hexclave · nams1570 · May 6, 2026 · May 6, 2026
diff --git a/apps/backend/.env b/apps/backend/.env
@@ -15,7 +15,7 @@ STACK_SEED_INTERNAL_PROJECT_USER_PASSWORD=# default user's password, paired with
 STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=# if the default user has access to the internal dashboard project
 STACK_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=# add github oauth id to the default user
 STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=# default publishable client key for the internal project
-STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project
+STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project
 STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=# default super secret admin key for the internal project
 
 # OAuth mock provider settings

diff --git a/apps/backend/.env.development b/apps/backend/.env.development
@@ -14,7 +14,7 @@ STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,spotify,google,microsoft
 STACK_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=admin@example.com
 STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=true
 STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
-STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
+STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
 STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=this-super-secret-admin-key-is-for-local-development-only
 
 STACK_OAUTH_MOCK_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}14

diff --git a/apps/backend/prisma/seed.ts b/apps/backend/prisma/seed.ts
@@ -372,8 +372,8 @@ export async function seed() {
     const keySet = {
       publishableClientKey: rawPck || throwErr('STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is not set'),
       secretServerKey: isLocalEmulator
-        ? (process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY ?? null)
-        : (process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set')),
+        ? (process.env.STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY ?? null)
+        : (process.env.STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set')),
       superSecretAdminKey: isLocalEmulator
         ? (process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY ?? null)
         : (process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY is not set')),

diff --git a/apps/backend/src/stack.tsx b/apps/backend/src/stack.tsx
@@ -18,6 +18,6 @@ export function getStackServerApp() {
     projectId: 'internal',
     tokenStore: null,
     publishableClientKey: getEnvVariable('STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY'),
-    secretServerKey: getEnvVariable('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY'),
+    secretServerKey: getEnvVariable('STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY'),
   });
 }
diff --git a/docker/local-emulator/qemu/cloud-init/emulator/user-data b/docker/local-emulator/qemu/cloud-init/emulator/user-data
@@ -118,7 +118,7 @@ write_files:
         cat /mnt/stack-runtime/base.env
         cat /mnt/stack-runtime/runtime.env
         printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$INTERNAL_PCK"
-        printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$INTERNAL_SSK"
+        printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$INTERNAL_SSK"
         printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$INTERNAL_SAK"
         if [ -n "$EMULATOR_CRON_SECRET" ]; then
           printf 'CRON_SECRET=%s\n' "$EMULATOR_CRON_SECRET"
@@ -503,7 +503,7 @@ write_files:
           --env-file /etc/stack-build.env \
           --env-file /etc/stack-build-computed.env \
           -e STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY="$SMOKE_PCK" \
-          -e STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY="$SMOKE_SSK" \
+          -e STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY="$SMOKE_SSK" \
           -e STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY="$SMOKE_SAK" \
           -e STACK_SKIP_MIGRATIONS=true \
           -e STACK_SKIP_SEED_SCRIPT=true \
@@ -646,7 +646,7 @@ write_files:
 
       exec docker exec \
         -e STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY \
-        -e STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY \
+        -e STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY \
         -e STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY \
         -e CRON_SECRET \
         stack /usr/local/bin/rotate-secrets

diff --git a/docker/local-emulator/qemu/run-emulator.sh b/docker/local-emulator/qemu/run-emulator.sh
@@ -693,7 +693,7 @@ qga_trigger_fast_rotate() {
   fresh_cron="$(openssl rand -hex 32)"
   payload=$(
     printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$fresh_pck"
-    printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$fresh_ssk"
+    printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$fresh_ssk"
     printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$fresh_sak"
     printf 'CRON_SECRET=%s\n' "$fresh_cron"
   )

diff --git a/docker/local-emulator/rotate-secrets.sh b/docker/local-emulator/rotate-secrets.sh
@@ -38,7 +38,7 @@ if [ -n "${STACK_ROTATE_INPUT:-}" ] && [ -f "$STACK_ROTATE_INPUT" ]; then
 fi
 
 for var in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY \
-           STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY \
+           STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY \
            STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY \
            CRON_SECRET; do
   val="${!var:-}"
@@ -56,12 +56,12 @@ mkdir -p "$(dirname "$OUTPUT")"
 umask 077
 {
   printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY"
-  printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY"
+  printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY"
   printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY"
   printf 'CRON_SECRET=%s\n' "$CRON_SECRET"
   # Mirror these so process.env lookups in Node match env after restart.
   printf 'NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=%s\n' "$STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY"
-  printf 'STACK_SECRET_SERVER_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY"
+  printf 'STACK_SECRET_SERVER_KEY=%s\n' "$STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY"
   printf 'STACK_SUPER_SECRET_ADMIN_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY"
 } > "$OUTPUT"
 chmod 0600 "$OUTPUT"
@@ -92,7 +92,7 @@ if [ -n "${STACK_DATABASE_CONNECTION_STRING:-}" ]; then
   psql "$STACK_DATABASE_CONNECTION_STRING" -v ON_ERROR_STOP=1 <<SQL
 UPDATE "ApiKeySet" SET
   "publishableClientKey" = '${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}',
-  "secretServerKey"      = '${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
+  "secretServerKey"      = '${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
   "superSecretAdminKey"  = '${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}',
   "updatedAt"            = NOW()
 WHERE "projectId" = 'internal' AND id = '3142e763-b230-44b5-8636-aa62f7489c26';

diff --git a/docker/server/entrypoint.sh b/docker/server/entrypoint.sh
@@ -23,23 +23,23 @@ fi
 # ============= ENV VARS =============
 
 if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ]; then
-  for v in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
+  for v in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
     if [ -z "${!v:-}" ]; then
       echo "$v must be set in local-emulator mode (injected by the QEMU VM)." >&2
       exit 1
     fi
   done
-  export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY
+  export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY
 else
   export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY:-$(openssl rand -base64 32)}
-  export STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY:-$(openssl rand -base64 32)}
+  export STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY:-$(openssl rand -base64 32)}
   export STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY:-$(openssl rand -base64 32)}
 fi
 
 export NEXT_PUBLIC_STACK_PROJECT_ID=internal
 export NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}
-if [ -n "${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY:-}" ]; then
-  export STACK_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}
+if [ -n "${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY:-}" ]; then
+  export STACK_SECRET_SERVER_KEY=${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}
 fi
 if [ -n "${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY:-}" ]; then
   export STACK_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}
@@ -102,7 +102,7 @@ fi
 if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ] && [ -n "${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY:-}" ] && [ -n "${STACK_DATABASE_CONNECTION_STRING:-}" ]; then
   # Validate the keys are hex-only to defuse any SQL-injection risk (the VM
   # generates them via `openssl rand -hex 32`, so this is an assert, not a filter).
-  for varname in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
+  for varname in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
     val="${!varname:-}"
     if [ -z "$val" ]; then
       echo "ERROR: $varname is not set; refusing to bootstrap internal api key set." >&2
@@ -118,7 +118,7 @@ if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ] && [ -n "${STACK_INTERNAL
 INSERT INTO "ApiKeySet" ("projectId", id, description, "expiresAt", "createdAt", "updatedAt", "publishableClientKey", "secretServerKey", "superSecretAdminKey")
 VALUES ('internal', '3142e763-b230-44b5-8636-aa62f7489c26', 'Internal API key set', '2099-12-31T23:59:59Z', NOW(), NOW(),
         '${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}',
-        '${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
+        '${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
         '${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}')
 ON CONFLICT ("projectId", id) DO UPDATE SET
   "publishableClientKey" = EXCLUDED."publishableClientKey",