Configuration Properties

Complete reference for all Contexa configuration properties. All properties are set in application.yml and bound through Spring Boot's @ConfigurationProperties mechanism. Properties are organized into 5 categories below.

Configuration Categories

Contexa provides 27 @ConfigurationProperties classes across all modules. Select a category to view the full property reference.

Essential Properties

The most important properties to configure when starting with Contexa:

Property Default Description
contexa.enabled true Master switch for the entire Contexa platform
contexa.infrastructure.mode STANDALONE STANDALONE (in-memory) or DISTRIBUTED (Redis + Kafka)
contexa.llm.enabled true Enable LLM integration for AI-driven security decisions
contexa.security.zerotrust.enabled true Enable zero-trust continuous verification
spring.auth.state-type OAUTH2 State management: SESSION or OAUTH2. Can be omitted — defaults work for most setups.
contexa.llm.selection.chat.priority "" Comma-separated chat provider priority (e.g., ollama,anthropic,openai). Resolver picks the first available provider.

Minimal Configuration

A minimal application.yml to get started with Contexa in standalone mode:

YAML 
contexa:
  enabled: true
  infrastructure:
    mode: standalone
  llm:
    enabled: true
    selection:
      chat:
        priority: ollama,anthropic,openai
    chat:
      ollama:
        base-url: http://127.0.0.1:11434
        model: qwen2.5:14b
  rag:
    enabled: true

contexa.security:
  zerotrust:
    enabled: true

spring:
  auth:
    state-type: SESSION
  ai:
    security:
      layer1:
        model: qwen2.5:14b
      layer2:
        model: exaone3.5:latest

Contexa Core Properties

Top-level properties under the contexa prefix, bound to ContexaProperties.

Property Type Default Description
contexa
.enabled boolean true Master switch to enable or disable the entire Contexa platform
.infrastructure.mode enum STANDALONE Infrastructure mode: STANDALONE (in-memory) or DISTRIBUTED (Redis, Kafka)
.infrastructure.redis.enabled boolean true Enable Redis integration for distributed caching
.enterprise.enabled boolean false Enable enterprise-only integrations when the runtime provides them
.infrastructure.kafka.enabled boolean true Enable Kafka integration for event streaming (distributed mode)
.infrastructure.observability.enabled boolean true Enable observability infrastructure
.infrastructure.observability.open-telemetry-enabled boolean true Enable OpenTelemetry integration for distributed tracing

LLM Properties

Property Type Default Description
contexa.llm
.enabledbooleantrueEnable LLM integration for AI-driven security decisions
.advisor-enabledbooleantrueEnable the AI advisor chain
.selection.chat.modeenumDYNAMIC_PRIORITYChat provider selection strategy: DYNAMIC_PRIORITY walks the priority list, SPRING_PRIMARY uses the Spring @Primary bean
.selection.chat.priorityString""Comma-separated chat provider order (e.g., ollama,anthropic,openai) used when mode is DYNAMIC_PRIORITY
.selection.embedding.modeenumDYNAMIC_PRIORITYEmbedding provider selection strategy
.selection.embedding.priorityString""Comma-separated embedding provider order (e.g., ollama,openai)
.chat.ollama.base-urlString""Dedicated Ollama chat runtime URL required when Ollama chat is enabled
.chat.ollama.modelString""Ollama chat model name used by the Contexa chat runtime
.chat.ollama.keep-aliveString""Optional keep-alive hint passed to the Ollama chat runtime
.embedding.ollama.dedicated-runtime-enabledbooleanfalseUse a dedicated Ollama embedding runtime instead of the shared chat runtime
.embedding.ollama.base-urlString""Dedicated Ollama embedding runtime URL when dedicated-runtime-enabled is true
.embedding.ollama.modelString""Embedding model name for the Ollama embedding runtime

Tiered LLM and External Provider Configuration

Contexa reads tier selection from contexa.security.tiered*. External Anthropic and OpenAI providers use standard spring.ai.* properties. Ollama runtime selection is configured under contexa.llm.*, not spring.ai.ollama.*.

Property Type Description
spring.ai
.llm.layer1.modelStringTier-1 model name used for the first analysis pass
.llm.layer2.modelStringTier-2 model name used for deep analysis and escalation
.prompt-compression.enabledbooleanEnable runtime prompt compression for tiered execution
.layer1.timeout.total-mslongTotal timeout budget for the tier-1 execution path
.layer2.timeout-mslongTotal timeout budget for the tier-2 execution path
.anthropic.api-keyStringAnthropic API key for the standard Spring AI Anthropic client
.openai.api-keyStringOpenAI API key for the standard Spring AI OpenAI client
.openai.base-urlStringOverride the OpenAI API base URL when a proxy or compatible endpoint is used

