@yottagraph-app/aether-instructions 1.1.38 → 1.1.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +1 -1
  2. package/rules/agents-data.mdc +39 -0
  3. package/rules/server.mdc +19 -8
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@yottagraph-app/aether-instructions",
3
- "version": "1.1.38",
3
+ "version": "1.1.40",
4
4
  "description": "Cursor rules, commands, and skills for Aether development",
5
5
  "files": [
6
6
  "rules",
package/rules/agents-data.mdc CHANGED
@@ -71,6 +71,45 @@ In production, all Elemental API calls go through the Portal Gateway at
71
71
  `broadchurch.yaml`) and the portal injects its own Auth0 M2M token
72
72
  upstream.
73
73
 
74
+ ## Agent secrets (DATABASE_URL etc.)
75
+
76
+ For runtime values that aren't shipped in `broadchurch.yaml` and can't be
77
+ sourced from Vercel — most commonly `DATABASE_URL` for tenants whose
78
+ Postgres is provisioned via the Vercel Neon integration — use
79
+ `get_agent_secret()` from `broadchurch_auth`. It fetches from the portal
80
+ at `GET /api/agent-secrets/{org_id}` using the same `X-Api-Key` the agent
81
+ already carries, and caches per-process.
82
+
83
+ ```python
84
+ try:
85
+ from broadchurch_auth import get_agent_secret
86
+ except ImportError:
87
+ from .broadchurch_auth import get_agent_secret
88
+
89
+ def my_db_tool() -> str:
90
+ db_url = get_agent_secret("DATABASE_URL")
91
+ if not db_url:
92
+ return "DATABASE_URL is not configured for this tenant."
93
+ # ... use db_url ...
94
+ ```
95
+
96
+ Resolution order is `os.environ[name]` → portal-stored secret → default.
97
+ The env var path means local dev "just works" with `export DATABASE_URL=...`
98
+ without touching the portal.
99
+
100
+ Set values via the portal admin endpoint:
101
+
102
+ ```bash
103
+ curl -X PUT $GATEWAY_URL/api/projects/$ORG_ID/agent-secrets \
104
+ -H 'Content-Type: application/json' \
105
+ -d '{"vars": {"DATABASE_URL": "postgresql://..."}}'
106
+ ```
107
+
108
+ Secrets are stored encrypted-at-rest in Firestore on the tenant doc.
109
+ There is no per-tenant Vercel/Neon integration — when credentials rotate,
110
+ push the new value via the same endpoint and let the agent cold-start
111
+ pick it up (or call `get_agent_secrets(refresh=True)`).
112
+
74
113
  ## MCP-based agents
75
114
 
76
115
  When the project uses **MCP-only data architecture**, agents access the
package/rules/server.mdc CHANGED
@@ -20,7 +20,7 @@ server/
20
20
  │ └── avatar/[url].ts # Avatar image proxy
21
21
  └── utils/
22
22
  ├── redis.ts # Upstash Redis client (lazy-init from KV_REST_API_URL)
23
- ├── neon.ts # Neon Postgres client (lazy-init from DATABASE_URL) — present if Neon provisioned
23
+ ├── neon.ts # Neon Postgres client (lazy-init from DATABASE_URL) — create if missing when Neon is provisioned
24
24
  └── cookies.ts # Cookie handling (@hapi/iron)
25
25
  ```
26
26
 
@@ -73,16 +73,27 @@ calling KV routes directly — see the `pref` rule.
73
73
 
74
74
  ## Neon Postgres
75
75
 
76
- If `DATABASE_URL` is in `.env`, Postgres is ready to use. The project init
77
- scaffolds `server/utils/neon.ts` and installs `@neondatabase/serverless`
78
- automatically when a Neon database is detected.
76
+ Neon provisioning is decided by the portal, not by what is in `.env`.
77
+ `DATABASE_URL` and `DATABASE_URL_UNPOOLED` are intentionally left commented
78
+ out locally Neon does not work in local dev. On deploy, Vercel
79
+ auto-injects `DATABASE_URL` at runtime.
79
80
 
80
81
  ### How to check
81
82
 
82
- - `DATABASE_URL` present in `.env` Postgres is connected
83
- - `server/utils/neon.ts` exists → utility is scaffolded
84
- - If either is missing, the project wasn't provisioned with Neon (add it
85
- from the Broadchurch Portal, then re-run `node init-project.js`)
83
+ Pull `gateway.url` and `tenant.org_id` out of `broadchurch.yaml` and ask the
84
+ portal:
85
+
86
+ ```bash
87
+ curl <gateway.url>/api/tenants/<tenant.org_id>
88
+ ```
89
+
90
+ - Provisioned: `vercel.postgres_store_id` is set in the response. The
91
+ `DATABASE_URL` is also findable under `agent_secrets`, but you usually
92
+ don't need to read it.
93
+ - `server/utils/neon.ts` present → ready to use. If missing, create it
94
+ (mirror the `getDb()` lazy-init pattern in `server/utils/redis.ts`).
95
+ - `@neondatabase/serverless` in `package.json` → ready. If missing, run
96
+ `npm install @neondatabase/serverless`.
86
97
 
87
98
  **Local dev:** `DATABASE_URL` is not yet available for local development.
88
99
  `getDb()` returns `null` when the credential is missing or invalid. Write