From 58bee92b8c7c70f9d1f0a9699b0d002d37931717 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 16:03:48 -0400
Subject: [PATCH 01/13] feat(nextjs): standalone output, deterministic builds,
 and scoped Fastly purge
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three coordinated improvements to the Next.js deployment pipeline:

1. Scoped Fastly cache invalidation
   - Add Surrogate-Key: html-pages response header to HTML routes and
     sitemaps (excludes /_next/static/ via the existing file-extension
     regex), so purge/html-pages at deploy time no longer invalidates
     immutable content-addressed static chunks.

2. Deterministic builds
   - Add generateBuildId returning NEXT_PUBLIC_VERSION || GIT_REF || 'dev'
     so the build manifest filename is stable across identical builds.
   - Override webpack output.filename / output.chunkFilename to use
     [contenthash] instead of [chunkhash], making chunk filenames depend
     only on content rather than module graph ordering.

3. Standalone output + slimmed Docker image
   - Add output: 'standalone' to next.config.js so Next.js emits a
     self-contained server with a minimal node_modules tree.
   - Remove the build_skip_yarn Docker stage; add a new slim runner stage
     that copies .next/standalone/, .next/static/, and public/ from the
     build stage into a clean node:24-alpine image. The build is now fully
     baked in at image build time — no EFS volume or Kubernetes Job needed
     at deploy time.
   - Add ARG/ENV GIT_REF to the build stage so the git SHA passed by
     Concourse as BUILD_ARG_GIT_REF is available to next build.

BREAKING: this Dockerfile change must be deployed together with the
corresponding ol-infrastructure Pulumi change that removes the blue/green
EFS deployment and Kubernetes build Job.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web | 47 ++++++++++++++++++------------
 frontends/main/next.config.js | 55 +++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 18 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index db9efa8100..a113972e9d 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -105,6 +105,12 @@ ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
 ARG NEXT_PUBLIC_VERSION
 ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
 
+# GIT_REF is the full commit SHA, passed by Concourse as BUILD_ARG_GIT_REF.
+# It is used by next.config.js generateBuildId as a fallback when
+# NEXT_PUBLIC_VERSION is not set (e.g. CI/main-branch builds).
+ARG GIT_REF
+ENV GIT_REF=$GIT_REF
+
 ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
 ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
 
@@ -156,32 +162,37 @@ ENV NEXT_PUBLIC_DEFAULT_SEARCH_STALENESS_PENALTY="2.5"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MINIMUM_SCORE_CUTOFF="0"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MAX_INCOMPLETENESS_PENALTY="90"
 
-# NEW STAGE: build_skip_yarn
-# This stage is intended for scenarios where the 'yarn build' step
-# is not needed (e.g., build artifacts are provided externally or
-# for a development setup where 'yarn dev' might be used).
-# Note: 'yarn start' in the CMD requires a prior build to have occurred
-# and the '.next' directory to be present.
-FROM base AS build_skip_yarn
+# STAGE: build
+# Runs `next build` to compile the application. With output: "standalone" in
+# next.config.js this emits a minimal server at .next/standalone/ that includes
+# only the required runtime files and can be run with plain node.
+FROM base AS build
 
-EXPOSE 3000
+RUN yarn build
 
-ENV PORT=3000
-ENV HOSTNAME="0.0.0.0"
+# STAGE: runner (default)
+# Copies only the standalone server, static assets, and public directory from
+# the build stage into a clean image. No yarn, no node_modules, no source code.
+#
+# The standalone server is started directly with node (not `yarn start`), which
+# avoids yarn overhead and is the pattern recommended by Next.js for Docker:
+# https://github.com/vercel/next.js/tree/canary/examples/with-docker
+FROM node:24-alpine AS runner
 
-CMD ["yarn", "start"]
+WORKDIR /app
 
-# DEFAULT STAGE: build
-# This stage performs the 'yarn build' step and is the default target
-# if no --target is specified during the Docker build command.
-FROM base AS build
+# Copy the standalone server (includes a minimal node_modules)
+COPY --from=build /app/frontends/main/.next/standalone ./
 
-RUN yarn build
+# Copy static assets served by the Next.js server under /_next/static/
+COPY --from=build /app/frontends/main/.next/static ./frontends/main/.next/static
+
+# Copy the public directory (robots.txt, favicon.ico, etc.)
+COPY --from=build /app/frontends/main/public ./frontends/main/public
 
 EXPOSE 3000
 
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
-# CMD ["node", "/app/frontends/main/.next/standalone/frontends/main/server.js"]
-CMD ["yarn", "start"]
+CMD ["node", "frontends/main/server.js"]
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 5cb947d145..f33158a3c8 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -38,6 +38,13 @@ const processFeatureFlags = () => {
 const nextConfig = {
   productionBrowserSourceMaps: true,
   allowedDevOrigins,
+  /**
+   * Standalone output emits a minimal self-contained server at
+   * .next/standalone/ with only the required runtime files. The resulting
+   * Docker image requires no node_modules and no yarn at startup.
+   * See: https://nextjs.org/docs/app/getting-started/deploying#docker
+   */
+  output: "standalone",
   async rewrites() {
     return [
       /* Static assets moved from /static, though image paths are sometimes
@@ -76,6 +83,9 @@ const nextConfig = {
             key: "Cache-Control",
             value: PAGE_CACHE_CONTROL,
           },
+          // Tag sitemaps with "html-pages" so Fastly can purge them on deploy
+          // without also purging immutable /_next/static/ chunks.
+          { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
       /* This is intended to target the base HTML responses and streamed RSC
@@ -92,6 +102,11 @@ const nextConfig = {
             key: "Cache-Control",
             value: PAGE_CACHE_CONTROL,
           },
+          // Tag all HTML/page routes so Fastly can purge them on deploy
+          // without also purging immutable /_next/static/ chunks.
+          // The pattern above already excludes file extensions, so /_next/static/*.js
+          // will never receive this tag.
+          { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
 
@@ -141,6 +156,46 @@ const nextConfig = {
     // Explicitly enable it for clarity (optional - already default)
     turbopackFileSystemCacheForDev: true,
   },
+
+  /**
+   * Stable, deterministic build ID based on the git SHA / version tag.
+   *
+   * Next.js embeds the build ID in manifest filenames (_buildManifest.js,
+   * _ssgManifest.js) and in page-data paths. Using the same ID across
+   * rebuilds of the same commit reduces inter-build hash drift.
+   *
+   * NEXT_PUBLIC_VERSION is set as a Kubernetes env var (and as a Docker
+   * build arg in future standalone builds). GIT_REF is the full commit SHA
+   * passed by Concourse. The 'dev' fallback is for local builds.
+   */
+  generateBuildId: async () =>
+    process.env.NEXT_PUBLIC_VERSION || process.env.GIT_REF || "dev",
+
+  /**
+   * Replace webpack's [chunkhash] with [contenthash].
+   *
+   * [chunkhash] is influenced by module ordering and internal IDs, so two
+   * builds of identical code can produce different filenames. [contenthash]
+   * is derived purely from the file's content, making chunk names stable
+   * across rebuilds when code is unchanged.
+   *
+   * See: https://github.com/vercel/next.js/discussions/65856
+   */
+  webpack: (config) => {
+    if (config.output.filename) {
+      config.output.filename = config.output.filename.replace(
+        "[chunkhash]",
+        "[contenthash]",
+      )
+    }
+    if (config.output.chunkFilename) {
+      config.output.chunkFilename = config.output.chunkFilename.replace(
+        "[chunkhash]",
+        "[contenthash]",
+      )
+    }
+    return config
+  },
 }
 
 const { withSentryConfig } = require("@sentry/nextjs")

From d77770c7831d86ad5fcf0f7b52f89152690c35e1 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 16:17:44 -0400
Subject: [PATCH 02/13] fix: address PR review feedback on runner stage and
 surrogate key pattern

- Fix misleading comment: standalone bundle includes a minimal node_modules,
  not zero node_modules
- Add NODE_ENV=production to runner stage; it was previously inherited from
  the base stage but the runner uses a fresh FROM so must be set explicitly
- Exclude /healthcheck from the html-pages Surrogate-Key pattern; healthcheck
  returns JSON and should not be tagged as an HTML page for Fastly purges

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web | 5 ++++-
 frontends/main/next.config.js | 8 ++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index a113972e9d..a670a64314 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -172,7 +172,9 @@ RUN yarn build
 
 # STAGE: runner (default)
 # Copies only the standalone server, static assets, and public directory from
-# the build stage into a clean image. No yarn, no node_modules, no source code.
+# the build stage into a clean image. No workspace install is needed; the
+# standalone bundle ships with the minimal node_modules required to run the
+# server. No source code or build tooling is included.
 #
 # The standalone server is started directly with node (not `yarn start`), which
 # avoids yarn overhead and is the pattern recommended by Next.js for Docker:
@@ -192,6 +194,7 @@ COPY --from=build /app/frontends/main/public ./frontends/main/public
 
 EXPOSE 3000
 
+ENV NODE_ENV=production
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index f33158a3c8..9569a9b895 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -93,10 +93,12 @@ const nextConfig = {
        * sets no-cache. However we are currently serving public content that is
        * cacheable.
        *
-       * Excludes everything with a file extension so we're matching only on routes.
+       * Excludes everything with a file extension (so /_next/static/*.js is
+       * never matched) and also excludes /healthcheck, which returns JSON and
+       * should not be tagged as an HTML page for Fastly surrogate-key purges.
        */
       {
-        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$).*)",
+        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$)(?!healthcheck$).*)",
         headers: [
           {
             key: "Cache-Control",
@@ -104,8 +106,6 @@ const nextConfig = {
           },
           // Tag all HTML/page routes so Fastly can purge them on deploy
           // without also purging immutable /_next/static/ chunks.
-          // The pattern above already excludes file extensions, so /_next/static/*.js
-          // will never receive this tag.
           { key: "Surrogate-Key", value: "html-pages" },
         ],
       },

From 43048fb64adf00f0aa97aa9fc218f44076771695 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 17:10:37 -0400
Subject: [PATCH 03/13] feat(nextjs): runtime env injection via PublicEnvScript
 + env() helper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace webpack build-time NEXT_PUBLIC_* inlining with a runtime injection
pattern that allows a single Docker image to be deployed across environments.

Problem: DefinePlugin bakes all process.env.NEXT_PUBLIC_* references as
literal values at build time. When yarn build runs in CI (without per-env
values), all NEXT_PUBLIC_* vars are empty strings in the bundle—even though
the Kubernetes pod has the correct values set.

Solution:
- PublicEnvScript: a Server Component that calls connection() (opts out of
  SSG) and renders a synchronous inline <script> setting window.__ENV to
  all NEXT_PUBLIC_* values from process.env at request time. Placed in root
  <head> so it executes before any JS bundle loads.
- env(): a helper that reads window.__ENV in the browser and uses dynamic
  process.env[key] access on the server (dynamic bracket access is NOT
  replaced by DefinePlugin). Falls back to process.env[key] in the browser
  to support test environments (jsdom) that set process.env directly.
- Migrate all 143 process.env.NEXT_PUBLIC_* usages across 56 source files
  to env(). Test files unchanged—existing vi.stubEnv / direct process.env
  assignment continues to work via the fallback.

Additional changes:
- next.config.js: gate validateEnv() with NEXT_BUILD_CI to skip at build
  time; runtime validation added to instrumentation-node.ts (runs at server
  startup via instrumentation.ts register()).
- Dockerfile: set ENV NEXT_BUILD_CI=1 in build stage.
- ConfiguredPostHogProvider: compute PostHog bootstrap feature flags from
  window.__ENV at runtime (previously baked via processFeatureFlags() in
  next.config.js which returns {} in CI builds). Remove build-time
  FEATURE_FLAGS from next.config.js env config.
- instrumentation-node.ts: use dynamic process.env[key] access for
  NEXT_PUBLIC_SENTRY_* and NEXT_PUBLIC_VERSION to avoid DefinePlugin
  inlining; add required env var check at startup.
- otel-utils.ts: same dynamic access for APP_VERSION.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web                 |  7 +++
 frontends/main/next.config.js                 | 28 +++---------
 .../src/app-pages/AboutPage/AboutPage.tsx     |  3 +-
 .../CertificatePage/CertificatePage.tsx       |  3 +-
 .../ChannelPage/TopicChannelTemplate.tsx      |  3 +-
 .../HomeEnrollmentsDisplay.tsx                |  3 +-
 .../DashboardPage/EnrollmentRedirectAlert.tsx |  3 +-
 .../HomePage/BrowseTopicsSection.tsx          |  5 ++-
 .../HomePage/UAIAnnouncementCard.tsx          |  3 +-
 .../app-pages/HonorCodePage/HonorCodePage.tsx |  3 +-
 .../src/app-pages/PrivacyPage/PrivacyPage.tsx |  5 ++-
 .../ProductPages/CourseEnrollmentButton.tsx   |  3 +-
 .../ProductPages/MitxOnlineResourceCard.tsx   |  3 +-
 .../ProductPages/ProductPageTemplate.tsx      |  3 +-
 .../ProductPages/ProgramEnrollmentButton.tsx  |  3 +-
 .../TopicsListingPage/TopicsListingPage.tsx   |  3 +-
 .../app-pages/UnitsListingPage/UnitCard.tsx   |  3 +-
 .../VideoDetailPage.tsx                       |  3 +-
 .../YouTubeIframePlayer.tsx                   |  3 +-
 .../[certificateType]/[uuid]/page.tsx         |  3 +-
 .../[certificateType]/[uuid]/pdf/route.tsx    |  3 +-
 frontends/main/src/app/(site)/layout.tsx      |  9 ++--
 .../src/app/components/PublicEnvScript.tsx    | 38 ++++++++++++++++
 frontends/main/src/app/healthcheck/route.ts   |  3 +-
 frontends/main/src/app/layout.tsx             |  8 +++-
 frontends/main/src/app/robots.ts              |  5 ++-
 .../main/src/app/sitemaps/channels/sitemap.ts |  3 +-
 .../main/src/app/sitemaps/podcast/sitemap.ts  |  3 +-
 .../main/src/app/sitemaps/products/sitemap.ts |  3 +-
 .../src/app/sitemaps/resources/sitemap.ts     |  3 +-
 .../app/sitemaps/sitemap-index.xml/route.ts   |  5 ++-
 .../main/src/app/sitemaps/static/sitemap.ts   |  5 ++-
 .../main/src/app/sitemaps/video/sitemap.ts    |  3 +-
 frontends/main/src/common/certificateUtils.ts |  3 +-
 frontends/main/src/common/client-utils.ts     |  5 +--
 frontends/main/src/common/config.ts           |  5 ++-
 frontends/main/src/common/metadata.ts         |  5 ++-
 frontends/main/src/common/mitxonline/index.ts |  9 ++--
 frontends/main/src/common/urls.ts             |  7 +--
 frontends/main/src/common/utils.ts            |  3 +-
 .../components/PrivateTitle/PrivateTitle.tsx  |  3 +-
 frontends/main/src/env.ts                     | 35 +++++++++++++++
 frontends/main/src/instrumentation-client.ts  | 15 ++++---
 frontends/main/src/instrumentation-node.ts    | 37 +++++++++++++---
 frontends/main/src/otel-utils.ts              |  2 +-
 .../AiChat/AiRecommendationBotDrawer.tsx      |  5 ++-
 .../AiChat/AskTimDrawerButton.tsx             |  3 +-
 .../ConfiguredPostHogProvider.tsx             | 43 +++++++++++++++----
 .../Dialogs/AddToListDialog.tsx               |  3 +-
 .../src/page-components/Header/Header.tsx     |  3 +-
 .../page-components/HeroSearch/HeroSearch.tsx |  5 ++-
 .../LearningResourceDrawer.tsx                |  5 ++-
 .../AiChatSyllabusSlideDown.tsx               |  7 +--
 .../CallToActionSection.tsx                   |  5 ++-
 .../ResourceCarousel/ResourceCarousel.tsx     |  3 +-
 .../SearchDisplay/SearchDisplay.tsx           |  3 +-
 .../SearchDisplay/UniversalAIBanner.tsx       |  3 +-
 .../SearchField/SearchField.tsx               |  3 +-
 .../SignupPopover/SignupPopover.tsx           |  3 +-
 .../node/ByLineInfoBar/ByLineInfoBar.tsx      |  3 +-
 60 files changed, 290 insertions(+), 120 deletions(-)
 create mode 100644 frontends/main/src/app/components/PublicEnvScript.tsx
 create mode 100644 frontends/main/src/env.ts

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index a670a64314..b37a3c10e8 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -166,8 +166,15 @@ ENV NEXT_PUBLIC_DEFAULT_SEARCH_MAX_INCOMPLETENESS_PENALTY="90"
 # Runs `next build` to compile the application. With output: "standalone" in
 # next.config.js this emits a minimal server at .next/standalone/ that includes
 # only the required runtime files and can be run with plain node.
+#
+# NEXT_BUILD_CI=1 skips validateEnv() in next.config.js, which would fail
+# because NEXT_PUBLIC_* vars are not available at build time — they are
+# injected at runtime by Kubernetes and surfaced to the browser via
+# PublicEnvScript. Validation runs at server startup in instrumentation-node.ts.
 FROM base AS build
 
+ENV NEXT_BUILD_CI=1
+
 RUN yarn build
 
 # STAGE: runner (default)
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 9569a9b895..8e38e4c41e 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -1,7 +1,13 @@
 // @ts-check
 const { validateEnv } = require("./validateEnv")
 
-validateEnv()
+// In CI Docker builds (NEXT_BUILD_CI=1), NEXT_PUBLIC_* vars are not available
+// at build time — they are injected at runtime via PublicEnvScript. Skip
+// build-time validation; validateEnv() runs at server startup instead (see
+// src/instrumentation-node.ts).
+if (!process.env.NEXT_BUILD_CI) {
+  validateEnv()
+}
 
 const NEXT_PUBLIC_OPTIMIZE_IMAGES = Boolean(
   (process.env.NEXT_PUBLIC_OPTIMIZE_IMAGES ?? "true") === "true",
@@ -18,22 +24,6 @@ const NEXT_CACHE_S_MAXAGE_SECONDS =
   process.env.NEXT_CACHE_S_MAXAGE_SECONDS || "1800"
 const PAGE_CACHE_CONTROL = `s-maxage=${NEXT_CACHE_S_MAXAGE_SECONDS}, stale-if-error=86400, stale-while-revalidate=86400`
 
-const processFeatureFlags = () => {
-  const featureFlagPrefix =
-    process.env.NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX || "FEATURE_"
-  const bootstrapFeatureFlags = {}
-
-  for (const [key, value] of Object.entries(process.env)) {
-    if (key.startsWith(`NEXT_PUBLIC_${featureFlagPrefix}`)) {
-      bootstrapFeatureFlags[
-        key.replace(`NEXT_PUBLIC_${featureFlagPrefix}`, "").replaceAll("_", "-")
-      ] = value === "True" ? true : JSON.stringify(value)
-    }
-  }
-
-  return bootstrapFeatureFlags
-}
-
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   productionBrowserSourceMaps: true,
@@ -147,10 +137,6 @@ const nextConfig = {
     qualities: [25, 50, 75, 100],
   },
 
-  env: {
-    FEATURE_FLAGS: JSON.stringify(processFeatureFlags()),
-  },
-
   experimental: {
     // Turbopack filesystem caching is enabled by default in Next.js 16.1+
     // Explicitly enable it for clarity (optional - already default)
diff --git a/frontends/main/src/app-pages/AboutPage/AboutPage.tsx b/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
index 5fd4196961..0d154dcdc3 100644
--- a/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
+++ b/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -15,7 +16,7 @@ import Image from "next/image"
 const WHAT_IS_MIT_OPEN_FRAGMENT_IDENTIFIER = "what-is-mit-learn"
 const ACADEMIC_AND_PROFESSIONAL_CONTENT = "kinds-of-content"
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 const PageContainer = styled(Container)({
   color: theme.custom.colors.darkGray2,
diff --git a/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx b/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
index 59d43151a3..e69cf5592e 100644
--- a/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
+++ b/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useRef, useEffect, useCallback, useState } from "react"
 import { notFound } from "next/navigation"
 import Image from "next/image"
@@ -556,7 +557,7 @@ const Certificate = ({
                 src={
                   signatory.signature_image.startsWith("http")
                     ? signatory.signature_image
-                    : `${process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL}${signatory.signature_image}`
+                    : `${env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL")}${signatory.signature_image}`
                 }
                 alt={signatory.name}
                 crossOrigin="anonymous"
diff --git a/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx b/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
index e30ecd4727..c7bd475c1f 100644
--- a/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
+++ b/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import {
   styled,
@@ -110,7 +111,7 @@ const TopicChipsInternal: React.FC<TopicChipsInternalProps> = (props) => {
             key={topic.id}
             href={topic.channel_url ?? ""}
             onClick={() => {
-              if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+              if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                 posthog.capture(posthogEvent, { topic })
               }
             }}
diff --git a/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx b/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
index 2dc6755ba1..f1026ffb01 100644
--- a/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
+++ b/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import {
   Collapse,
@@ -89,7 +90,7 @@ const ShowAllContainer = styled.div(({ theme }) => ({
   },
 }))
 
