From 9c03715ce0a9c83c7a52356fb15f6e59809f5dbb Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 16:03:48 -0400
Subject: [PATCH 01/10] feat(nextjs): standalone output, deterministic builds,
 and scoped Fastly purge
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three coordinated improvements to the Next.js deployment pipeline:

1. Scoped Fastly cache invalidation
   - Add Surrogate-Key: html-pages response header to HTML routes and
     sitemaps (excludes /_next/static/ via the existing file-extension
     regex), so purge/html-pages at deploy time no longer invalidates
     immutable content-addressed static chunks.

2. Deterministic builds
   - Add generateBuildId returning NEXT_PUBLIC_VERSION || GIT_REF || 'dev'
     so the build manifest filename is stable across identical builds.
   - Override webpack output.filename / output.chunkFilename to use
     [contenthash] instead of [chunkhash], making chunk filenames depend
     only on content rather than module graph ordering.

3. Standalone output + slimmed Docker image
   - Add output: 'standalone' to next.config.js so Next.js emits a
     self-contained server with a minimal node_modules tree.
   - Remove the build_skip_yarn Docker stage; add a new slim runner stage
     that copies .next/standalone/, .next/static/, and public/ from the
     build stage into a clean node:24-alpine image. The build is now fully
     baked in at image build time — no EFS volume or Kubernetes Job needed
     at deploy time.
   - Add ARG/ENV GIT_REF to the build stage so the git SHA passed by
     Concourse as BUILD_ARG_GIT_REF is available to next build.

BREAKING: this Dockerfile change must be deployed together with the
corresponding ol-infrastructure Pulumi change that removes the blue/green
EFS deployment and Kubernetes build Job.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web | 47 ++++++++++++++++++------------
 frontends/main/next.config.js | 55 +++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 18 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 2fa3a6961d..6e51225ca4 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -110,6 +110,12 @@ ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
 ARG NEXT_PUBLIC_VERSION
 ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
 
+# GIT_REF is the full commit SHA, passed by Concourse as BUILD_ARG_GIT_REF.
+# It is used by next.config.js generateBuildId as a fallback when
+# NEXT_PUBLIC_VERSION is not set (e.g. CI/main-branch builds).
+ARG GIT_REF
+ENV GIT_REF=$GIT_REF
+
 ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
 ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
 
@@ -161,32 +167,37 @@ ENV NEXT_PUBLIC_DEFAULT_SEARCH_STALENESS_PENALTY="2.5"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MINIMUM_SCORE_CUTOFF="0"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MAX_INCOMPLETENESS_PENALTY="90"
 
-# NEW STAGE: build_skip_yarn
-# This stage is intended for scenarios where the 'yarn build' step
-# is not needed (e.g., build artifacts are provided externally or
-# for a development setup where 'yarn dev' might be used).
-# Note: 'yarn start' in the CMD requires a prior build to have occurred
-# and the '.next' directory to be present.
-FROM base AS build_skip_yarn
+# STAGE: build
+# Runs `next build` to compile the application. With output: "standalone" in
+# next.config.js this emits a minimal server at .next/standalone/ that includes
+# only the required runtime files and can be run with plain node.
+FROM base AS build
 
-EXPOSE 3000
+RUN yarn build
 
-ENV PORT=3000
-ENV HOSTNAME="0.0.0.0"
+# STAGE: runner (default)
+# Copies only the standalone server, static assets, and public directory from
+# the build stage into a clean image. No yarn, no node_modules, no source code.
+#
+# The standalone server is started directly with node (not `yarn start`), which
+# avoids yarn overhead and is the pattern recommended by Next.js for Docker:
+# https://github.com/vercel/next.js/tree/canary/examples/with-docker
+FROM node:24-alpine AS runner
 
-CMD ["yarn", "start"]
+WORKDIR /app
 
-# DEFAULT STAGE: build
-# This stage performs the 'yarn build' step and is the default target
-# if no --target is specified during the Docker build command.
-FROM base AS build
+# Copy the standalone server (includes a minimal node_modules)
+COPY --from=build /app/frontends/main/.next/standalone ./
 
-RUN yarn build
+# Copy static assets served by the Next.js server under /_next/static/
+COPY --from=build /app/frontends/main/.next/static ./frontends/main/.next/static
+
+# Copy the public directory (robots.txt, favicon.ico, etc.)
+COPY --from=build /app/frontends/main/public ./frontends/main/public
 
 EXPOSE 3000
 
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
-# CMD ["node", "/app/frontends/main/.next/standalone/frontends/main/server.js"]
-CMD ["yarn", "start"]
+CMD ["node", "frontends/main/server.js"]
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 303a8b29f4..f9418dfbf2 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -31,6 +31,13 @@ const processFeatureFlags = () => {
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   productionBrowserSourceMaps: true,
+  /**
+   * Standalone output emits a minimal self-contained server at
+   * .next/standalone/ with only the required runtime files. The resulting
+   * Docker image requires no node_modules and no yarn at startup.
+   * See: https://nextjs.org/docs/app/getting-started/deploying#docker
+   */
+  output: "standalone",
   async rewrites() {
     return [
       /* Static assets moved from /static, though image paths are sometimes
@@ -81,6 +88,9 @@ const nextConfig = {
             key: "Cache-Control",
             value: PAGE_CACHE_CONTROL,
           },
+          // Tag sitemaps with "html-pages" so Fastly can purge them on deploy
+          // without also purging immutable /_next/static/ chunks.
+          { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
       /* This is intended to target the base HTML responses and streamed RSC
@@ -97,6 +107,11 @@ const nextConfig = {
             key: "Cache-Control",
             value: PAGE_CACHE_CONTROL,
           },
+          // Tag all HTML/page routes so Fastly can purge them on deploy
+          // without also purging immutable /_next/static/ chunks.
+          // The pattern above already excludes file extensions, so /_next/static/*.js
+          // will never receive this tag.
+          { key: "Surrogate-Key", value: "html-pages" },
         ],
       },
 
@@ -146,6 +161,46 @@ const nextConfig = {
     // Explicitly enable it for clarity (optional - already default)
     turbopackFileSystemCacheForDev: true,
   },
+
+  /**
+   * Stable, deterministic build ID based on the git SHA / version tag.
+   *
+   * Next.js embeds the build ID in manifest filenames (_buildManifest.js,
+   * _ssgManifest.js) and in page-data paths. Using the same ID across
+   * rebuilds of the same commit reduces inter-build hash drift.
+   *
+   * NEXT_PUBLIC_VERSION is set as a Kubernetes env var (and as a Docker
+   * build arg in future standalone builds). GIT_REF is the full commit SHA
+   * passed by Concourse. The 'dev' fallback is for local builds.
+   */
+  generateBuildId: async () =>
+    process.env.NEXT_PUBLIC_VERSION || process.env.GIT_REF || "dev",
+
+  /**
+   * Replace webpack's [chunkhash] with [contenthash].
+   *
+   * [chunkhash] is influenced by module ordering and internal IDs, so two
+   * builds of identical code can produce different filenames. [contenthash]
+   * is derived purely from the file's content, making chunk names stable
+   * across rebuilds when code is unchanged.
+   *
+   * See: https://github.com/vercel/next.js/discussions/65856
+   */
+  webpack: (config) => {
+    if (config.output.filename) {
+      config.output.filename = config.output.filename.replace(
+        "[chunkhash]",
+        "[contenthash]",
+      )
+    }
+    if (config.output.chunkFilename) {
+      config.output.chunkFilename = config.output.chunkFilename.replace(
+        "[chunkhash]",
+        "[contenthash]",
+      )
+    }
+    return config
+  },
 }
 
 const { withSentryConfig } = require("@sentry/nextjs")

From d44adde9f32a91cde55de3a1beae902f9a58a30d Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 16:17:44 -0400
Subject: [PATCH 02/10] fix: address PR review feedback on runner stage and
 surrogate key pattern

- Fix misleading comment: standalone bundle includes a minimal node_modules,
  not zero node_modules
- Add NODE_ENV=production to runner stage; it was previously inherited from
  the base stage but the runner uses a fresh FROM so must be set explicitly
- Exclude /healthcheck from the html-pages Surrogate-Key pattern; healthcheck
  returns JSON and should not be tagged as an HTML page for Fastly purges

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web | 5 ++++-
 frontends/main/next.config.js | 8 ++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 6e51225ca4..4de4b1104d 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -177,7 +177,9 @@ RUN yarn build
 
 # STAGE: runner (default)
 # Copies only the standalone server, static assets, and public directory from
-# the build stage into a clean image. No yarn, no node_modules, no source code.
+# the build stage into a clean image. No workspace install is needed; the
+# standalone bundle ships with the minimal node_modules required to run the
+# server. No source code or build tooling is included.
 #
 # The standalone server is started directly with node (not `yarn start`), which
 # avoids yarn overhead and is the pattern recommended by Next.js for Docker:
@@ -197,6 +199,7 @@ COPY --from=build /app/frontends/main/public ./frontends/main/public
 
 EXPOSE 3000
 
+ENV NODE_ENV=production
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index f9418dfbf2..f1ffd01cb4 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -98,10 +98,12 @@ const nextConfig = {
        * sets no-cache. However we are currently serving public content that is
        * cacheable.
        *
-       * Excludes everything with a file extension so we're matching only on routes.
+       * Excludes everything with a file extension (so /_next/static/*.js is
+       * never matched) and also excludes /healthcheck, which returns JSON and
+       * should not be tagged as an HTML page for Fastly surrogate-key purges.
        */
       {
-        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$).*)",
+        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$)(?!healthcheck$).*)",
         headers: [
           {
             key: "Cache-Control",
@@ -109,8 +111,6 @@ const nextConfig = {
           },
           // Tag all HTML/page routes so Fastly can purge them on deploy
           // without also purging immutable /_next/static/ chunks.
-          // The pattern above already excludes file extensions, so /_next/static/*.js
-          // will never receive this tag.
           { key: "Surrogate-Key", value: "html-pages" },
         ],
       },

From ffe516102ffbc1a21f5af9a1c729637a4eb5e302 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Wed, 20 May 2026 17:10:37 -0400
Subject: [PATCH 03/10] feat(nextjs): runtime env injection via PublicEnvScript
 + env() helper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace webpack build-time NEXT_PUBLIC_* inlining with a runtime injection
pattern that allows a single Docker image to be deployed across environments.

Problem: DefinePlugin bakes all process.env.NEXT_PUBLIC_* references as
literal values at build time. When yarn build runs in CI (without per-env
values), all NEXT_PUBLIC_* vars are empty strings in the bundle—even though
the Kubernetes pod has the correct values set.

Solution:
- PublicEnvScript: a Server Component that calls connection() (opts out of
  SSG) and renders a synchronous inline <script> setting window.__ENV to
  all NEXT_PUBLIC_* values from process.env at request time. Placed in root
  <head> so it executes before any JS bundle loads.
- env(): a helper that reads window.__ENV in the browser and uses dynamic
  process.env[key] access on the server (dynamic bracket access is NOT
  replaced by DefinePlugin). Falls back to process.env[key] in the browser
  to support test environments (jsdom) that set process.env directly.
- Migrate all 143 process.env.NEXT_PUBLIC_* usages across 56 source files
  to env(). Test files unchanged—existing vi.stubEnv / direct process.env
  assignment continues to work via the fallback.

