Environment variables
Astro / Vite (PUBLIC_* and app secrets)
These are typically set in apps/cosmos/digital-services/.env (local) or your deployment environment for the static build. PUBLIC_* are exposed to client bundles; never put secrets in PUBLIC_*.
| Variable | Scope | Likely source | Used for |
|---|---|---|---|
| PUBLIC_SITE_URL | Browser-safe | .env | Optional site URL hints (see src/env.d.ts). |
| PUBLIC_CONTACT_FORM_WORKER_URL | Browser-safe | .env | Contact form POST target. |
| PUBLIC_TURNSTILE_SITEKEY | Browser-safe | .env | Cloudflare Turnstile widget. |
| PUBLIC_MAINTENANCE_MODE | Browser-safe | .env | When true, Astro middleware rewrites most routes to /maintenance. |
| PUBLIC_OUTGOING_MAIL_WORKER_URL | Browser-safe | .env | /portal/outgoing-mail authenticated POST target. |
| PUBLIC_OUTGOING_MAIL_ACCESS_DEV_BYPASS_TOKEN | Browser-safe (sensitive in practice) | .env | Dev/local header bypass for Access-protected mail worker flows. |
| TURNSTILE_SECRET_KEY | Secret | .env / deploy | Server-side Turnstile validation. |
| RESEND_API_KEY | Secret | .env / worker | Outbound mail provider (where used by app/workers). |
| FROM_EMAIL | Secret/config | .env / worker | Default sender. |
| TO_EMAIL | Secret/config | .env / worker | Default recipient. |
See also README.md in the app for example .env blocks and for the mail worker split (PUBLIC_CONTACT_FORM_WORKER_URL vs PUBLIC_OUTGOING_MAIL_WORKER_URL).
Gateway worker (Wrangler)
Set in workers/wrangler.gateway.toml under [vars], [env.production.vars], or [env.staging.vars].
| Variable | Scope | Used for |
|---|---|---|
| AUTH_WORKER_VERIFY_URL | Worker-only | Auth token verification endpoint (POST from gateway). |
| PROTECTED_PATH_PREFIXES | Worker-only | Comma-separated prefixes (e.g. /portal,/admin) requiring a verified token before the static fetch. |
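The following is an added example, not the project's gateway worker source: it shows how a gateway worker could consume PROTECTED_PATH_PREFIXES and AUTH_WORKER_VERIFY_URL, with segment-aware prefix matching and a fail-closed path when the verify URL is missing from the active environment. The auth worker's request/response format and the fetch(request) static passthrough are assumptions.

```javascript
// Added example, not the project's gateway worker source: how a gateway worker
// could consume PROTECTED_PATH_PREFIXES and AUTH_WORKER_VERIFY_URL. The auth
// worker's request/response format and fetch(request) passthrough are assumed.

// Parse the comma-separated PROTECTED_PATH_PREFIXES value (e.g. "/portal,/admin").
// Tolerates spaces and empty entries and strips trailing slashes.
function parseProtectedPrefixes(raw) {
  return (raw || "")
    .split(",")
    .map((p) => p.trim().replace(/\/+$/, ""))
    .filter((p) => p.startsWith("/"));
}

// Segment-aware match: "/portal" protects "/portal" and "/portal/outgoing-mail"
// but not "/portals", which a bare startsWith(prefix) would also match.
function isProtectedPath(pathname, prefixes) {
  return prefixes.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Decide what to do before any static fetch. Fails closed: a protected path
// with no AUTH_WORKER_VERIFY_URL in this environment's [vars] is denied, not
// served, so a staging/production URL mix-up surfaces as 403 rather than bypass.
function gatewayDecision(pathname, bearerToken, env) {
  const prefixes = parseProtectedPrefixes(env.PROTECTED_PATH_PREFIXES);
  if (!isProtectedPath(pathname, prefixes)) return "static";
  if (!env.AUTH_WORKER_VERIFY_URL) return "deny:misconfigured";
  if (!bearerToken) return "deny:no-token";
  return "verify";
}

// Worker entry point (assumed shape; the worker module would default-export it).
// Verification is a POST to the auth worker; anything but HTTP 200 denies.
const gatewayWorker = {
  async fetch(request, env) {
    const url = new URL(request.url);
    const auth = request.headers.get("Authorization") || "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    const decision = gatewayDecision(url.pathname, token, env);
    if (decision === "static") return fetch(request);
    if (decision !== "verify") return new Response("Forbidden", { status: 403 });
    const verify = await fetch(env.AUTH_WORKER_VERIFY_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ token }), // assumed auth-worker body format
    });
    if (verify.status !== 200) return new Response("Forbidden", { status: 403 });
    return fetch(request); // verified: proceed to the static fetch
  },
};
```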
Image worker (Wrangler)
Set in workers/wrangler.image.toml.
| Variable | Scope | Used for |
|---|---|---|
| ENABLE_IMAGE_RESIZING | Worker-only | Feature toggle string consumed by the edge-utils image pipeline. |
Environment matrix (staging vs production)
- AUTH_WORKER_VERIFY_URL differs between [env.staging.vars] and [env.production.vars] in wrangler.gateway.toml. Using the wrong URL for the hostname is a common source of “auth works in prod but not staging” (or the reverse).
- Staging hostnames use parallel route entries in both gateway and image Wrangler configs (e.g. staging.cosmosdigitalservices.com).
Typings note
apps/cosmos/digital-services/src/env.d.ts documents Astro ImportMetaEnv for PUBLIC_* variables but does not list server-only secrets such as TURNSTILE_SECRET_KEY (they may still be read at build or server boundaries). AUTH_WORKER_VERIFY_URL and PROTECTED_PATH_PREFIXES are not in that file; they exist only in Wrangler. Treat this page plus README.md and the Wrangler TOML files as the operational catalog until typings are expanded.
Safe handling
- Never commit real .env files; use team secret storage for CI/deploy.
- Rotate Turnstile, Resend, and any bypass tokens on leak suspicion.
- Prefer least exposure: keep mail and auth endpoints Access-protected as documented in the app README.md.