Skip to content

Configuration Reference

This page documents all configuration files and environment variables used by the Curaway backend. Configuration is split between YAML files (checked into the repo) and environment variables (managed per deployment).

config/guardrails.yaml

The guardrails configuration controls the AI agent's input classification and output validation. It prevents the agent from soliciting or disclosing sensitive information and keeps conversations within the medical tourism intake scope.

Classifier Categories

The input classifier assigns each user message to one of these categories before the message reaches the LLM:

Category Action Description
safe Allow Normal intake-related messages (symptoms, travel questions, logistics)
medical_advice Block User is asking for a diagnosis or treatment recommendation
pii_solicitation Block User is providing unsolicited PII (SSN, credit card, etc.)
emergency Escalate User describes an emergency medical situation
off_topic Redirect Message is unrelated to medical tourism (e.g., sports, weather)
profanity Block Message contains profanity or abusive language
legal_advice Block User is asking for legal counsel (malpractice, liability)
competitor_mention Log User mentions a competing platform (logged but allowed)

Forbidden Output Patterns

The output validator scans every LLM response against these 12 regex patterns. If any pattern matches, the response is blocked and a safe fallback is returned instead.

Pattern ID Description
diagnosis_statement Statements like "you have [condition]" or "you are diagnosed with"
dosage_recommendation Any mention of specific drug dosages
treatment_prescription Direct treatment prescriptions ("you should take", "I recommend the drug")
prognosis_prediction Survival rates, recovery time guarantees
lab_interpretation Interpreting specific lab values as normal/abnormal
emergency_self_treat Instructions for self-treating an emergency
insurance_guarantee Guaranteeing insurance coverage or reimbursement
price_guarantee Guaranteeing specific treatment costs
legal_opinion Any legal advice or liability statements
credential_leak API keys, passwords, or internal URLs in the response
internal_instruction System prompt or internal instruction leakage
competitor_endorsement Endorsing or recommending a competing platform

Response Templates

When a message is blocked, the system returns a pre-configured response template:

response_templates:
  medical_advice: >
    I understand your concern, but I'm not able to provide medical diagnoses
    or treatment recommendations. I can help connect you with qualified
    medical professionals who can properly evaluate your condition.
  emergency: >
    If you are experiencing a medical emergency, please call your local
    emergency services immediately. I can help you find appropriate care
    after your immediate needs are addressed.
  pii_solicitation: >
    For your safety, please do not share sensitive personal information
    like social security numbers or credit card details in this chat.
    Any required information will be collected securely during the
    formal intake process.
  off_topic: >
    I'm here to help with your medical travel needs. Could you tell me
    more about the medical procedure you're interested in or the
    destination you're considering?

Medical Keywords (Multilingual)

The classifier uses medical keyword lists in four languages to improve classification accuracy:

Language Example Keywords Count
English surgery, diagnosis, prescription, symptoms, treatment ~120
Arabic جراحة, تشخيص, وصفة طبية, أعراض, علاج ~90
German Operation, Diagnose, Rezept, Symptome, Behandlung ~95
Turkish ameliyat, teşhis, reçete, belirtiler, tedavi ~85

File Validation Limits

When guardrail file validation is enabled, uploaded files are checked against these limits:

Parameter Value Description
max_file_size_mb 20 Maximum file size in megabytes
allowed_extensions .pdf, .jpg, .jpeg, .png, .dcm Permitted file types
max_filename_length 255 Maximum filename character count
scan_for_malware true Whether to scan uploads with ClamAV (if available)
ocr_timeout_seconds 30 Maximum time for PyMuPDF OCR extraction

config/model_registry.yaml

The model registry defines which LLM models are available, their capabilities, and how they are assigned to different tasks.