Additional changes:
- next.config.js: gate validateEnv() with NEXT_BUILD_CI to skip at build
  time; runtime validation added to instrumentation-node.ts (runs at server
  startup via instrumentation.ts register()).
- Dockerfile: set ENV NEXT_BUILD_CI=1 in build stage.
- ConfiguredPostHogProvider: compute PostHog bootstrap feature flags from
  window.__ENV at runtime (previously baked via processFeatureFlags() in
  next.config.js which returns {} in CI builds). Remove build-time
  FEATURE_FLAGS from next.config.js env config.
- instrumentation-node.ts: use dynamic process.env[key] access for
  NEXT_PUBLIC_SENTRY_* and NEXT_PUBLIC_VERSION to avoid DefinePlugin
  inlining; add required env var check at startup.
- otel-utils.ts: same dynamic access for APP_VERSION.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontends/main/Dockerfile.web                 |  7 +++
 frontends/main/next.config.js                 | 28 +++---------
 .../src/app-pages/AboutPage/AboutPage.tsx     |  3 +-
 .../CertificatePage/CertificatePage.tsx       |  3 +-
 .../ChannelPage/TopicChannelTemplate.tsx      |  3 +-
 .../HomeEnrollmentsDisplay.tsx                |  3 +-
 .../DashboardPage/EnrollmentRedirectAlert.tsx |  3 +-
 .../HomePage/BrowseTopicsSection.tsx          |  5 ++-
 .../HomePage/UAIAnnouncementCard.tsx          |  3 +-
 .../app-pages/HomePage/VideoShortsModal.tsx   |  3 +-
 .../app-pages/HomePage/VideoShortsSection.tsx |  3 +-
 .../app-pages/HonorCodePage/HonorCodePage.tsx |  3 +-
 .../src/app-pages/PrivacyPage/PrivacyPage.tsx |  5 ++-
 .../ProductPages/CourseEnrollmentButton.tsx   |  3 +-
 .../ProductPages/MitxOnlineResourceCard.tsx   |  3 +-
 .../ProductPages/ProductPageTemplate.tsx      |  3 +-
 .../ProductPages/ProgramEnrollmentButton.tsx  |  3 +-
 .../TopicsListingPage/TopicsListingPage.tsx   |  3 +-
 .../app-pages/UnitsListingPage/UnitCard.tsx   |  3 +-
 .../VideoDetailPage.tsx                       |  3 +-
 .../YouTubeIframePlayer.tsx                   |  3 +-
 .../[certificateType]/[uuid]/page.tsx         |  3 +-
 .../[certificateType]/[uuid]/pdf/route.tsx    |  3 +-
 frontends/main/src/app/(site)/layout.tsx      |  9 ++--
 .../src/app/components/PublicEnvScript.tsx    | 38 ++++++++++++++++
 frontends/main/src/app/healthcheck/route.ts   |  3 +-
 frontends/main/src/app/layout.tsx             |  8 +++-
 frontends/main/src/app/robots.ts              |  5 ++-
 .../main/src/app/sitemaps/channels/sitemap.ts |  3 +-
 .../main/src/app/sitemaps/podcast/sitemap.ts  |  3 +-
 .../main/src/app/sitemaps/products/sitemap.ts |  3 +-
 .../src/app/sitemaps/resources/sitemap.ts     |  3 +-
 .../app/sitemaps/sitemap-index.xml/route.ts   |  5 ++-
 .../main/src/app/sitemaps/static/sitemap.ts   |  5 ++-
 .../main/src/app/sitemaps/video/sitemap.ts    |  3 +-
 frontends/main/src/common/certificateUtils.ts |  3 +-
 frontends/main/src/common/client-utils.ts     |  5 +--
 frontends/main/src/common/config.ts           |  5 ++-
 frontends/main/src/common/metadata.ts         |  5 ++-
 frontends/main/src/common/mitxonline/index.ts |  6 ++-
 frontends/main/src/common/urls.ts             |  7 +--
 frontends/main/src/common/utils.ts            |  3 +-
 .../components/PrivateTitle/PrivateTitle.tsx  |  3 +-
 frontends/main/src/env.ts                     | 35 +++++++++++++++
 frontends/main/src/instrumentation-client.ts  | 15 ++++---
 frontends/main/src/instrumentation-node.ts    | 37 +++++++++++++---
 frontends/main/src/otel-utils.ts              |  2 +-
 .../AiChat/AiRecommendationBotDrawer.tsx      |  5 ++-
 .../AiChat/AskTimDrawerButton.tsx             |  3 +-
 .../ConfiguredPostHogProvider.tsx             | 43 +++++++++++++++----
 .../Dialogs/AddToListDialog.tsx               |  3 +-
 .../src/page-components/Header/Header.tsx     |  3 +-
 .../page-components/HeroSearch/HeroSearch.tsx |  5 ++-
 .../LearningResourceDrawer.tsx                |  5 ++-
 .../AiChatSyllabusSlideDown.tsx               |  7 +--
 .../CallToActionSection.tsx                   |  5 ++-
 .../ResourceCarousel/ResourceCarousel.tsx     |  3 +-
 .../SearchDisplay/SearchDisplay.tsx           |  3 +-
 .../SearchDisplay/UniversalAIBanner.tsx       |  3 +-
 .../SearchField/SearchField.tsx               |  3 +-
 .../SignupPopover/SignupPopover.tsx           |  3 +-
 .../ArticleByLineInfoBar.tsx                  |  3 +-
 62 files changed, 294 insertions(+), 119 deletions(-)
 create mode 100644 frontends/main/src/app/components/PublicEnvScript.tsx
 create mode 100644 frontends/main/src/env.ts

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 4de4b1104d..9207479635 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -171,8 +171,15 @@ ENV NEXT_PUBLIC_DEFAULT_SEARCH_MAX_INCOMPLETENESS_PENALTY="90"
 # Runs `next build` to compile the application. With output: "standalone" in
 # next.config.js this emits a minimal server at .next/standalone/ that includes
 # only the required runtime files and can be run with plain node.
+#
+# NEXT_BUILD_CI=1 skips validateEnv() in next.config.js, which would fail
+# because NEXT_PUBLIC_* vars are not available at build time — they are
+# injected at runtime by Kubernetes and surfaced to the browser via
+# PublicEnvScript. Validation runs at server startup in instrumentation-node.ts.
 FROM base AS build
 
+ENV NEXT_BUILD_CI=1
+
 RUN yarn build
 
 # STAGE: runner (default)
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index f1ffd01cb4..6568006ead 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -1,7 +1,13 @@
 // @ts-check
 const { validateEnv } = require("./validateEnv")
 
-validateEnv()
+// In CI Docker builds (NEXT_BUILD_CI=1), NEXT_PUBLIC_* vars are not available
+// at build time — they are injected at runtime via PublicEnvScript. Skip
+// build-time validation; validateEnv() runs at server startup instead (see
+// src/instrumentation-node.ts).
+if (!process.env.NEXT_BUILD_CI) {
+  validateEnv()
+}
 
 const NEXT_PUBLIC_OPTIMIZE_IMAGES = Boolean(
   (process.env.NEXT_PUBLIC_OPTIMIZE_IMAGES ?? "true") === "true",
@@ -12,22 +18,6 @@ const NEXT_CACHE_S_MAXAGE_SECONDS =
   process.env.NEXT_CACHE_S_MAXAGE_SECONDS || "1800"
 const PAGE_CACHE_CONTROL = `s-maxage=${NEXT_CACHE_S_MAXAGE_SECONDS}, stale-if-error=86400, stale-while-revalidate=86400`
 
-const processFeatureFlags = () => {
-  const featureFlagPrefix =
-    process.env.NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX || "FEATURE_"
-  const bootstrapFeatureFlags = {}
-
-  for (const [key, value] of Object.entries(process.env)) {
-    if (key.startsWith(`NEXT_PUBLIC_${featureFlagPrefix}`)) {
-      bootstrapFeatureFlags[
-        key.replace(`NEXT_PUBLIC_${featureFlagPrefix}`, "").replaceAll("_", "-")
-      ] = value === "True" ? true : JSON.stringify(value)
-    }
-  }
-
-  return bootstrapFeatureFlags
-}
-
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   productionBrowserSourceMaps: true,
@@ -152,10 +142,6 @@ const nextConfig = {
     qualities: [25, 50, 75, 100],
   },
 
-  env: {
-    FEATURE_FLAGS: JSON.stringify(processFeatureFlags()),
-  },
-
   experimental: {
     // Turbopack filesystem caching is enabled by default in Next.js 16.1+
     // Explicitly enable it for clarity (optional - already default)
diff --git a/frontends/main/src/app-pages/AboutPage/AboutPage.tsx b/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
index 5fd4196961..0d154dcdc3 100644
--- a/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
+++ b/frontends/main/src/app-pages/AboutPage/AboutPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -15,7 +16,7 @@ import Image from "next/image"
 const WHAT_IS_MIT_OPEN_FRAGMENT_IDENTIFIER = "what-is-mit-learn"
 const ACADEMIC_AND_PROFESSIONAL_CONTENT = "kinds-of-content"
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 const PageContainer = styled(Container)({
   color: theme.custom.colors.darkGray2,
diff --git a/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx b/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
index f93d7b8c0f..24311f47f3 100644
--- a/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
+++ b/frontends/main/src/app-pages/CertificatePage/CertificatePage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useRef, useEffect, useCallback, useState } from "react"
 import { notFound } from "next/navigation"
 import Image from "next/image"
@@ -556,7 +557,7 @@ const Certificate = ({
                 src={
                   signatory.signature_image.startsWith("http")
                     ? signatory.signature_image
-                    : `${process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL}${signatory.signature_image}`
+                    : `${env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL")}${signatory.signature_image}`
                 }
                 alt={signatory.name}
                 crossOrigin="anonymous"
diff --git a/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx b/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
index e30ecd4727..c7bd475c1f 100644
--- a/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
+++ b/frontends/main/src/app-pages/ChannelPage/TopicChannelTemplate.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import {
   styled,
@@ -110,7 +111,7 @@ const TopicChipsInternal: React.FC<TopicChipsInternalProps> = (props) => {
             key={topic.id}
             href={topic.channel_url ?? ""}
             onClick={() => {
-              if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+              if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                 posthog.capture(posthogEvent, { topic })
               }
             }}
diff --git a/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx b/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
index 2dc6755ba1..f1026ffb01 100644
--- a/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
+++ b/frontends/main/src/app-pages/DashboardPage/CoursewareDisplay/HomeEnrollmentsDisplay.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import {
   Collapse,
@@ -89,7 +90,7 @@ const ShowAllContainer = styled.div(({ theme }) => ({
   },
 }))
 
-const SUPPORT_EMAIL = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL || ""
+const SUPPORT_EMAIL = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL") || ""
 
 const getResourceKey = (resource: DashboardResource): string => {
   if (resource.type === DashboardType.ProgramEnrollment) {
diff --git a/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx b/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
index 77f73ac1ff..4a57990a6f 100644
--- a/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
+++ b/frontends/main/src/app-pages/DashboardPage/EnrollmentRedirectAlert.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { useQuery } from "@tanstack/react-query"
 import { Alert } from "@mitodl/smoot-design"
@@ -170,7 +171,7 @@ const parseAlertRequest = (
 
 const EnrollmentRedirectAlert: React.FC = () => {
   const request = useConsumeSearchParamsOnce(parseAlertRequest)
-  const supportEmail = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL || ""
+  const supportEmail = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL") || ""
 
   const mitxOnlineUserQuery = useQuery({
     ...mitxUserQueries.me(),
diff --git a/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx b/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
index 88ef1a5fb5..244af42986 100644
--- a/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
+++ b/frontends/main/src/app-pages/HomePage/BrowseTopicsSection.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import Link from "next/link"
 import {
@@ -123,7 +124,7 @@ const BrowseTopicsSection: React.FC = () => {
                   key={id}
                   href={channelUrl ? new URL(channelUrl!).pathname : ""}
                   onClick={() => {
-                    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                       posthog.capture(PostHogEvents.HomeTopicClicked, {
                         topic: name,
                       })
@@ -143,7 +144,7 @@ const BrowseTopicsSection: React.FC = () => {
         <SeeAllButton
           href="/topics/"
           onClick={() => {
-            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
               posthog.capture(PostHogEvents.HomeSeeAllTopicsClicked)
             }
           }}
diff --git a/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx b/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
index 0d8223a9e9..dfb9b0994b 100644
--- a/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
+++ b/frontends/main/src/app-pages/HomePage/UAIAnnouncementCard.tsx
@@ -1,4 +1,5 @@
 "use client"
+import { env } from "@/env"
 import React from "react"
 import { Typography, styled } from "ol-components"
 import { ButtonLink } from "@mitodl/smoot-design"
@@ -252,7 +253,7 @@ const UAIAnnouncementCard: React.FC = () => {
   })
 
   const handleCTAClick = () => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Learn about Universal AI",
         readableId: UAI_PROGRAM_READABLE_ID,
diff --git a/frontends/main/src/app-pages/HomePage/VideoShortsModal.tsx b/frontends/main/src/app-pages/HomePage/VideoShortsModal.tsx
index f8f3437a51..26ecd21176 100644
--- a/frontends/main/src/app-pages/HomePage/VideoShortsModal.tsx
+++ b/frontends/main/src/app-pages/HomePage/VideoShortsModal.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useCallback, useEffect, useRef, useState } from "react"
 import Image from "next/image"
 import { styled, Typography } from "ol-components"
@@ -8,7 +9,7 @@ import { useWindowDimensions } from "ol-utilities"
 import type { VideoShort } from "api/v0"
 import MITOpenLearningLogo from "@/public/images/mit-open-learning-logo.svg"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const Overlay = styled.div(({ theme }) => ({
   position: "fixed",
diff --git a/frontends/main/src/app-pages/HomePage/VideoShortsSection.tsx b/frontends/main/src/app-pages/HomePage/VideoShortsSection.tsx
index 0a756689d1..7be83b553d 100644
--- a/frontends/main/src/app-pages/HomePage/VideoShortsSection.tsx
+++ b/frontends/main/src/app-pages/HomePage/VideoShortsSection.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState } from "react"
 import Image from "next/image"
 import { Container, Typography, Card, styled } from "ol-components"
@@ -6,7 +7,7 @@ import { useVideoShortsList } from "api/hooks/videoShorts"
 import VideoShortsModal from "./VideoShortsModal"
 import MITOpenLearningLogo from "@/public/images/mit-open-learning-logo.svg"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const Section = styled.section(({ theme }) => ({
   padding: "80px 0",
diff --git a/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx b/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
index 73d98f13ca..8f8271f54f 100644
--- a/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
+++ b/frontends/main/src/app-pages/HonorCodePage/HonorCodePage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -64,7 +65,7 @@ const UnorderedList = styled.ul(({ theme }) => ({
   marginTop: "10px",
 }))
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 const HonorCodePage: React.FC = () => {
   return (
diff --git a/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx b/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
index b4df60b38c..5ab03c7388 100644
--- a/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
+++ b/frontends/main/src/app-pages/PrivacyPage/PrivacyPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import {
   Breadcrumbs,
   Container,
@@ -64,8 +65,8 @@ const UnorderedList = styled.ul(({ theme }) => ({
   marginTop: "10px",
 }))
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
-const MITOL_SUPPORT_EMAIL = process.env.NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
+const MITOL_SUPPORT_EMAIL = env("NEXT_PUBLIC_MITOL_SUPPORT_EMAIL")
 
