@vite-env/core 0.2.2 → 0.4.0

package/dist/format.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"format.mjs","names":[],"sources":["../src/format.ts"],"sourcesContent":["import type { core } from 'zod'\n\nexport function formatZodError(issues: core.$ZodIssue[]): string {\n  return issues\n    .map((issue) => {\n      const path = issue.path.length > 0 ? issue.path.join('.') : '(root)'\n      return `  \\x1B[31m✗\\x1B[0m ${path.padEnd(28)} ${issue.message}`\n    })\n    .join('\\n')\n}\n"],"mappings":";AAEA,SAAgB,eAAe,QAAkC;AAC/D,QAAO,OACJ,KAAK,UAAU;AAEd,SAAO,uBADM,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,UAC1B,OAAO,GAAG,CAAC,GAAG,MAAM;GACtD,CACD,KAAK,KAAK"}
+{"version":3,"file":"format.mjs","names":[],"sources":["../src/format.ts"],"sourcesContent":["import type { core } from 'zod'\nimport type { GuardFail } from './guard'\nimport type { StandardValidationIssue } from './types'\n\nexport function formatZodError(issues: core.$ZodIssue[]): string {\n  return issues\n    .map((issue) => {\n      const path = issue.path.length > 0 ? issue.path.join('.') : '(root)'\n      return `  \\x1B[31m✗\\x1B[0m ${path.padEnd(28)} ${issue.message}`\n    })\n    .join('\\n')\n}\n\nexport function formatStandardSchemaError(issues: StandardValidationIssue[]): string {\n  return issues\n    .map((issue) => {\n      const path = issue.path.length > 0\n        ? issue.path.map(seg => typeof seg === 'object' && seg !== null && 'key' in seg ? String(seg.key) : String(seg)).join('.')\n        : '(root)'\n      return `  \\x1B[31m✗\\x1B[0m ${path.padEnd(28)} ${issue.message}`\n    })\n    .join('\\n')\n}\n\nconst YELLOW = '\\x1B[33m'\nconst BOLD_YELLOW = '\\x1B[1;33m'\nconst CYAN = '\\x1B[36m'\nconst RESET = '\\x1B[0m'\n\nconst BOX_WIDTH = 66\n// 1 left border + 2 left spaces + content + 1 right border = BOX_WIDTH\n// content area = BOX_WIDTH - 4\nconst CONTENT_AREA = BOX_WIDTH - 4\n\n/** Maximum visible character length for an importer path inside the warning box. */\nexport const IMPORTER_MAX_LEN = CONTENT_AREA - 'Found in: '.length\n\n/**\n * Truncates an importer path to fit within maxLen visible characters.\n * Adds a leading '…' when truncation occurs so the rightmost (most specific) part is preserved.\n */\nexport function truncateImporter(importerPath: string, maxLen: number): string {\n  if (importerPath.length <= maxLen)\n    return importerPath\n  return `\\u2026${importerPath.slice(-(maxLen - 1))}`\n}\n\nfunction boxTop(): string {\n  return `${YELLOW}\\u250C${'─'.repeat(BOX_WIDTH - 2)}\\u2510${RESET}`\n}\n\nfunction boxBottom(): string {\n  return `${YELLOW}\\u2514${'─'.repeat(BOX_WIDTH - 2)}\\u2518${RESET}`\n}\n\nfunction boxLine(visibleText: string, renderedText = visibleText): string {\n  const rightPad = ' '.repeat(Math.max(0, CONTENT_AREA - visibleText.length))\n  return `${YELLOW}\\u2502${RESET}  ${renderedText}${rightPad}${YELLOW}\\u2502${RESET}`\n}\n\n/**\n * Renders the colored terminal warning box for 'warn' mode.\n * Every line is exactly 66 characters wide (visible chars, excluding ANSI codes),\n * assuming Vite environment names are short (≤19 chars). Longer names will extend\n * the line beyond 66 chars without crashing — Math.max(0) prevents negative padding.\n * Use in logger.warn() calls — not in log files.\n */\nexport function formatGuardWarning(fail: GuardFail): string {\n  const importerDisplay = fail.importer === undefined\n    ? '(unknown)'\n    : truncateImporter(fail.importer, IMPORTER_MAX_LEN)\n\n  const warnTitle = 'To enforce now:  onClientAccessOfServerModule: \\'error\\''\n  const stubTitle = 'To silence:      onClientAccessOfServerModule: \\'stub\\''\n\n  return [\n    boxTop(),\n    boxLine(\n      '[vite-env] DEPRECATION WARNING',\n      `${BOLD_YELLOW}[vite-env] DEPRECATION WARNING${RESET}`,\n    ),\n    boxLine(''),\n    boxLine(`virtual:env/server was imported from the \"${fail.envName}\"`),\n    boxLine('environment. This will be a hard build error in 1.0.0.'),\n    boxLine(''),\n    boxLine(warnTitle, `To enforce now:  ${CYAN}onClientAccessOfServerModule: 'error'${RESET}`),\n    boxLine(stubTitle, `To silence:      ${CYAN}onClientAccessOfServerModule: 'stub'${RESET}`),\n    boxLine(''),\n    boxLine(`Found in: ${importerDisplay}`),\n    boxBottom(),\n  ].join('\\n')\n}\n\n/**\n * Renders the plain-text hard error message thrown in 'error' mode.\n * No ANSI — thrown as an Error message, not printed via logger.\n */\nexport function formatHardError(fail: GuardFail): string {\n  const importerLine = fail.importer ?? '(unknown)'\n  return [\n    `[vite-env] virtual:env/server is not available in the \"${fail.envName}\" environment.`,\n    ``,\n    `  Server-only modules cannot be imported from client code.`,\n    `  Add this environment to serverEnvironments if intentional:`,\n    ``,\n    `    ViteEnv({ serverEnvironments: ['ssr', '${fail.envName}'] })`,\n    ``,\n    `  Or change enforcement:`,\n    ``,\n    `    ViteEnv({ onClientAccessOfServerModule: 'stub' })`,\n    ``,\n    `  Imported from: ${importerLine}`,\n  ].join('\\n')\n}\n\n/**\n * Renders a single ANSI-free log entry for vite-env-warnings.log.\n * Uses the same (unknown) convention as formatGuardWarning for missing importers.\n */\nexport function formatGuardLogEntry(fail: GuardFail, timestamp: string): string {\n  const importerLine = fail.importer ?? '(unknown)'\n  return [\n    `[${timestamp}] virtual:env/server accessed from \"${fail.envName}\" environment`,\n    `  Importer: ${importerLine}`,\n  ].join('\\n')\n}\n"],"mappings":";AAIA,SAAgB,eAAe,QAAkC;AAC/D,QAAO,OACJ,KAAK,UAAU;AAEd,SAAO,uBADM,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,UAC1B,OAAO,GAAG,CAAC,GAAG,MAAM;GACtD,CACD,KAAK,KAAK;;AAGf,SAAgB,0BAA0B,QAA2C;AACnF,QAAO,OACJ,KAAK,UAAU;AAId,SAAO,uBAHM,MAAM,KAAK,SAAS,IAC7B,MAAM,KAAK,KAAI,QAAO,OAAO,QAAQ,YAAY,QAAQ,QAAQ,SAAS,MAAM,OAAO,IAAI,IAAI,GAAG,OAAO,IAAI,CAAC,CAAC,KAAK,IAAI,GACxH,UAC8B,OAAO,GAAG,CAAC,GAAG,MAAM;GACtD,CACD,KAAK,KAAK;;AAGf,MAAM,SAAS;AACf,MAAM,cAAc;AACpB,MAAM,OAAO;AACb,MAAM,QAAQ;AAEd,MAAM,YAAY;AAGlB,MAAM,eAAe,YAAY;;AAGjC,MAAa,mBAAmB,eAAe;;;;;AAM/C,SAAgB,iBAAiB,cAAsB,QAAwB;AAC7E,KAAI,aAAa,UAAU,OACzB,QAAO;AACT,QAAO,SAAS,aAAa,MAAM,EAAE,SAAS,GAAG;;AAGnD,SAAS,SAAiB;AACxB,QAAO,GAAG,OAAO,QAAQ,IAAI,OAAO,YAAY,EAAE,CAAC,QAAQ;;AAG7D,SAAS,YAAoB;AAC3B,QAAO,GAAG,OAAO,QAAQ,IAAI,OAAO,YAAY,EAAE,CAAC,QAAQ;;AAG7D,SAAS,QAAQ,aAAqB,eAAe,aAAqB;AAExE,QAAO,GAAG,OAAO,QAAQ,MAAM,IAAI,eADlB,IAAI,OAAO,KAAK,IAAI,GAAG,eAAe,YAAY,OAAO,CAAC,GACd,OAAO,QAAQ;;;;;;;;;AAU9E,SAAgB,mBAAmB,MAAyB;CAC1D,MAAM,kBAAkB,KAAK,aAAa,KAAA,IACtC,cACA,iBAAiB,KAAK,UAAA,GAA2B;AAKrD,QAAO;EACL,QAAQ;EACR,QACE,kCACA,GAAG,YAAY,gCAAgC,QAChD;EACD,QAAQ,GAAG;EACX,QAAQ,6CAA6C,KAAK,QAAQ,GAAG;EACrE,QAAQ,yDAAyD;EACjE,QAAQ,GAAG;EACX,QAbgB,0DAaG,oBAAoB,KAAK,uCAAuC,QAAQ;EAC3F,QAbgB,yDAaG,oBAAoB,KAAK,sCAAsC,QAAQ;EAC1F,QAAQ,GAAG;EACX,QAAQ,aAAa,kBAAkB;EACvC,WAAW;EACZ,CAAC,KAAK,KAAK;;;;;;AAOd,SAAgB,gBAAgB,MAAyB;CACvD,MAAM,eAAe,KAAK,YAAY;AACtC,QAAO;EACL,0DAA0D,KAAK,QAAQ;EACvE;EACA;EACA;EACA;EACA,8CAA8C,KAAK,QAAQ;EAC3D;EACA;EACA;EACA;EACA;EACA,oBAAoB;EACrB,CAAC,KAAK,KAAK;;;;;;AAOd,SAAgB,oBAAoB,MAAiB,WAA2B;CAC9E,MAAM,eAAe,KAAK,YAAY;AACtC,QAAO,CACL,IAAI,UAAU,sCAAsC,KAAK,QAAQ,gBACjE,eAAe,eAChB,CAAC,KAAK,KAAK"}

