npm - @varlock/nextjs-integration - Versions diffs - 1.0.0 → 1.1.0 - Mend

@varlock/nextjs-integration 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +3 -0
package/dist/loader.js +88 -0
package/dist/loader.js.map +1 -0
package/dist/next-env-compat.js +17735 -102
package/dist/next-env-compat.js.map +1 -1
package/dist/plugin.js +434 -141
package/dist/plugin.js.map +1 -1
package/package.json +16 -16
package/LICENSE +0 -21
package/dist/patch-next-runtime.js +0 -14
package/dist/patch-next-runtime.js.map +0 -1
/package/dist/{patch-next-runtime.d.ts → loader.d.ts} +0 -0

package/dist/plugin.js CHANGED Viewed

@@ -1,15 +1,239 @@
 'use strict';
-var fs = require('fs');
-var path = require('path');
+var fs3 = require('fs');
+var path2 = require('path');
 var env = require('varlock/env');
-var patchServerResponse = require('varlock/patch-server-response');
 var patchConsole = require('varlock/patch-console');
+var patchServerResponse = require('varlock/patch-server-response');
+require('varlock');
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
-var fs__default = /*#__PURE__*/_interopDefault(fs);
-var path__default = /*#__PURE__*/_interopDefault(path);
+var fs3__default = /*#__PURE__*/_interopDefault(fs3);
+var path2__default = /*#__PURE__*/_interopDefault(path2);
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var WEBPACK_PLUGIN_NAME = "VarlockNextWebpackPlugin";
+var latestLoadedVarlockEnv;
+function createStaticReplacementsProxy(debug3) {
+  return new Proxy({}, {
+    ownKeys(_target) {
+      latestLoadedVarlockEnv = JSON.parse(process.env.__VARLOCK_ENV || "{}");
+      const replaceKeys = [];
+      for (const itemKey in latestLoadedVarlockEnv.config) {
+        const item = latestLoadedVarlockEnv.config[itemKey];
+        if (!item.isSensitive) replaceKeys.push(`ENV.${itemKey}`);
+      }
+      debug3("reloaded static replacements keys", replaceKeys);
+      return replaceKeys;
+    },
+    getOwnPropertyDescriptor(_target, prop) {
+      const itemKey = prop.toString().split(".")[1];
+      const item = latestLoadedVarlockEnv?.config[itemKey];
+      if (!item || item.isSensitive) return;
+      return {
+        value: "",
+        // this value is not used, the get handler will return the value
+        writable: false,
+        enumerable: true,
+        configurable: true
+      };
+    },
+    get(_target, prop) {
+      const itemKey = prop.toString().split(".")[1];
+      const item = latestLoadedVarlockEnv?.config[itemKey];
+      if (item && !item.isSensitive) return JSON.stringify(item.value);
+    }
+  });
+}
+function createWebpackConfigFn(resolvedNextConfig, patchGlobalFsMethods2, debug3, isBuild) {
+  const staticReplacementsProxy = createStaticReplacementsProxy(debug3);
+  return function webpackConfigFn(webpackConfig, options) {
+    debug3("varlockNextConfigPlugin webpack config patching");
+    const { dev } = options;
+    if (isBuild) patchGlobalFsMethods2();
+    if (env.varlockSettings.preventLeaks) {
+      patchServerResponse.patchGlobalServerResponse({
+        ignoreUrlPatterns: [
+          /^\/__nextjs_source-map\?.*/,
+          // sourcemaps
+          /[?&]_rsc=/
+          // RSC payloads are server-side and expected to contain sensitive data
+        ],
+        // in dev mode, we redact the secrets rather than throwing, because otherwise the dev server crashes
+        redactInsteadOfThrow: dev
+      });
