# OpenSRE example environment # # Fast path: # 1. Set `LLM_PROVIDER` and the matching API key below. # 2. Run `opensre onboard` for guided local setup. # 3. Configure one integration with `opensre integrations setup `. # 4. Verify with `opensre health` and `opensre integrations verify `. # # `~/.config/opensre/integrations.json` is the preferred local integration store. # The env vars below are still supported as fallback/direct configuration. # --- Most important --------------------------------------------------------- # Provider used for LLM calls. Common values: anthropic, openai, openrouter, # deepseek, gemini, nvidia, minimax, bedrock, ollama, codex, claude-code, # opencode, kimi, copilot, antigravity-cli. LLM_PROVIDER=anthropic # Codex CLI works for `opensre investigate` after `codex login`. # Leave CODEX_MODEL empty to use the CLI's currently configured model. CODEX_MODEL= CODEX_BIN= # Claude Code CLI works for `opensre investigate` after `claude login` or setting ANTHROPIC_API_KEY. # Install: npm i -g @anthropic-ai/claude-code # Leave CLAUDE_CODE_MODEL empty to use the CLI's currently configured model. CLAUDE_CODE_MODEL= CLAUDE_CODE_BIN= # Gemini CLI works for `opensre investigate` after `gemini` auth setup. # Install: npm i -g @google/gemini-cli # Leave GEMINI_CLI_MODEL empty to use the CLI's configured default model. GEMINI_CLI_MODEL= GEMINI_CLI_BIN= # Antigravity CLI (agy) works for `opensre investigate` after running `agy` # (browser OAuth on first run; token cached by OS keyring). # Install: curl -fsSL https://antigravity.google/cli/install.sh | bash # Leave ANTIGRAVITY_CLI_MODEL empty to use agy's currently configured model. # Note: ANTIGRAVITY_CLI_MODEL is forward-compat; agy v1.0.2 does not yet expose # --model in headless mode. Switch models interactively via `/models` inside agy. ANTIGRAVITY_CLI_MODEL= ANTIGRAVITY_CLI_BIN= # ANTIGRAVITY_CLI_TIMEOUT_SECONDS= # OpenCode CLI works for `opensre investigate` after `opencode auth login`. # Leave OPENCODE_MODEL empty to use the CLI's currently configured model OPENCODE_MODEL= OPENCODE_BIN= # Cursor Agent CLI # Leave CURSOR_MODEL empty to use the CLI's currently configured model. CURSOR_MODEL= CURSOR_BIN= # Kimi Code CLI works for `opensre investigate` after `kimi login`. # Leave KIMI_MODEL empty to use the CLI's currently configured model. KIMI_MODEL= KIMI_BIN= KIMI_API_KEY= # KIMI_SHARE_DIR=~/.kimi # GitHub Copilot CLI works for `opensre investigate` after running `copilot` # and authenticating with the interactive `/login` slash command. # Install: npm i -g @github/copilot # Leave COPILOT_MODEL empty to use the CLI's currently configured model. COPILOT_MODEL= COPILOT_BIN= # Optional auth fallbacks (only used when no stored Copilot CLI login exists): # COPILOT_GITHUB_TOKEN= # GH_TOKEN= # GITHUB_TOKEN= # Optional config dir override (default: ~/.copilot): # COPILOT_HOME= # xAI Grok Build CLI works for `opensre investigate` after `grok login`, # or