Purpose |
|----------|---------|---------|
| `GITHUB_TOKEN` | -- | GitHub API |
| `SASHA_GITHUB_TOKEN` | -- | Community skills |
| `GIT_USER` | -- | Commit identity |
| `GIT_EMAIL` | -- | Commit identity |
| `GIT_DEFAULT_BRANCH` | main | Default branch |
| `GIT_REMOTE_URL` | -- | Repository URL |

### Logging & Debug

| Variable | Default | Purpose |
|----------|---------|---------|
| `EXECUTION_LOG_FILE` | -- | Execution log path |
| `SCHEDULER_LOG_FILE` | -- | Scheduler log path |
| `DEBUG` | -- | General debug |
| `DEBUG_HTTP` | -- | HTTP request logging |
| `DEBUG_UPLOADS` | -- | Upload diagnostics |
| `DEBUG_PASSWORD_RESET` | -- | Password reset debug |
| `DEBUG_AUTH` | -- | Auth middleware debug |
| `SASHA_TRACE` | 0 | Session tracing |
| `VERBOSE_LOGGING` | -- | Verbose output |
| `BEDROCK_DEBUG` | -- | Bedrock debug |

### Docker & Deployment

| Variable | Default | Purpose |
|----------|---------|---------|
| `NODE_ENV` | -- | Environment type |
| `HOST` | 0.0.0.0 | Bind address |
| `RUNNING_IN_DOCKER` | -- | Docker flag |
| `USE_DOCKER_WORKSPACE` | -- | Docker workspace mode |
| `DEPLOYMENT_PLATFORM` | -- | Platform type |
| `BUILD_DOCS_ON_STARTUP` | -- | Build docs at start |

### Feature Flags

| Variable | Default | Purpose |
|----------|---------|---------|
| `ENABLE_MESSAGE_STREAMING` | true | WebSocket streaming |
| `ENABLE_AUTO_SESSION_TITLES` | 1 | Auto-generate titles |
| `ENABLE_ACTIVITY_LOGGING` | enabled | Activity logging |
| `ENABLE_HOOK_ANALYTICS` | enabled | Hook event analytics |
| `DOCSIDECAR_ENABLED` | true | DocSidecar service |
| `MAX_FILE_SIZE` | 50MB | Upload limit |

### Retention

| Variable | Default | Purpose |
|----------|---------|---------|
| `ACTIVITY_LOG_RETENTION_DAYS` | -- | Activity log retention |
| `ACTIVITY_LOG_RETENTION_SWEEP_MS` | 6 hours | Cleanup interval |
| `QUALITY_RETENTION_DAYS` | 90 | Quality signals retention |
| `QUALITY_RETENTION_SWEEP_MS` | -- | Cleanup interval |

### Memory & Performance

| Variable | Default | Purpose |
|----------|---------|---------|
| `NODE_OPTIONS` | `--max-old-space-size=4096` | Heap size |
| `CONTAINER_MEMORY_MB` | -- | Container memory |
| `MEMORY_BUDGET_WARNING_PCT` | -- | Warning threshold |
| `MEMORY_BUDGET_CRITICAL_PCT` | -- | Critical threshold |
| `MEMORY_BUDGET_KILL_PCT` | -- | Kill threshold |
| `EVENT_LOOP_WARNING_MS` | -- | Event loop warning |
| `EVENT_LOOP_CRITICAL_MS` | -- | Event loop critical |

### Analytics

| Variable | Default | Purpose |
|----------|---------|---------|
| `VITE_POSTHOG_KEY` | -- | PostHog analytics key |
| `VITE_POSTHOG_HOST` | `eu.i.posthog.com` | PostHog host |

## Least-Privilege Boundaries

| Identity | Access Level | Scope |
|----------|-------------|-------|
| Regular user (JWT) | Read/write own project files, chat, skills | Per-deployment |
| Admin user (JWT) | All of the above + user management, AI config, analytics | Per-deployment |
| API key consumer | External APIs only (meetings, projects, tasks) | Per-key |
| Localhost (Claude CLI) | Cron execution, MCP listing, internal APIs | Container-local |
| GitHub Actions | GHCR push, Docker build | CI/CD only |
| AWS IAM (ECS) | ECR pull, EFS mount, CloudWatch logs | Per-service |

## Local Developer Profiles

| Profile | Purpose | Config File |
|---------|---------|------------|
| Local dev | Development | `claudecodeui/.env.local` |
| Docker dev | Local Docker testing | `docker-compose.yml` env section |
| Test | Integration tests | `claudecodeui/.env.test` |
