This page covers every configuration surface in the Tenor toolchain: environment variables consumed by CLI commands, the TOML adapter config that wires Source declarations to live systems, trust keypair management, and Cargo feature flags for building from source.

---

Environment Variables

All environment variables are optional. Commands that require them will produce a clear error if the variable is absent.

ANTHROPIC_API_KEY

Used by: tenor connect, tenor ambiguity, LlmPolicy agent policy

Anthropic API key for Claude. Required when using LLM-powered features:

• tenor connect uses Claude to propose fact-to-endpoint mappings from Source declarations and environment schemas (OpenAPI, GraphQL SDL, SQL).
• tenor ambiguity uses Claude to analyze contracts for natural-language ambiguity in fact descriptions and rule semantics.
• LlmPolicy is the AI-powered agent policy that uses Claude to select which flow to execute when multiple actions are available in the action space.

export ANTHROPIC_API_KEY="sk-ant-..."

The --heuristic flag on tenor connect bypasses the LLM entirely, using pattern matching instead. If you do not need LLM features, this variable is not required.

TENOR_REGISTRY_TOKEN

Used by: tenor publish

Authentication token for the Tenor template registry. Required when publishing contract templates for reuse.

export TENOR_REGISTRY_TOKEN="tr_..."

TENOR_REGISTRY_URL

Used by: tenor publish, tenor deploy

Override for the registry endpoint URL. When unset, commands use the default public registry. Set this when running a private registry instance or pointing at a staging environment.

export TENOR_REGISTRY_URL="https://registry.internal.example.com"

TENOR_PLATFORM_TOKEN

Used by: tenor deploy

Authentication token for the Tenor hosted platform. Required when deploying contracts to the multi-tenant hosted execution environment.

export TENOR_PLATFORM_TOKEN="tp_..."

RUST_LOG

Used by: All Tenor crates (via tracing-subscriber)

Controls log verbosity. Uses the standard tracing-subscriber EnvFilter syntax.

# See all tenor crate logs at debug level
export RUST_LOG="tenor_core=debug,tenor_eval=debug,tenor_cli=debug"

# Trace-level logging for the elaborator only
export RUST_LOG="tenor_core=trace"

# Quiet mode: only errors
export RUST_LOG="error"

# Info level for everything
export RUST_LOG="info"

When unset, no log output is produced. The CLI does not set a default log level.

---

Adapter Config (TOML)

The adapter config file maps Source declarations in your contract to runtime connection details. It is a TOML file loaded via the --adapter-config flag on tenor serve or the platform serve command.

Structure

The file has two section types:

1. [global] --- settings that apply to all adapters (timeouts, retry policy)
2. [sources.<source_id>] --- per-source connection details, keyed by the Source construct's id from the contract

Complete Example

Given a contract with these Source declarations:

source order_service {
  protocol: http
  base_url: "https://api.example.com/v2"
  description: "Order management REST API"
}

source compliance_db {
  protocol: database
  dialect: "postgresql"
  description: "Compliance reporting database"
}

source exchange_rates {
  protocol: http
  base_url: "https://rates.example.com"
  description: "Currency exchange rate service"
}

source manual_review {
  protocol: manual
  description: "Human compliance officer input"
}

The corresponding adapter config:

[global]
timeout_ms = "30000"

[sources.order_service]
base_url = "https://api.example.com/v2"
auth_header = "Bearer eyJhbGciOiJIUzI1NiIs..."

[sources.compliance_db]
connection_string = "postgresql://tenor_read:s3cret@db.internal.example.com:5432/compliance"

[sources.exchange_rates]
base_url = "https://rates.example.com"
auth_header = "X-Api-Key abc123"

# manual sources require no config — they prompt at runtime

Field Reference

Global section:

Field	Type	Description
timeout_ms	String (numeric)	Default HTTP/database timeout in milliseconds. Applies to all adapter fetches unless overridden per-source.

Per-source fields (HTTP protocol):

Field	Type	Description
base_url	String	Base URL for HTTP requests. Overrides the Source declaration's base_url if both are present.
auth_header	String	Full Authorization header value (e.g., "Bearer <token>" or "X-Api-Key <key>"). Sent on every request to this source.

Per-source fields (Database protocol):

Field	Type	Description
connection_string	String	Full database connection URI. Format depends on dialect (postgresql://, mysql://, etc.).

Per-source fields (GraphQL protocol):

Field	Type	Description
endpoint	String	GraphQL endpoint URL.
auth_header	String	Authorization header value.

