Firecrawl and Exa have separate roles and independent disabled-by-default gates.
Discovery flow
Lucim records provider operations, budgets, lineage, candidate fingerprints, verification results, and coverage outcomes. Search cannot activate a candidate or emit a signal.
Operational controls
- Configure API keys only in Vault or platform secrets.
- Keep provider gates off until credentials, object storage, and request budgets are ready on both API and ordinary worker processes.
- Use signed Firecrawl callbacks plus polling reconciliation; callbacks are not the only completion path.
- Keep direct rendered-page fallback off unless a reviewed exception requires it.
- Use
/api/acquisition-health to inspect queue depth, lag, provider latency, budgets, coverage, and drift yield without exposing credentials.
Do not store Exa-generated summaries or Firecrawl search snippets as evidence. Lucim must fetch and verify the authoritative source through its registered adapter.