Documentation

Configuration

UrNammu uses a combination of environment variables and runtime settings stored in the database. Runtime settings can be changed from the Settings page without redeployment.

Environment variables

Set these in your .env file or hosting provider's environment config:

Required

# Database connection
DATABASE_URL=postgresql://user:pass@host:5432/urnammu

# NextAuth session encryption
NEXTAUTH_SECRET=generate-a-random-32-char-string
NEXTAUTH_URL=https://your-domain.com

Authentication

# Google OAuth (for production sign-in)
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret

# Dev login (development only! Set to "false" in production)
ENABLE_DEV_LOGIN=true

Optional

# AI provider fallbacks (if not configured in Settings UI)
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...

# API proxy shared secret
PROXY_SECRET=your-shared-secret

# Google Workspace shadow AI scanning
GOOGLE_SERVICE_ACCOUNT_KEY={"type":"service_account",...}
GOOGLE_ADMIN_EMAIL=admin@your-domain.com

# Cron job authentication
CRON_SECRET=your-cron-secret
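
A preflight check for the variables listed above, as an added example that is not part of UrNammu. The function `auditEnv`, its rule set, and the heuristic that an https, non-loopback NEXTAUTH_URL means production are assumptions of this sketch.

```javascript
// Added example. The rules and messages are assumptions of this sketch,
// not checks that UrNammu itself performs.
const REQUIRED = ["DATABASE_URL", "NEXTAUTH_SECRET", "NEXTAUTH_URL"];
const SECRETS = ["NEXTAUTH_SECRET", "GOOGLE_CLIENT_SECRET", "PROXY_SECRET",
  "CRON_SECRET", "ANTHROPIC_API_KEY", "OPENAI_API_KEY"];
// Shapes of the template values shown on this page.
const PLACEHOLDERS = [/^generate-a-random/i, /^your-/i, /\.\.\.$/];
const isPlaceholder = (v) => PLACEHOLDERS.some((re) => re.test(v));

function auditEnv(env) {
  const findings = [];
  for (const name of REQUIRED) {
    if (!env[name]) findings.push(`${name}: required but not set`);
  }
  for (const name of SECRETS) {
    if (env[name] && isPlaceholder(env[name])) findings.push(`${name}: still a documentation placeholder`);
  }
  const secret = env.NEXTAUTH_SECRET || "";
  if (secret && !isPlaceholder(secret) && secret.length < 32) {
    findings.push("NEXTAUTH_SECRET: shorter than 32 characters");
  }
  if (/\/\/user:pass@/.test(env.DATABASE_URL || "")) {
    findings.push("DATABASE_URL: still uses the sample user:pass credentials");
  }
  // Assumption: an https NEXTAUTH_URL that is not a loopback host means production.
  let production = false;
  if (env.NEXTAUTH_URL) {
    try {
      const url = new URL(env.NEXTAUTH_URL);
      production = url.protocol === "https:" &&
        !["localhost", "127.0.0.1"].includes(url.hostname);
    } catch {
      findings.push("NEXTAUTH_URL: not a valid URL");
    }
  }
  // Fail closed: only the exact value "false" counts as disabled, so a value
  // that swallowed an inline comment ('true   # Set to ...') is flagged too.
  const dev = env.ENABLE_DEV_LOGIN;
  if (production && dev !== undefined && dev.trim().toLowerCase() !== "false") {
    findings.push('ENABLE_DEV_LOGIN: must be "false" in production');
  }
  return findings;
}

// Constructed sample: template values from this page left unedited.
const sampleEnv = { NEXTAUTH_URL: "https://your-domain.com", ENABLE_DEV_LOGIN: "true",
  NEXTAUTH_SECRET: "generate-a-random-32-char-string" };
console.log(auditEnv(sampleEnv).join("\n"));
```

This covers the environment layer only. The Dev Login toggle under Settings > Users & Identity is stored in the database and needs its own review.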

Runtime settings

These are managed from the Settings page in the app and stored in the AppSetting table. They take precedence over environment variables.

Settings > General

  • AI Provider — Choose between Anthropic Claude or OpenAI ChatGPT
  • AI Model — Select the specific model (e.g., claude-sonnet-4-20250514, gpt-4o)
  • API Key — Provider-specific API key

Settings > Users & Identity

  • Google Sign-In — Configure Google OAuth client ID and secret
  • Microsoft 365 — Configure Azure AD OAuth credentials
  • Local Auth — Enable/disable local email+password authentication
  • Dev Login — Enable/disable development login (never in production)

Settings > Shadow AI

  • Google Workspace Discovery — Service account key and admin email for OAuth token scanning
  • Scan Schedule — Configure daily automated scan (default: 2 AM UTC via Vercel Cron)

Settings > Proxy

  • Proxy URL — Azure Functions proxy endpoint
  • Proxy Secret — Shared authentication secret between app and proxy

Roles and permissions

UrNammu has three user roles:

  • ADMIN — Full access. Can manage settings, users, and all entities. The first user to sign in is automatically assigned ADMIN.
  • COMPLIANCE_OFFICER — Can manage policies, risk assessments, and compliance data. Cannot access system settings or user management.
  • VIEWER — Read-only access to all dashboards and data. Default role for new users.

Shadow AI discovery methods

Google Workspace scan

Uses a Google Workspace service account to scan OAuth tokens granted by users in your organization. Detects third-party AI tools that have been given access to your Workspace data.

DNS / proxy log import

Import CSV or TXT files containing DNS queries or proxy logs. UrNammu matches domains against a built-in registry of 18+ known AI tools and flags any matches. Also supports JSON API ingestion for automated pipelines.

Manual reporting

Employees can report AI tools they discover via the Shadow AI page. These are added to the triage queue for review by governance teams.