Prism Server Requires Undocumented PRISM_CLIENT_SPAWNABLE Environment Variable

Resolved 💬 3 comments Opened Dec 9, 2025 by not-a-not-c Closed Feb 8, 2026

Bug Description

When attempting to create entities (Projects, Reuse Retailers, etc.) from the browser client, the server rejects mutations with "Authorization denied: component cannot be spawned by clients" unless the PRISM_CLIENT_SPAWNABLE environment variable is set.

Severity

Minor - DevOps/Configuration issue, but blocks all entity creation without proper configuration

Steps to Reproduce

  1. Start Prism server without PRISM_CLIENT_SPAWNABLE env var
  2. Start Decon Depot HTTP server
  3. Navigate to http://localhost:3000/projects/new
  4. Fill in project details and click "Create Project"
  5. Observe error in console/network tab

Expected Behavior

  • Either the environment variable should be documented in setup instructions
  • Or client-spawnable components should be configured by default for development

Actual Behavior

  • Error: "Authorization denied: component cannot be spawned by clients"
  • No entity is created
  • User sees generic error message

Workaround

Set the environment variable when starting Prism:

PRISM_CLIENT_SPAWNABLE="type://decon-depot/" prism serve

Technical Context

  • Prism ECS uses URI-based permissions
  • The PRISM_CLIENT_SPAWNABLE prefix allows browser clients to create entities matching the URI pattern
  • This is a security feature but needs documentation for developers

Acceptance Criteria

  • [ ] Document the PRISM_CLIENT_SPAWNABLE env var in README or setup docs
  • [ ] Consider adding to development startup scripts
  • [ ] Add clear error message explaining what's needed when permission denied

Environment

  • Prism runtime
  • Decon Depot app
  • Development environment

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