+    }
+    const webpack = options.webpack;
+    if (resolvedNextConfig.webpack) {
+      webpackConfig = resolvedNextConfig.webpack(webpackConfig, options);
+    }
+    if (!process.env.__VARLOCK_ENV) throw new Error("VarlockNextWebpackPlugin: __VARLOCK_ENV is not set");
+    if (options.isServer && options.nextRuntime !== "edge") {
+      webpackConfig.module.rules.push({
+        test: /\.(js|jsx|ts|tsx|mjs|mts)$/,
+        exclude: /node_modules/,
+        use: [
+          {
+            loader: __require.resolve("./loader"),
+            options: { bundler: "webpack" }
+          }
+        ]
+      });
+    }
+    if (options.isServer && options.nextRuntime === "edge") {
+      webpackConfig.module.rules.push({
+        test: /\.(js|jsx|ts|tsx|mjs|mts)$/,
+        exclude: /node_modules/,
+        use: [
+          {
+            loader: __require.resolve("./loader"),
+            options: { bundler: "webpack", isEdge: true }
+          }
+        ]
+      });
+    }
+    debug3("adding ENV.xxx static replacements proxy object");
+    webpackConfig.plugins.push(new webpack.DefinePlugin(staticReplacementsProxy));
+    if (env.varlockSettings.preventLeaks) {
+      webpackConfig.plugins.push({
+        apply(compiler) {
+          compiler.hooks.assetEmitted.tap(WEBPACK_PLUGIN_NAME, (_file, assetDetails) => {
+            const { content, targetPath } = assetDetails;
+            if (targetPath.includes("/.next/static/chunks/") || targetPath.endsWith(".html")) {
+              try {
+                env.scanForLeaks(content, {
+                  method: "@varlock/nextjs-integration/plugin - assetEmitted hook",
+                  file: targetPath
+                });
+              } catch (err) {
+                if (dev) {
+                  fs3__default.default.writeFileSync(targetPath, env.redactSensitiveConfig(content.toString()));
+                } else {
+                  throw err;
+                }
+              }
+            }
+          });
+        }
+      });
+    }
+    function injectVarlockInitIntoWebpackRuntime(edgeRuntime = false) {
+      return function assetUpdateFn(origSource) {
+        const origSourceStr = origSource.source();
+        const initBundleName = edgeRuntime ? "init-edge" : "init-server";
+        const injectorPath = __require.resolve(`varlock/${initBundleName}`);
+        const injectorSrc = fs3__default.default.readFileSync(injectorPath, "utf8");
+        const rawEnv = process.env.__VARLOCK_ENV;
+        const envInline = rawEnv ? `process.env.__VARLOCK_ENV = process.env.__VARLOCK_ENV || ${JSON.stringify(rawEnv)};` : "";
+        const updatedSourceStr = [
+          envInline,
+          // Wrap in IIFE to avoid symbol collisions when bundlers concatenate files.
+          // Provide dummy exports/module since the CJS bundle uses `exports.X = ...`
+          `(function(exports,module){${injectorSrc}})({},{exports:{}});`,
+          origSourceStr
+        ].join("\n");
+        return new webpack.sources.RawSource(updatedSourceStr);
+      };
+    }
+    const isEdgeRuntime = options.nextRuntime === "edge";
+    webpackConfig.plugins.push({
+      apply(compiler) {
+        compiler.hooks.thisCompilation.tap(WEBPACK_PLUGIN_NAME, (compilation) => {
+          compilation.hooks.processAssets.tap(
+            {
+              name: WEBPACK_PLUGIN_NAME,
+              stage: webpack.Compilation.PROCESS_ASSETS_STAGE_ADDITIONS