set XAI_API_KEY for headless/CI use. # Install: curl -fsSL https://x.ai/cli/install.sh | bash # Leave GROK_CLI_MODEL empty to use the CLI's currently configured model. GROK_CLI_MODEL= GROK_CLI_BIN= XAI_API_KEY= # Optional xAI API base URL override. # XAI_BASE_URL= # Optional exec timeout in seconds (clamped 30-600; default 300). # GROK_CLI_TIMEOUT_SECONDS= # --- Pi coding tool (lets OpenSRE submit coding tasks to the Pi agent) --- # Separate from using Pi as an LLM provider. This tool edits the working tree # and returns a diff; it never commits or pushes. Mutating + approval-required, # so it is OFF unless PI_CODING_ENABLED is truthy. Install: npm i -g @earendil-works/pi-coding-agent # PI_CODING_ENABLED=1 # PI_CODING_MODEL=anthropic/claude-haiku-4-5 # PI_CODING_WORKSPACE= # Optional per-task timeout in seconds (clamped 60-1800; default 600). # PI_CODING_TIMEOUT_SECONDS= # --- Fix a Sentry issue (paste a Sentry issue URL, Pi proposes the fix) --- # Resolves the issue from Sentry (needs SENTRY_ORG_SLUG + SENTRY_AUTH_TOKEN below) # and runs the Pi coding agent in the current repo. Returns a diff for review. # OFF unless PI_ISSUE_FIX_ENABLED is truthy. Reuses the PI_CODING_MODEL / # PI_CODING_WORKSPACE / PI_CODING_TIMEOUT_SECONDS settings. # PI_ISSUE_FIX_ENABLED=1 # Maximum tokens for LLM responses (default: 4096). LLM_MAX_TOKENS=4096 # LLM transport: unset or "sdk" for native vendor SDKs; "litellm" routes all API providers # through LiteLLM (anthropic, openai, bedrock, and OpenAI-compatible endpoints). # CLI-backed providers (codex, claude-code, etc.) are unaffected. # OPENSRE_LLM_TRANSPORT=litellm # Set the key for the provider you choose above. ANTHROPIC_API_KEY= ANTHROPIC_REASONING_MODEL= ANTHROPIC_CLASSIFICATION_MODEL= ANTHROPIC_TOOLCALL_MODEL= OPENAI_API_KEY= OPENAI_REASONING_MODEL= OPENAI_CLASSIFICATION_MODEL= OPENAI_TOOLCALL_MODEL= # OpenRouter supports many hosted models behind one API key. OPENROUTER_API_KEY= OPENROUTER_MODEL= OPENROUTER_REASONING_MODEL= OPENROUTER_CLASSIFICATION_MODEL= OPENROUTER_TOOLCALL_MODEL= # DeepSeek official API (OpenAI-compatible endpoint). DEEPSEEK_API_KEY= DEEPSEEK_MODEL= DEEPSEEK_REASONING_MODEL= DEEPSEEK_CLASSIFICATION_MODEL= DEEPSEEK_TOOLCALL_MODEL= # Gemini uses the OpenAI-compatible endpoint in this project. GEMINI_API_KEY= GEMINI_MODEL= GEMINI_REASONING_MODEL= GEMINI_CLASSIFICATION_MODEL= GEMINI_TOOLCALL_MODEL= # NVIDIA NIM / hosted inference. NVIDIA_API_KEY= NVIDIA_MODEL= NVIDIA_REASONING_MODEL= NVIDIA_CLASSIFICATION_MODEL= NVIDIA_TOOLCALL_MODEL= # Amazon Bedrock — set `LLM_PROVIDER=bedrock` above. Uses the same AWS credential # chain as the AWS integration block below (region, keys, or IAM role). No LLM API key. BEDROCK_REASONING_MODEL= BEDROCK_CLASSIFICATION_MODEL= BEDROCK_TOOLCALL_MODEL= # Ollama (local) OLLAMA_MODEL= OLLAMA_HOST=http://localhost:11434 # MiniMax MINIMAX_API_KEY= MINIMAX_MODEL= MINIMAX_REASONING_MODEL= MINIMAX_CLASSIFICATION_MODEL= MINIMAX_TOOLCALL_MODEL= # Groq