 const PrivacyPage: React.FC = () => {
   return (
diff --git a/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx b/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
index 1973e9c2cd..4c8b04821d 100644
--- a/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
+++ b/frontends/main/src/app-pages/ProductPages/CourseEnrollmentButton.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { styled, Stack, LoadingSpinner } from "ol-components"
 import { useQuery } from "@tanstack/react-query"
@@ -94,7 +95,7 @@ const CourseEnrollmentButton: React.FC<CourseEnrollmentButtonProps> = ({
     if (me.isLoading) {
       return
     }
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         readableId: course.readable_id,
         resourceType: "course",
diff --git a/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx b/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
index 2c07c18beb..e93a8f11c5 100644
--- a/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
+++ b/frontends/main/src/app-pages/ProductPages/MitxOnlineResourceCard.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { usePostHog } from "posthog-js/react"
 import { BaseLearningResourceCard } from "ol-components"
@@ -217,7 +218,7 @@ const MitxOnlineResourceCard: React.FC<MitxOnlineResourceCardProps> = (
       ariaLabel={`${data.displayType}: ${data.title}`}
       list={list}
       onClick={() => {
-        if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+        if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
           posthog.capture(PostHogEvents.CourseCardClicked, {
             label,
             resourceId: props.resource?.id,
diff --git a/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx b/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
index ad2c32555e..8b8400f512 100644
--- a/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
+++ b/frontends/main/src/app-pages/ProductPages/ProductPageTemplate.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import {
   Container,
@@ -311,7 +312,7 @@ const ProductPageTemplate: React.FC<ProductPageTemplateProps> = ({
 
   const handleStayUpdatedClick = () => {
     if (!showStayUpdated || !resource) return
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Stay Updated",
         readableId: resource.readable_id,
diff --git a/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx b/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
index d3571fe900..8b66fe1adc 100644
--- a/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
+++ b/frontends/main/src/app-pages/ProductPages/ProgramEnrollmentButton.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { LoadingSpinner, Stack } from "ol-components"
 import {
@@ -84,7 +85,7 @@ const ProgramEnrollmentButton: React.FC<ProgramEnrollmentButtonProps> = ({
     if (enrollments.isLoading || me.isLoading) {
       return
     }
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         readableId: program.readable_id,
         resourceType: "program",
diff --git a/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx b/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
index db6bb0f58b..6540bf8a02 100644
--- a/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
+++ b/frontends/main/src/app-pages/TopicsListingPage/TopicsListingPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useMemo } from "react"
 import {
   Container,
@@ -34,7 +35,7 @@ const captureTopicClicked = (
   event: string,
   topic: string,
 ) => {
-  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     posthog.capture(event, { topic })
   }
 }
diff --git a/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx b/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
index 6afee621b4..a7ef3c1167 100644
--- a/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
+++ b/frontends/main/src/app-pages/UnitsListingPage/UnitCard.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import type { OfferedByEnum } from "api"
 import type { UnitChannel } from "api/v0"
@@ -98,7 +99,7 @@ const UnitCard: React.FC<UnitCardProps> = (props) => {
               <Link
                 href={href}
                 onClick={() => {
-                  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                     posthog.capture(PostHogEvents.ProviderLinkClicked, {
                       provider: unit,
                     })
diff --git a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
index bd2f3b9084..086850fd6c 100644
--- a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
+++ b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/VideoDetailPage.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useEffect, useRef, useState } from "react"
 import Link from "next/link"
 import Image from "next/image"
@@ -19,7 +20,7 @@ import SharePopover from "@/components/SharePopover/SharePopover"
 import { buildVideoStructuredData } from "./videoStructuredData"
 import VideoResourcePlayer from "./VideoResourcePlayer"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const PageWrapper = styled.div({
   backgroundColor: "#fff",
diff --git a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
index 7913907813..434b028913 100644
--- a/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
+++ b/frontends/main/src/app-pages/VideoPlaylistCollectionPage/YouTubeIframePlayer.tsx
@@ -1,9 +1,10 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 export type YouTubeIframePlayerProps = {
diff --git a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
index c0c53d21e5..7c07074586 100644
--- a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
+++ b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/page.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { Metadata } from "next"
 import CertificatePage from "@/app-pages/CertificatePage/CertificatePage"
@@ -9,7 +10,7 @@ import { safeGenerateMetadata, standardizeMetadata } from "@/common/metadata"
 import { getQueryClient } from "@/app/getQueryClient"
 import { getCertificateInfo } from "@/common/certificateUtils"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 enum CertificateType {
   Course = "course",
diff --git a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
index 0dc1b61203..63e991d512 100644
--- a/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
+++ b/frontends/main/src/app/(site)/certificate/[certificateType]/[uuid]/pdf/route.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 /* eslint-disable no-restricted-syntax */
 import React from "react"
 import type { AxiosError } from "axios"
@@ -384,7 +385,7 @@ const CertificateDoc = ({
                     source={
                       signatory.signature_image.startsWith("http")
                         ? signatory.signature_image
-                        : `${process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL}${signatory.signature_image}`
+                        : `${env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL")}${signatory.signature_image}`
                     }
                     style={{
                       width: "100px",
diff --git a/frontends/main/src/app/(site)/layout.tsx b/frontends/main/src/app/(site)/layout.tsx
index 982058ea30..32f941e427 100644
--- a/frontends/main/src/app/(site)/layout.tsx
+++ b/frontends/main/src/app/(site)/layout.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import Script from "next/script"
 import Header from "@/page-components/Header/Header"
@@ -86,13 +87,13 @@ j=d.createElement(s),dl=l!=='dataLayer'?'&l='+l:'';j.async=true;j.src=
           <Footer />
         </PageWrapper>
       </SiteProviders>
-      {process.env.NEXT_PUBLIC_APPZI_URL ? (
-        <Script async src={process.env.NEXT_PUBLIC_APPZI_URL} />
+      {env("NEXT_PUBLIC_APPZI_URL") ? (
+        <Script async src={env("NEXT_PUBLIC_APPZI_URL")} />
       ) : null}
-      {process.env.NEXT_PUBLIC_HUBSPOT_PORTAL_ID ? (
+      {env("NEXT_PUBLIC_HUBSPOT_PORTAL_ID") ? (
         <Script
           id="hs-script-loader"
-          src={`https://js.hs-scripts.com/${process.env.NEXT_PUBLIC_HUBSPOT_PORTAL_ID}.js`}
+          src={`https://js.hs-scripts.com/${env("NEXT_PUBLIC_HUBSPOT_PORTAL_ID")}.js`}
           strategy="afterInteractive"
         />
       ) : null}
diff --git a/frontends/main/src/app/components/PublicEnvScript.tsx b/frontends/main/src/app/components/PublicEnvScript.tsx
new file mode 100644
index 0000000000..8709bdbfe1
--- /dev/null
+++ b/frontends/main/src/app/components/PublicEnvScript.tsx
@@ -0,0 +1,38 @@
+/**
+ * Server Component that injects all NEXT_PUBLIC_* environment variables into
+ * the page HTML as a synchronous inline <script> before any JS bundle loads.
+ *
+ * This enables the `env()` helper (src/env.ts) to read per-environment values
+ * at runtime in the browser, decoupling them from webpack's build-time
+ * DefinePlugin substitution.
+ *
+ * Placement: render inside <head> in the root app/layout.tsx.
+ *
+ * Execution order guarantee: a plain <script> (not next/script) in <head>
+ * runs synchronously during HTML parsing — before any deferred or async JS
+ * module loads. `window.__ENV` is therefore available when
+ * instrumentation-client.ts (Sentry) and all React component modules evaluate.
+ *
+ * Security: JSON output is sanitized to prevent </script> injection. The app
+ * currently has no CSP; if one is added, this script will need a nonce.
+ */
+import React from "react"
+import { connection } from "next/server"
+
+export async function PublicEnvScript() {
+  // `connection()` opts this route out of static prerendering so that
+  // process.env is read fresh on every request (not baked at build time).
+  await connection()
+
+  const publicEnv = Object.fromEntries(
+    Object.entries(process.env).filter(([k]) => k.startsWith("NEXT_PUBLIC_")),
+  )
+
+  // Escape `<` to prevent a value like `</script><script>...` from breaking
+  // out of the script tag.
+  const json = JSON.stringify(publicEnv).replace(/</g, "\\u003c")
+
+  return (
+    <script dangerouslySetInnerHTML={{ __html: `window.__ENV=${json};` }} />
+  )
+}
diff --git a/frontends/main/src/app/healthcheck/route.ts b/frontends/main/src/app/healthcheck/route.ts
index 2eb9277042..04d5009f5a 100644
--- a/frontends/main/src/app/healthcheck/route.ts
+++ b/frontends/main/src/app/healthcheck/route.ts
@@ -1,4 +1,5 @@
-const VERSION = process.env.NEXT_PUBLIC_VERSION || "unknown"
+import { env } from "@/env"
+const VERSION = env("NEXT_PUBLIC_VERSION") || "unknown"
 export async function GET() {
   return Response.json(
     {
diff --git a/frontends/main/src/app/layout.tsx b/frontends/main/src/app/layout.tsx
index 3ae2f503ff..e952b67382 100644
--- a/frontends/main/src/app/layout.tsx
+++ b/frontends/main/src/app/layout.tsx
@@ -1,9 +1,11 @@
 import React from "react"
 import Providers from "./providers"
+import { PublicEnvScript } from "./components/PublicEnvScript"
+import { env } from "@/env"
 
 import "./GlobalStyles"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 /**
  * As part of the root layout, this metadata object is site-wide defaults
@@ -42,8 +44,10 @@ export default function RootLayout({
         ></link>
         <meta
           name="application-version"
-          content={process.env.NEXT_PUBLIC_VERSION || "unknown"}
+          content={env("NEXT_PUBLIC_VERSION") || "unknown"}
         />
+        {/* Inject all NEXT_PUBLIC_* env vars for runtime access via env() */}
+        <PublicEnvScript />
       </head>
       <body>
         <Providers>{children}</Providers>
diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index 6893b369a8..f41a82dbfb 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,8 +1,9 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export default function robots(): MetadataRoute.Robots {
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
diff --git a/frontends/main/src/app/sitemaps/channels/sitemap.ts b/frontends/main/src/app/sitemaps/channels/sitemap.ts
index 76e9b5b6ac..7aea1a816c 100644
--- a/frontends/main/src/app/sitemaps/channels/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/channels/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
@@ -5,7 +6,7 @@ import { dangerouslyDetectProductionBuildPhase } from "../util"
 import { getQueryClient } from "@/app/getQueryClient"
 import { channelQueries } from "api/hooks/channels"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 100
diff --git a/frontends/main/src/app/sitemaps/podcast/sitemap.ts b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
index 3257123ef7..aea4b26602 100644
--- a/frontends/main/src/app/sitemaps/podcast/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/products/sitemap.ts b/frontends/main/src/app/sitemaps/products/sitemap.ts
index 5e421625f6..48f66ed942 100644
--- a/frontends/main/src/app/sitemaps/products/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/products/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/resources/sitemap.ts b/frontends/main/src/app/sitemaps/resources/sitemap.ts
index 3c28f7ad3a..2da7e6b195 100644
--- a/frontends/main/src/app/sitemaps/resources/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/resources/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -5,7 +6,7 @@ import invariant from "tiny-invariant"
 import { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index 7fd20af808..c8141e6f65 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { NextResponse } from "next/server"
 import invariant from "tiny-invariant"
 import * as resourceSitemap from "../resources/sitemap"
@@ -6,8 +7,8 @@ import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export async function GET() {
   const content = await buildSitemapIndex()
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 62aa1466cf..8b0806edee 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,8 +1,9 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import invariant from "tiny-invariant"
 
-invariant(process.env.NEXT_PUBLIC_ORIGIN)
-const BASE_URL: string = process.env.NEXT_PUBLIC_ORIGIN
+invariant(env("NEXT_PUBLIC_ORIGIN"))
+const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
 
 export default function sitemap(): MetadataRoute.Sitemap {
   return [
diff --git a/frontends/main/src/app/sitemaps/video/sitemap.ts b/frontends/main/src/app/sitemaps/video/sitemap.ts
index 42a3077ac4..75ed529455 100644
--- a/frontends/main/src/app/sitemaps/video/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/video/sitemap.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
@@ -6,7 +7,7 @@ import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = process.env.NEXT_PUBLIC_ORIGIN
+const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
 invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const PAGE_SIZE = 1_000
diff --git a/frontends/main/src/common/certificateUtils.ts b/frontends/main/src/common/certificateUtils.ts
index 08c66b752d..8dfd184b56 100644
--- a/frontends/main/src/common/certificateUtils.ts
+++ b/frontends/main/src/common/certificateUtils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type {
   V2ProgramCertificate,
   V2CourseRunCertificate,
@@ -24,7 +25,7 @@ export enum CertificateType {
  * The below matches my naive expectations but we need to confirm that since we need unauthenticated access
  */
 
-const API_BASE_URL = process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
+const API_BASE_URL = env("NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL")
 invariant(API_BASE_URL, "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL must be set")
 