Model Definitions

models:
  gpt-4o:
    provider: openai
    context_window: 128000
    max_output_tokens: 4096
    supports_vision: true
    supports_function_calling: true
    cost_per_1k_input: 0.005
    cost_per_1k_output: 0.015

  gpt-4o-mini:
    provider: openai
    context_window: 128000
    max_output_tokens: 4096
    supports_vision: true
    supports_function_calling: true
    cost_per_1k_input: 0.00015
    cost_per_1k_output: 0.0006

  claude-3-5-sonnet:
    provider: anthropic
    context_window: 200000
    max_output_tokens: 8192
    supports_vision: true
    supports_function_calling: true
    cost_per_1k_input: 0.003
    cost_per_1k_output: 0.015

Tier Assignments

Models are assigned to tiers that map to specific use cases:

Tier Model Use Case
intake_chat gpt-4o-mini Patient intake conversations (cost-optimized)
medical_summary gpt-4o EHR summary generation (accuracy-critical)
document_analysis gpt-4o OCR result analysis and extraction
provider_matching gpt-4o-mini Generating match explanations
translation gpt-4o-mini Multilingual response translation
guardrail_classifier gpt-4o-mini Input classification for safety

Fallback Chains

If the primary model is unavailable, the system falls back through this chain:

fallback_chains:
  default:
    - gpt-4o
    - claude-3-5-sonnet
    - gpt-4o-mini
  cost_sensitive:
    - gpt-4o-mini
    - claude-3-5-sonnet
  accuracy_critical:
    - gpt-4o
    - claude-3-5-sonnet

Environment Variables

All environment variables are required unless marked as optional. Never commit actual values -- use .env.example as a template.

Database

Variable Description Example Format
DATABASE_URL PostgreSQL connection string postgresql+asyncpg://user:pass@host:5432/curaway
NEO4J_URI Neo4j Bolt connection URI neo4j+s://xxxx.databases.neo4j.io
NEO4J_USERNAME Neo4j authentication username neo4j
NEO4J_PASSWORD Neo4j authentication password (secret)
QDRANT_URL Qdrant vector database URL https://xxxx.cloud.qdrant.io:6333
QDRANT_API_KEY Qdrant API key (secret)
UPSTASH_REDIS_URL Upstash Redis connection URL rediss://default:xxxx@xxxx.upstash.io:6379

Authentication

Variable Description Example Format
CLERK_SECRET_KEY Clerk backend API secret key sk_live_xxxx
CLERK_PUBLISHABLE_KEY Clerk frontend publishable key (optional, frontend only) pk_live_xxxx

Feature Management

Variable Description Example Format
FLAGSMITH_API_KEY Flagsmith environment API key (secret)
FLAGSMITH_API_URL Flagsmith API URL (optional, defaults to cloud) https://edge.api.flagsmith.com/api/v1/

Observability

Variable Description Example Format
LANGFUSE_SECRET_KEY Langfuse secret key for LLM tracing sk-lf-xxxx
LANGFUSE_PUBLIC_KEY Langfuse public key pk-lf-xxxx
LANGFUSE_HOST Langfuse host URL (optional) https://cloud.langfuse.com

Email & Notifications

Variable Description Example Format
RESEND_API_KEY Resend email API key re_xxxx
NOTIFICATION_FROM_EMAIL Sender email address (optional) noreply@curaway.ai

Storage (Cloudflare R2)

Variable Description Example Format
CLOUDFLARE_R2_ACCESS_KEY_ID R2 access key ID (secret)
CLOUDFLARE_R2_SECRET_ACCESS_KEY R2 secret access key (secret)
CLOUDFLARE_R2_BUCKET R2 bucket name curaway-uploads
CLOUDFLARE_R2_ENDPOINT R2 S3-compatible endpoint https://xxxx.r2.cloudflarestorage.com
CLOUDFLARE_R2_PUBLIC_URL Public URL prefix for uploaded files (optional) https://uploads.curaway.ai

AI / Embeddings

Variable Description Example Format
OPENAI_API_KEY OpenAI API key for LLM and embeddings sk-xxxx
ANTHROPIC_API_KEY Anthropic API key (optional, for fallback) sk-ant-xxxx
EMBEDDING_PROVIDER Embedding provider (openai or local) openai
EMBEDDING_MODEL Embedding model name (optional) text-embedding-3-small

Application

Variable Description Example Format
APP_ENV Environment name (development, staging, production) production
AUTH_DISABLED Disable JWT auth for local development (optional) true
CORS_ORIGINS Comma-separated allowed CORS origins (optional) https://app.curaway.ai,http://localhost:3000
LOG_LEVEL Logging level (optional, defaults to INFO) DEBUG