+            },
+            () => {
+              if (isEdgeRuntime) {
+                if (compilation.getAsset("edge-runtime-webpack.js")) {
+                  compilation.updateAsset("edge-runtime-webpack.js", injectVarlockInitIntoWebpackRuntime(true));
+                }
+                for (const name of ["webpack-runtime.js", "../webpack-runtime.js"]) {
+                  if (compilation.getAsset(name)) {
+                    compilation.updateAsset(name, injectVarlockInitIntoWebpackRuntime(true));
+                  }
+                }
+              } else if (options.isServer) {
+                for (const name of ["webpack-runtime.js", "../webpack-runtime.js", "webpack-api-runtime.js", "../webpack-api-runtime.js"]) {
+                  if (compilation.getAsset(name)) {
+                    compilation.updateAsset(name, injectVarlockInitIntoWebpackRuntime());
+                  }
+                }
+              }
+            }
+          );
+        });
+      }
+    });
+    return webpackConfig;
+  };
+}
+function debug(...args) {
+  if (!process.env.DEBUG_VARLOCK_NEXT_INTEGRATION) return;
+  console.log("[varlock]", ...args);
+}
+var injectedTurbopackRuntime = false;
+function injectVarlockInitIntoTurbopackRuntime(nextDirPath) {
+  if (injectedTurbopackRuntime) return;
+  const rawEnv = process.env.__VARLOCK_ENV;
+  if (!rawEnv) {
+    return;
+  }
+  const serverRuntimeFiles = [];
+  const edgeWrapperFiles = [];
+  const walkDir = (dir) => {
+    if (!fs3__default.default.existsSync(dir)) return;
+    for (const entry of fs3__default.default.readdirSync(dir, { withFileTypes: true })) {
+      if (entry.isDirectory()) {
+        walkDir(path2__default.default.join(dir, entry.name));
+      } else if (entry.name === "[turbopack]_runtime.js") {
+        serverRuntimeFiles.push(path2__default.default.join(dir, entry.name));
+      } else if (entry.name.includes("edge-wrapper") && entry.name.endsWith(".js")) {
+        edgeWrapperFiles.push(path2__default.default.join(dir, entry.name));
+      }
+    }
+  };
+  walkDir(nextDirPath);
+  debug(`turbopack runtime injection: found ${serverRuntimeFiles.length} server runtime files, ${edgeWrapperFiles.length} edge wrapper files`);
+  if (!serverRuntimeFiles.length) {
+    return;
+  }
+  injectedTurbopackRuntime = true;
+  const initServerSrc = fs3__default.default.readFileSync(__require.resolve("varlock/init-server"), "utf8");
+  const initEdgeSrc = fs3__default.default.readFileSync(__require.resolve("varlock/init-edge"), "utf8");
+  const envInline = `process.env.__VARLOCK_ENV = process.env.__VARLOCK_ENV || ${JSON.stringify(rawEnv)};`;
+  const iifeWrap = (src) => `(function(exports,module){${src}})({},{exports:{}});`;
+  for (const runtimeFile of serverRuntimeFiles) {
+    const origSource = fs3__default.default.readFileSync(runtimeFile, "utf8");
+    const updatedSource = [
+      envInline,
+      iifeWrap(initServerSrc),
+      origSource
+    ].join("\n");
+    fs3__default.default.writeFileSync(runtimeFile, updatedSource);
+    debug(`injected init-server into turbopack runtime: ${runtimeFile}`);
+  }
+  for (const wrapperFile of edgeWrapperFiles) {
+    const origSource = fs3__default.default.readFileSync(wrapperFile, "utf8");
+    const updatedSource = [
+      envInline,
+      iifeWrap(initEdgeSrc),
+      origSource
+    ].join("\n");
