Generated by bpfcompat env --markdown. Do not edit by hand.
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_AGENT_IDENTITY_TOKEN |
(unset) | Optional identity JWT sent as X-API-Identity-Token by bpfcompat agent plan/apply when --identity-token is omitted. |
BPFCOMPAT_AGENT_LAST_RESULT_PATH |
(unset) | Default path read by bpfcompat agent status when --path is omitted. |
BPFCOMPAT_AGENT_LOAD_POLICY_PATH |
(unset) | Default local load-policy file used by bpfcompat agent apply --approve-load when --load-policy is omitted. |
BPFCOMPAT_AGENT_REGISTRY_TOKEN |
(unset) | Default registry bearer token used by bpfcompat agent plan/apply when --registry-token is omitted. |
BPFCOMPAT_AGENT_REQUIRE_LOAD_POLICY |
true | Require a local load policy before bpfcompat agent apply --approve-load. Disable only in controlled labs. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_FETCH_ALLOW_FILE_URI |
false | Allow file:// artifact URIs. Off by default; enable only for trusted on-host caches. |
BPFCOMPAT_FETCH_ALLOW_INTERNAL_HOSTS |
false | Allow fetches that resolve to RFC1918 / loopback / link-local / cloud-metadata IPs. Off by default to block SSRF. |
BPFCOMPAT_FETCH_MAX_BYTES |
134217728 | Maximum HTTP artifact download size (bytes). Default 128 MiB. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_API_ALLOW_ANONYMOUS_READ |
false | Allow unauthenticated reads of /api/v1/history/*, runtime probe, runtime decisions. Off by default. |
BPFCOMPAT_API_ALLOW_ANONYMOUS_RUNTIME_DELIVERY |
false | Allow unauthenticated /api/v1/runtime/select and /api/v1/runtime/fetch for public demos. Does not enable compare, registry writes, or runtime execute. |
BPFCOMPAT_API_ALLOW_ANONYMOUS_VALIDATE |
false | Allow unauthenticated calls to /api/v1/validate (also implies anonymous read of /api/v1/validate/status). |
BPFCOMPAT_API_ALLOW_ANONYMOUS_WRITE |
false | Allow unauthenticated calls to every write endpoint. Use only for local dev. |
BPFCOMPAT_API_MTLS_IDENTITY_MAP_PATH |
(unset) | JSON file mapping verified mTLS client certificates to explicit API identities, tenants, projects, scopes, and roles. Required before mTLS can authenticate API requests. |
BPFCOMPAT_API_REGISTRY_REQUIRE_IDENTITY |
false | When true, every /api/v1/registry/* call must carry an identity JWT. |
BPFCOMPAT_API_WRITE_JWT_AUDIENCE |
(unset) | Expected 'aud' claim. |
BPFCOMPAT_API_WRITE_JWT_HS256_SECRET |
(unset) | Shared HS256 secret used to verify identity JWTs. Mutually exclusive with JWKS_URL/JWKS_PATH. |
BPFCOMPAT_API_WRITE_JWT_ISSUER |
(unset) | Expected 'iss' claim. When set, tokens with a mismatching issuer are rejected. |
BPFCOMPAT_API_WRITE_JWT_JWKS_CACHE_TTL |
5m | How long to cache the JWKS document before refreshing. |
BPFCOMPAT_API_WRITE_JWT_JWKS_HTTP_TIMEOUT |
5s | Per-request HTTP timeout when fetching JWKS/OIDC documents. |
BPFCOMPAT_API_WRITE_JWT_JWKS_PATH |
(unset) | Filesystem path to a JWKS document (alternative to JWKS_URL). |
BPFCOMPAT_API_WRITE_JWT_JWKS_URL |
(unset) | HTTPS URL serving a JWKS document. http:// is rejected. |
BPFCOMPAT_API_WRITE_JWT_OIDC_DISCOVERY_CACHE_TTL |
10m | TTL on the OIDC discovery (jwks_uri) cache entry. |
BPFCOMPAT_API_WRITE_JWT_OIDC_ISSUER_URL |
(unset) | OIDC issuer URL; the discovery document is fetched to resolve jwks_uri. https:// only. |