-const SUPPORT_EMAIL = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL || ""
+const SUPPORT_EMAIL = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL") || ""
 
 const getResourceKey = (resource: DashboardResource): string => {
   if (resource.type === DashboardType.ProgramEnrollment) {
diff --git a/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx b/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
index 77f73ac1ff..4a57990a6f 100644
--- a/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
+++ b/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { useQuery } from "@tanstack/react-query"
 import { Alert } from "@mitodl/smoot-design"
@@ -170,7 +171,7 @@ const parseAlertRequest = (
 
 const EnrollmentRedirectAlert: React.FC = () => {
   const request = useConsumeSearchParamsOnce(parseAlertRequest)
-  const supportEmail = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL || ""
+  const supportEmail = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL") || ""
 
   const mitxOnlineUserQuery = useQuery({
     ...mitxUserQueries.me(),
diff --git a/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx b/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
index 88ef1a5fb5..244af42986 100644
--- a/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
+++ b/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import Link from "next/link"
 import {
@@ -123,7 +124,7 @@ const BrowseTopicsSection: React.FC = () => {
                   key={id}
                   href={channelUrl ? new URL(channelUrl!).pathname : ""}
                   onClick={() => {
-                    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                       posthog.capture(PostHogEvents.HomeTopicClicked, {
                         topic: name,
                       })
@@ -143,7 +144,7 @@ const BrowseTopicsSection: React.FC = () => {
         <SeeAllButton
           href="/topics/"
           onClick={() => {
-            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
               posthog.capture(PostHogEvents.HomeSeeAllTopicsClicked)
             }
           }}
diff --git a/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx b/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
index 0d8223a9e9..dfb9b0994b 100644
--- a/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
+++ b/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
@@ -1,4 +1,5 @@
 "use client"
+import { env } from "@/env"
 import React from "react"
 import { Typography, styled } from "ol-components"
 import { ButtonLink } from "@mitodl/smoot-design"
@@ -252,7 +253,7 @@ const UAIAnnouncementCard: React.FC = () => {
   })
 
   const handleCTAClick = () => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Learn about Universal AI",
         readableId: UAI_PROGRAM_READABLE_ID,
diff --git a/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx b/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
index 73d98f13ca..8f8271f54f 100644
--- a/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
+++ b/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -64,7 +65,7 @@ const UnorderedList = styled.ul(({ theme }) => ({
   marginTop: "10px",
 }))
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 const HonorCodePage: React.FC = () => {
   return (
diff --git a/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx b/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
index b4df60b38c..5ab03c7388 100644
--- a/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
+++ b/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -64,8 +65,8 @@ const UnorderedList = styled.ul(({ theme }) => ({
   marginTop: "10px",
 }))
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
-const MITOL_SUPPORT_EMAIL = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
+const MITOL_SUPPORT_EMAIL = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL")
 
 const PrivacyPage: React.FC = () => {
   return (
diff --git a/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx b/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
index 99daf0c651..d13dd7c93f 100644
--- a/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
+++ b/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { styled, Stack, LoadingSpinner } from "ol-components"
 import { useQuery } from "@tanstack/react-query"
@@ -94,7 +95,7 @@ const CourseEnrollmentButton: React.FC<CourseEnrollmentButtonProps> = ({
     if (me.isLoading) {
       return
     }
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         readableId: course.readable_id,
         resourceType: "course",
diff --git a/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx b/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
index 2c07c18beb..e93a8f11c5 100644
--- a/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
+++ b/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { usePostHog } from "posthog-js/react"
 import { BaseLearningResourceCard } from "ol-components"
@@ -217,7 +218,7 @@ const MitxOnlineResourceCard: React.FC<MitxOnlineResourceCardProps> = (
       ariaLabel={`${data.displayType}: ${data.title}`}
       list={list}
       onClick={() => {
-        if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+        if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
           posthog.capture(PostHogEvents.CourseCardClicked, {
             label,
             resourceId: props.resource?.id,
diff --git a/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx b/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
index ad2c32555e..8b8400f512 100644
--- a/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
+++ b/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import {
   Container,
@@ -311,7 +312,7 @@ const ProductPageTemplate: React.FC<ProductPageTemplateProps> = ({
 
   const handleStayUpdatedClick = () => {
     if (!showStayUpdated || !resource) return
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Stay Updated",
         readableId: resource.readable_id,
diff --git a/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx b/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
index 2dab57ce7b..e595d7df1d 100644
--- a/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
+++ b/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { LoadingSpinner, Stack, theme } from "ol-components"
 import {
@@ -90,7 +91,7 @@ const ProgramEnrollmentButton: React.FC<ProgramEnrollmentButtonProps> = ({
     if (enrollments.isLoading || me.isLoading) {
       return
     }
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         readableId: program.readable_id,
         resourceType: "program",
diff --git a/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx b/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
index db6bb0f58b..6540bf8a02 100644
--- a/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
+++ b/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useMemo } from "react"
 import {
   Container,
@@ -34,7 +35,7 @@ const captureTopicClicked = (
   event: string,
   topic: string,
 ) => {
-  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     posthog.capture(event, { topic })
   }
 }
diff --git a/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx b/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
index 6afee621b4..a7ef3c1167 100644
--- a/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
+++ b/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import type { OfferedByEnum } from "api"
 import type { UnitChannel } from "api/v0"
@@ -98,7 +99,7 @@ const UnitCard: React.FC<UnitCardProps> = (props) => {
               <Link
                 href={href}
                 onClick={() => {
-                  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                     posthog.capture(PostHogEvents.ProviderLinkClicked, {
                       provider: unit,
                     })
diff --git a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
index bd2f3b9084..086850fd6c 100644
--- a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
+++ b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useEffect, useRef, useState } from "react"
 import Link from "next/link"
 import Image from "next/image"
@@ -19,7 +20,7 @@ import SharePopover from "@/components/SharePopover/SharePopover"
 import { buildVideoStructuredData } from "./videoStructuredData"
 import VideoResourcePlayer from "./VideoResourcePlayer"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const PageWrapper = styled.div({
   backgroundColor: "#fff",
diff --git a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
index 7913907813..434b028913 100644
--- a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
+++ b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
@@ -1,9 +1,10 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 export type YouTubeIframePlayerProps = {
diff --git a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
index c0c53d21e5..7c07074586 100644
--- a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
+++ b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { Metadata } from "next"
 import CertificatePage from "@/app-pages/CertificatePage/CertificatePage"
@@ -9,7 +10,7 @@ import { safeGenerateMetadata, standardizeMetadata } from "@/common/metadata"
 import { getQueryClient } from "@/app/getQueryClient"
 import { getCertificateInfo } from "@/common/certificateUtils"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 enum CertificateType {
   Course = "course",
diff --git a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
index 54a1ccd249..13cecb72e3 100644
--- a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
+++ b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 /* eslint-disable no-restricted-syntax */
 import React from "react"
 import type { AxiosError } from "axios"
@@ -384,7 +385,7 @@ const CertificateDoc = ({
                     source={
                       signatory.signature_image.startsWith("http")
                         ? signatory.signature_image
-                        : `${process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL}${signatory.signature_image}`
+                        : `${env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL")}${signatory.signature_image}`
                     }
                     style={{
                       width: "100px",
diff --git a/frontends/main/src/app/(site)/layout.tsx b/frontends/main/src/app/(site)/layout.tsx
index 982058ea30..32f941e427 100644
--- a/frontends/main/src/app/(site)/layout.tsx
+++ b/frontends/main/src/app/(site)/layout.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import Script from "next/script"
 import Header from "@/page-components/Header/Header"
@@ -86,13 +87,13 @@ j=d.createElement(s),dl=l!=='dataLayer'?'&l='+l:'';j.async=true;j.src=
           <Footer />
         </PageWrapper>
       </SiteProviders>
-      {process.env.NEXT_PUBLIC_APPZI_URL ? (
-        <Script async src={process.env.NEXT_PUBLIC_APPZI_URL} />
+      {env("NEXT_PUBLIC_APPZI_URL") ? (
+        <Script async src={env("NEXT_PUBLIC_APPZI_URL")} />
       ) : null}
-      {process.env.NEXT_PUBLIC_HUBSPOT_PORTAL_ID ? (
+      {env("NEXT_PUBLIC_HUBSPOT_PORTAL_ID") ? (
         <Script
           id="hs-script-loader"
-          src={`https://js.hs-scripts.com/${process.env.NEXT_PUBLIC_HUBSPOT_PORTAL_ID}.js`}
+          src={`https://js.hs-scripts.com/${env("NEXT_PUBLIC_HUBSPOT_PORTAL_ID")}.js`}
           strategy="afterInteractive"
         />
       ) : null}
diff --git a/frontends/main/src/app/components/PublicEnvScript.tsx b/frontends/main/src/app/components/PublicEnvScript.tsx
new file mode 100644
index 0000000000..8709bdbfe1
--- /dev/null
+++ b/frontends/main/src/app/components/PublicEnvScript.tsx
@@ -0,0 +1,38 @@
+/**
+ * Server Component that injects all NEXT_PUBLIC_* environment variables into
+ * the page HTML as a synchronous inline <script> before any JS bundle loads.
+ *
+ * This enables the `env()` helper (src/env.ts) to read per-environment values
+ * at runtime in the browser, decoupling them from webpack's build-time
+ * DefinePlugin substitution.
+ *
+ * Placement: render inside <head> in the root app/layout.tsx.
+ *
+ * Execution order guarantee: a plain <script> (not next/script) in <head>
+ * runs synchronously during HTML parsing — before any deferred or async JS
+ * module loads. `window.__ENV` is therefore available when
+ * instrumentation-client.ts (Sentry) and all React component modules evaluate.
+ *
+ * Security: JSON output is sanitized to prevent </script> injection. The app
+ * currently has no CSP; if one is added, this script will need a nonce.
+ */
+import React from "react"
+import { connection } from "next/server"
+
+export async function PublicEnvScript() {
+  // `connection()` opts this route out of static prerendering so that
+  // process.env is read fresh on every request (not baked at build time).
+  await connection()
+
+  const publicEnv = Object.fromEntries(
+    Object.entries(process.env).filter(([k]) => k.startsWith("NEXT_PUBLIC_")),
+  )
+
+  // Escape `<` to prevent a value like `</script><script>...` from breaking
+  // out of the script tag.
+  const json = JSON.stringify(publicEnv).replace(/</g, "\\u003c")
+
+  return (
+    <script dangerouslySetInnerHTML={{ __html: `window.__ENV=${json};` }} />
+  )
+}
diff --git a/frontends/main/src/app/healthcheck/route.ts b/frontends/main/src/app/healthcheck/route.ts
index 2eb9277042..04d5009f5a 100644
--- a/frontends/main/src/app/healthcheck/route.ts
+++ b/frontends/main/src/app/healthcheck/route.ts
@@ -1,4 +1,5 @@
-const VERSION = process.env.NEXT_PUBLIC_VERSION || "unknown"
+import { env } from "@/env"
+const VERSION = env("NEXT_PUBLIC_VERSION") || "unknown"
 export async function GET() {
   return Response.json(
     {
diff --git a/frontends/main/src/app/layout.tsx b/frontends/main/src/app/layout.tsx
index 3ae2f503ff..e952b67382 100644
--- a/frontends/main/src/app/layout.tsx
+++ b/frontends/main/src/app/layout.tsx
@@ -1,9 +1,11 @@
 import React from "react"
 import Providers from "./providers"
+import { PublicEnvScript } from "./components/PublicEnvScript"
+import { env } from "@/env"
 
 import "./GlobalStyles"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 /**
  * As part of the root layout, this metadata object is site-wide defaults
@@ -42,8 +44,10 @@ export default function RootLayout({
         ></link>
         <meta
           name="application-version"
-          content={process.env.NEXT_PUBLIC_VERSION || "unknown"}
+          content={env("NEXT_PUBLIC_VERSION") || "unknown"}
         />
+        {/* Inject all NEXT_PUBLIC_* env vars for runtime access via env() */}
+        <PublicEnvScript />
       </head>
       <body>
         <Providers>{children}</Providers>
diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index 6893b369a8..f41a82dbfb 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,8 +1,9 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export default function robots(): MetadataRoute.Robots {
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
diff --git a/frontends/main/src/app/sitemaps/channels/sitemap.ts b/frontends/main/src/app/sitemaps/channels/sitemap.ts
index 76e9b5b6ac..7aea1a816c 100644
--- a/frontends/main/src/app/sitemaps/channels/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/channels/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
@@ -5,7 +6,7 @@ import { dangerouslyDetectProductionBuildPhase } from "../util"
 import { getQueryClient } from "@/app/getQueryClient"
 import { channelQueries } from "api/hooks/channels"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 100
diff --git a/frontends/main/src/app/sitemaps/podcast/sitemap.ts b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
index 3257123ef7..aea4b26602 100644
--- a/frontends/main/src/app/sitemaps/podcast/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/products/sitemap.ts b/frontends/main/src/app/sitemaps/products/sitemap.ts
index 5e421625f6..48f66ed942 100644
--- a/frontends/main/src/app/sitemaps/products/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/products/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/resources/sitemap.ts b/frontends/main/src/app/sitemaps/resources/sitemap.ts
index 3c28f7ad3a..2da7e6b195 100644
--- a/frontends/main/src/app/sitemaps/resources/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/resources/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -5,7 +6,7 @@ import invariant from "tiny-invariant"
 import { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index 7fd20af808..c8141e6f65 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { NextResponse } from "next/server"
 import invariant from "tiny-invariant"
 import * as resourceSitemap from "../resources/sitemap"
@@ -6,8 +7,8 @@ import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export async function GET() {
   const content = await buildSitemapIndex()
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 62aa1466cf..8b0806edee 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,8 +1,9 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN)
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"))
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export default function sitemap(): MetadataRoute.Sitemap {
   return [
diff --git a/frontends/main/src/app/sitemaps/video/sitemap.ts b/frontends/main/src/app/sitemaps/video/sitemap.ts
index 42a3077ac4..75ed529455 100644
--- a/frontends/main/src/app/sitemaps/video/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/video/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/common/certificateUtils.ts b/frontends/main/src/common/certificateUtils.ts
index 08c66b752d..8dfd184b56 100644
--- a/frontends/main/src/common/certificateUtils.ts
+++ b/frontends/main/src/common/certificateUtils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type {
   V2ProgramCertificate,
   V2CourseRunCertificate,
@@ -24,7 +25,7 @@ export enum CertificateType {
  * The below matches my naive expectations but we need to confirm that since we need unauthenticated access
  */
 
-const API_BASE_URL = process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
+const API_BASE_URL = env("NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL")
 invariant(API_BASE_URL, "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL must be set")
 
 /* This is the Organization ID for MIT OpenLearning on LinkedIn as far as I can tell. We could parameterize this if needed */
diff --git a/frontends/main/src/common/client-utils.ts b/frontends/main/src/common/client-utils.ts
index 0a93fd759f..3320136dba 100644
--- a/frontends/main/src/common/client-utils.ts
+++ b/frontends/main/src/common/client-utils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { ChannelCounts } from "api/v0"
 import { auth } from "./urls"
 import { redirect, usePathname, useSearchParams } from "next/navigation"
@@ -46,9 +47,7 @@ function getCookie(name: string) {
  * Returns CsrfToken from cookie if it is present
  */
 const getCsrfToken = () => {
-  return (
-    getCookie(process.env.NEXT_PUBLIC_CSRF_COOKIE_NAME || "csrftoken") ?? ""
-  )
+  return getCookie(env("NEXT_PUBLIC_CSRF_COOKIE_NAME") || "csrftoken") ?? ""
 }
 
 /**
diff --git a/frontends/main/src/common/config.ts b/frontends/main/src/common/config.ts
index 69e32cbf43..15a717655c 100644
--- a/frontends/main/src/common/config.ts
+++ b/frontends/main/src/common/config.ts
@@ -1,5 +1,6 @@
+import { env } from "@/env"
 export const getRecaptchaSiteKey = (): string | undefined =>
-  (process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "").trim() || undefined
+  (env("NEXT_PUBLIC_RECAPTCHA_SITE_KEY") ?? "").trim() || undefined
 
 export const getStayUpdatedHubspotFormId = (): string =>
-  (process.env.NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID ?? "").trim()
+  (env("NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID") ?? "").trim()
diff --git a/frontends/main/src/common/metadata.ts b/frontends/main/src/common/metadata.ts
index 29b796cb64..74ebe0ab51 100644
--- a/frontends/main/src/common/metadata.ts
+++ b/frontends/main/src/common/metadata.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import {
   canonicalResourceDrawerUrl,
   RESOURCE_DRAWER_PARAMS,
@@ -117,13 +118,13 @@ export const standardizeMetadata = ({
   social = true,
   ...otherMeta
 }: MetadataProps = {}): Metadata => {
-  title = `${title} | ${process.env.NEXT_PUBLIC_SITE_NAME}`
+  title = `${title} | ${env("NEXT_PUBLIC_SITE_NAME")}`
   const socialMetadata = social
     ? {
         openGraph: {
           title,
           description,
-          siteName: process.env.NEXT_PUBLIC_SITE_NAME,
+          siteName: env("NEXT_PUBLIC_SITE_NAME"),
           images: [
             {
               url: image,
diff --git a/frontends/main/src/common/mitxonline/index.ts b/frontends/main/src/common/mitxonline/index.ts
index db3ba602f2..243c8e8daa 100644
--- a/frontends/main/src/common/mitxonline/index.ts
+++ b/frontends/main/src/common/mitxonline/index.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type {
   BaseProduct,
   CourseRunV2,
@@ -13,12 +14,10 @@ import {
 } from "@mitodl/mitxonline-api-axios/v2"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL =
-  process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-invariant(
-  NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL,
-  "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL must be set",
+const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL = env(
+  "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL",
 )
+invariant(NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL)
 
 const upgradeRunUrl = (product: ProductFlexiblePrice): string => {
   try {
diff --git a/frontends/main/src/common/urls.ts b/frontends/main/src/common/urls.ts
index 2796fea4eb..c931364a01 100644
--- a/frontends/main/src/common/urls.ts
+++ b/frontends/main/src/common/urls.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { BaseProgramDisplayMode } from "@mitodl/mitxonline-api-axios/v2"
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
 import invariant from "tiny-invariant"
@@ -88,13 +89,13 @@ export const makeChannelManageWidgetsPath = (
   name: string,
 ) => generatePath(CHANNEL_EDIT_WIDGETS, { channelType, name })
 
-const ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(ORIGIN, "NEXT_PUBLIC_ORIGIN must be set")
 if (process.env.NODE_ENV !== "production") {
   invariant(!ORIGIN?.endsWith("/"), "NEXT_PUBLIC_ORIGIN should not end with /")
 }
 
-const MITOL_API_BASE_URL = process.env.NEXT_PUBLIC_MITOL_API_BASE_URL
+const MITOL_API_BASE_URL = env("NEXT_PUBLIC_MITOL_API_BASE_URL")
 
 export const DASHBOARD_VIEW = "/dashboard/[tab]"
 const dashboardView = (tab: string) => generatePath(DASHBOARD_VIEW, { tab })
@@ -146,7 +147,7 @@ export const RESOURCE_DRAWER_PARAMS = {
 } as const
 
 export const canonicalResourceDrawerUrl = (resourceId: number) =>
-  `${process.env.NEXT_PUBLIC_ORIGIN}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
+  `${env("NEXT_PUBLIC_ORIGIN")}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
 
 export const querifiedSearchUrl = (
   params:
diff --git a/frontends/main/src/common/utils.ts b/frontends/main/src/common/utils.ts
index a949f11090..df37ea31ec 100644
--- a/frontends/main/src/common/utils.ts
+++ b/frontends/main/src/common/utils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { OrganizationPage } from "@mitodl/mitxonline-api-axios/v2"
 import type { VideoPlaylistResource } from "api/v1"
 
@@ -136,7 +137,7 @@ function hexToRgba(hex: string, alpha: number): string | undefined {
 const isOcwPlaylist = (resource: VideoPlaylistResource | undefined) =>
   resource?.offered_by?.code === "ocw" ? true : false
 
