Configuration Reference

Eric Fitzgerald edited this page Jun 12, 2026 · 13 revisions

Every TMI configuration key, grouped by category. See Configuration-Model for what the categories and columns mean.

Bootstrap settings

File/env only, read once at startup. Cannot come from the database.

| Key | Env var | Type | Default | Required | Secret | Description |
|---|---|---|---|---|---|---|
| auth.build_mode | TMI_BUILD_MODE | string | (none) | yes | no | Build mode (dev, test, production) |
| auth.jwt.secret | TMI_JWT_SECRET | string | (secret) | yes | yes | JWT signing secret |
| auth.jwt.signing_method | TMI_JWT_SIGNING_METHOD | string | HS256 | no | no | JWT signing method |
| database.connection_pool.conn_max_idle_time | TMI_DB_CONN_MAX_IDLE_TIME | int | 30 | no | no | Max connection idle time in seconds |
| database.connection_pool.conn_max_lifetime | TMI_DB_CONN_MAX_LIFETIME | int | 240 | no | no | Max connection lifetime in seconds |
| database.connection_pool.max_idle_conns | TMI_DB_MAX_IDLE_CONNS | int | 2 | no | no | Maximum idle database connections |
| database.connection_pool.max_open_conns | TMI_DB_MAX_OPEN_CONNS | int | 10 | no | no | Maximum open database connections |
| database.redis.db | TMI_REDIS_DB | int | 0 | no | no | Redis database number |
| database.redis.host | TMI_REDIS_HOST | string | localhost | no | no | Redis host |
| database.redis.password | TMI_REDIS_PASSWORD | string | (secret) | no | yes | Redis password |
| database.redis.port | TMI_REDIS_PORT | string | 6379 | no | no | Redis port |
| database.url | TMI_DATABASE_URL | string | (secret) | yes | yes | Database connection URL (password redacted) |
| logging.also_log_to_console | TMI_LOG_ALSO_LOG_TO_CONSOLE | bool | true | no | no | Also log to console |
| logging.cloud_error_threshold | TMI_LOG_CLOUD_ERROR_THRESHOLD | int | 5 | no | no | Cloud sink consecutive-failure threshold for one-shot Warn alarm (0 disables) |
| logging.is_dev | TMI_LOG_IS_DEV | bool | true | no | no | Development mode logging |
| logging.is_test | TMI_LOG_IS_TEST | bool | false | no | no | Test mode logging |
| logging.level | TMI_LOG_LEVEL | string | info | no | no | Log level |
| logging.log_api_requests | TMI_LOG_API_REQUESTS | bool | false | no | no | Log API requests |
| logging.log_api_responses | TMI_LOG_API_RESPONSES | bool | false | no | no | Log API responses |
| logging.log_dir | TMI_LOG_DIR | string | logs | no | no | Log directory |
| logging.log_websocket_messages | TMI_LOG_WEBSOCKET_MESSAGES | bool | false | no | no | Log WebSocket messages |
| logging.max_age_days | TMI_LOG_MAX_AGE_DAYS | int | 7 | no | no | Log max age in days |
| logging.max_backups | TMI_LOG_MAX_BACKUPS | int | 10 | no | no | Log max backup count |
| logging.max_size_mb | TMI_LOG_MAX_SIZE_MB | int | 100 | no | no | Log max size in MB |
| logging.redact_auth_tokens | TMI_LOG_REDACT_AUTH_TOKENS | bool | false | no | no | Redact auth tokens in logs |
| logging.suppress_unauthenticated_logs | TMI_LOG_SUPPRESS_UNAUTH_LOGS | bool | true | no | no | Suppress unauthenticated request logs |
| secrets.provider | TMI_SECRETS_PROVIDER | string | env | no | no | Secret provider type |
| secrets.vault_token | TMI_VAULT_TOKEN | string | (secret) | no | yes | HashiCorp Vault token |
| server.http_to_https_redirect | TMI_SERVER_HTTP_TO_HTTPS_REDIRECT | bool | true | no | no | HTTP to HTTPS redirect |
| server.idle_timeout | TMI_SERVER_IDLE_TIMEOUT | string | 1m0s | no | no | HTTP idle timeout |
| server.interface | TMI_SERVER_INTERFACE | string | 0.0.0.0 | yes | no | Network interface to bind to |
| server.port | TMI_SERVER_PORT | string | 8080 | yes | no | HTTP server port |
| server.read_timeout | TMI_SERVER_READ_TIMEOUT | string | 5s | no | no | HTTP read timeout |
| server.tls_enabled | TMI_SERVER_TLS_ENABLED | bool | false | no | no | TLS enabled |
| server.tls_subject_name | TMI_SERVER_TLS_SUBJECT_NAME | string | localhost | no | no | TLS certificate subject name |
| server.write_timeout | TMI_SERVER_WRITE_TIMEOUT | string | 10s | no | no | HTTP write timeout |

