Configuration Reference
Environment Variables
| Name | Default | Source | Description | Security |
|---|---|---|---|---|
| gpt_path / GPT_PATH | None | sarpyx/cli/worldsar.py, scripts/setvars.sh | Path to SNAP GPT executable used by worldsar pipeline. | Prefer absolute trusted path; avoid untrusted binaries in PATH. |
| grid_path / GRID_PATH | None | sarpyx/cli/worldsar.py, Makefile | Path to GeoJSON tiling grid. | Validate file provenance; malformed geometry can break tiling workflows. |
| db_dir / DB_DIR | None | sarpyx/cli/worldsar.py | Output directory for tile database artifacts. | Use writable path with least privilege. |
| cuts_outdir / OUTPUT_CUTS_DIR | None | sarpyx/cli/worldsar.py | Output directory for generated raster tiles. | Avoid writing to shared sensitive directories. |
| base_path / BASE_PATH | project root | sarpyx/cli/worldsar.py | Base path used by worldsar fallback filesystem operations. | Keep under controlled workspace. |
| SNAP_USERDIR / snap_userdir | <project_root>/.snap | sarpyx/cli/worldsar.py, sarpyx/snapflow/engine.py, scripts/setvars.sh | SNAP user configuration and cache directory. | Contains execution metadata; protect in multi-user environments. |
| orbit_base_url / ORBIT_BASE_URL | https://step.esa.int/auxdata/orbits/Sentinel-1 | sarpyx/cli/worldsar.py | Base URL for Sentinel orbit prefetch. | Use trusted HTTPS endpoint only. |
| HF_TOKEN | unset | sarpyx/cli/upload.py | Hugging Face access token for upload operations. | Treat as secret; do not commit to repository. |
| JAVA_HOME | /usr/lib/jvm/java-8-openjdk-amd64 (container) | Dockerfile, docker-compose.yml | Java runtime required by SNAP. | Pin to trusted JRE installation. |
| SNAP_HOME | /workspace/snap13 (container) or $CONDA_PREFIX/opt/esa-snap (helper) | Dockerfile, entrypoint.sh, scripts/setvars.sh | SNAP installation directory used to derive GPT_PATH. | Read-only in production container images where possible. |
| SNAP_SKIP_UPDATES | 1 | entrypoint.sh, support/snap-install.sh | If set to 1, startup or install scripts skip SNAP online update checks. | Disabling auto-updates improves reproducibility. |
| JUPYTER_ENABLE_LAB / JUPYTER_TOKEN / JUPYTER_ALLOW_INSECURE_WRITES | compose defaults | docker-compose.yml | Jupyter runtime behavior inside containerized workflow. | Setting an empty token is insecure outside localhost-bound environments. |
For complete SNAP/GPT setup, including conda activation, scripts/setvars.sh, and --gpt-path usage, see GPT Path Setting.
Config Files
- pyproject.toml
- uv.lock
- docker-compose.yml
- Dockerfile
- Makefile
- entrypoint.sh
- support/snap.varfile
- conda/recipe/meta.yaml
Defaults
- Package metadata and dependencies come from pyproject.toml.
- CLI defaults are defined in each parser function (for example sarpyx/cli/main.py and sarpyx/cli/worldsar.py).
- Container defaults are defined in Dockerfile and docker-compose.yml.
Security Considerations
- Store HF_TOKEN in the environment or a secret manager, never in versioned files.
- Do not expose Jupyter with an empty token outside localhost-bound development contexts.
- Pin trusted SNAP/Java binaries and validate filesystem paths passed to CLI commands.
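
A preflight check along the lines of the guidance above, as an added example that is not part of sarpyx: the function name `audit_env` and the specific permission rules (no group/other write on the GPT binary, no world-writable output directories) are assumptions about how a deployment might enforce "trusted path" and "least privilege". It flags an empty JUPYTER_TOKEN unconditionally, since the environment alone does not show whether Jupyter is bound to localhost.

```python
import os
import stat
from urllib.parse import urlsplit


def audit_env(env):
    """Return (variable, problem) findings for the variables documented above."""
    findings = []

    # GPT_PATH: absolute path to an executable regular file that other local
    # users cannot overwrite (assumed policy: no group/other write bit).
    gpt = env.get("GPT_PATH")
    if gpt:
        if not os.path.isabs(gpt):
            findings.append(("GPT_PATH", "not an absolute path"))
        elif not os.path.isfile(gpt) or not os.access(gpt, os.X_OK):
            findings.append(("GPT_PATH", "not an executable file"))
        elif os.stat(gpt).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("GPT_PATH", "writable by group or other"))

    # ORBIT_BASE_URL: orbit files are fetched from here, so require HTTPS.
    url = env.get("ORBIT_BASE_URL")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(("ORBIT_BASE_URL", "not an HTTPS URL"))

    # JUPYTER_TOKEN: set but empty means token authentication is disabled.
    if env.get("JUPYTER_TOKEN") == "":
        findings.append(("JUPYTER_TOKEN", "empty token"))

    # Output and cache directories should not be world-writable.
    for name in ("DB_DIR", "OUTPUT_CUTS_DIR", "SNAP_USERDIR"):
        path = env.get(name)
        if path and os.path.isdir(path) and os.stat(path).st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable directory"))
    return findings


if __name__ == "__main__":
    # Audit the current process environment and print one finding per line.
    for var, problem in audit_env(os.environ):
        print(f"{var}: {problem}")
```

Unset variables are skipped rather than reported, because the table lists most of them with no default.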