mesh-forge/.cursor/rules/convex-env.mdc

---
description: Convex deployment environment variable names (MeshEnvy mesh-forge); values are secrets — never commit them.
alwaysApply: true
---

# Convex environment variables (this deployment)

These names are configured in the Convex dashboard for this project. **Do not put real values in the repo or in rules.**

## Auth (OAuth / Convex Auth)

- `AUTH_GITHUB_ID`
- `AUTH_GITHUB_SECRET`
- `AUTH_GOOGLE_ID`
- `AUTH_GOOGLE_SECRET`
- `JWKS`
- `JWT_PRIVATE_KEY`

## App / Convex Auth config

- `SITE_URL` — canonical site URL (often used by auth / redirects; set in dashboard as provided)

**Code note:** Convex code in this repo also reads `CONVEX_SITE_URL` for `auth.config.ts` (JWT domain) and `actions.ts` (GitHub Actions `convex_url` input). If something breaks around auth domain or workflow callbacks, confirm both dashboard vars match what Convex and the frontend expect.

## CI / GitHub integration

- `GITHUB_TOKEN` — GitHub API (repo scans, branches, dispatching `custom_build*.yml`)
- `CONVEX_ENV` — when `dev`, workflow dispatch uses **`custom_build_test.yml`** on git ref **`v2`** on `MeshEnvy/mesh-forge`; otherwise **`custom_build.yml`** on **`main`**
- `CONVEX_BUILD_TOKEN` — shared with GitHub Actions secret of the same name; bearer auth for `POST /ingest-repo-build`

## R2 (firmware artifacts / signed downloads)

- `R2_ACCESS_KEY_ID`
- `R2_SECRET_ACCESS_KEY`
- `R2_ACCOUNT_ID`
- `R2_BUCKET_NAME`
- `R2_ENDPOINT_URL`
- `R2_PUBLIC_URL`
- `R2_CLOUDFLARE_TOKEN`

**Code note:** `convex/lib/r2.ts` currently uses `R2_ACCOUNT_ID`, `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `R2_BUCKET_NAME` and builds the S3 endpoint from account id. Extra R2-related vars may be used elsewhere or reserved for future use.

## When editing Convex code

Prefer reading env vars that already exist in dashboard; if you introduce a new required variable, document it here and in any operator-facing setup notes.