perf(secrets): lazy-load provider env var exports

src/secrets/provider-env-vars.dynamic.test.ts

@@ -51,6 +51,33 @@ describe("provider env vars dynamic manifest metadata", () => {
     expect(mod.listKnownSecretEnvVarNames()).toContain("FIREWORKS_ALT_API_KEY");
   });
 
+  it("keeps lazy manifest-backed exports cold until accessed and resolves them once", async () => {
+    loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "external-fireworks",
+          origin: "global",
+          providerAuthEnvVars: {
+            fireworks: ["FIREWORKS_ALT_API_KEY"],
+          },
+        },
+      ],
+      diagnostics: [],
+    });
+
+    const mod = await import("./provider-env-vars.js");
+
+    expect(loadPluginManifestRegistry).not.toHaveBeenCalled();
+    expect(mod.PROVIDER_ENV_VARS.fireworks).toEqual(["FIREWORKS_ALT_API_KEY"]);
+    expect(mod.PROVIDER_AUTH_ENV_VAR_CANDIDATES.fireworks).toEqual(["FIREWORKS_ALT_API_KEY"]);
+    const initialLoads = loadPluginManifestRegistry.mock.calls.length;
+    expect(initialLoads).toBeGreaterThan(0);
+
+    void mod.PROVIDER_ENV_VARS.fireworks;
+    void mod.PROVIDER_AUTH_ENV_VAR_CANDIDATES.fireworks;
+    expect(loadPluginManifestRegistry).toHaveBeenCalledTimes(initialLoads);
+  });
+
   it("keeps workspace plugin env vars in default lookups", async () => {
     loadPluginManifestRegistry.mockReturnValue({
       plugins: [

src/secrets/provider-env-vars.ts

@@ -163,6 +163,46 @@ export function resolveProviderEnvVars(
   };
 }
 
+function createLazyReadonlyRecord(
+  resolve: () => Record<string, readonly string[]>,
+): Record<string, readonly string[]> {
+  let cached: Record<string, readonly string[]> | undefined;
+  const getResolved = (): Record<string, readonly string[]> => {
+    cached ??= resolve();
+    return cached;
+  };
+
+  return new Proxy({} as Record<string, readonly string[]>, {
+    get(_target, prop) {
+      if (typeof prop !== "string") {
+        return undefined;
+      }
+      return getResolved()[prop];
+    },
+    has(_target, prop) {
+      return typeof prop === "string" && Object.hasOwn(getResolved(), prop);
+    },
+    ownKeys() {
+      return Reflect.ownKeys(getResolved());
+    },
+    getOwnPropertyDescriptor(_target, prop) {
+      if (typeof prop !== "string") {
+        return undefined;
+      }
+      const value = getResolved()[prop];
+      if (value === undefined) {
+        return undefined;
+      }
+      return {
+        configurable: true,
+        enumerable: true,
+        value,
+        writable: false,
+      };
+    },
+  });
+}
+
 /**
  * Provider auth env candidates used by generic auth resolution.
  *
@@ -170,9 +210,9 @@ export function resolveProviderEnvVars(
  * `resolveEnvApiKey()`. Bundled providers source this from plugin manifest
  * metadata so auth probes do not need to load plugin runtime.
  */
-export const PROVIDER_AUTH_ENV_VAR_CANDIDATES: Record<string, readonly string[]> = {
-  ...resolveProviderAuthEnvVarCandidates(),
-};
+export const PROVIDER_AUTH_ENV_VAR_CANDIDATES = createLazyReadonlyRecord(() =>
+  resolveProviderAuthEnvVarCandidates(),
+);
 
 /**
  * Provider env vars used for setup/default secret refs and broad secret
@@ -183,9 +223,7 @@ export const PROVIDER_AUTH_ENV_VAR_CANDIDATES: Record<string, readonly string[]>
  * is only for true core/non-plugin providers and a few setup-specific ordering
  * overrides where generic onboarding wants a different preferred env var.
  */
-export const PROVIDER_ENV_VARS: Record<string, readonly string[]> = {
-  ...resolveProviderEnvVars(),
-};
+export const PROVIDER_ENV_VARS = createLazyReadonlyRecord(() => resolveProviderEnvVars());
 
 export function getProviderEnvVars(
   providerId: string,