package/dist/index.cjs

@@ -1,11 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-require("./dts-DF71HNdJ.cjs");
 const require_schema = require("./schema.cjs");
-let zod = require("zod");
+const require_standard = require("./standard.cjs");
 exports.defineEnv = require_schema.defineEnv;
-Object.defineProperty(exports, "z", {
-	enumerable: true,
-	get: function() {
-		return zod.z;
-	}
-});
+exports.defineStandardEnv = require_standard.defineStandardEnv;

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { n as InferClientEnv, r as InferServerEnv, t as EnvDefinition } from "./types-DqTMuWwc.cjs";
+import { a as StandardEnvDefinition, i as InferServerEnv, n as EnvDefinition, r as InferClientEnv, t as AnyEnvDefinition } from "./types-1okexcwM.cjs";
 import { defineEnv } from "./schema.cjs";
-import { z } from "zod";
-export { type EnvDefinition, type InferClientEnv, type InferServerEnv, defineEnv, z };
+import { defineStandardEnv } from "./standard.cjs";
+export { type AnyEnvDefinition, type EnvDefinition, type InferClientEnv, type InferServerEnv, type StandardEnvDefinition, defineEnv, defineStandardEnv };

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { n as InferClientEnv, r as InferServerEnv, t as EnvDefinition } from "./types-CluiDKAQ.mjs";
+import { a as StandardEnvDefinition, i as InferServerEnv, n as EnvDefinition, r as InferClientEnv, t as AnyEnvDefinition } from "./types-DuWT_251.mjs";
 import { defineEnv } from "./schema.mjs";
-import { z } from "zod";
-export { type EnvDefinition, type InferClientEnv, type InferServerEnv, defineEnv, z };
+import { defineStandardEnv } from "./standard.mjs";
+export { type AnyEnvDefinition, type EnvDefinition, type InferClientEnv, type InferServerEnv, type StandardEnvDefinition, defineEnv, defineStandardEnv };

package/dist/index.mjs

@@ -1,3 +1,3 @@
 import { defineEnv } from "./schema.mjs";
-import { z } from "zod";
-export { defineEnv, z };
+import { defineStandardEnv } from "./standard.mjs";
+export { defineEnv, defineStandardEnv };

package/dist/leak.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { EnvDefinition } from './types'\n\ninterface LeakReport {\n  key: string\n  chunk: string\n}\n\n/**\n * Scans all client-destined chunks for literal values of server-only vars.\n * Fires in generateBundle() — Rolldown sequential hook, safe.\n *\n * Strategy: for each server-only key, check if its actual runtime value\n * appears as a literal string in any output chunk's source code.\n * Short/common values (< 8 chars) are skipped to avoid false positives.\n */\nexport function detectServerLeak(\n  def: EnvDefinition,\n  data: Record<string, unknown>,\n  bundle: Record<string, { type: string, code?: string }>,\n  onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n  const serverKeys = new Set(Object.keys(def.server ?? {}))\n\n  const shortSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length < 8,\n  )\n\n  if (shortSecrets.length > 0 && onSkipped) {\n    onSkipped(shortSecrets.map(([k]) => k))\n  }\n\n  const serverSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length >= 8,\n  )\n\n  const chunks = Object.entries(bundle).filter(\n    ([, chunk]) => chunk.type === 'chunk' && !!chunk.code,\n  )\n\n  const leaks: LeakReport[] = []\n  for (const [key, value] of serverSecrets) {\n    for (const [chunkName, chunk] of chunks) {\n      if (chunk.code!.includes(value)) {\n        leaks.push({ key, chunk: chunkName })\n      }\n    }\n  }\n\n  return leaks\n}\n"],"mappings":";;;;;;;;;;AAeA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,SAAS,EACxB;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,UAAU,EACzB;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,cACzB,MAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,MAAM,KAAM,SAAS,MAAM,CAC7B,OAAM,KAAK;EAAE;EAAK,OAAO;EAAW,CAAC;AAK3C,QAAO"}
+{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from './types'\n\ninterface LeakReport {\n  key: string\n  chunk: string\n}\n\n/**\n * Scans all client-destined chunks for literal values of server-only vars.\n * Fires in generateBundle() — Rolldown sequential hook, safe.\n *\n * Strategy: for each server-only key, check if its actual runtime value\n * appears as a literal string in any output chunk's source code.\n * Short/common values (< 8 chars) are skipped to avoid false positives.\n */\nexport function detectServerLeak(\n  def: AnyEnvDefinition,\n  data: Record<string, unknown>,\n  bundle: Record<string, { type: string, code?: string }>,\n  onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n  const serverKeys = new Set(Object.keys(def.server ?? {}))\n\n  const shortSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length < 8,\n  )\n\n  if (shortSecrets.length > 0 && onSkipped) {\n    onSkipped(shortSecrets.map(([k]) => k))\n  }\n\n  const serverSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length >= 8,\n  )\n\n  const chunks = Object.entries(bundle).filter(\n    ([, chunk]) => chunk.type === 'chunk' && !!chunk.code,\n  )\n\n  const leaks: LeakReport[] = []\n  for (const [key, value] of serverSecrets) {\n    for (const [chunkName, chunk] of chunks) {\n      if (chunk.code!.includes(value)) {\n        leaks.push({ key, chunk: chunkName })\n      }\n    }\n  }\n\n  return leaks\n}\n"],"mappings":";;;;;;;;;;AAeA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,SAAS,EACxB;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,UAAU,EACzB;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,cACzB,MAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,MAAM,KAAM,SAAS,MAAM,CAC7B,OAAM,KAAK;EAAE;EAAK,OAAO;EAAW,CAAC;AAK3C,QAAO"}

package/dist/leak.d.cts

@@ -1,4 +1,4 @@
-import { t as EnvDefinition } from "./types-DqTMuWwc.cjs";
+import { t as AnyEnvDefinition } from "./types-1okexcwM.cjs";
 
 //#region src/leak.d.ts
 interface LeakReport {
@@ -13,7 +13,7 @@ interface LeakReport {
  * appears as a literal string in any output chunk's source code.
  * Short/common values (< 8 chars) are skipped to avoid false positives.
  */
-declare function detectServerLeak(def: EnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
+declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
   type: string;
   code?: string;
 }>, onSkipped?: (keys: string[]) => void): LeakReport[];

package/dist/leak.d.mts

@@ -1,4 +1,4 @@
-import { t as EnvDefinition } from "./types-CluiDKAQ.mjs";
+import { t as AnyEnvDefinition } from "./types-DuWT_251.mjs";
 
