Skip to content

feat: encrypt injected env blob for secure serverless deployments#656

Open
theoephraim wants to merge 8 commits into
mainfrom
feat/encrypted-env-blob
Open

feat: encrypt injected env blob for secure serverless deployments#656
theoephraim wants to merge 8 commits into
mainfrom
feat/encrypted-env-blob

Conversation

@theoephraim
Copy link
Copy Markdown
Member

@theoephraim theoephraim commented Apr 24, 2026
edited
Loading

Summary

Adds support for encrypting the resolved env blob that varlock injects into server-side build output. This protects secrets from leaking via sourcemaps or build artifact inspection on serverless platforms (Vercel, Netlify, Cloudflare Workers, etc.).

Encryption across all integrations

When _VARLOCK_ENV_KEY is set (or @encryptInjectedEnv decorator is enabled), the env blob is encrypted with AES-256-GCM before injection. At runtime, server-only init code decrypts it before initVarlockEnv() runs.

  • Vite / Astro / SvelteKit / TanStack Start — encrypted blob set on globalThis.__varlockEncryptedEnv, decrypted in virtual init module
  • Next.js — encrypted payload in process.env.__VARLOCK_ENV, decrypted by init-server/init-edge bundles
  • Cloudflare Workers — encrypted blob uploaded as CF secret, decrypted in worker init
  • Expo — no encryption needed (same-process)
  • auto-load — encrypts process.env.__VARLOCK_ENV in-place, sets parsed object on globalThis

Architecture

  • Decryption removed from env.ts entirely — no node:crypto dependency in client-bundleable code
  • New globalThis.__varlockEncryptedEnv separates encrypted blobs from parsed objects on __varlockLoadedEnv
  • crypto.ts uses top-level import instead of broken require in ESM output

New root decorators

  • @encryptInjectedEnv — declares encryption intent, supports forEnv(). Auto-generates key for dev servers and Cloudflare deploys, errors on production builds without key
  • @disableProcessEnvInjection — prevents injecting individual vars into process.env, forcing ENV proxy usage. Combined with encryption = zero plaintext secrets in process.env

CLI changes

  • varlock generate-key — fixed for ESM builds
  • varlock run --inject <all|vars|blob> — controls what gets injected into child process env (replaces deprecated --no-inject-graph)

Docs

  • New "Encrypted deployments" guide with platform-specific setup (Vercel, Netlify, Cloudflare)
  • Root decorator reference for both new decorators
  • Integration pages updated with concise notes linking to guide

Test plan

  • varlock generate-key works
  • Auto-load path encrypts/decrypts correctly
  • Auto-generates key when decorator set but no key provided
  • Vite SSR build with @encryptInjectedEnv produces encrypted output
  • Next.js build with _VARLOCK_ENV_KEY produces encrypted runtime files
  • Cloudflare varlock-wrangler deploy auto-generates key
  • @disableProcessEnvInjection prevents individual var injection
  • varlock run --inject blob only injects blob
  • Framework tests pass

@bumpy-bot
Copy link
Copy Markdown
Collaborator

bumpy-bot commented Apr 24, 2026
edited by github-actions Bot
Loading

bumpy-frog

The changes in this PR will be included in the next version bump.

minor Minor releases

  • varlock 1.4.0 → 1.5.0

patch Patch releases

  • @varlock/astro-integration 1.0.3 → 1.0.4 (cascade)
  • @varlock/cloudflare-integration 1.1.4 → 1.1.5
  • @varlock/expo-integration 1.1.0 → 1.1.1
  • @varlock/nextjs-integration 1.1.2 → 1.1.3
  • @varlock/vite-integration 1.1.2 → 1.1.3

Bump files in this PR

Click here if you want to add another bump file to this PR

This comment is maintained by bumpy.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Apr 24, 2026
edited
Loading

Open in StackBlitz

varlock

npm i https://pkg.pr.new/varlock@656

@varlock/cloudflare-integration

npm i https://pkg.pr.new/@varlock/cloudflare-integration@656

@varlock/expo-integration

npm i https://pkg.pr.new/@varlock/expo-integration@656

@varlock/nextjs-integration

npm i https://pkg.pr.new/@varlock/nextjs-integration@656

@varlock/vite-integration

npm i https://pkg.pr.new/@varlock/vite-integration@656

commit: 14bbc4d

@theoephraim theoephraim changed the title feat: encrypt env blob with VARLOCK_ENV_KEY feat: encrypt env blob with _VARLOCK_ENV_KEY Apr 25, 2026
@theoephraim theoephraim force-pushed the feat/encrypted-env-blob branch from d467143 to 93ac514 Compare April 25, 2026 08:35
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Apr 25, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 varlock-website 14bbc4d Commit Preview URL

Branch Preview URL		 Jun 01 2026, 09:38 PM

@theoephraim
feat: encrypt env blob with _VARLOCK_ENV_KEY for secure deployments
5978976 
When _VARLOCK_ENV_KEY (64-char hex) is set at build time, the resolved
env blob injected into build output is encrypted with AES-256-GCM.
At runtime, the init bundles detect the varlock:v1: prefix and decrypt
using the same key from the runtime environment.