-const ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 /**
  * Returns `{ target: "_blank", rel: "noopener noreferrer", ...extra }` for URLs
diff --git a/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx b/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
index 3d0bb6e37a..2875727060 100644
--- a/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
+++ b/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 
 /**
@@ -9,7 +10,7 @@ import React from "react"
  * See [title](https://react.dev/reference/react-dom/components/title)
  */
 const PrivateTitle: React.FC<{ title: string }> = ({ title }) => {
-  return <title>{[title, process.env.NEXT_PUBLIC_SITE_NAME].join(" | ")}</title>
+  return <title>{[title, env("NEXT_PUBLIC_SITE_NAME")].join(" | ")}</title>
 }
 
 export default PrivateTitle
diff --git a/frontends/main/src/env.ts b/frontends/main/src/env.ts
new file mode 100644
index 0000000000..43e77625eb
--- /dev/null
+++ b/frontends/main/src/env.ts
@@ -0,0 +1,35 @@
+/**
+ * Runtime environment variable accessor for NEXT_PUBLIC_* vars.
+ *
+ * Problem: webpack's DefinePlugin inlines `process.env.NEXT_PUBLIC_FOO` at
+ * *build* time. When the Docker image is built in CI without per-environment
+ * values, every NEXT_PUBLIC_* reference in the compiled bundle becomes an
+ * empty string, even though the Kubernetes pod has the correct values set.
+ *
+ * Solution: `PublicEnvScript` (a Server Component in app/layout.tsx) renders
+ * a synchronous inline <script> that sets `window.__ENV = { NEXT_PUBLIC_*:
+ * <runtime value> }` before any JS bundle loads. This function reads from
+ * that object in the browser and from process.env (dynamic bracket access,
+ * not inlined by DefinePlugin) on the server.
+ *
+ * Test compatibility: jsdom sets `window` but not `window.__ENV`. The
+ * `?? process.env[key]` fallback lets existing tests that mutate
+ * `process.env.NEXT_PUBLIC_*` directly continue to work with no changes.
+ */
+declare global {
+  interface Window {
+    __ENV?: Record<string, string | undefined>
+  }
+}
+
+export const env = (key: `NEXT_PUBLIC_${string}`): string | undefined => {
+  if (typeof window !== "undefined") {
+    // Browser: read from server-injected window.__ENV; fall back to
+    // process.env (which webpack polyfills — safe in webpack bundles, and
+    // allows test environments that set process.env directly to work).
+    return window.__ENV?.[key] ?? process.env[key]
+  }
+  // Server: dynamic bracket access is NOT replaced by DefinePlugin, so this
+  // reads the actual Kubernetes env var at request time.
+  return process.env[key]
+}
diff --git a/frontends/main/src/instrumentation-client.ts b/frontends/main/src/instrumentation-client.ts
index 7caf85b390..3d174dd4d2 100644
--- a/frontends/main/src/instrumentation-client.ts
+++ b/frontends/main/src/instrumentation-client.ts
@@ -1,3 +1,4 @@
+import { env } from "./env"
 // Client-side Sentry initialization.
 //
 // This file replaces sentry.client.config.ts, which relied on Sentry's webpack
@@ -10,20 +11,20 @@ import { bootstrapApiClients } from "./bootstrap/api"
 import { parseSampleRate } from "./sentry-utils"
 
 Sentry.init({
-  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
-  release: process.env.NEXT_PUBLIC_VERSION,
-  environment: process.env.NEXT_PUBLIC_SENTRY_ENV,
+  dsn: env("NEXT_PUBLIC_SENTRY_DSN"),
+  release: env("NEXT_PUBLIC_VERSION"),
+  environment: env("NEXT_PUBLIC_SENTRY_ENV"),
   profilesSampleRate: parseSampleRate(
-    process.env.NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE,
+    env("NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE"),
     0,
   ),
   tracesSampleRate: parseSampleRate(
-    process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE,
+    env("NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"),
     1,
   ),
   tracePropagationTargets: [
-    process.env.NEXT_PUBLIC_MITOL_API_BASE_URL,
-    process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL,
+    env("NEXT_PUBLIC_MITOL_API_BASE_URL"),
+    env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL"),
   ].filter((url) => url !== undefined),
   integrations: [
     Sentry.browserTracingIntegration(),
diff --git a/frontends/main/src/instrumentation-node.ts b/frontends/main/src/instrumentation-node.ts
index 4170536032..2c729cc882 100644
--- a/frontends/main/src/instrumentation-node.ts
+++ b/frontends/main/src/instrumentation-node.ts
@@ -23,11 +23,36 @@ import {
 } from "./otel-utils"
 import { parseSampleRate } from "./sentry-utils"
 
+// Validate required NEXT_PUBLIC_* env vars at server startup. These are
+// injected by Kubernetes (not baked at build time), so they must be present
+// when the server starts. validateEnv() is skipped in next.config.js during
+// Docker builds (NEXT_BUILD_CI=1) since standalone mode does not re-run
+// next.config.js at startup.
+const REQUIRED_ENV_VARS = [
+  "NEXT_PUBLIC_ORIGIN",
+  "NEXT_PUBLIC_MITOL_API_BASE_URL",
+  "NEXT_PUBLIC_SITE_NAME",
+  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
+  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
+] as const
+
+for (const key of REQUIRED_ENV_VARS) {
+  if (!process.env[key]) {
+    // Log clearly then exit so the pod crash-loops and ops can see it
+    // immediately, rather than silently serving broken pages.
+    console.error(
+      `[startup] Required environment variable ${key} is not set. ` +
+        "Exiting to prevent broken deployment.",
+    )
+    process.exit(1)
+  }
+}
+
 // Inject service.version into OTEL_RESOURCE_ATTRIBUTES so the OTEL SDK's
 // EnvDetector picks it up alongside any other attributes set via env.
 // Simpler than interpolating OTEL_RESOURCE_ATTRIBUTES in ol-infrastructure.
-if (process.env.NEXT_PUBLIC_VERSION) {
-  const prefix = `service.version=${encodeURIComponent(process.env.NEXT_PUBLIC_VERSION)}`
+if (process.env["NEXT_PUBLIC_VERSION"]) {
+  const prefix = `service.version=${encodeURIComponent(process.env["NEXT_PUBLIC_VERSION"])}`
   const existing = process.env.OTEL_RESOURCE_ATTRIBUTES
   process.env.OTEL_RESOURCE_ATTRIBUTES = existing
     ? `${prefix},${existing}`
@@ -172,14 +197,14 @@ const otelSampleRate = parseSampleRate(process.env.OTEL_TRACES_SAMPLER_ARG, 1)
 // sent to the Sentry backend. Defaults to 1.0 when unset.
 // This lets you run Alloy at 100% while keeping Sentry costs/quota lower.
 const sentrySampleRate = parseSampleRate(
-  process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE,
+  process.env["NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"],
   1,
 )
 
 Sentry.init({
-  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
-  release: process.env.NEXT_PUBLIC_VERSION,
-  environment: process.env.NEXT_PUBLIC_SENTRY_ENV,
+  dsn: process.env["NEXT_PUBLIC_SENTRY_DSN"],
+  release: process.env["NEXT_PUBLIC_VERSION"],
+  environment: process.env["NEXT_PUBLIC_SENTRY_ENV"],
 
   // Controls the OTEL sampler — spans not sampled here never reach any
   // processor. Set via OTEL_TRACES_SAMPLER_ARG at runtime (K8s/Helm).
diff --git a/frontends/main/src/otel-utils.ts b/frontends/main/src/otel-utils.ts
index 7cf3369d2b..5add725404 100644
--- a/frontends/main/src/otel-utils.ts
+++ b/frontends/main/src/otel-utils.ts
@@ -16,7 +16,7 @@ export type RequestLogEntry = {
   version: string | null
 }
 
-const APP_VERSION = process.env.NEXT_PUBLIC_VERSION ?? null
+const APP_VERSION = process.env["NEXT_PUBLIC_VERSION"] ?? null
 
 type OtelEnvSubset = Readonly<Record<string, string | undefined>>
 
diff --git a/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx b/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
index 6787cfb2fc..69729be2cf 100644
--- a/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
+++ b/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState } from "react"
 import { styled, RoutedDrawer } from "ol-components"
 import { RiCloseLine } from "@remixicon/react"
@@ -70,9 +71,9 @@ const DrawerContent: React.FC<{
         askTimTitle="to recommend a course"
         scrollElement={scrollElement}
         requestOpts={{
-          apiUrl: process.env.NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT!,
+          apiUrl: env("NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT")!,
           csrfCookieName:
-            process.env.NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME || "csrftoken",
+            env("NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME") || "csrftoken",
           csrfHeaderName: "X-CSRFToken",
           fetchOpts: {
             credentials: "include",
diff --git a/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx b/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
index bcb980d82a..4b132bd9d7 100644
--- a/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
+++ b/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { Typography, styled, LinkAdapter } from "ol-components"
 import { RiSparkling2Line } from "@remixicon/react"
@@ -33,7 +34,7 @@ const AskTIMButton = () => {
         shallow
         href={`?${RECOMMENDER_QUERY_PARAM}`}
         onClick={() => {
-          if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+          if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
             posthog.capture(PostHogEvents.AskTimClicked, {
               type: "recommendation_bot",
             })
diff --git a/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx b/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
index 08f2452e59..30545360c3 100644
--- a/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
+++ b/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
@@ -3,11 +3,34 @@ import posthog from "posthog-js"
 import { PostHogProvider, usePostHog } from "posthog-js/react"
 import { useUserMe } from "api/hooks/user"
 import { INTERNAL_BOOTSTRAPPING_FLAG } from "@/common/feature_flags"
+import { env } from "@/env"
 
-const POSTHOG_API_KEY = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
-const POSTHOG_API_HOST = process.env.NEXT_PUBLIC_POSTHOG_API_HOST
-const POSTHOG_UI_HOST = process.env.NEXT_PUBLIC_POSTHOG_UI_HOST
-const FEATURE_FLAGS = process.env.FEATURE_FLAGS
+/**
+ * Compute PostHog bootstrap feature flags from window.__ENV at runtime.
+ * Previously this was computed at build time from process.env in next.config.js
+ * (as FEATURE_FLAGS), but that approach bakes empty values when the Docker
+ * image is built in CI without per-environment values. Reading from
+ * window.__ENV gives the correct per-env flags injected by PublicEnvScript.
+ */
+const getBootstrapFeatureFlags = (): Record<
+  string,
+  boolean | string
+> | null => {
+  if (typeof window === "undefined") return null
+  const envSource = window.__ENV ?? {}
+  const prefix = envSource["NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX"] ?? "FEATURE_"
+  const fullPrefix = `NEXT_PUBLIC_${prefix}`
+  const flags: Record<string, boolean | string> = {}
+
+  for (const [key, value] of Object.entries(envSource)) {
+    if (value !== undefined && key.startsWith(fullPrefix)) {
+      const flagName = key.replace(fullPrefix, "").replaceAll("_", "-")
+      flags[flagName] = value === "True" ? true : JSON.stringify(value)
+    }
+  }
+
+  return Object.keys(flags).length > 0 ? flags : null
+}
 
 const PosthogIdentifier = () => {
   const { data: user } = useUserMe()
@@ -39,23 +62,27 @@ const ConfiguredPostHogProvider: React.FC<{ children: React.ReactNode }> = ({
   children,
 }) => {
   useEffect(() => {
+    const POSTHOG_API_KEY = env("NEXT_PUBLIC_POSTHOG_API_KEY")
+    const POSTHOG_API_HOST = env("NEXT_PUBLIC_POSTHOG_API_HOST")
+    const POSTHOG_UI_HOST = env("NEXT_PUBLIC_POSTHOG_UI_HOST")
     if (POSTHOG_API_KEY) {
+      const featureFlags = getBootstrapFeatureFlags()
       posthog.init(POSTHOG_API_KEY, {
         api_host: POSTHOG_API_HOST,
         ui_host: POSTHOG_UI_HOST,
         bootstrap: {
-          featureFlags: FEATURE_FLAGS
+          featureFlags: featureFlags
             ? {
-                ...JSON.parse(FEATURE_FLAGS),
+                ...featureFlags,
                 [INTERNAL_BOOTSTRAPPING_FLAG]: true,
               }
-            : null,
+            : undefined,
         },
       })
     }
   }, [])
 
-  if (!POSTHOG_API_KEY) {
+  if (!env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     return children
   }
 
diff --git a/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx b/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
index 04980d9c56..b489b4087a 100644
--- a/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
+++ b/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useCallback } from "react"
 import {
   LoadingSpinner,
@@ -100,7 +101,7 @@ const AddToListDialogInner: React.FC<AddToListDialogInnerProps> = ({
     },
     onSubmit: async (values) => {
       if (resource) {
-        if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+        if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
           posthog.capture(PostHogEvents.LRAddToList, {
             listType: listType,
             resourceId: resource?.id,
diff --git a/frontends/main/src/page-components/Header/Header.tsx b/frontends/main/src/page-components/Header/Header.tsx
index 0552408c4f..701109d69c 100644
--- a/frontends/main/src/page-components/Header/Header.tsx
+++ b/frontends/main/src/page-components/Header/Header.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { FunctionComponent } from "react"
 import type { NavData } from "ol-components"
 import {
@@ -286,7 +287,7 @@ const Header: FunctionComponent = () => {
     ? PostHogEvents.ClosedNavDrawer
     : PostHogEvents.OpenedNavDrawer
   const posthogCapture = (event: string) => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(event)
     }
   }
diff --git a/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx b/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
index c058b7cc2d..19323a0460 100644
--- a/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
+++ b/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useState, useCallback } from "react"
 import { useRouter } from "next-nprogress-bar"
 import { FeatureFlags } from "@/common/feature_flags"
@@ -202,7 +203,7 @@ const TrendingContainer = styled.div({
 const HeroSearch: React.FC<{ imageIndex: number }> = ({ imageIndex }) => {
   const posthog = usePostHog()
   const posthogCapture = (event: string) => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(event)
     }
   }
@@ -252,7 +253,7 @@ const HeroSearch: React.FC<{ imageIndex: number }> = ({ imageIndex }) => {
                 <TopicLink
                   href="/topics/"
                   onClick={() => {
-                    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                       posthogCapture(PostHogEvents.HeroBrowseTopics)
                     }
                   }}
diff --git a/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx b/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
index 33ee4f33d4..940fd9f6e5 100644
--- a/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
+++ b/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { Suspense, useEffect, useId, useMemo } from "react"
 import { RoutedDrawer, imgConfigs } from "ol-components"
 import { LearningResourceExpanded } from "../LearningResourceExpanded/LearningResourceExpanded"
@@ -35,7 +36,7 @@ const ALL_PARAMS = [
 const useCapturePageView = (resourceId: number) => {
   const { data, isSuccess } = useLearningResourcesDetail(Number(resourceId))
   const posthog = usePostHog()
-  const apiKey = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
+  const apiKey = env("NEXT_PUBLIC_POSTHOG_API_KEY")
 
   useEffect(() => {
     if (!apiKey || apiKey.length < 1) return
@@ -72,7 +73,7 @@ const DrawerContent: React.FC<{
    */
   const posthog = usePostHog()
   const resource = useLearningResourcesDetail(Number(resourceId))
-  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     posthog.capture(PostHogEvents.LearningResourceDrawerOpen, {
       resource: resource?.data,
     })
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx b/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
index fa70037fbe..f6874a2bb4 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useRef, useEffect } from "react"
 import { Typography, styled } from "ol-components"
 import { Button } from "@mitodl/smoot-design"
@@ -152,7 +153,7 @@ export const AiChatSyllabusOpener = ({
         aria-pressed={open}
         open={open}
         onClick={() => {
-          if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+          if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
             posthog.capture(PostHogEvents.AskTimClicked, {
               type: "syllabus_bot",
               resourceId: resource.id,
@@ -223,9 +224,9 @@ const AiChatSyllabusSlideDown = ({
         topPosition={contentTopPosition}
         scrollElement={scrollElement}
         requestOpts={{
-          apiUrl: process.env.NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT!,
+          apiUrl: env("NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT")!,
           csrfCookieName:
-            process.env.NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME || "csrftoken",
+            env("NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME") || "csrftoken",
           csrfHeaderName: "X-CSRFToken",
           fetchOpts: {
             credentials: "include",
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index 37f0ccab2d..4adc867844 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
@@ -50,7 +51,7 @@ import { FeatureFlags } from "@/common/feature_flags"
 import { externalLinkProps } from "@/common/utils"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const showChatClass = "show-chat"
@@ -456,7 +457,7 @@ const CallToActionSection = ({
           size="medium"
           href={url}
           onClick={() => {
-            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
               posthog.capture(PostHogEvents.CallToActionClicked, {
                 resource,
                 label: cta,
diff --git a/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx b/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
index 3d08a8ee58..00b11eae43 100644
--- a/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
+++ b/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import {
@@ -326,7 +327,7 @@ const ResourceCarousel: React.FC<ResourceCarouselProps> = ({
                           parentHeadingEl={titleComponent}
                           {...tabConfig.cardProps}
                           onCardClick={() => {
-                            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                               posthog.capture(PostHogEvents.CourseCardClicked, {
                                 label: title,
                                 resourceId: resource.id,
diff --git a/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx b/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
index 78493c79b7..6016991910 100644
--- a/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
+++ b/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useEffect, useMemo, useRef, useState } from "react"
 import {
   styled,
@@ -866,7 +867,7 @@ const SearchDisplay: React.FC<SearchDisplayProps> = ({
 
   const posthog = usePostHog()
 
-  const NEXT_PUBLIC_POSTHOG_API_KEY = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
+  const NEXT_PUBLIC_POSTHOG_API_KEY = env("NEXT_PUBLIC_POSTHOG_API_KEY")
 
   const toggleMobileDrawer = (newOpen: boolean) => () => {
     setMobileDrawerOpen(newOpen)
diff --git a/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx b/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
index 3972f078d3..95d8c226ea 100644
--- a/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
+++ b/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useMemo } from "react"
 import Link from "next/link"
 import { styled, Typography } from "ol-components"
@@ -111,7 +112,7 @@ const UniversalAIBanner: React.FC<UniversalAIBannerProps> = ({
   })
 
   const handleCTAClick = () => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Learn more about Universal AI",
         readableId: UAI_PROGRAM_READABLE_ID,
diff --git a/frontends/main/src/page-components/SearchField/SearchField.tsx b/frontends/main/src/page-components/SearchField/SearchField.tsx
index 71d0ad8d9d..062e6737e9 100644
--- a/frontends/main/src/page-components/SearchField/SearchField.tsx
+++ b/frontends/main/src/page-components/SearchField/SearchField.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { SearchInput } from "ol-components"
 import type { SearchInputProps, SearchSubmissionEvent } from "ol-components"
@@ -26,7 +27,7 @@ const SearchField: React.FC<SearchFieldProps> = ({
   ) => {
     onSubmit(event)
     setPage?.(1)
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.SearchUpdate, { isEnter: isEnter })
     }
   }
diff --git a/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx b/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
index 98e38f498c..710580517a 100644
--- a/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
+++ b/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { Popover, Typography, styled } from "ol-components"
 import { ButtonLink } from "@mitodl/smoot-design"
@@ -25,7 +26,7 @@ const Footer = styled.div({
   justifyContent: "end",
 })
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 type SignupPopoverProps = Pick<
   PopoverProps,
diff --git a/frontends/main/src/page-components/TiptapEditor/extensions/node/ByLineInfoBar/ByLineInfoBar.tsx b/frontends/main/src/page-components/TiptapEditor/extensions/node/ByLineInfoBar/ByLineInfoBar.tsx
index 84c2b6f6a9..fbeb563ea1 100644
--- a/frontends/main/src/page-components/TiptapEditor/extensions/node/ByLineInfoBar/ByLineInfoBar.tsx
+++ b/frontends/main/src/page-components/TiptapEditor/extensions/node/ByLineInfoBar/ByLineInfoBar.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState, useRef, useEffect } from "react"
 import { NodeViewWrapper } from "@tiptap/react"
 import type { ReactNodeViewProps } from "@tiptap/react"
@@ -10,7 +11,7 @@ import { useWebsiteContent } from "../../../WebsiteContentContext"
 import { calculateReadTime } from "../../utils"
 import SharePopover from "@/components/SharePopover/SharePopover"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const StyledWrapper = styled.div(({ theme }) => ({
   width: "100vw",

From 87ea5055942dd28d1e6ffbc1e3fdbb76c3a12b05 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 May 2026 22:06:20 +0000
Subject: [PATCH 04/13] fix: narrow required public env vars for sitemap build

Agent-Logs-Url: https://github.com/mitodl/mit-learn/sessions/03f963fb-4658-4987-87e4-3a7610eee518

Co-authored-by: blarghmatey <479088+blarghmatey@users.noreply.github.com>
---
 frontends/main/src/app/robots.ts                          | 6 ++----
 .../main/src/app/sitemaps/sitemap-index.xml/route.ts      | 6 ++----
 frontends/main/src/app/sitemaps/static/sitemap.ts         | 6 ++----
 frontends/main/src/env.ts                                 | 8 ++++++++
 4 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index f41a82dbfb..4a0aa64216 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,9 +1,7 @@
-import { env } from "@/env"
+import { env, requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export default function robots(): MetadataRoute.Robots {
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index c8141e6f65..33ba2a8e2b 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -1,14 +1,12 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import { NextResponse } from "next/server"
-import invariant from "tiny-invariant"
 import * as resourceSitemap from "../resources/sitemap"
 import * as channelsSitemap from "../channels/sitemap"
 import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export async function GET() {
   const content = await buildSitemapIndex()
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 8b0806edee..a0d3c97d2a 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,9 +1,7 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"))
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export default function sitemap(): MetadataRoute.Sitemap {
   return [
diff --git a/frontends/main/src/env.ts b/frontends/main/src/env.ts
index 43e77625eb..994e2be3f0 100644
--- a/frontends/main/src/env.ts
+++ b/frontends/main/src/env.ts
@@ -1,3 +1,5 @@
+import invariant from "tiny-invariant"
+
 /**
  * Runtime environment variable accessor for NEXT_PUBLIC_* vars.
  *
@@ -33,3 +35,9 @@ export const env = (key: `NEXT_PUBLIC_${string}`): string | undefined => {
   // reads the actual Kubernetes env var at request time.
   return process.env[key]
 }
+
+export const requiredEnv = (key: `NEXT_PUBLIC_${string}`): string => {
+  const value = env(key)
+  invariant(value, `${key} must be defined`)
+  return value
+}

From cd2575bf8ba05431cab91f0d0f048a5979648b8d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 May 2026 22:09:10 +0000
Subject: [PATCH 05/13] fix: remove unused robots env import

Agent-Logs-Url: https://github.com/mitodl/mit-learn/sessions/03f963fb-4658-4987-87e4-3a7610eee518

Co-authored-by: blarghmatey <479088+blarghmatey@users.noreply.github.com>
---
 frontends/main/src/app/robots.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index 4a0aa64216..bd872e74a2 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,4 +1,4 @@
-import { env, requiredEnv } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
 const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")

From 18dbf27c7aa9912ef7909c504a9cb0b9ad6ff2d8 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 10:59:31 -0400
Subject: [PATCH 06/13] fix: address PR review feedback on Dockerfile build
 args and required env vars

- Remove all obsolete NEXT_PUBLIC_* ARG/ENV build-arg pairs from
  Dockerfile.web base stage; env vars are now runtime-injected via
  PublicEnvScript and do not need to be present at build time.
  Only GIT_REF is retained (used by generateBuildId in next.config.js).
  Header comment updated to reflect the correct build invocation.

