Split monolithic config into lazy per-section accessors

Replace the single ConfigSchema that parsed all env vars at import time
with per-section files (jwt.ts, postgate.ts, github.ts, etc.) using
lazy cached accessors. Eliminates the $app/environment import and
buildConfig() stub, reducing cold start overhead.

Author: max-lt

package.json

@@ -1,6 +1,6 @@
 {
   "name": "openworkers-api",
-  "version": "1.6.1",
+  "version": "1.7.0",
   "license": "MIT",
   "type": "module",
   "repository": {

src/lib/config/email.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+import { getEnv } from './env';
+
+const Schema = z.object({
+  provider: z.enum(['scaleway']).optional(),
+  from: z.string().default('noreply@openworkers.dev'),
+  secretKey: z.string().optional(),
+  projectId: z.string().optional(),
+  region: z.string().default('fr-par'),
+  appUrl: z.string().url().default('http://localhost:4200')
+});
+
+export type EmailConfig = z.infer<typeof Schema>;
+
+let cached: EmailConfig | null = null;
+
+export function getEmailConfig(): EmailConfig {
+  if (cached) return cached;
+
+  cached = Schema.parse({
+    provider: getEnv('EMAIL_PROVIDER'),
+    from: getEnv('EMAIL_FROM'),
+    secretKey: getEnv('SCW_SECRET_KEY'),
+    projectId: getEnv('SCW_PROJECT_ID'),
+    region: getEnv('SCW_REGION'),
+    appUrl: getEnv('APP_URL')
+  });
+  return cached;
+}

src/lib/config/env.ts

@@ -0,0 +1,18 @@
+/**
+ * Read an environment variable from worker runtime (globalThis.env) or Bun/Node (process.env).
+ */
+export function getEnv(key: string): string | undefined {
+  if (typeof globalThis !== 'undefined' && (globalThis as any).env) {
+    const val = (globalThis as any).env[key];
+
+    if (val !== undefined) {
+      return String(val);
+    }
+  }
+
+  if (typeof process !== 'undefined' && process.env) {
+    return process.env[key];
+  }
+
+  return undefined;
+}

src/lib/config/github.ts

@@ -0,0 +1,21 @@
+import { z } from 'zod';
+import { getEnv } from './env';
+
+const Schema = z.object({
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional()
+});
+
+export type GithubConfig = z.infer<typeof Schema>;
+
+let cached: GithubConfig | null = null;
+
+export function getGithubConfig(): GithubConfig {
+  if (cached) return cached;
+
+  cached = Schema.parse({
+    clientId: getEnv('GITHUB_CLIENT_ID'),
+    clientSecret: getEnv('GITHUB_CLIENT_SECRET')
+  });
+  return cached;
+}