Vector Store Properties

Property Type Default Description
contexa.rag
.enabledbooleantrueEnable the RAG subsystem inside Contexa
.defaults.top-kint10Default number of retrieved documents for general retrieval
.defaults.similarity-thresholddouble0.7Default similarity threshold for general retrieval
.behavior.lookback-daysint30Default behavior lookback window (days) used by RAG retrieval filters
.risk.top-kint50Number of retrieved documents for risk-oriented retrieval
.risk.similarity-thresholddouble0.8Similarity threshold for risk-oriented retrieval
.lab.batch-sizeint50RAG lab batch size
.lab.validation-enabledbooleantrueEnable lab-side validation pass
.lab.enrichment-enabledbooleantrueEnable lab-side enrichment pass
.lab.top-kint100Lab retrieval size
.lab.similarity-thresholddouble0.75Lab similarity threshold
.etl.batch-sizeint100Document batch size used during vector ETL
.etl.vector-table-nameStringvector_storeLogical vector table name used by Contexa ETL jobs
.etl.chunk-sizeint500Document chunk size used during vector ETL
.etl.chunk-overlapint50Chunk overlap used during vector ETL
.etl.behavior.retention-daysint90Retention window (days) for ETL behavior artifacts
contexa.vectorstore.pgvector
.dimensionsint1024Embedding dimension used by the pgvector store
.batch-sizeint100Batch size used when storing vectors
.top-kint100Default retrieval limit inside the pgvector store adapter
.similarity-thresholddouble0.5Minimum similarity threshold enforced by the pgvector adapter
.search-timeout-mslong10000Search timeout budget for pgvector queries
.store-timeout-mslong10000Store timeout budget for pgvector writes
.document.chunk-sizeint1000Chunk size used when preparing source documents for storage
.document.chunk-overlapint200Chunk overlap used when preparing source documents for storage

Zero Trust Properties

Properties under contexa.security.zerotrust, bound to SecurityZeroTrustProperties.

Property Type Default Description
contexa.security.zerotrust
.enabled boolean true Enable Zero Trust evaluation engine
.threat.initial double 0.3 Initial threat score assigned to new sessions
.cache.ttl-hours int 24 Trust evaluation cache TTL in hours
.cache.session-ttl-minutes int 30 Session cache TTL in minutes
.cache.invalidated-ttl-minutes int 60 Invalidated session cache TTL in minutes
.redis.timeout int 5 Redis operation timeout in seconds
.redis.update-interval-seconds int 30 Interval for syncing trust scores to Redis
.session.tracking-enabled boolean true Enable AI-driven session tracking

HCAD Properties

Hierarchical Context-Aware Detection properties under contexa.hcad, bound to HcadProperties.

Property Type Default Description
contexa.hcad
.enabledbooleantrueEnable the HCAD anomaly detection engine
.filter-orderint100Order of the HCAD filter in the security filter chain
.similarity.hot-path-thresholddouble0.7Similarity threshold used by the hot path evaluation stage
.baseline.learning.enabledbooleantrueEnable continuous baseline learning
.baseline.bootstrap.initial-samplesint10Minimum bootstrap sample count before the initial baseline is accepted
.baseline.statistical.min-samplesint20Minimum sample count for statistical baseline updates

Autonomous Security Properties

Property Type Default Description
contexa.autonomous
.enabledbooleantrueEnable autonomous security response processing
.event-timeoutlong30000Timeout for autonomous event processing in milliseconds

Session Security Properties

Properties under contexa.security.session, bound to SecuritySessionProperties.

Property Type Default Description
contexa.security.session
.cookie.name String SESSION Session cookie name
.header.name String X-Auth-Token Session header name for token-based sessions
.bearer.enabled boolean true Enable bearer token session resolution

Full Configuration Example

A complete application.yml showing all major configuration sections:

YAML 
contexa:
  enabled: true
  infrastructure:
    mode: standalone
    redis:
      enabled: true
    kafka:
      enabled: false
    observability:
      enabled: true
      open-telemetry-enabled: true

  hcad:
    enabled: true
    similarity:
      hot-path-threshold: 0.7
    baseline:
      min-samples: 10
      cache-ttl: 3600

  llm:
    enabled: true
    advisor-enabled: true
    selection:
      chat:
        mode: DYNAMIC_PRIORITY
        priority: ollama,anthropic,openai
      embedding:
        mode: DYNAMIC_PRIORITY
        priority: ollama,openai
    chat:
      ollama:
        base-url: http://127.0.0.1:11434
        model: qwen2.5:14b
        keep-alive: 24h
    embedding:
      ollama:
        dedicated-runtime-enabled: false
        model: mxbai-embed-large

  rag:
    enabled: true
    defaults:
      top-k: 10
      similarity-threshold: 0.7
    etl:
      vector-table-name: vector_store
      chunk-size: 500
      chunk-overlap: 50

  autonomous:
    enabled: true
    event-timeout: 30000

contexa.hcad:
  enabled: true
  filter-order: 100
  baseline:
    learning:
      enabled: true

contexa.security:
  zerotrust:
    enabled: true
    mode: ENFORCE
    threat:
      initial: 0.3
    cache:
      ttl-hours: 24
      session-ttl-minutes: 30
    redis:
      timeout: 5
      update-interval-seconds: 30

  session:
    cookie:
      name: SESSION
    header:
      name: X-Auth-Token
    bearer:
      enabled: true

spring:
  auth:
    state-type: SESSION
  ai:
    security:
      layer1:
        model: qwen2.5:14b
      layer2:
        model: exaone3.5:latest
      tiered:
        prompt-compression:
          enabled: true
    anthropic:
      api-key: ${ANTHROPIC_API_KEY:}
    openai:
      api-key: ${OPENAI_API_KEY:}
    vectorstore:
      pgvector:
        dimensions: 1024
        batch-size: 100
        top-k: 100
        similarity-threshold: 0.5
        document:
          chunk-size: 1000
          chunk-overlap: 200

ContexaProperties Quick Reference

Complete list of high-signal contexa.* properties from ContexaProperties. Each section links to the detailed sub-page.

