fix: cloudflare + tanstack start + vite 6/7/8 compatibility

.bumpy/_config.json

@@ -12,6 +12,12 @@
       "skipNpmPublish": true,
       "buildCommand": "bun run package",
       "publishCommand": "bun run publish:vsce && bun run publish:ovsx"
+    },
+    "@varlock/astro-integration": {
+      "cascadeFrom": ["@varlock/vite-integration"]
+    },
+    "@varlock/cloudflare-integration": {
+      "cascadeFrom": ["@varlock/vite-integration"]
     }
   }
 }

.bumpy/fix-cf-tanstack-vite-compat.md

@@ -0,0 +1,6 @@
+---
+"@varlock/vite-integration": patch
+"@varlock/cloudflare-integration": patch
+---
+
+fix cloudflare + tanstack start + vite 6/7/8 compatibility

framework-tests/frameworks/astro/astro-shared.ts

@@ -250,6 +250,7 @@ export function defineAstroTests(astroVersion: number, testDir: string) {
               shouldContain: [
                 'public_var::public-var-value',
                 'has_secret::yes',
+                'toplevel_has_secret::yes',
               ],
               shouldNotContain: ['super-secret-value'],
             },

framework-tests/frameworks/astro/files/pages/api-endpoint.ts

@@ -1,11 +1,16 @@
 import type { APIRoute } from 'astro';
 import { ENV } from 'varlock/env';
 
+// Top-level ENV access — runs at module evaluation time.
+// Verifies initVarlockEnv runs before user modules.
+const TOP_LEVEL_HAS_SECRET = ENV.SENSITIVE_VAR ? 'yes' : 'no';
+
 export const GET: APIRoute = () => {
   const lines = [
     `public_var::${ENV.PUBLIC_VAR}`,
     `env_specific::${ENV.ENV_SPECIFIC_VAR}`,
     `has_secret::${ENV.SENSITIVE_VAR ? 'yes' : 'no'}`,
+    `toplevel_has_secret::${TOP_LEVEL_HAS_SECRET}`,
   ];
   return new Response(lines.join('\n'));
 };

