Fix false standard vars warning when variable is wired via init decorator

[Copilot]

_checkStandardVars unconditionally warns when a plugin's standard env var (e.g. OP_SERVICE_ACCOUNT_TOKEN) exists in the environment, even when it's already wired via the init decorator (@initOp(token=$OP_SERVICE_ACCOUNT_TOKEN)).

Changes

• packages/varlock/src/env-graph/lib/plugins.ts: _checkStandardVars now checks decValueResolver.deps on processed init decorator instances to identify already-wired variables. Detected standard vars that match a wired dependency are filtered out before the warning is emitted.

• packages/varlock/src/env-graph/lib/env-graph.ts: Moved _checkStandardVars call to after root decorator processing so that decValueResolver.deps is populated and available for the check.

• packages/varlock/src/env-graph/test/plugins.test.ts: Three new test cases covering: warning fires when var is present but not wired, warning suppressed when wired via init decorator, no warning when var absent from environment.

Example

# @plugin(@varlock/1password-plugin)
# @initOp(token=$OP_SERVICE_ACCOUNT_TOKEN)
# ---
# @type=opServiceAccountToken @sensitive
OP_SERVICE_ACCOUNT_TOKEN=

Previously warned despite token=$OP_SERVICE_ACCOUNT_TOKEN being explicitly wired. Now correctly suppressed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 5e8624e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages

Name	Type
varlock	Patch
@varlock/astro-integration	Patch
@varlock/cloudflare-integration	Patch
@varlock/expo-integration	Patch
@varlock/nextjs-integration	Patch
@varlock/vite-integration	Patch
@varlock/1password-plugin	Patch
@varlock/aws-secrets-plugin	Patch
@varlock/azure-key-vault-plugin	Patch
@varlock/bitwarden-plugin	Patch
@varlock/dashlane-plugin	Patch
@varlock/google-secret-manager-plugin	Patch
@varlock/hashicorp-vault-plugin	Patch
@varlock/infisical-plugin	Patch
@varlock/keepass-plugin	Patch
@varlock/pass-plugin	Patch
@varlock/passbolt-plugin	Patch
@varlock/proton-pass-plugin	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[theoephraim]

@copilot - is there not simpler way to figure out which config items a decorator depends on? If not, maybe we should add that as a more general helper on the decorator instance itself?

[Copilot]

@copilot - is there not simpler way to figure out which config items a decorator depends on? If not, maybe we should add that as a more general helper on the decorator instance itself?

Yes — the Resolver class already tracks config item dependencies via decValueResolver.deps. The issue was that _checkStandardVars was called before root decorator processing, so deps wasn't populated yet. In 5e8624e I moved the _checkStandardVars call to after root decorator processing and replaced the custom AST walker with a simple loop over decValueResolver.deps. No new helpers needed.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.iconify.design
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/varlock/varlock/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/varlock/varlock/node_modules/vitest/dist/workers/forks.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/varlock@596

commit: 5e8624e