Requirements
- runtime version 3.4.0 or later
- 3.6.0 or later for the full sync contract
- a workspace API key generated from LumenFlow Cloud
Enroll a runtime
- Create a workspace or regenerate its API key
- Copy the generated `connectCommand` or `sdkEnrollment` descriptor
- Set the workspace token in `LUMENFLOW_CLOUD_TOKEN`
- Run the bootstrap command in the runtime you want LumenFlow Cloud to govern
Example:

```bash
export LUMENFLOW_CLOUD_TOKEN=lf_your_workspace_token
npx lumenflow cloud connect --endpoint https://lumenflow.cloud --org-id <org-id> --project-id <workspace-id> --token-env LUMENFLOW_CLOUD_TOKEN
```
What the SDK descriptor contains
| Field group | Purpose |
|---|---|
| bootstrap | Connect command, endpoint, org ID, workspace ID, and token environment |
| desiredState | Canonical config and policy fetch paths |
| observedState | Sessions, heartbeat, events, evidence, and telemetry paths |
| compatibility | Minimum supported runtime version and full-sync version |
Governance posture
Connected runtimes inherit the same workspace-level controls as hosted Sidekick. Budgets, approvals, and enterprise governance stay in the hosted control plane. A runtime may run in your environment, but it does not become a separate authority plane.
Operational guidance
- treat the workspace token like any other production secret
- keep the runtime on 3.6.0+ if you want the full sync contract
- watch Observe for runtime health, compatibility, and drift visibility
- rotate the API key if the runtime token is exposed or the environment changes
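
The version requirements and the token guidance above can be checked before running the connect command. The following preflight is an added example, not LumenFlow tooling: the function names are hypothetical, and it assumes the operator supplies the runtime version as an argument, since this page does not document how to query it.

```shell
#!/bin/sh
# Added example. Thresholds 3.4.0 and 3.6.0 are from this page; all names are assumptions.

# Accept only strict MAJOR.MINOR.PATCH; pre-release tags are rejected for manual review.
is_strict_version() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 1 ;; esac
  case $1 in *.*.*) return 0 ;; *) return 1 ;; esac
}

# Succeeds when version $1 >= version $2 (both already validated).
version_ge() {
  _ifs=$IFS; IFS=.
  set -- $1 $2   # split both versions into six numeric fields
  IFS=$_ifs
  if [ "$1" -ne "$4" ]; then if [ "$1" -gt "$4" ]; then return 0; else return 1; fi; fi
  if [ "$2" -ne "$5" ]; then if [ "$2" -gt "$5" ]; then return 0; else return 1; fi; fi
  if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# Map a runtime version to the compatibility tier described in Requirements.
runtime_sync_tier() {
  if ! is_strict_version "$1"; then echo invalid
  elif version_ge "$1" 3.6.0; then echo full-sync
  elif version_ge "$1" 3.4.0; then echo supported
  else echo unsupported
  fi
}

# Report token state without ever printing the token value.
token_status() {
  case ${LUMENFLOW_CLOUD_TOKEN-} in
    '') echo missing ;;
    lf_your_workspace_token) echo placeholder ;;  # docs example pasted verbatim
    *) echo present ;;
  esac
}

# Gate for the connect step: needs a real token and at least a supported runtime.
preflight() {
  tier=$(runtime_sync_tier "$1"); tok=$(token_status)
  echo "runtime tier: $tier; token: $tok" >&2
  [ "$tok" = present ] || return 1
  case $tier in full-sync|supported) return 0 ;; *) return 1 ;; esac
}
```

Source the file and call `preflight <runtime-version>`; a `supported` result passes the gate but means the runtime is below the 3.6.0 full sync contract.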