Master Switches

PropertyTypeDefaultDescription
contexa.enabledbooleantrueMaster switch for the entire Contexa platform.

HCAD (Behavioral Analysis)

PropertyTypeDefaultDescription
contexa.hcad.enabledbooleantrueEnable the Contexa-side HCAD toggle.
contexa.hcad.similarity.hot-path-thresholddouble0.7Hot path similarity threshold exposed through ContexaProperties.
contexa.hcad.baseline.min-samplesint10Minimum baseline sample count in the Contexa wrapper properties.
contexa.hcad.baseline.cache-ttlint3600Baseline cache TTL in seconds in the Contexa wrapper properties.

LLM (Language Model)

PropertyTypeDefaultDescription
contexa.llm.enabledbooleantrueEnable LLM integration.
contexa.llm.advisor-enabledbooleantrueEnable the advisor chain.
contexa.llm.selection.chat.modeenumDYNAMIC_PRIORITYChat provider selection strategy.
contexa.llm.selection.chat.priorityString""Comma-separated chat provider order (e.g., ollama,anthropic,openai).
contexa.llm.selection.embedding.modeenumDYNAMIC_PRIORITYEmbedding provider selection strategy.
contexa.llm.selection.embedding.priorityString""Comma-separated embedding provider order (e.g., ollama,openai).
contexa.llm.chat.ollama.base-urlString""Ollama chat runtime URL.
contexa.llm.embedding.ollama.dedicated-runtime-enabledbooleanfalseEnable a dedicated embedding runtime.

RAG (Retrieval-Augmented Generation)

PropertyTypeDefaultDescription
contexa.rag.enabledbooleantrueEnable the RAG pipeline wrapper.
contexa.rag.defaults.top-kint10Default retrieval size.
contexa.rag.defaults.similarity-thresholddouble0.7Default similarity threshold.
contexa.rag.etl.vector-table-nameStringvector_storeLogical vector table name for ETL output.

Autonomous Agent

PropertyTypeDefaultDescription
contexa.autonomous.enabledbooleantrueEnable autonomous security processing.
contexa.autonomous.event-timeoutlong30000Event processing timeout in milliseconds.

Infrastructure

PropertyTypeDefaultDescription
contexa.infrastructure.modeenumSTANDALONESTANDALONE (in-memory) or DISTRIBUTED (Redis + Kafka).
contexa.infrastructure.redis.enabledbooleantrueEnable Redis for distributed caching.
contexa.infrastructure.kafka.enabledbooleantrueEnable Kafka for event streaming.
contexa.infrastructure.observability.enabledbooleantrueEnable observability.
contexa.infrastructure.observability.open-telemetry-enabledbooleantrueEnable OpenTelemetry integration.
contexa.enterprise.enabledbooleanfalseEnable enterprise-only integrations when the runtime provides them.

SaaS Integration (Enterprise)

