143 docs
Reference

Preview config

Field-level reference for the `preview` section of `.143/config.json`.

Use the preview section when reviewers need a live app alongside the transcript and diff. The shape can stay small for one service or expand to multiple services, infrastructure, secrets, and network policy.

143 supports two shapes:

  • Single-service shorthand with top-level command, cwd, port, env, and ready.
  • Multi-service config with primary and services.

Do not mix the two shapes in one config.

Repos may also wrap preview configs in a named config map:

{
  "preview": {
    "default": "web",
    "configs": {
      "web": { "name": "Web", "command": ["npm", "run", "dev"], "port": 3000, "credentials": { "mode": "none" }, "network": { "mode": "managed" } },
      "docs": { "name": "Docs", "command": ["npm", "run", "dev"], "port": 3001, "credentials": { "mode": "none" }, "network": { "mode": "managed" } }
    }
  }
}

Use preview.default to auto-select one config. If there are multiple configs and no default, callers must provide a preview config name.

Top-level fields

preview.defaultstring
Default named config to use when `preview.configs` contains multiple entries.
preview.configsobject
Map of preview config name to a complete single-service or multi-service preview config.
preview.versionstring
Optional config version marker.
preview.namestring
Human label shown in the UI.
preview.primarystring
Service key that receives browser traffic in multi-service previews. Required for multi-service configs.
preview.installobject
Optional dependency install phase that runs before services start.
preview.servicesobject
Map of service name to service config.
preview.infrastructureobject
Optional managed sidecars such as Postgres or Redis.
preview.resourcesobject
Optional CPU, memory, and ephemeral-storage requests and limits.
preview.secretsobject | object[]
Admin-managed preview secret bundle reference. Use this for secret env vars and generated config files.
preview.credentialsobject
Legacy env-only credential injection policy. Omit it or use { "mode": "none" } if no legacy credential set is needed.
preview.networkobjectrequired
Network policy. Use { "mode": "managed" } for the default sandbox policy.
preview.progressiveboolean
For multi-service previews, allow partial readiness once the primary service is ready.
preview.commandstring[]
Single-service shorthand command.
preview.cwdstring
Single-service shorthand working directory.
preview.portinteger
Single-service shorthand port.
preview.envobject
Single-service shorthand non-secret env vars.
preview.readyobject
Single-service shorthand readiness probe.

Install fields

preview.install.commandstring[]required
Dependency install argv executed before services start.
preview.install.cwdstringdefault: .
Working directory relative to the repo root.
preview.install.lockfilesstring[]
Repo-relative files included in the install cache key.
preview.install.clean_pathsstring[]
Repo-relative paths or simple globs removed before reinstalling. 143 deletes only declared paths.
preview.install.verify_pathsstring[]
Repo-relative paths that must exist before a cached install can be reused.
preview.install.cache.enabledbooleandefault: true
Set false to opt out of dependency artifact caching.
preview.install.cache.pathsstring[]
Additive repo-relative dependency/build cache paths. Effective paths are clean_paths + cache.paths + inferred paths, excluding platform-owned install markers.
preview.install.cache.build.enabledbooleandefault: true
Set false to opt out of build-artifact caching (incremental build caches saved after services report ready).
preview.install.cache.build.pathsstring[]
Additive repo-relative build cache paths (globs allowed). Effective paths are build.paths + inferred Turborepo cache dirs next to each JS lockfile.
preview.install.timeout_secondsintegerdefault: 420
Maximum install duration. Max 1800.

Install caches are keyed from the install command, declared lockfiles, the platform sandbox cache ABI, and effective cache paths. They speed up preview startup without replacing source files from the session workspace. Routine 143 deploys do not change the ABI; platform operators bump it only when sandbox OS/toolchain/runtime compatibility changes.

Use preview.install for dependency installation only. Source-dependent builds belong in service commands, where they run against the current workspace on every start.

Inferred dependency cache paths:

Dependency fileInferred cache path
package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock, bun.lock, bun.lockbnode_modules
poetry.lock, uv.lock, Pipfile.lock, pdm.lock, requirements.txt, requirements-dev.txt.venv
go.mod, go.sumvendor

Inference is relative to the dependency file directory. For example, services/api/poetry.lock infers services/api/.venv, and go.mod infers vendor.

Do not cache source directories, secret files, .git, .143/cache, .143/cache/preview-install, or any parent/glob path that can include preview install markers. requirements.txt is safe only when dependencies are pinned. For stale dependencies, change lockfiles or temporarily set cache.enabled: false.

Build-artifact cache

Build-artifact caches are separate from install artifacts. They are restored after install and saved asynchronously after services report ready. JS lockfiles infer Turborepo cache directories; add other content-addressed caches, such as .next/cache, with preview.install.cache.build.paths.

Only cache build directories whose tool validates entries by content hash. A stale build cache should degrade to a partial miss, not serve wrong output.

Service fields

commandstring[]required
Command argv executed directly inside the sandbox.
cwdstring
Working directory relative to the repo root.
portintegerrequired
Port the service binds to.
envobject
Non-secret environment variables.
ready.http_pathstring
Path used for readiness checks.
ready.timeout_secondsintegerdefault: 90
Maximum wait before readiness fails.