- Fix duplicate ARG/ENV declarations for NEXT_PUBLIC_SENTRY_DSN,
  NEXT_PUBLIC_SENTRY_ENV, NEXT_PUBLIC_VERSION,
  NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE, and
  NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE (removed as part of the above).

- Extract REQUIRED_PUBLIC_ENV_VARS from validateEnv.js as a shared
  exported constant. instrumentation-node.ts now imports it instead of
  maintaining its own inline copy, so both the local-dev yup schema and
  the Kubernetes startup check stay in sync from a single source of truth.
---
 frontends/main/Dockerfile.web              | 96 ++--------------------
 frontends/main/src/instrumentation-node.ts | 24 +++---
 frontends/main/validateEnv.js              | 26 +++++-
 3 files changed, 40 insertions(+), 106 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index b37a3c10e8..68231125de 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -2,24 +2,12 @@
 # Build: \
 # docker build \
 #   -f frontends/main/Dockerfile.web \
-#   --build-arg NEXT_PUBLIC_ORIGIN=http://api.open.odl.local:8062 \
-#   --build-arg NEXT_PUBLIC_MITOL_API_BASE_URL=http://open.odl.local:8063 \
-#   --build-arg NEXT_PUBLIC_SITE_NAME="MIT Learn" \
-#   --build-arg NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=mitlearn-support@mit.edu \
-#   --build-arg NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=true \
-#   --build-arg NEXT_PUBLIC_CSRF_COOKIE_NAME=csrftoken-local \
-#   --build-arg NEXT_PUBLIC_POSTHOG_API_HOST= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_PROJECT_ID= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_API_KEY= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_ENABLE_SESSION_RECORDING= \
-#   --build-arg NEXT_PUBLIC_SENTRY_DSN= \
-#   --build-arg NEXT_PUBLIC_SENTRY_ENV= \
-#   --build-arg NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE= \
-#   --build-arg NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE= \
-#   --build-arg NEXT_PUBLIC_APPZI_URL= \
-#   --build-arg NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT= \
-#   --build-arg NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT= \  --build-arg NEXT_PUBLIC_HUBSPOT_PORTAL_ID= \#   --build-arg NEXT_PUBLIC_VERSION= \
+#   --build-arg GIT_REF=$(git rev-parse HEAD) \
 #   -t mitodl/mit-learn-frontend:latest .
+#
+# NEXT_PUBLIC_* vars are NOT passed as build args — they are injected at
+# runtime by Kubernetes and surfaced to the browser via PublicEnvScript.
+# Only GIT_REF is needed at build time (for generateBuildId in next.config.js).
 
 
 # Run:
@@ -81,81 +69,13 @@ WORKDIR /app/frontends/main
 
 ENV NODE_ENV=production
 
-ARG NEXT_PUBLIC_ORIGIN
-ENV NEXT_PUBLIC_ORIGIN=$NEXT_PUBLIC_ORIGIN
-
-ARG NEXT_PUBLIC_MITOL_API_BASE_URL
-ENV NEXT_PUBLIC_MITOL_API_BASE_URL=$NEXT_PUBLIC_MITOL_API_BASE_URL
-
-ARG NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-ENV NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL=$NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-
-ARG NEXT_PUBLIC_SITE_NAME
-ENV NEXT_PUBLIC_SITE_NAME=$NEXT_PUBLIC_SITE_NAME
-
-ARG NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
-ENV NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=$NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
-
-ARG NEXT_PUBLIC_SENTRY_DSN
-ENV NEXT_PUBLIC_SENTRY_DSN=$NEXT_PUBLIC_SENTRY_DSN
-
-ARG NEXT_PUBLIC_SENTRY_ENV
-ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
-
-ARG NEXT_PUBLIC_VERSION
-ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
-
 # GIT_REF is the full commit SHA, passed by Concourse as BUILD_ARG_GIT_REF.
-# It is used by next.config.js generateBuildId as a fallback when
-# NEXT_PUBLIC_VERSION is not set (e.g. CI/main-branch builds).
+# It is used by next.config.js generateBuildId to produce a stable, unique
+# build manifest filename that is the same across identical builds.
+# All NEXT_PUBLIC_* vars are injected at runtime — NOT at build time.
 ARG GIT_REF
 ENV GIT_REF=$GIT_REF
 
-ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=true
-ENV NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=$NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS
-
-ARG NEXT_PUBLIC_CSRF_COOKIE_NAME
-ENV NEXT_PUBLIC_CSRF_COOKIE_NAME=$NEXT_PUBLIC_CSRF_COOKIE_NAME
-
-ARG NEXT_PUBLIC_POSTHOG_API_HOST
-ENV NEXT_PUBLIC_POSTHOG_API_HOST=$NEXT_PUBLIC_POSTHOG_API_HOST
-ARG NEXT_PUBLIC_POSTHOG_UI_HOST
-ENV NEXT_PUBLIC_POSTHOG_UI_HOST=$NEXT_PUBLIC_POSTHOG_UI_HOST
-ARG NEXT_PUBLIC_POSTHOG_PROJECT_ID
-ENV NEXT_PUBLIC_POSTHOG_PROJECT_ID=$NEXT_PUBLIC_POSTHOG_PROJECT_ID
-ARG NEXT_PUBLIC_POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$NEXT_PUBLIC_POSTHOG_API_KEY
-
-ARG NEXT_PUBLIC_SENTRY_DSN
-ENV NEXT_PUBLIC_SENTRY_DSN=$NEXT_PUBLIC_SENTRY_DSN
-ARG NEXT_PUBLIC_SENTRY_ENV
-ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
-ARG NEXT_PUBLIC_VERSION
-ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
-ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ARG NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_APPZI_URL
-ENV NEXT_PUBLIC_APPZI_URL=$NEXT_PUBLIC_APPZI_URL
-
-ARG NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME
-ENV NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME=$NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME
-ARG NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT
-ENV NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT
-ARG NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT
-ENV NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT
-
-ARG NEXT_PUBLIC_HUBSPOT_PORTAL_ID
-ENV NEXT_PUBLIC_HUBSPOT_PORTAL_ID=$NEXT_PUBLIC_HUBSPOT_PORTAL_ID
-
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MODE="phrase"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_SLOP="6"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_STALENESS_PENALTY="2.5"
diff --git a/frontends/main/src/instrumentation-node.ts b/frontends/main/src/instrumentation-node.ts
index 2c729cc882..609c4b18b8 100644
--- a/frontends/main/src/instrumentation-node.ts
+++ b/frontends/main/src/instrumentation-node.ts
@@ -23,20 +23,16 @@ import {
 } from "./otel-utils"
 import { parseSampleRate } from "./sentry-utils"
 
-// Validate required NEXT_PUBLIC_* env vars at server startup. These are
-// injected by Kubernetes (not baked at build time), so they must be present
-// when the server starts. validateEnv() is skipped in next.config.js during
-// Docker builds (NEXT_BUILD_CI=1) since standalone mode does not re-run
-// next.config.js at startup.
-const REQUIRED_ENV_VARS = [
-  "NEXT_PUBLIC_ORIGIN",
-  "NEXT_PUBLIC_MITOL_API_BASE_URL",
-  "NEXT_PUBLIC_SITE_NAME",
-  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
-  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
-] as const
-
-for (const key of REQUIRED_ENV_VARS) {
+// REQUIRED_PUBLIC_ENV_VARS is defined in validateEnv.js and shared with the
+// local-dev yup schema so both lists stay in sync from a single source of
+// truth. validateEnv() is skipped in next.config.js during Docker builds
+// (NEXT_BUILD_CI=1); this loop is the runtime equivalent for Kubernetes pods.
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const { REQUIRED_PUBLIC_ENV_VARS } = require("../validateEnv") as {
+  REQUIRED_PUBLIC_ENV_VARS: readonly string[]
+}
+
+for (const key of REQUIRED_PUBLIC_ENV_VARS) {
   if (!process.env[key]) {
     // Log clearly then exit so the pod crash-loops and ops can see it
     // immediately, rather than silently serving broken pages.
diff --git a/frontends/main/validateEnv.js b/frontends/main/validateEnv.js
index 6489da5977..f10dd3b858 100644
--- a/frontends/main/validateEnv.js
+++ b/frontends/main/validateEnv.js
@@ -7,22 +7,40 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const yup = require("yup")
 
+/**
+ * NEXT_PUBLIC_* vars that must be present at runtime. Shared between:
+ *  - validateEnv() below (local dev check at `next build` / `next start`)
+ *  - src/instrumentation-node.ts (Docker startup check in Kubernetes)
+ *
+ * Keep this list in sync with the `.required()` fields in the schema below.
+ */
+const REQUIRED_PUBLIC_ENV_VARS = /** @type {const} */ ([
+  "NEXT_PUBLIC_ORIGIN",
+  "NEXT_PUBLIC_MITOL_API_BASE_URL",
+  "NEXT_PUBLIC_SITE_NAME",
+  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
+  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
+])
+
 const schema = yup.object().shape({
   // Server-only env vars
   MITOL_NOINDEX: yup.string().oneOf(["true", "false"]),
   NEXT_CACHE_S_MAXAGE_SECONDS: yup
     .string()
     .matches(/^\d+$/, { excludeEmptyString: true }),
-  // Client or Server env vars
-  NEXT_PUBLIC_APPZI_URL: yup.string(),
+  // Required client/server vars — must be present in local dev and at runtime.
+  // The list is defined above as REQUIRED_PUBLIC_ENV_VARS so that
+  // instrumentation-node.ts can import it as a single source of truth.
   NEXT_PUBLIC_ORIGIN: yup.string().required(),
   NEXT_PUBLIC_MITOL_API_BASE_URL: yup.string().required(),
   NEXT_PUBLIC_SITE_NAME: yup.string().required(),
   NEXT_PUBLIC_MITOL_SUPPORT_EMAIL: yup.string().required(),
+  NEXT_PUBLIC_CSRF_COOKIE_NAME: yup.string().required(),
+  // Optional client or server vars
+  NEXT_PUBLIC_APPZI_URL: yup.string(),
   NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS: yup
     .string()
     .oneOf(["true", "false"]),
-  NEXT_PUBLIC_CSRF_COOKIE_NAME: yup.string().required(),
   NEXT_PUBLIC_POSTHOG_API_KEY: yup.string(),
   NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX: yup.string(),
   NEXT_PUBLIC_POSTHOG_API_HOST: yup.string(),
@@ -32,4 +50,4 @@ const schema = yup.object().shape({
 
 const validateEnv = () => schema.validateSync(process.env)
 
-module.exports = { validateEnv }
+module.exports = { validateEnv, REQUIRED_PUBLIC_ENV_VARS }

From 6cd1544a821e660c7b339712b2d0e5229be6c833 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:13:05 -0400
Subject: [PATCH 07/13] fix: move requiredEnv calls inside route functions;
 clean up ci.yml build args

robots.ts and sitemaps/static/sitemap.ts called requiredEnv("NEXT_PUBLIC_ORIGIN")
at module scope. During 'next build', Next.js evaluates these modules while
collecting page data. With NEXT_PUBLIC_ORIGIN no longer injected as a Docker
build arg (it is runtime-injected via PublicEnvScript), the invariant threw
and the build failed.

Fix: move const BASE_URL = requiredEnv(...) inside each function body so it
is only evaluated at request time, when the env var is available.

Also update ci.yml to match the new Dockerfile: remove all obsolete
--build-arg NEXT_PUBLIC_* lines (the Dockerfile no longer declares
the corresponding ARG instructions) and pass only GIT_REF.
---
 .github/workflows/ci.yml                      | 39 +------------------
 frontends/main/src/app/robots.ts              |  3 +-
 .../main/src/app/sitemaps/static/sitemap.ts   |  3 +-
 3 files changed, 3 insertions(+), 42 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44f49bf47d..e55813f4c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -146,48 +146,11 @@ jobs:
 
       - name: Build the Docker image
         env:
-          ORIGIN: http://fakelearn.odl.local:8062
-          MITOL_API_BASE_URL: http://api.fakelearn.odl.local:8065
-          MITX_ONLINE_LEGACY_BASE_URL: https://cifake.mitxonline.mit.edu
-          SITE_NAME: MIT Learn
-          SUPPORT_EMAIL: mitlearn-support@mit.edu
-          MITOL_AXIOS_WITH_CREDENTIALS: true
-          CSRF_COOKIE_NAME: learn_csrftoken_ci
-          POSTHOG_API_HOST: https://app.posthog.com
-          POSTHOG_UI_HOST: https://us.posthog.com
-          POSTHOG_PROJECT_ID: fake-posthog-project-id
-          POSTHOG_API_KEY: fake-posthog-api-key
-          SENTRY_DSN: fake-sentry-dsn
-          SENTRY_ENV: fake-sentry-env
-          SENTRY_PROFILES_SAMPLE_RATE: 0.1
-          SENTRY_TRACES_SAMPLE_RATE: 0.1
-          LEARN_AI_RECOMMENDATION_ENDPOINT: http://api.fakelearn.odl.local:8065/ai/http/recommendation_agent
-          LEARN_AI_SYLLABUS_ENDPOINT: http://api.fakelearn.odl.local:8065/ai/http/syllabus_agent
-          HUBSPOT_PORTAL_ID: fake-hubspot-portal-id
           VERSION: ${{ github.sha }}
         run: |
           docker build \
             -f frontends/main/Dockerfile.web \
-            --build-arg NEXT_PUBLIC_ORIGIN=$ORIGIN \
-            --build-arg NEXT_PUBLIC_MITOL_API_BASE_URL=$MITOL_API_BASE_URL \
-            --build-arg NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL=$MITX_ONLINE_LEGACY_BASE_URL \
-            --build-arg NEXT_PUBLIC_SITE_NAME="$SITE_NAME" \
-            --build-arg NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=$SUPPORT_EMAIL \
-            --build-arg NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=$MITOL_AXIOS_WITH_CREDENTIALS \
-            --build-arg NEXT_PUBLIC_CSRF_COOKIE_NAME=$CSRF_COOKIE_NAME \
-            --build-arg NEXT_PUBLIC_POSTHOG_API_HOST=$POSTHOG_API_HOST \
-            --build-arg NEXT_PUBLIC_POSTHOG_UI_HOST=$POSTHOG_UI_HOST \
-            --build-arg NEXT_PUBLIC_POSTHOG_PROJECT_ID=$POSTHOG_PROJECT_ID \
-            --build-arg NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-            --build-arg NEXT_PUBLIC_SENTRY_DSN=$SENTRY_DSN \
-            --build-arg NEXT_PUBLIC_SENTRY_ENV=$SENTRY_ENV \
-            --build-arg NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$SENTRY_PROFILES_SAMPLE_RATE \
-            --build-arg NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$SENTRY_TRACES_SAMPLE_RATE \
-            --build-arg NEXT_PUBLIC_APPZI_URL=$APPZI_URL \
-            --build-arg NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$LEARN_AI_RECOMMENDATION_ENDPOINT \
-            --build-arg NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$LEARN_AI_SYLLABUS_ENDPOINT \
-            --build-arg NEXT_PUBLIC_HUBSPOT_PORTAL_ID=$HUBSPOT_PORTAL_ID \
-            --build-arg NEXT_PUBLIC_VERSION=$VERSION \
+            --build-arg GIT_REF=$VERSION \
             -t mitodl/mit-learn-frontend:$VERSION .
 
   build-storybook:
diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index bd872e74a2..d1d75150f7 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,9 +1,8 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export default function robots(): MetadataRoute.Robots {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
 
   if (shouldIndex) {
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index a0d3c97d2a..94c78201e9 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,9 +1,8 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export default function sitemap(): MetadataRoute.Sitemap {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   return [
     {
       url: BASE_URL,

From bbee37a3a80ab51b5d6dd757872f09fa90c97513 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:28:31 -0400
Subject: [PATCH 08/13] fix: move remaining module-scope requiredEnv; fix
 extension regex; add libc6-compat and TZ=UTC to runner

- sitemap-index.xml/route.ts: move requiredEnv("NEXT_PUBLIC_ORIGIN") from
  module scope into buildSitemapIndex(). Turbopack bundles server-side modules
  into shared SSR chunks; the top-level requiredEnv() call was ending up in
  the same chunk as code needed by /_not-found, causing the invariant to fire
  when that chunk was evaluated during 'Collecting page data'. force-dynamic
  only controls render strategy, not whether the module itself is evaluated
  at build time.

- next.config.js: widen the extension exclusion regex from {2,4} to + so
  that assets with longer extensions (.woff2, .webmanifest, etc.) are not
  tagged with Surrogate-Key: html-pages and incorrectly purged on deploy.

- Dockerfile.web runner stage: install libc6-compat so that sharp (used by
  Next.js image optimisation) works correctly on Alpine. Add ENV TZ=UTC to
  preserve the UTC timezone that the old 'TZ=UTC next start' startup command
  provided.
---
 frontends/main/Dockerfile.web                              | 4 ++++
 frontends/main/next.config.js                              | 2 +-
 frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 68231125de..dffc86f98d 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -110,6 +110,9 @@ FROM node:24-alpine AS runner
 
 WORKDIR /app
 
+# sharp (Next.js image optimisation) requires glibc-compatible libs on Alpine.
+RUN apk add --no-cache libc6-compat
+
 # Copy the standalone server (includes a minimal node_modules)
 COPY --from=build /app/frontends/main/.next/standalone ./
 
@@ -122,6 +125,7 @@ COPY --from=build /app/frontends/main/public ./frontends/main/public
 EXPOSE 3000
 
 ENV NODE_ENV=production
+ENV TZ=UTC
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 8e38e4c41e..e8ea014cf4 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -88,7 +88,7 @@ const nextConfig = {
        * should not be tagged as an HTML page for Fastly surrogate-key purges.
        */
       {
-        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$)(?!healthcheck$).*)",
+        source: "/((?!.*\\.[a-zA-Z0-9]+$)(?!healthcheck$).*)",
         headers: [
           {
             key: "Cache-Control",
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index 33ba2a8e2b..5d0c38b582 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -6,8 +6,6 @@ import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export async function GET() {
   const content = await buildSitemapIndex()
   return new NextResponse(content, {
@@ -19,6 +17,9 @@ export async function GET() {
 }
 
 async function buildSitemapIndex(): Promise<string> {
+  // Read at request time so this works in the standalone Docker image where
+  // NEXT_PUBLIC_ORIGIN is injected by Kubernetes, not baked at build time.
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const sitemaps = await Promise.all([
     resourceSitemap.generateSitemaps(),
     channelsSitemap.generateSitemaps(),

From 6a6ac3fcd570b2186f368649bdac956fc067a6a6 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:52:12 -0400
Subject: [PATCH 09/13] fix: remove all module-scope invariant calls that fire
 during next build

The standalone Docker image does not pass NEXT_PUBLIC_* vars at build time;
they are injected by Kubernetes at runtime. Turbopack evaluates server-side
modules during 'collecting page data', and Next.js 16 executes metadata routes
(robots.ts, sitemaps) during 'generating static pages' even when force-dynamic
is set (known Next.js bug). Any invariant() or requiredEnv() call at module
scope or inside a route function would throw before the env vars are available.

