No raw secrets
Secret Store Setup
Placeholder-only setup commands and verification routes for Stripe, NyrA billing, license signing, and command-center cloud sync.
Secret Pack Controls
Run `npm run secret:pack` after handoff scans or cloud billing changes. Real secret values go into Cloudflare Worker secrets, the chosen host secret manager, temporary PowerShell variables, or the browser Cloud Connection token field only.
Worker Secret Helper
Use this from a terminal after Cloudflare auth is available through CLOUDFLARE_API_TOKEN or an interactive Wrangler login. It prompts for values with Read-Host -AsSecureString, pipes them to wrangler secret put, and keeps raw secrets out of dashboard files, Markdown, CSV, .env files, command arguments, and logs.
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts/set-nyra-worker-secrets.ps1
npm run secret:helper:dry-run
```
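The prompt-and-pipe pattern described above, as an added sketch; it is not the contents of `scripts/set-nyra-worker-secrets.ps1`. The secret names, Worker directories and wrangler flags are taken from the Secret Setup Rows on this page; the `-DryRun` switch and all variable names are assumptions made for the example.

```powershell
# Added illustration of the Read-Host -AsSecureString -> wrangler stdin pattern.
# Not the project's helper script; -DryRun and the variable names are hypothetical.
[CmdletBinding()]
param(
    # Print the wrangler commands without prompting for or uploading anything.
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'

# Name / Worker-directory pairs copied from the Secret Setup Rows on this page.
$targets = @(
    @{ Name = 'STRIPE_SECRET_KEY';           Cwd = 'cloud/billing-worker' }
    @{ Name = 'STRIPE_WEBHOOK_SECRET';       Cwd = 'cloud/billing-worker' }
    @{ Name = 'NYRA_LICENSE_SIGNING_SECRET'; Cwd = 'cloud/billing-worker' }
    @{ Name = 'NYRA_LICENSE_SIGNING_SECRET'; Cwd = 'cloud/mobile-bridge-worker' }
    @{ Name = 'NYRA_COMMAND_TOKEN';          Cwd = 'cloud/command-center-worker' }
)

# Windows PowerShell 5.1 pipes text to native programs as ASCII by default;
# use UTF-8 without a BOM so non-ASCII characters in a value are not mangled.
$OutputEncoding = [System.Text.UTF8Encoding]::new($false)

# One SecureString per name, so a secret shared by two Workers is typed once.
$cache = @{}

foreach ($t in $targets) {
    # The secret name is an argument; the secret value never is.
    $wranglerArgs = @('wrangler', 'secret', 'put', $t.Name,
                      '--cwd', $t.Cwd, '--env', 'production')

    if ($DryRun) {
        Write-Host "[dry-run] npx $($wranglerArgs -join ' ')"
        continue
    }

    if (-not $cache.ContainsKey($t.Name)) {
        # Input is masked and never enters PSReadLine history or a transcript.
        $cache[$t.Name] = Read-Host -Prompt "Value for $($t.Name)" -AsSecureString
    }
    if ($cache[$t.Name].Length -eq 0) {
        Write-Warning "Skipped $($t.Name): empty input."
        continue
    }

    # Decrypt only for the duration of the pipe into wrangler's stdin.
    $plain = [System.Net.NetworkCredential]::new('', $cache[$t.Name]).Password
    try {
        $plain | & npx @wranglerArgs
        if ($LASTEXITCODE -ne 0) {
            throw "wrangler failed for $($t.Name) in $($t.Cwd) (exit $LASTEXITCODE)"
        }
    }
    finally {
        # Drops the reference only; .NET strings cannot be wiped in place,
        # so the plaintext lifetime is kept as short as possible instead.
        $plain = $null
    }
}

foreach ($s in $cache.Values) { $s.Dispose() }
```

Because the value travels over stdin, it does not appear in the process command line, in shell history, or in anything the script writes to the console.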
Redaction Rules
- Use placeholders in docs and generated dashboards.
- Use `wrangler secret put` or the chosen host secret manager for real values.
- Use temporary PowerShell environment variables for local rehearsal only.
- Do not commit local secret files, screenshots containing secrets, or copied dashboard state with raw secrets.
- Clear temporary shell tokens after cloud sync or live billing rehearsal.
Secret Setup Rows
| Variable | Service | Target | Required For | Safe Setup Commands | Verify | No-Go Rule |
|---|---|---|---|---|---|---|
| STRIPE_SECRET_KEY | Stripe Billing | Cloudflare billing Worker secret and temporary billing rehearsal shell | Stripe Checkout, Customer Portal, subscription lookups, and billing API requests. | `npx wrangler secret put STRIPE_SECRET_KEY --cwd cloud/billing-worker --env production`<br>`$env:STRIPE_SECRET_KEY = "<STRIPE_SECRET_KEY>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| STRIPE_WEBHOOK_SECRET | Stripe Billing | Cloudflare billing Worker secret and temporary billing rehearsal shell | Stripe webhook signature verification for subscription and entitlement events. | `npx wrangler secret put STRIPE_WEBHOOK_SECRET --cwd cloud/billing-worker --env production`<br>`$env:STRIPE_WEBHOOK_SECRET = "<STRIPE_WEBHOOK_SECRET>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_STRIPE_PRICE_PRO_MONTHLY | Stripe Billing | Cloudflare billing Worker secret and temporary billing rehearsal shell | Checkout Session creation for the monthly Pro subscription price. | `npx wrangler secret put NYRA_STRIPE_PRICE_PRO_MONTHLY --cwd cloud/billing-worker --env production`<br>`$env:NYRA_STRIPE_PRICE_PRO_MONTHLY = "<NYRA_STRIPE_PRICE_PRO_MONTHLY>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_BILLING_SUCCESS_URL | NyrA Billing | Cloudflare billing Worker secret or hosted backend environment variable | Checkout success redirect after Stripe payment. | `npx wrangler secret put NYRA_BILLING_SUCCESS_URL --cwd cloud/billing-worker --env production`<br>`$env:NYRA_BILLING_SUCCESS_URL = "<NYRA_BILLING_SUCCESS_URL>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_BILLING_CANCEL_URL | NyrA Billing | Cloudflare billing Worker secret or hosted backend environment variable | Checkout cancellation redirect back to the launch or app flow. | `npx wrangler secret put NYRA_BILLING_CANCEL_URL --cwd cloud/billing-worker --env production`<br>`$env:NYRA_BILLING_CANCEL_URL = "<NYRA_BILLING_CANCEL_URL>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_BILLING_RETURN_URL | NyrA Billing | Cloudflare billing Worker secret or hosted backend environment variable | Customer Portal return redirect after subscription management. | `npx wrangler secret put NYRA_BILLING_RETURN_URL --cwd cloud/billing-worker --env production`<br>`$env:NYRA_BILLING_RETURN_URL = "<NYRA_BILLING_RETURN_URL>"` | `npm run billing:live-preflight -- --mode test --allow-blocked` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_LICENSE_API_TOKEN | NyrA License | Cloudflare billing Worker secret and desktop activation configuration | Private license status API access and customer-safe device activation. | `npx wrangler secret put NYRA_LICENSE_API_TOKEN --cwd cloud/billing-worker --env production`<br>`$env:NYRA_LICENSE_API_TOKEN = "<NYRA_LICENSE_API_TOKEN>"` | `npm run cloud:billing:check && npm run test:cloud-billing-worker` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_LICENSE_SIGNING_SECRET | NyrA License | Cloudflare billing Worker and mobile bridge Worker secret | HMAC signing of device-scoped license access tokens accepted by billing and mobile bridge APIs. | `npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/billing-worker --env production`<br>`npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/mobile-bridge-worker --env production`<br>`$env:NYRA_LICENSE_SIGNING_SECRET = "<NYRA_LICENSE_SIGNING_SECRET>"` | `npm run cloud:billing:check && npm run test:cloud-billing-worker && npm run cloud:mobile-bridge:check` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_ANDROID_DOWNLOAD_TICKET_SECRET | NyrA Mobile Bridge | Cloudflare mobile bridge Worker secret | Short-lived Android APK download tickets for customer update installs without a bundled shared bridge token. | `npx wrangler secret put NYRA_ANDROID_DOWNLOAD_TICKET_SECRET --cwd cloud/mobile-bridge-worker --env production`<br>`$env:NYRA_ANDROID_DOWNLOAD_TICKET_SECRET = "<NYRA_ANDROID_DOWNLOAD_TICKET_SECRET>"` | `npm run cloud:mobile-bridge:check && npm run test:mobile-bridge-security` | Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat. |
| NYRA_COMMAND_TOKEN | Cloud Command Center | Cloudflare command-center Worker secret | Bearer-token authentication on the deployed command-center API. Use the same private value in the local NYRA_COMMAND_CENTER_TOKEN shell variable when syncing. | `npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker --env production` | `npm run cloud:command-center:health` | Never place the command-center bearer token into wrangler.jsonc, dashboard state, repo files, screenshots, or chat. |
| NYRA_COMMAND_CENTER_API_URL | Cloud Command Center | Temporary local shell and browser Cloud Connection URL field after Worker deployment | After deploy, set NYRA_COMMAND_CENTER_API_URL in a temporary shell before cloud sync. | `$env:NYRA_COMMAND_CENTER_API_URL = "https://<your-command-center-worker-url>"` | `npm run cloud:command-center:health` | Never publish a private dashboard URL without Cloudflare Access or bearer-token auth. The Worker URL itself can be saved in the dashboard. |
| NYRA_COMMAND_CENTER_TOKEN | Cloud Command Center | Temporary local shell and browser localStorage only | CLI cloud sync and browser API calls after deployment. | `$env:NYRA_COMMAND_CENTER_TOKEN = "<same private value as NYRA_COMMAND_TOKEN>"` | `npm run cloud:command-center:health` | Store this only in the current shell or browser Cloud Connection control; clear it after use and never commit it. |
Agent Run Log
Each manual intake or scheduled cloud marker becomes a visible build handoff. Use this to confirm the dashboard was read and routed.
Secret Pack JSON
{
"schemaVersion": 1,
"generatedAt": "2026-06-17T22:59:03.317Z",
"status": "SECRETS_WAITING",
"label": "Secrets Waiting",
"workerTargets": {
"billingWorkerName": "nyra-billing-api",
"commandWorkerName": "nyra-command-center-api",
"billingWorkerPath": "cloud/billing-worker",
"commandCenterWorkerPath": "cloud/command-center-worker"
},
"counts": {
"totalItems": 12,
"secretStoreItems": 9,
"cloudSyncItems": 3,
"billingWorkerSecrets": 8,
"commandCenterWorkerSecrets": 1,
"localOnlyItems": 11
},
"items": [
{
"id": "env-stripe_secret_key",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "STRIPE_SECRET_KEY",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Stripe Checkout, Customer Portal, subscription lookups, and billing API requests.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: STRIPE_SECRET_KEY",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put STRIPE_SECRET_KEY --cwd cloud/billing-worker --env production",
"$env:STRIPE_SECRET_KEY = \"<STRIPE_SECRET_KEY>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-stripe_webhook_secret",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "STRIPE_WEBHOOK_SECRET",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Stripe webhook signature verification for subscription and entitlement events.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: STRIPE_WEBHOOK_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put STRIPE_WEBHOOK_SECRET --cwd cloud/billing-worker --env production",
"$env:STRIPE_WEBHOOK_SECRET = \"<STRIPE_WEBHOOK_SECRET>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_stripe_price_pro_monthly",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "NYRA_STRIPE_PRICE_PRO_MONTHLY",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Checkout Session creation for the monthly Pro subscription price.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_STRIPE_PRICE_PRO_MONTHLY",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_STRIPE_PRICE_PRO_MONTHLY --cwd cloud/billing-worker --env production",
"$env:NYRA_STRIPE_PRICE_PRO_MONTHLY = \"<NYRA_STRIPE_PRICE_PRO_MONTHLY>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_success_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_SUCCESS_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Checkout success redirect after Stripe payment.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_SUCCESS_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_SUCCESS_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_SUCCESS_URL = \"<NYRA_BILLING_SUCCESS_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_cancel_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_CANCEL_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Checkout cancellation redirect back to the launch or app flow.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_CANCEL_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_CANCEL_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_CANCEL_URL = \"<NYRA_BILLING_CANCEL_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_return_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_RETURN_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Customer Portal return redirect after subscription management.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_RETURN_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_RETURN_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_RETURN_URL = \"<NYRA_BILLING_RETURN_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_license_api_token",
"source": "handoff-readiness",
"service": "NyrA License",
"variableName": "NYRA_LICENSE_API_TOKEN",
"target": "Cloudflare billing Worker secret and desktop activation configuration",
"requiredFor": "Private license status API access and customer-safe device activation.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_LICENSE_API_TOKEN",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_LICENSE_API_TOKEN --cwd cloud/billing-worker --env production",
"$env:NYRA_LICENSE_API_TOKEN = \"<NYRA_LICENSE_API_TOKEN>\""
],
"verificationCommand": "npm run cloud:billing:check && npm run test:cloud-billing-worker",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_license_signing_secret",
"source": "handoff-readiness",
"service": "NyrA License",
"variableName": "NYRA_LICENSE_SIGNING_SECRET",
"target": "Cloudflare billing Worker and mobile bridge Worker secret",
"requiredFor": "HMAC signing of device-scoped license access tokens accepted by billing and mobile bridge APIs.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_LICENSE_SIGNING_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/billing-worker --env production",
"npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/mobile-bridge-worker --env production",
"$env:NYRA_LICENSE_SIGNING_SECRET = \"<NYRA_LICENSE_SIGNING_SECRET>\""
],
"verificationCommand": "npm run cloud:billing:check && npm run test:cloud-billing-worker && npm run cloud:mobile-bridge:check",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_android_download_ticket_secret",
"source": "handoff-readiness",
"service": "NyrA Mobile Bridge",
"variableName": "NYRA_ANDROID_DOWNLOAD_TICKET_SECRET",
"target": "Cloudflare mobile bridge Worker secret",
"requiredFor": "Short-lived Android APK download tickets for customer update installs without a bundled shared bridge token.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_ANDROID_DOWNLOAD_TICKET_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "mobile-bridge",
"safeSetupCommands": [
"npx wrangler secret put NYRA_ANDROID_DOWNLOAD_TICKET_SECRET --cwd cloud/mobile-bridge-worker --env production",
"$env:NYRA_ANDROID_DOWNLOAD_TICKET_SECRET = \"<NYRA_ANDROID_DOWNLOAD_TICKET_SECRET>\""
],
"verificationCommand": "npm run cloud:mobile-bridge:check && npm run test:mobile-bridge-security",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "cloud-worker-secret-nyra_command_token",
"source": "cloud-command-center-worker",
"service": "Cloud Command Center",
"variableName": "NYRA_COMMAND_TOKEN",
"target": "Cloudflare command-center Worker secret",
"requiredFor": "Bearer-token authentication on the deployed command-center API. Use the same private value in the local NYRA_COMMAND_CENTER_TOKEN shell variable when syncing.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "deployment secret store: NYRA_COMMAND_TOKEN",
"uploadSlot": "cloud-handoff",
"currentStatus": "Waiting on private token",
"workerService": "nyra-command-center-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker --env production"
],
"verificationCommand": "npm run cloud:command-center:health",
"noGoRule": "Never place the command-center bearer token into wrangler.jsonc, dashboard state, repo files, screenshots, or chat."
},
{
"id": "env-api-url",
"source": "cloud-deploy-preflight",
"service": "Cloud Command Center",
"variableName": "NYRA_COMMAND_CENTER_API_URL",
"target": "Temporary local shell and browser Cloud Connection URL field after Worker deployment",
"requiredFor": "After deploy, set NYRA_COMMAND_CENTER_API_URL in a temporary shell before cloud sync.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudSync.apiUrl",
"uploadSlot": "cloud-handoff",
"currentStatus": "Waiting on deployed Worker URL",
"workerService": "nyra-command-center-api",
"safeSetupCommands": [
"$env:NYRA_COMMAND_CENTER_API_URL = \"https://<your-command-center-worker-url>\""
],
"verificationCommand": "npm run cloud:command-center:health",
"noGoRule": "Never publish a private dashboard URL without Cloudflare Access or bearer-token auth. The Worker URL itself can be saved in the dashboard."
},
{
"id": "env-api-token",
"source": "cloud-deploy-preflight",
"service": "Cloud Command Center",
"variableName": "NYRA_COMMAND_CENTER_TOKEN",
"target": "Temporary local shell and browser localStorage only",
"requiredFor": "CLI cloud sync and browser API calls after deployment.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "browser localStorage only: nyraCommandCenterApiConfig.token",
"uploadSlot": "cloud-handoff",
"currentStatus": "Waiting on temporary sync token",
"workerService": "nyra-command-center-api",
"safeSetupCommands": [
"$env:NYRA_COMMAND_CENTER_TOKEN = \"<same private value as NYRA_COMMAND_TOKEN>\""
],
"verificationCommand": "npm run cloud:command-center:health",
"noGoRule": "Store this only in the current shell or browser Cloud Connection control; clear it after use and never commit it."
}
],
"topSecrets": [
{
"id": "env-stripe_secret_key",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "STRIPE_SECRET_KEY",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Stripe Checkout, Customer Portal, subscription lookups, and billing API requests.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: STRIPE_SECRET_KEY",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put STRIPE_SECRET_KEY --cwd cloud/billing-worker --env production",
"$env:STRIPE_SECRET_KEY = \"<STRIPE_SECRET_KEY>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-stripe_webhook_secret",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "STRIPE_WEBHOOK_SECRET",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Stripe webhook signature verification for subscription and entitlement events.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: STRIPE_WEBHOOK_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put STRIPE_WEBHOOK_SECRET --cwd cloud/billing-worker --env production",
"$env:STRIPE_WEBHOOK_SECRET = \"<STRIPE_WEBHOOK_SECRET>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_stripe_price_pro_monthly",
"source": "handoff-readiness",
"service": "Stripe Billing",
"variableName": "NYRA_STRIPE_PRICE_PRO_MONTHLY",
"target": "Cloudflare billing Worker secret and temporary billing rehearsal shell",
"requiredFor": "Checkout Session creation for the monthly Pro subscription price.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_STRIPE_PRICE_PRO_MONTHLY",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_STRIPE_PRICE_PRO_MONTHLY --cwd cloud/billing-worker --env production",
"$env:NYRA_STRIPE_PRICE_PRO_MONTHLY = \"<NYRA_STRIPE_PRICE_PRO_MONTHLY>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_success_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_SUCCESS_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Checkout success redirect after Stripe payment.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_SUCCESS_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_SUCCESS_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_SUCCESS_URL = \"<NYRA_BILLING_SUCCESS_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_cancel_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_CANCEL_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Checkout cancellation redirect back to the launch or app flow.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_CANCEL_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_CANCEL_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_CANCEL_URL = \"<NYRA_BILLING_CANCEL_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_billing_return_url",
"source": "handoff-readiness",
"service": "NyrA Billing",
"variableName": "NYRA_BILLING_RETURN_URL",
"target": "Cloudflare billing Worker secret or hosted backend environment variable",
"requiredFor": "Customer Portal return redirect after subscription management.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_BILLING_RETURN_URL",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_BILLING_RETURN_URL --cwd cloud/billing-worker --env production",
"$env:NYRA_BILLING_RETURN_URL = \"<NYRA_BILLING_RETURN_URL>\""
],
"verificationCommand": "npm run billing:live-preflight -- --mode test --allow-blocked",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_license_api_token",
"source": "handoff-readiness",
"service": "NyrA License",
"variableName": "NYRA_LICENSE_API_TOKEN",
"target": "Cloudflare billing Worker secret and desktop activation configuration",
"requiredFor": "Private license status API access and customer-safe device activation.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_LICENSE_API_TOKEN",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_LICENSE_API_TOKEN --cwd cloud/billing-worker --env production",
"$env:NYRA_LICENSE_API_TOKEN = \"<NYRA_LICENSE_API_TOKEN>\""
],
"verificationCommand": "npm run cloud:billing:check && npm run test:cloud-billing-worker",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_license_signing_secret",
"source": "handoff-readiness",
"service": "NyrA License",
"variableName": "NYRA_LICENSE_SIGNING_SECRET",
"target": "Cloudflare billing Worker and mobile bridge Worker secret",
"requiredFor": "HMAC signing of device-scoped license access tokens accepted by billing and mobile bridge APIs.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_LICENSE_SIGNING_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "nyra-billing-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/billing-worker --env production",
"npx wrangler secret put NYRA_LICENSE_SIGNING_SECRET --cwd cloud/mobile-bridge-worker --env production",
"$env:NYRA_LICENSE_SIGNING_SECRET = \"<NYRA_LICENSE_SIGNING_SECRET>\""
],
"verificationCommand": "npm run cloud:billing:check && npm run test:cloud-billing-worker && npm run cloud:mobile-bridge:check",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "env-nyra_android_download_ticket_secret",
"source": "handoff-readiness",
"service": "NyrA Mobile Bridge",
"variableName": "NYRA_ANDROID_DOWNLOAD_TICKET_SECRET",
"target": "Cloudflare mobile bridge Worker secret",
"requiredFor": "Short-lived Android APK download tickets for customer update installs without a bundled shared bridge token.",
"dashboardPage": "pages/billing-rehearsal.html",
"dashboardField": "deployment secret store: NYRA_ANDROID_DOWNLOAD_TICKET_SECRET",
"uploadSlot": "cloud-handoff",
"currentStatus": "Secret missing",
"workerService": "mobile-bridge",
"safeSetupCommands": [
"npx wrangler secret put NYRA_ANDROID_DOWNLOAD_TICKET_SECRET --cwd cloud/mobile-bridge-worker --env production",
"$env:NYRA_ANDROID_DOWNLOAD_TICKET_SECRET = \"<NYRA_ANDROID_DOWNLOAD_TICKET_SECRET>\""
],
"verificationCommand": "npm run cloud:mobile-bridge:check && npm run test:mobile-bridge-security",
"noGoRule": "Never paste raw secret values into dashboard fields, Markdown files, CSV files, screenshots, source code, repo state, or chat."
},
{
"id": "cloud-worker-secret-nyra_command_token",
"source": "cloud-command-center-worker",
"service": "Cloud Command Center",
"variableName": "NYRA_COMMAND_TOKEN",
"target": "Cloudflare command-center Worker secret",
"requiredFor": "Bearer-token authentication on the deployed command-center API. Use the same private value in the local NYRA_COMMAND_CENTER_TOKEN shell variable when syncing.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "deployment secret store: NYRA_COMMAND_TOKEN",
"uploadSlot": "cloud-handoff",
"currentStatus": "Waiting on private token",
"workerService": "nyra-command-center-api",
"safeSetupCommands": [
"npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker --env production"
],
"verificationCommand": "npm run cloud:command-center:health",
"noGoRule": "Never place the command-center bearer token into wrangler.jsonc, dashboard state, repo files, screenshots, or chat."
}
],
"redactionRules": [
"Use placeholders in docs and generated dashboards.",
"Use `wrangler secret put` or the chosen host secret manager for real values.",
"Use temporary PowerShell environment variables for local rehearsal only.",
"Do not commit local secret files, screenshots containing secrets, or copied dashboard state with raw secrets.",
"Clear temporary shell tokens after cloud sync or live billing rehearsal."
],
"outputs": {
"json": "docs/launch_command_center/secret-store-pack.json",
"csv": "docs/launch_command_center/secret-store-pack.csv",
"report": "docs/launch_command_center/SECRET_STORE_PACK.md",
"dashboard": "docs/launch_command_center/pages/secret-store.html",
"helperScript": "scripts/set-nyra-worker-secrets.ps1"
}
}