 /* This is the Organization ID for MIT OpenLearning on LinkedIn as far as I can tell. We could parameterize this if needed */
diff --git a/frontends/main/src/common/client-utils.ts b/frontends/main/src/common/client-utils.ts
index 0a93fd759f..3320136dba 100644
--- a/frontends/main/src/common/client-utils.ts
+++ b/frontends/main/src/common/client-utils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { ChannelCounts } from "api/v0"
 import { auth } from "./urls"
 import { redirect, usePathname, useSearchParams } from "next/navigation"
@@ -46,9 +47,7 @@ function getCookie(name: string) {
  * Returns CsrfToken from cookie if it is present
  */
 const getCsrfToken = () => {
-  return (
-    getCookie(process.env.NEXT_PUBLIC_CSRF_COOKIE_NAME || "csrftoken") ?? ""
-  )
+  return getCookie(env("NEXT_PUBLIC_CSRF_COOKIE_NAME") || "csrftoken") ?? ""
 }
 
 /**
diff --git a/frontends/main/src/common/config.ts b/frontends/main/src/common/config.ts
index 69e32cbf43..15a717655c 100644
--- a/frontends/main/src/common/config.ts
+++ b/frontends/main/src/common/config.ts
@@ -1,5 +1,6 @@
+import { env } from "@/env"
 export const getRecaptchaSiteKey = (): string | undefined =>
-  (process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "").trim() || undefined
+  (env("NEXT_PUBLIC_RECAPTCHA_SITE_KEY") ?? "").trim() || undefined
 
 export const getStayUpdatedHubspotFormId = (): string =>
-  (process.env.NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID ?? "").trim()
+  (env("NEXT_PUBLIC_STAY_UPDATED_HUBSPOT_FORM_ID") ?? "").trim()
diff --git a/frontends/main/src/common/metadata.ts b/frontends/main/src/common/metadata.ts
index 29b796cb64..74ebe0ab51 100644
--- a/frontends/main/src/common/metadata.ts
+++ b/frontends/main/src/common/metadata.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import {
   canonicalResourceDrawerUrl,
   RESOURCE_DRAWER_PARAMS,
@@ -117,13 +118,13 @@ export const standardizeMetadata = ({
   social = true,
   ...otherMeta
 }: MetadataProps = {}): Metadata => {
-  title = `${title} | ${process.env.NEXT_PUBLIC_SITE_NAME}`
+  title = `${title} | ${env("NEXT_PUBLIC_SITE_NAME")}`
   const socialMetadata = social
     ? {
         openGraph: {
           title,
           description,
-          siteName: process.env.NEXT_PUBLIC_SITE_NAME,
+          siteName: env("NEXT_PUBLIC_SITE_NAME"),
           images: [
             {
               url: image,
diff --git a/frontends/main/src/common/mitxonline/index.ts b/frontends/main/src/common/mitxonline/index.ts
index 5e53f0c62c..243c8e8daa 100644
--- a/frontends/main/src/common/mitxonline/index.ts
+++ b/frontends/main/src/common/mitxonline/index.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type {
   BaseProduct,
   CourseRunV2,
@@ -13,8 +14,9 @@ import {
 } from "@mitodl/mitxonline-api-axios/v2"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL =
-  process.env.NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
+const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL = env(
+  "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL",
+)
 invariant(NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL)
 
 const upgradeRunUrl = (product: ProductFlexiblePrice): string => {
diff --git a/frontends/main/src/common/urls.ts b/frontends/main/src/common/urls.ts
index f697fd5927..d8fbef6b36 100644
--- a/frontends/main/src/common/urls.ts
+++ b/frontends/main/src/common/urls.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import type { BaseProgramDisplayMode } from "@mitodl/mitxonline-api-axios/v2"
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
 import invariant from "tiny-invariant"
@@ -64,13 +65,13 @@ export const makeChannelManageWidgetsPath = (
   name: string,
 ) => generatePath(CHANNEL_EDIT_WIDGETS, { channelType, name })
 
-const ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(ORIGIN, "NEXT_PUBLIC_ORIGIN must be set")
 if (process.env.NODE_ENV !== "production") {
   invariant(!ORIGIN?.endsWith("/"), "NEXT_PUBLIC_ORIGIN should not end with /")
 }
 
-const MITOL_API_BASE_URL = process.env.NEXT_PUBLIC_MITOL_API_BASE_URL
+const MITOL_API_BASE_URL = env("NEXT_PUBLIC_MITOL_API_BASE_URL")
 
 export const DASHBOARD_VIEW = "/dashboard/[tab]"
 const dashboardView = (tab: string) => generatePath(DASHBOARD_VIEW, { tab })
@@ -118,7 +119,7 @@ export const RESOURCE_DRAWER_PARAMS = {
 } as const
 
 export const canonicalResourceDrawerUrl = (resourceId: number) =>
-  `${process.env.NEXT_PUBLIC_ORIGIN}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
+  `${env("NEXT_PUBLIC_ORIGIN")}/search?${RESOURCE_DRAWER_PARAMS.resource}=${resourceId}`
 
 export const querifiedSearchUrl = (
   params:
diff --git a/frontends/main/src/common/utils.ts b/frontends/main/src/common/utils.ts
index 2652f5946c..4864d38372 100644
--- a/frontends/main/src/common/utils.ts
+++ b/frontends/main/src/common/utils.ts
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import { OrganizationPage } from "@mitodl/mitxonline-api-axios/v2"
 import type { VideoPlaylistResource } from "api/v1"
 
@@ -136,7 +137,7 @@ function hexToRgba(hex: string, alpha: number): string | undefined {
 const isOcwPlaylist = (resource: VideoPlaylistResource | undefined) =>
   resource?.offered_by?.code === "ocw" ? true : false
 
-const ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 /**
  * Returns `{ target: "_blank", rel: "noopener noreferrer", ...extra }` for URLs
diff --git a/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx b/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
index 3d0bb6e37a..2875727060 100644
--- a/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
+++ b/frontends/main/src/components/PrivateTitle/PrivateTitle.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 
 /**
@@ -9,7 +10,7 @@ import React from "react"
  * See [title](https://react.dev/reference/react-dom/components/title)
  */
 const PrivateTitle: React.FC<{ title: string }> = ({ title }) => {
-  return <title>{[title, process.env.NEXT_PUBLIC_SITE_NAME].join(" | ")}</title>
+  return <title>{[title, env("NEXT_PUBLIC_SITE_NAME")].join(" | ")}</title>
 }
 
 export default PrivateTitle
diff --git a/frontends/main/src/env.ts b/frontends/main/src/env.ts
new file mode 100644
index 0000000000..43e77625eb
--- /dev/null
+++ b/frontends/main/src/env.ts
@@ -0,0 +1,35 @@
+/**
+ * Runtime environment variable accessor for NEXT_PUBLIC_* vars.
+ *
+ * Problem: webpack's DefinePlugin inlines `process.env.NEXT_PUBLIC_FOO` at
+ * *build* time. When the Docker image is built in CI without per-environment
+ * values, every NEXT_PUBLIC_* reference in the compiled bundle becomes an
+ * empty string, even though the Kubernetes pod has the correct values set.
+ *
+ * Solution: `PublicEnvScript` (a Server Component in app/layout.tsx) renders
+ * a synchronous inline <script> that sets `window.__ENV = { NEXT_PUBLIC_*:
+ * <runtime value> }` before any JS bundle loads. This function reads from
+ * that object in the browser and from process.env (dynamic bracket access,
+ * not inlined by DefinePlugin) on the server.
+ *
+ * Test compatibility: jsdom sets `window` but not `window.__ENV`. The
+ * `?? process.env[key]` fallback lets existing tests that mutate
+ * `process.env.NEXT_PUBLIC_*` directly continue to work with no changes.
+ */
+declare global {
+  interface Window {
+    __ENV?: Record<string, string | undefined>
+  }
+}
+
+export const env = (key: `NEXT_PUBLIC_${string}`): string | undefined => {
+  if (typeof window !== "undefined") {
+    // Browser: read from server-injected window.__ENV; fall back to
+    // process.env (which webpack polyfills — safe in webpack bundles, and
+    // allows test environments that set process.env directly to work).
+    return window.__ENV?.[key] ?? process.env[key]
+  }
+  // Server: dynamic bracket access is NOT replaced by DefinePlugin, so this
+  // reads the actual Kubernetes env var at request time.
+  return process.env[key]
+}
diff --git a/frontends/main/src/instrumentation-client.ts b/frontends/main/src/instrumentation-client.ts
index 7ac33843c9..398a51581b 100644
--- a/frontends/main/src/instrumentation-client.ts
+++ b/frontends/main/src/instrumentation-client.ts
@@ -1,3 +1,4 @@
+import { env } from "./env"
 // Client-side Sentry initialization.
 //
 // This file replaces sentry.client.config.ts, which relied on Sentry's webpack
@@ -9,20 +10,20 @@ import * as Sentry from "@sentry/nextjs"
 import { parseSampleRate } from "./sentry-utils"
 
 Sentry.init({
-  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
-  release: process.env.NEXT_PUBLIC_VERSION,
-  environment: process.env.NEXT_PUBLIC_SENTRY_ENV,
+  dsn: env("NEXT_PUBLIC_SENTRY_DSN"),
+  release: env("NEXT_PUBLIC_VERSION"),
+  environment: env("NEXT_PUBLIC_SENTRY_ENV"),
   profilesSampleRate: parseSampleRate(
-    process.env.NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE,
+    env("NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE"),
     0,
   ),
   tracesSampleRate: parseSampleRate(
-    process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE,
+    env("NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"),
     1,
   ),
   tracePropagationTargets: [
-    process.env.NEXT_PUBLIC_MITOL_API_BASE_URL,
-    process.env.NEXT_PUBLIC_MITX_ONLINE_BASE_URL,
+    env("NEXT_PUBLIC_MITOL_API_BASE_URL"),
+    env("NEXT_PUBLIC_MITX_ONLINE_BASE_URL"),
   ].filter((url) => url !== undefined),
   integrations: [
     Sentry.browserTracingIntegration(),
diff --git a/frontends/main/src/instrumentation-node.ts b/frontends/main/src/instrumentation-node.ts
index 4170536032..2c729cc882 100644
--- a/frontends/main/src/instrumentation-node.ts
+++ b/frontends/main/src/instrumentation-node.ts
@@ -23,11 +23,36 @@ import {
 } from "./otel-utils"
 import { parseSampleRate } from "./sentry-utils"
 
+// Validate required NEXT_PUBLIC_* env vars at server startup. These are
+// injected by Kubernetes (not baked at build time), so they must be present
+// when the server starts. validateEnv() is skipped in next.config.js during
+// Docker builds (NEXT_BUILD_CI=1) since standalone mode does not re-run
+// next.config.js at startup.
+const REQUIRED_ENV_VARS = [
+  "NEXT_PUBLIC_ORIGIN",
+  "NEXT_PUBLIC_MITOL_API_BASE_URL",
+  "NEXT_PUBLIC_SITE_NAME",
+  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
+  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
+] as const
+
+for (const key of REQUIRED_ENV_VARS) {
+  if (!process.env[key]) {
+    // Log clearly then exit so the pod crash-loops and ops can see it
+    // immediately, rather than silently serving broken pages.
+    console.error(
+      `[startup] Required environment variable ${key} is not set. ` +
+        "Exiting to prevent broken deployment.",
+    )
+    process.exit(1)
+  }
+}
+
 // Inject service.version into OTEL_RESOURCE_ATTRIBUTES so the OTEL SDK's
 // EnvDetector picks it up alongside any other attributes set via env.
 // Simpler than interpolating OTEL_RESOURCE_ATTRIBUTES in ol-infrastructure.
-if (process.env.NEXT_PUBLIC_VERSION) {
-  const prefix = `service.version=${encodeURIComponent(process.env.NEXT_PUBLIC_VERSION)}`
+if (process.env["NEXT_PUBLIC_VERSION"]) {
+  const prefix = `service.version=${encodeURIComponent(process.env["NEXT_PUBLIC_VERSION"])}`
   const existing = process.env.OTEL_RESOURCE_ATTRIBUTES
   process.env.OTEL_RESOURCE_ATTRIBUTES = existing
     ? `${prefix},${existing}`
@@ -172,14 +197,14 @@ const otelSampleRate = parseSampleRate(process.env.OTEL_TRACES_SAMPLER_ARG, 1)
 // sent to the Sentry backend. Defaults to 1.0 when unset.
 // This lets you run Alloy at 100% while keeping Sentry costs/quota lower.
 const sentrySampleRate = parseSampleRate(
-  process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE,
+  process.env["NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE"],
   1,
 )
 
 Sentry.init({
-  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
-  release: process.env.NEXT_PUBLIC_VERSION,
-  environment: process.env.NEXT_PUBLIC_SENTRY_ENV,
+  dsn: process.env["NEXT_PUBLIC_SENTRY_DSN"],
+  release: process.env["NEXT_PUBLIC_VERSION"],
+  environment: process.env["NEXT_PUBLIC_SENTRY_ENV"],
 
   // Controls the OTEL sampler — spans not sampled here never reach any
   // processor. Set via OTEL_TRACES_SAMPLER_ARG at runtime (K8s/Helm).
diff --git a/frontends/main/src/otel-utils.ts b/frontends/main/src/otel-utils.ts
index 7cf3369d2b..5add725404 100644
--- a/frontends/main/src/otel-utils.ts
+++ b/frontends/main/src/otel-utils.ts
@@ -16,7 +16,7 @@ export type RequestLogEntry = {
   version: string | null
 }
 
