Environment Variables

This document lists the environment variables that shape the current GloriousFlywheel operator path.

Backend Initialization

Use one of these paths for just tofu-init <stack>.

The root entrypoint now follows the active backend family declared in each stack’s backend.tf. On current main, all four active stacks now use the environment-owned S3-compatible backend on honey.

Variable	Required	Description
`TOFU_BACKEND_CONFIG_FILE`	Preferred if set	Absolute path to one backend HCL file for the stack you are initializing.
`TOFU_BACKEND_CONFIG_DIR`	Preferred if set	Directory containing per-stack backend files named `<stack>-<env>.hcl`, for example `attic-dev.hcl`.
`TF_HTTP_ADDRESS`	Compatibility-only	State URL for a legacy generic HTTP backend path.
`TF_HTTP_LOCK_ADDRESS`	Compatibility-only	Lock URL for that same legacy HTTP backend path.
`TF_HTTP_UNLOCK_ADDRESS`	Compatibility-only	Unlock URL for that same legacy HTTP backend path.
`TF_HTTP_LOCK_METHOD`	No	Lock method for the HTTP backend. Commonly `POST`.
`TF_HTTP_UNLOCK_METHOD`	No	Unlock method for the HTTP backend. Commonly `DELETE`.
`TF_HTTP_USERNAME`	Compatibility-only	Username for a legacy generic HTTP backend path, or optional override for the GitLab legacy path.
`TF_HTTP_PASSWORD`	Compatibility-only	Password/token for a legacy generic HTTP backend path. Also used by the GitLab legacy path if you still use it.

If these values are already exported and you want to persist them into the local stack files, use:

just tofu-backend-materialize-http <stack>

Current note:

all four active stacks now use the live environment-owned S3-compatible state path on honey
TF_HTTP_* remains compatibility-only for legacy or archived HTTP backend repair paths
repo tooling can still scaffold and materialize backend files when you need a checked local operator default

S3-Compatible Backend

These variables are the live init path for the four active stacks on current main, and they also let you write a local S3-compatible backend file as a checked operator default.

The preferred root entrypoint just tofu-init <stack> can consume these variables directly without first writing a checked-in backend file.

Variable	Required	Description
`TOFU_BACKEND_S3_ENDPOINT`	Yes	S3-compatible endpoint URL for the active environment-owned state authority.
`TOFU_BACKEND_S3_BUCKET`	Yes	Bucket that will own OpenTofu state.
`TOFU_BACKEND_S3_REGION`	No	Region string for the S3 backend. Defaults to `us-east-1`.
`TOFU_BACKEND_S3_ACCESS_KEY`	Yes	Access key for that S3-compatible state authority.
`TOFU_BACKEND_S3_SECRET_KEY`	Yes	Secret key for that S3-compatible state authority.
`TOFU_BACKEND_S3_KEY`	Sometimes	Exact object key to use when the stack/env does not have a locked canonical S3 key yet.
`TOFU_BACKEND_S3_KEY_PREFIX`	Fallback	Temporary prefix fallback used only when no canonical key is locked and no explicit `TOFU_BACKEND_S3_KEY` is set.
`TOFU_BACKEND_S3_USE_PATH_STYLE`	No	Path-style toggle written into the local backend file. Defaults to `true`.
`AWS_ACCESS_KEY_ID`	Fallback	Fallback for `TOFU_BACKEND_S3_ACCESS_KEY`.
`AWS_SECRET_ACCESS_KEY`	Fallback	Fallback for `TOFU_BACKEND_S3_SECRET_KEY`.

If these values are already exported and you want to persist them into the local stack files, use:

just tofu-backend-materialize-s3 <stack>

This writes config/backends/<stack>-<env>.hcl. For the four active stacks on current main, that file can be the live local default. For historical HTTP-family compatibility paths, materializing S3 values does not change the archived stack code by itself.

Current proven honey baseline key map for ENV=dev:

attic -> attic/terraform.tfstate
arc-runners -> arc-runners/terraform.tfstate
gitlab-runners -> tinyland-infra/gitlab-runners/terraform.tfstate
runner-dashboard -> tinyland-infra/runner-dashboard/terraform.tfstate

For any other environment or key layout, set TOFU_BACKEND_S3_KEY explicitly.