+    fs3__default.default.writeFileSync(wrapperFile, updatedSource);
+    debug(`injected init-edge into edge wrapper: ${wrapperFile}`);
+  }
+}
+function isInjectedTurbopackRuntime() {
+  return injectedTurbopackRuntime;
+}
 // src/plugin.ts
 if (!process.env.__VARLOCK_ENV) {
@@ -23,8 +247,21 @@ if (!process.env.__VARLOCK_ENV) {
   throw new Error("VarlockNextWebpackPlugin: __VARLOCK_ENV is not set");
 }
 patchConsole.patchGlobalConsole();
+var IS_TURBOPACK = !!(process.env.TURBOPACK || process.env.TURBOPACK_DEV || process.env.TURBOPACK_BUILD || process.env.npm_config_turbopack);
+if (IS_TURBOPACK && env.varlockSettings.preventLeaks) {
+  patchServerResponse.patchGlobalServerResponse({
+    ignoreUrlPatterns: [
+      /^\/__nextjs_source-map\?.*/,
+      // sourcemaps
+      /[?&]_rsc=/
+      // RSC payloads are server-side and expected to contain sensitive data
+    ],
+    // always redact in dev to avoid crashing the dev server; prod builds override via init bundles
+    redactInsteadOfThrow: true
+  });
+}
 var IS_WORKER = !!process.env.NEXT_PRIVATE_WORKER;
-function debug(...args) {
+function debug2(...args) {
   if (!process.env.DEBUG_VARLOCK_NEXT_INTEGRATION) return;
   console.log(
     "plugin",
@@ -33,60 +270,148 @@ function debug(...args) {
     ...args
   );
 }
-debug("\u2728 LOADED @varlock/next-integration/plugin module!");
-var WEBPACK_PLUGIN_NAME = "VarlockNextWebpackPlugin";
+debug2("\u2728 LOADED @varlock/next-integration/plugin module!");
 var scannedStaticFiles = false;
 async function scanStaticFiles(nextDirPath) {
   scannedStaticFiles = true;
-  for await (const file of fs__default.default.promises.glob(`${nextDirPath}/**/*.html`)) {
-    const fileContents = await fs__default.default.promises.readFile(file, "utf8");
+  for await (const file of fs3__default.default.promises.glob(`${nextDirPath}/**/*.html`)) {
+    const fileContents = await fs3__default.default.promises.readFile(file, "utf8");
     env.scanForLeaks(fileContents, { method: "nextjs scan static html files", file });
   }
 }
+var scrubbedSourcemaps = false;
+async function scrubSourcemaps(nextDirPath) {
+  if (scrubbedSourcemaps) return;
+  scrubbedSourcemaps = true;
+  const envGraph = JSON.parse(process.env.__VARLOCK_ENV || "{}");
+  const sensitiveValues = [];
+  for (const itemKey in envGraph.config) {
+    const item = envGraph.config[itemKey];
+    if (item.isSensitive && item.value && typeof item.value === "string" && item.value.length > 0) {
+      sensitiveValues.push({
+        value: item.value,
+        replacement: "*".repeat(item.value.length)
+      });
+    }
+  }
+  if (!sensitiveValues.length) {
+    debug2("no sensitive values to scrub from sourcemaps");
+    return;
+  }
+  sensitiveValues.sort((a, b) => b.value.length - a.value.length);
+  let scrubCount = 0;
+  for await (const mapFile of fs3__default.default.promises.glob(`${nextDirPath}/**/*.map`)) {
+    const contents = await fs3__default.default.promises.readFile(mapFile, "utf8");
+    let scrubbed = contents;
+    for (const { value, replacement } of sensitiveValues) {
+      scrubbed = scrubbed.replaceAll(value, replacement);
+    }
+    if (scrubbed !== contents) {
+      await fs3__default.default.promises.writeFile(mapFile, scrubbed);
+      scrubCount++;
+    }
+  }
+  debug2(`scrubbed sensitive values from ${scrubCount} sourcemap files`);
+}
+var scannedBuildOutput = false;
