# Environment variables

`apps/www` is the only worker. Public values bake in at build from `.env` (committed, not secrets); secrets live in `.env.local` (gitignored) for dev and as Wrangler secrets for prod. SvelteKit convention: `PUBLIC_*` vars are exposed to the browser via `$env/static/public`; everything else is server-only. The core Supabase, Electric, and durable-stream vars fail fast at startup with a loud error naming any that are missing (`hooks.server.ts`); the AI-provider and Daytona keys below are read on demand, so a missing one just disables that feature. `.env` loads first, then `.env.local` overrides.

```
.env (committed, public — baked into the build)
  PUBLIC_SUPABASE_URL                     # Supabase API URL
  PUBLIC_SUPABASE_PUBLISHABLE_KEY         # Supabase publishable key
  PUBLIC_ELECTRIC_URL                     # Electric SQL shape API base URL
  PUBLIC_DURABLE_STREAMS_URL              # Electric durable streams endpoint
  PUBLIC_POSTHOG_KEY                      # PostHog client key
  PUBLIC_POSTHOG_HOST                     # PostHog ingest (e.g. https://eu.i.posthog.com)

.env.local (secrets — also as wrangler secrets in prod)
  SUPABASE_JWT_SECRET           # raw HS256 from Supabase → Settings → API → JWT Secret
                                # NOT a JWT, NOT the service role key — wrong value → "No suitable key"
  SUPABASE_SERVICE_ROLE_KEY     # admin operations
  DURABLE_STREAMS_SECRET        # bearer for durable stream requests (Electric SQL dashboard)
  ELECTRIC_SOURCE_ID            # Electric source identifier
  ELECTRIC_SOURCE_SECRET        # JWT for Electric shape requests
  OPENROUTER_API_KEY            # THE LLM key: in-process bot replies + ambient gate (default
                                # provider) and the sandbox pi default model. A house secret of
                                # the same name overrides it for that house's turns.
  ANTHROPIC_API_KEY             # optional — only consulted when a thread/bot model is an explicit
                                # `anthropic/<id>` (direct API). House secret of the same name overrides.
                                # Other direct-provider keys (e.g. GEMINI_API_KEY) are house/env-binding
                                # secrets only, never worker env — see system/llm-keys.md.
  DAYTONA_API_KEY               # Daytona sandbox operator key; a same-named house secret overrides it
  RAGTHIS_API_URL               # file-index (ragthis) base URL; with the key below it enables search_files / list_files
                                # prod: https://ragthis-arbe.fly.dev (fly app `ragthis-arbe`, arbe's own deployment of oskarrough/ragthis; gated by the key)
                                # dev:  http://localhost:8787 (`bun run dev:api` in ~/sites/ragthis; ungated locally, set any key)
  RAGTHIS_API_KEY               # file-index bearer token — server-side only, never reaches browser or model
                                # rotate with `fly secrets set API_KEY=...` on the ragthis app + `wrangler secret put RAGTHIS_API_KEY` here
                                # poke the instance directly with the ragthis CLI: `ragthis config` shows url/key + source, `ragthis ping` verifies
                                # (config: `ragthis config set url|key …` → ~/.config/ragthis/config.json; env vars override it)
  CONDUCTOR_SECRET              # shared secret the workflow conductor sends as `x-conductor-secret` to POST /api/wf/step; set the SAME value here and in the arbe1 sprite `.env` (the conductor)
```
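An added example (not the project's `hooks.server.ts`) of the fail-fast check described above, extended to catch the `SUPABASE_JWT_SECRET` mix-ups the table warns about. The `REQUIRED` list and the `checkEnv` / `assertEnv` names are assumptions inferred from the table, not taken from the code base.

```typescript
// Added example, not the project's own startup code.
type Env = Record<string, string | undefined>;

// Assumption: which vars count as "core" is inferred from the table above.
const REQUIRED: string[] = [
  'PUBLIC_SUPABASE_URL',
  'PUBLIC_SUPABASE_PUBLISHABLE_KEY',
  'PUBLIC_ELECTRIC_URL',
  'PUBLIC_DURABLE_STREAMS_URL',
  'SUPABASE_JWT_SECRET',
  'SUPABASE_SERVICE_ROLE_KEY',
  'DURABLE_STREAMS_SECRET',
  'ELECTRIC_SOURCE_ID',
  'ELECTRIC_SOURCE_SECRET',
];

// A compact JWT is three dot-separated base64url segments; its JSON header
// starts with `{"`, which base64url-encodes to the prefix "eyJ".
const JWT_SHAPE = /^eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Returns a list of problems. Messages name variables only, never their values,
// so the startup error is safe to write to logs.
function checkEnv(env: Env): string[] {
  const problems: string[] = [];
  const missing = REQUIRED.filter((name) => !(env[name] ?? '').trim());
  if (missing.length > 0) problems.push(`missing: ${missing.join(', ')}`);

  const jwtSecret = (env['SUPABASE_JWT_SECRET'] ?? '').trim();
  if (jwtSecret && JWT_SHAPE.test(jwtSecret)) {
    problems.push('SUPABASE_JWT_SECRET looks like a JWT; expected the raw HS256 secret');
  }
  if (jwtSecret && jwtSecret === (env['SUPABASE_SERVICE_ROLE_KEY'] ?? '').trim()) {
    problems.push('SUPABASE_JWT_SECRET equals SUPABASE_SERVICE_ROLE_KEY');
  }
  return problems;
}

// Fail fast: one loud error listing every problem at once.
function assertEnv(env: Env): void {
  const problems = checkEnv(env);
  if (problems.length > 0) throw new Error(`Invalid environment: ${problems.join('; ')}`);
}
```

Catching the wrong-value case at startup surfaces the misconfiguration before the first request hits the "No suitable key" error.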

Production: `bunx wrangler secret put <NAME>` from `apps/www/`. `apps/www/.env.example` lists the dev secrets to copy and fill — but it's incomplete (the optional provider keys above aren't in it yet). Optional release stamping: `RELEASE_SHA` (falls back to `'dev'`). `SUPABASE_PROJECT_REF` sits in `.env` but is used only by the Supabase CLI, not the worker. GitHub access uses `GITHUB_TOKEN`, a per-house/sandbox secret — not a worker env var.

Code: `apps/www/.env.example`.<br>
See [system/deployment](./deployment.md), [system/development](./development.md), [system/auth](./auth.md), [system/environments](./environments.md).