For HA state-authority candidate proofs, use the separate TOFU_HA_STATE_* variables so scratch/disposable testing does not normalize active stack credentials or key overrides. The proof harness intentionally does not fall back to TOFU_BACKEND_S3_* or broad AWS_* variables; pass explicit command line flags instead if the candidate credentials come from another secure injection path. The proof harness requires --endpoint-package <path> before any live action; that non-secret package supplies the approved endpoint, region, and scratch bucket and must pass just ha-state-endpoint-package-gate. Disposable OpenTofu candidate proofs must run with --run-disposable-tofu --use-lockfile; the harness fails before mutation if the repo OpenTofu binary cannot prove native S3 lockfile behavior.

Variable	Required	Description
`TOFU_HA_STATE_ENDPOINT`	No	Optional endpoint override. If set, it must match the endpoint package.
`TOFU_HA_STATE_REGION`	No	Optional region override. If set, it must match the endpoint package.
`TOFU_HA_STATE_ACCESS_KEY`	Yes	Access key used by `just ha-state-candidate-proof`.
`TOFU_HA_STATE_SECRET_KEY`	Yes	Secret key used by `just ha-state-candidate-proof`.
`TOFU_HA_STATE_SCRATCH_BUCKET`	No	Optional scratch bucket override. If set, it must match the package.
`TOFU_HA_STATE_SCRATCH_BUCKET_PREFIX`	No	Legacy generated-bucket prefix; package scratch bucket is authoritative.

The candidate proof harness refuses tofu-state and refuses the protected active state keys. It is scratch/disposable state hardening, not a protected stack migration.

Bazel External Input Mirror

These variables are reserved for the future durable external-input authority package. They are not active on current main unless a proof explicitly passes a package accepted by just bazel-external-input-authority-package-gate.

The variables are deliberately separate from BAZEL_REMOTE_CACHE, BAZEL_REMOTE_EXECUTOR, Attic, OpenTofu state, BCR publication, and future RBE CAS/action-cache credentials.

Variable	Required	Description
`GF_EXTERNAL_INPUT_MIRROR_ENDPOINT`	Package	HTTPS endpoint from the accepted external-input authority package. Prefer GitHub variables for workflow injection; a secret fallback is accepted for constrained operators.
`GF_EXTERNAL_INPUT_MIRROR_REGION`	Package	Region string from the accepted package. Prefer GitHub variables for workflow injection; a secret fallback is accepted for constrained operators.
`GF_EXTERNAL_INPUT_MIRROR_ACCESS_KEY_ID`	Package	Scoped mirror credential for the package proof or merged-main writer path. Store as a GitHub secret, not a variable.
`GF_EXTERNAL_INPUT_MIRROR_SECRET_ACCESS_KEY`	Package	Secret value for the scoped mirror credential. Store as a GitHub secret; never commit it into the package or docs.

Consumer jobs should eventually receive read-only mirror access and attach it as BAZEL_DISTDIR; merged-main mirror maintenance is the only intended write path.

Legacy GitLab Compatibility

If you still use GitLab-managed HTTP state for an archived or external compatibility path, initialize with:

just tofu-init-gitlab-legacy <stack>

That path is compatibility-only and depends on gitlab.url and gitlab.project_id in config/organization.yaml. The four active main stacks now use backend "s3".

Local Operator Selection

Variable	Required	Description
`ENV`	No	Environment name used by root recipes. Defaults to `dev`.
`KUBE_CONTEXT`	No	Overrides the cluster context from `config/organization.yaml` for `tofu plan`, `tofu destroy`, and `tofu refresh`.
`HTTPS_PROXY`	Off-site only	SOCKS5 proxy URL when you must reach the cluster through a local proxy.
`GHCR_USERNAME`	Optional for `arc-runners`	Username for local `arc-runners` plan/refresh/destroy when `GHCR_TOKEN` is set and OpenTofu should create or rotate an explicitly configured GHCR pull secret.
`GHCR_TOKEN`	Optional for `arc-runners`	Token for local `arc-runners` plan/refresh/destroy when OpenTofu should create or rotate an explicitly configured GHCR pull secret. When unset, the stack expects a real `ghcr-pull` secret in `arc-runners` and you should use `just arc-ghcr-pull-secret-sync` to keep the `arc-systems` listener copy aligned.