PropertyTypeDefaultDescription
contexa.saas.enabledbooleanfalseEnable SaaS integration with Contexa Cloud.
contexa.saas.endpointStringhttps://saas.ctxa.aiSaaS platform endpoint URL.
contexa.saas.include-reasoningbooleanfalseInclude reasoning payload in forwarded decisions.
contexa.saas.include-raw-analysis-databooleanfalseInclude raw analysis data in forwarded decisions.
contexa.saas.outbox-batch-sizeint50Outbox batch size for event forwarding.
contexa.saas.max-retry-attemptsint10Maximum retry attempts for failed event delivery.
contexa.saas.retry-initial-backoff-mslong1000Initial backoff delay for retry attempts.
contexa.saas.retry-max-backoff-mslong60000Maximum backoff delay for retry attempts.
contexa.saas.dispatch-interval-mslong30000Dispatch interval for SaaS forwarding jobs.
contexa.saas.pseudonymization-secretStringdefault-dev-secret-change-in-prodPseudonymization secret. Must be replaced in production.
contexa.saas.global-correlation-secretStringdefault-dev-correlation-secretCross-tenant correlation secret. Must be replaced in production.
contexa.saas.oauth2
.enabledbooleantrueEnable OAuth2 client credentials for SaaS forwarding.
.registration-idStringcontexa-saas-clientSpring Security OAuth2 registration ID.
.token-uriStringhttps://saas.ctxa.ai/oauth2/tokenSaaS token endpoint URL.
.client-idStringdev-clientOAuth2 client ID.
.client-secretStringdev-secretOAuth2 client secret.
.scopeString(11 default scopes)Comma-separated OAuth2 scope list. Must include scopes for every enabled forwarding feature.
.expiry-skew-secondsint30Token expiry skew in seconds.
contexa.saas.decision-feedback
.enabledbooleanfalseEnable decision feedback forwarding.
.endpoint-pathString/api/saas/runtime/ai-tuning/feedback-ingestionsDecision feedback ingestion path.
contexa.saas.baseline-signal
.enabledbooleanfalseEnable baseline signal sharing.
.endpoint-pathString/api/saas/runtime/ai-tuning/baseline-signalsBaseline signal publish path.
.seed-endpoint-pathString/api/saas/runtime/ai-tuning/baseline-seedBaseline seed pull path.
.publish-interval-mslong604800000Baseline publish interval (default 7 days).
.initial-delay-mslong300000Initial publish delay (default 5 min).
.seed-pull-interval-mslong3600000Seed pull interval (default 1 hour).
.seed-initial-delay-mslong120000Seed pull initial delay (default 2 min).
.seed-cache-ttl-minutesint180Seed cache TTL (default 3 hours).
.minimum-organization-baseline-countint3Minimum organization samples required.
.minimum-user-baseline-countint25Minimum user samples required.
.hour-bucket-limitint8Hour bucket cap per publish batch.
.day-bucket-limitint7Day bucket cap per publish batch.
.operating-system-limitint6OS fingerprint bucket cap.
.industry-categoryStringGENERALOrganization industry category tag.
contexa.saas.threat-intelligence
.enabledbooleanfalseEnable threat intelligence pull.
.endpoint-pathString/api/saas/runtime/ai-tuning/threat-signalsThreat signal pull path.
.pull-interval-mslong3600000Pull interval (default 1 hour).
.initial-delay-mslong0Initial pull delay.
.signal-limitint5Signal count limit per pull.
.prompt-limitint3Prompt injection sample limit.
.cache-ttl-minutesint90Local cache TTL.
contexa.saas.threat-outcome
.enabledbooleanfalseEnable threat outcome forwarding.
.endpoint-pathString/api/saas/runtime/ai-tuning/threat-outcomesThreat outcome ingestion path.
contexa.saas.threat-knowledge
.enabledbooleanfalseEnable threat knowledge pull.
.endpoint-pathString/api/saas/runtime/ai-tuning/threat-knowledge-packThreat knowledge pack pull path.
.runtime-policy-endpoint-pathString/api/saas/runtime/ai-tuning/threat-runtime-policyRuntime policy pull path.
.pull-interval-mslong3600000Pull interval.
.initial-delay-mslong0Initial pull delay.
.case-limitint12Case count limit per pull.
.prompt-limitint3Prompt injection sample limit.
.cache-ttl-minutesint90Local cache TTL.
contexa.saas.detection-strategy
.enabledbooleanfalseEnable detection strategy pull.
.endpoint-pathString/api/saas/runtime/ai-tuning/detection-strategy-packDetection strategy pack pull path.
.pull-interval-mslong3600000Pull interval.
.initial-delay-mslong0Initial pull delay.
.strategy-limitint12Strategy count limit per pull.
.prompt-limitint3Prompt injection sample limit.
.cache-ttl-minutesint90Local cache TTL.
contexa.saas.calibration-profile
.enabledbooleanfalseEnable calibration profile pull.
.endpoint-pathString/api/saas/runtime/ai-tuning/calibration-profile-packCalibration profile pack pull path.
.pull-interval-mslong3600000Pull interval.
.initial-delay-mslong0Initial pull delay.
.profile-limitint12Profile count limit per pull.
.cache-ttl-minutesint90Local cache TTL.
contexa.saas.performance-telemetry
.enabledbooleanfalseEnable performance telemetry forwarding.
.endpoint-pathString/api/saas/runtime/ai-tuning/performance-telemetryPerformance telemetry ingestion path.
.publish-interval-mslong3600000Publish interval.
.initial-delay-mslong60000Initial publish delay.
contexa.saas.prompt-context-audit
.enabledbooleanfalseEnable prompt context audit forwarding.
.endpoint-pathString/api/saas/runtime/prompt-context-auditsPrompt context audit ingestion path.

HCAD Engine (contexa.hcad prefix)

Advanced HCAD engine tuning surface bound by HcadProperties. Defaults suit most deployments; tune these only after reviewing operational baselines.

