docs(repo): add conformance rule for NX_* env var documentation (#35353)

## Current Behavior

`NX_*` env vars can be added to Nx source without being documented in
`astro-docs/src/content/docs/reference/environment-variables.mdoc`.
Nothing catches the drift.

## Expected Behavior

Adds a conformance rule (`env-vars-documented`) that fails when an
`NX_*` var is read in source but missing from the docs. Covers TS/JS
`process.env.NX_*` and Rust `env::var` / `env!` patterns, skipping tests
and fixtures. An `ignore` list in `nx.json` handles internal markers not
meant to be documented.

Also documents the user-facing vars the first run surfaced (self-hosted
cache, provenance, plugin isolation, Nx Cloud timeouts, etc.) and marks
`NX_CLOUD_AUTH_TOKEN` and `NX_CLOUD_DISTRIBUTED_EXECUTION_AGENT_COUNT`
as deprecated.

## Related Issue(s)

N/A — internal tooling improvement.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: nx-cloud[bot] <71083854+nx-cloud[bot]@users.noreply.github.com>
Co-authored-by: barbados-clemens <[email protected]>

Author: 3 people

astro-docs/src/content/docs/concepts/nx-daemon.mdoc

@@ -49,7 +49,7 @@ To see information about the running Nx Daemon (such as its background process I
 ## Customizing the socket location
 
 The Nx Daemon uses a unix socket to communicate between the daemon and the Nx processes. By default this socket gets placed in a temp directory. If you are using Nx in a docker-compose environment, however, you may want to run the daemon manually
-and control its location to enable sharing the daemon among your docker containers. To do so, set the `NX_DAEMON_SOCKET_DIR` environment variable to a shared directory.
+and control its location to enable sharing the daemon among your docker containers. To do so, set the `NX_SOCKET_DIR` environment variable to a shared directory.
 
 ## Daemon behavior in containers
 

astro-docs/src/content/docs/reference/environment-variables.mdoc

@@ -64,10 +64,10 @@ Both environment variables work around the symptom rather than fixing the root c
 
 For advanced use cases, Nx provides environment variables to override where socket files are created:
 
-| Variable                         | Description                                                        |
-| -------------------------------- | ------------------------------------------------------------------ |
-| `NX_SOCKET_DIR`                  | Overrides the directory for both daemon and forked process sockets |
-| `NX_DAEMON_SOCKET_DIR`           | Overrides the daemon socket directory specifically                 |
-| `NX_NATIVE_FILE_CACHE_DIRECTORY` | Overrides the native file cache path                               |
+| Variable                         | Description                                                                                         |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- |
+| `NX_SOCKET_DIR`                  | Overrides the directory for all Nx sockets (daemon, forked process, and plugin)                     |
+| `NX_DAEMON_SOCKET_DIR`           | Legacy alias of `NX_SOCKET_DIR`. Used only when `NX_SOCKET_DIR` is not set. Prefer `NX_SOCKET_DIR`. |
+| `NX_NATIVE_FILE_CACHE_DIRECTORY` | Overrides the native file cache path                                                                |
 
 These are primarily useful for environments with restricted temp directory access (e.g., certain Docker or CI setups). For Claude Code's sandbox, `allowAllUnixSockets: true` is simpler and more reliable.