Tofu Provider / Stack Inputs

Variable	Required	Description
`TF_VAR_gitlab_token`	GitLab surfaces only	GitLab provider token for legacy GitLab runner or dashboard integrations.
`TF_VAR_gitlab_oauth_client_id`	Dashboard auth path	GitLab OAuth application client ID for the dashboard compatibility login path.
`TF_VAR_gitlab_oauth_client_secret`	Dashboard auth path	GitLab OAuth application client secret for the dashboard compatibility login path.
`SESSION_SECRET`	Recommended dashboard auth	Enables signed dashboard session cookies.
`TRUST_PROXY_HEADERS`	Tailnet/mTLS operator path	When `true`, accepts trusted proxy identity headers before stored interactive sessions.
`PROXY_AUTH_DEFAULT_ROLE`	Tailnet/mTLS operator path	Default role for trusted proxy-header identities. Defaults to `operator`.
`AUTH_ADMIN_IDENTITIES`	Optional	Comma-separated usernames or emails that should resolve to `admin`.
`AUTH_OPERATOR_IDENTITIES`	Optional	Comma-separated usernames or emails that should resolve to `operator`.
`AUTH_VIEWER_IDENTITIES`	Optional	Comma-separated usernames or emails that should resolve to `viewer`.
`WEBAUTHN_RP_ID`	Dashboard auth path	WebAuthn relying-party ID. When set, the dashboard reports passkey auth as enabled.
`WEBAUTHN_RP_NAME`	Dashboard auth path	WebAuthn relying-party display name. Defaults to `Runner Dashboard` in app runtime.
`WEBAUTHN_ORIGIN`	Dashboard auth path	WebAuthn origin override. Defaults from `WEBAUTHN_RP_ID` when unset.