GROQ_API_KEY= GROQ_MODEL= GROQ_REASONING_MODEL= GROQ_CLASSIFICATION_MODEL= GROQ_TOOLCALL_MODEL= # Azure OpenAI (routes via LiteLLM; model values are deployment names in your resource) AZURE_OPENAI_BASE_URL= AZURE_OPENAI_API_KEY= AZURE_OPENAI_API_VERSION=2024-10-21 AZURE_OPENAI_REASONING_MODEL= AZURE_OPENAI_CLASSIFICATION_MODEL= AZURE_OPENAI_TOOLCALL_MODEL= # --- First integrations to set up ------------------------------------------ # For a first real RCA run, one of Grafana / Datadog / Honeycomb / Coralogix # is usually enough. Prefer `opensre integrations setup ` when local. # Grafana # For `make grafana-local-up`, use `http://localhost:3000` and any placeholder # token such as `local`. GRAFANA_READ_TOKEN= GRAFANA_INSTANCE_URL= GRAFANA_LOKI_DATASOURCE_UID= GRAFANA_TEMPO_DATASOURCE_UID= # Optional multi-instance override. When set, this takes precedence over the # single-instance Grafana vars above. # GRAFANA_INSTANCES='[ # {"name":"prod","tags":{"env":"prod"},"endpoint":"https://prod.grafana.net","api_key":"..."} # ]' GRAFANA_INSTANCES= # Argo CD (read-only REST API integration) # Use exactly one auth method: ARGOCD_AUTH_TOKEN/ARGOCD_TOKEN or username/password. ARGOCD_BASE_URL= ARGOCD_AUTH_TOKEN= ARGOCD_TOKEN= ARGOCD_USERNAME= ARGOCD_PASSWORD= ARGOCD_PROJECT= ARGOCD_APP_NAMESPACE= ARGOCD_VERIFY_SSL=true # Multi-instance Argo CD (optional). When set, takes precedence over the # single-instance ARGOCD_* vars above. See docs/multi-instance-integrations.mdx. # ARGOCD_INSTANCES='[{"name":"prod","base_url":"https://argocd.example.com","bearer_token":"***","project":"default"}]' ARGOCD_INSTANCES= # Helm 3 (read-only CLI — list/status/history/get values/get manifest) # Requires OSRE_HELM_INTEGRATION=1 (or true/yes) to activate from env. OSRE_HELM_INTEGRATION= HELM_PATH=helm HELM_KUBE_CONTEXT= HELM_KUBECONFIG= HELM_NAMESPACE= # Optional: cap manifest size from helm get manifest (integer, min 1024; default 600000). # HELM_MANIFEST_MAX_CHARS= # Datadog DD_API_KEY= DD_APP_KEY= DD_SITE=datadoghq.com # Optional multi-instance override. # DD_INSTANCES='[{"name":"prod","api_key":"...","app_key":"...","site":"datadoghq.com"}]' DD_INSTANCES= # groundcover # Read-only service-account token (Bearer). GROUNDCOVER_MCP_TOKEN is accepted as an alias. GROUNDCOVER_API_KEY= GROUNDCOVER_MCP_URL=https://mcp.groundcover.com/api/mcp # Optional routing — only needed for multi-workspace / multi-backend accounts. GROUNDCOVER_TENANT_UUID= GROUNDCOVER_BACKEND_ID= GROUNDCOVER_TIMEZONE=UTC # Optional multi-instance override. # GROUNDCOVER_INSTANCES='[{"name":"prod","api_key":"...","tenant_uuid":"...","backend_id":"..."