Backend (src/configs/settings.py)

Pydantic settings load from the environment. At a high level, operators configure:
AreaPurpose (conceptual)
Primary databaseConnection string and database identity for application state.
Vector / searchHost and access for embedding-backed retrieval, when used.
Model providersCredentials and feature flags for LLM-backed behavior.
Browser policyWhich web origins may call the API from the browser.
AuthenticationServer-side signing and validation settings (exact variables are defined in code and should not be copied into public runbooks with real values).
Exact variable names, defaults, and port numbers belong in private configuration docs or your secret manager—not in a public doc site.

Frontend (Next.js)

Public build-time variables supply the API base URL (and related non-secret flags) the browser needs. Values must match your deployed API hostname and TLS policy.

Secrets hygiene

Do not commit production credentials to any repository. Use secret managers or encrypted configuration for staging and production; restrict who can read integration secrets. See Docker and Production rollout for how these fit into deployment.