Handbook
Enterprise — actions and tooling allowlists
Treat LENSES_ALLOW_ACTIONS and LENSES_ALLOW_GIT_ACTIONS as explicit capability switches — see Configuration reference and env matrix.
Updated
What it is
Treat LENSES_ALLOW_ACTIONS and LENSES_ALLOW_GIT_ACTIONS as explicit capability switches — see Configuration reference and env matrix.
| Flag | Rough blast radius |
|---|---|
LENSES_ALLOW_ACTIONS |
Scripted workspace mutations beyond read-only dashboards when paired with authenticated sessions. |
LENSES_ALLOW_GIT_ACTIONS |
Automation into git + runner POST flows — audit lenses-access.json scopes before enabling outside labs. |
Pair flags with lenses-access.json files checked into repos your operators trust — never expose git/tool runners anonymously.
Verify
lenses-access.json scopes are reviewed before flipping either flag outside a lab network.