}]' GROUNDCOVER_INSTANCES= # Honeycomb # `HONEYCOMB_DATASET` can be a dataset slug or `__all__`. HONEYCOMB_API_KEY= HONEYCOMB_DATASET=__all__ HONEYCOMB_API_URL=https://api.honeycomb.io # Optional multi-instance override. # HONEYCOMB_INSTANCES='[{"name":"prod","api_key":"...","dataset":"__all__"}]' HONEYCOMB_INSTANCES= # Coralogix CORALOGIX_API_KEY= CORALOGIX_API_URL=https://api.coralogix.com CORALOGIX_APPLICATION_NAME= CORALOGIX_SUBSYSTEM_NAME= # Optional multi-instance override. # CORALOGIX_INSTANCES='[{"name":"prod","api_key":"...","base_url":"https://api.coralogix.com"}]' CORALOGIX_INSTANCES= # SigNoz (Query API — logs, metrics, traces) # Local Docker stack: http://localhost:8080 (see docs/signoz.mdx) # API key: Settings → Service Accounts → Keys SIGNOZ_URL= SIGNOZ_API_KEY= # Grafana Tempo (standalone — direct HTTP API, no Grafana datasource proxy) # Default local Tempo HTTP port is 3200. Auth is optional: provide either # TEMPO_API_KEY (bearer token) OR TEMPO_USERNAME/TEMPO_PASSWORD (basic auth), # not both. TEMPO_ORG_ID is only needed for multi-tenant deployments. TEMPO_URL= TEMPO_API_KEY= TEMPO_USERNAME= TEMPO_PASSWORD= TEMPO_ORG_ID= # Temporal (self-hosted only — talks to the Temporal HTTP API, not gRPC or Cloud) # Point TEMPORAL_API_URL at the frontend HTTP port (default 7243), not the gRPC # port (7233) or Web UI (8233). TEMPORAL_NAMESPACE defaults to "default". # TEMPORAL_API_KEY is optional — leave empty for unauthenticated self-hosted clusters. TEMPORAL_API_URL= TEMPORAL_NAMESPACE=default TEMPORAL_API_KEY= # AWS AWS_REGION=us-east-1 AWS_ROLE_ARN= AWS_EXTERNAL_ID= AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_SESSION_TOKEN= # Optional multi-instance override. # AWS_INSTANCES='[ # {"name":"prod","tags":{"account":"prod"},"role_arn":"arn:aws:iam::111:role/opensre"} # ]' AWS_INSTANCES= # GitHub MCP GITHUB_MCP_URL= GITHUB_MCP_MODE=streamable-http GITHUB_MCP_COMMAND= GITHUB_MCP_ARGS= GITHUB_MCP_AUTH_TOKEN= GITHUB_MCP_TOOLSETS=repos,issues,pull_requests,actions,search # Optional: 5-500, default 50. # OPENSRE_GITHUB_MCP_REPO_PROBE_LIMIT= # Sentry # Runtime error monitoring for OpenSRE itself uses the project Sentry DSN constant. # Optional: override for operator-side DSN rotation without rebuilding. # OPENSRE_SENTRY_DSN= SENTRY_ERROR_SAMPLE_RATE=1.0 SENTRY_TRACES_SAMPLE_RATE=1.0 OPENSRE_SENTRY_DISABLED=0 OPENSRE_SENTRY_LOGGING_DISABLED=0 # Tag value attached to Sentry events to identify how this process is deployed. # Common values: railway, ec2, vercel, local. Defaults to "local" when unset. # OPENSRE_DEPLOYMENT_METHOD=local # Interactive-shell prompt logging (for local eval mining + PostHog LLM analytics). # Set OPENSRE_PROMPT_LOG_DISABLED=1 to disable prompt/response logging entirely. OPENSRE_PROMPT_LOG_DISABLED=0 # Disable only local JSONL prompt log file. OPENSRE_PROMPT_LOG_LOCAL_DISABLED=0 # Redact prompt/response content (known token shapes) before local or PostHog # sinks. On by default — set to 0 to log/send raw, unredacted content. OPENSRE_PROMPT_LOG_REDACT=1 # Optional override for local prompt log path (default ~/.config/opensre/prompt_log.jsonl). # OPENSRE_PROMPT_LOG_PATH= # Sentry investigation integration SENTRY_URL=https://sentry.io SENTRY_ORG_SLUG= SENTRY_PROJECT_SLUG= SENTRY_AUTH_TOKEN= # Slack