Environment And Production
Use environment-specific config files, inheritance, environment variables, and production defaults.
Config selection
GraphJin uses environment-specific files:
| Environment | File |
|---|---|
| development | dev.yml |
| production | prod.yml |
| agentic | agentic.yml |
GO_ENV=agentic requires agentic.yml; agentic configs can inherit production settings.

```yaml
# config/agentic.yml
inherits: prod
mode: agentic
sources:
  - name: graphjin
    kind: graphjin
    catalog: true
    metadata: true
    access:
      roots:
        gj_catalog: authenticated
        gj_security: admin
        gj_runtime: admin
```

Verified by
TestReadInConfigAgenticCanInheritProd
serv/serv_test.go:56

Production recommendations
| Setting | Development | Production |
|---|---|---|
| mode | dev | prod |
| web_ui | true | false |
| auth_fail_block | false | true |
| disable_allow_list | true | false |
| debug | true | false |
Verified by
TestNormalizeMode
core/validate_test.go:71
Verified by
TestNewConfigCatalogEnabledAutoProduction
serv/config_test.go:26

Production query model
Production should run reviewed saved queries and disable raw ad hoc operations unless a deployment deliberately opts out for a trusted environment.

```yaml
mode: prod
disable_production_security: false
mcp:
  allow_raw_queries: false
  allow_mutations: false
```

Environment variables
Secrets and connection strings should come from environment variables, not checked-in config.

```yaml
sources:
  - name: app
    kind: database
    type: postgres
    default: true
    connection_string: ${DATABASE_URL}
admin_secret_key: ${GJ_ADMIN_SECRET_KEY}
```

When updating config through the control plane, plaintext secret updates require keystore support; runtime events and errors should redact secrets before they reach the agent-facing graph.
Verified by
TestHandleUpdateCurrentConfig_RejectsPlaintextSecretWithoutKeystoreKey
serv/mcp_config_transaction_test.go:186
Verified by
TestGraphQLControlPlaneConfigRuntimeEventsAreRedacted
serv/control_plane_graphql_test.go:2234
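
A pre-deploy check for the production settings and the environment-variable rule above, added here as an example; it is not GraphJin code. `LintProdConfig`, the sample config and its values are constructed for illustration, and the scan is a flat line-based match on the keys named on this page, not a YAML parser.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Production values taken from the tables and snippets on this page.
var prodExpect = map[string]string{
	"mode": "prod", "web_ui": "false", "auth_fail_block": "true", "debug": "false",
	"disable_allow_list": "false", "disable_production_security": "false",
	"allow_raw_queries": "false", "allow_mutations": "false",
}

// Secret-bearing keys shown on this page; their values must be ${VAR} references.
var secretKeys = map[string]bool{"connection_string": true, "admin_secret_key": true}
var envRef = regexp.MustCompile(`^\$\{[A-Za-z_][A-Za-z0-9_]*\}$`)

// LintProdConfig (hypothetical helper) scans "key: value" lines; it ignores nesting and absent keys.
func LintProdConfig(yml string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(yml))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "- ")
		key, val, _ := strings.Cut(line, ":") // cuts at the first colon, so URLs stay whole
		key, val = strings.TrimSpace(key), strings.Trim(strings.TrimSpace(val), `"'`)
		if want, found := prodExpect[key]; found && val != want {
			findings = append(findings, fmt.Sprintf("line %d: %s is %q, want %q", n, key, val, want))
		}
		if secretKeys[key] && !envRef.MatchString(val) {
			findings = append(findings, fmt.Sprintf("line %d: %s is not a ${VAR} reference", n, key))
		}
	}
	return findings
}

// Constructed sample: a prod.yml with two leftover dev settings and an inline secret.
const sampleProd = `mode: prod
web_ui: true
mcp:
  allow_mutations: true
sources:
  - name: app
    connection_string: postgres://app:CONSTRUCTED@db.example.internal/app
admin_secret_key: ${GJ_ADMIN_SECRET_KEY}
`

func main() { fmt.Println(strings.Join(LintProdConfig(sampleProd), "\n")) }
```

Because the scan only checks keys that are present, a config that relies on defaults or on `inherits` still needs its parent file linted as well.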