BPFCOMPAT_API_WRITE_JWT_REQUIRED_ROLES |
(unset) | Roles every JWT must carry. |
BPFCOMPAT_API_WRITE_JWT_REQUIRED_SCOPES |
(unset) | Space- or comma-separated scopes that every JWT must carry. |
BPFCOMPAT_API_WRITE_KEY |
(unset) | Pre-shared API key required by write endpoints when JWT identity is not configured. Compare is constant-time. |
BPFCOMPAT_API_WRITE_REQUIRE_IDENTITY |
false | When true, write endpoints require a valid X-API-Identity-Token JWT (API key alone is rejected). |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_REGISTRY_AUDIT_MAX_BYTES |
67108864 | Active audit-log size before rotation (bytes). 0 disables rotation. |
BPFCOMPAT_REGISTRY_AUDIT_MAX_FILES |
10 | Max rotated audit-log files retained (active file is additional). |
BPFCOMPAT_REGISTRY_AUTH_TOKEN |
(unset) | Bootstrap superuser token. Use only for initial setup; rotate to per-tenant grants ASAP. |
BPFCOMPAT_REGISTRY_AUTH_TOKEN_EXPIRES_AT |
(unset) | Optional RFC3339 expiration timestamp for the bootstrap superuser token. |
BPFCOMPAT_REGISTRY_AUTH_TOKEN_NOT_BEFORE |
(unset) | Optional RFC3339 not-before timestamp for the bootstrap superuser token. |
BPFCOMPAT_REGISTRY_MAX_ARTIFACT_BYTES |
(unset) | Per-artifact upload size cap. |
BPFCOMPAT_REGISTRY_MAX_ARTIFACT_VERSIONS_PER_NAME |
(unset) | Max retained versions per artifact name. 0 disables. |
BPFCOMPAT_REGISTRY_MAX_PROJECT_STORAGE_BYTES |
(unset) | Total bytes stored across all artifacts in a project. |
BPFCOMPAT_REGISTRY_RATE_LIMIT_MAX_REQUESTS |
120 | Max requests per (subject, tenant, project, action) window. 0 disables rate limiting. |
BPFCOMPAT_REGISTRY_RATE_LIMIT_WINDOW_SECONDS |
60 | Rate-limit window length in seconds. |
BPFCOMPAT_RUNTIME_DECISIONS_MAX_BYTES |
67108864 | runtime_decisions.jsonl rotation cap. |
BPFCOMPAT_RUNTIME_DECISIONS_MAX_FILES |
10 | runtime_decisions retention. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_API_AUTO_SYNC_PROJECT |
(unset) | Project for auto-sync. |
BPFCOMPAT_API_AUTO_SYNC_PROJECT_VISIBILITY |
private | Visibility applied when auto-sync creates the project: private | public. |
BPFCOMPAT_API_AUTO_SYNC_REGISTRY |
false | Auto-publish completed validate runs into the cloud registry. Requires AUTO_SYNC_TENANT/PROJECT. |
BPFCOMPAT_API_AUTO_SYNC_TENANT |
(unset) | Tenant for auto-sync. |
BPFCOMPAT_API_CLIENT_CA_PATH |
(unset) | When set, enables mutual TLS. File must contain PEM-encoded CA certs; every client must present a chain that verifies against this pool. Requires TLSCertPath/TLSKeyPath. Verified client cert CN is accepted as identity (AuthType="mtls"). |
BPFCOMPAT_API_ENABLE_METRICS |
false | Expose /metrics (Prometheus) gated by read auth. |
BPFCOMPAT_API_ENABLE_PPROF |
false | Expose /debug/pprof/* runtime profiles gated by real API-key/JWT auth. Anonymous demo modes never open pprof. Off by default; exposes goroutine stacks and heap addresses when on. |
BPFCOMPAT_API_MAX_ACTIVE_VALIDATE_JOBS |
2 | Maximum concurrent VM-backed validate jobs. Hard cap is 64. |
BPFCOMPAT_API_MAX_QUEUED_VALIDATE_JOBS |
20 | Maximum queued validate jobs. Beyond this, /api/v1/validate/start returns 429. |
BPFCOMPAT_API_MAX_VALIDATE_CONCURRENCY |
8 | Per-job profile concurrency cap. |
BPFCOMPAT_API_MAX_VALIDATE_PROFILES |
32 | Maximum profile selections per request. |
BPFCOMPAT_API_MAX_VALIDATE_TIMEOUT |