Per-source fields (gRPC protocol):

Field	Type	Description
address	String	gRPC server address (host:port).

Sources with protocol static or manual require no adapter config entries. Static sources return values defined in the contract. Manual sources prompt for human input at runtime.

Loading

# Local development
tenor serve contract.tenor --adapter-config ./config/adapters.toml

# With TLS
tenor serve contract.tenor --adapter-config ./config/adapters.toml \
  --tls-cert cert.pem --tls-key key.pem --port 3000

The adapter config is loaded once at startup. To update connection details, restart the server. The config file path is resolved relative to the current working directory.

---

Trust Config

Trust signing uses Ed25519 keypairs for contract attestation and provenance authenticity (executor obligations E18-E20). Keypairs are generated by the tenor keygen command.

Key Generation

# Default: generates tenor-key.secret and tenor-key.public
tenor keygen

# Custom prefix
tenor keygen --prefix my-signer
# Generates: my-signer.secret, my-signer.public

Key File Locations

File	Format	Contents
tenor-key.secret	PEM-encoded Ed25519 private key	Used for signing bundles and WASM modules. Keep this file secure --- never commit to version control.
tenor-key.public	PEM-encoded Ed25519 public key	Used for signature verification. Distribute to verifiers.

PEM Format

The key files use standard PEM encoding:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ...
-----END PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----

Signing Workflows

Bundle signing (contract attestation):

# Sign an elaborated bundle
tenor sign bundle.json --key tenor-key.secret
# Output: bundle.signed.json

# Verify signature
tenor verify bundle.signed.json
# Uses the public key embedded in the attestation

The signed bundle contains a top-level attestation object with: signer_public_key, signature (base64), algorithm ("ed25519"), signed_at timestamp, and signed_etag (SHA-256 of the bundle content).

WASM bundle signing (evaluator integrity):

# Sign a WASM evaluator, binding it to a specific contract
tenor sign-wasm evaluator.wasm --key tenor-key.secret --bundle-etag abc123...

# Verify
tenor verify-wasm evaluator.wasm --sig evaluator.wasm.sig --pubkey tenor-key.public

WASM signing binds the evaluator binary to a specific contract bundle via the etag. This prevents substitution attacks where a signed WASM module could be used with a different contract.

Manifest Trust Field

When deploying with trust enabled, the TenorManifest includes the trust metadata:

{
  "bundle_attestation": "<base64 signature>",
  "trust_domain": "acme.prod.us-east-1",
  "attestation_format": "ed25519-detached"
}

The trust field is non-evaluating: the evaluator ignores it entirely. It is consumed by auditors, operators, and compliance tooling. See Executor Obligations E18-E20 for the formal requirements.

---

Cargo Features

When building Tenor from source, these Cargo feature flags control which capabilities are compiled in.

tenor-eval Crate

Feature	Default	Effect
adapter	Yes	Enables the fact adapter framework, including HTTP, database, and GraphQL adapters. Pulls in tokio (async runtime) and ureq (HTTP client).
interactive	Yes	Enables RandomPolicy for agent policy selection. Pulls in rand.
anthropic	No	Enables AnthropicClient for the LlmPolicy agent policy. Pulls in ureq and tokio. Requires ANTHROPIC_API_KEY at runtime.

tenor-cli Crate

Feature	Default	Effect
tls	No	Enables TLS support for tenor serve. Pulls in axum-server with TLS. Without this feature, --tls-cert and --tls-key flags are unavailable.

WASM and Python SDK Builds

WASM (tenor-eval-wasm) and Python SDK (tenor-python) builds must use default-features = false:

[dependencies]
tenor-eval = { path = "../eval", default-features = false }

This excludes tokio and ureq, which are not available in WASM or PyO3 environments. The evaluator core (rule evaluation, predicate evaluation, flow execution, action space computation) works without any feature flags.

Building with Features

# Default build (adapter + interactive enabled)
cargo build --release

# With LLM support
cargo build --release --features anthropic

# With TLS for the CLI server
cargo build --release -p tenor-cli --features tls

# Minimal evaluator only (no adapter, no interactive)
cargo build --release -p tenor-eval --no-default-features

# Everything
cargo build --release --features "anthropic,tls"

Feature Dependency Graph

tenor-eval
├── adapter (default)     → tokio, ureq, toml
├── interactive (default) → rand
└── anthropic             → ureq, tokio

tenor-cli
└── tls                   → axum-server

The anthropic feature does not imply adapter or vice versa, but both pull in ureq. If you enable anthropic, the ureq dependency is already present regardless of the adapter flag.