delivery and Slack-thread investigation context SLACK_WEBHOOK_URL= SLACK_BOT_TOKEN= # SLACK_ACCESS_TOKEN= # --- Additional RCA integrations ------------------------------------------- # Alertmanager ALERTMANAGER_URL= ALERTMANAGER_BEARER_TOKEN= ALERTMANAGER_USERNAME= ALERTMANAGER_PASSWORD= # MongoDB MONGODB_CONNECTION_STRING= MONGODB_DATABASE= MONGODB_AUTH_SOURCE=admin MONGODB_TLS=true # Redis REDIS_HOST= REDIS_PORT=6379 REDIS_USERNAME= REDIS_PASSWORD= REDIS_DATABASE=0 REDIS_SSL=false # MongoDB Atlas MONGODB_ATLAS_PUBLIC_KEY= MONGODB_ATLAS_PRIVATE_KEY= MONGODB_ATLAS_PROJECT_ID= MONGODB_ATLAS_BASE_URL=https://cloud.mongodb.com/api/atlas/v2 # PostgreSQL POSTGRESQL_HOST= POSTGRESQL_PORT=5432 POSTGRESQL_DATABASE= POSTGRESQL_USERNAME=postgres POSTGRESQL_PASSWORD= POSTGRESQL_SSL_MODE=prefer # MySQL MYSQL_HOST= MYSQL_PORT=3306 MYSQL_DATABASE= MYSQL_USERNAME=root MYSQL_PASSWORD= MYSQL_SSL_MODE=preferred # MariaDB MARIADB_HOST= MARIADB_PORT=3306 MARIADB_DATABASE= MARIADB_USERNAME= MARIADB_PASSWORD= MARIADB_SSL=true # Dagster workflow orchestration DAGSTER_ENDPOINT= DAGSTER_API_TOKEN= # RabbitMQ management API RABBITMQ_HOST= RABBITMQ_MANAGEMENT_PORT=15672 RABBITMQ_USERNAME= RABBITMQ_PASSWORD= RABBITMQ_VHOST=/ RABBITMQ_SSL=false RABBITMQ_VERIFY_SSL=true # Better Stack Telemetry BETTERSTACK_QUERY_ENDPOINT= BETTERSTACK_USERNAME= BETTERSTACK_PASSWORD= BETTERSTACK_SOURCES= # Kafka KAFKA_BOOTSTRAP_SERVERS= KAFKA_SECURITY_PROTOCOL=PLAINTEXT KAFKA_SASL_MECHANISM= KAFKA_SASL_USERNAME= KAFKA_SASL_PASSWORD= # ClickHouse CLICKHOUSE_HOST= CLICKHOUSE_PORT=8123 CLICKHOUSE_DATABASE=default CLICKHOUSE_USER=default CLICKHOUSE_PASSWORD= CLICKHOUSE_SECURE=false # Bitbucket BITBUCKET_WORKSPACE= BITBUCKET_USERNAME= BITBUCKET_APP_PASSWORD= # GitLab GITLAB_BASE_URL=https://gitlab.com/api/v4 GITLAB_MR_WRITEBACK=false GITLAB_MR_IID= GITLAB_ACCESS_TOKEN= GITLAB_PROJECT_ID= GITLAB_REPO_URL= # Jira JIRA_BASE_URL= JIRA_EMAIL= JIRA_API_TOKEN= JIRA_PROJECT_KEY= # OpsGenie OPSGENIE_API_KEY= OPSGENIE_REGION=us # incident.io INCIDENT_IO_API_KEY= INCIDENT_IO_BASE_URL= # Splunk SPLUNK_URL= SPLUNK_TOKEN= SPLUNK_INDEX=main SPLUNK_VERIFY_SSL=true # Hermes HERMES_API_URL= HERMES_API_KEY= # OpenObserve OPENOBSERVE_URL= OPENOBSERVE_TOKEN= OPENOBSERVE_USERNAME= OPENOBSERVE_PASSWORD= OPENOBSERVE_ORG=default OPENOBSERVE_STREAM= OPENOBSERVE_MAX_RESULTS=100 # Azure Monitor (Log Analytics) AZURE_LOG_ANALYTICS_WORKSPACE_ID= AZURE_LOG_ANALYTICS_TOKEN= AZURE_TENANT_ID= AZURE_SUBSCRIPTION_ID= AZURE_MAX_RESULTS=100 # VictoriaLogs VICTORIA_LOGS_URL= VICTORIA_LOGS_TENANT_ID= # Vercel VERCEL_API_TOKEN= VERCEL_TEAM_ID= # PostHog (REST bounce-rate alerting) POSTHOG_PROJECT_ID= POSTHOG_PERSONAL_API_KEY= POSTHOG_BASE_URL=https://us.i.posthog.com POSTHOG_TIMEOUT_SECONDS=15.0 POSTHOG_BOUNCE_THRESHOLD=0.6 POSTHOG_BOUNCE_WINDOW=24h # PostHog MCP (analytics, feature flags, error tracking, HogQL via the hosted MCP server) POSTHOG_MCP_MODE=streamable-http