-const APP_VERSION = process.env.NEXT_PUBLIC_VERSION ?? null
+const APP_VERSION = process.env["NEXT_PUBLIC_VERSION"] ?? null
 
 type OtelEnvSubset = Readonly<Record<string, string | undefined>>
 
diff --git a/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx b/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
index 6787cfb2fc..69729be2cf 100644
--- a/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
+++ b/frontends/main/src/page-components/AiChat/AiRecommendationBotDrawer.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState } from "react"
 import { styled, RoutedDrawer } from "ol-components"
 import { RiCloseLine } from "@remixicon/react"
@@ -70,9 +71,9 @@ const DrawerContent: React.FC<{
         askTimTitle="to recommend a course"
         scrollElement={scrollElement}
         requestOpts={{
-          apiUrl: process.env.NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT!,
+          apiUrl: env("NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT")!,
           csrfCookieName:
-            process.env.NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME || "csrftoken",
+            env("NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME") || "csrftoken",
           csrfHeaderName: "X-CSRFToken",
           fetchOpts: {
             credentials: "include",
diff --git a/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx b/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
index bcb980d82a..4b132bd9d7 100644
--- a/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
+++ b/frontends/main/src/page-components/AiChat/AskTimDrawerButton.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { Typography, styled, LinkAdapter } from "ol-components"
 import { RiSparkling2Line } from "@remixicon/react"
@@ -33,7 +34,7 @@ const AskTIMButton = () => {
         shallow
         href={`?${RECOMMENDER_QUERY_PARAM}`}
         onClick={() => {
-          if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+          if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
             posthog.capture(PostHogEvents.AskTimClicked, {
               type: "recommendation_bot",
             })
diff --git a/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx b/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
index 08f2452e59..30545360c3 100644
--- a/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
+++ b/frontends/main/src/page-components/ConfiguredPostHogProvider/ConfiguredPostHogProvider.tsx
@@ -3,11 +3,34 @@ import posthog from "posthog-js"
 import { PostHogProvider, usePostHog } from "posthog-js/react"
 import { useUserMe } from "api/hooks/user"
 import { INTERNAL_BOOTSTRAPPING_FLAG } from "@/common/feature_flags"
+import { env } from "@/env"
 
-const POSTHOG_API_KEY = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
-const POSTHOG_API_HOST = process.env.NEXT_PUBLIC_POSTHOG_API_HOST
-const POSTHOG_UI_HOST = process.env.NEXT_PUBLIC_POSTHOG_UI_HOST
-const FEATURE_FLAGS = process.env.FEATURE_FLAGS
+/**
+ * Compute PostHog bootstrap feature flags from window.__ENV at runtime.
+ * Previously this was computed at build time from process.env in next.config.js
+ * (as FEATURE_FLAGS), but that approach bakes empty values when the Docker
+ * image is built in CI without per-environment values. Reading from
+ * window.__ENV gives the correct per-env flags injected by PublicEnvScript.
+ */
+const getBootstrapFeatureFlags = (): Record<
+  string,
+  boolean | string
+> | null => {
+  if (typeof window === "undefined") return null
+  const envSource = window.__ENV ?? {}
+  const prefix = envSource["NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX"] ?? "FEATURE_"
+  const fullPrefix = `NEXT_PUBLIC_${prefix}`
+  const flags: Record<string, boolean | string> = {}
+
+  for (const [key, value] of Object.entries(envSource)) {
+    if (value !== undefined && key.startsWith(fullPrefix)) {
+      const flagName = key.replace(fullPrefix, "").replaceAll("_", "-")
+      flags[flagName] = value === "True" ? true : JSON.stringify(value)
+    }
+  }
+
+  return Object.keys(flags).length > 0 ? flags : null
+}
 
 const PosthogIdentifier = () => {
   const { data: user } = useUserMe()
@@ -39,23 +62,27 @@ const ConfiguredPostHogProvider: React.FC<{ children: React.ReactNode }> = ({
   children,
 }) => {
   useEffect(() => {
+    const POSTHOG_API_KEY = env("NEXT_PUBLIC_POSTHOG_API_KEY")
+    const POSTHOG_API_HOST = env("NEXT_PUBLIC_POSTHOG_API_HOST")
+    const POSTHOG_UI_HOST = env("NEXT_PUBLIC_POSTHOG_UI_HOST")
     if (POSTHOG_API_KEY) {
+      const featureFlags = getBootstrapFeatureFlags()
       posthog.init(POSTHOG_API_KEY, {
         api_host: POSTHOG_API_HOST,
         ui_host: POSTHOG_UI_HOST,
         bootstrap: {
-          featureFlags: FEATURE_FLAGS
+          featureFlags: featureFlags
             ? {
-                ...JSON.parse(FEATURE_FLAGS),
+                ...featureFlags,
                 [INTERNAL_BOOTSTRAPPING_FLAG]: true,
               }
-            : null,
+            : undefined,
         },
       })
     }
   }, [])
 
-  if (!POSTHOG_API_KEY) {
+  if (!env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     return children
   }
 
diff --git a/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx b/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
index 04980d9c56..b489b4087a 100644
--- a/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
+++ b/frontends/main/src/page-components/Dialogs/AddToListDialog.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useCallback } from "react"
 import {
   LoadingSpinner,
@@ -100,7 +101,7 @@ const AddToListDialogInner: React.FC<AddToListDialogInnerProps> = ({
     },
     onSubmit: async (values) => {
       if (resource) {
-        if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+        if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
           posthog.capture(PostHogEvents.LRAddToList, {
             listType: listType,
             resourceId: resource?.id,
diff --git a/frontends/main/src/page-components/Header/Header.tsx b/frontends/main/src/page-components/Header/Header.tsx
index 0552408c4f..701109d69c 100644
--- a/frontends/main/src/page-components/Header/Header.tsx
+++ b/frontends/main/src/page-components/Header/Header.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { FunctionComponent } from "react"
 import type { NavData } from "ol-components"
 import {
@@ -286,7 +287,7 @@ const Header: FunctionComponent = () => {
     ? PostHogEvents.ClosedNavDrawer
     : PostHogEvents.OpenedNavDrawer
   const posthogCapture = (event: string) => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(event)
     }
   }
diff --git a/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx b/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
index c058b7cc2d..19323a0460 100644
--- a/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
+++ b/frontends/main/src/page-components/HeroSearch/HeroSearch.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React, { useState, useCallback } from "react"
 import { useRouter } from "next-nprogress-bar"
 import { FeatureFlags } from "@/common/feature_flags"
@@ -202,7 +203,7 @@ const TrendingContainer = styled.div({
 const HeroSearch: React.FC<{ imageIndex: number }> = ({ imageIndex }) => {
   const posthog = usePostHog()
   const posthogCapture = (event: string) => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(event)
     }
   }
@@ -252,7 +253,7 @@ const HeroSearch: React.FC<{ imageIndex: number }> = ({ imageIndex }) => {
                 <TopicLink
                   href="/topics/"
                   onClick={() => {
-                    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                       posthogCapture(PostHogEvents.HeroBrowseTopics)
                     }
                   }}
diff --git a/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx b/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
index 33ee4f33d4..940fd9f6e5 100644
--- a/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
+++ b/frontends/main/src/page-components/LearningResourceDrawer/LearningResourceDrawer.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { Suspense, useEffect, useId, useMemo } from "react"
 import { RoutedDrawer, imgConfigs } from "ol-components"
 import { LearningResourceExpanded } from "../LearningResourceExpanded/LearningResourceExpanded"
@@ -35,7 +36,7 @@ const ALL_PARAMS = [
 const useCapturePageView = (resourceId: number) => {
   const { data, isSuccess } = useLearningResourcesDetail(Number(resourceId))
   const posthog = usePostHog()
-  const apiKey = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
+  const apiKey = env("NEXT_PUBLIC_POSTHOG_API_KEY")
 
   useEffect(() => {
     if (!apiKey || apiKey.length < 1) return
@@ -72,7 +73,7 @@ const DrawerContent: React.FC<{
    */
   const posthog = usePostHog()
   const resource = useLearningResourcesDetail(Number(resourceId))
-  if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+  if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
     posthog.capture(PostHogEvents.LearningResourceDrawerOpen, {
       resource: resource?.data,
     })
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx b/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
index fa70037fbe..f6874a2bb4 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/AiChatSyllabusSlideDown.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useRef, useEffect } from "react"
 import { Typography, styled } from "ol-components"
 import { Button } from "@mitodl/smoot-design"
@@ -152,7 +153,7 @@ export const AiChatSyllabusOpener = ({
         aria-pressed={open}
         open={open}
         onClick={() => {
-          if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+          if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
             posthog.capture(PostHogEvents.AskTimClicked, {
               type: "syllabus_bot",
               resourceId: resource.id,
@@ -223,9 +224,9 @@ const AiChatSyllabusSlideDown = ({
         topPosition={contentTopPosition}
         scrollElement={scrollElement}
         requestOpts={{
-          apiUrl: process.env.NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT!,
+          apiUrl: env("NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT")!,
           csrfCookieName:
-            process.env.NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME || "csrftoken",
+            env("NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME") || "csrftoken",
           csrfHeaderName: "X-CSRFToken",
           fetchOpts: {
             credentials: "include",
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index 37f0ccab2d..4adc867844 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
@@ -50,7 +51,7 @@ import { FeatureFlags } from "@/common/feature_flags"
 import { externalLinkProps } from "@/common/utils"
 import invariant from "tiny-invariant"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const showChatClass = "show-chat"
@@ -456,7 +457,7 @@ const CallToActionSection = ({
           size="medium"
           href={url}
           onClick={() => {
-            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
               posthog.capture(PostHogEvents.CallToActionClicked, {
                 resource,
                 label: cta,
diff --git a/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx b/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
index 3d08a8ee58..00b11eae43 100644
--- a/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
+++ b/frontends/main/src/page-components/ResourceCarousel/ResourceCarousel.tsx
@@ -1,5 +1,6 @@
 "use client"
 
+import { env } from "@/env"
 import React from "react"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import {
@@ -326,7 +327,7 @@ const ResourceCarousel: React.FC<ResourceCarouselProps> = ({
                           parentHeadingEl={titleComponent}
                           {...tabConfig.cardProps}
                           onCardClick={() => {
-                            if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+                            if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
                               posthog.capture(PostHogEvents.CourseCardClicked, {
                                 label: title,
                                 resourceId: resource.id,
diff --git a/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx b/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
index cc0c9df830..2aafbebab2 100644
--- a/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
+++ b/frontends/main/src/page-components/SearchDisplay/SearchDisplay.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useEffect, useMemo, useRef, useState } from "react"
 import {
   styled,
@@ -867,7 +868,7 @@ const SearchDisplay: React.FC<SearchDisplayProps> = ({
 
   const posthog = usePostHog()
 
-  const NEXT_PUBLIC_POSTHOG_API_KEY = process.env.NEXT_PUBLIC_POSTHOG_API_KEY
+  const NEXT_PUBLIC_POSTHOG_API_KEY = env("NEXT_PUBLIC_POSTHOG_API_KEY")
 
   const toggleMobileDrawer = (newOpen: boolean) => () => {
     setMobileDrawerOpen(newOpen)
diff --git a/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx b/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
index 3972f078d3..95d8c226ea 100644
--- a/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
+++ b/frontends/main/src/page-components/SearchDisplay/UniversalAIBanner.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useMemo } from "react"
 import Link from "next/link"
 import { styled, Typography } from "ol-components"
@@ -111,7 +112,7 @@ const UniversalAIBanner: React.FC<UniversalAIBannerProps> = ({
   })
 
   const handleCTAClick = () => {
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.CallToActionClicked, {
         label: "Learn more about Universal AI",
         readableId: UAI_PROGRAM_READABLE_ID,
diff --git a/frontends/main/src/page-components/SearchField/SearchField.tsx b/frontends/main/src/page-components/SearchField/SearchField.tsx
index 71d0ad8d9d..062e6737e9 100644
--- a/frontends/main/src/page-components/SearchField/SearchField.tsx
+++ b/frontends/main/src/page-components/SearchField/SearchField.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { SearchInput } from "ol-components"
 import type { SearchInputProps, SearchSubmissionEvent } from "ol-components"
@@ -26,7 +27,7 @@ const SearchField: React.FC<SearchFieldProps> = ({
   ) => {
     onSubmit(event)
     setPage?.(1)
-    if (process.env.NEXT_PUBLIC_POSTHOG_API_KEY) {
+    if (env("NEXT_PUBLIC_POSTHOG_API_KEY")) {
       posthog.capture(PostHogEvents.SearchUpdate, { isEnter: isEnter })
     }
   }
diff --git a/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx b/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
index 98e38f498c..710580517a 100644
--- a/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
+++ b/frontends/main/src/page-components/SignupPopover/SignupPopover.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React from "react"
 import { Popover, Typography, styled } from "ol-components"
 import { ButtonLink } from "@mitodl/smoot-design"
@@ -25,7 +26,7 @@ const Footer = styled.div({
   justifyContent: "end",
 })
 
-const SITE_NAME = process.env.NEXT_PUBLIC_SITE_NAME
+const SITE_NAME = env("NEXT_PUBLIC_SITE_NAME")
 
 type SignupPopoverProps = Pick<
   PopoverProps,
diff --git a/frontends/main/src/page-components/TiptapEditor/extensions/node/ArticleByLineInfoBar/ArticleByLineInfoBar.tsx b/frontends/main/src/page-components/TiptapEditor/extensions/node/ArticleByLineInfoBar/ArticleByLineInfoBar.tsx
index 92d32c516e..ae30eed8c0 100644
--- a/frontends/main/src/page-components/TiptapEditor/extensions/node/ArticleByLineInfoBar/ArticleByLineInfoBar.tsx
+++ b/frontends/main/src/page-components/TiptapEditor/extensions/node/ArticleByLineInfoBar/ArticleByLineInfoBar.tsx
@@ -1,3 +1,4 @@
+import { env } from "@/env"
 import React, { useState, useRef, useEffect } from "react"
 import { NodeViewWrapper } from "@tiptap/react"
 import type { ReactNodeViewProps } from "@tiptap/react"
@@ -10,7 +11,7 @@ import { useArticle } from "../../../ArticleContext"
 import { calculateReadTime } from "../../utils"
 import SharePopover from "@/components/SharePopover/SharePopover"
 