PropertyTypeDefaultDescription
contexa.hcad.enabledbooleantrueMaster toggle for the HCAD engine.
contexa.hcad.filter-orderint100Servlet filter order for HCAD interception.
contexa.hcad.threshold
.basedouble0.7Base anomaly threshold.
.mindouble0.3Lower clamp for adaptive adjustments.
.maxdouble0.95Upper clamp for adaptive adjustments.
.adjustment-ratedouble0.01Per-step threshold adjustment rate.
.sensitivitydouble1.0Sensitivity multiplier.
.warndouble0.7Warning-level threshold.
contexa.hcad.cache
.max-sizeint100000Maximum in-memory analysis cache entries.
.ttl-mslong300000Cache entry TTL (default 5 min).
.clear-on-startupbooleanfalseClear cache on startup.
.local.ttl-minutesint10Local tier TTL for per-node cache.
contexa.hcad.analysis
.max-age-mslong3600000Maximum allowed age for reusable analyses (default 1h).
contexa.hcad.baseline
.min-confidencedouble0.3Minimum confidence for baseline acceptance.
.update-alphadouble0.1Exponential smoothing alpha for baseline updates.
.learning.alphadouble0.1Online learning alpha.
.learning.enabledbooleantrueEnable baseline online learning.
.bootstrap.enabledbooleantrueEnable baseline bootstrap from initial samples.
.bootstrap.initial-samplesint10Initial sample count required for bootstrap.
.bootstrap.max-anomaly-scoredouble0.85Upper anomaly score accepted during bootstrap.
.statistical.enabledbooleantrueEnable statistical baseline branch.
.statistical.min-samplesint20Minimum samples for statistical baseline.
.statistical.update-intervalint10Samples between statistical updates.
.statistical.z-score-thresholddouble3.0Z-score anomaly threshold.
.redis.ttl-daysint30Redis-persisted baseline TTL.
contexa.hcad.feedback
.learning-ratedouble0.1Feedback-driven learning rate.
.retrain-thresholddouble0.7Accuracy threshold below which retrain is triggered.
.window-sizeint1000Sliding feedback window size.
.baseline.update-thresholddouble0.95Baseline update confidence threshold.
contexa.hcad.orchestrator
.enabledbooleantrueEnable the HCAD orchestrator.
.feedback-intervalint300Feedback aggregation interval (seconds).
.sync-batch-sizeint50Synchronization batch size.
.performance-trackingbooleantrueEnable performance tracking.
contexa.hcad.vector
.embedding-dimensionint384Vector embedding dimension.
.cache-ttl-hoursint24Vector cache TTL.
.max-cached-embeddingsint1000Maximum cached embeddings.
.similarity-thresholddouble0.85Vector similarity threshold.
.scenario-detection-enabledbooleantrueEnable scenario detection via vector similarity.
contexa.hcad.session
.cookie-nameStringJSESSIONIDSession cookie name used for correlation.
.header-nameStringX-Session-IdSession header name used for correlation.
contexa.hcad.signal
.chi-square-thresholddouble14.07Chi-square anomaly threshold.
.history-sizeint100Signal history buffer size.
.covariance.min-samplesint30Minimum samples for covariance.
.geoip.providerStringapiGeoIP provider identifier.
.geoip.api-urlStringhttps://ipapi.co/{ip}/json/GeoIP lookup URL template.
.timing.bucket-countint7Timing bucket count.
.timing.interval.history-sizeint100Timing interval history size.
contexa.hcad.sampling
.random.floordouble0.01Random sampling floor.
.random.ceilingdouble0.03Random sampling ceiling.
.composite.identifier.enabledbooleantrueEnable composite identifier sampling.
contexa.hcad.adaptive
.adjustment-ratedouble0.1Adaptive adjustment rate.
.cusum.thresholddouble5.0CUSUM drift detection threshold.
.cusum.slackdouble0.5CUSUM slack value.
.baseline.windowint100Adaptive baseline window size.
.min.trust.scoredouble0.7Minimum trust score floor.
contexa.hcad.resource
.sensitive-patternsList<String>[]URL patterns classified as sensitive resources; populated by the application.
contexa.hcad.similarity
.hot-path-thresholddouble0.7Hot-path similarity threshold for HCAD fast-path decisions.
contexa.hcad.redis
.key-prefixStringhcad:baseline:v2:Redis key prefix for HCAD baseline data.
contexa.hcad.geoip
.enabledbooleanfalseEnable local GeoIP lookups.
.db-pathStringdata/GeoLite2-City.mmdbPath to the MaxMind GeoLite2 database.
contexa.hcad.pre-trigger
.enabledbooleantrueEnable the pre-trigger fast-path.
.cooldown-secondsint15Pre-trigger cooldown window (seconds).
.in-flight-ttl-secondsint15In-flight request TTL.
.negative-cache-secondsint3Negative-cache retention.
.redline-scoreint70Redline (block) risk score.
.high-risk-scoreint50High-risk score threshold.
.medium-risk-scoreint30Medium-risk score threshold.
.low-baseline-confidence-thresholddouble0.35Low baseline confidence trigger threshold.
.failed-login-burst-thresholdint3Failed-login burst count.
.request-burst-thresholdint12Rapid request burst count.
.rapid-request-interval-mslong1000Rapid request interval window (ms).
.sensitive-path-indicatorsList<String>[/admin/, /export, /download, /sensitive/, /critical/]URL path fragments that raise sensitivity.

LLM Bindings (contexa.llm.bindings)

Named chat and embedding provider bindings. Used together with contexa.llm.selection.* to resolve which provider is active for a given request.

PropertyTypeDefaultDescription
contexa.llm.bindings.chat.<name>
.bean-nameString""Target Spring bean name for this chat binding.
.providerString""Provider identifier (e.g., ollama, anthropic, openai).
.model-idString""Logical model identifier exposed to Contexa.
.aliasesList<String>[]Additional names that resolve to the same binding.
.enabledbooleantrueEnable this binding.
.primarybooleanfalseMark this binding as the Spring @Primary chat model.
contexa.llm.bindings.embedding.<name>
.bean-nameString""Target Spring bean name for this embedding binding.
.providerString""Embedding provider identifier.
.model-idString""Logical embedding model identifier.
.aliasesList<String>[]Additional names.
.enabledbooleantrueEnable this binding.
.primarybooleanfalseMark as @Primary embedding model.

Advisor Chain (contexa.advisor)

PropertyTypeDefaultDescription
contexa.advisor.chain-profileStringSTANDARDAdvisor chain profile name.
contexa.advisor.security.enabledbooleantrueEnable security advisor registration.
contexa.advisor.security.orderint50Security advisor order in the chain.
contexa.advisor.security.require-authenticationbooleanfalseRequire authenticated principal for security advisor.
contexa.advisor.soar.approval.enabledbooleantrueEnable SOAR approval advisor.
contexa.advisor.soar.approval.orderint100SOAR approval advisor order.
contexa.advisor.soar.approval.timeoutint300SOAR approval timeout (seconds).