Cache And Runner Runtime

Variable	Required	Description
`ATTIC_SERVER`	Nix runner or dev path	URL of the Attic server. Self-hosted runners use the cluster API; internal developer machines normally use `https://nix-cache.<domain>`.
`ATTIC_CACHE`	Nix runner or dev path	Attic cache name. The shared default is `main`.
`ATTIC_PUBLIC_KEY`	Attic substituter trust path	Attic cache public key. When present with `ATTIC_SERVER`, `ATTIC_CACHE`, and `attic-enabled != false`, `setup-flywheel` / `nix-job` write the substituter into `NIX_CONFIG`. This is public trust material, not an auth token. In GitHub Actions, `setup-flywheel` also passes `${{ github.token }}` as a Nix `github.com` access token for GitHub flake/source fetches.
`ATTIC_TOKEN`	Private read or write path	Attic JWT for private-cache reads and trusted cache writes. Public reads from the shared `main` cache do not need this token. `nix-job` writes it into an ephemeral Nix `netrc-file` when present.
`BAZEL_REMOTE_CACHE`	Bazel shared-cache path	Bazel remote-cache endpoint. Self-hosted runners receive the in-cluster endpoint automatically; developer machines must attach through a product-owned profile carrying a real operator-provided endpoint. Pass it to Bazel as `--remote_cache="$BAZEL_REMOTE_CACHE"`.
`BAZEL_REMOTE_EXECUTOR`	Opt-in executor-backed path	Bazel remote-execution endpoint. This is separate from `BAZEL_REMOTE_CACHE`; when set, `GF_BAZEL_SUBSTRATE_MODE` must be `executor-backed` and the repo-managed wrapper passes it as `--remote_executor="$BAZEL_REMOTE_EXECUTOR"`.
`BAZEL_REMOTE_INSTANCE_NAME`	Optional REAPI tenant routing path	REAPI `instance_name` passed by the repo-managed and copied consumer wrappers as `--remote_instance_name=<value>`. Current valid values are `default`, `system`, and `spoke-<slug>`; enrollment profiles should use `default` for migration consumers and `spoke-<slug>` for spoke registry entries.
`GF_BAZEL_REMOTE_EXECUTION_PLATFORM`	Optional executor platform hint	Bazel remote-execution platform property passed by the repo-managed wrapper in executor-backed mode. Defaults to `gloriousflywheel-rbe-linux-x86_64`; candidate Darwin proofs use `gloriousflywheel-rbe-darwin-aarch64` only with an explicit Darwin REAPI executor.
`GF_BAZEL_LOCAL_PROOF`	Local port-forward proof only	Must be `port-forward` before the copied consumer wrapper accepts localhost cache or executor endpoints. Leave unset for normal runner, tailnet, or routed consumer usage.
`GF_RBE_PLATFORM`	Explicit proof platform	Platform identity consumed by the explicit proof wrappers. Supported values are `gloriousflywheel-rbe-linux-x86_64` and candidate `gloriousflywheel-rbe-darwin-aarch64`. Darwin proofs must not use the Linux gf-rbe Kubernetes manifest.
`GF_FLYWHEEL_PROFILE_STATE`	Fleet enrollment profile state	Machine-readable enrollment state installed by the fleet profile path. Valid values are `unattached`, `shared-cache-backed`, `executor-backed`, and `local-proof`. This is for doctor/verify tooling and does not itself mint auth tokens.
`GF_BAZEL_SUBSTRATE_MODE`	Derived by `.envrc`	`executor-backed` when `BAZEL_REMOTE_EXECUTOR` is present, `shared-cache-backed` when only `BAZEL_REMOTE_CACHE` is present, otherwise `compatibility-local-only`.
`GF_BAZEL_JOBS`	Optional executor throttle	Bazel `--jobs` override passed by the copied consumer wrapper in executor-backed mode. Useful for bounded port-forward proofs or small executor pools; omit for normal runner defaults.
`BAZEL_REMOTE_MAX_CONNECTIONS`	Optional remote gRPC throttle	Bazel `--remote_max_connections` override passed by the copied consumer wrapper in executor-backed mode. Useful for port-forward proofs; omit for normal routed runner use.
`BAZEL_CREDENTIAL_HELPER`	Optional Bazel auth path	Bazel `--credential_helper` value passed by the copied consumer wrapper. Use runtime injection; do not commit long-lived helper paths or secret-bearing values into downstream rc files.
`BAZEL_REMOTE_HEADER`	Optional Bazel auth/header path	Bazel `--remote_header` value passed by the copied consumer wrapper. Use only from secure runtime injection.
`BAZEL_REMOTE_CACHE_HEADER`	Optional cache auth/header path	Bazel `--remote_cache_header` value passed by the copied consumer wrapper. Use only from secure runtime injection.
`BAZEL_REMOTE_EXEC_HEADER`	Optional executor auth/header path	Bazel `--remote_exec_header` value passed by the copied consumer wrapper in executor-backed mode. Use only from secure runtime injection.
