@suluk/platform - v0.6.0
    Preparing search index...

    Interface EnvVar

    An env var a module (or the app's provisioning) needs — drives the generated env.ts, .env.example, .env.temp, the env-check preflight, and the provision/sync-secrets scripts.

    interface EnvVar {
        name: string;
        required?: boolean;
        secret?: boolean;
        hint?: string;
        surface?: "local" | "cloudflare";
        provisioning?: boolean;
        minted?: boolean;
        generated?: boolean;
    }
    Index

    Properties

    name: string
    required?: boolean

    the app WON'T work without it (the "minimum keys") — the env-check requires a non-empty value before it's happy.

    secret?: boolean

    a credential (encrypted at rest in the committed .env, or — if provisioning — staged plaintext in .env.temp).

    hint?: string

    a one-line hint shown as a comment.

    surface?: "local" | "cloudflare"

    Where the value is USED. "cloudflare" = a Worker RUNTIME secret (pushed by sync-secrets / decrypted by loadEnv); "local" = used only by provisioning/deploy on this machine, NEVER shipped to the Worker. Defaults: a secret → the Worker runtime ("cloudflare"); a provisioning/minted cred → "local".

    provisioning?: boolean

    An EPHEMERAL provisioning credential (e.g. the Cloudflare API master token): supplied PLAINTEXT in .env.temp, used to provision infra + mint scoped tokens, then DELETED after provisioning — never committed (not even encrypted). Implies surface: "local".

    minted?: boolean

    a scoped least-privilege token MINTED during provisioning (from the master), then kept ENCRYPTED in .env. surface: "local".

    generated?: boolean

    a random secret the provisioning flow AUTO-GENERATES (e.g. BETTER_AUTH_SECRET ← 32 random bytes) if not already set — so the operator never supplies it in .env.temp; it still lands ENCRYPTED in the committed .env.