finish up cloudflare docs

Author: theoephraim

packages/varlock-website/astro.config.ts

@@ -101,7 +101,7 @@ export default defineConfig({
           items: [
             { label: 'Overview', slug: 'integrations/overview' },
             { label: 'JavaScript / Node.js', slug: 'integrations/javascript' },
-            { label: 'Bun', slug: 'integrations/bun' },
+            { label: 'Bun', slug: 'integrations/bun', badge: 'new' },
             { label: 'Next.js', slug: 'integrations/nextjs' },
             { label: 'Vite-based', slug: 'integrations/vite' },
             { label: 'Astro', slug: 'integrations/astro' },

packages/varlock-website/src/content/docs/integrations/cloudflare.mdx

@@ -8,26 +8,25 @@ import Badge from '@/components/Badge.astro';
 import ExecCommandWidget from '@/components/ExecCommandWidget.astro';
 import InstallJsDepsWidget from '@/components/InstallJsDepsWidget.astro';
 
-<div class="page-badges">
-  <Badge npmPackage="@varlock/vite-integration" />
-</div>
-
 Varlock provides a robust solution for managing environment variables in Cloudflare Workers, offering validation, type safety, and security features that go beyond Cloudflare's built-in environment variable handling.
 
-
-## Two Approaches
+## Two approaches
 
 There are two main ways to use varlock with Cloudflare Workers:
 
-1. **With Vite plugin** (recommended) - Use the Vite integration alongside the Cloudflare Workers Vite plugin
+1. **With Vite plugin** (recommended) - Use the [Varlock Vite integration](/integrations/vite/) alongside the [Cloudflare Workers Vite plugin](https://developers.cloudflare.com/workers/vite-plugin/)
 2. **Without Vite** - Use Wrangler's `vars` and `secrets` directly
 
-## Approach 1: Using the Vite Plugin (Recommended)
+## Approach 1: Using the Vite plugin (recommended)
+
+Using the [Cloudflare Workers Vite plugin](https://developers.cloudflare.com/workers/vite-plugin/) allows more flexiblity in the bundling process. We can then use the [Varlock Vite plugin](/integrations/vite/) to bundle resolved environment variables into your built code, making it safe and straightforward to use.
+
+Even though it may feel a bit strange to use Vite on a backend-only project, it is the [recommended approach](https://developers.cloudflare.com/workers/development-testing/wrangler-vs-vite/#when-to-use-the-cloudflare-vite-plugin) by Cloudflare when you need more flexibility in your build process.
 
-The Vite plugin bundles resolved environment variables into your built code, making it safe and straightforward to use.
+:::caution[Bundled secrets]
+**Using this method, your sensitive values will never be exposed to any client-side code.**
 
-:::note[Backend-only Workers]
-Even for backend-only Workers, using the Vite plugin is recommended. Because it bundles the resolved env into your built code, within the Cloudflare dashboard, your team members can view the source code. Be mindful of this when including sensitive values or sending source maps to external services.
+However, within the Cloudflare dashboard, your team members can view the bundled source code, and you must be mindful of sending source maps to external services.
 :::
 
 ### Setup
@@ -45,156 +44,118 @@ Even for backend-only Workers, using the Vite plugin is recommended. Because it
 
 1. **Enable the Vite config plugin**
 
-    Add both the varlock Vite plugin and the Cloudflare Workers Vite plugin to your `vite.config.*` file:
+    Add the Varlock Vite plugin alongside the Cloudflare Workers Vite plugin to your `vite.config.*` file:
 
     ```diff lang="ts" title="vite.config.ts"
     import { defineConfig } from 'vite';
     +import { varlockVitePlugin } from '@varlock/vite-integration';
 
     export default defineConfig({
-    -  plugins: [otherPlugin()],
-    +  plugins: [
+      plugins: [
     +    varlockVitePlugin(),
-    +    cloudflare(),
-    +    otherPlugin()
-    +  ],
+        cloudflare(),
+        // other plugins ...
+      ],
     });
     ```
 
     The varlock plugin will automatically detect Cloudflare Workers and use the `resolved-env` mode, which injects the fully resolved environment data into your built code.
 
 </Steps>
 
-### Local Development
+### Update package.json scripts
 
-For local development, you can use Wrangler's `--var` flag to pass the resolved environment variables:
+If you were not already using the Vite plugin, you'll also need to update your `package.json` scripts:
 
 ```diff lang="json" title="package.json"
 {
   "scripts": {
--    "dev": "wrangler dev",
-+    "dev": "wrangler dev --var \"__VARLOCK_ENV:$(varlock load --format json-full)\"",
+    "dev": "vite dev",
+    "build": "vite build",
+    "preview": "npm run build && vite preview",
+    "deploy": "npm run build && wrangler deploy"
   }
 }
 ```
 
-### Deployment
+You can see more details in the [Cloudflare's Vite getting started guide](https://developers.cloudflare.com/workers/vite-plugin/get-started/).
+
 