 //#region src/leak.d.ts
 interface LeakReport {
@@ -13,7 +13,7 @@ interface LeakReport {
  * appears as a literal string in any output chunk's source code.
  * Short/common values (< 8 chars) are skipped to avoid false positives.
  */
-declare function detectServerLeak(def: EnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
+declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
   type: string;
   code?: string;
 }>, onSkipped?: (keys: string[]) => void): LeakReport[];

package/dist/leak.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { EnvDefinition } from './types'\n\ninterface LeakReport {\n  key: string\n  chunk: string\n}\n\n/**\n * Scans all client-destined chunks for literal values of server-only vars.\n * Fires in generateBundle() — Rolldown sequential hook, safe.\n *\n * Strategy: for each server-only key, check if its actual runtime value\n * appears as a literal string in any output chunk's source code.\n * Short/common values (< 8 chars) are skipped to avoid false positives.\n */\nexport function detectServerLeak(\n  def: EnvDefinition,\n  data: Record<string, unknown>,\n  bundle: Record<string, { type: string, code?: string }>,\n  onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n  const serverKeys = new Set(Object.keys(def.server ?? {}))\n\n  const shortSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length < 8,\n  )\n\n  if (shortSecrets.length > 0 && onSkipped) {\n    onSkipped(shortSecrets.map(([k]) => k))\n  }\n\n  const serverSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length >= 8,\n  )\n\n  const chunks = Object.entries(bundle).filter(\n    ([, chunk]) => chunk.type === 'chunk' && !!chunk.code,\n  )\n\n  const leaks: LeakReport[] = []\n  for (const [key, value] of serverSecrets) {\n    for (const [chunkName, chunk] of chunks) {\n      if (chunk.code!.includes(value)) {\n        leaks.push({ key, chunk: chunkName })\n      }\n    }\n  }\n\n  return leaks\n}\n"],"mappings":";;;;;;;;;AAeA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,SAAS,EACxB;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,UAAU,EACzB;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,cACzB,MAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,MAAM,KAAM,SAAS,MAAM,CAC7B,OAAM,KAAK;EAAE;EAAK,OAAO;EAAW,CAAC;AAK3C,QAAO"}
+{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from './types'\n\ninterface LeakReport {\n  key: string\n  chunk: string\n}\n\n/**\n * Scans all client-destined chunks for literal values of server-only vars.\n * Fires in generateBundle() — Rolldown sequential hook, safe.\n *\n * Strategy: for each server-only key, check if its actual runtime value\n * appears as a literal string in any output chunk's source code.\n * Short/common values (< 8 chars) are skipped to avoid false positives.\n */\nexport function detectServerLeak(\n  def: AnyEnvDefinition,\n  data: Record<string, unknown>,\n  bundle: Record<string, { type: string, code?: string }>,\n  onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n  const serverKeys = new Set(Object.keys(def.server ?? {}))\n\n  const shortSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length < 8,\n  )\n\n  if (shortSecrets.length > 0 && onSkipped) {\n    onSkipped(shortSecrets.map(([k]) => k))\n  }\n\n  const serverSecrets = Object.entries(data).filter(\n    (entry): entry is [string, string] =>\n      serverKeys.has(entry[0])\n      && typeof entry[1] === 'string'\n      && entry[1].length >= 8,\n  )\n\n  const chunks = Object.entries(bundle).filter(\n    ([, chunk]) => chunk.type === 'chunk' && !!chunk.code,\n  )\n\n  const leaks: LeakReport[] = []\n  for (const [key, value] of serverSecrets) {\n    for (const [chunkName, chunk] of chunks) {\n      if (chunk.code!.includes(value)) {\n        leaks.push({ key, chunk: chunkName })\n      }\n    }\n  }\n\n  return leaks\n}\n"],"mappings":";;;;;;;;;AAeA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,SAAS,EACxB;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IACrB,OAAO,MAAM,OAAO,YACpB,MAAM,GAAG,UAAU,EACzB;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,cACzB,MAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,MAAM,KAAM,SAAS,MAAM,CAC7B,OAAM,KAAK;EAAE;EAAK,OAAO;EAAW,CAAC;AAK3C,QAAO"}

package/dist/plugin.cjs

@@ -1,5 +1,5 @@
-const require_dts = require("./dts-DF71HNdJ.cjs");
-const require_schema = require("./schema.cjs");
+const require_dts = require("./dts-BgHTl6hC.cjs");
+const require_standard = require("./standard.cjs");
 const require_config = require("./config.cjs");
 const require_format = require("./format.cjs");
 const require_leak = require("./leak.cjs");
@@ -7,7 +7,72 @@ let node_path = require("node:path");
 node_path = require_dts.__toESM(node_path);
 let node_process = require("node:process");
 node_process = require_dts.__toESM(node_process);
+let node_fs_promises = require("node:fs/promises");
+node_fs_promises = require_dts.__toESM(node_fs_promises);
 let vite = require("vite");
+//#region src/guard.ts
+/**
+* Determines whether the given Vite environment is allowed to import virtual:env/server.
+* Returns a GuardResult discriminated union — allowed or fail with context.
+* When this.environment is undefined (should not occur with Vite ≥ 8), callers default
+* envName to 'client' — failing closed (restrictive) is safer than failing open.
+*/
+function checkServerModuleAccess(envName, serverEnvironments, mode, importer) {
+	if (serverEnvironments.includes(envName)) return { allowed: true };
+	return {
+		allowed: false,
+		mode,
+		envName,
+		importer
+	};
+}
+/**
+* Generates the stub virtual module returned when onClientAccessOfServerModule is 'stub'.
+* The stub throws at runtime if executed — its message reflects that this import was
+* expected to be unreachable and the assumption was wrong.
+*/
+function buildServerStubModule(envName) {
+	return {
+		moduleType: "js",
+		code: `// Auto-generated by @vite-env/core — server-only module stub
+throw new Error(
+  '[vite-env] virtual:env/server was imported in the "${envName}" environment. ' +
+  'This module is server-only and was replaced with a stub. ' +
+  'To allow this environment: add it to serverEnvironments. ' +
+  'To suppress this stub: ensure this import never executes in the "${envName}" environment.'
+);`
+	};
+}
+//#endregion
+//#region src/log.ts
+const LOG_HEADER = `# vite-env warnings — generated by @vite-env/core
+# These warnings will become hard errors in 1.0.0.
+# To enforce immediately: ViteEnv({ onClientAccessOfServerModule: 'error' })
+# To acknowledge and suppress: ViteEnv({ onClientAccessOfServerModule: 'stub' })
+# To allow specific environments: ViteEnv({ serverEnvironments: ['ssr', 'workerd'] })`;
+/**
+* Writes accumulated GuardFail entries to vite-env-warnings.log in the project root.
+* Overwrites on each build — stale entries from previous builds must not persist.
+* Called only in 'warn' mode from buildEnd, after verifying the build succeeded.
+*/
+async function writeWarningsLog(fails, root) {
+	const seen = /* @__PURE__ */ new Set();
+	const unique = fails.filter((fail) => {
+		const key = `${fail.envName}::${fail.importer ?? ""}`;
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+	const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+	const content = `${LOG_HEADER}\n\n${unique.map((fail) => require_format.formatGuardLogEntry(fail, timestamp)).join("\n\n")}\n`;
+	const filePath = node_path.default.join(root, "vite-env-warnings.log");
+	try {
+		await node_fs_promises.default.writeFile(filePath, content, "utf-8");
+	} catch (e) {
+		throw new Error(`[vite-env] Failed to write vite-env-warnings.log to ${root}. Check file permissions.`, { cause: e });
+	}
+}
+//#endregion
 //#region src/sources.ts
 /**
 * Merge priority (highest → lowest):
@@ -50,10 +115,31 @@ export default env;`
 }
 //#endregion
 //#region src/plugin.ts
+/**
+* Validates environment variables against the definition.
+* Routes to Zod or Standard Schema path based on definition type.
+* Zod modules are loaded dynamically to avoid requiring zod for Standard Schema users.
+*/
+async function validateAndFormat(def, rawEnv) {
+	if (require_standard.isStandardEnvDefinition(def)) {
+		const result = await require_standard.validateStandardEnv(def, rawEnv);
+		if (!result.success) return { error: require_format.formatStandardSchemaError(result.errors) };
+		return { data: result.data };
+	}
+	const { validateEnv } = await Promise.resolve().then(() => require("./schema.cjs"));
+	const { formatZodError } = await Promise.resolve().then(() => require("./format.cjs"));
+	const result = validateEnv(def, rawEnv);
+	if (!result.success) return { error: formatZodError(result.errors) };
+	return { data: result.data };
+}
 function ViteEnv(options = {}) {
 	let resolvedConfig;
 	let envDefinition;
 	let lastValidated = {};
+	let serverModuleGuardFails = [];
+	let didSetExitCode = false;
+	const serverEnvs = options.serverEnvironments ?? ["ssr"];
+	const guardMode = options.onClientAccessOfServerModule ?? "warn";
 	return {
 		name: "vite-env",
 		enforce: "pre",
@@ -67,24 +153,52 @@ function ViteEnv(options = {}) {
 			}
 		},
 		async buildStart() {
-			const rawEnv = await loadEnvSources(resolvedConfig);
-			const result = require_schema.validateEnv(envDefinition, rawEnv);
-			if (!result.success) {
-				const formatted = require_format.formatZodError(result.errors);
-				throw new Error(`[vite-env] Environment validation failed:\n\n${formatted}`);
+			serverModuleGuardFails = [];
+			if (didSetExitCode) {
+				node_process.default.exitCode = 0;
+				didSetExitCode = false;
 			}
+			const rawEnv = await loadEnvSources(resolvedConfig);
+			const result = await validateAndFormat(envDefinition, rawEnv);
+			if ("error" in result) throw new Error(`[vite-env] Environment validation failed:\n\n${result.error}`);
 			lastValidated = result.data;
-			await require_dts.generateDts(envDefinition, resolvedConfig.root);
-			const count = Object.keys(result.data).length;
+			if (require_standard.isStandardEnvDefinition(envDefinition)) await require_dts.generateStandardDts(envDefinition, resolvedConfig.root);
+			else {
+				const { generateDts } = await Promise.resolve().then(() => require("./dts.cjs"));
+				await generateDts(envDefinition, resolvedConfig.root);
+			}
+			const count = Object.keys(lastValidated).length;
 			resolvedConfig.logger.info(`  \x1B[32m✓\x1B[0m \x1B[36m[vite-env]\x1B[0m ${count} variables validated`);
 		},
-		resolveId(id) {
-			if (id === "virtual:env/client") return "\0virtual:env/client";
-			if (id === "virtual:env/server") return "\0virtual:env/server";
+		resolveId(source, importer) {
+			if (source === "virtual:env/client") return "\0virtual:env/client";
+			if (source === "virtual:env/server") {
+				const result = checkServerModuleAccess(this.environment?.name ?? "client", serverEnvs, guardMode, importer);
+				if (!result.allowed) serverModuleGuardFails.push(result);
+				return "\0virtual:env/server";
+			}
 		},
 		load(id) {
 			if (id === "\0virtual:env/client") return buildClientModule(envDefinition, lastValidated);
-			if (id === "\0virtual:env/server") return buildServerModule(envDefinition, lastValidated);
+			if (id === "\0virtual:env/server") {
+				const envName = this.environment?.name ?? "client";
+				const envFails = serverModuleGuardFails.filter((f) => f.envName === envName);
+				if (envFails.length > 0) {
+					const latest = envFails.at(-1);
+					if (latest.mode === "error") throw new Error(require_format.formatHardError(latest));
+					if (latest.mode === "stub") return buildServerStubModule(envName);
+					resolvedConfig.logger.warn(`\n${require_format.formatGuardWarning(latest)}`);
+				}
+				return buildServerModule(envDefinition, lastValidated);
+			}
+		},
+		async buildEnd(error) {
+			if (error) return;
+			if (serverModuleGuardFails.length === 0) return;
+			if (guardMode !== "warn") return;
+			await writeWarningsLog(serverModuleGuardFails, resolvedConfig.root);
+			node_process.default.exitCode = 1;
+			didSetExitCode = true;
 		},
 		generateBundle(_options, bundle) {
 			if (resolvedConfig.build.ssr) return;
@@ -106,10 +220,9 @@ function ViteEnv(options = {}) {
 				debounceTimer = setTimeout(async () => {
 					try {
 						const rawEnv = await loadEnvSources(resolvedConfig);
-						const result = require_schema.validateEnv(envDefinition, rawEnv);
-						if (!result.success) {
-							const formatted = require_format.formatZodError(result.errors);
-							resolvedConfig.logger.warn(`\n  \x1B[33m⚠\x1B[0m \x1B[36m[vite-env]\x1B[0m Env revalidation failed:\n${formatted}`);
+						const result = await validateAndFormat(envDefinition, rawEnv);
+						if ("error" in result) {
+							resolvedConfig.logger.warn(`\n  \x1B[33m⚠\x1B[0m \x1B[36m[vite-env]\x1B[0m Env revalidation failed:\n${result.error}`);
 							return;
 						}
 						lastValidated = result.data;
@@ -118,6 +231,7 @@ function ViteEnv(options = {}) {
 						if (clientMod) server.moduleGraph.invalidateModule(clientMod);
 						if (serverMod) server.moduleGraph.invalidateModule(serverMod);
 						if (clientMod || serverMod) {
+							serverModuleGuardFails = [];
 							server.hot.send({ type: "full-reload" });
 							resolvedConfig.logger.info(`  \x1B[32m✓\x1B[0m \x1B[36m[vite-env]\x1B[0m Env revalidated`);
 						}