Streaming (contexa.streaming)

PropertyTypeDefaultDescription
contexa.streaming.final-response-markerString(protocol constant)Marker indicating the final streaming response chunk.
contexa.streaming.streaming-markerString(protocol constant)Marker indicating streaming mode.
contexa.streaming.json-start-markerString(protocol constant)Marker for JSON block start.
contexa.streaming.json-end-markerString(protocol constant)Marker for JSON block end.
contexa.streaming.timeoutDuration5mTotal streaming timeout.
contexa.streaming.max-retriesint3Maximum retries for streaming failures.
contexa.streaming.retry-delayDuration1sInitial retry delay.
contexa.streaming.retry-multiplierdouble1.5Exponential backoff multiplier.
contexa.streaming.marker-buffer-sizeint100Buffer size for marker detection.
contexa.streaming.sentence-buffering-enabledbooleantrueBuffer partial sentences before emitting.

OpenTelemetry (contexa.opentelemetry)

PropertyTypeDefaultDescription
contexa.opentelemetry.enabledbooleantrueEnable OpenTelemetry exporter.
contexa.opentelemetry.service-nameStringcontexa-coreOTel service name.
contexa.opentelemetry.exporter-endpointStringhttp://localhost:4317OTLP gRPC endpoint.
contexa.opentelemetry.sampling-probabilitydouble1.0Trace sampling probability (0.0–1.0).

Cache (contexa.cache)

PropertyTypeDefaultDescription
contexa.cache.typeenumREDISCache backend type: LOCAL, REDIS, HYBRID.
contexa.cache.local.max-sizeint1000Local cache max entries.
contexa.cache.local.default-ttl-secondsint60Local cache default TTL.
contexa.cache.redis.default-ttl-secondsint300Redis cache default TTL.
contexa.cache.redis.key-prefixStringcontexa:cache:Redis key prefix.
contexa.cache.pubsub.enabledbooleantrueEnable pub/sub cache invalidation.
contexa.cache.pubsub.channelStringcontexa:cache:invalidationPub/sub channel for invalidation events.
contexa.cache.domains.<domain> — domains: users, roles, permissions, groups, policies, soar, hcad
.local-ttl-secondsintvariesPer-domain local TTL (users/roles/groups 3600–14400, permissions 28800, policies 30, soar 900, hcad 86400).
.redis-ttl-secondsintvariesPer-domain Redis TTL (matching local defaults except policies=300).

Bridge (contexa.bridge)

PropertyTypeDefaultDescription
contexa.bridge.enabledbooleantrueEnable the SecurityContext bridge.
contexa.bridge.populate-security-contextbooleantruePopulate Contexa SecurityContext from Spring Security.
contexa.bridge.authentication.prefer-security-contextbooleantruePrefer SecurityContext over token claims during authentication mapping.
contexa.bridge.authentication.security-context.enabledbooleantrueEnable authentication bridge toward SecurityContext.
contexa.bridge.authentication.security-context.display-name-keysList<String>[displayName, name, fullName, userName, username, preferred_username]Claim keys resolved into display name.
contexa.bridge.authentication.security-context.principal-type-keysList<String>[principalType, userType, actorType, token_use]Claim keys resolved into principal type.
contexa.bridge.authentication.security-context.authentication-type-keysList<String>[authenticationType, authMethod, loginMethod, method, factorType]Claim keys for authentication type.
contexa.bridge.authentication.security-context.authentication-assurance-keysList<String>[authenticationAssurance, authLevel, loa, acr]Claim keys for assurance level.
contexa.bridge.authentication.security-context.mfa-keysList<String>[mfa, mfaVerified, mfaCompleted, secondFactorVerified, amr]Claim keys for MFA flags.
contexa.bridge.authentication.security-context.auth-time-keysList<String>[authenticationTime, authenticatedAt, loginTime, issuedAt, auth_time, iat]Claim keys for authentication time.
contexa.bridge.authorization.security-context.enabledbooleantrueEnable authorization bridge.
contexa.bridge.authorization.security-context.authorization-effect-keysList<String>[authorizationEffect, effect, decision, decisionEffect]Claim keys for authorization effect.
contexa.bridge.authorization.security-context.privileged-keysList<String>[privileged, isPrivileged, privilegedFlow]Claim keys for privileged flag.
contexa.bridge.authorization.security-context.policy-id-keysList<String>[policyId, policy, decisionPolicy]Claim keys for policy ID.
contexa.bridge.authorization.security-context.policy-version-keysList<String>[policyVersion, version]Claim keys for policy version.
contexa.bridge.authorization.security-context.scope-tag-keysList<String>[scopeTags, scopes, scope, permissionScopes, scp]Claim keys for scope tags.
contexa.bridge.authorization.security-context.role-keysList<String>[effectiveRoles, roles, roleSet, groups]Claim keys for roles.
contexa.bridge.authorization.security-context.authority-keysList<String>[effectiveAuthorities, authorities, permissions, grantedAuthorities, scope, scp]Claim keys for authorities.
contexa.bridge.authorization.session.enabledbooleantruePersist authorization context in session.
contexa.bridge.delegation.session.enabledbooleantruePersist delegation context in session.
contexa.bridge.session.enabledbooleantrueEnable session-backed bridge storage.
contexa.bridge.sync.enabledbooleantrueEnable user synchronization.
contexa.bridge.sync.min-refresh-interval-secondslong60Minimum interval between user refreshes.
contexa.bridge.sync.synthetic-email-domainStringshadow.contexa.localSynthetic email domain for shadow users.

Tiered LLM Strategy (contexa.security.tiered)

Detailed layer 1 (fast) and layer 2 (expert) runtime tuning exposed through TieredStrategyProperties.

