@yottagraph-app/aether-instructions 1.1.1 → 1.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@yottagraph-app/aether-instructions",
-    "version": "1.1.1",
+    "version": "1.1.2",
     "description": "Cursor rules, commands, and skills for Aether development",
     "files": [
         "rules",

package/rules/agents.mdc

@@ -53,9 +53,12 @@ Use `broadchurch_auth` for all Elemental API calls. It lives at
 `agents/broadchurch_auth.py` and is automatically bundled into each agent
 directory at deploy time. It handles:
 
-- Reading the API URL from `broadchurch.yaml` (or `ELEMENTAL_API_URL` env var)
-- Minting and caching GCP ID tokens in production
-- Falling back to `ELEMENTAL_API_TOKEN` for local dev
+- Routing through the Broadchurch Portal gateway proxy in production
+  (no direct QS credentials needed — the portal handles Auth0 M2M auth)
+- Authenticating to the proxy with a per-tenant API key from
+  `broadchurch.yaml` (`gateway.qs_api_key`)
+- Falling back to `ELEMENTAL_API_URL` + `ELEMENTAL_API_TOKEN` env vars
+  for local dev
 
 ```python
 try:
@@ -123,6 +126,12 @@ Select your agent from the dropdown in the web UI. You can also run a single age
 during local dev (agents/ is the CWD → on sys.path). At deploy time, the
 workflow copies it into the agent directory alongside `broadchurch.yaml`.
 
+In production, all Elemental API calls go through the Portal Gateway at
+`{gateway_url}/api/qs/{org_id}/...`. The agent sends `X-Api-Key` (from
+`broadchurch.yaml`) and the portal injects its own Auth0 M2M token
+upstream. This keeps QS credentials out of agents entirely and gives the
+platform a per-tenant kill switch.
+
 **Important:** Always use the try/except import pattern shown above. ADK
 wraps agent code in a package at deploy time, so absolute imports fail at
 runtime in Agent Engine — the relative import fallback is required.