Env config viewer
Outcome
A platform admin can confirm the env vars in effect on the running rcm-core instance, with a hard-redaction policy on secret-shaped keys — without shell access.
Prerequisites
PLATFORM_ADMINorPLATFORM_SUPPORT(gated byrequirePlatformAuth()).
Surface
| Element | Where |
|---|---|
| Page | /platform/env-config |
| Endpoint | GET /platform/env-config returns { generatedAt, nodeEnv, nodeVersion, processUptimeSec, entries } where each entry is { key, group, description, isSecret, isSet, isDefault, value, defaultValue }. |
| Catalog source | apps/rcm-core/src/gateway/routes/env-config-catalog.ts — authoritative allowlist of env vars consumed by apps/rcm-core/src/config.ts. |
Redaction policy
The redactEnvValue helper in
apps/rcm-core/src/gateway/routes/env-config-report.ts is the single
point of truth:
| Entry kind | value on the wire |
|---|---|
Secret (isSecret=true) | Always null, regardless of whether the var is set or falls back to default. Even baked-in dev defaults (e.g. JWT_SECRET fallback) are masked. |
| Non-secret | Raw string from process.env[key] when set, otherwise the catalog default. |
defaultValue | Always passed through (catalog defaults are repo-public). |
The integration test
tests/integration-pg/src/ui28-platform-env-config.int.test.ts asserts
that the seeded plaintext secret never appears anywhere in the
response — keep this assertion in place if the catalog surface evolves.
When to use
| Scenario | What you do |
|---|---|
| Confirming a deploy | "Did the new DASHBOARD_EMAIL_INTERVAL_MS actually land?" — the page shows source = env vs default. An unset override surfaces as default. |
| Outage triage | Quick check that KEY_VAULT_MODE, AZURE_SERVICE_BUS_CONNECTION_STRING, or INGESTION_JOBS_ENABLED are configured the way the runbook expects, without container shell access. |
| Onboarding | Operators without direct K8s/ACA access can still sanity-check what's wired up. |
Adding a new env var
Add a row to
ENV_CONFIG_CATALOGwith the rightgroup,defaultValue,description, and an honestisSecretflag.Run the catalog test:
npx vitest run apps/rcm-core/src/gateway/routes/env-config-report.test.tsThe test guards against duplicate keys and naively non-redacted "secret-shaped" names.
Restart the running rcm-core process. The viewer reflects
process.envsnapshot at request time, so changes take effect on the next refresh.
What's out of scope
- Runtime-editable feature flags. The viewer is read-only by design. A flag-service item would be a separate scoped roadmap row.
- edi-gateway env visibility. This page reports the running rcm-core
process only. Confirm edi-gateway via its own
/healthendpoint or container env inspection. - Diff vs previous deploy. Would require persisting a startup snapshot — out of scope.
Validation
| Check | Expected |
|---|---|
| Secret entries on the wire | value: null regardless of isSet |
| Non-secret entry under fallback default | value reflects catalog default |
| Catalog test | Green |
| Adding a new env var without catalog row | Visible in process.env but not in the page (intentional gating) |
Cross-references
- Distributed tracing & alert response for log/trace IDs.
- Deployability + DR drill for how Bicep binds env values from Key Vault.
- PHI encryption at rest — uses several of the cataloged env vars.
Next
End of the runbook — return to the Operations overview.