package/dist/plugin.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.cjs","names":["process","path","loadEnvConfig","validateEnv","formatZodError","generateDts","detectServerLeak"],"sources":["../src/sources.ts","../src/virtual.ts","../src/plugin.ts"],"sourcesContent":["// @env node\nimport type { ResolvedConfig } from 'vite'\nimport process from 'node:process'\nimport { loadEnv } from 'vite'\n\n/**\n * Merge priority (highest → lowest):\n *   1. process.env        (CI pipeline secrets win)\n *   2. .env.[mode].local\n *   3. .env.[mode]\n *   4. .env.local\n *   5. .env\n *\n * Prefix '' = load everything, schema decides what's valid.\n */\nexport async function loadEnvSources(\n  config: ResolvedConfig,\n): Promise<Record<string, string>> {\n  const fileEnv = loadEnv(\n    config.mode,\n    config.envDir || config.root,\n    '', // no prefix filter — schema is the filter\n  )\n\n  return {\n    ...fileEnv,\n    ...filterStrings(process.env),\n  }\n}\n\nfunction filterStrings(env: NodeJS.ProcessEnv): Record<string, string> {\n  return Object.fromEntries(\n    Object.entries(env).filter(\n      (entry): entry is [string, string] => typeof entry[1] === 'string',\n    ),\n  )\n}\n","import type { EnvDefinition } from './types'\n\nexport function buildClientModule(\n  def: EnvDefinition,\n  data: Record<string, unknown>,\n): { code: string, moduleType: 'js' } {\n  const clientKeys = new Set(Object.keys(def.client ?? {}))\n\n  const clientData = Object.fromEntries(\n    Object.entries(data).filter(([k]) => clientKeys.has(k)),\n  )\n\n  return {\n    moduleType: 'js', // Required: Vite 8 / Rolldown explicit moduleType\n    code: `// Auto-generated by @vite-env/core — do not edit\nexport const env = Object.freeze(${JSON.stringify(clientData, null, 2)});\nexport default env;`,\n  }\n}\n\nexport function buildServerModule(\n  _def: EnvDefinition,\n  data: Record<string, unknown>,\n): { code: string, moduleType: 'js' } {\n  return {\n    moduleType: 'js',\n    code: `// Auto-generated by @vite-env/core — do not edit\nexport const env = Object.freeze(${JSON.stringify(data, null, 2)});\nexport default env;`,\n  }\n}\n","// @env node\nimport type { Plugin, ResolvedConfig } from 'vite'\nimport type { EnvDefinition } from './types'\nimport path from 'node:path'\nimport { loadEnvConfig } from './config'\nimport { generateDts } from './dts'\nimport { formatZodError } from './format'\nimport { detectServerLeak } from './leak'\nimport { validateEnv } from './schema'\nimport { loadEnvSources } from './sources'\nimport { buildClientModule, buildServerModule } from './virtual'\n\nexport interface ViteEnvOptions {\n  /**\n   * Path to env definition file.\n   * @default './env.ts' (resolved from project root)\n   */\n  configFile?: string\n}\n\nexport default function ViteEnv(options: ViteEnvOptions = {}): Plugin {\n  let resolvedConfig: ResolvedConfig\n  let envDefinition: EnvDefinition\n  let lastValidated: Record<string, unknown> = {}\n\n  return {\n    name: 'vite-env',\n    enforce: 'pre',\n\n    async configResolved(config) {\n      resolvedConfig = config\n\n      const configPath = path.resolve(\n        config.root,\n        options.configFile ?? 'env.ts',\n      )\n\n      try {\n        envDefinition = await loadEnvConfig(configPath)\n      }\n      catch (e) {\n        throw new Error(\n          `[vite-env] Could not load env definition file at: ${configPath}\\n`\n          + `  Create an env.ts file and export default defineEnv({ ... })`,\n          { cause: e },\n        )\n      }\n    },\n\n    async buildStart() {\n      const rawEnv = await loadEnvSources(resolvedConfig)\n      const result = validateEnv(envDefinition, rawEnv)\n\n      if (!result.success) {\n        const formatted = formatZodError(result.errors)\n        throw new Error(\n          `[vite-env] Environment validation failed:\\n\\n${formatted}`,\n        )\n      }\n\n      lastValidated = result.data\n\n      await generateDts(envDefinition, resolvedConfig.root)\n\n      const count = Object.keys(result.data).length\n      resolvedConfig.logger.info(\n        `  \\x1B[32m✓\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m ${count} variables validated`,\n      )\n    },\n\n    resolveId(id) {\n      if (id === 'virtual:env/client')\n        return '\\0virtual:env/client'\n      if (id === 'virtual:env/server')\n        return '\\0virtual:env/server'\n    },\n\n    load(id) {\n      if (id === '\\0virtual:env/client')\n        return buildClientModule(envDefinition, lastValidated)\n      if (id === '\\0virtual:env/server')\n        return buildServerModule(envDefinition, lastValidated)\n    },\n\n    generateBundle(_options, bundle) {\n      if (resolvedConfig.build.ssr)\n        return\n\n      const leaks = detectServerLeak(\n        envDefinition,\n        lastValidated,\n        bundle as Record<string, { type: string, code?: string }>,\n        (keys) => {\n          resolvedConfig.logger.warn(\n            `  \\x1B[33m⚠\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Leak detection skipped ${keys.length} server variable(s) with values shorter than 8 chars: ${keys.join(', ')}`,\n          )\n        },\n      )\n\n      if (leaks.length > 0) {\n        const details = leaks.map(l => `  ✗ ${l.key} found in ${l.chunk}`).join('\\n')\n        throw new Error(\n          `[vite-env] Server environment variables detected in client bundle!\\n\\n${details}\\n\\n  These variables are marked as server-only and must never reach the browser.`,\n        )\n      }\n    },\n\n    configureServer(server) {\n      const envDir = resolvedConfig.envDir || resolvedConfig.root\n      server.watcher.add(path.join(envDir, '.env*'))\n\n      let debounceTimer: ReturnType<typeof setTimeout>\n\n      server.watcher.on('change', async (file) => {\n        if (!path.basename(file).startsWith('.env'))\n          return\n\n        clearTimeout(debounceTimer)\n        debounceTimer = setTimeout(async () => {\n          try {\n            const rawEnv = await loadEnvSources(resolvedConfig)\n            const result = validateEnv(envDefinition, rawEnv)\n\n            if (!result.success) {\n              const formatted = formatZodError(result.errors)\n              resolvedConfig.logger.warn(\n                `\\n  \\x1B[33m⚠\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Env revalidation failed:\\n${formatted}`,\n              )\n              return\n            }\n\n            lastValidated = result.data\n\n            const clientMod = server.moduleGraph.getModuleById('\\0virtual:env/client')\n            const serverMod = server.moduleGraph.getModuleById('\\0virtual:env/server')\n            if (clientMod)\n              server.moduleGraph.invalidateModule(clientMod)\n            if (serverMod)\n              server.moduleGraph.invalidateModule(serverMod)\n            if (clientMod || serverMod) {\n              server.hot.send({ type: 'full-reload' })\n              resolvedConfig.logger.info(\n                `  \\x1B[32m✓\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Env revalidated`,\n              )\n            }\n          }\n          catch (e) {\n            resolvedConfig.logger.error(\n              `\\n  \\x1B[31m✗\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Failed to reload env files: ${e instanceof Error ? e.message : String(e)}`,\n            )\n          }\n        }, 150) // 150ms debounce\n      })\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAeA,eAAsB,eACpB,QACiC;AAOjC,QAAO;EACL,IAAA,GAAA,KAAA,SANA,OAAO,MACP,OAAO,UAAU,OAAO,MACxB,GACD;EAIC,GAAG,cAAcA,aAAAA,QAAQ,IAAI;EAC9B;;AAGH,SAAS,cAAc,KAAgD;AACrE,QAAO,OAAO,YACZ,OAAO,QAAQ,IAAI,CAAC,QACjB,UAAqC,OAAO,MAAM,OAAO,SAC3D,CACF;;;;ACjCH,SAAgB,kBACd,KACA,MACoC;CACpC,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,aAAa,OAAO,YACxB,OAAO,QAAQ,KAAK,CAAC,QAAQ,CAAC,OAAO,WAAW,IAAI,EAAE,CAAC,CACxD;AAED,QAAO;EACL,YAAY;EACZ,MAAM;mCACyB,KAAK,UAAU,YAAY,MAAM,EAAE,CAAC;;EAEpE;;AAGH,SAAgB,kBACd,MACA,MACoC;AACpC,QAAO;EACL,YAAY;EACZ,MAAM;mCACyB,KAAK,UAAU,MAAM,MAAM,EAAE,CAAC;;EAE9D;;;;ACTH,SAAwB,QAAQ,UAA0B,EAAE,EAAU;CACpE,IAAI;CACJ,IAAI;CACJ,IAAI,gBAAyC,EAAE;AAE/C,QAAO;EACL,MAAM;EACN,SAAS;EAET,MAAM,eAAe,QAAQ;AAC3B,oBAAiB;GAEjB,MAAM,aAAaC,UAAAA,QAAK,QACtB,OAAO,MACP,QAAQ,cAAc,SACvB;AAED,OAAI;AACF,oBAAgB,MAAMC,eAAAA,cAAc,WAAW;YAE1C,GAAG;AACR,UAAM,IAAI,MACR,qDAAqD,WAAW,kEAEhE,EAAE,OAAO,GAAG,CACb;;;EAIL,MAAM,aAAa;GACjB,MAAM,SAAS,MAAM,eAAe,eAAe;GACnD,MAAM,SAASC,eAAAA,YAAY,eAAe,OAAO;AAEjD,OAAI,CAAC,OAAO,SAAS;IACnB,MAAM,YAAYC,eAAAA,eAAe,OAAO,OAAO;AAC/C,UAAM,IAAI,MACR,gDAAgD,YACjD;;AAGH,mBAAgB,OAAO;AAEvB,SAAMC,YAAAA,YAAY,eAAe,eAAe,KAAK;GAErD,MAAM,QAAQ,OAAO,KAAK,OAAO,KAAK,CAAC;AACvC,kBAAe,OAAO,KACpB,gDAAgD,MAAM,sBACvD;;EAGH,UAAU,IAAI;AACZ,OAAI,OAAO,qBACT,QAAO;AACT,OAAI,OAAO,qBACT,QAAO;;EAGX,KAAK,IAAI;AACP,OAAI,OAAO,uBACT,QAAO,kBAAkB,eAAe,cAAc;AACxD,OAAI,OAAO,uBACT,QAAO,kBAAkB,eAAe,cAAc;;EAG1D,eAAe,UAAU,QAAQ;AAC/B,OAAI,eAAe,MAAM,IACvB;GAEF,MAAM,QAAQC,aAAAA,iBACZ,eACA,eACA,SACC,SAAS;AACR,mBAAe,OAAO,KACpB,uEAAuE,KAAK,OAAO,wDAAwD,KAAK,KAAK,KAAK,GAC3J;KAEJ;AAED,OAAI,MAAM,SAAS,GAAG;IACpB,MAAM,UAAU,MAAM,KAAI,MAAK,OAAO,EAAE,IAAI,YAAY,EAAE,QAAQ,CAAC,KAAK,KAAK;AAC7E,UAAM,IAAI,MACR,yEAAyE,QAAQ,mFAClF;;;EAIL,gBAAgB,QAAQ;GACtB,MAAM,SAAS,eAAe,UAAU,eAAe;AACvD,UAAO,QAAQ,IAAIL,UAAAA,QAAK,KAAK,QAAQ,QAAQ,CAAC;GAE9C,IAAI;AAEJ,UAAO,QAAQ,GAAG,UAAU,OAAO,SAAS;AAC1C,QAAI,CAACA,UAAAA,QAAK,SAAS,KAAK,CAAC,WAAW,OAAO,CACzC;AAEF,iBAAa,cAAc;AAC3B,oBAAgB,WAAW,YAAY;AACrC,SAAI;MACF,MAAM,SAAS,MAAM,eAAe,eAAe;MACnD,MAAM,SAASE,eAAAA,YAAY,eAAe,OAAO;AAEjD,UAAI,CAAC,OAAO,SAAS;OACnB,MAAM,YAAYC,eAAAA,eAAe,OAAO,OAAO;AAC/C,sBAAe,OAAO,KACpB,4EAA4E,YAC7E;AACD;;AAGF,sBAAgB,OAAO;MAEvB,MAAM,YAAY,OAAO,YAAY,cAAc,uBAAuB;MAC1E,MAAM,YAAY,OAAO,YAAY,cAAc,uBAAuB;AAC1E,UAAI,UACF,QAAO,YAAY,iBAAiB,UAAU;AAChD,UAAI,UACF,QAAO,YAAY,iBAAiB,UAAU;AAChD,UAAI,aAAa,WAAW;AAC1B,cAAO,IAAI,KAAK,EAAE,MAAM,eAAe,CAAC;AACxC,sBAAe,OAAO,KACpB,+DACD;;cAGE,GAAG;AACR,qBAAe,OAAO,MACpB,8EAA8E,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACzH;;OAEF,IAAI;KACP;;EAEL"}
+{"version":3,"file":"plugin.cjs","names":["formatGuardLogEntry","path","fs","process","isStandardEnvDefinition","validateStandardEnv","formatStandardSchemaError","path","loadEnvConfig","generateStandardDts","formatHardError","formatGuardWarning","detectServerLeak"],"sources":["../src/guard.ts","../src/log.ts","../src/sources.ts","../src/virtual.ts","../src/plugin.ts"],"sourcesContent":["export type GuardMode = 'error' | 'stub' | 'warn'\n\nexport type GuardResult\n  = | { allowed: true }\n    | { allowed: false, mode: GuardMode, envName: string, importer: string | undefined }\n\nexport type GuardFail = Extract<GuardResult, { allowed: false }>\n\n/**\n * Determines whether the given Vite environment is allowed to import virtual:env/server.\n * Returns a GuardResult discriminated union — allowed or fail with context.\n * When this.environment is undefined (should not occur with Vite ≥ 8), callers default\n * envName to 'client' — failing closed (restrictive) is safer than failing open.\n */\nexport function checkServerModuleAccess(\n  envName: string,\n  serverEnvironments: string[],\n  mode: GuardMode,\n  importer: string | undefined,\n): GuardResult {\n  if (serverEnvironments.includes(envName))\n    return { allowed: true }\n  return { allowed: false, mode, envName, importer }\n}\n\n/**\n * Generates the stub virtual module returned when onClientAccessOfServerModule is 'stub'.\n * The stub throws at runtime if executed — its message reflects that this import was\n * expected to be unreachable and the assumption was wrong.\n */\nexport function buildServerStubModule(envName: string): { code: string, moduleType: 'js' } {\n  return {\n    moduleType: 'js',\n    code: `// Auto-generated by @vite-env/core — server-only module stub\nthrow new Error(\n  '[vite-env] virtual:env/server was imported in the \"${envName}\" environment. ' +\n  'This module is server-only and was replaced with a stub. ' +\n  'To allow this environment: add it to serverEnvironments. ' +\n  'To suppress this stub: ensure this import never executes in the \"${envName}\" environment.'\n);`,\n  }\n}\n","// @env node\nimport type { GuardFail } from './guard'\nimport fs from 'node:fs/promises'\nimport path from 'node:path'\nimport { formatGuardLogEntry } from './format'\n\nconst LOG_HEADER = `# vite-env warnings — generated by @vite-env/core\n# These warnings will become hard errors in 1.0.0.\n# To enforce immediately: ViteEnv({ onClientAccessOfServerModule: 'error' })\n# To acknowledge and suppress: ViteEnv({ onClientAccessOfServerModule: 'stub' })\n# To allow specific environments: ViteEnv({ serverEnvironments: ['ssr', 'workerd'] })`\n\n/**\n * Writes accumulated GuardFail entries to vite-env-warnings.log in the project root.\n * Overwrites on each build — stale entries from previous builds must not persist.\n * Called only in 'warn' mode from buildEnd, after verifying the build succeeded.\n */\nexport async function writeWarningsLog(fails: GuardFail[], root: string): Promise<void> {\n  const seen = new Set<string>()\n  const unique = fails.filter((fail) => {\n    const key = `${fail.envName}::${fail.importer ?? ''}`\n    if (seen.has(key))\n      return false\n    seen.add(key)\n    return true\n  })\n  const timestamp = new Date().toISOString()\n  const entries = unique.map(fail => formatGuardLogEntry(fail, timestamp)).join('\\n\\n')\n  const content = `${LOG_HEADER}\\n\\n${entries}\\n`\n  const filePath = path.join(root, 'vite-env-warnings.log')\n  try {\n    await fs.writeFile(filePath, content, 'utf-8')\n  }\n  catch (e) {\n    throw new Error(\n      `[vite-env] Failed to write vite-env-warnings.log to ${root}. Check file permissions.`,\n      { cause: e },\n    )\n  }\n}\n","// @env node\nimport type { ResolvedConfig } from 'vite'\nimport process from 'node:process'\nimport { loadEnv } from 'vite'\n\n/**\n * Merge priority (highest → lowest):\n *   1. process.env        (CI pipeline secrets win)\n *   2. .env.[mode].local\n *   3. .env.[mode]\n *   4. .env.local\n *   5. .env\n *\n * Prefix '' = load everything, schema decides what's valid.