Environment variables, secrets, organisation and roles, API keys.
```
# ─── Licensing (required) ────────────────────────────────────
LICENSE_KEY=your-license-key-here

# ─── Application ─────────────────────────────────────────────
APP_PORT=8080
PUBLIC_URL=https://tprm.example.com
TRUSTED_PROXY=127.0.0.1
SESSION_SECRET=CHANGE_ME_random_64_chars

# ─── MySQL (business data) ───────────────────────────────────
DB_HOST=mysql
DB_PORT=3306
DB_USERNAME=mlab_web
DB_PASSWORD=CHANGE_ME_mysql_password
DB_ROOT_PASSWORD=CHANGE_ME_mysql_root_password

# ─── ClickHouse (analytics / activity) ───────────────────────
CH_HOST=clickhouse
CH_USERNAME=default
CH_PASSWORD=CHANGE_ME_clickhouse_password
```
| Variable | Required | Default | Description |
|---|---|---|---|
| LICENSE_KEY | Yes | — | Your tprm.mlab.sh license token (free or licensed). |
| APP_PORT | No | 8080 | Port the app container exposes. |
| PUBLIC_URL | Recommended | http://localhost:8080 | External URL used for links and report references. |
| TRUSTED_PROXY | If behind reverse proxy | — | IP of the proxy. Honors X-Forwarded-*. |
| SESSION_SECRET | Yes | — | Random 64+ chars. Used to sign session cookies. |
| DB_HOST / DB_PORT | Yes | mysql / 3306 | MySQL host and port. |
| DB_USERNAME / DB_PASSWORD | Yes | — | MySQL credentials. |
| DB_ROOT_PASSWORD | Yes | — | MySQL root (used at first init only). |
| CH_HOST | Yes | clickhouse | ClickHouse host. |
| CH_USERNAME / CH_PASSWORD | Yes | — | ClickHouse credentials. |
.env. Add it to your .gitignore. Rotate SESSION_SECRET and all DB passwords if they ever leak.
```
openssl rand -hex 32   # session secret / DB passwords
```
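Added example (not part of the product's documentation or tooling): a pre-start check that reads `.env` as text and flags required variables that are missing, still hold a template placeholder, or carry a `SESSION_SECRET` shorter than 64 characters. The function names and finding labels are assumptions of this example, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: lint a .env file before first start. Values are read as text,
# never sourced, so nothing in the file is executed.

# Variables the table marks Required = Yes and that have no default.
REQUIRED="LICENSE_KEY SESSION_SECRET DB_USERNAME DB_PASSWORD DB_ROOT_PASSWORD CH_USERNAME CH_PASSWORD"

# env_get FILE KEY: print the value of the last KEY=... line, CR stripped.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# check_env FILE: print one finding per line; return 1 if there is any.
check_env() {
    file=$1
    bad=0
    for key in $REQUIRED; do
        val=$(env_get "$file" "$key")
        case "$val" in
            "")
                echo "MISSING $key"; bad=1 ;;
            *CHANGE_ME*|your-license-key-here)
                echo "PLACEHOLDER $key"; bad=1 ;;
            *)
                # The page asks for 64+ characters; openssl rand -hex 32 gives 64.
                if [ "$key" = SESSION_SECRET ] && [ "${#val}" -lt 64 ]; then
                    echo "SHORT $key (${#val} chars, need 64+)"; bad=1
                fi ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the template above with only some values replaced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LICENSE_KEY=your-license-key-here
SESSION_SECRET=0123456789abcdef0123456789abcdef
DB_USERNAME=mlab_web
DB_PASSWORD=CHANGE_ME_mysql_password
CH_USERNAME=default
CH_PASSWORD=constructed-sample-password
EOF

check_env "$sample" || echo "refusing to start: fix the findings above"
rm -f "$sample"
```

Run against the constructed sample, it reports two placeholders, one short secret and one missing variable.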
Sign in on mlab.sh, then visit Organization > TPRM. A free token is created for you automatically. Paste it into LICENSE_KEY. See Licensing for how validation works.
Access control is based on a 12-bit permission model. Manage members under /orga/team and roles under /orga/roles. The permission bits are:
| Permission | Grants |
|---|---|
| Admin | Super-user (full access, implicit). |
| Email verified | Confirmed email account. |
| Manage team | Invite / remove users, manage roles. |
| Manage providers | CRUD on ICT third-party providers. |
| Manage assessments | CRUD on risk assessments. |
| Manage contracts | CRUD on contracts. |
| Manage exit strategies | CRUD on exit plans. |
| Manage incidents | CRUD on third-party incidents. |
| View risk dashboard | Access to concentration analysis. |
| View analytics | Access to advanced reporting. |
| Manage settings | Organisation configuration. |
| Manage register / compliance | DORA register, functions, due diligence, audits, Art. 30, entity, scope, branches, intra-group, definitions, EBA export. |
Create keys under /settings/api-keys with a descriptive note. Keys are formatted mlab_ + unique identifier and can be revoked at any time. On the Free tier keys are read-only (GET); on Licensed they support full CRUD. See the API reference.