Changes:
- sitemaps/{resources,channels,podcast,products,video}/sitemap.ts: remove
  module-scope env()+invariant() pattern; add requiredEnv() inside each
  function after the dangerouslyDetectProductionBuildPhase() early-exit.
  channels and products default sitemap() did not use BASE_URL at all;
  removed those unnecessary declarations.
- robots.ts, sitemaps/static/sitemap.ts: add force-dynamic + build-phase
  guard consistent with all other sitemap modules; requiredEnv() is only
  reached at request time when NEXT_PUBLIC_ORIGIN is available.
- common/urls.ts: remove module-scope invariant(ORIGIN) calls; fix
  stringifyUrlDescriptor to read env() locally instead of closed-over const.
- common/mitxonline/index.ts: remove module-scope invariant() call and
  now-unused tiny-invariant import.
- common/certificateUtils.ts: remove module-scope invariant() call and
  now-unused tiny-invariant import.
- page-components/.../CallToActionSection.tsx: remove module-scope invariant();
  add null-safe fallback for the string comparison using NEXT_PUBLIC_ORIGIN.

Build verified locally: docker build completes successfully.
---
 frontends/main/src/app/robots.ts                   | 13 +++++++++++++
 .../main/src/app/sitemaps/channels/sitemap.ts      |  7 ++-----
 frontends/main/src/app/sitemaps/podcast/sitemap.ts |  8 +++-----
 .../main/src/app/sitemaps/products/sitemap.ts      |  9 +++------
 .../main/src/app/sitemaps/resources/sitemap.ts     | 10 ++++------
 frontends/main/src/app/sitemaps/static/sitemap.ts  | 10 ++++++++++
 frontends/main/src/app/sitemaps/video/sitemap.ts   |  8 +++-----
 frontends/main/src/common/certificateUtils.ts      |  3 ---
 frontends/main/src/common/mitxonline/index.ts      |  2 --
 frontends/main/src/common/urls.ts                  | 11 +++--------
 .../CallToActionSection.tsx                        | 14 +++++++++-----
 11 files changed, 50 insertions(+), 45 deletions(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index d1d75150f7..702bb7e17f 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,7 +1,20 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
+import { dangerouslyDetectProductionBuildPhase } from "./sitemaps/util"
+
+/**
+ * As of NextJS 15.5.3, metadata routes like robots.ts are ALWAYS executed at
+ * build time even with force-dynamic (this may be a NextJS bug). We guard
+ * against that here so requiredEnv() is not called before NEXT_PUBLIC_ORIGIN
+ * is injected at runtime by Kubernetes.
+ */
+export const dynamic = "force-dynamic"
 
 export default function robots(): MetadataRoute.Robots {
+  if (dangerouslyDetectProductionBuildPhase()) {
+    // Safe fallback during `next build`: never served in production.
+    return { rules: { userAgent: "*", disallow: "/" } }
+  }
   const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
 
diff --git a/frontends/main/src/app/sitemaps/channels/sitemap.ts b/frontends/main/src/app/sitemaps/channels/sitemap.ts
index 7aea1a816c..c8ee20485a 100644
--- a/frontends/main/src/app/sitemaps/channels/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/channels/sitemap.ts
@@ -1,14 +1,10 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 import { getQueryClient } from "@/app/getQueryClient"
 import { channelQueries } from "api/hooks/channels"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 100
 
 /**
@@ -24,6 +20,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
     channelQueries.list({ limit: PAGE_SIZE }),
diff --git a/frontends/main/src/app/sitemaps/podcast/sitemap.ts b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
index aea4b26602..6394daac5b 100644
--- a/frontends/main/src/app/sitemaps/podcast/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
@@ -1,15 +1,11 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 const RESOURCE_TYPES = [
@@ -30,6 +26,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
@@ -52,6 +49,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.list({
diff --git a/frontends/main/src/app/sitemaps/products/sitemap.ts b/frontends/main/src/app/sitemaps/products/sitemap.ts
index 48f66ed942..e1ce256297 100644
--- a/frontends/main/src/app/sitemaps/products/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/products/sitemap.ts
@@ -1,21 +1,18 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { PlatformEnum, ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
-import { GenerateSitemapResult } from "../types"
+import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 export const dynamic = "force-dynamic"
 
 export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
diff --git a/frontends/main/src/app/sitemaps/resources/sitemap.ts b/frontends/main/src/app/sitemaps/resources/sitemap.ts
index 2da7e6b195..e1f7801ecb 100644
--- a/frontends/main/src/app/sitemaps/resources/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/resources/sitemap.ts
@@ -1,14 +1,10 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
-import invariant from "tiny-invariant"
-import { GenerateSitemapResult } from "../types"
+import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 /**
@@ -24,6 +20,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
     learningResourceQueries.summaryList({
@@ -45,6 +42,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.summaryList({
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 94c78201e9..a42b2e1206 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,7 +1,17 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
+import { dangerouslyDetectProductionBuildPhase } from "../util"
+
+/**
+ * As of NextJS 15.5.3, metadata routes like sitemap.ts are ALWAYS executed at
+ * build time even with force-dynamic (this may be a NextJS bug). We guard
+ * against that here so requiredEnv() is not called before NEXT_PUBLIC_ORIGIN
+ * is injected at runtime by Kubernetes.
+ */
+export const dynamic = "force-dynamic"
 
 export default function sitemap(): MetadataRoute.Sitemap {
+  if (dangerouslyDetectProductionBuildPhase()) return []
   const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   return [
     {
diff --git a/frontends/main/src/app/sitemaps/video/sitemap.ts b/frontends/main/src/app/sitemaps/video/sitemap.ts
index 75ed529455..11e052e3ef 100644
--- a/frontends/main/src/app/sitemaps/video/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/video/sitemap.ts
@@ -1,15 +1,11 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 const RESOURCE_TYPES = [ResourceTypeEnum.Video, ResourceTypeEnum.VideoPlaylist]
@@ -27,6 +23,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
@@ -49,6 +46,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.list({
diff --git a/frontends/main/src/common/certificateUtils.ts b/frontends/main/src/common/certificateUtils.ts
index 8dfd184b56..1fc511b126 100644
--- a/frontends/main/src/common/certificateUtils.ts
+++ b/frontends/main/src/common/certificateUtils.ts
@@ -5,8 +5,6 @@ import type {
 } from "@mitodl/mitxonline-api-axios/v2"
 
 import { LINKEDIN_ADD_TO_PROFILE_BASE_URL } from "@/common/urls"
-import invariant from "tiny-invariant"
-
 /**
  * Returns common display info for a certificate.
  */
@@ -26,7 +24,6 @@ export enum CertificateType {
  */
 
 const API_BASE_URL = env("NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL")
-invariant(API_BASE_URL, "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL must be set")
 
 /* This is the Organization ID for MIT OpenLearning on LinkedIn as far as I can tell. We could parameterize this if needed */
 const ORG_ID = 74540637
diff --git a/frontends/main/src/common/mitxonline/index.ts b/frontends/main/src/common/mitxonline/index.ts
index 243c8e8daa..6bc243727e 100644
--- a/frontends/main/src/common/mitxonline/index.ts
+++ b/frontends/main/src/common/mitxonline/index.ts
@@ -12,12 +12,10 @@ import {
   EnrollmentModeEnum,
   NodeTypeEnum,
 } from "@mitodl/mitxonline-api-axios/v2"
-import invariant from "tiny-invariant"
 
 const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL = env(
   "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL",
 )
-invariant(NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL)
 
 const upgradeRunUrl = (product: ProductFlexiblePrice): string => {
   try {
diff --git a/frontends/main/src/common/urls.ts b/frontends/main/src/common/urls.ts
index c931364a01..2ddb0976ea 100644
--- a/frontends/main/src/common/urls.ts
+++ b/frontends/main/src/common/urls.ts
@@ -1,7 +1,6 @@
 import { env } from "@/env"
 import type { BaseProgramDisplayMode } from "@mitodl/mitxonline-api-axios/v2"
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
-import invariant from "tiny-invariant"
 
 // matches ! $ & ' ( ) * + , ; = : @ ~
 const SAFE_IN_PATH_SEGMENT =
@@ -89,12 +88,6 @@ export const makeChannelManageWidgetsPath = (
   name: string,
 ) => generatePath(CHANNEL_EDIT_WIDGETS, { channelType, name })
 
-const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
-invariant(ORIGIN, "NEXT_PUBLIC_ORIGIN must be set")
-if (process.env.NODE_ENV !== "production") {
-  invariant(!ORIGIN?.endsWith("/"), "NEXT_PUBLIC_ORIGIN should not end with /")
-}
-
 const MITOL_API_BASE_URL = env("NEXT_PUBLIC_MITOL_API_BASE_URL")
 
 export const DASHBOARD_VIEW = "/dashboard/[tab]"
@@ -205,7 +198,9 @@ export type LoginUrlOpts = {
 }
 
 const stringifyUrlDescriptor = (val: UrlDescriptor) => {
-  const url = new URL(ORIGIN)
+  // ORIGIN is read at call time (request time) so NEXT_PUBLIC_ORIGIN is
+  // available — it is not set at build time in the standalone Docker image.
+  const url = new URL(env("NEXT_PUBLIC_ORIGIN") ?? "")
   url.pathname = val.pathname
   if (val.searchParams) {
     val.searchParams.forEach((v, k) => url.searchParams.set(k, v))
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index 4adc867844..b4483c1a89 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,5 +1,6 @@
 import { env } from "@/env"
-import React, { useState } from "react"
+import type React from "react"
+import { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
 import { useFeatureFlagEnabled, usePostHog } from "posthog-js/react"
@@ -18,7 +19,12 @@ import {
   useImageWithFallback,
 } from "ol-utilities"
 import { ResourceTypeEnum, ResourceTypeGroupEnum, PlatformEnum } from "api"
-import { Button, ButtonLink, ButtonProps, Input } from "@mitodl/smoot-design"
+import {
+  Button,
+  ButtonLink,
+  type ButtonProps,
+  Input,
+} from "@mitodl/smoot-design"
 import type { LearningResource } from "api"
 import {
   RiBookmarkFill,
@@ -49,10 +55,8 @@ import {
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
 import { FeatureFlags } from "@/common/feature_flags"
 import { externalLinkProps } from "@/common/utils"
-import invariant from "tiny-invariant"
 
 const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
-invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const showChatClass = "show-chat"
 const showChatSelector = `.${showChatClass} &`
@@ -295,7 +299,7 @@ const appendUtmParams = (url?: string | null, resourceTitle?: string) => {
   if (!url) return "#"
   try {
     const parsedUrl = new URL(url, NEXT_PUBLIC_ORIGIN)
-    if (parsedUrl.href.startsWith(NEXT_PUBLIC_ORIGIN)) {
+    if (parsedUrl.href.startsWith(NEXT_PUBLIC_ORIGIN ?? "")) {
       // Do not add UTM params for internal URLs
       return url
     }

From 5aa7b6ced19c9b37112bd6fe7b34827d953d26f3 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 13:01:22 -0400
Subject: [PATCH 10/13] fix: restore React value import in CallToActionSection

Biome auto-fix split 'import React, { useState }' into a type-only
'import type React' plus a value 'import { useState }'. Jest uses the
classic JSX transform which requires React as a runtime value in scope;
the type-only import stripped it out, causing ReferenceError in tests.
---
 .../LearningResourceExpanded/CallToActionSection.tsx           | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index b4483c1a89..6ec9fa2acc 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,6 +1,5 @@
 import { env } from "@/env"
-import type React from "react"
-import { useState } from "react"
+import React, { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
 import { useFeatureFlagEnabled, usePostHog } from "posthog-js/react"

From cda9ccf04fa5b7e00332a56209015fdf8f85eefe Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Tue, 26 May 2026 16:51:28 -0400
Subject: [PATCH 11/13] fix: move Cache-Control to middleware; disable image
 optimization; remove stale build-time env vars
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace NEXT_PUBLIC_OPTIMIZE_IMAGES env-var gate with unoptimized: true.
  The flag was baked in at Docker build time (CI default: true) but
  production runs with optimize_images=false. Since production already
  has optimization off and the long-term plan is Fastly-based image
  transforms, just disable it unconditionally.

- Move Cache-Control (s-maxage) out of next.config.js headers() into
  src/middleware.ts. next.config.js is evaluated once at build time, so
  NEXT_CACHE_S_MAXAGE_SECONDS was baked in as the CI default (1800 s)
  regardless of what Kubernetes sets. Middleware runs in the Edge Runtime
  on every request, so process.env.NEXT_CACHE_S_MAXAGE_SECONDS is read
  from the live environment. Surrogate-Key: html-pages remains in
  next.config.js (static value, safe to bake in).

- Remove NEXT_PUBLIC_DEFAULT_SEARCH_* ENV lines from Dockerfile.web.
  These vars were stale holdovers from the pre-runtime-injection build:
  they no longer need to be present at Docker build time — they are
  injected at runtime by Kubernetes and surfaced to the browser via
  PublicEnvScript / window.__ENV.

Addresses ChristopherChudzicki's blocking CHANGES_REQUESTED on #3364
and blarghmatey's in-PR commitment to remove irrelevant build args.
---
 frontends/main/Dockerfile.web    |  6 ----
 frontends/main/next.config.js    | 35 ++++++-------------
 frontends/main/src/middleware.ts | 60 ++++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+), 30 deletions(-)
 create mode 100644 frontends/main/src/middleware.ts

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index dffc86f98d..1371f0e2b8 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -76,12 +76,6 @@ ENV NODE_ENV=production
 ARG GIT_REF
 ENV GIT_REF=$GIT_REF
 
-ENV NEXT_PUBLIC_DEFAULT_SEARCH_MODE="phrase"
-ENV NEXT_PUBLIC_DEFAULT_SEARCH_SLOP="6"
-ENV NEXT_PUBLIC_DEFAULT_SEARCH_STALENESS_PENALTY="2.5"
-ENV NEXT_PUBLIC_DEFAULT_SEARCH_MINIMUM_SCORE_CUTOFF="0"
-ENV NEXT_PUBLIC_DEFAULT_SEARCH_MAX_INCOMPLETENESS_PENALTY="90"
-
 # STAGE: build
 # Runs `next build` to compile the application. With output: "standalone" in
 # next.config.js this emits a minimal server at .next/standalone/ that includes
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index e8ea014cf4..f9c7cc4dad 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -9,9 +9,6 @@ if (!process.env.NEXT_BUILD_CI) {
   validateEnv()
 }
 
-const NEXT_PUBLIC_OPTIMIZE_IMAGES = Boolean(
-  (process.env.NEXT_PUBLIC_OPTIMIZE_IMAGES ?? "true") === "true",
-)
 const IS_LOCAL_DEV = process.env.NODE_ENV === "development"
 
 // Dev-server-only: allow cross-origin requests to internal dev endpoints (HMR,
@@ -19,11 +16,6 @@ const allowedDevOrigins =
   IS_LOCAL_DEV && process.env.NEXT_PUBLIC_ORIGIN
     ? [new URL(process.env.NEXT_PUBLIC_ORIGIN).hostname]
     : undefined
-
-const NEXT_CACHE_S_MAXAGE_SECONDS =
-  process.env.NEXT_CACHE_S_MAXAGE_SECONDS || "1800"
-const PAGE_CACHE_CONTROL = `s-maxage=${NEXT_CACHE_S_MAXAGE_SECONDS}, stale-if-error=86400, stale-while-revalidate=86400`
-
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   productionBrowserSourceMaps: true,
@@ -69,12 +61,11 @@ const nextConfig = {
       {
         source: "/sitemaps/:path*.xml",
         headers: [
-          {
-            key: "Cache-Control",
-            value: PAGE_CACHE_CONTROL,
-          },
           // Tag sitemaps with "html-pages" so Fastly can purge them on deploy
           // without also purging immutable /_next/static/ chunks.
+          // Cache-Control is set at runtime in src/middleware.ts so that
+          // NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes env
+          // rather than baked in at Docker build time.
           { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
@@ -90,12 +81,11 @@ const nextConfig = {
       {
         source: "/((?!.*\\.[a-zA-Z0-9]+$)(?!healthcheck$).*)",
         headers: [
-          {
-            key: "Cache-Control",
-            value: PAGE_CACHE_CONTROL,
-          },
           // Tag all HTML/page routes so Fastly can purge them on deploy
           // without also purging immutable /_next/static/ chunks.
+          // Cache-Control is set at runtime in src/middleware.ts so that
+          // NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes env
+          // rather than baked in at Docker build time.
           { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
@@ -127,14 +117,11 @@ const nextConfig = {
   transpilePackages: ["@mitodl/smoot-design/ai"],
 
   images: {
-    unoptimized: !NEXT_PUBLIC_OPTIMIZE_IMAGES,
-    dangerouslyAllowLocalIP: IS_LOCAL_DEV,
-    remotePatterns: [
-      {
-        hostname: "**",
-      },
-    ],
-    qualities: [25, 50, 75, 100],
+    // Image optimisation is disabled: the app passes images through as-is.
+    // Production uses Fastly for image transformations. Disabling also avoids
+    // baking a per-environment flag (previously NEXT_PUBLIC_OPTIMIZE_IMAGES)
+    // into the Docker image at build time.
+    unoptimized: true,
   },
 
   experimental: {
diff --git a/frontends/main/src/middleware.ts b/frontends/main/src/middleware.ts
new file mode 100644
index 0000000000..cf1a6e11b5
--- /dev/null
+++ b/frontends/main/src/middleware.ts
@@ -0,0 +1,60 @@
+import { type NextRequest, NextResponse } from "next/server"
+
+/**
+ * Matches paths that have a file extension (e.g. .js, .css, .woff2).
+ * These are static assets that should NOT receive page-level Cache-Control
+ * or Surrogate-Key headers — they are served from /_next/static/ with
+ * content-addressed filenames and are cached immutably by Fastly.
+ */
+const STATIC_FILE_EXT = /\.[a-zA-Z0-9]+$/
+
+/**
+ * Returns true if the path should receive page-level caching headers
+ * (Cache-Control with s-maxage). This mirrors the exclusion logic in the
+ * next.config.js `headers()` rules for Surrogate-Key.
+ *
+ * Sitemaps are explicitly included despite having an .xml extension because
+ * they are dynamically generated HTML-adjacent content, not static assets.
+ */
+function isPageRoute(pathname: string): boolean {
+  // JSON healthcheck — exclude from page cache headers
+  if (pathname === "/healthcheck") return false
+  // Sitemaps are dynamically generated; treat them as page content
+  if (pathname.startsWith("/sitemaps/")) return true
+  // Everything with a file extension is a static asset
+  if (STATIC_FILE_EXT.test(pathname)) return false
+  return true
+}
+
+/**
+ * Next.js middleware: sets the Cache-Control header at request time so that
+ * NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes environment rather
+ * than baked into the Docker image at build time.
+ *
+ * next.config.js `headers()` runs at build time and cannot read env vars
+ * that vary across environments (QA vs production). Middleware runs in the
+ * Edge Runtime on every request, so process.env is always the live value.
+ */
+export function middleware(request: NextRequest) {
+  if (!isPageRoute(request.nextUrl.pathname)) {
+    return NextResponse.next()
+  }
+
+  const sMaxage = process.env.NEXT_CACHE_S_MAXAGE_SECONDS || "1800"
+  const cacheControl = `s-maxage=${sMaxage}, stale-if-error=86400, stale-while-revalidate=86400`
+
+  const response = NextResponse.next()
+  response.headers.set("Cache-Control", cacheControl)
+  return response
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Run on all paths except Next.js internals (_next/static, _next/image)
+     * which are handled before middleware by the Next.js router. Static file
+     * requests that slip through are filtered by isPageRoute() above.
+     */
+    "/((?!_next/).*)",
+  ],
+}

From f0d876e1f2a6923a557e23bc926374bbba239050 Mon Sep 17 00:00:00 2001
From: Chris Chudzicki <christopher.chudzicki@gmail.com>
Date: Tue, 2 Jun 2026 11:41:09 -0400
Subject: [PATCH 12/13] fix(nextjs): Complete the NEXT_PUBLIC removal + misc

**Correctness fixes:**

1. Following merge of https://github.com/mitodl/mit-learn/pull/3380, all API clients are now configured via runtime env vars in frontends/main/src/bootstrap/api.ts
2. Several miscellaneous NEXT_PUBLIC direct reads were fixed, e.g., in OnboardingPage, YouTubeIframePlayer
3. Changed `env(...)` behavior to NEVER read from process.env if process or process.env are undefined.
4. backgroundImages.ts drop NEXT_PUBLIC entirely; this was unnecessary usage from the beginning.
5. validateEnv now runs at server startup and includes a few more variables as required.
6. Github actions now run with NEXT_BUILD_CI=1. This is how the container will be built in our pipelines, and can catch some odd errors, like module-level usage of env vars that would be undefined at build time.

