KV Key Registry
ENGINEERING_STANDARD §OO-EngStd-001 — Every KV prefix must appear here with
a tenant-scoped or cross-tenant classification. CI lint rule: any new KV
prefix introduced in src/ must have a matching row in this file.
Generated from codebase audit 2026-05-09. Canonical source: this file.
Classification legend
| Class | Meaning |
|---|---|
| tenant-scoped | Key contains {tenant} or {hash} that maps to one tenant. One tenant cannot read another’s data via this prefix. |
| cross-tenant | Key is shared across all tenants (config, global state, cron state). ACL protection is at the application layer. |
| ephemeral | Short-lived (TTL ≤ 10 min). Not backed up. Not expected in restore. |
| oauth-ephemeral | Ephemeral OAuth flow state. Purged once the flow completes. |
Auth & Identity
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| tenant_auth: | tenant_auth:{sha256_of_bearer_token} | cross-tenant | permanent | src/core/auth.ts | Maps hashed bearer token → { tenant_id, status }. Written by POST /admin/auth. |
| tenant_config: | tenant_config:{tenant_id} | tenant-scoped | permanent | src/handlers/admin/index.ts | Tenant metadata: name, status, connected_apis, connected_aliases, accounts. Type: TenantConfig. |
Tokens
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| tokens: | tokens:{tenant}:{provider}:{account_id} | tenant-scoped | dynamic (exp) | src/core/tokens.ts, src/do/token-manager.ts | OAuth / API token. Written by TokenManager DO alarm. Read in request hot path. Type: TokenData. |
| token_alias: | token_alias:{tenant}:{provider}:{account_id} | tenant-scoped | permanent | src/core/tokens.ts | Cross-tenant token alias pointer: { tenant, provider, account }. Agency model — one token shared across child tenants. ACL via tenant_config.connected_aliases. |
| nango_managed: | nango_managed:{provider} | cross-tenant | permanent | src/handlers/admin/index.ts | Flag: provider token-write path is Nango (not DO alarm). Value: "true". |
| reauth: | reauth:{tenant}:{provider}:{account} | tenant-scoped | permanent | src/handlers/admin/index.ts | Pending re-auth notification for expired / revoked token. |
| hermes_internal_token: | hermes_internal_token:{tenant_id} | tenant-scoped | permanent | src/handlers/connect.ts | Internal Hermes bearer token for a tenant. |
API Config & Health
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| api_config: | api_config:{provider} | cross-tenant | permanent | src/core/router.ts, src/handlers/admin/index.ts | Provider endpoint config: { base_url, auth_type, required_headers, scopes }. Type: ApiConfig. |
| api_health: | api_health:{provider} | cross-tenant | 10 min | src/cron/provider-health.ts | Cached API health snapshot. Ephemeral — stale on eviction is safe. |
OAuth Server Flow (ephemeral)
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| oauth_state: | oauth_state:{nonce} | oauth-ephemeral | 10 min | src/handlers/oauth-server.ts | PKCE state nonce → { code_challenge, redirect_uri, client_id, tenant }. |
| oauth_code: | oauth_code:{authorization_code} | oauth-ephemeral | 10 min | src/handlers/oauth-server.ts | Authorization code → token exchange payload. |
| oauth_token: | oauth_token:{sha256_hash} | oauth-ephemeral | variable | src/handlers/oauth-server.ts | OAuth access token hash → token record. |
| oauth_refresh: | oauth_refresh:{sha256_hash} | oauth-ephemeral | variable | src/handlers/oauth-server.ts | OAuth refresh token hash → token record. |
| oauth_client: | oauth_client:{client_id} | cross-tenant | permanent | src/handlers/oauth-server.ts | Registered OAuth client record. |
Rate Limiting
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| ratelimit: | ratelimit:{identity}:{minute} | tenant-scoped | 120 s | src/middleware/rate-limit.ts | Per-tenant per-minute request counter. Ephemeral. |
| ratelimit: | ratelimit:{tenant}:iface:{interface}:{minute} | tenant-scoped | 120 s | src/middleware/rate-limit.ts | Per-tenant per-interface per-minute counter. |
| ratelimit:ip: | ratelimit:ip:{ip_address}:{minute} | cross-tenant | 120 s | src/middleware/rate-limit.ts | Per-IP per-minute counter (anonymous requests). |
Usage Tracking
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| usage: | usage:{tenant_id}:{YYYY-MM} | tenant-scoped | permanent | src/middleware/auth.ts | Monthly call counter per tenant. Value: number (JSON). |
| calls: | calls:{tenant_id}:{provider}:{hour} | tenant-scoped | 2 h | src/cron/autoresearch.ts | Per-hour call count for autoresearch rate-limiting. |
Grader & Bridge
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| grader:disabled | grader:disabled | cross-tenant | permanent | src/grader/cost.ts | Kill switch — truthy value disables grading globally. |
| grader:deployed_at | grader:deployed_at | cross-tenant | permanent | src/cron/grader-tick.ts | Worker deploy epoch timestamp (ms). Seed once; never overwritten. |
| grader:dominant_model | grader:dominant_model | cross-tenant | permanent | src/grader/dominant-model.ts | Current dominant model string (majority across recent traces). |
| grader:dominant_refreshed_at | grader:dominant_refreshed_at | cross-tenant | permanent | src/grader/dominant-model.ts | ISO timestamp of last dominant-model refresh. |
| grader:cost: | grader:cost:{YYYY-MM-DD} | cross-tenant | 48 h | src/grader/cost.ts | Daily grader spend in USD. Used for daily budget cap check. |
| grader:category: | grader:category:{message_id} | cross-tenant | 1 h | src/grader/categorical-router.ts | Cached routing result for a trace message. |
| judge_config: | judge_config:{provider}:current_model | cross-tenant | 10 days | src/cron/judge-model-discovery.ts | Live judge model name for provider (openai/gemini/deepseek). JSON { primary, fallback, auto_promote }. |
| bridge:current_version | bridge:current_version | cross-tenant | permanent | scripts/post-deploy-record-version.ts | Active worker version ID. Written post-deploy. |
| bridge:active_canary: | bridge:active_canary:{version} | cross-tenant | permanent | src/cron/bridge-controller.ts | Canary trial record for a version. |
| bridge:promotion_state: | bridge:promotion_state:{version} | cross-tenant | permanent | src/cron/bridge-controller.ts | Promotion state machine for a canary version. |
| bridge:baseline_window: | bridge:baseline_window:{...} | cross-tenant | permanent | src/cron/bridge-controller.ts | Baseline quality window for comparison. |
Daily Brief & Autoresearch
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| daily_brief:configs | daily_brief:configs | cross-tenant | permanent | src/cron/daily-gtm-brief.ts | JSON array of brief config names. |
| daily_brief:config: | daily_brief:config:{name} | cross-tenant | permanent | src/cron/daily-gtm-brief.ts | Brief config object for a named brief. |
| daily_brief:prompt:active | daily_brief:prompt:active | cross-tenant | permanent | src/cron/daily-gtm-brief.ts | Active prompt template for briefs. |
| daily_brief: | daily_brief:{name}:{YYYY-MM-DD} | cross-tenant | 7 days | src/cron/daily-gtm-brief.ts | Cached brief output for a config on a date. |
| daily_brief:last_run_at: | daily_brief:last_run_at:{name} | cross-tenant | permanent | src/cron/daily-gtm-brief.ts | ISO timestamp of last successful run. |
| autoresearch:suggestions: | autoresearch:suggestions:{YYYY-MM-DD} | cross-tenant | 24 h | src/cron/autoresearch.ts | Cached autoresearch suggestions for a date. |
| thought_leader:config | thought_leader:config | cross-tenant | permanent | src/cron/weekly-digest.ts | Thought-leader config object. |
| thought_leader:cursor | thought_leader:cursor | cross-tenant | permanent | src/cron/weekly-digest.ts | Pagination cursor for thought-leader processing. |
Brand & Scheduling
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| brand_foundation: | brand_foundation:{tenant_id} | tenant-scoped | permanent | src/cron/daily-gtm-brief.ts | Brand foundation blob for a tenant. |
| canonical_tracking: | canonical_tracking:{tenant_account} | tenant-scoped | permanent | src/cron/daily-gtm-brief.ts | Canonical tracking config for a tenant account. |
| calcom_config: | calcom_config:{tenant_id} | tenant-scoped | permanent | src/handlers/connect.ts | Cal.com integration config for a tenant. |
| scheduling_policy: | scheduling_policy:{tenant_id} | tenant-scoped | permanent | src/handlers/connect.ts | Scheduling policy for a tenant. |
| booking: | booking:{booking_id} | cross-tenant | permanent | src/handlers/async.ts | Booking record. |
Async Jobs & Approvals
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| job: | job:{job_id} | cross-tenant | permanent | src/handlers/async.ts | Async job record. |
| pending_approval: | pending_approval:{id} | cross-tenant | permanent | src/handlers/admin/index.ts | Pending human-in-the-loop approval. |
Observability & Infra
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| system_health:current | system_health:current | cross-tenant | 10 min | src/cron/provider-health.ts | Aggregated system health snapshot. |
| gateway_auth_alert:last | gateway_auth_alert:last | cross-tenant | permanent | src/cron/gateway-auth-monitor.ts | ISO timestamp of last auth alert (dedup guard). |
| infisical_auth_token:cache | infisical_auth_token:cache | cross-tenant | 58 min | src/cron/infisical-reconciler.ts | Cached Infisical machine token. Ephemeral. |
| infisical_reconciler:last_run | infisical_reconciler:last_run | cross-tenant | permanent | src/cron/infisical-reconciler.ts | ISO timestamp of last successful reconciler run. |
| agent_state | agent_state | cross-tenant | permanent | src/tools/agent-state.ts | Global agent state blob. |
Pattern Bank & Memory
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| pattern_bank:seeded: | pattern_bank:seeded:{run_id} | cross-tenant | 30 days | src/cron/seed-pattern-bank.ts | Idempotency key — marks a pattern-bank seed run as complete. |
| pattern_bank:last_seeded_at | pattern_bank:last_seeded_at | cross-tenant | permanent | src/cron/seed-pattern-bank.ts | ISO timestamp of last successful seeding. |
| hindsight: | hindsight:{bank} | cross-tenant | permanent | src/lib/memory-patterns.ts | Hindsight memory bank. |
| hindsight:banks | hindsight:banks | cross-tenant | permanent | src/lib/memory-patterns.ts | List of hindsight bank names. |
Slack Monitor
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| slack_monitor:drafts: | slack_monitor:drafts:{workspace_id} | tenant-scoped | permanent | src/cron/weekly-digest.ts | Pending Slack drafts for a workspace. |
Capability Index (KV cache layer)
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| capability_index: | capability_index:{tool_name} | cross-tenant | permanent | src/lib/capability-retrieval.ts | KV-cached capability entry for a tool (mirrors Vectorize). Written by embed script. |
Backup coverage
KV prefixes included in weekly kv-backup cron (src/cron/kv-backup.ts):
tenant_auth: ✓
tenant_config: ✓
api_config: ✓
All other prefixes are either ephemeral (TTL < 24 h), derivable from D1, or
low-blast-radius (re-creatable from source). Expand backup scope via
PREFIXES array in src/cron/kv-backup.ts.
Adding a new prefix
- Add a row to this file.
- Classify as tenant-scoped or cross-tenant.
- Document TTL and owner.
- If tenant-scoped, ensure the key pattern includes {tenant} or a hash that is tenant-specific.
- If the prefix should be backed up, add it to the PREFIXES array in src/cron/kv-backup.ts.
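
Added example (not the project's own CI rule): a sketch of a lint that enforces the steps above, flagging tenant-scoped rows whose pattern has no tenant placeholder and key prefixes used in src/ that have no registry row. The placeholder regex, the sample rows, the `report_cache:` and `session:` prefixes, and all function names are assumptions made for illustration.

```typescript
type Row = { prefix: string; pattern: string; cls: string };

// Parse pipe-table rows (with or without a leading "|") into Row objects.
function parseRegistry(md: string): Row[] {
  const rows: Row[] = [];
  for (const line of md.split("\n")) {
    const cells = line.trim().replace(/^\||\|$/g, "").split("|").map((c) => c.trim());
    const [prefix = "", pattern = "", cls = ""] = cells;
    // Skip blank lines, header rows and separator rows.
    if (cells.length !== 6 || prefix === "Prefix" || /^-+$/.test(prefix)) continue;
    rows.push({ prefix, pattern, cls });
  }
  return rows;
}

// Assumption: a tenant placeholder is {tenant...} or any placeholder naming a hash.
const TENANT_PLACEHOLDER = /\{(tenant\w*|\w*hash\w*)\}/;

function lintRegistry(md: string, keysInSrc: string[]): string[] {
  const rows = parseRegistry(md);
  const problems: string[] = [];
  for (const r of rows) {
    if (!r.pattern.startsWith(r.prefix))
      problems.push(`pattern does not start with prefix: ${r.prefix}`);
    if (r.cls === "tenant-scoped" && !TENANT_PLACEHOLDER.test(r.pattern))
      problems.push(`tenant-scoped without tenant placeholder: ${r.pattern}`);
  }
  // Every key template found in source must begin with a registered prefix.
  for (const key of keysInSrc) {
    if (!rows.some((r) => key.startsWith(r.prefix)))
      problems.push(`unregistered prefix in src: ${key}`);
  }
  return problems;
}

// Constructed sample: two rows taken from the registry, one hypothetical bad row.
const SAMPLE = `
| Prefix | Pattern | Class | TTL | Owner | Description |
|---|---|---|---|---|---|
| tokens: | tokens:{tenant}:{provider}:{account_id} | tenant-scoped | dynamic (exp) | src/core/tokens.ts | OAuth / API token. |
| api_config: | api_config:{provider} | cross-tenant | permanent | src/core/router.ts | Provider endpoint config. |
| report_cache: | report_cache:{report_id} | tenant-scoped | 1 h | src/example.ts | Hypothetical row. |
`;
// Constructed key templates, as a scan of src/ might extract them.
const KEYS = ["tokens:${tenant}:${provider}:${id}", "api_config:${p}", "session:${sid}"];

console.log(lintRegistry(SAMPLE, KEYS));
```

Prefix matching here is a plain startsWith, so a broad row such as ratelimit: also covers ratelimit:ip: keys; a stricter lint would pick the longest matching prefix and compare the remaining segments against that row's pattern.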