-const NEXT_PUBLIC_ORIGIN = process.env.NEXT_PUBLIC_ORIGIN
+const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
 
 const StyledWrapper = styled.div(({ theme }) => ({
   width: "100vw",

From 9e82cc7f66bc29fc11925af49fd71ed3fa15b570 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 May 2026 22:06:20 +0000
Subject: [PATCH 04/10] fix: narrow required public env vars for sitemap build

Agent-Logs-Url: https://github.com/mitodl/mit-learn/sessions/03f963fb-4658-4987-87e4-3a7610eee518

Co-authored-by: blarghmatey <479088+blarghmatey@users.noreply.github.com>
---
 frontends/main/src/app/robots.ts                          | 6 ++----
 .../main/src/app/sitemaps/sitemap-index.xml/route.ts      | 6 ++----
 frontends/main/src/app/sitemaps/static/sitemap.ts         | 6 ++----
 frontends/main/src/env.ts                                 | 8 ++++++++
 4 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index f41a82dbfb..4a0aa64216 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,9 +1,7 @@
-import { env } from "@/env"
+import { env, requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export default function robots(): MetadataRoute.Robots {
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index c8141e6f65..33ba2a8e2b 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -1,14 +1,12 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import { NextResponse } from "next/server"
-import invariant from "tiny-invariant"
 import * as resourceSitemap from "../resources/sitemap"
 import * as channelsSitemap from "../channels/sitemap"
 import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"), "NEXT_PUBLIC_ORIGIN must be defined")
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export async function GET() {
   const content = await buildSitemapIndex()
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 8b0806edee..a0d3c97d2a 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,9 +1,7 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 
-invariant(env("NEXT_PUBLIC_ORIGIN"))
-const BASE_URL: string = env("NEXT_PUBLIC_ORIGIN")
+const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
 export default function sitemap(): MetadataRoute.Sitemap {
   return [
diff --git a/frontends/main/src/env.ts b/frontends/main/src/env.ts
index 43e77625eb..994e2be3f0 100644
--- a/frontends/main/src/env.ts
+++ b/frontends/main/src/env.ts
@@ -1,3 +1,5 @@
+import invariant from "tiny-invariant"
+
 /**
  * Runtime environment variable accessor for NEXT_PUBLIC_* vars.
  *
@@ -33,3 +35,9 @@ export const env = (key: `NEXT_PUBLIC_${string}`): string | undefined => {
   // reads the actual Kubernetes env var at request time.
   return process.env[key]
 }
+
+export const requiredEnv = (key: `NEXT_PUBLIC_${string}`): string => {
+  const value = env(key)
+  invariant(value, `${key} must be defined`)
+  return value
+}

From c7c08883516bc039b4c6ed412290a5992d09a02a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 May 2026 22:09:10 +0000
Subject: [PATCH 05/10] fix: remove unused robots env import

Agent-Logs-Url: https://github.com/mitodl/mit-learn/sessions/03f963fb-4658-4987-87e4-3a7610eee518

Co-authored-by: blarghmatey <479088+blarghmatey@users.noreply.github.com>
---
 frontends/main/src/app/robots.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index 4a0aa64216..bd872e74a2 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,4 +1,4 @@
-import { env, requiredEnv } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
 const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")

From 8d2b823ff86de19ab7835fbf5d60d4c4cbf6d7b8 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 10:59:31 -0400
Subject: [PATCH 06/10] fix: address PR review feedback on Dockerfile build
 args and required env vars

- Remove all obsolete NEXT_PUBLIC_* ARG/ENV build-arg pairs from
  Dockerfile.web base stage; env vars are now runtime-injected via
  PublicEnvScript and do not need to be present at build time.
  Only GIT_REF is retained (used by generateBuildId in next.config.js).
  Header comment updated to reflect the correct build invocation.

- Fix duplicate ARG/ENV declarations for NEXT_PUBLIC_SENTRY_DSN,
  NEXT_PUBLIC_SENTRY_ENV, NEXT_PUBLIC_VERSION,
  NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE, and
  NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE (removed as part of the above).

- Extract REQUIRED_PUBLIC_ENV_VARS from validateEnv.js as a shared
  exported constant. instrumentation-node.ts now imports it instead of
  maintaining its own inline copy, so both the local-dev yup schema and
  the Kubernetes startup check stay in sync from a single source of truth.
---
 frontends/main/Dockerfile.web              | 100 ++-------------------
 frontends/main/src/instrumentation-node.ts |  24 +++--
 frontends/main/validateEnv.js              |  26 +++++-
 3 files changed, 40 insertions(+), 110 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 9207479635..03281bb886 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -2,25 +2,12 @@
 # Build: \
 # docker build \
 #   -f frontends/main/Dockerfile.web \
-#   --build-arg NEXT_PUBLIC_ORIGIN=http://api.open.odl.local:8062 \
-#   --build-arg NEXT_PUBLIC_MITOL_API_BASE_URL=http://open.odl.local:8063 \
-#   --build-arg NEXT_PUBLIC_SITE_NAME="MIT Learn" \
-#   --build-arg NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=mitlearn-support@mit.edu \
-#   --build-arg NEXT_PUBLIC_EMBEDLY_KEY= \
-#   --build-arg NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=true \
-#   --build-arg NEXT_PUBLIC_CSRF_COOKIE_NAME=csrftoken-local \
-#   --build-arg NEXT_PUBLIC_POSTHOG_API_HOST= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_PROJECT_ID= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_API_KEY= \
-#   --build-arg NEXT_PUBLIC_POSTHOG_ENABLE_SESSION_RECORDING= \
-#   --build-arg NEXT_PUBLIC_SENTRY_DSN= \
-#   --build-arg NEXT_PUBLIC_SENTRY_ENV= \
-#   --build-arg NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE= \
-#   --build-arg NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE= \
-#   --build-arg NEXT_PUBLIC_APPZI_URL= \
-#   --build-arg NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT= \
-#   --build-arg NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT= \  --build-arg NEXT_PUBLIC_HUBSPOT_PORTAL_ID= \#   --build-arg NEXT_PUBLIC_VERSION= \
+#   --build-arg GIT_REF=$(git rev-parse HEAD) \
 #   -t mitodl/mit-learn-frontend:latest .
+#
+# NEXT_PUBLIC_* vars are NOT passed as build args — they are injected at
+# runtime by Kubernetes and surfaced to the browser via PublicEnvScript.
+# Only GIT_REF is needed at build time (for generateBuildId in next.config.js).
 
 
 # Run:
@@ -83,84 +70,13 @@ WORKDIR /app/frontends/main
 
 ENV NODE_ENV=production
 
-ARG NEXT_PUBLIC_ORIGIN
-ENV NEXT_PUBLIC_ORIGIN=$NEXT_PUBLIC_ORIGIN
-
-ARG NEXT_PUBLIC_MITOL_API_BASE_URL
-ENV NEXT_PUBLIC_MITOL_API_BASE_URL=$NEXT_PUBLIC_MITOL_API_BASE_URL
-
-ARG NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-ENV NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL=$NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL
-
-ARG NEXT_PUBLIC_SITE_NAME
-ENV NEXT_PUBLIC_SITE_NAME=$NEXT_PUBLIC_SITE_NAME
-
-ARG NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
-ENV NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=$NEXT_PUBLIC_MITOL_SUPPORT_EMAIL
-
-ARG NEXT_PUBLIC_EMBEDLY_KEY=None
-ENV NEXT_PUBLIC_EMBEDLY_KEY=$NEXT_PUBLIC_EMBEDLY_KEY
-
-ARG NEXT_PUBLIC_SENTRY_DSN
-ENV NEXT_PUBLIC_SENTRY_DSN=$NEXT_PUBLIC_SENTRY_DSN
-
-ARG NEXT_PUBLIC_SENTRY_ENV
-ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
-
-ARG NEXT_PUBLIC_VERSION
-ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
-
 # GIT_REF is the full commit SHA, passed by Concourse as BUILD_ARG_GIT_REF.
-# It is used by next.config.js generateBuildId as a fallback when
-# NEXT_PUBLIC_VERSION is not set (e.g. CI/main-branch builds).
+# It is used by next.config.js generateBuildId to produce a stable, unique
+# build manifest filename that is the same across identical builds.
+# All NEXT_PUBLIC_* vars are injected at runtime — NOT at build time.
 ARG GIT_REF
 ENV GIT_REF=$GIT_REF
 
-ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=true
-ENV NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=$NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS
-
-ARG NEXT_PUBLIC_CSRF_COOKIE_NAME
-ENV NEXT_PUBLIC_CSRF_COOKIE_NAME=$NEXT_PUBLIC_CSRF_COOKIE_NAME
-
-ARG NEXT_PUBLIC_POSTHOG_API_HOST
-ENV NEXT_PUBLIC_POSTHOG_API_HOST=$NEXT_PUBLIC_POSTHOG_API_HOST
-ARG NEXT_PUBLIC_POSTHOG_UI_HOST
-ENV NEXT_PUBLIC_POSTHOG_UI_HOST=$NEXT_PUBLIC_POSTHOG_UI_HOST
-ARG NEXT_PUBLIC_POSTHOG_PROJECT_ID
-ENV NEXT_PUBLIC_POSTHOG_PROJECT_ID=$NEXT_PUBLIC_POSTHOG_PROJECT_ID
-ARG NEXT_PUBLIC_POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$NEXT_PUBLIC_POSTHOG_API_KEY
-
-ARG NEXT_PUBLIC_SENTRY_DSN
-ENV NEXT_PUBLIC_SENTRY_DSN=$NEXT_PUBLIC_SENTRY_DSN
-ARG NEXT_PUBLIC_SENTRY_ENV
-ENV NEXT_PUBLIC_SENTRY_ENV=$NEXT_PUBLIC_SENTRY_ENV
-ARG NEXT_PUBLIC_VERSION
-ENV NEXT_PUBLIC_VERSION=$NEXT_PUBLIC_VERSION
-ARG NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE
-ARG NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-ENV NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
-
-ARG NEXT_PUBLIC_APPZI_URL
-ENV NEXT_PUBLIC_APPZI_URL=$NEXT_PUBLIC_APPZI_URL
-
-ARG NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME
-ENV NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME=$NEXT_PUBLIC_LEARN_AI_CSRF_COOKIE_NAME
-ARG NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT
-ENV NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT
-ARG NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT
-ENV NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT
-
-ARG NEXT_PUBLIC_HUBSPOT_PORTAL_ID
-ENV NEXT_PUBLIC_HUBSPOT_PORTAL_ID=$NEXT_PUBLIC_HUBSPOT_PORTAL_ID
-
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_MODE="phrase"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_SLOP="6"
 ENV NEXT_PUBLIC_DEFAULT_SEARCH_STALENESS_PENALTY="2.5"
diff --git a/frontends/main/src/instrumentation-node.ts b/frontends/main/src/instrumentation-node.ts
index 2c729cc882..609c4b18b8 100644
--- a/frontends/main/src/instrumentation-node.ts
+++ b/frontends/main/src/instrumentation-node.ts
@@ -23,20 +23,16 @@ import {
 } from "./otel-utils"
 import { parseSampleRate } from "./sentry-utils"
 
-// Validate required NEXT_PUBLIC_* env vars at server startup. These are
-// injected by Kubernetes (not baked at build time), so they must be present
-// when the server starts. validateEnv() is skipped in next.config.js during
-// Docker builds (NEXT_BUILD_CI=1) since standalone mode does not re-run
-// next.config.js at startup.
-const REQUIRED_ENV_VARS = [
-  "NEXT_PUBLIC_ORIGIN",
-  "NEXT_PUBLIC_MITOL_API_BASE_URL",
-  "NEXT_PUBLIC_SITE_NAME",
-  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
-  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
-] as const
-
-for (const key of REQUIRED_ENV_VARS) {
+// REQUIRED_PUBLIC_ENV_VARS is defined in validateEnv.js and shared with the
+// local-dev yup schema so both lists stay in sync from a single source of
+// truth. validateEnv() is skipped in next.config.js during Docker builds
+// (NEXT_BUILD_CI=1); this loop is the runtime equivalent for Kubernetes pods.
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const { REQUIRED_PUBLIC_ENV_VARS } = require("../validateEnv") as {
+  REQUIRED_PUBLIC_ENV_VARS: readonly string[]
+}
+
+for (const key of REQUIRED_PUBLIC_ENV_VARS) {
   if (!process.env[key]) {
     // Log clearly then exit so the pod crash-loops and ops can see it
     // immediately, rather than silently serving broken pages.
diff --git a/frontends/main/validateEnv.js b/frontends/main/validateEnv.js
index 478e6da9ac..a62d9534fc 100644
--- a/frontends/main/validateEnv.js
+++ b/frontends/main/validateEnv.js
@@ -7,23 +7,41 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const yup = require("yup")
 
