API & Configuration Reference
Panovista is designed to be configured entirely via environment variables and declarative JSON schemas. This ensures that your Layer 7 security proxies can be deployed immutably across any environment—from local Docker sidecars to enterprise Kubernetes clusters—without requiring manual dashboard configuration or persistent databases.
Environment Variables
When deploying the Panovista container, the following environment variables control its core behavior, network routing, and logging outputs.
| Variable | Required | Default | Description |
|---|---|---|---|
| PANOVISTA_MODE | Yes | sidecar | The operational mode. Set to sidecar (protecting a single server) or gateway (routing multiple tools). |
| TARGET_MCP_URL | Yes | none | The internal, sealed URL of the raw Model Context Protocol (MCP) tool server (e.g., http://internal-db:8000/mcp). |
| UPSTREAM_PROVIDER | No | none | The external LLM destination if routing API keys (e.g., openai, anthropic). |
| PROVIDER_API_KEY | No | none | The securely injected API key for the upstream provider. |
| PANOVISTA_PORT | No | 4321 | The local port the proxy listens on for incoming AI agent requests. |
| PANOVISTA_LOG_LEVEL | No | info | Determines audit log verbosity (debug, info, warn, error). |
| SCHEMA_MOUNT_PATH | No | /etc/panovista | The local directory where Panovista loads your declarative *.json policy files. |
DLP Policy Schema (JSON)
Panovista evaluates outgoing MCP tool calls and inbound AI prompts against your local policy schemas. Policies must be written in standard JSON format and mounted to the container at boot.
Here is a complete reference of the Policy object:
{
  "version": "1.0",
  "policy_name": "customer_database_sanitization",
  "target_tool": "query_customer_database",
  "action": "redact",
  "rules": [
    {
      "field": "ssn",
      "type": "regex",
      "pattern": "^\\d{3}-\\d{2}-\\d{4}$",
      "replacement_token": "[SSN_REDACTED]"
    },
    {
      "field": "email",
      "type": "semantic",
      "intent": "pii_email",
      "replacement_token": "[EMAIL_REDACTED]"
    }
  ]
}
Schema Object Definitions
- version (string): The schema version parser to use (currently 1.0).
- policy_name (string): A human-readable identifier for audit logging and SIEM tracking.
- target_tool (string): The exact name of the MCP tool this policy applies to. If set to *, the rule applies globally to all MCP tools behind the proxy.
- action (string): The enforcement mechanism. Must be either redact (swaps data for zero-knowledge tokens) or block (drops the connection entirely).
- rules (array): An array of rule objects dictating how specific parameters, regex patterns, or semantic intents are handled in real-time.
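A pre-deployment lint for policy files, written against the field definitions above; it is an added example, not Panovista code. The rule keys (field, type, pattern, intent, replacement_token) are taken from the example policy, Python's re module stands in for the proxy's regex dialect, which this page does not specify, and lint_policy and lint_regex are hypothetical names.

```python
import re

ALLOWED_ACTIONS = {"redact", "block"}     # the two actions the reference lists
KNOWN_RULE_TYPES = {"regex", "semantic"}  # assumption: only the types the example uses

def lint_regex(where, pattern):
    if not isinstance(pattern, str):
        return [f"{where}: regex rule without a pattern"]
    try:
        re.compile(pattern)  # assumption: Python's dialect stands in for the proxy's
    except re.error as exc:
        return [f"{where}: pattern does not compile ({exc})"]
    if pattern.startswith("^") and pattern.endswith("$"):
        return [f"{where}: warning: anchored at both ends, misses values embedded in text"]
    return []

def lint_policy(policy):
    """Return the problems found in one policy object; an empty list means clean."""
    problems = []
    if policy.get("version") != "1.0":
        problems.append("version: expected '1.0'")
    for key in ("policy_name", "target_tool"):
        if not isinstance(policy.get(key), str) or not policy[key].strip():
            problems.append(f"{key}: missing or empty")
    action = policy.get("action")
    if action not in ALLOWED_ACTIONS:
        problems.append(f"action: {action!r} is not 'redact' or 'block'")
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return problems + ["rules: must be a non-empty array"]
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not rule.get("field"):
            problems.append(f"{where}: no field")
        kind = rule.get("type")
        if kind not in KNOWN_RULE_TYPES:
            problems.append(f"{where}: unknown type {kind!r}")
        elif kind == "regex":
            problems += lint_regex(where, rule.get("pattern"))
        elif not rule.get("intent"):
            problems.append(f"{where}: semantic rule without an intent")
        if action == "redact" and not rule.get("replacement_token"):
            problems.append(f"{where}: redact rule without a replacement_token")
    return problems

# Constructed sample: a typo in action and an unbalanced pattern.
BROKEN = {"version": "1.0", "policy_name": "demo", "target_tool": "*", "action": "redcat",
          "rules": [{"field": "ssn", "type": "regex", "pattern": "(\\d{3}-\\d{2}"}]}

if __name__ == "__main__":
    print("\n".join(lint_policy(BROKEN)))
```

Run over the reference policy above, the lint reports only the anchoring warning on rules[0]: under standard regex semantics that pattern matches a value that is exactly an SSN and nothing longer, which matters if the field can carry free text.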
Local Health Endpoints
To integrate seamlessly with cloud load balancers (AWS ALB) or Kubernetes orchestration, Panovista exposes local unauthenticated endpoints to verify container health. These endpoints do not proxy traffic to the backend MCP servers.
GET /health/live
Returns a 200 OK status immediately if the HTTP server is actively running. Used for Kubernetes Liveness Probes.
GET /health/ready
Returns a 200 OK status only if the proxy has successfully parsed, validated, and loaded all JSON schemas located in the SCHEMA_MOUNT_PATH. Used for Kubernetes Readiness Probes to ensure traffic isn’t routed to a proxy without active DLP rules.
{
  "status": "ready",
  "uptime_seconds": 3402,
  "loaded_schemas": 14,
  "fips_mode": true
}