`BAZEL_REPOSITORY_CACHE`	Optional external fetch path	Bazel repository cache directory. Repo-managed wrappers pass it as `--repository_cache=<value>`; this covers repository/archive fetches, not action outputs.
`BAZEL_DISTDIR`	Optional external fetch path	Colon-separated Bazel distdir paths. Repo-managed wrappers pass each entry as `--distdir=<value>`; this is for pre-staged external archives.
`GF_BAZEL_REPOSITORY_DISABLE_DOWNLOAD`	Optional hermetic fetch proof	When `true`, repo-managed wrappers pass `--repository_disable_download`. Use only in explicit repository-cache/distdir proof lanes after the external inputs have been pre-populated.
`GF_BAZEL_INJECT_REPOSITORIES`	Optional consumer/proof input path	Colon-separated `repo=/absolute/path` entries for generated local Bazel repositories, passed as repeated `--inject_repository=<entry>` by the copied consumer wrapper and explicit RBE proof wrapper. Use only after the local repo has been materialized and verified.
`BAZEL_CACHE_DIR`	Optional local override	Local Bazel disk-cache parent used by the devshell. Defaults under `XDG_CACHE_HOME` or `~/.cache`.
`BAZEL_OUTPUT_BASE`	Optional local override	Workspace-specific Bazel output base. Defaults to the GloriousFlywheel path under `BAZEL_CACHE_DIR`; repo-managed wrappers pass it as Bazel startup `--output_base=<value>` when set.
`GF_REAPI_AUTHZ_MODE`	Optional REAPI cell gate	`off`, `warn`, or `enforce`. Defaults to `off` for current proof compatibility. `enforce` requires signed bearer JWTs on CAS, AC, ByteStream, Execute, and WaitExecution RPCs.
`GF_REAPI_AUTHZ_AUDIENCE`	Optional REAPI cell gate	JWT audience expected by `gf-reapi-cell`. Defaults to `gf-reapi-cell.gf-rbe.svc`.
`GF_REAPI_AUTHZ_TRUSTED_ISSUERS`	Required when authz is on	Comma-separated `issuer_url=jwks_url` mappings. The cell validates RSA-signed OIDC-shaped JWTs against these JWKS sources. `jwks_url` may be `https://`/`http://` or a mounted `file:///...` document; use `file:///...` for deny-egress cells so authz does not depend on outbound HTTP.
`GF_REAPI_CREDENTIAL_HELPER_TOKEN_FILE`	Optional Bazel RBE auth path	Path to a short-lived gf-reapi-cell JWT for `gf-reapi-credhelper`. Prefer a Kubernetes projected-token file. When unset, the helper uses `/var/run/secrets/tokens/gf-reapi-cell-token` if present. Do not point this at long-lived secrets.
`GF_REAPI_CREDENTIAL_HELPER_TOKEN`	Optional Bazel RBE auth path	Inline short-lived gf-reapi-cell JWT for `gf-reapi-credhelper`, intended for tests and tightly scoped proof jobs. The helper fails if both this and `GF_REAPI_CREDENTIAL_HELPER_TOKEN_FILE` are set.
`GF_REAPI_TOKEN_EXCHANGE_ISSUER`	Token exchange signing path	Issuer claim used by `gf-reapi-token-exchange` when minting gf-reapi-cell JWTs. The corresponding public key must be present in the cell’s trusted JWKS source before enforce-mode traffic can rely on it.
`GF_REAPI_TOKEN_EXCHANGE_KEY_ID`	Token exchange signing path	`kid` header used by `gf-reapi-token-exchange` for the signing key. Key material is supplied via `--signing-key-file`; do not commit it.
`GF_GITHUB_OIDC_TOKEN`	Token exchange input	Optional GitHub OIDC JWT input for `gf-reapi-token-exchange` outside Actions’ `ACTIONS_ID_TOKEN_REQUEST_*` path. Prefer `--github-token-file` or the Actions id-token endpoint in CI; do not commit this token.
`GF_REAPI_AC_WRITE_ATTESTATION_MODE`	Optional AC write gate	`off`, `warn`, or `enforce`. Defaults to `off`. When enabled, action-cache writes require normal `actioncache:Write` scope plus a trusted JWT subject. `enforce` rejects direct AC writes and prevents Execute from populating AC when the writer subject is untrusted.
`GF_REAPI_AC_WRITE_TRUSTED_SUBJECTS`	Required for AC write attestation	Comma-separated JWT `sub` allow-list for trusted action-cache writers, initially intended for the `gf-rbe` worker ServiceAccount subject.
`GF_REAPI_AC_AUDIT_LOG_PATH`	Optional AC audit path	JSONL audit log path for action-cache write attempts. Defaults to `${GF_REAPI_STORE_ROOT}/audit/ac-writes.jsonl`; relative paths are resolved under `GF_REAPI_STORE_ROOT`; `off` disables local audit persistence for proof-only debugging.
`GF_REAPI_BLOBSTORE_BACKEND`	Optional REAPI storage backend	`local` (default) or `s3`. `local` stores CAS/action-cache objects under `GF_REAPI_STORE_ROOT`; `s3` uses the dependency-free S3-compatible BlobStore seam and requires the `GF_REAPI_S3_*` settings below.
`GF_REAPI_S3_ENDPOINT`	Required for REAPI S3 backend	HTTPS S3-compatible endpoint URL for CAS/action-cache objects. No S3 provider is selected by this setting. The live RustFS service is the current self-hosted S3-compatible substrate for existing cache/state paths; promoting any RustFS-backed CAS/action-cache path requires the TIN-1147 repair/proof gate.
