Configuration Reference

Environment Variables

Name	Default	Source	Description	Security
`gpt_path / GPT_PATH`	`None`	`sarpyx/cli/worldsar.py`	Path to SNAP GPT executable used by worldsar pipeline.	Prefer absolute trusted path; avoid untrusted binaries in PATH.
`grid_path / GRID_PATH`	`None`	`sarpyx/cli/worldsar.py, Makefile`	Path to GeoJSON tiling grid.	Validate file provenance; malformed geometry can break tiling workflows.
`db_dir / DB_DIR`	`None`	`sarpyx/cli/worldsar.py`	Output directory for tile database artifacts.	Use writable path with least privilege.
`cuts_outdir / OUTPUT_CUTS_DIR`	`None`	`sarpyx/cli/worldsar.py`	Output directory for generated raster tiles.	Avoid writing to shared sensitive directories.
`base_path / BASE_PATH`	`project root`	`sarpyx/cli/worldsar.py`	Base path used by worldsar fallback filesystem operations.	Keep under controlled workspace.
`SNAP_USERDIR / snap_userdir`	`<project_root>/.snap`	`sarpyx/cli/worldsar.py, sarpyx/snapflow/engine.py`	SNAP user configuration and cache directory.	Contains execution metadata; protect in multi-user environments.
`orbit_base_url / ORBIT_BASE_URL`	`https://step.esa.int/auxdata/orbits/Sentinel-1`	`sarpyx/cli/worldsar.py`	Base URL for Sentinel orbit prefetch.	Use trusted HTTPS endpoint only.
`HF_TOKEN`	`unset`	`sarpyx/cli/upload.py`	Hugging Face access token for upload operations.	Treat as secret; do not commit to repository.
`JAVA_HOME`	`/usr/lib/jvm/java-8-openjdk-amd64 (container)`	`Dockerfile, docker-compose.yml`	Java runtime required by SNAP.	Pin to trusted JRE installation.
`SNAP_HOME`	`/snap12 or /workspace/snap12 (container)`	`Dockerfile, entrypoint.sh`	SNAP installation directory.	Read-only in production container images where possible.
`SNAP_SKIP_UPDATES`	`1`	`entrypoint.sh`	If set to 1, startup script skips SNAP online update check.	Disabling auto-updates improves reproducibility.
`JUPYTER_ENABLE_LAB / JUPYTER_TOKEN / JUPYTER_ALLOW_INSECURE_WRITES`	`compose defaults`	`docker-compose.yml`	Jupyter runtime behavior inside containerized workflow.	Setting empty token is insecure outside localhost-bound environments.

Config Files

pyproject.toml
uv.lock
pdm.lock
docker-compose.yml
Dockerfile
Makefile
entrypoint.sh
support/snap.varfile
conda/recipe/meta.yaml

Defaults

Package metadata and dependencies come from pyproject.toml.
CLI defaults are defined in each parser function (for example sarpyx/cli/main.py and sarpyx/cli/worldsar.py).
Container defaults are defined in Dockerfile and docker-compose.yml.

Security Considerations

Store HF_TOKEN in environment or secret manager, never in versioned files.
Do not expose Jupyter with an empty token outside localhost-bound development contexts.
Pin trusted SNAP/Java binaries and validate filesystem paths passed to CLI commands.