\n */\nexport async function loadEnvSources(\n  config: ResolvedConfig,\n): Promise<Record<string, string>> {\n  const fileEnv = loadEnv(\n    config.mode,\n    config.envDir || config.root,\n    '', // no prefix filter — schema is the filter\n  )\n\n  return {\n    ...fileEnv,\n    ...filterStrings(process.env),\n  }\n}\n\nfunction filterStrings(env: NodeJS.ProcessEnv): Record<string, string> {\n  return Object.fromEntries(\n    Object.entries(env).filter(\n      (entry): entry is [string, string] => typeof entry[1] === 'string',\n    ),\n  )\n}\n","import type { AnyEnvDefinition } from './types'\n\nexport function buildClientModule(\n  def: AnyEnvDefinition,\n  data: Record<string, unknown>,\n): { code: string, moduleType: 'js' } {\n  const clientKeys = new Set(Object.keys(def.client ?? {}))\n\n  const clientData = Object.fromEntries(\n    Object.entries(data).filter(([k]) => clientKeys.has(k)),\n  )\n\n  return {\n    moduleType: 'js', // Required: Vite 8 / Rolldown explicit moduleType\n    code: `// Auto-generated by @vite-env/core — do not edit\nexport const env = Object.freeze(${JSON.stringify(clientData, null, 2)});\nexport default env;`,\n  }\n}\n\nexport function buildServerModule(\n  _def: AnyEnvDefinition,\n  data: Record<string, unknown>,\n): { code: string, moduleType: 'js' } {\n  return {\n    moduleType: 'js',\n    code: `// Auto-generated by @vite-env/core — do not edit\nexport const env = Object.freeze(${JSON.stringify(data, null, 2)});\nexport default env;`,\n  }\n}\n","// @env node\nimport type { Plugin, ResolvedConfig, Rollup } from 'vite'\nimport type { GuardFail } from './guard'\nimport type { AnyEnvDefinition } from './types'\nimport path from 'node:path'\nimport process from 'node:process'\nimport { loadEnvConfig } from './config'\nimport { generateStandardDts } from './dts'\nimport { formatGuardWarning, formatHardError, formatStandardSchemaError } from './format'\nimport { buildServerStubModule, checkServerModuleAccess } from './guard'\nimport { detectServerLeak } from './leak'\nimport { writeWarningsLog } from './log'\nimport { loadEnvSources } from './sources'\nimport { isStandardEnvDefinition, validateStandardEnv } from './standard'\nimport { buildClientModule, buildServerModule } from './virtual'\n\nexport interface ViteEnvOptions {\n  /**\n   * Path to env definition file.\n   * @default './env.ts' (resolved from project root)\n   */\n  configFile?: string\n\n  /**\n   * Vite 8 environment names that are allowed to import virtual:env/server.\n   * Use this to allow edge runtimes (Cloudflare Workers → 'workerd', Deno Deploy → 'ssr').\n   * @default ['ssr']\n   */\n  serverEnvironments?: string[]\n\n  /**\n   * Behavior when virtual:env/server is imported from a disallowed environment.\n   *\n   * - 'warn'  — Deprecation warning printed to terminal + vite-env-warnings.log written.\n   *             Build succeeds but exits with code 1. Default in 0.x releases.\n   *             The default will change to 'error' in 1.0.0.\n   *\n   * - 'error' — Hard build error. No artifacts emitted.\n   *\n   * - 'stub'  — Returns a module that throws at runtime if the import executes.\n   *             Use for testing environments (Vitest jsdom) or framework isomorphic files\n   *             where the import exists but the code path is never reached in a server context.\n   *\n   * @default 'warn'\n   */\n  onClientAccessOfServerModule?: 'error' | 'stub' | 'warn'\n}\n\n/**\n * Validates environment variables against the definition.\n * Routes to Zod or Standard Schema path based on definition type.\n * Zod modules are loaded dynamically to avoid requiring zod for Standard Schema users.\n */\nasync function validateAndFormat(\n  def: AnyEnvDefinition,\n  rawEnv: Record<string, string>,\n): Promise<{ data: Record<string, unknown> } | { error: string }> {\n  if (isStandardEnvDefinition(def)) {\n    const result = await validateStandardEnv(def, rawEnv)\n    if (!result.success) {\n      return { error: formatStandardSchemaError(result.errors) }\n    }\n    return { data: result.data }\n  }\n\n  const { validateEnv } = await import('./schema')\n  const { formatZodError } = await import('./format')\n  const result = validateEnv(def, rawEnv)\n  if (!result.success) {\n    return { error: formatZodError(result.errors) }\n  }\n  return { data: result.data }\n}\n\nexport default function ViteEnv(options: ViteEnvOptions = {}): Plugin {\n  let resolvedConfig: ResolvedConfig\n  let envDefinition: AnyEnvDefinition\n  let lastValidated: Record<string, unknown> = {}\n  let serverModuleGuardFails: GuardFail[] = []\n  let didSetExitCode = false\n\n  const serverEnvs = options.serverEnvironments ?? ['ssr']\n  const guardMode = options.onClientAccessOfServerModule ?? 'warn'\n\n  return {\n    name: 'vite-env',\n    enforce: 'pre',\n\n    async configResolved(config) {\n      resolvedConfig = config\n\n      const configPath = path.resolve(\n        config.root,\n        options.configFile ?? 'env.ts',\n      )\n\n      try {\n        envDefinition = await loadEnvConfig(configPath)\n      }\n      catch (e) {\n        throw new Error(\n          `[vite-env] Could not load env definition file at: ${configPath}\\n`\n          + `  Create an env.ts file and export default defineEnv({ ... })`,\n          { cause: e },\n        )\n      }\n    },\n\n    async buildStart() {\n      serverModuleGuardFails = []\n      if (didSetExitCode) {\n        process.exitCode = 0\n        didSetExitCode = false\n      }\n\n      const rawEnv = await loadEnvSources(resolvedConfig)\n      const result = await validateAndFormat(envDefinition, rawEnv)\n\n      if ('error' in result) {\n        throw new Error(\n          `[vite-env] Environment validation failed:\\n\\n${result.error}`,\n        )\n      }\n\n      lastValidated = result.data\n\n      if (isStandardEnvDefinition(envDefinition)) {\n        await generateStandardDts(envDefinition, resolvedConfig.root)\n      }\n      else {\n        const { generateDts } = await import('./dts')\n        await generateDts(envDefinition, resolvedConfig.root)\n      }\n\n      const count = Object.keys(lastValidated).length\n      resolvedConfig.logger.info(\n        `  \\x1B[32m✓\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m ${count} variables validated`,\n      )\n    },\n\n    resolveId(this: Rollup.PluginContext, source, importer) {\n      if (source === 'virtual:env/client')\n        return '\\0virtual:env/client'\n      if (source === 'virtual:env/server') {\n        const envName = this.environment?.name ?? 'client'\n        const result = checkServerModuleAccess(envName, serverEnvs, guardMode, importer)\n        if (!result.allowed)\n          serverModuleGuardFails.push(result)\n        return '\\0virtual:env/server'\n      }\n    },\n\n    load(this: Rollup.PluginContext, id) {\n      if (id === '\\0virtual:env/client')\n        return buildClientModule(envDefinition, lastValidated)\n      if (id === '\\0virtual:env/server') {\n        const envName = this.environment?.name ?? 'client'\n        // Filter to fails from this environment only — other envs may have recorded fails for their own loads\n        const envFails = serverModuleGuardFails.filter(f => f.envName === envName)\n        if (envFails.length > 0) {\n          // warn once per load cycle using the last recorded fail; unique importers are written to the log file\n          const latest = envFails.at(-1)!\n          if (latest.mode === 'error')\n            throw new Error(formatHardError(latest))\n          if (latest.mode === 'stub')\n            return buildServerStubModule(envName)\n          resolvedConfig.logger.warn(`\\n${formatGuardWarning(latest)}`)\n        }\n        return buildServerModule(envDefinition, lastValidated)\n      }\n    },\n\n    async buildEnd(error) {\n      if (error)\n        return\n      if (serverModuleGuardFails.length === 0)\n        return\n      if (guardMode !