Configuration (`.env`)

All TaTi infrastructure (Postgres, app, MCP bridges) is driven by environment variables. The repo’s .env.example is the source of truth: it is commented line by line. Copy it to .env and customize.

Never commit .env

Slack, GitHub, OpenMetadata, cloud keys, etc. must stay out of Git and screenshots.

Basics

One line per key: if you duplicate a variable, only the last wins (standard .env parsers).
Docker / host consistency: DATABASE_URL for the app must point to the correct host (postgres in Compose, localhost if the app runs on the host outside Compose).
NODE_ENV: usually development in the repo Compose; production images follow the project Dockerfile.

PostgreSQL (app data)

Variable	Description
`POSTGRES_USER`	User created in the Postgres container.
`POSTGRES_PASSWORD`	Password — change outside dev.
`POSTGRES_DB`	TaTi application database name.
`POSTGRES_PORT`	Port exposed on the host if you map Postgres (avoid public exposure).
`DATABASE_URL`	Full string consumed by the SSR server (`postgres://user:pass@host:port/db`).

Application auth

Variable	Description
`TATI_AUTH_REQUIRED`	`true` to require login before the UI (recommended outside a personal sandbox).
`TATI_SESSION_TTL_HOURS`	Session lifetime in hours (`12` by default).

These are also passed to the app service in Compose files to avoid drift from a misread .env.

GHCR images (`docker-compose.dist.yml` mode)

Variable	Description
`TATI_IMAGE_REGISTRY`	Image prefix (`ghcr.io/<owner>` lower-case for GitHub).
`TATI_IMAGE_TAG`	Image tag (semver release or `latest`).
`APP_PORT`	Port where you reach the UI.

Optional: mounted paths for some MCPs (e.g. filesystem in dist mode).

OpenMetadata

Variable	Description
`OPENMETADATA_URL`	OpenMetadata API URL reachable from the MCP container (`host.docker.internal` on Docker Desktop if OM runs on the host).
`OPENMETADATA_JWT`	OM API token.
`OPENMETADATA_ALLOW_MUTATIONS`	Allow writes to OM or not.
`OPENMETADATA_WRITE_CONFIRM_TOKEN`	Expected value to confirm sensitive write tools.

MCP Postgres (SQL for the model)

Variable	Description
`MCP_POSTGRES_DATABASE_URL`	Database the bridge runs SQL against (often same as TaTi or a business DB).
`MCP_POSTGRES_PORT`	Bridge HTTP port on the host.
`MCP_POSTGRES_READ_ONLY`	`true` to restrict to reads (SELECT / introspection).

Messaging & files

Slack, Discord, PDF, Notion, filesystem: see MCP_SLACK_*, MCP_DISCORD_*, MCP_PDF_*, MCP_NOTION_TOKEN, MCP_FILESYSTEM_* in .env.example. Default ports are listed in MCP connectors.

Cloud & observability

Main groups in .env.example:

AWS — AWS_REGION, credentials or AWS_PROFILE.
Azure — Service Principal or AZURE_ACCESS_TOKEN.
GCP — GCP_PROJECT_ID, service account JSON.
Email SMTP — SMTP_*, allowlisted recipients.
Dagster — Dagster GraphQL URL, API token, DAGSTER_ALLOW_MUTATIONS.
Apache Airflow — AIRFLOW_BASE_URL, credentials or AIRFLOW_API_TOKEN, AIRFLOW_ALLOW_MUTATIONS, AIRFLOW_SSL_VERIFY.
dbt Cloud — DBT_CLOUD_DISCOVERY_URL, DBT_CLOUD_TOKEN, DBT_CLOUD_ENVIRONMENT_ID, DBT_SSL_VERIFY.
dbt Core (CLI bridge) — DBT_CORE_HOST_PROJECT, DBT_CORE_PROJECT_DIR, DBT_PROFILES_DIR, DBT_CORE_TARGET, DBT_ALLOW_MUTATIONS.
Elasticsearch — cluster URL, API key or login/password.
Grafana / Prometheus — monitoring stack URL + tokens if needed.
Datadog — Datadog MCP URL + API / application keys (often as headers in TaTi UI).
Atlassian / Jira + Confluence — https://mcp.atlassian.com/v1/mcp + OAuth 2.1 access token as Authorization: Bearer … header.
monday.com — https://mcp.monday.com/mcp + OAuth access token as Authorization: Bearer … header (optional Api-Version header).
Linear — https://mcp.linear.app/mcp + OAuth 2.1 access token as Authorization: Bearer … header.
Metabase — https://<your-metabase>/api/mcp + OAuth 2.0 access token as Authorization: Bearer … header; check MB_SITE_URL in Metabase.
Tableau — mcp-tableau service (MCP_TABLEAU_PORT=8024); TaTi URL http://mcp-tableau:3927/tableau-mcp; vars TABLEAU_SERVER_URL, TABLEAU_SITE_NAME, TABLEAU_PAT_NAME, TABLEAU_PAT_VALUE (or OAuth via TABLEAU_MCP_OAUTH_ISSUER).
Zendesk — ZENDESK_SUBDOMAIN, ZENDESK_EMAIL, ZENDESK_API_KEY, MCP_ZENDESK_PORT for the local mcp-zendesk bridge.
ServiceNow — SERVICENOW_INSTANCE_URL, SERVICENOW_USERNAME, SERVICENOW_PASSWORD or SERVICENOW_TOKEN / OAuth, MCP_SERVICENOW_PORT for the local mcp-servicenow bridge.
Brevo — https://mcp.brevo.com/v1/brevo/mcp + MCP token as Authorization: Bearer … header (Settings → MCP servers).
HubSpot — https://mcp.hubspot.com/ + HubSpot OAuth access token as Authorization: Bearer … header (OAuth PKCE required).
MuleSoft — ANYPOINT_CLIENT_ID, ANYPOINT_CLIENT_SECRET, ANYPOINT_REGION, MCP_MULESOFT_PORT for the local mcp-mulesoft bridge.
Salesforce — MCP_SALESFORCE_MCP_URL, SALESFORCE_OAUTH_CLIENT_ID, and OAuth access token as Authorization: Bearer … header (scope mcp_api).

Git forge

Variable	Description
`MCP_GITHUB_TOKEN` / `MCP_GITLAB_TOKEN`	API access with minimal scope.
`MCP_GITLAB_URL`	GitLab instance (cloud or self-hosted).
`MCP_WRITE_CONFIRM_TOKEN`	String write tools may require to prevent accidents.
`MCP_GITHUB_MCP_URL` / `MCP_GITLAB_MCP_URL`	Optional if your setup still references an explicit URL.

Google Workspace (remote MCP)

Variable	Description
`MCP_GMAIL_MCP_URL` / `MCP_GOOGLE_CALENDAR_MCP_URL`	Official Google MCP endpoints.
`GOOGLE_CLOUD_PROJECT_ID`	GCP project where APIs are enabled.
`GOOGLE_OAUTH_CLIENT_ID` / `SECRET`	OAuth flow for tooling.
`GOOGLE_OAUTH_ACCESS_TOKEN`	Bearer for tests or header-based integrations.

Moodle

MCP_MOODLE_MCP_URL and MCP_MOODLE_TOKEN — plugin endpoint URL and Moodle external service token.

When you’re stuck

Compare your .env with .env.example from the same release tag as your images.
Check MCP logs: docker compose logs mcp-<name>.
Re-read the dedicated section in MCP connectors.

Configuration (.env) ​

Basics ​

PostgreSQL (app data) ​

Application auth ​

GHCR images (docker-compose.dist.yml mode) ​

OpenMetadata ​

MCP Postgres (SQL for the model) ​

Messaging & files ​

Cloud & observability ​

Git forge ​

Google Workspace (remote MCP) ​

Moodle ​

When you’re stuck ​