Environment variables
There are two workers, each with its own environment. The app worker holds Supabase/Electric credentials; the agents worker holds stream and LLM credentials.
App worker (packages/www)
.env (committed)
Public values baked into the build. Not secrets.
| Variable | Description |
|---|---|
| PUBLIC_SUPABASE_URL | Supabase API URL |
| PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY | Supabase publishable key |
| PUBLIC_ELECTRIC_URL | Electric SQL shape API base URL |
| PUBLIC_DURABLE_STREAMS_URL | Electric durable streams endpoint |
| PUBLIC_POSTHOG_KEY | PostHog project API key (client-side analytics) |
| PUBLIC_POSTHOG_HOST | PostHog ingest endpoint (https://eu.i.posthog.com) |
.env.local (gitignored)
Secrets. Copy from .env.example and fill in values.
| Variable | Description | Where to find it |
|---|---|---|
| SUPABASE_JWT_SECRET | JWT signing key for bot auth tokens | Supabase dashboard → Settings → API → JWT Secret |
| DURABLE_STREAMS_SECRET | JWT for durable stream requests | Electric SQL dashboard |
| ELECTRIC_SOURCE_ID | Electric SQL source identifier | Electric SQL dashboard |
| ELECTRIC_SOURCE_SECRET | JWT for Electric shape requests | Electric SQL dashboard |
SvelteKit conventions: PUBLIC_* vars are exposed to the browser via $env/static/public. All other vars are server-only ($env/static/private). SvelteKit loads .env first, then .env.local overrides.
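A pre-commit or CI check for the split described above, added here as an example and not part of the project's own code: it flags any server-only variable defined in the committed `.env`, and any listed secret that has been given a `PUBLIC_` prefix. The function names and the `SECRET_NAMES` list are assumptions built from the tables on this page.

```shell
#!/bin/sh
# Added example: audit a committed dotenv file for values that must stay server-side.
# Usage (assumed layout from this page): sh audit-env.sh packages/www/.env

# Secret names taken from this page's tables. The publishable key is left out
# because its value is already public in the app's committed .env.
SECRET_NAMES="SUPABASE_JWT_SECRET DURABLE_STREAMS_SECRET ELECTRIC_SOURCE_ID ELECTRIC_SOURCE_SECRET ANTHROPIC_API_KEY"

# list_env_keys FILE: print the name of every variable the file defines.
# Comment lines and blank lines do not match; a leading "export " is tolerated.
list_env_keys() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1"
}

# audit_committed_env FILE: print one offending name per line.
# Returns 0 when clean, 1 on findings, 2 when the file cannot be read.
audit_committed_env() {
  if [ ! -r "$1" ]; then
    echo "cannot read $1" >&2
    return 2
  fi
  _findings=""
  for _key in $(list_env_keys "$1"); do
    case "$_key" in
      PUBLIC_*)
        # PUBLIC_ vars reach the browser, so a secret's name behind that
        # prefix means the secret would be baked into the client build.
        for _s in $SECRET_NAMES; do
          if [ "${_key#PUBLIC_}" = "$_s" ]; then _findings="$_findings $_key"; fi
        done ;;
      *)
        # Server-only variable in a committed file: it belongs in
        # .env.local, .dev.vars, or `wrangler secret put`.
        _findings="$_findings $_key" ;;
    esac
  done
  if [ -z "$_findings" ]; then return 0; fi
  # Unquoted on purpose: split the collected names into one per line.
  printf '%s\n' $_findings
  return 1
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_committed_env "$1"
fi
```

A non-zero exit status fails the hook or pipeline step, so the commit is stopped before a secret lands in history.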
Agents worker (packages/worker)
wrangler.jsonc (committed)
| Variable | Type | Description |
|---|---|---|
| SUPABASE_URL | var | Supabase API URL (same value as app’s PUBLIC_SUPABASE_URL) |
| DURABLE_STREAMS_URL | var | Durable streams endpoint (same value as PUBLIC_DURABLE_STREAMS_URL) |
.dev.vars (gitignored)
For local dev, wrangler reads secrets from .dev.vars.
| Variable | Description |
|---|---|
| DURABLE_STREAMS_SECRET | Same value as app’s DURABLE_STREAMS_SECRET |
| ANTHROPIC_API_KEY | Anthropic API key — used by default for all bots unless the model is a @cf/ Workers AI model |
| SUPABASE_PUBLISHABLE_KEY | Supabase publishable key (same value as app’s PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY) — used by bot DOs for PostgREST queries with RLS |
Production secrets
PUBLIC_* vars are baked at build time from .env. Everything else must be set via Wrangler:
```sh
# App worker
cd packages/www
bunx wrangler secret put SUPABASE_JWT_SECRET
bunx wrangler secret put DURABLE_STREAMS_SECRET
bunx wrangler secret put ELECTRIC_SOURCE_ID
bunx wrangler secret put ELECTRIC_SOURCE_SECRET

# Agents worker
cd packages/worker
bunx wrangler secret put DURABLE_STREAMS_SECRET
bunx wrangler secret put ANTHROPIC_API_KEY
bunx wrangler secret put SUPABASE_PUBLISHABLE_KEY
```