Environment variables
The Flowstate Agent reads its configuration from environment variables on every platform. The same names work whether they're set via shell env, /etc/flowstate.env (macOS / Linux), or the Windows registry under HKLM\SOFTWARE\Flowstate\Agent — the agent normalises them all.
Precedence (highest wins):
- Local env var — FLOWSTATE_LOG_LEVEL=debug set inline for a one-off flowstate proxy run invocation while debugging.
- Per-platform managed config — /etc/flowstate.env (macOS / Linux), Windows registry. This is where flowstate install writes the values it received from the install flags / MDM.
- Built-in defaults.
flowstate install writes /etc/flowstate.env (or the Windows registry) based on the --key, --user, and --host flags you pass. You typically don't need to set any of these by hand — the installer does it for you.
Required
| Variable | Description |
|---|---|
| FLOWSTATE_OTLP_KEY | The org-scope composite key the agent presents to the cloud proxy. Issue at Settings → AI → Cloud Proxy. Set by flowstate install --key=. The agent refuses to start without one. |
| FLOWSTATE_USER | The email of the device's user. Used as the Basic-Auth userid against the cloud proxy and as the attribution key in Flowstate. Set by flowstate install --user=. |
Cloud proxy
| Variable | Type | Default | Description |
|---|---|---|---|
| FLOWSTATE_MODE | enum | cloud-proxy | The forwarding mode. Today the only supported value is cloud-proxy, in which the agent forwards captured exchanges to FLOWSTATE_CLOUD_PROXY over HTTPS with FLOWSTATE_OTLP_KEY as Basic-Auth credentials. Reserved for future modes (direct-OTLP, on-prem collector). |
| FLOWSTATE_CLOUD_PROXY | URL | https://ai.flowstate.inc | The cloud proxy origin. Override for a regional EU endpoint, staging, or an on-prem mirror. Must be HTTPS. Set the value to the empty string (FLOWSTATE_CLOUD_PROXY=) to disable cloud-proxy forwarding entirely — only useful in development. |
Networking
| Variable | Type | Default | Description |
|---|---|---|---|
| FLOWSTATE_UPSTREAM_PROXY | URL | unset | Corporate proxy for the agent's own outbound traffic (the connection to the cloud proxy, update downloads). Format: http://user:pass@proxy.example.com:8080. See corporate proxies. |
| FLOWSTATE_PROXY_PORT | int | 47813 | Local TCP port the agent's PAC daemon listens on for AI traffic. Change only if you have a conflict. |
| FLOWSTATE_PROXY_BIND | string | 127.0.0.1 | Bind address. Loopback by default; do not change unless you know exactly what you're doing. |
Enforcement
| Variable | Type | Default | Description |
|---|---|---|---|
| FLOWSTATE_ENFORCEMENT_MODE | enum | observe | observe (default — capture-only) or enforce (apply AI policy at request time). See enforcement. The same setting lives in Settings → AI → Agent Policy → Enforcement. |
Diagnostics
| Variable | Type | Default | Description |
|---|---|---|---|
| FLOWSTATE_LOG_LEVEL | enum | info | One of debug, info, warn, error. |
| FLOWSTATE_LOG_PATH | path | OS-specific | Override the log file location. macOS: /var/log/flowstate.proxy.log. Linux: stdout (journald). Windows: C:\ProgramData\Flowstate\logs\agent.log. |
| FLOWSTATE_SENTRY_DSN | URL | unset | Optional Sentry DSN for agent-side error reporting. When set, errors and panics flow to your Sentry project with on-device redaction (no AI traffic, no credentials). |
Per-platform notes
macOS — flowstate install writes /etc/flowstate.env (mode 0600, root:wheel). The launchd plist at /Library/LaunchDaemons/inc.flowstate.agent.proxy.plist references it via EnvironmentVariables. To override a single variable on one machine without changing MDM state, edit /etc/flowstate.env and run sudo launchctl kickstart -k system/inc.flowstate.agent.proxy.
Linux — Same /etc/flowstate.env file, loaded by systemd via EnvironmentFile=. Standard KEY=value syntax, no quotes needed for simple strings. Reload with sudo systemctl restart flowstate-agent.
Windows — Values live under HKLM\SOFTWARE\Flowstate\Agent. The MSI and flowstate install write them; Settings Catalog / GPO can overwrite them. Names are identical to the env-var names on the other platforms (no CamelCasing). The service reads (in order): machine env → registry → defaults. Boolean values are REG_DWORD 1/0; everything else is REG_SZ.
Deprecated / removed
These were present in earlier builds and have been removed. The agent ignores them if it sees them — no error, no warning. Most have a direct replacement in the table above.
| Variable | Status | Replacement |
|---|---|---|
| FLOWSTATE_TELEMETRY_KEY | replaced | Use FLOWSTATE_OTLP_KEY (the org-scope composite key — see telemetry keys). |
| FLOWSTATE_OTLP_ENDPOINT | replaced | Use FLOWSTATE_CLOUD_PROXY. The cloud proxy fronts the OTLP collector; nothing customer-facing talks to otel.flowstate.inc directly. |
| FLOWSTATE_CLOUD_PROXY_EMAIL | replaced | Use FLOWSTATE_USER. The old name still works as a fallback in the v1.12 line for back-compat; new MDM payloads should use FLOWSTATE_USER. |
| FLOWSTATE_CLOUD_PROXY_KEY | replaced | The composite key supplies both tenant routing and authentication, so a separate KEY value is no longer needed. Set FLOWSTATE_OTLP_KEY instead. |
| FLOWSTATE_CAPTURE_PROMPTS | removed | Prompt capture is per-tool and configured by flowstate install's per-tool config writer. Pass --prompts at install time to opt in. |
| FLOWSTATE_UPDATE_* | removed | Auto-updates are coming via Sparkle once FlowstateAgent.app is notarised; in the meantime, re-run flowstate install to upgrade. See auto-updates. |
| FLOWSTATE_REDACT_BODIES | removed | Not a posture under the current design. |
| FLOWSTATE_REDACT_HEADERS | removed | Headers are always forwarded — they're how the cloud proxy attributes calls to users. |
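
Because the agent ignores removed names without an error or warning, a stale MDM payload can leave a device misconfigured without anyone noticing. The following is an added example, not part of the Flowstate tooling: it lints the text of an /etc/flowstate.env file against the tables on this page. The helper names parse_env, is_loopback and lint and the sample values are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Names and allowed values are copied from the tables on this page.
REQUIRED = ("FLOWSTATE_OTLP_KEY", "FLOWSTATE_USER")
ENUMS = {"FLOWSTATE_MODE": {"cloud-proxy"},
         "FLOWSTATE_ENFORCEMENT_MODE": {"observe", "enforce"},
         "FLOWSTATE_LOG_LEVEL": {"debug", "info", "warn", "error"}}
REPLACED = {"FLOWSTATE_TELEMETRY_KEY": "FLOWSTATE_OTLP_KEY",
            "FLOWSTATE_OTLP_ENDPOINT": "FLOWSTATE_CLOUD_PROXY",
            "FLOWSTATE_CLOUD_PROXY_EMAIL": "FLOWSTATE_USER",
            "FLOWSTATE_CLOUD_PROXY_KEY": "FLOWSTATE_OTLP_KEY"}
REMOVED = ("FLOWSTATE_CAPTURE_PROMPTS", "FLOWSTATE_REDACT_BODIES",
           "FLOWSTATE_REDACT_HEADERS", "FLOWSTATE_UPDATE_")  # matched as prefixes

def parse_env(text):  # simple KEY=value lines; blanks and # comments are skipped
    pairs = (l.strip().partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith("#")}

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostnames are treated as non-loopback
        return False

def lint(env):  # returns a list of findings for a parsed flowstate.env mapping
    out = [f"{k}: required but missing or empty" for k in REQUIRED if not env.get(k)]
    for key, value in env.items():
        if key in REPLACED:
            out.append(f"{key}: replaced, use {REPLACED[key]}")
        elif key.startswith(REMOVED):
            out.append(f"{key}: removed, has no effect")
        elif key in ENUMS and value not in ENUMS[key]:
            out.append(f"{key}: unsupported value {value!r}")
    proxy = env.get("FLOWSTATE_CLOUD_PROXY")
    if proxy and urlsplit(proxy).scheme != "https":
        out.append("FLOWSTATE_CLOUD_PROXY: must be HTTPS")
    elif proxy == "":
        out.append("FLOWSTATE_CLOUD_PROXY: empty, forwarding disabled")
    if not is_loopback(env.get("FLOWSTATE_PROXY_BIND", "127.0.0.1")):
        out.append("FLOWSTATE_PROXY_BIND: not a loopback address")
    return out

SAMPLE = """\
FLOWSTATE_USER=alex@example.com
FLOWSTATE_TELEMETRY_KEY=constructed-placeholder
FLOWSTATE_CLOUD_PROXY=http://proxy.example.com
FLOWSTATE_PROXY_BIND=0.0.0.0
"""  # constructed sample input, not from a real deployment
```

Running lint(parse_env(SAMPLE)) reports the missing FLOWSTATE_OTLP_KEY, the replaced FLOWSTATE_TELEMETRY_KEY, the non-HTTPS cloud proxy and the non-loopback bind address.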