+/**
+ * NEXT_PUBLIC_* vars that must be present at runtime. Shared between:
+ *  - validateEnv() below (local dev check at `next build` / `next start`)
+ *  - src/instrumentation-node.ts (Docker startup check in Kubernetes)
+ *
+ * Keep this list in sync with the `.required()` fields in the schema below.
+ */
+const REQUIRED_PUBLIC_ENV_VARS = /** @type {const} */ ([
+  "NEXT_PUBLIC_ORIGIN",
+  "NEXT_PUBLIC_MITOL_API_BASE_URL",
+  "NEXT_PUBLIC_SITE_NAME",
+  "NEXT_PUBLIC_MITOL_SUPPORT_EMAIL",
+  "NEXT_PUBLIC_CSRF_COOKIE_NAME",
+])
+
 const schema = yup.object().shape({
   // Server-only env vars
   MITOL_NOINDEX: yup.string().oneOf(["true", "false"]),
   NEXT_CACHE_S_MAXAGE_SECONDS: yup
     .string()
     .matches(/^\d+$/, { excludeEmptyString: true }),
-  // Client or Server env vars
-  NEXT_PUBLIC_APPZI_URL: yup.string(),
+  // Required client/server vars — must be present in local dev and at runtime.
+  // The list is defined above as REQUIRED_PUBLIC_ENV_VARS so that
+  // instrumentation-node.ts can import it as a single source of truth.
   NEXT_PUBLIC_ORIGIN: yup.string().required(),
   NEXT_PUBLIC_MITOL_API_BASE_URL: yup.string().required(),
   NEXT_PUBLIC_SITE_NAME: yup.string().required(),
   NEXT_PUBLIC_MITOL_SUPPORT_EMAIL: yup.string().required(),
+  NEXT_PUBLIC_CSRF_COOKIE_NAME: yup.string().required(),
+  // Optional client or server vars
+  NEXT_PUBLIC_APPZI_URL: yup.string(),
   NEXT_PUBLIC_EMBEDLY_KEY: yup.string(),
   NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS: yup
     .string()
     .oneOf(["true", "false"]),
-  NEXT_PUBLIC_CSRF_COOKIE_NAME: yup.string().required(),
   NEXT_PUBLIC_POSTHOG_API_KEY: yup.string(),
   NEXT_PUBLIC_POSTHOG_FEATURE_PREFIX: yup.string(),
   NEXT_PUBLIC_POSTHOG_API_HOST: yup.string(),
@@ -33,4 +51,4 @@ const schema = yup.object().shape({
 
 const validateEnv = () => schema.validateSync(process.env)
 
-module.exports = { validateEnv }
+module.exports = { validateEnv, REQUIRED_PUBLIC_ENV_VARS }

From 0749d967fa43d761b07552cafc69792dd8c63d0c Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:13:05 -0400
Subject: [PATCH 07/10] fix: move requiredEnv calls inside route functions;
 clean up ci.yml build args

robots.ts and sitemaps/static/sitemap.ts called requiredEnv("NEXT_PUBLIC_ORIGIN")
at module scope. During 'next build', Next.js evaluates these modules while
collecting page data. With NEXT_PUBLIC_ORIGIN no longer injected as a Docker
build arg (it is runtime-injected via PublicEnvScript), the invariant threw
and the build failed.

Fix: move const BASE_URL = requiredEnv(...) inside each function body so it
is only evaluated at request time, when the env var is available.

Also update ci.yml to match the new Dockerfile: remove all obsolete
--build-arg NEXT_PUBLIC_* lines (the Dockerfile no longer declares
the corresponding ARG instructions) and pass only GIT_REF.
---
 .github/workflows/ci.yml                      | 41 +------------------
 frontends/main/src/app/robots.ts              |  3 +-
 .../main/src/app/sitemaps/static/sitemap.ts   |  3 +-
 3 files changed, 3 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 32724533c5..e55813f4c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -146,50 +146,11 @@ jobs:
 
       - name: Build the Docker image
         env:
-          ORIGIN: http://fakelearn.odl.local:8062
-          MITOL_API_BASE_URL: http://api.fakelearn.odl.local:8065
-          MITX_ONLINE_LEGACY_BASE_URL: https://cifake.mitxonline.mit.edu
-          SITE_NAME: MIT Learn
-          SUPPORT_EMAIL: mitlearn-support@mit.edu
-          EMBEDLY_KEY: fake-embedly-key
-          MITOL_AXIOS_WITH_CREDENTIALS: true
-          CSRF_COOKIE_NAME: learn_csrftoken_ci
-          POSTHOG_API_HOST: https://app.posthog.com
-          POSTHOG_UI_HOST: https://us.posthog.com
-          POSTHOG_PROJECT_ID: fake-posthog-project-id
-          POSTHOG_API_KEY: fake-posthog-api-key
-          SENTRY_DSN: fake-sentry-dsn
-          SENTRY_ENV: fake-sentry-env
-          SENTRY_PROFILES_SAMPLE_RATE: 0.1
-          SENTRY_TRACES_SAMPLE_RATE: 0.1
-          LEARN_AI_RECOMMENDATION_ENDPOINT: http://api.fakelearn.odl.local:8065/ai/http/recommendation_agent
-          LEARN_AI_SYLLABUS_ENDPOINT: http://api.fakelearn.odl.local:8065/ai/http/syllabus_agent
-          HUBSPOT_PORTAL_ID: fake-hubspot-portal-id
           VERSION: ${{ github.sha }}
         run: |
           docker build \
             -f frontends/main/Dockerfile.web \
-            --build-arg NEXT_PUBLIC_ORIGIN=$ORIGIN \
-            --build-arg NEXT_PUBLIC_MITOL_API_BASE_URL=$MITOL_API_BASE_URL \
-            --build-arg NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL=$MITX_ONLINE_LEGACY_BASE_URL \
-            --build-arg NEXT_PUBLIC_SITE_NAME="$SITE_NAME" \
-            --build-arg NEXT_PUBLIC_MITOL_SUPPORT_EMAIL=$SUPPORT_EMAIL \
-            --build-arg NEXT_PUBLIC_EMBEDLY_KEY=$EMBEDLY_KEY \
-            --build-arg NEXT_PUBLIC_MITOL_AXIOS_WITH_CREDENTIALS=$MITOL_AXIOS_WITH_CREDENTIALS \
-            --build-arg NEXT_PUBLIC_CSRF_COOKIE_NAME=$CSRF_COOKIE_NAME \
-            --build-arg NEXT_PUBLIC_POSTHOG_API_HOST=$POSTHOG_API_HOST \
-            --build-arg NEXT_PUBLIC_POSTHOG_UI_HOST=$POSTHOG_UI_HOST \
-            --build-arg NEXT_PUBLIC_POSTHOG_PROJECT_ID=$POSTHOG_PROJECT_ID \
-            --build-arg NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-            --build-arg NEXT_PUBLIC_SENTRY_DSN=$SENTRY_DSN \
-            --build-arg NEXT_PUBLIC_SENTRY_ENV=$SENTRY_ENV \
-            --build-arg NEXT_PUBLIC_SENTRY_PROFILES_SAMPLE_RATE=$SENTRY_PROFILES_SAMPLE_RATE \
-            --build-arg NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE=$SENTRY_TRACES_SAMPLE_RATE \
-            --build-arg NEXT_PUBLIC_APPZI_URL=$APPZI_URL \
-            --build-arg NEXT_PUBLIC_LEARN_AI_RECOMMENDATION_ENDPOINT=$LEARN_AI_RECOMMENDATION_ENDPOINT \
-            --build-arg NEXT_PUBLIC_LEARN_AI_SYLLABUS_ENDPOINT=$LEARN_AI_SYLLABUS_ENDPOINT \
-            --build-arg NEXT_PUBLIC_HUBSPOT_PORTAL_ID=$HUBSPOT_PORTAL_ID \
-            --build-arg NEXT_PUBLIC_VERSION=$VERSION \
+            --build-arg GIT_REF=$VERSION \
             -t mitodl/mit-learn-frontend:$VERSION .
 
   build-storybook:
diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index bd872e74a2..d1d75150f7 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,9 +1,8 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export default function robots(): MetadataRoute.Robots {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
 
   if (shouldIndex) {
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index a0d3c97d2a..94c78201e9 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,9 +1,8 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export default function sitemap(): MetadataRoute.Sitemap {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   return [
     {
       url: BASE_URL,

From 34ddf4c81958acb5e0a4bf0deec26bbb60ac9a63 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:28:31 -0400
Subject: [PATCH 08/10] fix: move remaining module-scope requiredEnv; fix
 extension regex; add libc6-compat and TZ=UTC to runner

- sitemap-index.xml/route.ts: move requiredEnv("NEXT_PUBLIC_ORIGIN") from
  module scope into buildSitemapIndex(). Turbopack bundles server-side modules
  into shared SSR chunks; the top-level requiredEnv() call was ending up in
  the same chunk as code needed by /_not-found, causing the invariant to fire
  when that chunk was evaluated during 'Collecting page data'. force-dynamic
  only controls render strategy, not whether the module itself is evaluated
  at build time.

- next.config.js: widen the extension exclusion regex from {2,4} to + so
  that assets with longer extensions (.woff2, .webmanifest, etc.) are not
  tagged with Surrogate-Key: html-pages and incorrectly purged on deploy.

- Dockerfile.web runner stage: install libc6-compat so that sharp (used by
  Next.js image optimisation) works correctly on Alpine. Add ENV TZ=UTC to
  preserve the UTC timezone that the old 'TZ=UTC next start' startup command
  provided.
---
 frontends/main/Dockerfile.web                              | 4 ++++
 frontends/main/next.config.js                              | 2 +-
 frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/frontends/main/Dockerfile.web b/frontends/main/Dockerfile.web
index 03281bb886..1295a2b354 100644
--- a/frontends/main/Dockerfile.web
+++ b/frontends/main/Dockerfile.web
@@ -111,6 +111,9 @@ FROM node:24-alpine AS runner
 
 WORKDIR /app
 
+# sharp (Next.js image optimisation) requires glibc-compatible libs on Alpine.
+RUN apk add --no-cache libc6-compat
+
 # Copy the standalone server (includes a minimal node_modules)
 COPY --from=build /app/frontends/main/.next/standalone ./
 
@@ -123,6 +126,7 @@ COPY --from=build /app/frontends/main/public ./frontends/main/public
 EXPOSE 3000
 
 ENV NODE_ENV=production
+ENV TZ=UTC
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
diff --git a/frontends/main/next.config.js b/frontends/main/next.config.js
index 6568006ead..584418f332 100644
--- a/frontends/main/next.config.js
+++ b/frontends/main/next.config.js
@@ -93,7 +93,7 @@ const nextConfig = {
        * should not be tagged as an HTML page for Fastly surrogate-key purges.
        */
       {
-        source: "/((?!.*\\.[a-zA-Z0-9]{2,4}$)(?!healthcheck$).*)",
+        source: "/((?!.*\\.[a-zA-Z0-9]+$)(?!healthcheck$).*)",
         headers: [
           {
             key: "Cache-Control",
diff --git a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
index 33ba2a8e2b..5d0c38b582 100644
--- a/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
+++ b/frontends/main/src/app/sitemaps/sitemap-index.xml/route.ts
@@ -6,8 +6,6 @@ import * as productsSitemap from "../products/sitemap"
 import * as videoSitemap from "../video/sitemap"
 import * as podcastSitemap from "../podcast/sitemap"
 
-const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
-
 export async function GET() {
   const content = await buildSitemapIndex()
   return new NextResponse(content, {
@@ -19,6 +17,9 @@ export async function GET() {
 }
 
 async function buildSitemapIndex(): Promise<string> {
+  // Read at request time so this works in the standalone Docker image where
+  // NEXT_PUBLIC_ORIGIN is injected by Kubernetes, not baked at build time.
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const sitemaps = await Promise.all([
     resourceSitemap.generateSitemaps(),
     channelsSitemap.generateSitemaps(),

From 910f98f448c158c8eb31be47cb557027dccad532 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 12:52:12 -0400
Subject: [PATCH 09/10] fix: remove all module-scope invariant calls that fire
 during next build

The standalone Docker image does not pass NEXT_PUBLIC_* vars at build time;
they are injected by Kubernetes at runtime. Turbopack evaluates server-side
modules during 'collecting page data', and Next.js 16 executes metadata routes
(robots.ts, sitemaps) during 'generating static pages' even when force-dynamic
is set (known Next.js bug). Any invariant() or requiredEnv() call at module
scope or inside a route function would throw before the env vars are available.

Changes:
- sitemaps/{resources,channels,podcast,products,video}/sitemap.ts: remove
  module-scope env()+invariant() pattern; add requiredEnv() inside each
  function after the dangerouslyDetectProductionBuildPhase() early-exit.
  channels and products default sitemap() did not use BASE_URL at all;
  removed those unnecessary declarations.
- robots.ts, sitemaps/static/sitemap.ts: add force-dynamic + build-phase
  guard consistent with all other sitemap modules; requiredEnv() is only
  reached at request time when NEXT_PUBLIC_ORIGIN is available.
- common/urls.ts: remove module-scope invariant(ORIGIN) calls; fix
  stringifyUrlDescriptor to read env() locally instead of closed-over const.
- common/mitxonline/index.ts: remove module-scope invariant() call and
  now-unused tiny-invariant import.
- common/certificateUtils.ts: remove module-scope invariant() call and
  now-unused tiny-invariant import.
- page-components/.../CallToActionSection.tsx: remove module-scope invariant();
  add null-safe fallback for the string comparison using NEXT_PUBLIC_ORIGIN.