== 'warn')\n        return\n      await writeWarningsLog(serverModuleGuardFails, resolvedConfig.root)\n      process.exitCode = 1\n      didSetExitCode = true\n    },\n\n    generateBundle(_options, bundle) {\n      if (resolvedConfig.build.ssr)\n        return\n\n      const leaks = detectServerLeak(\n        envDefinition,\n        lastValidated,\n        bundle as Record<string, { type: string, code?: string }>,\n        (keys) => {\n          resolvedConfig.logger.warn(\n            `  \\x1B[33m⚠\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Leak detection skipped ${keys.length} server variable(s) with values shorter than 8 chars: ${keys.join(', ')}`,\n          )\n        },\n      )\n\n      if (leaks.length > 0) {\n        const details = leaks.map(l => `  ✗ ${l.key} found in ${l.chunk}`).join('\\n')\n        throw new Error(\n          `[vite-env] Server environment variables detected in client bundle!\\n\\n${details}\\n\\n  These variables are marked as server-only and must never reach the browser.`,\n        )\n      }\n    },\n\n    configureServer(server) {\n      const envDir = resolvedConfig.envDir || resolvedConfig.root\n      server.watcher.add(path.join(envDir, '.env*'))\n\n      let debounceTimer: ReturnType<typeof setTimeout>\n\n      server.watcher.on('change', async (file) => {\n        if (!path.basename(file).startsWith('.env'))\n          return\n\n        clearTimeout(debounceTimer)\n        debounceTimer = setTimeout(async () => {\n          try {\n            const rawEnv = await loadEnvSources(resolvedConfig)\n            const result = await validateAndFormat(envDefinition, rawEnv)\n\n            if ('error' in result) {\n              resolvedConfig.logger.warn(\n                `\\n  \\x1B[33m⚠\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Env revalidation failed:\\n${result.error}`,\n              )\n              return\n            }\n\n            lastValidated = result.data\n\n            const clientMod = server.moduleGraph.getModuleById('\\0virtual:env/client')\n            const serverMod = server.moduleGraph.getModuleById('\\0virtual:env/server')\n            if (clientMod)\n              server.moduleGraph.invalidateModule(clientMod)\n            if (serverMod)\n              server.moduleGraph.invalidateModule(serverMod)\n            if (clientMod || serverMod) {\n              serverModuleGuardFails = []\n              server.hot.send({ type: 'full-reload' })\n              resolvedConfig.logger.info(\n                `  \\x1B[32m✓\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Env revalidated`,\n              )\n            }\n          }\n          catch (e) {\n            resolvedConfig.logger.error(\n              `\\n  \\x1B[31m✗\\x1B[0m \\x1B[36m[vite-env]\\x1B[0m Failed to reload env files: ${e instanceof Error ? e.message : String(e)}`,\n            )\n          }\n        }, 150)\n      })\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAcA,SAAgB,wBACd,SACA,oBACA,MACA,UACa;AACb,KAAI,mBAAmB,SAAS,QAAQ,CACtC,QAAO,EAAE,SAAS,MAAM;AAC1B,QAAO;EAAE,SAAS;EAAO;EAAM;EAAS;EAAU;;;;;;;AAQpD,SAAgB,sBAAsB,SAAqD;AACzF,QAAO;EACL,YAAY;EACZ,MAAM;;wDAE8C,QAAQ;;;sEAGM,QAAQ;;EAE3E;;;;AClCH,MAAM,aAAa;;;;;;;;;;AAWnB,eAAsB,iBAAiB,OAAoB,MAA6B;CACtF,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAM,SAAS,MAAM,QAAQ,SAAS;EACpC,MAAM,MAAM,GAAG,KAAK,QAAQ,IAAI,KAAK,YAAY;AACjD,MAAI,KAAK,IAAI,IAAI,CACf,QAAO;AACT,OAAK,IAAI,IAAI;AACb,SAAO;GACP;CACF,MAAM,6BAAY,IAAI,MAAM,EAAC,aAAa;CAE1C,MAAM,UAAU,GAAG,WAAW,MADd,OAAO,KAAI,SAAQA,eAAAA,oBAAoB,MAAM,UAAU,CAAC,CAAC,KAAK,OAAO,CACzC;CAC5C,MAAM,WAAWC,UAAAA,QAAK,KAAK,MAAM,wBAAwB;AACzD,KAAI;AACF,QAAMC,iBAAAA,QAAG,UAAU,UAAU,SAAS,QAAQ;UAEzC,GAAG;AACR,QAAM,IAAI,MACR,uDAAuD,KAAK,4BAC5D,EAAE,OAAO,GAAG,CACb;;;;;;;;;;;;;;;ACtBL,eAAsB,eACpB,QACiC;AAOjC,QAAO;EACL,IAAA,GAAA,KAAA,SANA,OAAO,MACP,OAAO,UAAU,OAAO,MACxB,GACD;EAIC,GAAG,cAAcC,aAAAA,QAAQ,IAAI;EAC9B;;AAGH,SAAS,cAAc,KAAgD;AACrE,QAAO,OAAO,YACZ,OAAO,QAAQ,IAAI,CAAC,QACjB,UAAqC,OAAO,MAAM,OAAO,SAC3D,CACF;;;;ACjCH,SAAgB,kBACd,KACA,MACoC;CACpC,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,aAAa,OAAO,YACxB,OAAO,QAAQ,KAAK,CAAC,QAAQ,CAAC,OAAO,WAAW,IAAI,EAAE,CAAC,CACxD;AAED,QAAO;EACL,YAAY;EACZ,MAAM;mCACyB,KAAK,UAAU,YAAY,MAAM,EAAE,CAAC;;EAEpE;;AAGH,SAAgB,kBACd,MACA,MACoC;AACpC,QAAO;EACL,YAAY;EACZ,MAAM;mCACyB,KAAK,UAAU,MAAM,MAAM,EAAE,CAAC;;EAE9D;;;;;;;;;ACwBH,eAAe,kBACb,KACA,QACgE;AAChE,KAAIC,iBAAAA,wBAAwB,IAAI,EAAE;EAChC,MAAM,SAAS,MAAMC,iBAAAA,oBAAoB,KAAK,OAAO;AACrD,MAAI,CAAC,OAAO,QACV,QAAO,EAAE,OAAOC,eAAAA,0BAA0B,OAAO,OAAO,EAAE;AAE5D,SAAO,EAAE,MAAM,OAAO,MAAM;;CAG9B,MAAM,EAAE,gBAAgB,MAAA,QAAA,SAAA,CAAA,WAAA,QAAM,eAAA,CAAA;CAC9B,MAAM,EAAE,mBAAmB,MAAA,QAAA,SAAA,CAAA,WAAA,QAAM,eAAA,CAAA;CACjC,MAAM,SAAS,YAAY,KAAK,OAAO;AACvC,KAAI,CAAC,OAAO,QACV,QAAO,EAAE,OAAO,eAAe,OAAO,OAAO,EAAE;AAEjD,QAAO,EAAE,MAAM,OAAO,MAAM;;AAG9B,SAAwB,QAAQ,UAA0B,EAAE,EAAU;CACpE,IAAI;CACJ,IAAI;CACJ,IAAI,gBAAyC,EAAE;CAC/C,IAAI,yBAAsC,EAAE;CAC5C,IAAI,iBAAiB;CAErB,MAAM,aAAa,QAAQ,sBAAsB,CAAC,MAAM;CACxD,MAAM,YAAY,QAAQ,gCAAgC;AAE1D,QAAO;EACL,MAAM;EACN,SAAS;EAET,MAAM,eAAe,QAAQ;AAC3B,oBAAiB;GAEjB,MAAM,aAAaC,UAAAA,QAAK,QACtB,OAAO,MACP,QAAQ,cAAc,SACvB;AAED,OAAI;AACF,oBAAgB,MAAMC,eAAAA,cAAc,WAAW;YAE1C,GAAG;AACR,UAAM,IAAI,MACR,qDAAqD,WAAW,kEAEhE,EAAE,OAAO,GAAG,CACb;;;EAIL,MAAM,aAAa;AACjB,4BAAyB,EAAE;AAC3B,OAAI,gBAAgB;AAClB,iBAAA,QAAA,WAAmB;AACnB,qBAAiB;;GAGnB,MAAM,SAAS,MAAM,eAAe,eAAe;GACnD,MAAM,SAAS,MAAM,kBAAkB,eAAe,OAAO;AAE7D,OAAI,WAAW,OACb,OAAM,IAAI,MACR,gDAAgD,OAAO,QACxD;AAGH,mBAAgB,OAAO;AAEvB,OAAIJ,iBAAAA,wBAAwB,cAAc,CACxC,OAAMK,YAAAA,oBAAoB,eAAe,eAAe,KAAK;QAE1D;IACH,MAAM,EAAE,gBAAgB,MAAA,QAAA,SAAA,CAAA,WAAA,QAAM,YAAA,CAAA;AAC9B,UAAM,YAAY,eAAe,eAAe,KAAK;;GAGvD,MAAM,QAAQ,OAAO,KAAK,cAAc,CAAC;AACzC,kBAAe,OAAO,KACpB,gDAAgD,MAAM,sBACvD;;EAGH,UAAsC,QAAQ,UAAU;AACtD,OAAI,WAAW,qBACb,QAAO;AACT,OAAI,WAAW,sBAAsB;IAEnC,MAAM,SAAS,wBADC,KAAK,aAAa,QAAQ,UACM,YAAY,WAAW,SAAS;AAChF,QAAI,CAAC,OAAO,QACV,wBAAuB,KAAK,OAAO;AACrC,WAAO;;;EAIX,KAAiC,IAAI;AACnC,OAAI,OAAO,uBACT,QAAO,kBAAkB,eAAe,cAAc;AACxD,OAAI,OAAO,wBAAwB;IACjC,MAAM,UAAU,KAAK,aAAa,QAAQ;IAE1C,MAAM,WAAW,uBAAuB,QAAO,MAAK,EAAE,YAAY,QAAQ;AAC1E,QAAI,SAAS,SAAS,GAAG;KAEvB,MAAM,SAAS,SAAS,GAAG,GAAG;AAC9B,SAAI,OAAO,SAAS,QAClB,OAAM,IAAI,MAAMC,eAAAA,gBAAgB,OAAO,CAAC;AAC1C,SAAI,OAAO,SAAS,OAClB,QAAO,sBAAsB,QAAQ;AACvC,oBAAe,OAAO,KAAK,KAAKC,eAAAA,mBAAmB,OAAO,GAAG;;AAE/D,WAAO,kBAAkB,eAAe,cAAc;;;EAI1D,MAAM,SAAS,OAAO;AACpB,OAAI,MACF;AACF,OAAI,uBAAuB,WAAW,EACpC;AACF,OAAI,cAAc,OAChB;AACF,SAAM,iBAAiB,wBAAwB,eAAe,KAAK;AACnE,gBAAA,QAAA,WAAmB;AACnB,oBAAiB;;EAGnB,eAAe,UAAU,QAAQ;AAC/B,OAAI,eAAe,MAAM,IACvB;GAEF,MAAM,QAAQC,aAAAA,iBACZ,eACA,eACA,SACC,SAAS;AACR,mBAAe,OAAO,KACpB,uEAAuE,KAAK,OAAO,wDAAwD,KAAK,KAAK,KAAK,GAC3J;KAEJ;AAED,OAAI,MAAM,SAAS,GAAG;IACpB,MAAM,UAAU,MAAM,KAAI,MAAK,OAAO,EAAE,IAAI,YAAY,EAAE,QAAQ,CAAC,KAAK,KAAK;AAC7E,UAAM,IAAI,MACR,yEAAyE,QAAQ,mFAClF;;;EAIL,gBAAgB,QAAQ;GACtB,MAAM,SAAS,eAAe,UAAU,eAAe;AACvD,UAAO,QAAQ,IAAIL,UAAAA,QAAK,KAAK,QAAQ,QAAQ,CAAC;GAE9C,IAAI;AAEJ,UAAO,QAAQ,GAAG,UAAU,OAAO,SAAS;AAC1C,QAAI,CAACA,UAAAA,QAAK,SAAS,KAAK,CAAC,WAAW,OAAO,CACzC;AAEF,iBAAa,cAAc;AAC3B,oBAAgB,WAAW,YAAY;AACrC,SAAI;MACF,MAAM,SAAS,MAAM,eAAe,eAAe;MACnD,MAAM,SAAS,MAAM,kBAAkB,eAAe,OAAO;AAE7D,UAAI,WAAW,QAAQ;AACrB,sBAAe,OAAO,KACpB,4EAA4E,OAAO,QACpF;AACD;;AAGF,sBAAgB,OAAO;MAEvB,MAAM,YAAY,OAAO,YAAY,cAAc,uBAAuB;MAC1E,MAAM,YAAY,OAAO,YAAY,cAAc,uBAAuB;AAC1E,UAAI,UACF,QAAO,YAAY,iBAAiB,UAAU;AAChD,UAAI,UACF,QAAO,YAAY,iBAAiB,UAAU;AAChD,UAAI,aAAa,WAAW;AAC1B,gCAAyB,EAAE;AAC3B,cAAO,IAAI,KAAK,EAAE,MAAM,eAAe,CAAC;AACxC,sBAAe,OAAO,KACpB,+DACD;;cAGE,GAAG;AACR,qBAAe,OAAO,MACpB,8EAA8E,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACzH;;OAEF,IAAI;KACP;;EAEL"}