**Config / NextJS Setup Changes**
7. Reverted to turbopack after discussion with @blarghmatey; we don't need the custom webpack config in our new true "build once" deployment.
8. Changed middleware.ts to proxy.ts; they're the same, but middleware is deprecated.

**Quality of Life, Maintanence**
9. Added typechecking constraints to env(...) and required_env(...) calls.
10. Dropped NEXT_SERVER_MITOL_API_BASE_URL entirely.
11. Added a linting rule to prevent reading NEXT_PUBLIC vars from process.env, except in test files.
---
 .github/workflows/ci.yml                      | 15 ++--
 docker-compose.apps.yml                       |  2 -
 env/codespaces.env                            |  1 -
 env/frontend.env                              |  2 +-
 frontends/.eslintrc.js                        | 89 +++++++++++++------
 frontends/api/src/test-utils/setupJest.ts     | 12 +--
 frontends/jest-shared-setup.ts                | 14 ++-
 frontends/main/next.config.js                 | 53 ++++-------
 .../OnboardingPage/OnboardingPage.tsx         |  3 +-
 .../YouTubeIframePlayer.tsx                   |  8 +-
 frontends/main/src/bootstrap/api.test.ts      | 70 +--------------
 frontends/main/src/bootstrap/api.ts           | 52 +++--------
 .../mitxonline/useReplaceBasketItem.test.tsx  | 20 -----
 frontends/main/src/common/urls.ts             |  8 +-
 frontends/main/src/env.test.ts                | 22 +++++
 frontends/main/src/env.ts                     | 53 +++++++++--
 frontends/main/src/instrumentation-node.ts    | 56 ++++++------
 frontends/main/src/instrumentation.ts         |  6 +-
 frontends/main/src/otel-utils.ts              |  3 +-
 .../main/src/{middleware.ts => proxy.ts}      | 16 ++--
 frontends/main/src/test-utils/setupJest.tsx   | 22 +++--
 frontends/main/src/validateEnv.test.ts        | 56 ++++++++++++
 frontends/main/tsconfig.json                  |  2 +
 frontends/main/validateEnv.js                 | 48 +++++-----
 .../components/NavDrawer/NavDrawer.test.tsx   |  3 -
 .../src/images/backgroundImages.ts            | 12 +--
 26 files changed, 343 insertions(+), 305 deletions(-)
 create mode 100644 frontends/main/src/env.test.ts
 rename frontends/main/src/{middleware.ts => proxy.ts} (78%)
 create mode 100644 frontends/main/src/validateEnv.test.ts

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e55813f4c5..7b650d08e3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -110,13 +110,16 @@ jobs:
       - name: Build Next.js frontend
         run: yarn workspace main build
         env:
+          # Build env-agnostically, exactly like the standalone Docker image.
+          # NEXT_BUILD_CI=1 skips validateEnv() because NEXT_PUBLIC_* values are
+          # injected at runtime (via PublicEnvScript), not baked in at build.
+          # No NEXT_PUBLIC_* vars are set here on purpose: with them unset, any
+          # code that reads one at module scope (e.g. a module-level
+          # requiredEnv(), which throws on the undefined value) fails the build.
+          # This gates such build-time env dependencies in CI rather than letting
+          # them surface only at container startup.
           NODE_ENV: production
-          NEXT_PUBLIC_ORIGIN: https://cifake.learn.mit.edu
-          NEXT_PUBLIC_MITOL_API_BASE_URL: https://api.cifake.learn.mit.edu
-          NEXT_PUBLIC_CSRF_COOKIE_NAME: cookie-monster
-          NEXT_PUBLIC_SITE_NAME: MIT Learn
-          NEXT_PUBLIC_MITOL_SUPPORT_EMAIL: help@citest.learn.mit.edu
-          NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL: https://cifake.mitxonline.mit.edu
+          NEXT_BUILD_CI: "1"
         # do this before typecheck. See https://github.com/vercel/next.js/issues/53959#issuecomment-1735563224
 
       - name: Typecheck
diff --git a/docker-compose.apps.yml b/docker-compose.apps.yml
index 338de58f24..f6211ca1b5 100644
--- a/docker-compose.apps.yml
+++ b/docker-compose.apps.yml
@@ -49,8 +49,6 @@ services:
       - "8062:8062"
       - "6006:6006"
       - "9229:9229"
-    environment:
-      - NEXT_SERVER_MITOL_API_BASE_URL=http://nginx:8063/
     volumes:
       - .:/src
     links:
diff --git a/env/codespaces.env b/env/codespaces.env
index d90e0d0912..46e255ec17 100644
--- a/env/codespaces.env
+++ b/env/codespaces.env
@@ -54,4 +54,3 @@ NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=${MITOL_SUPPORT_EMAIL}
 NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID=${STAY_UPDATED_HUBSPOT_FORM_ID}
 NEXT_PUBLIC_SITE_NAME="MIT Learn"
 NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=true
-NEXT_SERVER_MITOL_API_BASE_URL=
diff --git a/env/frontend.env b/env/frontend.env
index 9b7765130c..30f75a262c 100644
--- a/env/frontend.env
+++ b/env/frontend.env
@@ -1,6 +1,5 @@
 NODE_ENV=development
 PORT=8062
-NEXT_PUBLIC_OPTIMIZE_IMAGES="false"
 
 # Environment variables with `NEXT_PUBLIC_` prefix are exposed to the client side
 NEXT_PUBLIC_ORIGIN=${MITOL_APP_BASE_URL}
@@ -30,6 +29,7 @@ NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=https://api.rc.learn.mit.edu/ai/htt
 NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=https://api.rc.learn.mit.edu/ai/http/syllabus_agent/
 
 NEXT_PUBLIC_MITX_ONLINE_BASE_URL=${MITX_ONLINE_BASE_URL}
+NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL=http://mitxonline.odl.local:8065/
 NEXT_PUBLIC_VERSION="local-dev"
 
 # Hubspot tracking - xprodev account for dev/RC environments
diff --git a/frontends/.eslintrc.js b/frontends/.eslintrc.js
index 5e4b7e259f..3fa9a57c30 100644
--- a/frontends/.eslintrc.js
+++ b/frontends/.eslintrc.js
@@ -135,33 +135,7 @@ module.exports = {
       },
     ],
     quotes: ["error", "double", { avoidEscape: true }],
-    "no-restricted-syntax": [
-      "error",
-      /**
-       * See https://eslint.org/docs/latest/rules/no-restricted-syntax
-       *
-       * The selectors use "ES Query", a css-like syntax for AST querying. A
-       * useful tool is  https://estools.github.io/esquery/
-       */
-      {
-        selector:
-          "Property[key.name=fontWeight][value.raw=/\\d+/], TemplateElement[value.raw=/font-weight: \\d+/]",
-        message:
-          "Do not specify `fontWeight` manually. Prefer spreading `theme.typography.subtitle1` or similar. If you MUST use a fontWeight, refer to `fontWeights` theme object.",
-      },
-      {
-        selector:
-          "Property[key.name=fontFamily][value.raw=/Neue Haas/], TemplateElement[value.raw=/Neue Haas/]",
-        message:
-          "Do not specify `fontFamily` manually. Prefer spreading `theme.typography.subtitle1` or similar. If using neue-haas-grotesk-text, this is ThemeProvider's default fontFamily.",
-      },
-      {
-        selector:
-          "FunctionDeclaration[id.name='generateMetadata'] > BlockStatement > ReturnStatement[argument.type!='CallExpression'], FunctionDeclaration[id.name='generateMetadata'] > BlockStatement > ReturnStatement[argument.callee.name!='safeGenerateMetadata']",
-        message:
-          "generateMetadata functions must return safeGenerateMetadata() to ensure proper error handling and fallback metadata.",
-      },
-    ],
+    ...restrictedSyntax(),
   },
   overrides: [
     {
@@ -170,6 +144,22 @@ module.exports = {
         ...restrictedImports(),
       },
     },
+    {
+      // Tests/setup legitimately set & read process.env.NEXT_PUBLIC_* directly
+      // (jsdom). Lift only the NEXT_PUBLIC_* ban for these; keep other selectors.
+      // next.config.js is intentionally NOT exempt: NEXT_PUBLIC_* are absent at
+      // build time, so reads there are bugs except for a couple of justified
+      // cases (NEXT_PUBLIC_VERSION, dev-only NEXT_PUBLIC_ORIGIN) allowed inline.
+      files: [
+        "./**/*.test.{ts,tsx}",
+        "./**/test-utils/**",
+        "./**/setupJest.{ts,tsx}",
+        "./**/jest-shared-setup.ts",
+      ],
+      rules: {
+        ...restrictedSyntax({ allowPublicEnv: true }),
+      },
+    },
     {
       files: ["./**/*.test.{ts,tsx}"],
       plugins: ["testing-library"],
@@ -231,3 +221,48 @@ function restrictedImports({ paths = [], patterns = [] } = {}) {
     ],
   }
 }
+
+function restrictedSyntax({ allowPublicEnv = false } = {}) {
+  /**
+   * Shared no-restricted-syntax config. Factored into a helper (like
+   * restrictedImports above) so the NEXT_PUBLIC_* process.env ban can be lifted
+   * for tests/setup (which read process.env directly under jsdom) via an
+   * override without losing the other selectors.
+   *
+   * The selectors use "ES Query", a css-like syntax for AST querying. A useful
+   * tool is https://estools.github.io/esquery/
+   * See https://eslint.org/docs/latest/rules/no-restricted-syntax
+   */
+  const selectors = [
+    {
+      selector:
+        "Property[key.name=fontWeight][value.raw=/\\d+/], TemplateElement[value.raw=/font-weight: \\d+/]",
+      message:
+        "Do not specify `fontWeight` manually. Prefer spreading `theme.typography.subtitle1` or similar. If you MUST use a fontWeight, refer to `fontWeights` theme object.",
+    },
+    {
+      selector:
+        "Property[key.name=fontFamily][value.raw=/Neue Haas/], TemplateElement[value.raw=/Neue Haas/]",
+      message:
+        "Do not specify `fontFamily` manually. Prefer spreading `theme.typography.subtitle1` or similar. If using neue-haas-grotesk-text, this is ThemeProvider's default fontFamily.",
+    },
+    {
+      selector:
+        "FunctionDeclaration[id.name='generateMetadata'] > BlockStatement > ReturnStatement[argument.type!='CallExpression'], FunctionDeclaration[id.name='generateMetadata'] > BlockStatement > ReturnStatement[argument.callee.name!='safeGenerateMetadata']",
+      message:
+        "generateMetadata functions must return safeGenerateMetadata() to ensure proper error handling and fallback metadata.",
+    },
+  ]
+  if (!allowPublicEnv) {
+    selectors.push({
+      // Matches `process.env.NEXT_PUBLIC_*` (dot) and
+      // `process.env["NEXT_PUBLIC_*"]` (string-literal bracket). Does NOT match
+      // `process.env[key]` with a variable key (e.g. the env() helper itself).
+      selector:
+        "MemberExpression[object.object.name='process'][object.property.name='env'][property.name=/^NEXT_PUBLIC_/], MemberExpression[object.object.name='process'][object.property.name='env'][property.value=/^NEXT_PUBLIC_/]",
+      message:
+        "Do not read NEXT_PUBLIC_* from process.env directly: values are inlined at build time and are empty in the standalone Docker image. Use env() or requiredEnv() from @/env instead.",
+    })
+  }
+  return { "no-restricted-syntax": ["error", ...selectors] }
+}
diff --git a/frontends/api/src/test-utils/setupJest.ts b/frontends/api/src/test-utils/setupJest.ts
index aa6698047c..26b0d1536d 100644
--- a/frontends/api/src/test-utils/setupJest.ts
+++ b/frontends/api/src/test-utils/setupJest.ts
@@ -11,18 +11,18 @@ beforeEach(() => {
   assertMockAdapterInstalled()
 })
 
+// Hardcoded test base URLs are the single source of truth for this workspace:
+// the test URL builders (test-utils/urls.ts) read them back from the configured
+// axios instance, so requests and their expected URLs stay in sync. No env vars
+// are consulted — this workspace has no runtime env injection.
 configureApiClients({
   learn: {
-    baseUrl:
-      process.env.NEXT_PUBLIC_MITOL_API_BASE_URL ??
-      "http://api.test.learn.odl.local:8065",
+    baseUrl: "http://api.test.learn.odl.local:8065",
     csrfCookieName: "csrftoken",
     withCredentials: false,
   },
   mitxonline: {
-    baseUrl:
-      process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL ??
-      "http://api.test.learn.odl.local:8065/mitxonline",
+    baseUrl: "http://api.test.learn.odl.local:8065/mitxonline",
     csrfCookieName: "mitxcsrftoken",
     withCredentials: false,
   },
diff --git a/frontends/jest-shared-setup.ts b/frontends/jest-shared-setup.ts
index 7131aa98c4..ba3d96a412 100644
--- a/frontends/jest-shared-setup.ts
+++ b/frontends/jest-shared-setup.ts
@@ -18,15 +18,11 @@ expect.extend(matchers)
 
 setDefaultTimezone("UTC")
 
-// env vars
-process.env.NEXT_PUBLIC_MITOL_API_BASE_URL =
-  "http://api.test.learn.odl.local:8065"
-process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL =
-  "http://api.test.learn.odl.local:8065/mitxonline"
-process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL =
-  "http://mitxonline.odl.local:8065"
-process.env.NEXT_PUBLIC_ORIGIN = "http://test.learn.odl.local:8062"
-process.env.NEXT_PUBLIC_VERSION = "test-version"
+// NEXT_PUBLIC_* test values are NOT set here. Only the `main` workspace's app
+// code reads them (via the env() helper, which falls back to process.env under
+// jsdom), so they live in main/src/test-utils/setupJest.tsx. The api workspace
+// configures its clients with hardcoded test URLs in its own setup, and leaf
+// packages (ol-*) don't read NEXT_PUBLIC_* at all.
 
 // Pulled from the docs - see https://jestjs.io/docs/manual-mocks#mocking-methods-which-are-not-implemented-in-jsdom
 
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index f9c7cc4dad..538bcfb596 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -12,10 +12,13 @@ if (!process.env.NEXT_BUILD_CI) {
 const IS_LOCAL_DEV = process.env.NODE_ENV === "development"
 
 // Dev-server-only: allow cross-origin requests to internal dev endpoints (HMR,
-const allowedDevOrigins =
-  IS_LOCAL_DEV && process.env.NEXT_PUBLIC_ORIGIN
-    ? [new URL(process.env.NEXT_PUBLIC_ORIGIN).hostname]
-    : undefined
+// etc.). Reading NEXT_PUBLIC_ORIGIN from process.env is safe here — unlike app
+// code, this config path only runs when NODE_ENV==="development", never in a
+// production build where NEXT_PUBLIC_* are absent.
+// eslint-disable-next-line no-restricted-syntax -- dev-only; see comment above
+const devOrigin = IS_LOCAL_DEV ? process.env.NEXT_PUBLIC_ORIGIN : undefined
+const allowedDevOrigins = devOrigin ? [new URL(devOrigin).hostname] : undefined
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   productionBrowserSourceMaps: true,
@@ -131,47 +134,21 @@ const nextConfig = {
   },
 
   /**
-   * Stable, deterministic build ID based on the git SHA / version tag.
-   *
-   * Next.js embeds the build ID in manifest filenames (_buildManifest.js,
-   * _ssgManifest.js) and in page-data paths. Using the same ID across
-   * rebuilds of the same commit reduces inter-build hash drift.
+   * Pin the build ID to the git SHA / version tag for traceability — the
+   * BUILD_ID embedded in manifests and page-data paths then identifies which
+   * commit a running pod was built from.
    *
-   * NEXT_PUBLIC_VERSION is set as a Kubernetes env var (and as a Docker
-   * build arg in future standalone builds). GIT_REF is the full commit SHA
-   * passed by Concourse. The 'dev' fallback is for local builds.
+   * NEXT_PUBLIC_VERSION is set as a Kubernetes env var (and as a Docker build
+   * arg for the standalone build). GIT_REF is the full commit SHA passed by
+   * Concourse. The 'dev' fallback is for local builds.
    */
   generateBuildId: async () =>
+    // eslint-disable-next-line no-restricted-syntax -- NEXT_PUBLIC_VERSION is guaranteed present at build time by devops (set as a Docker build arg); other NEXT_PUBLIC_* are not
     process.env.NEXT_PUBLIC_VERSION || process.env.GIT_REF || "dev",
-
-  /**
-   * Replace webpack's [chunkhash] with [contenthash].
-   *
-   * [chunkhash] is influenced by module ordering and internal IDs, so two
-   * builds of identical code can produce different filenames. [contenthash]
-   * is derived purely from the file's content, making chunk names stable
-   * across rebuilds when code is unchanged.
-   *
-   * See: https://github.com/vercel/next.js/discussions/65856
-   */
-  webpack: (config) => {
-    if (config.output.filename) {
-      config.output.filename = config.output.filename.replace(
-        "[chunkhash]",
-        "[contenthash]",
-      )
-    }
-    if (config.output.chunkFilename) {
-      config.output.chunkFilename = config.output.chunkFilename.replace(
-        "[chunkhash]",
-        "[contenthash]",
-      )
-    }
-    return config
-  },
 }
 
 const { withSentryConfig } = require("@sentry/nextjs")
+/** @param {import('next').NextConfig} config */
 const withSentry = (config) =>
   withSentryConfig(config, {
     // For all available options, see:
diff --git a/frontends/main/src/app-pages/OnboardingPage/OnboardingPage.tsx b/frontends/main/src/app-pages/OnboardingPage/OnboardingPage.tsx
index 53213f3bfa..82a76ab70f 100644
--- a/frontends/main/src/app-pages/OnboardingPage/OnboardingPage.tsx
+++ b/frontends/main/src/app-pages/OnboardingPage/OnboardingPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useEffect, useId, useMemo } from "react"
 import { useRouter } from "next-nprogress-bar"
 import { usePostHog } from "posthog-js/react"
@@ -173,7 +174,7 @@ const OnboardingPage: React.FC = () => {
         })
       }
       const label = activeStep < NUM_STEPS - 1 ? "Next" : "Finish"
-      if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+      if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
         posthog.capture(PostHogEvents.CallToActionClicked, {
           label,
           step: activeStep + 1,
diff --git a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
index 434b028913..f8e77ea146 100644
--- a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
+++ b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
@@ -1,11 +1,7 @@
 "use client"
 
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import React from "react"
-import invariant from "tiny-invariant"
-
-const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
-invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 export type YouTubeIframePlayerProps = {
   embedUrl: string
@@ -32,7 +28,7 @@ const YouTubeIframePlayer: React.FC<YouTubeIframePlayerProps> = ({
 }) => {
   const url = new URL(embedUrl)
   url.searchParams.set("rel", "0")
-  url.searchParams.set("origin", NEXT_PUBLIC_ORIGIN)
+  url.searchParams.set("origin", requiredEnv("NEXT_PUBLIC_ORIGIN"))
 
   const src = url.toString()
 
diff --git a/frontends/main/src/bootstrap/api.test.ts b/frontends/main/src/bootstrap/api.test.ts
index 8899785a6d..bf96459583 100644
--- a/frontends/main/src/bootstrap/api.test.ts
+++ b/frontends/main/src/bootstrap/api.test.ts
@@ -7,7 +7,6 @@ jest.mock("api/runtime", () => ({
 }))
 
 const originalEnv = process.env
-const originalWindow = global.window
 
 describe("bootstrapApiClients", () => {
   beforeEach(() => {
@@ -15,85 +14,18 @@ describe("bootstrapApiClients", () => {
     process.env = {
       ...originalEnv,
       NEXT_PUBLIC_MITOL_API_BASE_URL: "https://learn.public.example.edu",
-      NEXT_SERVER_MITOL_API_BASE_URL: "http://learn.internal:8063",
       NEXT_PUBLIC_CSRF_COOKIE_NAME: "csrftoken",
       NEXT_PUBLIC_MITX_ONLINE_BASE_URL: "https://mitx.example.edu",
       NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME: "mitxcsrftoken",
       NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS: "true",
     }
-    Object.defineProperty(global, "window", {
-      configurable: true,
-      value: originalWindow,
-      writable: true,
-    })
   })
 
   afterAll(() => {
     process.env = originalEnv
-    Object.defineProperty(global, "window", {
-      configurable: true,
-      value: originalWindow,
-      writable: true,
-    })
   })
 
