Prism Server Requires Undocumented PRISM_CLIENT_SPAWNABLE Environment Variable
Resolved 💬 3 comments Opened Dec 9, 2025 by not-a-not-c Closed Feb 8, 2026
Bug Description
When attempting to create entities (Projects, Reuse Retailers, etc.) from the browser client, the server rejects mutations with "Authorization denied: component cannot be spawned by clients" unless the PRISM_CLIENT_SPAWNABLE environment variable is set.
Severity
Minor - DevOps/Configuration issue, but blocks all entity creation without proper configuration
Steps to Reproduce
- Start Prism server without
PRISM_CLIENT_SPAWNABLEenv var - Start Decon Depot HTTP server
- Navigate to http://localhost:3000/projects/new
- Fill in project details and click "Create Project"
- Observe error in console/network tab
Expected Behavior
- Either the environment variable should be documented in setup instructions
- Or client-spawnable components should be configured by default for development
Actual Behavior
- Error: "Authorization denied: component cannot be spawned by clients"
- No entity is created
- User sees generic error message
Workaround
Set the environment variable when starting Prism:
PRISM_CLIENT_SPAWNABLE="type://decon-depot/" prism serve
Technical Context
- Prism ECS uses URI-based permissions
- The
PRISM_CLIENT_SPAWNABLEprefix allows browser clients to create entities matching the URI pattern - This is a security feature but needs documentation for developers
Acceptance Criteria
- [ ] Document the
PRISM_CLIENT_SPAWNABLEenv var in README or setup docs - [ ] Consider adding to development startup scripts
- [ ] Add clear error message explaining what's needed when permission denied
Environment
- Prism runtime
- Decon Depot app
- Development environment
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