@yottagraph-app/aether-instructions 1.1.38 → 1.1.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/rules/agents-data.mdc +39 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@yottagraph-app/aether-instructions",
3
- "version": "1.1.38",
3
+ "version": "1.1.39",
4
4
  "description": "Cursor rules, commands, and skills for Aether development",
5
5
  "files": [
6
6
  "rules",
package/rules/agents-data.mdc CHANGED
@@ -71,6 +71,45 @@ In production, all Elemental API calls go through the Portal Gateway at
71
71
  `broadchurch.yaml`) and the portal injects its own Auth0 M2M token
72
72
  upstream.
73
73
 
74
+ ## Agent secrets (DATABASE_URL etc.)
75
+
76
+ For runtime values that aren't shipped in `broadchurch.yaml` and can't be
77
+ sourced from Vercel — most commonly `DATABASE_URL` for tenants whose
78
+ Postgres is provisioned via the Vercel Neon integration — use
79
+ `get_agent_secret()` from `broadchurch_auth`. It fetches from the portal
80
+ at `GET /api/agent-secrets/{org_id}` using the same `X-Api-Key` the agent
81
+ already carries, and caches per-process.
82
+
83
+ ```python
84
+ try:
85
+ from broadchurch_auth import get_agent_secret
86
+ except ImportError:
87
+ from .broadchurch_auth import get_agent_secret
88
+
89
+ def my_db_tool() -> str:
90
+ db_url = get_agent_secret("DATABASE_URL")
91
+ if not db_url:
92
+ return "DATABASE_URL is not configured for this tenant."
93
+ # ... use db_url ...
94
+ ```
95
+
96
+ Resolution order is `os.environ[name]` → portal-stored secret → default.
97
+ The env var path means local dev "just works" with `export DATABASE_URL=...`
98
+ without touching the portal.
99
+
100
+ Set values via the portal admin endpoint:
101
+
102
+ ```bash
103
+ curl -X PUT $GATEWAY_URL/api/projects/$ORG_ID/agent-secrets \
104
+ -H 'Content-Type: application/json' \
105
+ -d '{"vars": {"DATABASE_URL": "postgresql://..."}}'
106
+ ```
107
+
108
+ Secrets are stored encrypted-at-rest in Firestore on the tenant doc.
109
+ There is no per-tenant Vercel/Neon integration — when credentials rotate,
110
+ push the new value via the same endpoint and let the agent cold-start
111
+ pick it up (or call `get_agent_secrets(refresh=True)`).
112
+
74
113
  ## MCP-based agents
75
114
 
76
115
  When the project uses **MCP-only data architecture**, agents access the