framework-tests/frameworks/cloudflare/cloudflare-shared.ts

@@ -0,0 +1,193 @@
+/*
+Shared Cloudflare Workers test definitions, parameterized by Vite version.
+Covers basic worker dev, leak detection, build + preview, and large env chunking.
+*/
+import {
+  describe, beforeAll, afterAll,
+} from 'vitest';
+import { FrameworkTestEnv } from '../../harness/index';
+
+export function defineCloudflareTests(
+  label: string,
+  testDir: string,
+  opts: {
+    viteVersion: string;
+    /** Base port — each dev scenario offsets from this */
+    basePort: number;
+  },
+) {
+  const { viteVersion, basePort } = opts;
+
+  describe(`Cloudflare Workers (${label})`, () => {
+    const cfEnv = new FrameworkTestEnv({
+      testDir,
+      framework: `cloudflare-vite-${label}`,
+      packageManager: 'bun',
+      dependencies: {
+        varlock: 'will-be-replaced',
+        '@varlock/cloudflare-integration': 'will-be-replaced',
+        vite: viteVersion,
+        wrangler: '^4',
+        '@cloudflare/vite-plugin': '^1.30.0',
+      },
+      templateFiles: {
+        '.env.schema': 'schemas/.env.schema',
+        '.env.dev': 'schemas/.env.dev',
+      },
+      overrides: {
+        punycode: 'npm:punycode@^2.3.1',
+      },
+    });
+    beforeAll(() => cfEnv.setup(), 180_000);
+    afterAll(() => cfEnv.teardown());
+
+    cfEnv.describeDevScenario('basic worker', {
+      command: `vite dev --port ${basePort}`,
+      readyPattern: /Local:.*http/,
+      readyTimeout: 30_000,
+      templateFiles: {
+        'src/index.ts': 'workers/basic-worker.ts',
+        'vite.config.ts': 'vite-configs/vite.config.ts',
+        'wrangler.jsonc': '_base-wrangler/wrangler.jsonc',
+        'tsconfig.json': '_base-wrangler/tsconfig.json',
+      },
+      requests: [
+        {
+          path: '/',
+          bodyAssertions: {
+            shouldContain: [
+              // varlock ENV proxy - non-sensitive
+              'public_var::public-test-value',
+              'api_url::https://api.example.com',
+              // varlock ENV proxy - sensitive (accessible but value not leaked)
+              'has_sensitive::yes',
+              // top-level ENV access (module evaluation time, not per-request)
+              'toplevel_api_url::https://api.example.com',
+              'toplevel_has_secret::yes',
+              // cloudflare native env access
+              'native_public_var::public-test-value',
+              'native_has_secret::yes',
+            ],
+            shouldNotContain: ['super-secret-value'],
+          },
+        },
+      ],
+      outputAssertions: [
+        {
+          description: 'sensitive value is redacted in console output',
+          shouldContain: ['secret-log-test::'],
+          shouldNotContain: ['super-secret-value'],
+        },
+      ],
+    });
+
+    cfEnv.describeDevScenario('leaky worker', {
+      command: `vite dev --port ${basePort + 1}`,
+      readyPattern: /Local:.*http/,
+      readyTimeout: 30_000,
+      templateFiles: {
+        'src/index.ts': 'workers/leaky-worker.ts',
+        'vite.config.ts': 'vite-configs/vite.config.ts',
+        'wrangler.jsonc': '_base-wrangler/wrangler.jsonc',
+        'tsconfig.json': '_base-wrangler/tsconfig.json',
+      },
+      requests: [
+        {
+          path: '/',
+          expectedStatus: 500,
+          bodyAssertions: {
+            shouldNotContain: ['super-secret-value'],
+          },
+        },
+      ],
+      outputAssertions: [
+        {
+          description: 'leak detection message appears',
+          shouldContain: ['DETECTED LEAKED SENSITIVE CONFIG'],
+        },
+      ],
+    });
+
+    cfEnv.describeDevScenario('leaky worker (Uint8Array body)', {
+      command: `vite dev --port ${basePort + 2}`,
+      readyPattern: /Local:.*http/,
+      readyTimeout: 30_000,
+      templateFiles: {
+        'src/index.ts': 'workers/leaky-uint8array-worker.ts',
+        'vite.config.ts': 'vite-configs/vite.config.ts',
+        'wrangler.jsonc': '_base-wrangler/wrangler.jsonc',
+        'tsconfig.json': '_base-wrangler/tsconfig.json',
+      },
+      requests: [
+        {
+          path: '/',
+          expectedStatus: 500,
+          bodyAssertions: {
+            shouldNotContain: ['super-secret-value'],
+          },
+        },
+      ],
+      outputAssertions: [
+        {
+          description: 'leak detection message appears for Uint8Array body',
+          shouldContain: ['DETECTED LEAKED SENSITIVE CONFIG'],
+        },
+      ],
+    });
+
+    cfEnv.describeDevScenario('build + preview', {
+      command: `vite build && vite preview --port ${basePort + 3}`,
+      readyPattern: /Local:.*http/,
+      readyTimeout: 60_000,
+      timeout: 120_000,
+      templateFiles: {
+        'src/index.ts': 'workers/basic-worker.ts',
+        'vite.config.ts': 'vite-configs/vite.config.ts',
+        'wrangler.jsonc': '_base-wrangler/wrangler.jsonc',
+        'tsconfig.json': '_base-wrangler/tsconfig.json',
+      },
+      requests: [
+        {
+          path: '/',
+          bodyAssertions: {
+            shouldContain: [
+              'public_var::public-test-value',
+              'api_url::https://api.example.com',
+              'has_sensitive::yes',
+              'toplevel_api_url::https://api.example.com',
+              'toplevel_has_secret::yes',
+            ],
+            shouldNotContain: ['super-secret-value'],
+          },
+        },
+      ],
+    });
+
+    cfEnv.describeDevScenario('large env (chunking)', {
+      command: `vite dev --port ${basePort + 4}`,
+      readyPattern: /Local:.*http/,
+      readyTimeout: 30_000,
+      templateFiles: {
+        'src/index.ts': 'workers/large-env-worker.ts',
+        'vite.config.ts': 'vite-configs/vite.config.ts',
+        'wrangler.jsonc': '_base-wrangler/wrangler.jsonc',
+        'tsconfig.json': '_base-wrangler/tsconfig.json',
+        '.env.schema': 'schemas/.env.schema.large',
+      },
+      requests: [
+        {
+          path: '/',
+          bodyAssertions: {
+            shouldContain: [
+              'public_var::public-test-value',
+              // two 3000-char vars — verify they survived __VARLOCK_ENV chunking
+              'large_var_a_length::3000',
+              'large_var_b_length::3000',
+              'has_secret::yes',
+            ],
+          },
+        },
+      ],
+    });
+  });
+}