Constraints:

  • At most 4 services per preview config.
  • Ports must be unique.
  • port must be in the range 1024 to 65535.
  • ready.http_path must start with / and use safe URL path characters.

Infrastructure fields

templatestringrequired
Managed sidecar template such as `postgres-17` or `redis-7`.
init_scriptstring
Optional SQL or shell script relative to the repo root.
inject_envobject
Environment variables built from sidecar connection placeholders.
inject_intostring[]
Service names that receive injected environment variables.

Supported templates:

TemplateDefault port
postgres-175432
postgres-165432
redis-76379
mysql-83306

Supported inject_env placeholders are {{username}}, {{password}}, {{host}}, {{port}}, and {{database}}.

Secret bundle fields

New preview configs should prefer preview.secrets. The legacy preview.credentials shape remains supported for env-var-only credential sets.

preview.secrets.bundlestringrequired
Name of the admin-managed preview secret bundle.
preview.secrets.servicesstring[]required
Service names that receive env outputs from the bundle. File outputs are workspace-wide and must list every preview service.
preview.secrets.envstring[]
Non-secret hint listing required env var names.
preview.secrets.filesstring[]
Non-secret hint listing the generated secret file path, such as `development.conf.json`. V1 admin bundles support one file output.

preview.secrets may be a single object or an array of objects. The repo config never contains secret values. It only declares the bundle name, service scope, and expected output names. A bundle may deliver multiple environment variables and one generated file.

Admin-managed bundle outputs support:

Output formatUse
envInject named env vars into scoped services.
jsonGenerate a JSON file from structured content or from one managed secret value containing the whole JSON document. The resolved value must parse as JSON.
rawGenerate a file from one complete secret value, useful for PEM blocks or other non-JSON blobs.

For a whole JSON file such as development.conf.json, store the raw JSON document as the managed secret value and configure the file output as:

{
  "type": "file",
  "path": "development.conf.json",
  "format": "json",
  "value": "secret:development_conf_json"
}

Do not base64-encode JSON just to preserve quotes or newlines. 143 writes generated files as bytes and handles runtime shell transport internally.

Credential fields

preview.credentials.modestring
Use "none" for no legacy credentials or "managed_env" for a legacy managed credential set.
preview.credentials.credential_setstring
Name of the admin-managed credential set to use.
preview.credentials.envstring[]
Allowlist of environment variable names to inject from the credential set.
preview.credentials.inject_intostring[]
Service names that receive these credential env vars.

Secret values do not belong in .143/config.json. Put public, non-secret values in service env; reference secrets with preview.secrets or legacy preview.credentials.

Network fields

preview.network.modestringrequired
Use "managed" for the default sandbox egress policy.
preview.network.destinationsstring[]
Named managed destinations, such as staging databases or partner APIs, that the preview may reach.

Resource fields

preview.resources.requests.cpustring
CPU request, such as "500m" or "1".
preview.resources.requests.memorystring
Memory request, such as "512Mi" or "1Gi".
preview.resources.requests.ephemeral-storagestring
Ephemeral storage request, such as "5Gi".
preview.resources.limits.cpustring
CPU limit. Platform hard cap is 2 cores; org admins can configure a lower max.
preview.resources.limits.memorystring
Memory limit. Platform hard cap is 8Gi; org admins can configure a lower max.
preview.resources.limits.ephemeral-storagestring
Ephemeral storage limit. Platform hard cap is 10Gi; org admins can configure a lower max.

Platform-injected environment

Every service receives:

VariableUse
HOSTDefaults to 0.0.0.0 so frameworks bind where the preview gateway can reach them.
ONEFORTYTHREEAlways true. Use this to detect that the process is running on 143. This name is reserved; preview configs and secret bundle env outputs that declare it fail validation.
ONEFORTYTHREE_ENVAlways preview for preview runtimes. Use this to disable background consumers, schedulers, profilers, telemetry exporters, and other work that is not required to serve the preview. This name is reserved; preview configs and secret bundle env outputs that declare it fail validation.
PREVIEW_ORIGINPublic preview URL. Use this for external base URLs, redirects, callbacks, and absolute links.

Trust rules

Preview config is repository content. For fields that can expose secrets or network access, 143 reads from the base branch rather than an agent diff.

For non-connected previews, service runtime fields can come from the session diff. For connected previews, launch behavior is pinned to the base branch. A preview is connected when preview.secrets is present, preview.credentials.mode is not none, or preview.network.destinations is non-empty.

Runtime freshness

143 can live-update ordinary source changes through the preview's dev server. Dependency, preview config, build config, environment config, and schema changes require a preview refresh. Refreshes reuse install, package-manager, and build caches when their keys still match.

For task-based examples and behavior details, see Preview environments. For repo-wide setup, see Repo config.

On this page

Top-level fieldsInstall fieldsBuild-artifact cacheService fieldsInfrastructure fieldsSecret bundle fieldsCredential fieldsNetwork fieldsResource fieldsPlatform-injected environmentTrust rulesRuntime freshness