PropertyTypeDefaultDescription
contexa.security.tiered.layer1
.vector-search-limitint3Layer 1 vector search result count.
.default-budget-profileStringCORTEX_L1_INTERACTIVE_STRICTDefault prompt budget profile for layer 1.
.rag.similarity-thresholddouble0.5Layer 1 RAG similarity threshold.
.session.max-recent-actionsint100Recent action window for layer 1.
.cache.max-sizeint1000Layer 1 cache size.
.cache.ttl-minutesint30Layer 1 cache TTL.
.timeout.total-mslong5000Layer 1 total timeout.
.timeout.llm-mslong3200Layer 1 LLM call timeout.
.timeout.rag-mslong900Layer 1 RAG call timeout.
.prompt.max-similar-eventsint2Max similar events embedded in layer 1 prompt.
.prompt.max-rag-documentsint3Max RAG documents embedded in layer 1 prompt.
.prompt.include-event-idbooleanfalseInclude raw event IDs.
.prompt.include-raw-timestampbooleanfalseInclude raw timestamps.
.prompt.include-raw-session-idbooleanfalseInclude raw session IDs.
.prompt.include-full-user-agentbooleanfalseInclude full user-agent strings.
contexa.security.tiered.layer2
.timeout-mslong7000Layer 2 total timeout.
.enable-soarbooleanfalseEnable SOAR escalation from layer 2.
.rag-top-kint5Layer 2 RAG top-k.
.default-budget-profileStringCORTEX_L2_EXPERT_STRICTDefault prompt budget profile for layer 2.
.rag.similarity-thresholddouble0.5Layer 2 RAG similarity threshold.
.cache.max-sizeint1000Layer 2 cache size.
.cache.ttl-minutesint30Layer 2 cache TTL.
contexa.security.tiered.truncation
.layer1.user-agentint150Layer 1 user-agent truncation length.
.layer1.payloadint200Layer 1 payload truncation length.
.layer1.rag-documentint180Layer 1 RAG document truncation length.
.layer2.user-agentint150Layer 2 user-agent truncation length.
.layer2.payloadint1000Layer 2 payload truncation length.
.layer2.rag-documentint500Layer 2 RAG document truncation length.
contexa.security.tiered.vector-cache
.max-sizeint10000Vector cache size.
.expire-minutesint5Vector cache expiration.
.enabledbooleantrueEnable vector cache.
.record-statsbooleantrueRecord cache statistics.
contexa.security.tiered.security
.trusted-proxiesList<String>[]Trusted reverse proxy CIDRs.
.trusted-proxy-validation-enabledbooleantrueEnable trusted proxy validation.
contexa.security.tiered.prompt-compression / .prompt-runtime
.prompt-compression.enabledbooleantrueEnable prompt compression.
.prompt-runtime.native-structured-output-enabledbooleantrueEnable native structured output.
.prompt-runtime.native-structured-output-disabled-profilesList<String>[]Profiles that disable native structured output.
.prompt-runtime.telemetry-enabledbooleantrueEnable prompt runtime telemetry.

Spring AI Task Mapping (contexa.security.mapping)

PropertyTypeDefaultDescription
contexa.security.mapping.task-to-tierMap<String, Integer>{}Override tier assignment per task type.
contexa.security.mapping.task-to-analysis-levelMap<String, String>{}Override analysis level per task type.
contexa.security.mapping.task-configsMap<String, Object>{}Per-task configuration overrides.
contexa.security.mapping.defaults.tier1-tasksString[][THREAT_FILTERING, QUICK_DETECTION]Default tier 1 task list.
contexa.security.mapping.defaults.tier2-tasksString[][CONTEXTUAL_ANALYSIS, BEHAVIOR_ANALYSIS, CORRELATION]Default tier 2 task list.
contexa.security.mapping.defaults.tier3-tasksString[][EXPERT_INVESTIGATION, INCIDENT_RESPONSE, FORENSIC_ANALYSIS, SOAR_AUTOMATION, APPROVAL_WORKFLOW]Default tier 3 task list.
contexa.security.mapping.defaults.default-tierInteger2Fallback tier.
contexa.security.mapping.defaults.default-analysis-levelStringNORMALFallback analysis level.

Security Event / Router / Redis / Kafka / Session / Pipeline / Plane / ColdPath / StepUp

Additional runtime-level tuning surfaces. Defaults are production-ready; override only when instructed.