+async function scanBuildOutputForLeaks(nextDirPath, opts) {
+  if (scannedBuildOutput) return;
+  scannedBuildOutput = true;
+  let preventLeaks = env.varlockSettings.preventLeaks;
+  if (preventLeaks === void 0 && process.env.__VARLOCK_ENV) {
+    try {
+      const envGraph = JSON.parse(process.env.__VARLOCK_ENV);
+      preventLeaks = envGraph.settings?.preventLeaks;
+    } catch {
+    }
+  }
+  if (process.env.__VARLOCK_ENV) {
+    try {
+      env.initVarlockEnv();
+    } catch {
+    }
+  }
+  const redactionInfo = env.getRedactionMapInfo();
+  debug2(`scanBuildOutputForLeaks: preventLeaks=${preventLeaks}, redactionInfo=${JSON.stringify(redactionInfo)}`);
+  if (!preventLeaks) return;
+  const leakedFiles = [];
+  let scannedCount = 0;
+  for await (const file of fs3__default.default.promises.glob(`${nextDirPath}/static/chunks/**/*.js`)) {
+    scannedCount++;
+    const fileContents = await fs3__default.default.promises.readFile(file, "utf8");
+    try {
+      env.scanForLeaks(fileContents, {
+        method: "nextjs post-build scan (static chunks)",
+        file
+      });
+    } catch (err) {
+      leakedFiles.push(file);
+      await fs3__default.default.promises.writeFile(file, env.redactSensitiveConfig(fileContents));
+    }
+  }
+  debug2(`scanned ${scannedCount} static chunk files in ${nextDirPath}/static/chunks/`);
+  for (const ext of ["html"]) {
+    for await (const file of fs3__default.default.promises.glob(`${nextDirPath}/**/*.${ext}`)) {
+      scannedCount++;
+      const fileContents = await fs3__default.default.promises.readFile(file, "utf8");
+      try {
+        env.scanForLeaks(fileContents, {
+          method: `nextjs post-build scan (.${ext})`,
+          file
+        });
+      } catch (err) {
+        leakedFiles.push(file);
+        await fs3__default.default.promises.writeFile(file, env.redactSensitiveConfig(fileContents));
+      }
+    }
+  }
+  debug2(`scanned ${scannedCount} total build output files`);
+  if (leakedFiles.length > 0) {
+    const msg = `[varlock] \u26A0\uFE0F found and redacted leaked secrets in ${leakedFiles.length} build output file(s):
+${leakedFiles.map((f) => `  - ${f}`).join("\n")}`;
+    if (opts?.failBuild) {
+      throw new Error(msg);
+    }
+    console.error(msg);
+  } else {
+    debug2("\u2705 no leaks found in build output");
+  }
+}
 function patchGlobalFsMethods() {
-  const origWriteFileFn = fs__default.default.promises.writeFile;
-  fs__default.default.promises.writeFile = async function dmnoPatchedWriteFile(...args) {
+  debug2("patching global fs methods");
+  const origWriteFileFn = fs3__default.default.promises.writeFile;
+  fs3__default.default.promises.writeFile = async function dmnoPatchedWriteFile(...args) {
     const filePath = args[0].toString();
+    debug2("fs.promises.writeFile:", filePath);
+    if (!isInjectedTurbopackRuntime() && filePath.endsWith("/.next/export-detail.json")) {
+      const nextDirPath = filePath.substring(0, filePath.lastIndexOf("/"));
+      injectVarlockInitIntoTurbopackRuntime(nextDirPath);
+    }
     if (filePath.endsWith("/.next/next-server.js.nft.json") && !scannedStaticFiles) {
       const nextDirPath = filePath.substring(0, filePath.lastIndexOf("/"));
       await scanStaticFiles(nextDirPath);
     }
+    if (filePath.endsWith("/.next/next-server.js.nft.json") || filePath.endsWith("/.next/prerender-manifest.json")) {
