What is the 'Neural Link'?

The Neural Link is a bi-directional bridge that connects AI agents (like Gemini or Claude) directly to the Neo.mjs runtime. It allows agents to 'see' the application's Scene Graph, inspect component state, verify event listeners, and even mutate the running application in real-time. This turns the application into a 'glass box' for AI, enabling autonomous debugging and feature development.

Why is Neo.mjs called an 'Application Engine' instead of a framework?

Traditional frameworks are general-purpose libraries (like a Toyota) that help you organize code, but they compile away into ephemeral DOM nodes. Neo.mjs is a precision-engineered runtime (like an F1 car), similar to Unreal Engine for games. It maintains a persistent 'Scene Graph' of objects in a separate worker thread. These objects retain their identity, state, and relationships, allowing for advanced capabilities like multi-window orchestration, runtime permutation, and deep AI introspection that are impossible with 'melted plastic' DOM-based frameworks.

What is 'Context Engineering'?

Context Engineering is the practice of curating the environment and information flow for AI agents to maximize their autonomy. In Neo.mjs, this is implemented via three Model Context Protocol (MCP) servers: a Knowledge Base for semantic code understanding, a Memory Core for learning from past sessions, and a GitHub Workflow server for project management. This ecosystem allows agents to work as fully integrated members of the development team.

What is 'Object Permanence' in the context of Neo.mjs?

In Neo.mjs, UI components are persistent JavaScript objects living in the App Worker, not just transient rendering results. This 'Object Permanence' means a component (like a Dashboard) maintains its state (scroll position, user input, internal logic) even if it is detached from the DOM or moved to a different browser window. This is the 'Lego Technic' approach versus the 'Duplo' approach of traditional frameworks.

What is an 'Agent Operating System'?

Neo.mjs v11 introduced the concept of an Agent OS, where the platform itself provides the tools and interfaces for AI agents to operate. It combines a standalone, type-safe AI SDK for autonomous 'Code Execution' with the Neural Link for runtime control. This enables agents to monitor, debug, and heal the application autonomously, effectively acting as an operating system for synthetic intelligence.

How does Neo.mjs handle multi-window applications?

Neo.mjs uses shared web workers to run a single application instance across multiple browser windows. All windows share the same application state and data in real-time. Components can even move between windows while retaining their JavaScript instances. This enables desktop-class experiences like multi-window IDEs, browser-based email clients, and multi-screen control rooms.

What makes Neo.mjs different from React, Angular, or Vue?

Neo.mjs is fundamentally different in its architecture: (1) It uses True Multithreading via web workers to prevent UI jank, (2) It is an AI-Native Application Engine with built-in bridges for AI collaboration, and (3) It treats components as persistent objects in a Scene Graph, enabling native multi-window support and runtime permutation.

Frontmatter

id	10824
title	Audit MCP env vars for config substrate cleanup
state	Closed
labels	enhancementairefactoringarchitecturemodel-experience
assignees	neo-gpt
createdAt	May 6, 2026, 6:10 PM
updatedAt	May 6, 2026, 11:41 PM
githubUrl	https://github.com/neomjs/neo/issues/10824
author	neo-gpt
commentsCount	0
parentIssue	10822
subIssues	[]
subIssuesCompleted	0
subIssuesTotal	0
blockedBy	[]
blocking	[]
closedAt	May 6, 2026, 11:41 PM

Audit MCP env vars for config substrate cleanup

Name: Neo.mjs Application Engine
Author: Neo.mjs

Closedenhancementairefactoringarchitecturemodel-experience

neo-gpt commented on May 6, 2026, 6:10 PM

Context

Epic #10822 graduated Discussion #10819 into the config substrate cleanup track. Phase 1 AC1 requires an audit that classifies every environment-variable read across ai/mcp/server/** before the swarm deletes aliases, introduces the Tier 1 shared config, or restores config.mjs delta-merge as the primary non-env extensibility path.

This ticket exists because Phase 1 #2 is already filed as #10823, but deletion should consume an explicit inventory rather than infer scope from resolver-local grep. Claude's A2A lane handoff (MESSAGE:ecb64615-491c-4a87-bd9d-b735bcd4a5d0) assigned this read-only audit lane to @neo-gpt.

Duplicate sweep evidence:

Knowledge Base semantic ticket sweep for duplicate ticket env-var audit classify config substrate cleanup AC1 returned no relevant documents.
GitHub exact sweeps found #10822 and #10823, but no standalone AC1 inventory ticket.
Local grep found the AC1 parent text in resources/content/issues/issue-10822.md:99.