PropertyTypeDefaultDescription
contexa.security.coldpath (SecurityColdPathProperties)
.confidence.layer1-basedouble0.5Base confidence used by layer 1 cold path.
.confidence.layer2-basedouble0.7Base confidence used by layer 2 cold path.
contexa.security.event (SecurityEventProperties)
.publishing.enabledbooleantruePublish security events.
.publishing.exclude-urisString/actuator,/health,/metricsURIs excluded from publishing.
.publishing.anonymous.enabledbooleantruePublish anonymous events.
.executor.core-pool-sizeintcores×2Publisher executor core size.
.executor.max-pool-sizeintcores×4Publisher executor max size.
.executor.queue-capacityint10000Publisher queue capacity.
.tier.critical.max-latency-msint100Critical tier latency budget.
.tier.contextual.max-latency-msint1000Contextual tier latency budget.
.tier.general.max-latency-msint10000General tier latency budget.
.tier.general.sampling-ratedouble0.1General tier sampling rate.
.deduplication.enabledbooleantrueEnable event deduplication.
.deduplication.window-minutesint5Deduplication window.
.deduplication.cache-sizeint10000Deduplication cache size.
contexa.security.router (SecurityRouterProperties)
.threshold.soardouble0.9SOAR escalation threshold.
.threshold.blockdouble0.8Block action threshold.
.threshold.analysis-confidencedouble0.6Analysis confidence threshold.
.threshold.pass-throughdouble0.6Pass-through threshold.
contexa.security.session (SecuritySessionProperties)
.create.allowedbooleantrueAllow session creation.
.header.nameStringX-Auth-TokenSession token header.
.bearer.enabledbooleantrueAccept bearer tokens.
.hijack.channelStringsecurity:session:hijack:eventSession hijack event channel.
.hijack.detection.enabledbooleantrueEnable session hijack detection.
.cookie.nameStringSESSIONSession cookie name.
.threat.ip-change-riskdouble0.4Risk score for IP change.
.threat.ua-change-riskdouble0.3Risk score for UA change.
.threat.rapid-access-threshold-msint100Rapid access threshold.
.threat.rapid-access-riskdouble0.2Rapid access risk score.
.threat.thresholds.monitoringdouble0.5Monitoring threshold.
.threat.thresholds.grace-perioddouble0.7Grace period threshold.
.threat.thresholds.invalidationdouble0.9Invalidation threshold.
security.redis (SecurityRedisProperties)
.channel.authorizationStringsecurity:authorization:eventsAuthorization event channel.
.channel.authenticationStringsecurity:eventsAuthentication event channel.
.channel.incidentStringsecurity:incidentsIncident event channel.
.channel.threatStringsecurity:threatsThreat event channel.
.channel.auditStringsecurity:audit:eventsAudit event channel.
.channel.generalStringsecurity:eventsGeneral event channel.
.stream.authorization / .incident / .threat / .audit / .general / .authenticationStringsecurity:stream:*Redis Streams names by domain.
.stream.maxlenint10000Redis Stream max length.
.ttl.minutesint60Security Redis key TTL.
.memory.max-mbint1024Security Redis memory budget.
.memory.warning-thresholddouble0.8Memory warning threshold.
.memory.critical-thresholddouble0.9Memory critical threshold.
security.kafka (SecurityKafkaProperties)
.topic.authorizationStringsecurity-authorization-eventsAuthorization topic.
.topic.authenticationStringauth-eventsAuthentication topic.
.topic.incidentStringsecurity-incident-eventsIncident topic.
.topic.threatStringthreat-indicatorsThreat topic.
.topic.auditStringsecurity-audit-eventsAudit topic.
.topic.generalStringsecurity-eventsGeneral topic.
.topic.dlqStringsecurity-events-dlqDLQ topic.
.topic.soar-actionStringsoar-action-eventsSOAR action topic.
.dlq.max-retriesint3DLQ max retries.
.dlq.retry-delay-msint5000DLQ retry delay.
.dlq.alert-thresholdint10DLQ alert threshold.
contexa.security.pipeline (SecurityPipelineProperties)
.kafka.topicStringsecurity-eventsDefault pipeline Kafka topic.
contexa.security.plane (SecurityPlaneProperties)
.agent.nameStringSecurityPlaneAgent-1Plane agent identifier.
.agent.auto-startbooleantrueAuto-start the plane agent.
.agent.organization-idStringdefault-orgAgent organization ID.
.agent.execution-modeStringASYNCAgent execution mode.
.agent.auto-approve-low-riskbooleanfalseAuto-approve low-risk actions.
.agent.event-timeout-mslong30000Agent event processing timeout.
.agent.max-deferred-retriesint3Max deferred retries.
.kafka.bootstrap-serversStringlocalhost:9092Kafka bootstrap servers.
.kafka.group-idStringsecurity-plane-consumerKafka consumer group.
.kafka.topics.security-events / .threat-indicators / .network-events / .auth-eventsString(various)Plane Kafka topic names.
.monitor.queue-sizeint10000Monitor queue size.
.monitor.batch-sizeint8Monitor batch size.
.monitor.flush-interval-mslong500Monitor flush interval.
.monitor.correlation-window-minutesint10Monitor correlation window.
.monitor.dedup-window-minutesint5Monitor dedup window.
.notifier.batch-sizeint10Notifier batch size.
.notifier.async-enabledbooleantrueNotifier async mode.
.notifier.critical-thresholddouble0.8Notifier critical threshold.
.redis.batch-sizeint50Plane Redis batch size.
.redis.cache.ttl-minutesint60Plane Redis cache TTL.
.redis.channel.security-eventsStringsecurity:eventsPlane Redis security event channel.
.redis.channel.threat-alertsStringsecurity:threatsPlane Redis threat alert channel.
.llm-executor.core-pool-sizeint2LLM executor core size.
.llm-executor.max-pool-sizeint2LLM executor max size.
.llm-executor.queue-capacityint50LLM executor queue capacity.
.deduplication.enabledbooleantrueEnable plane deduplication.
.deduplication.window-minutesint5Deduplication window.
.deduplication.cache-sizeint10000Deduplication cache size.
contexa.security.stepup (SecurityStepUpProperties)
.max-attemptsint3Max step-up attempts.
.lockout-durationint300Lockout duration (seconds).
contexa.iam.admin / contexa.policy
contexa.iam.admin.rest-docs-pathString/docs/index.htmlIAM admin REST docs path.
contexa.policy.combining-algorithmenumFIRST_APPLICABLEXACML policy combining algorithm.