Build verified locally: docker build completes successfully.
---
 frontends/main/src/app/robots.ts                   | 13 +++++++++++++
 .../main/src/app/sitemaps/channels/sitemap.ts      |  7 ++-----
 frontends/main/src/app/sitemaps/podcast/sitemap.ts |  8 +++-----
 .../main/src/app/sitemaps/products/sitemap.ts      |  9 +++------
 .../main/src/app/sitemaps/resources/sitemap.ts     | 10 ++++------
 frontends/main/src/app/sitemaps/static/sitemap.ts  | 10 ++++++++++
 frontends/main/src/app/sitemaps/video/sitemap.ts   |  8 +++-----
 frontends/main/src/common/certificateUtils.ts      |  3 ---
 frontends/main/src/common/mitxonline/index.ts      |  2 --
 frontends/main/src/common/urls.ts                  | 11 +++--------
 .../CallToActionSection.tsx                        | 14 +++++++++-----
 11 files changed, 50 insertions(+), 45 deletions(-)

diff --git a/frontends/main/src/app/robots.ts b/frontends/main/src/app/robots.ts
index d1d75150f7..702bb7e17f 100644
--- a/frontends/main/src/app/robots.ts
+++ b/frontends/main/src/app/robots.ts
@@ -1,7 +1,20 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
+import { dangerouslyDetectProductionBuildPhase } from "./sitemaps/util"
+
+/**
+ * As of NextJS 15.5.3, metadata routes like robots.ts are ALWAYS executed at
+ * build time even with force-dynamic (this may be a NextJS bug). We guard
+ * against that here so requiredEnv() is not called before NEXT_PUBLIC_ORIGIN
+ * is injected at runtime by Kubernetes.
+ */
+export const dynamic = "force-dynamic"
 
 export default function robots(): MetadataRoute.Robots {
+  if (dangerouslyDetectProductionBuildPhase()) {
+    // Safe fallback during `next build`: never served in production.
+    return { rules: { userAgent: "*", disallow: "/" } }
+  }
   const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const shouldIndex = process.env.MITOL_NOINDEX === "false"
 
diff --git a/frontends/main/src/app/sitemaps/channels/sitemap.ts b/frontends/main/src/app/sitemaps/channels/sitemap.ts
index 7aea1a816c..c8ee20485a 100644
--- a/frontends/main/src/app/sitemaps/channels/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/channels/sitemap.ts
@@ -1,14 +1,10 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 import { getQueryClient } from "@/app/getQueryClient"
 import { channelQueries } from "api/hooks/channels"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 100
 
 /**
@@ -24,6 +20,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
     channelQueries.list({ limit: PAGE_SIZE }),
diff --git a/frontends/main/src/app/sitemaps/podcast/sitemap.ts b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
index aea4b26602..6394daac5b 100644
--- a/frontends/main/src/app/sitemaps/podcast/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/podcast/sitemap.ts
@@ -1,15 +1,11 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 const RESOURCE_TYPES = [
@@ -30,6 +26,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
@@ -52,6 +49,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.list({
diff --git a/frontends/main/src/app/sitemaps/products/sitemap.ts b/frontends/main/src/app/sitemaps/products/sitemap.ts
index 48f66ed942..e1ce256297 100644
--- a/frontends/main/src/app/sitemaps/products/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/products/sitemap.ts
@@ -1,21 +1,18 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { PlatformEnum, ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
-import { GenerateSitemapResult } from "../types"
+import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 export const dynamic = "force-dynamic"
 
 export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
diff --git a/frontends/main/src/app/sitemaps/resources/sitemap.ts b/frontends/main/src/app/sitemaps/resources/sitemap.ts
index 2da7e6b195..e1f7801ecb 100644
--- a/frontends/main/src/app/sitemaps/resources/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/resources/sitemap.ts
@@ -1,14 +1,10 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
-import invariant from "tiny-invariant"
-import { GenerateSitemapResult } from "../types"
+import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 /**
@@ -24,6 +20,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
     learningResourceQueries.summaryList({
@@ -45,6 +42,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.summaryList({
diff --git a/frontends/main/src/app/sitemaps/static/sitemap.ts b/frontends/main/src/app/sitemaps/static/sitemap.ts
index 94c78201e9..a42b2e1206 100644
--- a/frontends/main/src/app/sitemaps/static/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/static/sitemap.ts
@@ -1,7 +1,17 @@
 import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
+import { dangerouslyDetectProductionBuildPhase } from "../util"
+
+/**
+ * As of NextJS 15.5.3, metadata routes like sitemap.ts are ALWAYS executed at
+ * build time even with force-dynamic (this may be a NextJS bug). We guard
+ * against that here so requiredEnv() is not called before NEXT_PUBLIC_ORIGIN
+ * is injected at runtime by Kubernetes.
+ */
+export const dynamic = "force-dynamic"
 
 export default function sitemap(): MetadataRoute.Sitemap {
+  if (dangerouslyDetectProductionBuildPhase()) return []
   const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   return [
     {
diff --git a/frontends/main/src/app/sitemaps/video/sitemap.ts b/frontends/main/src/app/sitemaps/video/sitemap.ts
index 75ed529455..11e052e3ef 100644
--- a/frontends/main/src/app/sitemaps/video/sitemap.ts
+++ b/frontends/main/src/app/sitemaps/video/sitemap.ts
@@ -1,15 +1,11 @@
-import { env } from "@/env"
+import { requiredEnv } from "@/env"
 import type { MetadataRoute } from "next"
 import { getQueryClient } from "@/app/getQueryClient"
 import { learningResourceQueries } from "api/hooks/learningResources"
 import { ResourceTypeEnum } from "api"
-import invariant from "tiny-invariant"
 import type { GenerateSitemapResult } from "../types"
 import { dangerouslyDetectProductionBuildPhase } from "../util"
 
-const BASE_URL = env("NEXT_PUBLIC_ORIGIN")
-invariant(BASE_URL, "NEXT_PUBLIC_ORIGIN must be defined")
-
 const PAGE_SIZE = 1_000
 
 const RESOURCE_TYPES = [ResourceTypeEnum.Video, ResourceTypeEnum.VideoPlaylist]
@@ -27,6 +23,7 @@ export async function generateSitemaps(): Promise<GenerateSitemapResult[]> {
    * Early exit here to avoid the useless build-time API calls.
    */
   if (dangerouslyDetectProductionBuildPhase()) return []
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
 
   const queryClient = getQueryClient()
   const { count } = await queryClient.fetchQuery(
@@ -49,6 +46,7 @@ export default async function sitemap({
 }: {
   id: string
 }): Promise<MetadataRoute.Sitemap> {
+  const BASE_URL = requiredEnv("NEXT_PUBLIC_ORIGIN")
   const queryClient = getQueryClient()
   const data = await queryClient.fetchQuery(
     learningResourceQueries.list({
diff --git a/frontends/main/src/common/certificateUtils.ts b/frontends/main/src/common/certificateUtils.ts
index 8dfd184b56..1fc511b126 100644
--- a/frontends/main/src/common/certificateUtils.ts
+++ b/frontends/main/src/common/certificateUtils.ts
@@ -5,8 +5,6 @@ import type {
 } from "@mitodl/mitxonline-api-axios/v2"
 
 import { LINKEDIN_ADD_TO_PROFILE_BASE_URL } from "@/common/urls"
-import invariant from "tiny-invariant"
-
 /**
  * Returns common display info for a certificate.
  */
@@ -26,7 +24,6 @@ export enum CertificateType {
  */
 
 const API_BASE_URL = env("NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL")
-invariant(API_BASE_URL, "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL must be set")
 
 /* This is the Organization ID for MIT OpenLearning on LinkedIn as far as I can tell. We could parameterize this if needed */
 const ORG_ID = 74540637
diff --git a/frontends/main/src/common/mitxonline/index.ts b/frontends/main/src/common/mitxonline/index.ts
index 243c8e8daa..6bc243727e 100644
--- a/frontends/main/src/common/mitxonline/index.ts
+++ b/frontends/main/src/common/mitxonline/index.ts
@@ -12,12 +12,10 @@ import {
   EnrollmentModeEnum,
   NodeTypeEnum,
 } from "@mitodl/mitxonline-api-axios/v2"
-import invariant from "tiny-invariant"
 
 const NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL = env(
   "NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL",
 )
-invariant(NEXT_PUBLIC_MITX_ONLINE_LEGACY_BASE_URL)
 
 const upgradeRunUrl = (product: ProductFlexiblePrice): string => {
   try {
diff --git a/frontends/main/src/common/urls.ts b/frontends/main/src/common/urls.ts
index d8fbef6b36..e5b01b36a8 100644
--- a/frontends/main/src/common/urls.ts
+++ b/frontends/main/src/common/urls.ts
@@ -1,7 +1,6 @@
 import { env } from "@/env"
 import type { BaseProgramDisplayMode } from "@mitodl/mitxonline-api-axios/v2"
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
-import invariant from "tiny-invariant"
 
 // matches ! $ & ' ( ) * + , ; = : @ ~
 const SAFE_IN_PATH_SEGMENT =
@@ -65,12 +64,6 @@ export const makeChannelManageWidgetsPath = (
   name: string,
 ) => generatePath(CHANNEL_EDIT_WIDGETS, { channelType, name })
 
-const ORIGIN = env("NEXT_PUBLIC_ORIGIN")
-invariant(ORIGIN, "NEXT_PUBLIC_ORIGIN must be set")
-if (process.env.NODE_ENV !== "production") {
-  invariant(!ORIGIN?.endsWith("/"), "NEXT_PUBLIC_ORIGIN should not end with /")
-}
-
 const MITOL_API_BASE_URL = env("NEXT_PUBLIC_MITOL_API_BASE_URL")
 
 export const DASHBOARD_VIEW = "/dashboard/[tab]"
@@ -177,7 +170,9 @@ export type LoginUrlOpts = {
 }
 
 const stringifyUrlDescriptor = (val: UrlDescriptor) => {
-  const url = new URL(ORIGIN)
+  // ORIGIN is read at call time (request time) so NEXT_PUBLIC_ORIGIN is
+  // available — it is not set at build time in the standalone Docker image.
+  const url = new URL(env("NEXT_PUBLIC_ORIGIN") ?? "")
   url.pathname = val.pathname
   if (val.searchParams) {
     val.searchParams.forEach((v, k) => url.searchParams.set(k, v))
diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index 4adc867844..b4483c1a89 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,5 +1,6 @@
 import { env } from "@/env"
-import React, { useState } from "react"
+import type React from "react"
+import { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
 import { useFeatureFlagEnabled, usePostHog } from "posthog-js/react"
@@ -18,7 +19,12 @@ import {
   useImageWithFallback,
 } from "ol-utilities"
 import { ResourceTypeEnum, ResourceTypeGroupEnum, PlatformEnum } from "api"
-import { Button, ButtonLink, ButtonProps, Input } from "@mitodl/smoot-design"
+import {
+  Button,
+  ButtonLink,
+  type ButtonProps,
+  Input,
+} from "@mitodl/smoot-design"
 import type { LearningResource } from "api"
 import {
   RiBookmarkFill,
@@ -49,10 +55,8 @@ import {
 import { DisplayModeEnum } from "@mitodl/mitxonline-api-axios/v2"
 import { FeatureFlags } from "@/common/feature_flags"
 import { externalLinkProps } from "@/common/utils"
-import invariant from "tiny-invariant"
 
 const NEXT_PUBLIC_ORIGIN = env("NEXT_PUBLIC_ORIGIN")
-invariant(NEXT_PUBLIC_ORIGIN, "NEXT_PUBLIC_ORIGIN must be defined")
 
 const showChatClass = "show-chat"
 const showChatSelector = `.${showChatClass} &`
@@ -295,7 +299,7 @@ const appendUtmParams = (url?: string | null, resourceTitle?: string) => {
   if (!url) return "#"
   try {
     const parsedUrl = new URL(url, NEXT_PUBLIC_ORIGIN)
-    if (parsedUrl.href.startsWith(NEXT_PUBLIC_ORIGIN)) {
+    if (parsedUrl.href.startsWith(NEXT_PUBLIC_ORIGIN ?? "")) {
       // Do not add UTM params for internal URLs
       return url
     }

From 0fefffd69a6347be7d4f0f05132113d546f12759 Mon Sep 17 00:00:00 2001
From: Tobias Macey <tmacey@mit.edu>
Date: Fri, 22 May 2026 13:01:22 -0400
Subject: [PATCH 10/10] fix: restore React value import in CallToActionSection

Biome auto-fix split 'import React, { useState }' into a type-only
'import type React' plus a value 'import { useState }'. Jest uses the
classic JSX transform which requires React as a runtime value in scope;
the type-only import stripped it out, causing ReferenceError in tests.
---
 .../LearningResourceExpanded/CallToActionSection.tsx           | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
index b4483c1a89..6ec9fa2acc 100644
--- a/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
+++ b/frontends/main/src/page-components/LearningResourceExpanded/CallToActionSection.tsx
@@ -1,6 +1,5 @@
 import { env } from "@/env"
-import type React from "react"
-import { useState } from "react"
+import React, { useState } from "react"
 import styled from "@emotion/styled"
 import { default as NextImage } from "next/image"
 import { useFeatureFlagEnabled, usePostHog } from "posthog-js/react"