fix(varlock): scope audit/init env scanning in monorepos #830

Open

theoephraim wants to merge 2 commits into main from audit-monorepo-scoping

Conversation

theoephraim (Member) commented Jun 24, 2026

What & why

Running varlock audit (and the source scan in varlock init) in a monorepo erroneously pulled in env var references from every child package, producing a large list of spurious "missing in schema" findings — most noticeable during init — and it was slow.

Changes

1. Respect package boundaries when scanning

discoverSourceFiles now walks manually and stops descending into any subdirectory that is its own project — detected by the presence of a package.json or .env.schema. package.json covers JS workspace packages regardless of package manager, and works in a fresh monorepo where child packages haven't run varlock init yet; .env.schema covers already-initialized and non-JS projects. The scan root itself is always exempt. Ignored dirs (node_modules, etc.) are pruned up front rather than globbed-then-filtered.

2. Ignore pure execution-environment plumbing

New well-known-env-keys.ts / isWellKnownEnvKey(). Variables that are an artifact of where/how the process runs — shell/OS (PATH, HOME, SHELL, …), node launch flags (NODE_OPTIONS, NODE_PATH, …), and package-manager lifecycle (npm_*) — are read from process.env in normal code but are never declared in a schema, so:

  • audit no longer reports them as "missing in schema"
  • init no longer adds them to inferred schemas

The list is intentionally narrow. It deliberately does not include semantically meaningful vars an app or its CI may depend on — NODE_ENV, the CI flag, GitHub Actions / GitLab context vars, hosting markers like VERCEL. Those keep showing up in audit so you can decide whether to declare them or suppress them with @auditIgnore. It also never matches anything that could be config or a secret (no PORT/HOST/DATABASE_URL, no GITHUB_ prefix-match).

Impact (auditing this repo's root)

                        Files scanned   "Missing in schema"
before                  ~17,500         81
package boundaries      13              8
+ ignore env plumbing   13              6

The remaining findings are genuine project-specific vars (GitHub Actions context vars used in CI scripts, RELEASE_*) — real signal, surfaced on purpose.

Notes

  • Existing @auditIgnore / @auditIgnorePaths / --ignore escape hatches are unchanged; isWellKnownEnvKey is structured so a user-extensible config layer can compose on top later if needed.
  • One behavior change worth flagging: a subfolder within a package that has its own package.json (e.g. a bundled demo/examples app) is now skipped during the parent's audit. That's almost always desired, but it is a change.

Tests

  • New unit tests for the scanner boundary behavior and isWellKnownEnvKey (incl. that NODE_ENV / CI / GitHub vars are still tracked), plus audit-command tests for both filtered-and-not cases. Full varlock suite passes.
  • Docs (CLI reference) and changeset updated.

Scanning no longer descends into child packages (any subdir with its own package.json or .env.schema is treated as a separate package), and well-known platform/runtime/CI vars (NODE_ENV, CI, PATH, npm_*, GitHub Actions context, etc.) are no longer reported as missing or added to inferred schemas.
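The two rules the description lays out (stop descending at any subdirectory that is its own package, and treat only execution-environment plumbing as well known) in one added TypeScript example written for this page, not varlock's own implementation; the directory tree is an in-memory constructed sample, and the ignored-directory and well-known-key lists are assumed subsets of the real ones.

```typescript
// Added example, not varlock's code: boundary-aware scanning over a constructed
// in-memory tree plus a narrow isWellKnownEnvKey, wired into a toy audit.
type Tree = { [name: string]: Tree | string }; // string value = file contents
const IGNORED_DIRS = new Set(["node_modules", ".git", "dist"]); // assumed list
const BOUNDARY_MARKERS = [".env.schema", "package.json"];
// Assumed subset of the PR's shell/OS/node-launch list; npm_* is matched by prefix.
const WELL_KNOWN_ENV_KEYS = new Set(["PATH", "HOME", "SHELL", "NODE_OPTIONS", "NODE_PATH"]);
function isProjectBoundary(dir: Tree): boolean {
  return BOUNDARY_MARKERS.some((m) => typeof dir[m] === "string");
}
// Walk manually: prune ignored dirs and child packages, never the scan root.
function discoverSourceFiles(root: Tree, prefix = ""): Array<[string, string]> {
  const out: Array<[string, string]> = [];
  for (const name of Object.keys(root)) {
    const node = root[name];
    const path = prefix ? `${prefix}/${name}` : name;
    if (typeof node === "string") {
      if (/\.(ts|js)$/.test(name)) out.push([path, node]);
    } else if (!IGNORED_DIRS.has(name) && !isProjectBoundary(node)) {
      out.push(...discoverSourceFiles(node, path));
    }
  }
  return out;
}
// Pure execution-environment plumbing only; NODE_ENV, CI, PORT, GITHUB_* stay reported.
function isWellKnownEnvKey(key: string): boolean {
  return WELL_KNOWN_ENV_KEYS.has(key) || key.startsWith("npm_");
}
// Every process.env.X reference that is neither declared in the schema nor plumbing.
function auditMissingInSchema(root: Tree, declared: Set<string>): string[] {
  const missing = new Set<string>();
  const ref = /process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
  for (const [, contents] of discoverSourceFiles(root)) {
    let m: RegExpExecArray | null;
    while ((m = ref.exec(contents)) !== null) {
      if (!declared.has(m[1]) && !isWellKnownEnvKey(m[1])) missing.add(m[1]);
    }
  }
  return Array.from(missing).sort();
}
// Constructed sample monorepo: root package, one workspace child, one demo app.
const SAMPLE_REPO: Tree = {
  "package.json": "{}", ".env.schema": "# DATABASE_URL",
  scripts: { "release.ts": "process.env.GITHUB_TOKEN; process.env.PATH; process.env.NODE_ENV;" },
  src: { "db.ts": "process.env.DATABASE_URL; process.env.npm_lifecycle_event;" },
  node_modules: { dep: { "index.js": "process.env.DEP_SECRET;" } },
  packages: { api: { "package.json": "{}", "index.ts": "process.env.API_KEY;" } },
  examples: { demo: { ".env.schema": "", "main.ts": "process.env.DEMO_ONLY;" } },
};
```

Against the sample tree only the root's own `scripts/` and `src/` are scanned, and the audit reports GITHUB_TOKEN and NODE_ENV while PATH and npm_lifecycle_event are filtered out.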
github-actions Bot (Contributor) commented Jun 24, 2026

bumpy-frog

The changes in this PR will be included in the next version bump.

patch Patch releases

  • varlock 1.8.0 → 1.8.1

Bump files in this PR


cloudflare-workers-and-pages Bot commented Jun 24, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status           Name              Latest Commit   Updated (UTC)
🔵 In progress   varlock-website   31bee74         Jun 25 2026, 06:41 AM

pkg-pr-new Bot commented Jun 24, 2026

npm i https://pkg.pr.new/varlock@830

commit: 6235d75

…plumbing only

Only ignore pure shell/OS/node-launch/npm plumbing (PATH, NODE_OPTIONS, npm_*, ...). App-meaningful vars like NODE_ENV, the CI flag, and GitHub Actions/hosting vars are still reported so users can decide whether to declare them.