The Problem

The current config substrate mixes at least five env-var roles in one surface: secrets, runtime binding, identity/session binding, single-writer process role, and operator one-shot toggles. It also carries dev-branch-only aliases and config-key fallbacks that are scheduled for hard deletion under #10823.

Without an explicit inventory, follow-up PRs can accidentally delete boot-critical env reads too early, leave dead aliases behind, or move values into the wrong tier of the three-tier model. The audit is the dependency that turns KISS deletion into a controlled substrate change.

The Architectural Reality

Empirical starter scan on current dev:

rg "process\\.env\\.[A-Z0-9_]+|process\\.env\\[[^\\]]+\\]" ai/mcp/server finds reads in Memory Core, Knowledge Base, and shared server services.
ai/mcp/server/shared/helpers/DeploymentConfig.mjs:23 resolves MCP_HTTP_PORT with legacy SSE_PORT.
ai/mcp/server/shared/helpers/DeploymentConfig.mjs:67 and :89 resolve Chroma host/port with optional legacy env-var names.
ai/mcp/server/memory-core/helpers/EmbeddingProviderConfig.mjs:12 resolves canonical and legacy embedding-provider inputs.
ai/mcp/server/knowledge-base/config.template.mjs:141 still reads both NEO_MEMORY_DB_PATH and NEO_MEMORY_CORE_DB_PATH.
ai/mcp/server/shared/services/TransportService.mjs:112 still reads bare HOST, which needs classification rather than blind deletion.

The target classification is defined by #10822: keep env vars only when they belong to secrets, runtime-binding, identity-binding, single-writer-process-role, multi-tenant-isolation, or operator-one-shot-toggle roles. Everything else should move to Tier 1 shared config or Tier 2 per-server config, or be deleted.

The Fix

Produce a markdown audit table, committed with the implementation PR, covering every env-var read under ai/mcp/server/**.

Required table columns:

env var	current readers	target tier	deletion/keep rationale

The audit must distinguish canonical env vars from legacy aliases and must explicitly call out reads that are not direct process.env.NAME dot-access, such as indexed legacy env reads.

Contract Ledger Matrix

Target Surface	Source of Authority	Proposed Behavior	Fallback / Edge Case	Docs	Evidence
Env-var inventory for `ai/mcp/server/**`	#10822 AC1 + operator KISS/v13 direction	Complete markdown table classifying every env-var read into the target tier model	If a read cannot be classified confidently, mark it `needs-design` with the owning file and rationale instead of guessing	PR body links the table and summarizes keep/delete counts	`rg` command output plus reviewed source paths
Alias deletion dependency	#10822 AC2 + #10823	#10823 consumes the audit output before deleting aliases	Deletion PR must not remove boot-critical vars before Phase 1.5 substrate is active per #10822 AC14	Cross-link from #10823 or PR body	Audit table rows for each alias

Acceptance Criteria

Every process.env.* and process.env[...] read under ai/mcp/server/** is represented in the table.
Every row includes current reader path(s), target tier, and deletion/keep rationale.
The table explicitly marks legacy/deprecated aliases targeted by #10823.
The table explicitly marks boot-critical env vars that must survive until Phase 1.5 config substrate is active per #10822 AC14.
The PR body includes the exact scan command(s) used and a short count summary by target tier.
No alias deletion or resolver behavior change lands in this ticket's PR.

Out of Scope

Deleting aliases or flattening resolvers. That belongs to #10823 and later #10822 AC12 work.
Creating the Tier 1 shared config module.
Implementing the boot-time validator.
Operator-side .env migration across harnesses.

Avoided Traps

Blind deletion from grep output: env-var reads have different roles; some are secrets or runtime binding and should stay env-backed.
Framework-style deprecation chains: the audit should not preserve aliases just because they exist; dev-branch-only aliases are not released-version compatibility.
Moving secrets into config files: secrets remain env territory.

Parent: #10822
Feeds: #10823
Originating Discussion: #10819
Origin A2A Message: MESSAGE:ecb64615-491c-4a87-bd9d-b735bcd4a5d0

Handoff Retrieval Hints

query_raw_memories(query="config substrate cleanup KISS three-tier env-var audit")
query_raw_memories(query="Phase 1 env var audit classify every process.env ai/mcp/server")
GitHub archaeological source: Discussion #10819 and Epic #10822

tobiu closed this issue on May 6, 2026, 11:41 PM

tobiu referenced in commit 6a498f4 - "docs(agentos): audit MCP env-var substrate (#10824) (#10831) on May 6, 2026, 11:41 PM