Optional required: the app WON'T work without it (the "minimum keys") — the env-check requires a non-empty value before it's happy.
Optional secret: a credential (encrypted at rest in the committed .env, or — if provisioning — staged plaintext in .env.temp).
Optional hint: a one-line hint shown as a comment.
Optional surface: Where the value is USED. "cloudflare" = a Worker RUNTIME secret (pushed by sync-secrets / decrypted by loadEnv);
"local" = used only by provisioning/deploy on this machine, NEVER shipped to the Worker. Defaults: a secret → the
Worker runtime ("cloudflare"); a provisioning/minted cred → "local".
Optional provisioning: An EPHEMERAL provisioning credential (e.g. the Cloudflare API master token): supplied PLAINTEXT in .env.temp, used to
provision infra + mint scoped tokens, then DELETED after provisioning — never committed (not even encrypted). Implies
surface: "local".
Optional minted: a scoped least-privilege token MINTED during provisioning (from the master), then kept ENCRYPTED in .env. surface: "local".
Optional generated: a random secret the provisioning flow AUTO-GENERATES (e.g. BETTER_AUTH_SECRET ← 32 random bytes) if not already set —
so the operator never supplies it in .env.temp; it still lands ENCRYPTED in the committed .env.
An env var a module (or the app's provisioning) needs — drives the generated
env.ts, .env.example, .env.temp, the env-check preflight, and the provision/sync-secrets scripts.
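
The flag semantics above, worked through as an added TypeScript example (not the project's own code): it resolves the default surface, reports where each value ends up after provisioning, and flags combinations that contradict the documented lifecycle. The type name EnvVarSpec, the `name` field, the three function names and all variable names except BETTER_AUTH_SECRET are assumptions made for this sketch.

```typescript
// Added sketch: field names are from the doc above; EnvVarSpec, `name`,
// resolveSurface, placement and lint are hypothetical names, not the project's API.
type Surface = "cloudflare" | "local";
interface EnvVarSpec {
  name: string; // assumed field; the page does not show how a var is named
  required?: boolean; secret?: boolean; hint?: string; surface?: Surface;
  provisioning?: boolean; minted?: boolean; generated?: boolean;
}

// Documented defaults: provisioning/minted creds are "local"; a secret is "cloudflare".
function resolveSurface(s: EnvVarSpec): Surface | undefined {
  if (s.provisioning || s.minted) return "local";
  return s.surface ?? (s.secret ? "cloudflare" : undefined);
}

// Where a value ends up once provisioning has finished.
function placement(s: EnvVarSpec) {
  const ephemeral = !!s.provisioning; // deleted afterwards, never committed
  return {
    surface: resolveSurface(s),
    committedEncrypted: !ephemeral && !!(s.secret || s.minted || s.generated),
    shippedToWorker: resolveSurface(s) === "cloudflare",
  };
}

// Flag combinations that contradict the documented lifecycle.
function lint(s: EnvVarSpec): string[] {
  const problems: string[] = [];
  if ((s.provisioning || s.minted) && s.surface === "cloudflare")
    problems.push(`${s.name}: provisioning/minted creds are local, not Worker secrets`);
  if (s.provisioning && (s.minted || s.generated))
    problems.push(`${s.name}: ephemeral cred cannot also be kept encrypted in .env`);
  return problems;
}

// Constructed sample specs (BETTER_AUTH_SECRET is the page's example; other names are made up).
const specs: EnvVarSpec[] = [
  { name: "CF_MASTER_TOKEN", required: true, secret: true, provisioning: true },
  { name: "CF_SCOPED_TOKEN", secret: true, minted: true },
  { name: "BETTER_AUTH_SECRET", required: true, secret: true, generated: true },
  { name: "BAD_EXAMPLE", secret: true, provisioning: true, surface: "cloudflare" },
];
for (const s of specs) console.log(s.name, placement(s), lint(s));
```

Running a check like `lint` in the env-check preflight would catch a spec that marks the master token as a Worker secret before sync-secrets ever runs.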