+      const nextDirPath = filePath.substring(0, filePath.lastIndexOf("/"));
+      if (!scrubbedSourcemaps) await scrubSourcemaps(nextDirPath);
+      if (!scannedBuildOutput) await scanBuildOutputForLeaks(nextDirPath, { failBuild: true });
+    }
     return origWriteFileFn.call(this, ...args);
   };
+  const origWriteFileSyncFn = fs3__default.default.writeFileSync;
+  fs3__default.default.writeFileSync = function dmnoPatchedWriteFileSync(...args) {
+    const filePath = args[0].toString();
+    debug2("fs.writeFileSync:", filePath);
+    if (!isInjectedTurbopackRuntime() && filePath.endsWith("/.next/diagnostics/build-diagnostics.json")) {
+      const nextDirPath = filePath.substring(0, filePath.lastIndexOf("/"));
+      injectVarlockInitIntoTurbopackRuntime(nextDirPath);
+    }
+    return origWriteFileSyncFn.call(this, ...args);
+  };
 }
-var latestLoadedVarlockEnv;
-var StaticReplacementsProxy = new Proxy({}, {
-  ownKeys(_target) {
-    latestLoadedVarlockEnv = JSON.parse(process.env.__VARLOCK_ENV || "{}");
-    const replaceKeys = [];
-    for (const itemKey in latestLoadedVarlockEnv.config) {
-      const item = latestLoadedVarlockEnv.config[itemKey];
-      if (!item.isSensitive) replaceKeys.push(`ENV.${itemKey}`);
-    }
-    debug("reloaded static replacements keys", replaceKeys);
-    return replaceKeys;
-  },
-  getOwnPropertyDescriptor(_target, prop) {
-    const itemKey = prop.toString().split(".")[1];
-    const item = latestLoadedVarlockEnv?.config[itemKey];
-    if (!item || item.isSensitive) return;
-    return {
-      value: "",
-      // this value is not used, the get handler will return the value
-      writable: false,
-      enumerable: true,
-      configurable: true
-    };
-  },
-  get(_target, prop) {
-    const itemKey = prop.toString().split(".")[1];
-    const item = latestLoadedVarlockEnv?.config[itemKey];
-    if (item && !item.isSensitive) return JSON.stringify(item.value);
-  }
-});
 function varlockNextConfigPlugin(_pluginOptions) {
   return (nextConfig) => {
-    debug("varlockNextConfigPlugin init fn");
+    debug2("varlockNextConfigPlugin init fn");
     return async (phase, defaults) => {
       let resolvedNextConfig;
       if (typeof nextConfig === "function") {
@@ -95,107 +420,75 @@ function varlockNextConfigPlugin(_pluginOptions) {
       } else {
         resolvedNextConfig = nextConfig;
       }
-      if (process.env.TURBOPACK || process.env.npm_config_turbopack) {
-        console.error([
-          "\u{1F6A8} @varlock/nextjs-integration: Turbopack is not yet supported for varlockNextConfigPlugin \u{1F6A8}",
-          "",
-          "You can either stop using the `--turbopack` flag",
-          "or remove this plugin from your config, and only use the @next/env override.",
-          "However if you don't use the plugin, you will not get all the benefits of this integration.",
-          ""
-        ].join("\n"));
-        throw new Error("varlockNextConfigPlugin: Turbopack is not yet supported");
-      }
-      return {
-        ...resolvedNextConfig,
-        webpack(webpackConfig, options) {
-          debug("varlockNextConfigPlugin webpack config patching");
-          const { dev } = options;
-          if (env.varlockSettings.preventLeaks) {
-            patchGlobalFsMethods();
-            patchServerResponse.patchGlobalServerResponse({
-              // ignore sourcemaps - although we may in future want to scrub them?
