Environment and configuration
Runtime readers use process environment first and local .env files as supported by each module. Keep .env server-side with restrictive permissions; the deploy workflow excludes it from repository upload. Never expose these values to browser code.
| Area | Important variables |
|---|---|
| Security | NPK_CRYPT_KEY (hex key for sealed provider/BYO secrets) |
| Public URLs | PUBLIC_BASE_URL, PUBLIC_APP_ORIGIN |
| Carrier/SMS | TELNYX_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, messaging profile/service IDs, COMMS_WEBHOOK_TOKEN, A2P_ENFORCE |
SENDGRID_API_KEY or SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, SMTP_FROM, SMTP_FROM_NAME | |
| LiveKit | LIVEKIT_URL, LIVEKIT_HTTP_URL, LIVEKIT_API_KEY, LIVEKIT_API_SECRET |
| AI | ANTHROPIC_API_KEY/CLAUDE_API_KEY, AI_MODEL, AI_GLOBAL_KILL, AI_DAILY_CAP_CENTS, AI_QA_MAX_PER_RUN, WHISPER_BIN, WHISPER_MODEL |
| Billing | BILLING_ENFORCE, BILLING_CHECKOUT_ENABLED, STRIPE_SECRET_KEY, Stripe price/product IDs, reservation TTL/grace |
| Booking/signup | GHL_PRIVATE_INTEGRATION_TOKEN, GHL location/calendar/timezone IDs, SIGNUP_ENABLED, RESEND_API_KEY, RESEND_FROM |
| Telephony/E2E | VICIDIAL_AMI_HOST, VICIDIAL_AMI_PORT, VICIDIAL_AMI_USER, VICIDIAL_AMI_SECRET; E2E bind/advertise overrides |
| Storage/ops | FIELD_UPLOAD_DIR, WAREHOUSE_DIR, ASTERISK_SOUNDS_DIR, QOS_BAD_ALERT_PCT |
Defaults in source are development conveniences, not production approval. Validate provider credentials and public webhook URLs with each module’s preflight/health path after deployment.
Implementation anchors: modern/shared/*_schema.php, carrier_providers.php, livekit.php, billing.php, stripe_billing.php, .github/workflows/deploy.yml, tests/e2e/docker-compose.yml.