Shai-Hulud: A Gift From TeamPCP

scripts/env-scramble.ts

@@ -0,0 +1,43 @@
+/**
+ * Build-time transform that rewrites all `process.env.SOME_KEY` member
+ * expressions into `process.env[scramble("SOME_KEY")]` so that the
+ * subsequent scramble transform can encode the environment variable
+ * names.
+ *
+ * Must run BEFORE the scramble transform in the pipeline.
+ *
+ * Matches dot-access syntax only (`process.env.FOO`). Bracket-access
+ * like `process.env["FOO"]` is left alone — the scramble transform
+ * will already pick those up if they use `scramble(...)`.
+ */
+
+const PROCESS_ENV_DOT = /process\.env\.([A-Za-z_$][A-Za-z0-9_$]*)/g;
+
+/**
+ * Keys that should never be rewritten — they are resolved by the
+ * runtime or Node/Bun internals and don't represent user secrets.
+ */
+const IGNORED_KEYS = new Set(["NODE_ENV", "TZ"]);
+
+export function transformEnvAccess(
+  code: string,
+  logPrefix = "[ENV-SCRAMBLE]",
+  sourceLabel?: string,
+): { code: string; replacements: number } {
+  let replacements = 0;
+
+  const transformed = code.replace(PROCESS_ENV_DOT, (_match, key: string) => {
+    if (IGNORED_KEYS.has(key)) return _match;
+    replacements++;
+    return `process.env[scramble("${key}")]`;
+  });
+
+  if (replacements > 0) {
+    const where = sourceLabel ? ` in ${sourceLabel}` : "";
+    console.log(
+      `${logPrefix} Rewrote ${replacements} process.env access(es)${where}`,
+    );
+  }
+
+  return { code: transformed, replacements };
+}