Production Checklist

Lucent can harden the plugin layer, but production readiness is shared across three layers:

  • Lucent itself
  • your host Elysia app
  • your infrastructure and deployment platform

Use the Environment page as the canonical reference for environment variables.

Lucent Responsibilities

Lucent directly owns:

  • auth route generation and token/session handling
  • schema-diff migrations
  • request ID forwarding/generation
  • default security headers
  • collection CRUD, access control, and OpenAPI generation

App Responsibilities

Your Elysia app still owns:

  • any routes outside Lucent
  • app-wide rate limiting beyond Lucent's scoped defaults
  • custom cookies and their SameSite/domain behavior
  • request size limits
  • deployment-time migration workflow

Infrastructure Responsibilities

Your platform still owns:

  • TLS termination
  • reverse proxy configuration
  • backups and restore procedures
  • monitoring and incident response
  • secret storage and rotation

Must Do Before Deploying

Strong Secrets

JWT_SECRET and SESSION_SECRET should be at least 32 random bytes.

openssl rand -base64 32

HTTPS Only

  • never expose the Bun process directly on public HTTP
  • terminate TLS at your reverse proxy or hosting platform
  • redirect HTTP to HTTPS

Recommended header at the edge:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Configure CORS Explicitly

Do not use wildcard origins when credentials are enabled.

api: {
  cors: {
    origin: ["https://app.example.com"],
    credentials: true,
  },
}
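As an added example (not Lucent code), a pre-deploy preflight check in TypeScript covering both the Strong Secrets item and the CORS item above: it rejects `JWT_SECRET`/`SESSION_SECRET` values shorter than 32 bytes and a wildcard origin combined with credentials. The `preflight` helper and the `CorsConfig` shape are assumptions modelled on the `api.cors` fragment shown here; the sample values are constructed.

```typescript
const MIN_SECRET_BYTES = 32;

interface CorsConfig { origin: string | string[]; credentials?: boolean }
type Env = Record<string, string | undefined>;

// Conservative byte count for a secret: a value that could be hex, base64 or
// raw text is measured by its shortest interpretation, so a weak secret is
// never accepted because of a lenient encoding guess.
function secretByteLength(value: string): number {
  const candidates = [Buffer.byteLength(value, "utf8")];
  if (/^[0-9a-fA-F]+$/.test(value) && value.length % 2 === 0) {
    candidates.push(value.length / 2);
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(value) && value.length % 4 === 0) {
    candidates.push(Buffer.from(value, "base64").length);
  }
  return Math.min(...candidates);
}

// Hypothetical pre-deploy check (not part of Lucent); returns a list of
// problems, empty when the configuration passes.
function preflight(env: Env, cors: CorsConfig): string[] {
  const problems: string[] = [];
  for (const name of ["JWT_SECRET", "SESSION_SECRET"]) {
    const value = env[name];
    if (!value) {
      problems.push(`${name} is not set`);
    } else if (secretByteLength(value) < MIN_SECRET_BYTES) {
      problems.push(`${name} is shorter than ${MIN_SECRET_BYTES} random bytes`);
    }
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.SESSION_SECRET) {
    problems.push("JWT_SECRET and SESSION_SECRET must differ");
  }
  const origins = Array.isArray(cors.origin) ? cors.origin : [cors.origin];
  if (cors.credentials && origins.includes("*")) {
    problems.push("cors.origin is a wildcard while credentials are enabled");
  }
  for (const origin of origins) {
    if (origin !== "*" && !origin.startsWith("https://")) {
      problems.push(`cors.origin ${origin} is not served over https`);
    }
  }
  return problems;
}

// Constructed sample values shaped like `openssl rand -base64 32` output (44 chars).
const GOOD_ENV: Env = { JWT_SECRET: "A".repeat(43) + "=", SESSION_SECRET: "B".repeat(43) + "=" };
const GOOD_CORS: CorsConfig = { origin: ["https://app.example.com"], credentials: true };
```

Run `preflight(process.env, config.api.cors)` at startup and refuse to boot when the returned list is non-empty.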

Review Migrations Before Running Them

Use dry-run before applying migrations in production:

lucent migrate --dry-run
lucent migrate

If dropOrphaned is enabled, verify backups first.

Audit Dependencies

bun audit

Queues

  • use durable Redis persistence/replication for BullMQ jobs that must survive restarts
  • treat queue workers as part of your runtime dependency graph
  • do not assume ephemeral container filesystems are safe for persisted jobs

S3 Storage

If using S3-compatible storage:

  • deny public bucket access unless you explicitly need it
  • prefer short signedUrlExpiry values
  • scope IAM credentials to the exact bucket and operations you need

Final Boundary Check

Lucent being “production-ready” does not mean:

  • your reverse proxy is safe
  • your backups exist
  • your Redis/Postgres topology is correct
  • your deployment process can recover from a bad migration

Those remain your responsibility.