Enterprise — actions and tooling allowlists

Treat LENSES_ALLOW_ACTIONS and LENSES_ALLOW_GIT_ACTIONS as explicit capability switches — see Configuration reference and env matrix.

Updated

What it is

Treat LENSES_ALLOW_ACTIONS and LENSES_ALLOW_GIT_ACTIONS as explicit capability switches — see Configuration reference and env matrix.

Flag Rough blast radius
LENSES_ALLOW_ACTIONS Scripted workspace mutations beyond read-only dashboards when paired with authenticated sessions.
LENSES_ALLOW_GIT_ACTIONS Automation into git + runner POST flows — audit lenses-access.json scopes before enabling outside labs.

Pair flags with lenses-access.json files checked into repos your operators trust — never expose git/tool runners anonymously.

Verify

lenses-access.json scopes are reviewed before flipping either flag outside a lab network.

What to do next