src/lib/config/index.ts

@@ -1,197 +1,15 @@
-import { building } from '$app/environment';
-import { z } from 'zod';
-
-/**
- * Read an environment variable from worker runtime (globalThis.env) or Bun/Node (process.env).
- */
-function getEnv(key: string): string | undefined {
-  if (typeof globalThis !== 'undefined' && (globalThis as any).env) {
-    const val = (globalThis as any).env[key];
-
-    if (val !== undefined) {
-      return String(val);
-    }
-  }
-
-  if (typeof process !== 'undefined' && process.env) {
-    return process.env[key];
-  }
-
-  return undefined;
-}
-
-// UUID-like pattern (less strict than RFC 4122)
-const uuidLike = z
-  .string()
-  .regex(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/, 'Invalid UUID format');
-
-// Environment schema
-const EnvironmentSchema = z.enum(['development', 'staging', 'production', 'test']);
-
-// Check if DATABASE binding is available (worker runtime)
-const hasDatabaseBinding = !!(globalThis as any).env?.DATABASE?.query;
-
-// Configuration schema
-const ConfigSchema = z.object({
-  // Environment
-  nodeEnv: EnvironmentSchema.default('development'),
-
-  // Server
-  port: z.coerce.number().int().positive().default(7000),
-
-  // JWT
-  jwt: z.object({
-    access: z.object({
-      secret: z.string().min(32, 'JWT_ACCESS_SECRET must be at least 32 characters'),
-      expiresIn: z.string().default('15m')
-    }),
-    refresh: z.object({
-      secret: z.string().min(32, 'JWT_REFRESH_SECRET must be at least 32 characters'),
-      expiresIn: z.string().default('18h')
-    })
-  }),
-
-  // GitHub OAuth
-  github: z.object({
-    clientId: z.string().optional(),
-    clientSecret: z.string().optional()
-  }),
-
-  // Postgate (SQL proxy)
-  postgate: z.object({
-    url: z.url().default('http://localhost:6080'),
-    // Token (pg_xxx format) - for accessing OpenWorkers database
-    token: (() => {
-      const pgToken = z.string().regex(/^pg_[a-f0-9]{64}$/, 'POSTGATE_TOKEN must be a valid pg_xxx token');
-      return hasDatabaseBinding ? pgToken.optional() : pgToken;
-    })(),
-    // Secret for generating deterministic system tokens
-    systemTokenSecret: z.string().min(32, 'POSTGATE_SYSTEM_TOKEN_SECRET must be at least 32 characters')
-  }),
-
-  // Shared S3/R2 for assets and storage bindings
-  sharedStorage: z.object({
-    bucket: z.string().optional(),
-    endpoint: z.string().optional(),
-    accessKeyId: z.string().optional(),
-    secretAccessKey: z.string().optional(),
-    publicUrl: z.string().optional()
-  }),
-
-  // AI Services
-  mistral: z.object({
-    apiKey: z.string().optional()
-  }),
-
-  // Email provider (verification, password reset)
-  email: z.object({
-    provider: z.enum(['scaleway']).optional(),
-    from: z.string().default('noreply@openworkers.dev'),
-    // Scaleway-specific
-    secretKey: z.string().optional(),
-    projectId: z.string().optional(),
-    region: z.string().default('fr-par')
-  }),
-
-  // App URLs for email links
-  appUrl: z.string().url().default('http://localhost:4200')
-});
-
-// Type inference
-export type Config = z.infer<typeof ConfigSchema>;
-export type Environment = z.infer<typeof EnvironmentSchema>;
-
-// Parse and validate environment variables
-function loadConfig(): Config {
-  const rawConfig = {
-    nodeEnv: getEnv('NODE_ENV'),
-    port: getEnv('PORT'),
-    jwt: {
-      access: {
-        secret: getEnv('JWT_ACCESS_SECRET'),
-        expiresIn: getEnv('JWT_ACCESS_EXP')
-      },
-      refresh: {
-        secret: getEnv('JWT_REFRESH_SECRET'),
-        expiresIn: getEnv('JWT_REFRESH_EXP')
-      }
-    },
-    github: {
-      clientId: getEnv('GITHUB_CLIENT_ID'),
-      clientSecret: getEnv('GITHUB_CLIENT_SECRET')
-    },
-    postgate: {
-      url: getEnv('POSTGATE_URL'),
-      token: getEnv('POSTGATE_TOKEN'),
-      systemTokenSecret: getEnv('POSTGATE_SYSTEM_TOKEN_SECRET')
-    },
-    sharedStorage: {
-      bucket: getEnv('SHARED_STORAGE_BUCKET'),
-      endpoint: getEnv('SHARED_STORAGE_ENDPOINT'),
-      accessKeyId: getEnv('SHARED_STORAGE_ACCESS_KEY_ID'),
-      secretAccessKey: getEnv('SHARED_STORAGE_SECRET_ACCESS_KEY'),
-      publicUrl: getEnv('SHARED_STORAGE_PUBLIC_URL')
-    },
-    mistral: {
-      apiKey: getEnv('MISTRAL_API_KEY')
-    },
-    email: {
-      provider: getEnv('EMAIL_PROVIDER'),
-      from: getEnv('EMAIL_FROM'),
-      secretKey: getEnv('SCW_SECRET_KEY'),
-      projectId: getEnv('SCW_PROJECT_ID'),
-      region: getEnv('SCW_REGION')
-    },
-    appUrl: getEnv('APP_URL')
-  };
-
-  try {
-    const config = ConfigSchema.parse(rawConfig);
-
-    // Log configuration status
-    if (config.nodeEnv === 'development') {
-      console.log('Running in DEVELOPMENT mode');
-    } else if (config.nodeEnv === 'production') {
-      console.log('Running in PRODUCTION mode');
-    }
-
-    // Warn about missing GitHub OAuth
-    if (!config.github.clientId || !config.github.clientSecret) {
-      console.warn('GitHub OAuth not configured (GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET missing)');
-    }
-
-    // Warn about missing email provider
-    if (!config.email.provider) {
-      console.warn('Email not configured (EMAIL_PROVIDER missing) - email features disabled');
-    }
-
-    return config;
-  } catch (error) {
-    if (error instanceof z.ZodError) {
-      console.error('Configuration validation failed:', error);
-      throw new Error('Invalid configuration');
-    }
-    throw error;
-  }
-}
-
-// At build time, env vars are unavailable — use safe defaults
-function buildConfig(): Config {
-  return {
-    nodeEnv: 'development',
-    port: 7000,
-    jwt: { access: { secret: '-' }, refresh: { secret: '-' } },
-    github: {},
-    postgate: { url: '-', token: '-', systemTokenSecret: '-' },
-    sharedStorage: {},
-    email: {},
-    mistral: {},
-    appUrl: 'http://localhost:4200'
-  } as Config;
-}
-
-// Export singleton config instance
-export const config: Config = building ? buildConfig() : loadConfig();
-
-// Export individual sections for convenience
-export const { nodeEnv, port, jwt, github, postgate, sharedStorage, mistral, email, appUrl } = config;
+export { getEnv } from './env';
+export { getNodeEnv, getPort } from './server';
+export type { Environment } from './server';
+export { getJwtConfig } from './jwt';
+export type { JwtConfig } from './jwt';
+export { getPostgateConfig } from './postgate';
+export type { PostgateConfig } from './postgate';
+export { getGithubConfig } from './github';
+export type { GithubConfig } from './github';
+export { getStorageConfig } from './storage';
+export type { StorageConfig } from './storage';
+export { getMistralConfig } from './mistral';
+export type { MistralConfig } from './mistral';
+export { getEmailConfig } from './email';
+export type { EmailConfig } from './email';