15m | Upper bound on the per-job timeout parameter. |
BPFCOMPAT_API_SHUTDOWN_DRAIN_TIMEOUT |
10m | Maximum wait for in-flight validate jobs during graceful shutdown. |
BPFCOMPAT_API_SOURCE_COMPILE_ALLOW_EXTRA_FLAGS |
false | Allow per-request extra -D/-U flags to clang. Off by default. |
BPFCOMPAT_API_SOURCE_COMPILE_TIMEOUT |
30s | clang timeout when compiling source uploads. |
BPFCOMPAT_API_TRUSTED_PROXIES |
(unset) | Comma-separated CIDRs of trusted upstream proxies. Only requests from these peers have X-Forwarded-For honored. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_LOG_FORMAT |
json | slog handler format: 'json' (default) for log shippers, 'text' for local dev. |
BPFCOMPAT_LOG_LEVEL |
info | slog level filter: debug | info | warn | error. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_API_ENABLE_RUNTIME_EXECUTE |
false | Master switch for the host-load endpoint. Off by default; never enable on a multi-tenant host. |
BPFCOMPAT_API_REDACT_RUNTIME_DETAILS |
true | Redact filesystem paths in success and error responses. Disable only when debugging. |
BPFCOMPAT_API_RUNTIME_EXECUTE_APPROVAL_TOKEN |
(unset) | Required value for the X-Execute-Approval-Token header. Constant-time compared. |
BPFCOMPAT_API_RUNTIME_EXECUTE_JWT_REQUIRED_ROLES |
(unset) | Additional JWT roles required specifically for /api/v1/runtime/execute. |
BPFCOMPAT_API_RUNTIME_EXECUTE_JWT_REQUIRED_SCOPES |
(unset) | Additional space- or comma-separated JWT scopes required specifically for /api/v1/runtime/execute. |
BPFCOMPAT_API_RUNTIME_EXECUTE_KILL_SWITCH |
false | Emergency: when true, every /api/v1/runtime/execute call returns 503. Leaves the endpoint registered for audit. |
BPFCOMPAT_API_RUNTIME_EXECUTE_POLICY_PATH |
(unset) | Path to a YAML policy file evaluated before each execute. See docs/runtime-execute-policy.md. |
BPFCOMPAT_API_RUNTIME_EXECUTE_REQUIRE_POLICY |
false | Refuse runtime execute if no policy is configured (defense in depth). |
BPFCOMPAT_API_RUNTIME_EXECUTE_REQUIRE_WORKER_IDENTITY |
false | Refuse runtime execute if WORKER_USER is unset. |
BPFCOMPAT_API_RUNTIME_EXECUTE_WORKER_BINARY |
(unset) | Absolute path to the bpfcompat binary used as the worker. Defaults to os.Executable(). |
BPFCOMPAT_API_RUNTIME_EXECUTE_WORKER_USER |
(unset) | OS username to run the worker as via sudo -u. Leave empty to run as the API process user. |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_SIGNING_EXTERNAL_ARGS |
(unset) | Whitespace-split extra args for the external signer. |
BPFCOMPAT_SIGNING_EXTERNAL_CMD |
(unset) | Command to invoke for external signing. Stdin = canonical payload; stdout = signature envelope JSON. |
BPFCOMPAT_SIGNING_MODE |
local | Where the registry signing key lives: 'local' (default, on disk) or 'external-cmd'. |
BPFCOMPAT_TRUSTED_SIGNING_KEYS_PATH |
(unset) | Path to a keyring file (one trusted key per line). |
BPFCOMPAT_TRUSTED_SIGNING_PUBLIC_KEYS |
(unset) | Inline trusted public keys (kid:base64, comma-separated). |
| Variable | Default | Description |
|---|---|---|
BPFCOMPAT_VALIDATOR_BIN |
(unset) | Absolute path to the C validator binary; wins over the /usr/libexec search path. |
BPFCOMPAT_VALIDATOR_SHA256 |
(unset) | Expected SHA-256 of the validator binary. When set, mismatched binaries are refused before exec. |