Public documentation for governed AI labor
SDKs/Governance/Connectors
Arx / Docs / Aptible Environment Configuration

Documentation

Aptible Environment Configuration

arxsec-app / APTIBLE_ENV_SETUP.md

arxsec-app repo-root APTIBLE_ENV_SETUP.md

Setting Runtime and Frontend Variables

The API requires production runtime secrets in Aptible. The GitHub Actions deploy workflow syncs these from GitHub Secrets before each API deploy so the container never boots with local-development defaults.

API Runtime Secrets

Set these in GitHub repository secrets:

`` ARXSEC_ENCRYPTION_KEY=<openssl rand -base64 48> DD_API_KEY=<datadog-api-key> ``

Optional region-specific overrides are also supported:

`` ARXSEC_ENCRYPTION_KEY_US=<us-specific-key> ARXSEC_ENCRYPTION_KEY_EU=<eu-specific-key> DD_API_KEY_US=<us-specific-datadog-key> DD_API_KEY_EU=<eu-specific-datadog-key> ``

ARXSEC_ENCRYPTION_KEY is mandatory for production and staging API deploys. Do not use dev-encryption-key-change-in-production; the API intentionally refuses to boot with that sentinel outside local development.

DD_API_KEY is optional while Datadog is being provisioned. Production will boot without it and log a warning. Set ARXSEC_REQUIRE_DATADOG=true once the Datadog API key is available if you want deploys to block when observability is misconfigured.

The frontend requires these environment variables to be set in Aptible for proper builds:

For Production (app.arxsec.io)

In Aptible dashboard, set these environment variables on the arx_frontend app:

`` NEXT_PUBLIC_SUPABASE_URL=https://arxsecdemo.supabase.co NEXT_PUBLIC_SUPABASE_ANON_KEY=<your-anon-key> NEXT_PUBLIC_API_URL=https://api.arxsec.io ``

How It Works

  1. Docker Build Time: When Aptible builds the Docker image:
  • Reads environment variables from Aptible config
  • Passes them as build arguments to Docker
  • Dockerfile converts ARGs to ENVs
  • Next.js build embeds them in JavaScript bundles
  1. Default Fallback: If NEXT_PUBLIC_API_URL is not set:
  • Dockerfile default: https://api.arxsec.io
  • api.ts fallback: https://api.arxsec.io
  • This ensures production always works
  1. No Hardcoding: Environment variables flow through the entire build pipeline:
  • GitHub Actions → Aptible → Docker Build → Next.js → Browser

To Update

  1. Push changes to main branch
  2. GitHub Actions automatically triggers
  3. Aptible detects new push and rebuilds with current environment variables
  4. New frontend deployed with correct configuration

Verification

Check browser console at app.arxsec.io:

  • API calls should go to https://api.arxsec.io/v1/...
  • No 404 errors with malformed URLs