Configuration
Runtime settings resolve DB override → environment → default. A saved value is stored in the database and takes precedence over the environment. Settings marked env only are read at startup and shown for reference (secrets masked); change them via the environment and restart.
| Setting | Description | Source | Needs restart | Value | Env only |
|---|---|---|---|---|---|
| `KE_WORKER_MEM_BUDGET` | Memory-aware admission budget: 'auto', a fraction in (0,1), or absolute bytes. Unset = off. | env | | | |
| `KE_GC_DELETED_RETENTION_MS` | How long (ms) a soft-deleted object survives before `ke gc --force` hard-deletes it. 0 = immediately. | default | | | |
| `KE_LOG_LEVEL` | Structured log level. | env | | | |
| `KE_MCP_MODE` | MCP tool surface mounted at /mcp. | env | yes | | |
| `KE_WORKER_CONCURRENCY` | Extractors run in parallel per worker (sizes the pool at startup; applies on worker restart). | env | yes | | |
| `DATABASE_URL` | Postgres connection string (password masked). | env | yes | `postgres://ke_simple:***@postgres:5432/ke_simple` | yes |
| `KE_DB_SSL` | Postgres TLS mode: 'require', 'prefer', or unset (off). | default | yes | — | yes |
| `KE_STORAGE_BACKEND` | Blob storage backend: 'local' or 's3'. | env | yes | `s3` | yes |
| `KE_S3_BUCKET` | S3 bucket holding all blobs (required when KE_STORAGE_BACKEND=s3). | env | yes | `ke-malware` | yes |
| `KE_S3_ENDPOINT` | S3 endpoint URL (required for MinIO/R2; omit for AWS). | env | yes | `https://fsn1.your-objectstorage.com` | yes |
| `KE_S3_REGION` | S3 region. | env | yes | `eu-central` | yes |
| `KE_S3_ACCESS_KEY_ID` | S3 access key id. | env | yes | `S4CLD4IMQGXD9QGKDPI7` | yes |
| `KE_S3_SECRET_ACCESS_KEY` | S3 secret access key. | env | yes | •••••••• | yes |
| `KE_S3_SESSION_TOKEN` | S3 temporary session token (STS). | default | yes | — | yes |
| `KE_API_HOST` | Bind address for the REST API / web UI. | env | yes | `0.0.0.0` | yes |
| `KE_API_PORT` | Listen port for the REST API / web UI. | env | yes | `3000` | yes |
| `KE_GITEA_URL` | Gitea instance base URL (hosted git repos). Unset defaults to the bundled dev Gitea (http://localhost:3010); set empty to disable. | env | yes | `http://gitea:3000` | yes |
| `KE_GITEA_TOKEN` | Gitea API admin token. | env | yes | •••••••• | yes |
| `KE_GITEA_USER` | Default owner for Gitea repos created by KE. | env | yes | `keadmin` | yes |
| `KE_GITEA_WEBHOOK_SECRET` | HMAC-SHA256 secret for verifying Gitea webhook deliveries. | db | yes | •••••••• | yes |
| `KE_WEBHOOK_HOST` | How the Gitea container reaches KE; used to derive KE_WEBHOOK_URL (default host.docker.internal). | env | yes | `ke` | yes |
| `KE_WEBHOOK_URL` | Gitea push-webhook target. Auto-derived from KE_WEBHOOK_HOST + KE_API_PORT when unset. | default | yes | — | yes |
| `IDA_PATH` | Path to the IDA headless executable (idat). Auto-discovered when unset. | env | yes | `/app/.ida/idat` | yes |
| `KE_GIT_IDA_PATH` | Path to the git-ida executable (IDBREP materialization). Auto-resolved when unset. | default | yes | — | yes |
| `KE_IDA_PYTHONPATH` | Extra PYTHONPATH entries for IDA-Python extractors (path-list). | default | yes | — | yes |
| `KEP_ML_SERVER_URL_PREFIX` | Base URL of the ML embedding service used by kep-ml (e.g. https://host/v1). Unset disables kep-ml extraction. | default | yes | — | yes |
| `KEP_ML_API_KEY` | Bearer token for the kep-ml embedding service (optional). | default | yes | — | yes |
| `KEP_ML_BATCH_SIZE` | Number of function pseudocode inputs kep-ml sends per embed request. | default | yes | `4` | yes |