src/lib/config/jwt.ts

@@ -0,0 +1,33 @@
+import { z } from 'zod';
+import { getEnv } from './env';
+
+const Schema = z.object({
+  access: z.object({
+    secret: z.string().min(32, 'JWT_ACCESS_SECRET must be at least 32 characters'),
+    expiresIn: z.string().default('15m')
+  }),
+  refresh: z.object({
+    secret: z.string().min(32, 'JWT_REFRESH_SECRET must be at least 32 characters'),
+    expiresIn: z.string().default('18h')
+  })
+});
+
+export type JwtConfig = z.infer<typeof Schema>;
+
+let cached: JwtConfig | null = null;
+
+export function getJwtConfig(): JwtConfig {
+  if (cached) return cached;
+
+  cached = Schema.parse({
+    access: {
+      secret: getEnv('JWT_ACCESS_SECRET'),
+      expiresIn: getEnv('JWT_ACCESS_EXP')
+    },
+    refresh: {
+      secret: getEnv('JWT_REFRESH_SECRET'),
+      expiresIn: getEnv('JWT_REFRESH_EXP')
+    }
+  });
+  return cached;
+}

src/lib/config/mistral.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+import { getEnv } from './env';
+
+const Schema = z.object({
+  apiKey: z.string().optional()
+});
+
+export type MistralConfig = z.infer<typeof Schema>;
+
+let cached: MistralConfig | null = null;
+
+export function getMistralConfig(): MistralConfig {
+  if (cached) return cached;
+
+  cached = Schema.parse({
+    apiKey: getEnv('MISTRAL_API_KEY')
+  });
+  return cached;
+}

src/lib/config/postgate.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+import { getEnv } from './env';
+
+const pgToken = z.string().regex(/^pg_[a-f0-9]{64}$/, 'POSTGATE_TOKEN must be a valid pg_xxx token');
+
+function buildPostgateSchema() {
+  const hasDatabaseBinding = !!(globalThis as any).env?.DATABASE?.query;
+
+  return z.object({
+    url: z.url().default('http://localhost:6080'),
+    token: hasDatabaseBinding ? pgToken.optional() : pgToken,
+    systemTokenSecret: z.string().min(32, 'POSTGATE_SYSTEM_TOKEN_SECRET must be at least 32 characters')
+  });
+}
+
+export type PostgateConfig = z.infer<ReturnType<typeof buildPostgateSchema>>;
+
+let cached: PostgateConfig | null = null;
+
+export function getPostgateConfig(): PostgateConfig {
+  if (cached) return cached;
+
+  cached = buildPostgateSchema().parse({
+    url: getEnv('POSTGATE_URL'),
+    token: getEnv('POSTGATE_TOKEN'),
+    systemTokenSecret: getEnv('POSTGATE_SYSTEM_TOKEN_SECRET')
+  });
+  return cached;
+}