POSTHOG_MCP_URL=https://mcp.posthog.com/mcp POSTHOG_MCP_AUTH_TOKEN= POSTHOG_MCP_ORGANIZATION_ID= POSTHOG_MCP_PROJECT_ID= POSTHOG_MCP_FEATURES= POSTHOG_MCP_READ_ONLY=true POSTHOG_MCP_COMMAND= POSTHOG_MCP_ARGS= # Sentry MCP (issues, events, traces, releases, Seer root-cause via the hosted MCP server) SENTRY_MCP_MODE=streamable-http SENTRY_MCP_URL=https://mcp.sentry.dev/mcp SENTRY_MCP_AUTH_TOKEN= SENTRY_MCP_HOST= SENTRY_MCP_ORGANIZATION_SLUG= SENTRY_MCP_PROJECT_SLUG= SENTRY_MCP_SKILLS= SENTRY_MCP_COMMAND= SENTRY_MCP_ARGS= # X (Twitter) MCP (post, search, timelines, likes via https://github.com/xdevplatform/xmcp) # XMCP runs locally by default; point X_MCP_URL at your own instance # (optionally tunneled) or launch it directly with X_MCP_COMMAND/X_MCP_ARGS. X_MCP_MODE=streamable-http X_MCP_URL=http://127.0.0.1:8000/mcp X_MCP_AUTH_TOKEN= X_MCP_COMMAND= X_MCP_ARGS= # X API bearer token forwarded to the local xmcp server (its own X API auth, # not the MCP transport auth above). X_BEARER_TOKEN= # Google Docs export GOOGLE_CREDENTIALS_FILE= GOOGLE_DRIVE_FOLDER_ID= # OpenClaw MCP OPENCLAW_MCP_MODE=stdio OPENCLAW_MCP_URL= OPENCLAW_MCP_COMMAND=openclaw OPENCLAW_MCP_ARGS=mcp serve OPENCLAW_MCP_AUTH_TOKEN= # Splunk SPLUNK_URL= SPLUNK_TOKEN= SPLUNK_INDEX=main SPLUNK_VERIFY_SSL=true # Hermes HERMES_API_URL= HERMES_API_KEY= # OpenObserve OPENOBSERVE_URL= OPENOBSERVE_TOKEN= OPENOBSERVE_USERNAME= OPENOBSERVE_PASSWORD= OPENOBSERVE_ORG=default OPENOBSERVE_STREAM= OPENOBSERVE_MAX_RESULTS=100 # Azure Monitor (Log Analytics) AZURE_LOG_ANALYTICS_WORKSPACE_ID= AZURE_LOG_ANALYTICS_TOKEN= AZURE_TENANT_ID= AZURE_SUBSCRIPTION_ID= AZURE_MAX_RESULTS=100 # VictoriaLogs VICTORIA_LOGS_URL= VICTORIA_LOGS_TENANT_ID= # Discord DISCORD_BOT_TOKEN= DISCORD_APPLICATION_ID= DISCORD_PUBLIC_KEY= DISCORD_DEFAULT_CHANNEL_ID= # Telegram TELEGRAM_BOT_TOKEN= TELEGRAM_DEFAULT_CHAT_ID= # WhatsApp (Twilio) TWILIO_ACCOUNT_SID= TWILIO_AUTH_TOKEN= TWILIO_WHATSAPP_FROM= WHATSAPP_DEFAULT_TO= # Twilio SMS — shares TWILIO_ACCOUNT_SID / TWILIO_AUTH_TOKEN from the block # above (do NOT re-declare them; dotenv keeps only the first occurrence). # Set either TWILIO_SMS_FROM (E.164 number) or TWILIO_SMS_MESSAGING_SERVICE_SID. TWILIO_SMS_FROM= # TWILIO_SMS_MESSAGING_SERVICE_SID= TWILIO_SMS_DEFAULT_TO= # --- Web app / hosted runtime only ----------------------------------------- # Required only when using the Tracer web app / hosted integration path. JWT_TOKEN= TRACER_API_URL= # Remote server API key for `opensre remote ...` and hosted agent access. OPENSRE_API_KEY= # --- Deployment / runtime --------------------------------------------------- # Required for hosted OpenSRE runtimes that need persistent storage. DATABASE_URI= REDIS_URI= ENV=development # Reversible masking before external LLM calls. Off by default. OPENSRE_MASK_ENABLED=false # Comma-separated kinds to mask. Empty = project defaults. OPENSRE_MASK_KINDS= # Example: '{"jira_key": "\\b[A-Z]+-\\d+\\b"}' OPENSRE_MASK_EXTRA_REGEX=