-              ignoreUrlPatterns: [/^\/__nextjs_source-map\?.*/],
-              // in dev mode, we redact the secrets rather than throwing, because otherwise the dev server crashes
-              redactInsteadOfThrow: dev
-            });
-          }
-          const webpack = options.webpack;
-          if (resolvedNextConfig.webpack) {
-            webpackConfig = resolvedNextConfig.webpack(webpackConfig, options);
-          }
-          if (!process.env.__VARLOCK_ENV) throw new Error("VarlockNextWebpackPlugin: __VARLOCK_ENV is not set");
-          debug("adding ENV.xxx static replacements proxy object");
-          webpackConfig.plugins.push(new webpack.DefinePlugin(StaticReplacementsProxy));
-          if (env.varlockSettings.preventLeaks) {
-            webpackConfig.plugins.push({
-              apply(compiler) {
-                compiler.hooks.assetEmitted.tap(WEBPACK_PLUGIN_NAME, (file, assetDetails) => {
-                  const { content, targetPath } = assetDetails;
-                  if (targetPath.includes("/.next/static/chunks/") || targetPath.endsWith(".html") || targetPath.endsWith(".body") || targetPath.endsWith(".rsc")) {
-                    try {
-                      env.scanForLeaks(content, {
-                        method: "@varlock/nextjs-integration/plugin - assetEmitted hook",
-                        file: targetPath
-                      });
-                    } catch (err) {
-                      if (dev) {
-                        fs__default.default.writeFileSync(targetPath, env.redactSensitiveConfig(content.toString()));
-                      } else {
-                        throw err;
-                      }
-                    }
-                  }
-                });
-              }
+      const isTurbopack = !!(process.env.TURBOPACK || process.env.TURBOPACK_DEV || process.env.TURBOPACK_BUILD || process.env.npm_config_turbopack);
+      const isBuild = phase === "phase-production-build";
+      debug2(`turbopack detection: TURBOPACK=${process.env.TURBOPACK}, TURBOPACK_DEV=${process.env.TURBOPACK_DEV}, TURBOPACK_BUILD=${process.env.TURBOPACK_BUILD}, phase=${phase}, isTurbopack=${isTurbopack}, isBuild=${isBuild}`);
+      if (isBuild) {
+        process.once("beforeExit", () => {
+          const nextDirPath = path2__default.default.resolve(process.cwd(), ".next");
+          const scanPromises = [];
+          if (!scrubbedSourcemaps) scanPromises.push(scrubSourcemaps(nextDirPath));
+          if (!scannedBuildOutput) scanPromises.push(scanBuildOutputForLeaks(nextDirPath, { failBuild: true }));
+          if (scanPromises.length > 0) {
+            Promise.all(scanPromises).catch((err) => {
+              console.error("[varlock] post-build scan failed:", err);
+              process.exitCode = 1;
             });
           }
-          function injectVarlockInitIntoWebpackRuntime(_edgeRuntime = false) {
-            return function assetUpdateFn(origSource) {
-              const origSourceStr = origSource.source();
-              const injectorPath = path__default.default.resolve(__dirname, "./patch-next-runtime.js");
-              const injectorSrc = fs__default.default.readFileSync(injectorPath, "utf8");
-              const updatedSourceStr = [
-                // TODO: reimplement dynamic/static functionality, which triggers a call to next/headers (or similar)
-                // when accessing a dynamic env item. This will force the page into dynamic rendering mode
-                // see DMNO integration for more details
-                // inline the dmno injector code
-                injectorSrc,
-                origSourceStr
-              ].join("\n");
-              return new webpack.sources.RawSource(updatedSourceStr);
-            };
+        });
+      }
+      if (isTurbopack) {
+        debug2("turbopack detected, injecting loader rules");
+        if (isBuild) patchGlobalFsMethods();
+        let turbopackConfig = resolvedNextConfig.turbopack ?? resolvedNextConfig.experimental?.turbo;
+        if (!turbopackConfig) {
+          turbopackConfig = {};
+          resolvedNextConfig.turbopack = turbopackConfig;
+        }
+        const loaderRule = {
+          loaders: [__require.resolve("./loader")]
+        };
+        turbopackConfig.rules ||= {};