-For deployments, you can use the same approach with the `--var` flag:
+----
+
+## Approach 2: Using Wrangler vars and secrets (without Vite)
+
+For local development, you can use Wrangler's `--var` flag to pass the entire resolved env:
 
 ```diff lang="json" title="package.json"
 {
   "scripts": {
--    "deploy": "wrangler deploy",
-+    "deploy": "wrangler deploy --var \"__VARLOCK_ENV:$(APP_ENV=prod varlock load --format json-full)\"",
+-    "dev": "wrangler dev",
++    "dev": "wrangler dev --var \"__VARLOCK_ENV:$(varlock load --format json-full)\"",
   }
 }
 ```
 
-:::caution[Team visibility]
-When using `--var`, the environment variables will be visible in the Cloudflare dashboard to your team members. For sensitive values, consider using the secrets approach below.
-:::
-
-### Using Secrets for Sensitive Values
-
-To properly attach sensitive environment variables as secrets, you must use a 3-step deployment process using Wrangler's [versions commands](https://developers.cloudflare.com/workers/wrangler/commands/#versions):
-
-1. Create a new deployment version
-2. Attach the secret
-3. Activate the deployment
-
-```bash
-# Step 1: Create a version that's not deployed immediately
-# and note the version id for the next steps
-wrangler versions upload
-
-# Step 2: Attach secret (using the resolved env as a single JSON object)
-wrangler secret put __VARLOCK_ENV --version <version-id> <<< "$(APP_ENV=prod varlock load --format json-full)"
-
-# Step 3: Activate the deployment
-wrangler versions deploy <version-id>
-```
-
-:::note[Future improvement]
-Cloudflare is working on the ability to push secrets with a deploy command. See [this pull request](https://github.com/cloudflare/workers-sdk/pull/10896) for updates.
-:::
-
----
-
-## Approach 2: Using Wrangler Vars and Secrets (Without Vite)
-
-If you prefer not to use the Vite plugin, you can use Wrangler's built-in environment variable handling. Note that this approach will not provide varlock's security features like leak detection and log redaction.
-
-### Local Development
-
-For local development, you can use `varlock run` to inject resolved environment variables:
+For deployments we can use the same method. Note that you may need to set your current env, either within the deploy command or infer it from the CI environemnt (see below).
 
 ```diff lang="json" title="package.json"
 {
   "scripts": {
--    "dev": "wrangler dev",
-+    "dev": "env -i PATH="$PATH" varlock run -- <command>",
+-    "deploy": "wrangler deploy",
++    "deploy": "wrangler deploy --var \"__VARLOCK_ENV:$(varlock load --format json-full)\"",
   }
 }
 ```
 
-:::caution
-Because you're creating a child process with a 'clean' environment, you may need to explicitly include any system level env vars that you need.
+:::caution[Team visibility]
+For deployments, when using `--var`, the environment variables will be visible in the Cloudflare dashboard to your team members. For higher security, consider using the secrets approach below.
 :::
 
-### Deployment
+### Using Cloudflare secrets
+
+To attach the resolved env blob as a secret, you must use a 3-step deployment process using Wrangler's [versions commands](https://developers.cloudflare.com/workers/wrangler/commands/#versions):
 
-For deployments using Wrangler's built-in environment variables, you'll need to use the 3-step deployment process with `secret bulk`:
+1. Upload new deployment version of your bundled code
+2. Create a second version with the secret attached
+3. Promote the latest version to be the active deployment
 
 ```bash
 # Step 1: Create a version that's not deployed immediately
-# and note the version id for the next steps
-wrangler versions upload
+# note the empty __VARLOCK_ENV so it will not reuse existing config
+npx wrangler versions upload --var "__VARLOCK_ENV:{}"
 
-# Step 2: Attach secrets in bulk (using resolved env in env format)
-wrangler secret bulk --version <version-id> < varlock load --format env
+# Step 2: Attach a new secret containing the resolved env as a single JSON object
+echo "$(APP_ENV=prod npx varlock load --format json-full)" | npx wrangler versions secret put __VARLOCK_ENV
 
 # Step 3: Activate the deployment
-wrangler versions deploy <version-id>
+npx wrangler versions deploy --version-id=$(npx wrangler versions list | grep -oE 'Version ID:[[:space:]]*[a-f0-9-]+' | tail -n1 | sed 's/Version ID:[[:space:]]*//') --percentage=100 --yes
 ```
 
----
+:::tip[Future improvement]
+Cloudflare is working on the ability to push secrets atomically with the deploy command. See [this pull request](https://github.com/cloudflare/workers-sdk/pull/10896) for updates. Feel free to comment and tell them it is important!
+:::
 