`GF_REAPI_S3_REGION`	Optional REAPI S3 backend	Signing region for the S3-compatible endpoint. Defaults to `us-east-1` when unset.
`GF_REAPI_S3_BUCKET`	Required for REAPI S3 backend	Dedicated bucket for gf-reapi-cell CAS/action-cache objects. Do not share this namespace with OpenTofu state, distdir mirrors, Attic objects, or RustFS repair probes.
`GF_REAPI_S3_ACCESS_KEY_ID`	Required for REAPI S3 backend	Access key for the dedicated CAS/action-cache bucket. Credentials need bucket reachability plus object `GET`, `PUT`, and `HEAD`; the readiness probe performs a signed `HeadBucket`.
`GF_REAPI_S3_SECRET_ACCESS_KEY`	Required for REAPI S3 backend	Secret key for the dedicated CAS/action-cache bucket. Treat as write authority to the RBE CAS/action-cache namespace.
`GF_REAPI_S3_PREFIX`	Optional REAPI S3 backend	Prefix prepended to every object key inside the bucket, useful for isolated proof cells or staging deployments.
`GF_REAPI_S3_FORCE_PATH_STYLE`	Optional REAPI S3 backend	Boolean; defaults to `true` for S3-compatible endpoints that require path-style addressing. Invalid values fail startup instead of silently switching addressing mode.
`GF_REAPI_BLOB_TTL`	Optional REAPI local GC	Go duration such as `168h`. When set on the `local` backend, a background sweeper evicts old CAS/action-cache objects only under `instances/<name>/{cas,ac}`. Local reads refresh the LRU timestamp. S3 expiry is handled by bucket lifecycle/ILM policy instead.
`GF_REAPI_GC_INTERVAL`	Optional REAPI local GC	Go duration for local BlobStore sweeps. Defaults to `1h` when `GF_REAPI_BLOB_TTL` or `GF_REAPI_CAS_MAX_BYTES` is set. Invalid or negative durations fail startup.
`GF_REAPI_MIN_CLIENT_CACHE_TTL`	Optional GC safety floor	Go duration equal to the Bazel client cache lease (`--experimental_remote_cache_ttl`, default `3h`) the deployment serves. When both this and `GF_REAPI_BLOB_TTL` are set, the cell fails startup unless `GF_REAPI_BLOB_TTL` >= this — so the GC sweeper can never evict a blob a client still assumes is leased (W1.3/TIN-1460). `GF_REAPI_CAS_MAX_BYTES` also requires this floor.
`GF_REAPI_CAS_MAX_BYTES`	Optional REAPI local CAS size bound	Byte count with optional `Ki`, `Mi`, `Gi`, or `Ti` suffix. Enables the W1.4 phase-1 local CAS size evictor, which evicts least-recently-used CAS blobs older than `GF_REAPI_MIN_CLIENT_CACHE_TTL`, reconciles durable quota counters, and emits `gf_reapi_size_eviction_*` plus `gf_reapi_evicted_while_referenced_total`. S3 size policy belongs to bucket/ILM configuration.
`GF_REAPI_QUOTAS`	Optional REAPI tenant guardrail	JSON policy with `default` and optional `instances` entries keyed by REAPI `instance_name`. Supports `maxConcurrentExecutions`, `maxBlobBytes`, and durable `maxCasBytes` / `maxAcEntries` on usage-scannable backends. Zero means unlimited. Breaches return `ResourceExhausted`, emit `gf_reapi_quota_rejected_total`, and expose tenant usage gauges.
`GF_REAPI_EXECUTOR_POOLS`	Optional REAPI pool guardrail	JSON policy with optional `propertyName` (default `Pool`), `default`, and optional `instances` entries keyed by REAPI `instance_name`. Each rule lists `allowedPools`; `Execute` rejects missing, duplicated, or unauthorized `Action.platform` pool properties before AC lookup or execution, then labels scheduler metrics with the admitted pool.
`GF_REAPI_WORKER_POOLS`	Optional REAPI worker lease guardrail	JSON policy with a `default` rule and optional `pools` overrides keyed by admitted executor-pool name. Each rule can set `slots` and optional static `workers`; zero slots means unbounded local dispatch unless workers are configured, in which case the worker inventory defines the local lease slots and provenance. Emits slot/availability metrics plus `gf_reapi_worker_pool_registered_workers`.
`GF_REAPI_WORKER_REGISTRY_TTL`	Optional REAPI worker heartbeat seam	Go duration enabling the in-memory live worker heartbeat registry. Requires `GF_REAPI_WORKER_REGISTRY_TOKEN`. Non-expired heartbeat workers are preferred for scheduler lease provenance; stale or absent live workers fall back to `GF_REAPI_WORKER_POOLS`. This is single-cell scheduler plumbing, not remote dispatch.
`GF_REAPI_WORKER_REGISTRY_TOKEN`	Required with worker registry TTL	Bearer token for `POST /worker/heartbeat` registrations. Treat as scheduler-placement authority for proof-cell workers; do not expose it to untrusted clients.