-  test("uses the server Learn URL when window is absent", () => {
-    Object.defineProperty(global, "window", {
-      configurable: true,
-      value: undefined,
-      writable: true,
-    })
-
-    try {
-      bootstrapApiClients()
-
-      expect(configureApiClients).toHaveBeenCalledWith(
-        expect.objectContaining({
-          learn: expect.objectContaining({
-            baseUrl: "http://learn.internal:8063",
-          }),
-        }),
-      )
-    } finally {
-      Object.defineProperty(global, "window", {
-        configurable: true,
-        value: originalWindow,
-        writable: true,
-      })
-    }
-  })
-
-  test("falls back to the public Learn URL when the server URL is blank", () => {
-    Object.defineProperty(global, "window", {
-      configurable: true,
-      value: undefined,
-      writable: true,
-    })
-    // env/codespaces.env ships NEXT_SERVER_MITOL_API_BASE_URL= (empty string),
-    // which must fall back to the public URL rather than being treated as a
-    // configured base (which would throw during normalization).
-    process.env = { ...process.env, NEXT_SERVER_MITOL_API_BASE_URL: "" }
-
-    try {
-      bootstrapApiClients()
-
-      expect(configureApiClients).toHaveBeenCalledWith(
-        expect.objectContaining({
-          learn: expect.objectContaining({
-            baseUrl: "https://learn.public.example.edu",
-          }),
-        }),
-      )
-    } finally {
-      Object.defineProperty(global, "window", {
-        configurable: true,
-        value: originalWindow,
-        writable: true,
-      })
-    }
-  })
-
-  test("uses the browser Learn URL when window exists", () => {
+  test("configures learn and mitxonline clients from NEXT_PUBLIC vars", () => {
     bootstrapApiClients()
 
     expect(configureApiClients).toHaveBeenCalledWith(
diff --git a/frontends/main/src/bootstrap/api.ts b/frontends/main/src/bootstrap/api.ts
index d669ad43a5..bddf5ed578 100644
--- a/frontends/main/src/bootstrap/api.ts
+++ b/frontends/main/src/bootstrap/api.ts
@@ -1,17 +1,6 @@
-import invariant from "tiny-invariant"
+import { env, requiredEnv } from "@/env"
 import { configureApiClients, isApiClientsConfigured } from "api/runtime"
 
-const isServerRuntime = () => typeof window === "undefined"
-
-// `value` must be passed as a static `process.env.NEXT_PUBLIC_*` reference, not
-// a dynamic `process.env[name]` lookup: Next inlines client-side env vars via
-// literal text substitution at build time, so dynamic access yields undefined
-// in the browser even when the var is set.
-const requireEnv = (name: string, value: string | undefined): string => {
-  invariant(value, `${name} is not set`)
-  return value
-}
-
 export const bootstrapApiClients = () => {
   // First-wins: the server calls this once at startup from instrumentation.ts;
   // the browser calls it once from instrumentation-client.ts, which can re-enter
@@ -19,42 +8,27 @@ export const bootstrapApiClients = () => {
   // no-op rather than throw.
   if (isApiClientsConfigured()) return
 
-  // NEXT_SERVER_MITOL_API_BASE_URL points the server at an internal host for
-  // split-host local-dev/docker. An explicitly blank value (as in
-  // env/codespaces.env) means "no separate server host" — fall back to the
-  // public URL. Use `||` rather than `??` so the empty string triggers the
-  // fallback instead of being treated as a configured base URL.
-  const serverLearnBaseUrl = isServerRuntime()
-    ? process.env.NEXT_SERVER_MITOL_API_BASE_URL
-    : undefined
-  const learnBaseUrl =
-    serverLearnBaseUrl ||
-    requireEnv(
-      "NEXT_PUBLIC_MITOL_API_BASE_URL",
-      process.env.NEXT_PUBLIC_MITOL_API_BASE_URL,
-    )
+  // NEXT_PUBLIC_* values are read via env()/requiredEnv() (src/env.ts) so they
+  // come from the runtime environment — window.__ENV in the browser, process.env
+  // on the server — rather than being inlined at build time. This is what lets
+  // the standalone Docker image be built once and configured per-environment by
+  // Kubernetes. bootstrapApiClients() only runs at request/startup time (never
+  // during `next build`), so requiredEnv()'s invariant is safe here.
+
+  const learnBaseUrl = requiredEnv("NEXT_PUBLIC_MITOL_API_BASE_URL")
 
   const withCredentials =
-    process.env.NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS === "true"
+    env("NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS") === "true"
 
   configureApiClients({
     learn: {
       baseUrl: learnBaseUrl,
-      csrfCookieName: requireEnv(
-        "NEXT_PUBLIC_CSRF_COOKIE_NAME",
-        process.env.NEXT_PUBLIC_CSRF_COOKIE_NAME,
-      ),
+      csrfCookieName: requiredEnv("NEXT_PUBLIC_CSRF_COOKIE_NAME"),
       withCredentials,
     },
     mitxonline: {
-      baseUrl: requireEnv(
-        "NEXT_PUBLIC_MITX_ONLINE_BASE_URL",
-        process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL,
-      ),
-      csrfCookieName: requireEnv(
-        "NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME",
-        process.env.NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME,
-      ),
+      baseUrl: requiredEnv("NEXT_PUBLIC_MITX_ONLINE_BASE_URL"),
+      csrfCookieName: requiredEnv("NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME"),
       withCredentials,
     },
   })
diff --git a/frontends/main/src/common/mitxonline/useReplaceBasketItem.test.tsx b/frontends/main/src/common/mitxonline/useReplaceBasketItem.test.tsx
index 8c7a5b3c51..18abf6543b 100644
--- a/frontends/main/src/common/mitxonline/useReplaceBasketItem.test.tsx
+++ b/frontends/main/src/common/mitxonline/useReplaceBasketItem.test.tsx
@@ -12,7 +12,6 @@ const clearMutate = jest.fn(
   (_vars: undefined, opts?: { onSuccess?: () => void }) => opts?.onSuccess?.(),
 )
 const clearMutateAsync = jest.fn().mockResolvedValue(undefined)
-const originalEnv = process.env
 
 jest.mock("api/mitxonline-hooks/baskets", () => ({
   useAddToBasket: () => ({
@@ -35,25 +34,6 @@ describe("useReplaceBasketItem", () => {
 
   beforeEach(() => {
     jest.clearAllMocks()
-    process.env = { ...originalEnv }
-  })
-
-  afterAll(() => {
-    process.env = originalEnv
-  })
-
-  test("throws at module load when NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL is missing", () => {
-    jest.resetModules()
-    delete process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-
-    expect(() => {
-      jest.isolateModules(() => {
-        // jest.isolateModules takes a sync callback; require is the only way
-        // to load a module synchronously inside it.
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        require("./useReplaceBasketItem")
-      })
-    }).toThrow(/NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL/i)
   })
 
   test("redirects after the sync mutate path succeeds", () => {
diff --git a/frontends/main/src/common/urls.ts b/frontends/main/src/common/urls.ts
index 2ddb0976ea..7b68e65984 100644
--- a/frontends/main/src/common/urls.ts
+++ b/frontends/main/src/common/urls.ts
@@ -1,4 +1,4 @@
-import { env } from "@/env"
+import { env, requiredEnv } from "@/env"
 import type { BaseProgramDisplayMode } from "@mitodl/mitxonline-api-axios/v2"
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
 
@@ -140,7 +140,7 @@ export const RESOURCE_DRAWER_PARAMS = {
 } as const
 
 export const canonicalResourceDrawerUrl = (resourceId: number) =>
-  `${env("NEXT_PUBLIC_ORIGIN")}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
+  `${requiredEnv("NEXT_PUBLIC_ORIGIN")}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
 
 export const querifiedSearchUrl = (
   params:
@@ -200,7 +200,9 @@ export type LoginUrlOpts = {
 const stringifyUrlDescriptor = (val: UrlDescriptor) => {
   // ORIGIN is read at call time (request time) so NEXT_PUBLIC_ORIGIN is
   // available — it is not set at build time in the standalone Docker image.
-  const url = new URL(env("NEXT_PUBLIC_ORIGIN") ?? "")
+  // requiredEnv() is safe here: stringifyUrlDescriptor only runs when building
+  // login/signup URLs at request time, never during `next build`.
+  const url = new URL(requiredEnv("NEXT_PUBLIC_ORIGIN"))
   url.pathname = val.pathname
   if (val.searchParams) {
     val.searchParams.forEach((v, k) => url.searchParams.set(k, v))
diff --git a/frontends/main/src/env.test.ts b/frontends/main/src/env.test.ts
new file mode 100644
index 0000000000..62833fa3b7
--- /dev/null
+++ b/frontends/main/src/env.test.ts
@@ -0,0 +1,22 @@
+import { env, requiredEnv } from "@/env"
+
+test("env() reads from window.__ENV", () => {
+  window.__ENV = { NEXT_PUBLIC_ORIGIN: "https://example.test" }
+  expect(env("NEXT_PUBLIC_ORIGIN")).toBe("https://example.test")
+  delete window.__ENV
+})
+
+/*
+ * Compile-time regression guard for env.ts's schema-derived key unions. Never
+ * runs; enforced by `yarn typecheck`. If a yup/TS change breaks the InferType
+ * derivation, these assertions stop matching and CI fails loudly.
+ */
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const _typeRegression = () => {
+  // @ts-expect-error — key not in the validateEnv schema
+  env("NEXT_PUBLIC_NOT_IN_SCHEMA")
+  // @ts-expect-error — optional key is not assignable to requiredEnv
+  requiredEnv("NEXT_PUBLIC_POSTHOG_API_KEY")
+  env("NEXT_PUBLIC_POSTHOG_API_KEY") // valid: optional key OK for env()
+  requiredEnv("NEXT_PUBLIC_ORIGIN") // valid: required key OK for requiredEnv()
+}
diff --git a/frontends/main/src/env.ts b/frontends/main/src/env.ts
index 994e2be3f0..5183cfcdb2 100644
--- a/frontends/main/src/env.ts
+++ b/frontends/main/src/env.ts
@@ -1,4 +1,5 @@
 import invariant from "tiny-invariant"
+import type { InferType } from "yup"
 
 /**
  * Runtime environment variable accessor for NEXT_PUBLIC_* vars.
@@ -24,19 +25,59 @@ declare global {
   }
 }
 
-export const env = (key: `NEXT_PUBLIC_${string}`): string | undefined => {
+/**
+ * Key unions derived from the single source of truth — the yup schema in
+ * validateEnv.js (imported as a type only, so no runtime/bundle cost).
+ *
+ * - `PublicEnvVar`: every NEXT_PUBLIC_* key the schema declares (required or
+ *   optional). Adding a new NEXT_PUBLIC_* var the app reads means adding it to
+ *   the schema; otherwise env()/requiredEnv() reject it at compile time.
+ * - `RequiredPublicEnvVar`: the subset marked `.required()` in the schema —
+ *   guaranteed present at runtime by validateEnv() at server startup.
+ */
+type EnvSchema = InferType<typeof import("../validateEnv").schema>
+type RequiredKeys<T> = {
+  [K in keyof T]-?: undefined extends T[K] ? never : K
+}[keyof T]
+type PublicEnvVar = Extract<keyof EnvSchema, `NEXT_PUBLIC_${string}`>
+type RequiredPublicEnvVar = Extract<
+  RequiredKeys<EnvSchema>,
+  `NEXT_PUBLIC_${string}`
+>
+
+/**
+ * Get the value of an environment variable at runtime.
+ * NOTES:
+ *  - Only NEXT_PUBLIC_ env vars are accessible this way. If you need a server-only
+ *    environment variable, read from process.env
+ *  - Env vars will always be undefined at build time.
+ */
+export const env = (key: PublicEnvVar): string | undefined => {
   if (typeof window !== "undefined") {
-    // Browser: read from server-injected window.__ENV; fall back to
-    // process.env (which webpack polyfills — safe in webpack bundles, and
-    // allows test environments that set process.env directly to work).
-    return window.__ENV?.[key] ?? process.env[key]
+    // Browser: read from server-injected window.__ENV. Fall back to process.env
+    // only when a `process` global actually exists (jsdom/test environments that
+    // set process.env directly). Webpack provides no `process` global for
+    // dynamic `process.env[key]` access, so an unguarded read would throw
+    // `ReferenceError: process is not defined` for any key absent from __ENV
+    // (e.g. an optional NEXT_PUBLIC_* var unset in the pod).
+    return (
+      window.__ENV?.[key] ??
+      (typeof process !== "undefined" ? process.env[key] : undefined)
+    )
   }
   // Server: dynamic bracket access is NOT replaced by DefinePlugin, so this
   // reads the actual Kubernetes env var at request time.
   return process.env[key]
 }
 
-export const requiredEnv = (key: `NEXT_PUBLIC_${string}`): string => {
+/**
+ * Get the value of a required environment variable at runtime.
+ * NOTES:
+ *  - presence of required runtime variables is validated at startup
+ *  - This function cannot be used at module scope because env vars are not set
+ *    at build time.
+ */
+export const requiredEnv = (key: RequiredPublicEnvVar): string => {
   const value = env(key)
   invariant(value, `${key} must be defined`)
   return value
diff --git a/frontends/main/src/instrumentation-node.ts b/frontends/main/src/instrumentation-node.ts
index 609c4b18b8..ba31dffcd2 100644
--- a/frontends/main/src/instrumentation-node.ts
+++ b/frontends/main/src/instrumentation-node.ts
@@ -22,33 +22,37 @@ import {
   hasOtlpEndpointConfig,
 } from "./otel-utils"
 import { parseSampleRate } from "./sentry-utils"
-
-// REQUIRED_PUBLIC_ENV_VARS is defined in validateEnv.js and shared with the
-// local-dev yup schema so both lists stay in sync from a single source of
-// truth. validateEnv() is skipped in next.config.js during Docker builds
-// (NEXT_BUILD_CI=1); this loop is the runtime equivalent for Kubernetes pods.
-// eslint-disable-next-line @typescript-eslint/no-require-imports
-const { REQUIRED_PUBLIC_ENV_VARS } = require("../validateEnv") as {
-  REQUIRED_PUBLIC_ENV_VARS: readonly string[]
-}
-
-for (const key of REQUIRED_PUBLIC_ENV_VARS) {
-  if (!process.env[key]) {
-    // Log clearly then exit so the pod crash-loops and ops can see it
-    // immediately, rather than silently serving broken pages.
-    console.error(
-      `[startup] Required environment variable ${key} is not set. ` +
-        "Exiting to prevent broken deployment.",
-    )
-    process.exit(1)
-  }
+import { env } from "@/env"
+import { validateEnv } from "../validateEnv"
+import { ValidationError } from "yup"
+
+// Validate the full environment schema once at server startup (Node runtime).
+// validateEnv() is skipped in next.config.js during Docker builds
+// (NEXT_BUILD_CI=1) because NEXT_PUBLIC_* values are injected at runtime, not
+// present at build — so this startup check is where deployed pods get validated
+// (presence AND format). `abortEarly: false` means a single failure reports
+// every bad var at once. On failure we log and exit so the pod crash-loops with
+// a clear message instead of silently serving broken pages — an uncaught throw
+// here is not guaranteed to terminate the process (Next may log and continue),
+// hence the explicit process.exit(1).
+try {
+  validateEnv()
+} catch (err) {
+  const detail =
+    err instanceof ValidationError ? err.errors.join("\n  - ") : String(err)
+  console.error(
+    `[startup] Environment validation failed:\n  - ${detail}\n` +
+      "Exiting to prevent broken deployment.",
+  )
+  process.exit(1)
 }
 
 // Inject service.version into OTEL_RESOURCE_ATTRIBUTES so the OTEL SDK's
 // EnvDetector picks it up alongside any other attributes set via env.
 // Simpler than interpolating OTEL_RESOURCE_ATTRIBUTES in ol-infrastructure.
-if (process.env["NEXT_PUBLIC_VERSION"]) {
-  const prefix = `service.version=${encodeURIComponent(process.env["NEXT_PUBLIC_VERSION"])}`
+const appVersion = env("NEXT_PUBLIC_VERSION")
+if (appVersion) {
+  const prefix = `service.version=${encodeURIComponent(appVersion)}`
   const existing = process.env.OTEL_RESOURCE_ATTRIBUTES
   process.env.OTEL_RESOURCE_ATTRIBUTES = existing
     ? `${prefix},${existing}`
@@ -193,14 +197,14 @@ const otelSampleRate = parseSampleRate(process.env.OTEL_TRACES_SAMPLER_ARG, 1)
 // sent to the Sentry backend. Defaults to 1.0 when unset.
 // This lets you run Alloy at 100% while keeping Sentry costs/quota lower.
 const sentrySampleRate = parseSampleRate(
-  process.env["NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"],
+  env("NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"),
   1,
 )
 
 Sentry.init({
-  dsn: process.env["NEXT_PUBLIC_SENTRY_DSN"],
-  release: process.env["NEXT_PUBLIC_VERSION"],
-  environment: process.env["NEXT_PUBLIC_SENTRY_ENV"],
+  dsn: env("NEXT_PUBLIC_SENTRY_DSN"),
+  release: env("NEXT_PUBLIC_VERSION"),
+  environment: env("NEXT_PUBLIC_SENTRY_ENV"),
 
   // Controls the OTEL sampler — spans not sampled here never reach any
   // processor. Set via OTEL_TRACES_SAMPLER_ARG at runtime (K8s/Helm).
diff --git a/frontends/main/src/instrumentation.ts b/frontends/main/src/instrumentation.ts
index 8154ac6e5e..46ec0d0f1f 100644
--- a/frontends/main/src/instrumentation.ts
+++ b/frontends/main/src/instrumentation.ts
@@ -2,9 +2,13 @@ import * as Sentry from "@sentry/nextjs"
 
 export async function register() {
   if (process.env.NEXT_RUNTIME === "nodejs") {
+    // Validate env first (instrumentation-node calls validateEnv() at module
+    // load and exits the process on failure). Running it before
+    // bootstrapApiClients() ensures the guaranteed-exit check fires ahead of
+    // bootstrap's requiredEnv() throw, which Next may otherwise swallow.
+    await import("./instrumentation-node")
     const { bootstrapApiClients } = await import("./bootstrap/api")
     bootstrapApiClients()
-    await import("./instrumentation-node")
   }
 }
 
diff --git a/frontends/main/src/otel-utils.ts b/frontends/main/src/otel-utils.ts
index 5add725404..49b9dd0b6b 100644
--- a/frontends/main/src/otel-utils.ts
+++ b/frontends/main/src/otel-utils.ts
@@ -3,6 +3,7 @@ import type { IncomingMessage, ServerResponse } from "node:http"
 import type { ReadableSpan } from "@opentelemetry/sdk-trace-base"
 import { envDetector } from "@opentelemetry/resources"
 import type { DetectedResourceAttributes } from "@opentelemetry/resources"
+import { env } from "@/env"
 
 export type RequestLogEntry = {
   message: "next_request"
@@ -16,7 +17,7 @@ export type RequestLogEntry = {
   version: string | null
 }
 
-const APP_VERSION = process.env["NEXT_PUBLIC_VERSION"] ?? null
+const APP_VERSION = env("NEXT_PUBLIC_VERSION") ?? null
 
 type OtelEnvSubset = Readonly<Record<string, string | undefined>>
 
diff --git a/frontends/main/src/middleware.ts b/frontends/main/src/proxy.ts
similarity index 78%
rename from frontends/main/src/middleware.ts
rename to frontends/main/src/proxy.ts
index cf1a6e11b5..b74f682b99 100644
--- a/frontends/main/src/middleware.ts
+++ b/frontends/main/src/proxy.ts
@@ -27,15 +27,15 @@ function isPageRoute(pathname: string): boolean {
 }
 
 /**
- * Next.js middleware: sets the Cache-Control header at request time so that
- * NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes environment rather
- * than baked into the Docker image at build time.
+ * Next.js proxy (formerly "middleware"): sets the Cache-Control header at
+ * request time so that NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes
+ * environment rather than baked into the Docker image at build time.
  *
- * next.config.js `headers()` runs at build time and cannot read env vars
- * that vary across environments (QA vs production). Middleware runs in the
- * Edge Runtime on every request, so process.env is always the live value.
+ * next.config.js `headers()` runs at build time and cannot read env vars that
+ * vary across environments (QA vs production). Proxy runs on the Node.js
+ * runtime on every request, so process.env is always the live value.
  */
-export function middleware(request: NextRequest) {
+export function proxy(request: NextRequest) {
   if (!isPageRoute(request.nextUrl.pathname)) {
     return NextResponse.next()
   }
@@ -52,7 +52,7 @@ export const config = {
   matcher: [
     /*
      * Run on all paths except Next.js internals (_next/static, _next/image)
-     * which are handled before middleware by the Next.js router. Static file
+     * which are handled before proxy by the Next.js router. Static file
      * requests that slip through are filtered by isPageRoute() above.
      */
     "/((?!_next/).*)",
diff --git a/frontends/main/src/test-utils/setupJest.tsx b/frontends/main/src/test-utils/setupJest.tsx
index a0373a86a8..01ab05491e 100644
--- a/frontends/main/src/test-utils/setupJest.tsx
+++ b/frontends/main/src/test-utils/setupJest.tsx
@@ -17,18 +17,28 @@ jest.mock("axios", () => mockAxiosFactory())
 
 const { configureApiClients } = jest.requireActual("api/runtime")
 