-## Accessing Environment Variables
+## Accessing environment variables
 
-Regardless of which approach you use, we recommend using varlock's `ENV` object instead of Cloudflare's built-in environment variable access:
+Because we are not re-emitting all env vars into the Cloudflare's vars/secrets, you must using varlock's `ENV` object instead of Cloudflare's built-in environment variable access:
 
 ```ts title="src/index.ts"
-import { ENV } from 'varlock/env';
-
-export default {
-  async fetch(request: Request): Promise<Response> {
-    // ❌ Not recommended - uses Cloudflare's built-in env
-    // const apiKey = env.API_KEY;
+// ❌ Do not use Cloudflare's built-in env
+import { env } from "cloudflare:workers";
+console.log(env.API_KEY);
 
-    // ✅ Recommended - uses varlock's ENV
-    const apiKey = ENV.API_KEY;
-
-    return new Response('Hello World');
-  },
-};
+// ✅ Recommended - uses varlock's ENV
+import { ENV } from 'varlock/env';
+console.log(ENV.API_KEY);
 ```
 
-### Why use `ENV` instead of Cloudflare's built-in env?
-
-- Non-string values (e.g., number, boolean) are properly typed and coerced
-- Better error messages for invalid or unavailable keys
-- Type safety and IntelliSense support
-- Security features like leak detection and log redaction (if using the Vite plugin)
-- Consistent API across different deployment platforms
-
 ---
 
 ## Managing Multiple Environments
 
 Varlock can load multiple _environment-specific_ `.env` files (e.g., `.env.development`, `.env.preview`, `.env.production`) by using the [`@currentEnv` root decorator](/reference/root-decorators/#currentenv).
 
-You can use Cloudflare's branch name to determine the environment:
+If you are using Cloudflare's CI, you can use the current branch name (`WORKERS_CI_BRANCH`) to determine the environment:
 
 ```env-spec title=".env.schema"
 # @currentEnv=$APP_ENV
@@ -205,15 +166,3 @@ APP_ENV=remap($WORKERS_CI_BRANCH, production="main", preview=regex(.*), developm
 ```
 
 For more information, see the [environments guide](/guides/environments).
-
----
-
-## Reference
-
-- [Root decorators reference](/reference/root-decorators)
-- [Item decorators reference](/reference/item-decorators)
-- [Functions reference](/reference/functions)
-- [Vite integration](/integrations/vite/) - for more details on the Vite plugin
-- [Cloudflare Workers documentation](https://developers.cloudflare.com/workers/)
-- [Wrangler documentation](https://developers.cloudflare.com/workers/wrangler/)
-

packages/varlock-website/src/content/docs/integrations/overview.mdx

@@ -6,21 +6,22 @@ description: How Varlock integrates with popular frameworks, bundlers, and runti
 Varlock ships with official integrations that wire the CLI, runtime helpers, and framework-specific plugins together so your configuration is validated, type-safe, and protected everywhere it runs.
 
 Integrations allow you to:
-- load and validate `.env` files automatically during dev and use them in CI/CD and production.
-- inject config into your code at build or request time.
-- enable runtime protections such as leak prevention, and log redaction.
+- load and validate `.env` files automatically during dev and use them in CI/CD and production
+- inject config into your code at build or request time
+- enable runtime protections such as leak prevention, and log redaction
 
 ## Official integrations
-- [JavaScript / Node.js](/integrations/javascript/) — use `varlock` in custom toolchains, scripts, and servers.
-- [Next.js](/integrations/nextjs/) — drop-in replacement for `@next/env`.
-- [Vite](/integrations/vite/) — Vite plugin that validates and replaces at build time.
-- [Qwik](/integrations/vite/) — Use the Vite integration.
-- [React Router](/integrations/vite/) — Use the Vite integration.
-- [Cloudflare Workers](/integrations/cloudflare/) — Use the Vite integration or Wrangler vars/secrets directly.
-- [Astro](/integrations/astro/) — Astro integration built on top of our Vite plugin.
-- [GitHub Actions](/integrations/github-action/) — Validate your `.env.schema` in GitHub Actions workflows
-- [Other languages](/integrations/other-languages/) — guidance for piping varlock output into non-JS runtimes.
-- [Docker](/guides/docker/) — A Docker wrapper around the varlock CLI including examples. 
+- [JavaScript / Node.js](/integrations/javascript/) — use `varlock` in custom toolchains, scripts, and servers
+- [Bun](/integrations/bun/) — instructions to set up Varlock with Bun
+- [Next.js](/integrations/nextjs/) — drop-in replacement for `@next/env`
+- [Vite](/integrations/vite/) — Vite plugin that validates and replaces at build time
+- [Qwik](/integrations/vite/) — use the Vite integration
+- [React Router](/integrations/vite/) — use the Vite integration
+- [Cloudflare Workers](/integrations/cloudflare/) — use the Vite integration or Wrangler vars/secrets directly
+- [Astro](/integrations/astro/) — Astro integration built on top of our Vite plugin
+- [GitHub Actions](/integrations/github-action/) — validate your `.env.schema` in GitHub Actions workflows
+- [Other languages](/integrations/other-languages/) — guidance for piping varlock output into non-JS runtimes
+- [Docker](/guides/docker/) — a Docker wrapper around the varlock CLI including examples
 
 
 ## Coming soon