This lets Vercel users set a single env var and have all other config
travel encrypted inside the deployment artifact.

- New crypto module with sync (node:crypto) and async (Web Crypto) paths
- All integration injection points (Next.js, Vite) encrypt when key is present
- _VARLOCK_ENV_KEY auto-excluded from injected blob and type generation
- varlock generate-key CLI command with --plain flag for piping
- Docs for Next.js and Vite integrations
- Framework tests for encrypted blob flow
@theoephraim theoephraim force-pushed the feat/encrypted-env-blob branch from 93ac514 to 5978976 Compare May 30, 2026 05:40
@theoephraim theoephraim changed the title feat: encrypt env blob with _VARLOCK_ENV_KEY feat: encrypted deployments with @encryptInjectedEnv + @disableProcessEnvInjection May 30, 2026
@theoephraim theoephraim changed the title feat: encrypted deployments with @encryptInjectedEnv + @disableProcessEnvInjection feat: encrypt injected env blob for secure serverless deployments May 30, 2026
@theoephraim theoephraim requested a review from philmillman May 30, 2026 05:54
@theoephraim
fix: use correct glob pattern for nextjs encrypted blob test
71dc215 
The test was looking for `.next/server/**/*runtime*.js` which doesn't
match webpack output files. Changed to `.next/server/**/*.js` and
removed the prerendered HTML assertion since the page is dynamic.
@theoephraim
test: add expectSuccess to vite encrypted blob test for debugging
ef80c32
@RobAndrewHurst RobAndrewHurst mentioned this pull request Jun 1, 2026
Draft
philmillman
philmillman approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@philmillman philmillman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a few nits. One thing we may want to consider for the future is whether we allow an arbitrary key name and then do the logic based on a type instead? Also does it make sense to allow them to generate/BYOK?

Comment thread framework-tests/frameworks/vite/vite-shared.ts Outdated
Comment thread packages/varlock-website/src/content/docs/integrations/nextjs.mdx Outdated
Comment thread packages/varlock-website/src/content/docs/integrations/nextjs.mdx Outdated
Comment thread packages/varlock-website/src/content/docs/integrations/vite.mdx Outdated
Comment thread packages/varlock-website/src/content/docs/integrations/vite.mdx Outdated
@theoephraim
fix: externalize crypto for Vite SSR to fix encrypted blob builds
bdffabe 
tsup/esbuild strips the node: prefix from imports, so varlock's built
dist uses `import crypto from 'crypto'` instead of 'node:crypto'.
Vite SSR only auto-externalizes node:-prefixed imports, so it tries
to bundle bare 'crypto' and fails with "Dynamic require not supported".

Fix: explicitly add 'crypto' to ssr.external in the Vite plugin config.
@theoephraim
fix: externalize bare crypto for Vite SSR builds
19c80ac 
esbuild strips the node: prefix from imports, so varlock's built dist
uses bare 'crypto' which Vite SSR doesn't auto-externalize. Add it
to ssr.external in the Vite plugin config.
@theoephraim
fix: externalize bare crypto for Vite SSR, skip for Cloudflare
25bdc15 
esbuild strips the node: prefix from imports, so varlock's built dist
uses bare 'crypto' which Vite SSR doesn't auto-externalize. Add it to
ssr.external in the Vite plugin, but skip when CF Vite plugin is present
since Workers handle node builtins via nodejs_compat.
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 1, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​ansis@​4.3.11001005494100
Addednpm/​tsdown@​0.22.1981008896100
Addednpm/​semver@​7.8.110010010092100

View full report

@theoephraim
chore: address PR review comments
14bbc4d 
- Use dynamic encryption keys in framework tests instead of hardcoded
- Improve docs wording for encrypted env blob notes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philmillman philmillman philmillman approved these changes

Assignees

No one assigned

Labels

core:varlock core:website integration:nextjs integration:vite maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@theoephraim @bumpy-bot @philmillman