+// NEXT_PUBLIC_* test values live here (the main workspace setup) rather than the
+// shared setup: only main's app code reads them, via the env() helper which
+// falls back to process.env under jsdom. The api workspace and ol-* packages
+// don't need them.
+const LEARN_BASE_URL = "http://api.test.learn.odl.local:8065"
+const MITX_ONLINE_BASE_URL = "http://api.test.learn.odl.local:8065/mitxonline"
+
+process.env.NEXT_PUBLIC_ORIGIN = "http://test.learn.odl.local:8062"
+process.env.NEXT_PUBLIC_VERSION = "test-version"
+process.env.NEXT_PUBLIC_MITOL_API_BASE_URL = LEARN_BASE_URL
+process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL = MITX_ONLINE_BASE_URL
+process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL =
+  "http://mitxonline.odl.local:8065"
+
 configureApiClients({
   learn: {
-    baseUrl:
-      process.env.NEXT_PUBLIC_MITOL_API_BASE_URL ??
-      "http://api.test.learn.odl.local:8065",
+    baseUrl: LEARN_BASE_URL,
     csrfCookieName: "csrftoken",
     withCredentials: false,
   },
   mitxonline: {
-    baseUrl:
-      process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL ??
-      "http://api.test.learn.odl.local:8065/mitxonline",
+    baseUrl: MITX_ONLINE_BASE_URL,
     csrfCookieName: "mitxcsrftoken",
     withCredentials: false,
   },
diff --git a/frontends/main/src/validateEnv.test.ts b/frontends/main/src/validateEnv.test.ts
new file mode 100644
index 0000000000..3a16682ef5
--- /dev/null
+++ b/frontends/main/src/validateEnv.test.ts
@@ -0,0 +1,56 @@
+import { validateEnv } from "../validateEnv"
+
+// validateEnv() reads process.env directly, so we swap it per-test (mirrors
+// bootstrap/api.test.ts) and restore after. This is a smoke test of the schema
+// contract, not exhaustive coverage of yup.
+const REQUIRED_ENV = {
+  NEXT_PUBLIC_ORIGIN: "https://learn.test",
+  NEXT_PUBLIC_MITOL_API_BASE_URL: "https://api.learn.test",
+  NEXT_PUBLIC_SITE_NAME: "MIT Learn",
+  NEXT_PUBLIC_MITOL_SUPPORT_EMAIL: "help@learn.test",
+  NEXT_PUBLIC_CSRF_COOKIE_NAME: "csrftoken",
+  NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL: "https://legacy.mitx.test",
+  NEXT_PUBLIC_MITX_ONLINE_BASE_URL: "https://mitx.test",
+  NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME: "csrf_mitxonline",
+}
+
+const originalEnv = process.env
+
+describe("validateEnv", () => {
+  beforeEach(() => {
+    process.env = { ...originalEnv, ...REQUIRED_ENV }
+  })
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  test("passes when all required vars are present", () => {
+    expect(() => validateEnv()).not.toThrow()
+  })
+
+  test("throws, naming the missing required var", () => {
+    delete process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
+    expect(() => validateEnv()).toThrow(
+      /NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL/,
+    )
+  })
+
+  test("reports every missing required var at once (abortEarly: false)", () => {
+    delete process.env.NEXT_PUBLIC_ORIGIN
+    delete process.env.NEXT_PUBLIC_SITE_NAME
+
+    let errors: string[] = []
+    try {
+      validateEnv()
+    } catch (err) {
+      errors = (err as { errors: string[] }).errors
+    }
+
+    expect(errors).toEqual(
+      expect.arrayContaining([
+        expect.stringMatching(/NEXT_PUBLIC_ORIGIN/),
+        expect.stringMatching(/NEXT_PUBLIC_SITE_NAME/),
+      ]),
+    )
+  })
+})
diff --git a/frontends/main/tsconfig.json b/frontends/main/tsconfig.json
index 9effc08715..c0e4a1306b 100644
--- a/frontends/main/tsconfig.json
+++ b/frontends/main/tsconfig.json
@@ -32,6 +32,8 @@
   },
   "include": [
     "next-env.d.ts",
+    "validateEnv.js",
+    "next.config.js",
     "**/*.ts",
     "**/*.tsx",
     ".next/types/**/*.ts",
diff --git a/frontends/main/validateEnv.js b/frontends/main/validateEnv.js
index f10dd3b858..f077a0b927 100644
--- a/frontends/main/validateEnv.js
+++ b/frontends/main/validateEnv.js
@@ -2,26 +2,17 @@
  * Validate the environment variables we use throughout the app.
  *
  * This only validates them. It does not transform them (e.g., into a boolean).
- * Env vars should still be accessed via process.env.ENV_VAR
+ * NEXT_PUBLIC_* vars should still be accessed via the env()/requiredEnv()
+ * helpers (src/env.ts); server-only vars via process.env directly.
+ *
+ * The `.required()` fields below are the single source of truth for "which
+ * vars must be present." validateEnv() is consumed by:
+ *  - next.config.js (local-dev check at `next build` / `next start`)
+ *  - src/instrumentation-node.ts (server startup check in Kubernetes pods)
  */
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const yup = require("yup")
 
-/**
- * NEXT_PUBLIC_* vars that must be present at runtime. Shared between:
- *  - validateEnv() below (local dev check at `next build` / `next start`)
- *  - src/instrumentation-node.ts (Docker startup check in Kubernetes)
- *
- * Keep this list in sync with the `.required()` fields in the schema below.
- */
-const REQUIRED_PUBLIC_ENV_VARS = /** @type {const} */ ([
-  "NEXT_PUBLIC_ORIGIN",
-  "NEXT_PUBLIC_MITOL_API_BASE_URL",
-  "NEXT_PUBLIC_SITE_NAME",
-  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
-  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
-])
-
 const schema = yup.object().shape({
   // Server-only env vars
   MITOL_NOINDEX: yup.string().oneOf(["true", "false"]),
@@ -29,13 +20,14 @@ const schema = yup.object().shape({
     .string()
     .matches(/^\d+$/, { excludeEmptyString: true }),
   // Required client/server vars — must be present in local dev and at runtime.
-  // The list is defined above as REQUIRED_PUBLIC_ENV_VARS so that
-  // instrumentation-node.ts can import it as a single source of truth.
   NEXT_PUBLIC_ORIGIN: yup.string().required(),
   NEXT_PUBLIC_MITOL_API_BASE_URL: yup.string().required(),
   NEXT_PUBLIC_SITE_NAME: yup.string().required(),
   NEXT_PUBLIC_MITOL_SUPPORT_EMAIL: yup.string().required(),
   NEXT_PUBLIC_CSRF_COOKIE_NAME: yup.string().required(),
+  NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL: yup.string().required(),
+  NEXT_PUBLIC_MITX_ONLINE_BASE_URL: yup.string().required(),
+  NEXT_PUBLIC_MITX_ONLINE_CSRF_COOKIE_NAME: yup.string().required(),
   // Optional client or server vars
   NEXT_PUBLIC_APPZI_URL: yup.string(),
   NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS: yup
@@ -46,8 +38,24 @@ const schema = yup.object().shape({
   NEXT_PUBLIC_POSTHOG_API_HOST: yup.string(),
   NEXT_PUBLIC_POSTHOG_UI_HOST: yup.string(),
   NEXT_PUBLIC_HUBSPOT_PORTAL_ID: yup.string(),
+  NEXT_PUBLIC_VERSION: yup.string(),
+  NEXT_PUBLIC_RECAPTCHA_SITE_KEY: yup.string(),
+  NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID: yup.string(),
+  NEXT_PUBLIC_SENTRY_DSN: yup.string(),
+  NEXT_PUBLIC_SENTRY_ENV: yup.string(),
+  NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE: yup.string(),
+  NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE: yup.string(),
+  NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT: yup.string(),
+  NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT: yup.string(),
+  NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME: yup.string(),
 })
 
-const validateEnv = () => schema.validateSync(process.env)
+/**
+ * Validate process.env against the schema. `abortEarly: false` collects every
+ * problem into a single ValidationError (see `.errors`) so a misconfigured pod
+ * reports all bad vars at once rather than one per restart.
+ */
+const validateEnv = () =>
+  schema.validateSync(process.env, { abortEarly: false })
 
-module.exports = { validateEnv, REQUIRED_PUBLIC_ENV_VARS }
+module.exports = { validateEnv, schema }
diff --git a/frontends/ol-components/src/components/NavDrawer/NavDrawer.test.tsx b/frontends/ol-components/src/components/NavDrawer/NavDrawer.test.tsx
index b0b36262ad..08f9f85269 100644
--- a/frontends/ol-components/src/components/NavDrawer/NavDrawer.test.tsx
+++ b/frontends/ol-components/src/components/NavDrawer/NavDrawer.test.tsx
@@ -188,9 +188,6 @@ describe("NavDrawer", () => {
   it.each([{ enablePostHog: true }, { enablePostHog: false }])(
     "posthogCapture callback is called only if passed in",
     async ({ enablePostHog }) => {
-      process.env.NEXT_PUBLIC_POSTHOG_API_KEY = enablePostHog
-        ? "12345abcdef" // pragma: allowlist secret
-        : ""
       renderWithTheme(
         <NavDrawer
           onClose={jest.fn()}
diff --git a/frontends/ol-utilities/src/images/backgroundImages.ts b/frontends/ol-utilities/src/images/backgroundImages.ts
index 3991aef77b..c675006939 100644
--- a/frontends/ol-utilities/src/images/backgroundImages.ts
+++ b/frontends/ol-utilities/src/images/backgroundImages.ts
@@ -1,14 +1,14 @@
 import { getImageProps } from "next/image"
 import type { ImageProps } from "next/image"
 
-const NEXT_PUBLIC_OPTIMIZE_IMAGES = Boolean(
-  (process.env.NEXT_PUBLIC_OPTIMIZE_IMAGES ?? "true") === "true",
-)
-
 /* Generates a CSS `image-set()` declaration for a statically imported image.
  * The Next.js server optimizes the image at resolutions requested, allowing the
  * browser to select the best-suited image size based on the device's pixel density.
  *
+ * When image optimization is disabled (next.config `images.unoptimized`),
+ * getImageProps returns no `srcSet`, so we fall back to a plain `url(...)`.
+ * That single check is sufficient — there is no separate env flag to consult.
+ *
  * https://nextjs.org/docs/app/api-reference/components/image#background-css
  */
 
@@ -19,12 +19,12 @@ export const backgroundSrcSetCSS = (image: ImageProps["src"]) => {
     src: image,
   })
 
-  if (!NEXT_PUBLIC_OPTIMIZE_IMAGES || !props.srcSet) {
+  if (!props.srcSet) {
     return `url("${props.src}")`
   }
 
   const imageSet = props.srcSet
-    ?.split(", ")
+    .split(", ")
     .map((str) => {
       const [url, dpi] = str.split(" ")
       return `url("${url}") ${dpi}`

From 9020b8efc168baf58b7c8db748223b3ac4eaae83 Mon Sep 17 00:00:00 2001
From: Chris Chudzicki <christopher.chudzicki@gmail.com>
Date: Tue, 2 Jun 2026 15:56:44 -0400
Subject: [PATCH 13/13] fix(nextjs): move Surrogate-Key to proxy; fix
 asset-extension matcher

Consolidate the 'html-pages' Surrogate-Key tag out of next.config.js and
into the runtime proxy(), gated on the same isPageRoute() test as
Cache-Control so the purge tag and cache policy can never diverge.

Replace the 'any path ending in .ext' static-asset check with an
allowlist of known asset extensions. Page slugs legitimately contain
dots (e.g. course readable ids like /courses/course-v1:MITxT+5.601x),
which the old regex wrongly classified as static assets and stripped of
caching headers. Also exclude /_next/ internals explicitly.

Add proxy.test.ts covering isPageRoute() and the proxy() header tagging.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 frontends/main/next.config.js                 | 36 +++----------
 .../app/sitemaps/sitemap-index.xml/route.ts   |  3 +-
 frontends/main/src/proxy.test.ts              | 51 +++++++++++++++++++
 frontends/main/src/proxy.ts                   | 32 ++++++++----
 4 files changed, 81 insertions(+), 41 deletions(-)
 create mode 100644 frontends/main/src/proxy.test.ts

diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 538bcfb596..453a797611 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -61,37 +61,13 @@ const nextConfig = {
 
   async headers() {
     return [
-      {
-        source: "/sitemaps/:path*.xml",
-        headers: [
-          // Tag sitemaps with "html-pages" so Fastly can purge them on deploy
-          // without also purging immutable /_next/static/ chunks.
-          // Cache-Control is set at runtime in src/middleware.ts so that
-          // NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes env
-          // rather than baked in at Docker build time.
-          { key: "Surrogate-Key", value: "html-pages" },
-        ],
-      },
-      /* This is intended to target the base HTML responses and streamed RSC
-       * content. Some routes are dynamically rendered, so NextJS by default
-       * sets no-cache. However we are currently serving public content that is
-       * cacheable.
-       *
-       * Excludes everything with a file extension (so /_next/static/*.js is
-       * never matched) and also excludes /healthcheck, which returns JSON and
-       * should not be tagged as an HTML page for Fastly surrogate-key purges.
+      /* The "html-pages" Surrogate-Key tag (for HTML/page routes and sitemaps)
+       * is set at runtime in src/proxy.ts, alongside Cache-Control and driven
+       * by the same isPageRoute() test, so the tag and the cache policy can
+       * never diverge. It cannot live here because page detection (and the
+       * Cache-Control value) depend on runtime state that is unavailable at
+       * build time. The rules below are genuinely static and immutable.
        */
-      {
-        source: "/((?!.*\\.[a-zA-Z0-9]+$)(?!healthcheck$).*)",
-        headers: [
-          // Tag all HTML/page routes so Fastly can purge them on deploy
-          // without also purging immutable /_next/static/ chunks.
-          // Cache-Control is set at runtime in src/middleware.ts so that
-          // NEXT_CACHE_S_MAXAGE_SECONDS is read from the Kubernetes env
-          // rather than baked in at Docker build time.
-          { key: "Surrogate-Key", value: "html-pages" },
-        ],
-      },
 
       /* Images rendered with the Next.js Image component have the cache header
        * set on them, but CSS background images do not.
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index 5d0c38b582..28d84ff5e0 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -54,6 +54,7 @@ function formatSitemapIndex(sitemapUrls: string[]) {
 /**
  * By default in NextJS, this route would be statically generated at build time
  * since it does not access a [dynamic api](https://nextjs.org/docs/app/guides/caching#dynamic-apis)
- * We force it to be rendered for each request; caching headers are set in next.config.js
+ * We force it to be rendered for each request; caching headers (Cache-Control
+ * and the "html-pages" Surrogate-Key) are set at runtime in src/proxy.ts.
  */
 export const dynamic = "force-dynamic"
diff --git a/frontends/main/src/proxy.test.ts b/frontends/main/src/proxy.test.ts
new file mode 100644
index 0000000000..1c392bd9b3
--- /dev/null
+++ b/frontends/main/src/proxy.test.ts
@@ -0,0 +1,51 @@
+import { NextRequest } from "next/server"
+import { isPageRoute, proxy } from "./proxy"
+
+describe("isPageRoute", () => {
+  test.each([
+    "/",
+    "/about",
+    "/search",
+    // Course/program readable ids legitimately contain dots and can end in a
+    // dotted suffix (e.g. 5.601x). These are HTML pages, not static assets.
+    "/courses/course-v1:MITxT+5.601x",
+    "/programs/program-v1:MITxT+18.01x",
+    // Sitemaps are dynamically generated and tagged for purge-on-deploy.
+    "/sitemaps/products.xml",
+    "/sitemaps/sitemap-index.xml",
+  ])("treats %s as a page route", (pathname) => {
+    expect(isPageRoute(pathname)).toBe(true)
+  })
+
+  test.each([
+    // JSON healthcheck
+    "/healthcheck",
+    // Static assets served as immutable files
+    "/favicon.ico",
+    "/images/mit-dome-2.jpg",
+    "/static/app.css",
+    // Anything under the Next.js internals tree, regardless of extension —
+    // including extensionless endpoints like the image optimizer.
+    "/_next/static/chunk.js",
+    "/_next/image",
+  ])("treats %s as a non-page route", (pathname) => {
+    expect(isPageRoute(pathname)).toBe(false)
+  })
+})
+
+describe("proxy", () => {
+  const makeRequest = (pathname: string) =>
+    new NextRequest(new URL(pathname, "https://learn.mit.edu"))
+
+  test("tags page routes with both Cache-Control and Surrogate-Key", () => {
+    const response = proxy(makeRequest("/courses/course-v1:MITxT+5.601x"))
+    expect(response.headers.get("Surrogate-Key")).toBe("html-pages")
+    expect(response.headers.get("Cache-Control")).toContain("s-maxage=")
+  })
+
+  test("leaves non-page routes untagged", () => {
+    const response = proxy(makeRequest("/healthcheck"))
+    expect(response.headers.get("Surrogate-Key")).toBeNull()
+    expect(response.headers.get("Cache-Control")).toBeNull()
+  })
+})
diff --git a/frontends/main/src/proxy.ts b/frontends/main/src/proxy.ts
index b74f682b99..7dc95a2212 100644
--- a/frontends/main/src/proxy.ts
+++ b/frontends/main/src/proxy.ts
@@ -1,27 +1,35 @@
 import { type NextRequest, NextResponse } from "next/server"
 
 /**
- * Matches paths that have a file extension (e.g. .js, .css, .woff2).
- * These are static assets that should NOT receive page-level Cache-Control
- * or Surrogate-Key headers — they are served from /_next/static/ with
- * content-addressed filenames and are cached immutably by Fastly.
+ * Matches paths ending in a known static-asset extension (e.g. .js, .css,
+ * .woff2). These are served as immutable files (from /_next/static/, /images/,
+ * the /static rewrite, or public/) and must NOT receive page-level
+ * Cache-Control or Surrogate-Key headers.
+ *
+ * This is an allowlist of asset extensions rather than "any path ending in a
+ * dot + chars", because page slugs legitimately contain dots — e.g. course
+ * readable ids like /courses/course-v1:MITxT+5.601x. Matching "any extension"
+ * wrongly classified those pages as static assets and stripped their caching.
  */
-const STATIC_FILE_EXT = /\.[a-zA-Z0-9]+$/
+const STATIC_FILE_EXT =
+  /\.(js|mjs|css|map|json|txt|xml|ico|png|jpe?g|gif|svg|webp|avif|woff2?|ttf|otf|eot|webmanifest|wasm)$/i
 
 /**
- * Returns true if the path should receive page-level caching headers
- * (Cache-Control with s-maxage). This mirrors the exclusion logic in the
- * next.config.js `headers()` rules for Surrogate-Key.
+ * Returns true if the path is an HTML/page route that should receive
+ * page-level caching headers (Cache-Control with s-maxage and the "html-pages"
+ * Surrogate-Key). Both headers in proxy() are gated on this single test.
  *
  * Sitemaps are explicitly included despite having an .xml extension because
  * they are dynamically generated HTML-adjacent content, not static assets.
  */
-function isPageRoute(pathname: string): boolean {
+export function isPageRoute(pathname: string): boolean {
+  // Next.js internals (static chunks, image optimizer, ...)
+  if (pathname.startsWith("/_next/")) return false
   // JSON healthcheck — exclude from page cache headers
   if (pathname === "/healthcheck") return false
   // Sitemaps are dynamically generated; treat them as page content
   if (pathname.startsWith("/sitemaps/")) return true
-  // Everything with a file extension is a static asset
+  // Known static-asset extensions are served as immutable files
   if (STATIC_FILE_EXT.test(pathname)) return false
   return true
 }
@@ -45,6 +53,10 @@ export function proxy(request: NextRequest) {
 
   const response = NextResponse.next()
   response.headers.set("Cache-Control", cacheControl)
+  // Tag all HTML/page routes so Fastly can purge them on deploy without also
+  // purging immutable /_next/static/ chunks. Driven by the same isPageRoute()
+  // test as Cache-Control above, so the tag and the cache policy never diverge.
+  response.headers.set("Surrogate-Key", "html-pages")
   return response
 }