+        turbopackConfig.rules["*.{js,jsx,ts,tsx,mjs,mts}"] = loaderRule;
+        const varlockNodeModulesPath = path2__default.default.resolve(process.cwd(), "node_modules/varlock");
+        let isSymlinked = false;
+        try {
+          isSymlinked = fs3__default.default.lstatSync(varlockNodeModulesPath).isSymbolicLink();
+        } catch {
+        }
+        if (isSymlinked) {
+          debug2("varlock is symlinked, copying dist files for turbopack");
+          const varlockDistDir = path2__default.default.resolve(path2__default.default.dirname(__require.resolve("varlock/env")), "..");
+          const varlockRoot = path2__default.default.resolve(varlockDistDir, "..");
+          const cacheDir = path2__default.default.resolve(process.cwd(), "node_modules/.varlock");
+          const cacheDistDir = path2__default.default.join(cacheDir, "dist");
+          try {
+            fs3__default.default.mkdirSync(cacheDir, { recursive: true });
+            fs3__default.default.cpSync(varlockDistDir, cacheDistDir, { recursive: true });
+            fs3__default.default.copyFileSync(path2__default.default.join(varlockRoot, "package.json"), path2__default.default.join(cacheDir, "package.json"));
+            debug2("copied varlock package files to", cacheDir);
+          } catch (err) {
+            console.warn("[varlock] failed to copy varlock package files:", err);
           }
-          webpackConfig.plugins.push({
-            apply(compiler) {
-              compiler.hooks.thisCompilation.tap(WEBPACK_PLUGIN_NAME, (compilation) => {
-                compilation.hooks.processAssets.tap(
-                  {
-                    name: WEBPACK_PLUGIN_NAME,
-                    stage: webpack.Compilation.PROCESS_ASSETS_STAGE_ADDITIONS
-                  },
-                  () => {
-                    if (compilation.getAsset("webpack-runtime.js")) {
-                      compilation.updateAsset("webpack-runtime.js", injectVarlockInitIntoWebpackRuntime());
-                    }
-                    if (compilation.getAsset("../webpack-runtime.js")) {
-                      compilation.updateAsset("../webpack-runtime.js", injectVarlockInitIntoWebpackRuntime());
-                    }
-                    if (compilation.getAsset("webpack-api-runtime.js")) {
-                      compilation.updateAsset("webpack-api-runtime.js", injectVarlockInitIntoWebpackRuntime());
-                    }
-                    if (compilation.getAsset("../webpack-api-runtime.js")) {
-                      compilation.updateAsset("../webpack-api-runtime.js", injectVarlockInitIntoWebpackRuntime());
-                    }
-                    if (compilation.getAsset("edge-runtime-webpack.js")) {
-                      compilation.updateAsset("edge-runtime-webpack.js", injectVarlockInitIntoWebpackRuntime(true));
-                    }
-                  }
-                );
-              });
-            }
-          });
-          return webpackConfig;
+          turbopackConfig.resolveAlias ||= {};
+          turbopackConfig.resolveAlias["varlock/env"] = "./node_modules/.varlock/dist/runtime/env.js";
+          turbopackConfig.resolveAlias["varlock/patch-console"] = "./node_modules/.varlock/dist/runtime/patch-console.js";
+          turbopackConfig.resolveAlias["varlock/patch-server-response"] = "./node_modules/.varlock/dist/runtime/patch-server-response.js";
+          turbopackConfig.resolveAlias["varlock/patch-response"] = "./node_modules/.varlock/dist/runtime/patch-response.js";
+          turbopackConfig.resolveAlias["varlock/init-server"] = "./node_modules/.varlock/dist/runtime/init-server.cjs";
+          turbopackConfig.resolveAlias["varlock/init-edge"] = "./node_modules/.varlock/dist/runtime/init-edge.cjs";
+          debug2("set resolveAlias for varlock subpaths -> ./node_modules/.varlock/dist/...");
+        } else {
+          debug2("varlock is not symlinked, turbopack can resolve it natively");
+        }
+      }
+      return {
+        ...resolvedNextConfig,
+        ...isTurbopack && {
+          turbopack: resolvedNextConfig.turbopack
+        },
+        ...!IS_TURBOPACK && {
+          webpack: createWebpackConfigFn(resolvedNextConfig, patchGlobalFsMethods, debug2, isBuild)
         }
       };
     };