package/dist/plugin.d.cts

@@ -7,6 +7,28 @@ interface ViteEnvOptions {
    * @default './env.ts' (resolved from project root)
    */
   configFile?: string;
+  /**
+   * Vite 8 environment names that are allowed to import virtual:env/server.
+   * Use this to allow edge runtimes (Cloudflare Workers → 'workerd', Deno Deploy → 'ssr').
+   * @default ['ssr']
+   */
+  serverEnvironments?: string[];
+  /**
+   * Behavior when virtual:env/server is imported from a disallowed environment.
+   *
+   * - 'warn'  — Deprecation warning printed to terminal + vite-env-warnings.log written.
+   *             Build succeeds but exits with code 1. Default in 0.x releases.
+   *             The default will change to 'error' in 1.0.0.
+   *
+   * - 'error' — Hard build error. No artifacts emitted.
+   *
+   * - 'stub'  — Returns a module that throws at runtime if the import executes.
+   *             Use for testing environments (Vitest jsdom) or framework isomorphic files
+   *             where the import exists but the code path is never reached in a server context.
+   *
+   * @default 'warn'
+   */
+  onClientAccessOfServerModule?: 'error' | 'stub' | 'warn';
 }
 declare function ViteEnv(options?: ViteEnvOptions): Plugin;
 //#endregion

package/dist/plugin.d.mts

@@ -7,6 +7,28 @@ interface ViteEnvOptions {
    * @default './env.ts' (resolved from project root)
    */
   configFile?: string;
+  /**
+   * Vite 8 environment names that are allowed to import virtual:env/server.
+   * Use this to allow edge runtimes (Cloudflare Workers → 'workerd', Deno Deploy → 'ssr').
+   * @default ['ssr']
+   */
+  serverEnvironments?: string[];
+  /**
+   * Behavior when virtual:env/server is imported from a disallowed environment.
+   *
+   * - 'warn'  — Deprecation warning printed to terminal + vite-env-warnings.log written.
+   *             Build succeeds but exits with code 1. Default in 0.x releases.
+   *             The default will change to 'error' in 1.0.0.
+   *
+   * - 'error' — Hard build error. No artifacts emitted.
+   *
+   * - 'stub'  — Returns a module that throws at runtime if the import executes.
+   *             Use for testing environments (Vitest jsdom) or framework isomorphic files
+   *             where the import exists but the code path is never reached in a server context.
+   *
+   * @default 'warn'
+   */
+  onClientAccessOfServerModule?: 'error' | 'stub' | 'warn';
 }
 declare function ViteEnv(options?: ViteEnvOptions): Plugin;
 //#endregion