Skip to main content

Configuration Reference

Merlon is configured with environment variables. Copy .env.example to .env for local development; do not use its credentials or secrets in production.

Environment variables

VariableDefaultProduction guidance
MERLON_ENVdevelopmentSet to production. Production Engine connections require TLS.
MERLON_HTTP_ADDR:8080Bind behind a TLS-terminating reverse proxy.
MERLON_DATABASE_URLunsetUse TLS (sslmode=require or stronger) and a least-privilege application role.
MERLON_ENGINE_ADDRunsetKeep the gRPC endpoint on an internal network.
MERLON_ENGINE_TLS_CERTunsetRequired when MERLON_ENV=production and MERLON_ENGINE_ADDR is set. It is the CA certificate used to verify the Engine.
MERLON_ENGINE_TLS_SERVER_NAMEunsetSet the expected Engine TLS server name when it differs from the address host.
MERLON_ENCRYPTION_KEY_RINGunsetRequired for production PII protection. Use the documented key-ring format accepted by merlon-keyrotate; loss of every referenced key makes historical encrypted values unrecoverable. Back up keys through a protected KMS or secret manager.
MERLON_JWT_PRIVATE_KEY_FILE / MERLON_JWT_PUBLIC_KEY_FILEunsetUse an RS256 key pair for local-user authentication.
MERLON_JWT_SECRETunsetDevelopment fallback only. Do not set in production when using local-user authentication.
MERLON_BOOTSTRAP_TOKENunsetOne-time setup secret. Rotate or remove immediately after the first administrator/API key is created.
MERLON_POSTGRES_PASSWORDunsetCompose-only development password. Use a secret manager in production.
MERLON_AUTH_ENABLEDfalseMust be true in production.
MERLON_SEEDfalseDevelopment/demo data only; must be false in production.
MERLON_CONFIG_PATHconfig.yamlPath to application configuration.
MERLON_CACHE_BACKENDmemorySelect the configured cache backend.
MERLON_EVENT_BUSpg_notifyEvent bus driver used with PostgreSQL.
MERLON_RATE_LIMIT0Requests per window; 0 disables the limiter.
MERLON_ADAPTER_CONFIG_PATHunsetPath to an operator-managed adapter configuration.
MERLON_UI_DIRunsetOptional directory containing the built UI.
MERLON_SCREENING_IMPORT_ENABLEDfalseEnable external sanctions-list imports only with approved endpoints.
MERLON_SCREENING_RESCREEN_ENABLEDfalseEnable periodic customer rescreening.
MERLON_SCREENING_IMPORT_INTERVAL24hScreening-list import interval.
MERLON_SCREENING_CHECK_INTERVAL1hRescreening interval.
MERLON_SCREENING_OFAC_URL / MERLON_SCREENING_EU_URLunsetApproved OFAC/EU list endpoints.
MERLON_SCREENING_UN_URL / MERLON_SCREENING_MOF_URLunsetApproved UN/MOF list endpoints.
MERLON_SCREENING_PEP_URLunsetApproved PEP provider endpoint.
MERLON_SMTP_HOST / MERLON_SMTP_PORTunset / 587SMTP endpoint for notifications; configure TLS and credentials.
MERLON_SMTP_USERNAME / MERLON_SMTP_PASSWORDunsetSMTP credentials; use a secret manager.
MERLON_SMTP_FROM / MERLON_SMTP_TOunsetNotification sender and comma-separated recipients.
MERLON_SMTP_USE_TLSfalseEnable TLS for SMTP.
MERLON_NOTIFY_ROUTING_PATHunsetOptional notification routing YAML path.
MERLON_PUBLIC_URLunsetPublic base URL used in notification links.
MERLON_WHITELIST_MAX_VALID_DAYS365Maximum whitelist validity period.
MERLON_EDD_STAGE2_DAYS / MERLON_EDD_STAGE3_DAYS60 / 90EDD escalation thresholds.
MERLON_TM_SCENARIOS_PATHtm_scenariosStore the directory in controlled source management. Runtime digests identify loaded content but do not authorize changes.
MERLON_TM_BATCH_SCHEDULE02:00Daily HH:MM time for transaction-monitoring batch evaluation.
MERLON_TM_BATCH_TIMEZONElocal timezoneSet an IANA timezone explicitly in production.
MERLON_LOG_LEVELinfoKeep info or stricter; do not use debug logging for sensitive workloads.

The Engine also loads CDD weights and screening content from operator-supplied paths. Those files are outside the database audit trail. Control them through source control, change approval, access control, backup, and deployment procedures. See ADR-0012.

Encryption key rotation

merlon-keyrotate accepts --key-ring-env (default MERLON_ENCRYPTION_KEY_RING) to select the environment variable containing the key-ring specification. Introduce a new active key while retaining old keys needed to decrypt existing data, deploy the updated ring, complete the migration, and only then retire the old key. Test restoration of both the application database and key material before relying on a backup.

Operational thresholds

Sample TM and screening rules are examples, not production defaults. Choose thresholds from the deploying organization's risk assessment, test the change, and approve it through its rule-governance process. In particular, lowering a screening match threshold increases false positives; raising it increases missed-match risk. Under the fail-alert principle, resolve uncertainty toward additional review rather than suppressed alerts.