Operational settings

DB-backed, seeded from defaults on first run, editable at runtime via /admin/settings.

| Key | Type | Default | Mutability | Visibility | Secret | Description |
|---|---|---|---|---|---|---|
| auth.auto_promote_first_user | bool | false | hot | admin-only | no | Auto-promote first user to admin |
| auth.cookie.domain | string | (none) | hot | admin-only | no | Cookie domain |
| auth.cookie.enabled | bool | true | hot | admin-only | no | HttpOnly cookie-based auth enabled |
| auth.cookie.secure | bool | false | hot | admin-only | no | Require HTTPS for cookies |
| auth.everyone_is_a_reviewer | bool | false | hot | admin-only | no | Auto-add all users to Security Reviewers group |
| auth.jwt.expiration_seconds | int | 3600 | hot | admin-only | no | JWT token expiration in seconds |
| auth.jwt.refresh_token_days | int | 7 | hot | admin-only | no | Refresh token TTL in days |
| auth.jwt.session_lifetime_days | int | 7 | hot | admin-only | no | Absolute session lifetime in days |
| auth.oauth_callback_url | string | http://localhost:8080/oauth2/callback | hot | admin-only | no | OAuth callback URL |
| auth.step_up_window_seconds | int | 300 | hot | admin-only | no | Step-up auth_time freshness window in seconds for /admin/* writes (#355); minimum 60 |
| content_extractors.compressed_size_bytes | int | 20971520 | hot | admin-only | no | Max compressed upload size in bytes |
| content_extractors.decompressed_size_bytes | int | 52428800 | hot | admin-only | no | Max decompressed content size in bytes |
| content_extractors.markdown_size_bytes | int | 131072 | hot | admin-only | no | Max markdown output size in bytes |
| content_extractors.part_size_bytes | int | 20971520 | hot | admin-only | no | Max size of a single archive part in bytes |
| content_extractors.per_user_concurrency_default | int | 2 | hot | admin-only | no | Default max concurrent extractions per user |
| content_extractors.pptx_slides | int | 100 | hot | admin-only | no | Max number of PowerPoint slides to extract |
| content_extractors.wall_clock_budget | string | 30s | hot | admin-only | no | Max wall-clock time for a single extraction |
| content_extractors.xlsx_cells | int | 1000 | hot | admin-only | no | Max number of Excel cells to extract |
| content_sources.confluence.enabled | bool | false | hot | admin-only | no | Confluence content source enabled |
| content_sources.google_drive.enabled | bool | false | hot | admin-only | no | Google Drive content source enabled |
| content_sources.google_workspace.enabled | bool | false | hot | admin-only | no | Google Workspace content source enabled |
| content_sources.microsoft.enabled | bool | false | hot | admin-only | no | Microsoft content source enabled |
| features.saml_enabled | bool | false | hot | public | no | Enable SAML authentication |
| observability.enabled | bool | false | hot | admin-only | no | OpenTelemetry tracing enabled |
| observability.prometheus_port | int | 0 | hot | admin-only | no | Prometheus metrics port (0 = disabled) |
| observability.sampling_rate | string | 1 | hot | admin-only | no | OpenTelemetry trace sampling rate (0.0–1.0) |
| server.disable_rate_limiting | bool | false | hot | admin-only | no | Disable all rate limiting (dev/test only) |
| server.ratelimit_public_rpm | int | 0 | hot | admin-only | no | Requests per minute per IP for public endpoints |
| server.require_if_match | bool | false | hot | admin-only | no | Return 428 when If-Match header is missing on PUT/PATCH |
| session.timeout_minutes | int | 60 | hot | admin-only | no | JWT token expiration in minutes |
| timmy.chunk_overlap | int | 50 | hot | admin-only | no | Embedding chunk overlap |
| timmy.chunk_size | int | 512 | hot | admin-only | no | Embedding chunk size |
| timmy.code_embedding_api_key | string | (secret) | hot | admin-only | yes | Code embedding API key |
| timmy.code_embedding_base_url | string | (none) | hot | admin-only | no | Code embedding API base URL |
| timmy.code_embedding_model | string | (none) | hot | admin-only | no | Code embedding model |
| timmy.code_embedding_provider | string | (none) | hot | admin-only | no | Code embedding provider |
| timmy.code_retrieval_top_k | int | 10 | hot | admin-only | no | Code retrieval top-k results |
| timmy.dump_extracted_text_to_note | bool | false | hot | admin-only | no | Dump extracted text to note (dev/test only) |
| timmy.embedding_cleanup_interval_minutes | int | 60 | hot | admin-only | no | Embedding cleanup interval in minutes |
| timmy.embedding_dimension | int | 0 | hot | admin-only | no | Text embedding vector dimension — shared invariant |
| timmy.embedding_idle_days_active | int | 30 | hot | admin-only | no | Days before idle active-TM embeddings are cleaned up |
| timmy.embedding_idle_days_closed | int | 7 | hot | admin-only | no | Days before idle closed-TM embeddings are cleaned up |
| timmy.enabled | bool | false | hot | admin-only | no | Timmy AI assistant enabled |
| timmy.inactivity_timeout_seconds | int | 3600 | hot | admin-only | no | Session inactivity timeout in seconds |
| timmy.llm_api_key | string | (secret) | hot | admin-only | yes | LLM API key |
| timmy.llm_base_url | string | (none) | hot | admin-only | no | LLM API base URL |
| timmy.llm_model | string | (none) | hot | admin-only | no | LLM model |
| timmy.llm_provider | string | (none) | hot | admin-only | no | LLM provider |
| timmy.llm_timeout_seconds | int | 120 | hot | admin-only | no | LLM request timeout in seconds |
| timmy.max_concurrent_llm_requests | int | 10 | hot | admin-only | no | Max concurrent LLM requests |
| timmy.max_conversation_history | int | 50 | hot | admin-only | no | Max conversation history entries |
| timmy.max_memory_mb | int | 256 | hot | admin-only | no | Max memory in MB |
| timmy.max_messages_per_user_per_hour | int | 60 | hot | admin-only | no | Max messages per user per hour |
| timmy.max_sessions_per_threat_model | int | 50 | hot | admin-only | no | Max Timmy sessions per threat model |
| timmy.operator_system_prompt | string | (none) | hot | admin-only | no | Operator system prompt override |
| timmy.query_decomposition_enabled | bool | false | hot | admin-only | no | Query decomposition enabled |
| timmy.rerank_api_key | string | (secret) | hot | admin-only | yes | Reranker API key |
| timmy.rerank_base_url | string | (none) | hot | admin-only | no | Reranker API base URL |
| timmy.rerank_model | string | (none) | hot | admin-only | no | Reranker model |
| timmy.rerank_provider | string | (none) | hot | admin-only | no | Reranker provider |
| timmy.rerank_top_k | int | 10 | hot | admin-only | no | Reranker top-k results |
| timmy.text_embedding_api_key | string | (secret) | hot | admin-only | yes | Text embedding API key |
| timmy.text_embedding_base_url | string | (none) | hot | admin-only | no | Text embedding API base URL — shared invariant |
| timmy.text_embedding_model | string | (none) | hot | admin-only | no | Text embedding model — shared invariant between ingest and query |
| timmy.text_embedding_provider | string | (none) | hot | admin-only | no | Text embedding provider |
| timmy.text_retrieval_top_k | int | 10 | hot | admin-only | no | Text retrieval top-k results |
| webhooks.allow_http_targets | bool | false | hot | admin-only | no | Allow non-HTTPS webhook target URLs (intra-cluster use only) |
| websocket.inactivity_timeout_seconds | int | 300 | hot | admin-only | no | WebSocket inactivity timeout in seconds |