These are runtime hints for acceleration. They do not, by themselves, install Nix, create a public Bazel endpoint, or imply any publication path.

For fleet-managed developer and agent machines, install non-secret endpoint and mode metadata through the NixOS/Home Manager profile module documented in docs/runners/fleet-profile-distribution.md. That profile may carry credential-helper paths and token-file paths, but it must not carry bearer tokens.

Current cache authority:

shared self-hosted runners are the proved Bazel-cache consumers
internal developer machines may attach to Attic over HTTPS
public reads from the shared main Attic cache require ATTIC_PUBLIC_KEY but not ATTIC_TOKEN; in this repo, .envrc derives the default ATTIC_PUBLIC_KEY from committed live runner tfvars when unset
just cache-contract-nix-strict verifies that the configured Attic substituter and public trust key are actually present in NIX_CONFIG
private Attic cache reads and trusted writes require both ATTIC_PUBLIC_KEY and ATTIC_TOKEN; nix-job maps the token into netrc-file for Nix HTTP substituter requests. If a private-cache token is not present, either set attic-enabled: "false" to skip private Attic attachment or accept 401 fallback to other configured substituters
internal developer machines only attach Bazel dogfood to the shared substrate when BAZEL_REMOTE_CACHE is explicitly set and just cache-contract-strict passes
executor-backed Bazel work is opt-in and requires both BAZEL_REMOTE_EXECUTOR and BAZEL_REMOTE_CACHE; the executor endpoint is not a replacement for the CAS/action-cache endpoint
just developer-cache-attachment-proof is the bounded local proof command; it defaults to read-only remote-cache use and can opt into trusted writes with GF_DEVELOPER_CACHE_PROOF_UPLOAD=true
if BAZEL_REMOTE_CACHE is empty, just info must report compatibility-local-only, and just cache-contract-strict must fail

Dashboard Runtime

The runner-dashboard module maps stack inputs into these runtime variables.

Variable	Required	Description
`GITLAB_URL`	Compatibility control plane	GitLab API base used by compatibility auth, runner control, and GitOps submission.
`GITLAB_TOKEN`	Compatibility control plane	GitLab token used by compatibility runner control and GitOps submission.
`GITLAB_GROUP_ID`	Compatibility control plane	GitLab group ID used by compatibility runner inventory and pause/resume actions.
`GITLAB_PROJECT_ID`	Compatibility control plane	GitLab project ID used by compatibility GitOps branch and merge-request operations.
`RUNNER_STACK_NAME`	Compatibility control plane	Stack name used by compatibility GitOps config reads and writes.
`PROMETHEUS_URL`	Optional read plane	Prometheus base URL for dashboard monitoring queries.
`K8S_CACHE_NAMESPACE`	Optional read plane	Kubernetes namespace for Attic, Bazel remote cache, and cache-plane metrics.
`K8S_RUNNER_NAMESPACES`	Optional read plane	Comma-separated Kubernetes namespaces for runner monitoring.
`ARC_NAMESPACE`	Optional read plane	Primary ARC namespace when configured.

Tailnet / Proxy Identity

When TRUST_PROXY_HEADERS=true, request auth now prefers trusted proxy identity headers over stored interactive sessions. That is the current tailnet-first operator contract.

Only enable this behind a trusted proxy that owns or strips the accepted identity headers. The current app accepts x-webauth-user, x-webauth-email, and x-client-cert-cn.

See Auth and Mutation Authority for the current distinction between access auth, read authority, compatibility mutation, and managed infrastructure authority.

Local Files That Matter

Item	Description
`.env`	Local environment file loaded by direnv.
`config/organization.yaml`	Cluster and namespace mapping used by the root `Justfile`.
`config/backend.http.example.hcl`	Template for generic HTTP backend config files.
`config/backend.s3.example.hcl`	Template for S3-compatible backend files.
`tofu/stacks/<stack>/<env>.tfvars`	Per-stack per-environment OpenTofu inputs.