Audit retention settings

File/env only, read once at startup. Changing these requires a server restart — the retention floors are baked into the append-only database triggers at boot.

| Key | Env var | Type | Default | Min | Description |
|---|---|---|---|---|---|
| audit.retention_days | AUDIT_RETENTION_DAYS | int | 365 | 30 (hard) | Days to retain audit_entries rows; trigger floor = configured − 1, hard min 30 |
| audit.version_retention_days | VERSION_RETENTION_DAYS | int | 90 | 7 (hard) | Days to retain version_snapshots rows; trigger floor = min(VERSION_RETENTION_DAYS, TOMBSTONE_RETENTION_DAYS) − 1, hard min 7 |
| audit.version_retention_count | VERSION_RETENTION_COUNT | int | 50 | | Max snapshots per object (count-based pruning; never targets rows younger than VERSION_RETENTION_DAYS) |
| audit.tombstone_retention_days | TOMBSTONE_RETENTION_DAYS | int | 30 | | Days to retain soft-deleted sub-resources before purge; contributes to version_snapshots trigger floor |
| audit.system_audit_retention_days | SYSTEM_AUDIT_RETENTION_DAYS | int | 365 | 90 (hard) | Days to retain system_audit_entries rows; trigger floor = configured − 1, hard min 90 |

See Maintenance-Tasks#audit-retention-and-immutability for how these interact with the append-only triggers.

Alerting settings

File/env only, read once at startup. Configures the operator-pinned audit alert sink (T7). See Webhook-Integration#operator-pinned-alert-sink.

| Key | Env var | Type | Default | Secret | Description |
|---|---|---|---|---|---|
| alerting.enabled | TMI_ALERTING_ENABLED | bool | false | no | Enable the operator-pinned system audit webhook subscription |
| alerting.webhook_url | TMI_ALERTING_WEBHOOK_URL | string | (none) | no | Destination URL for system_audit.admin_write events (HTTPS required) |
| alerting.webhook_secret | TMI_ALERTING_WEBHOOK_SECRET | string | (secret) | yes | HMAC signing secret; resolvable via the configured secrets provider |