astro-docs/src/content/docs/troubleshooting/nx-sandbox-unix-sockets.mdoc

@@ -376,6 +376,40 @@
       },
       {
         "rule": "./dist/workspace-plugin/src/conformance-rules/types-versions-exports-sync"
+      },
+      {
+        "rule": "./dist/workspace-plugin/src/conformance-rules/env-vars-documented",
+        "options": {
+          "ignore": [
+            "NX_ANALYTICS_SESSION_ID",
+            "NX_FORKED_TASK_EXECUTOR",
+            "NX_RUN_COMMANDS_DIRECTLY",
+            "NX_DAEMON_PROCESS",
+            "NX_IPC_CHANNEL_ID",
+            "NX_PSEUDO_TERMINAL_EXEC_ARGV",
+            "NX_GENERATE_DOCS_PROCESS",
+            "NX_RELEASE_INTERNAL_SUPPRESS_FILTER_LOG",
+            "NX_WORKSPACE_ROOT_PATH",
+            "NX_IMPORT_SOURCE",
+            "NX_IMPORT_DESTINATION",
+            "NX_PROJECT_GRAPH_CACHE_DIRECTORY",
+            "NX_CONSOLE",
+            "NX_DEBUG_TELEMETRY",
+            "NX_TUI_INLINE_MODE",
+            "NX_TUI_SKIP_CAPABILITY_CHECK",
+            "NX_SKIP_CHECK_REMOTE",
+            "NX_CLI_SET",
+            "NX_WORKSPACE_ROOT",
+            "NX_TERMINAL_OUTPUT_PATH",
+            "NX_TERMINAL_CAPTURE_STDERR",
+            "NX_VERSION",
+            "NX_STREAM_OUTPUT",
+            "NX_PREFIX_OUTPUT",
+            "NX_INFER_ALL_PACKAGE_JSONS",
+            "NX_AI_FILES_USE_LOCAL",
+            "NX_WINDOWS_PTY_SUPPORT"
+          ]
+        }
       }
     ]
   },

nx.json

@@ -0,0 +1,107 @@
+import { extractDocumentedVars, extractUsedVarsFromContent } from './index';
+
+describe('env-vars-documented', () => {
+  describe('extractDocumentedVars()', () => {
+    it('extracts NX_* names from table rows', () => {
+      const mdoc = [
+        '## Nx environment variables',
+        '',
+        '| Property                 | Type    | Description       |',
+        '| ------------------------ | ------- | ----------------- |',
+        '| `NX_BAIL`                | boolean | Stop on failure.  |',
+        '| `NX_DAEMON`              | boolean | Disable daemon.   |',
+        '| `SOMETHING_ELSE`         | string  | Not an Nx var.    |',
+        '',
+      ].join('\n');
+
+      const result = extractDocumentedVars(mdoc);
+
+      expect(Array.from(result).sort()).toEqual(['NX_BAIL', 'NX_DAEMON']);
+    });
+
+    it('ignores NX_* mentions in prose and descriptions', () => {
+      const mdoc = [
+        'Setting `NX_PROSE_ONLY` in your shell will not be detected here.',
+        '| `NX_REAL_ENTRY` | boolean | Some `NX_INLINE_CODE` in the description. |',
+      ].join('\n');
+
+      const result = extractDocumentedVars(mdoc);
+
+      expect(Array.from(result)).toEqual(['NX_REAL_ENTRY']);
+    });
+  });
+
+  describe('extractUsedVarsFromContent()', () => {
+    it('finds NX_* vars via process.env.X access', () => {
+      const source = `
+        if (process.env.NX_BAIL === 'true') return;
+        const token = process.env.NX_CLOUD_ACCESS_TOKEN;
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.ts').sort()).toEqual([
+        'NX_BAIL',
+        'NX_CLOUD_ACCESS_TOKEN',
+      ]);
+    });
+
+    it('finds NX_* vars via process.env["X"] and [\'X\'] access', () => {
+      const source = `
+        process.env["NX_DOUBLE_QUOTED"];
+        process.env['NX_SINGLE_QUOTED'];
+        process.env[\`NX_TEMPLATE_LITERAL\`];
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.ts').sort()).toEqual([
+        'NX_DOUBLE_QUOTED',
+        'NX_SINGLE_QUOTED',
+        'NX_TEMPLATE_LITERAL',
+      ]);
+    });
+
+    it('does not match string literals outside of process.env access', () => {
+      const source = `
+        const msg = "set NX_FAKE to true";
+        const other = 'NX_ALSO_FAKE';
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.ts')).toEqual([]);
+    });
+
+    it('finds NX_* vars in Rust via env::var and std::env::var', () => {
+      const source = `
+        let a = env::var("NX_FIRST");
+        let b = std::env::var("NX_SECOND").unwrap_or_default();
+        let c = env::var_os("NX_THIRD");
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.rs').sort()).toEqual([
+        'NX_FIRST',
+        'NX_SECOND',
+        'NX_THIRD',
+      ]);
+    });
+
+    it('does not flag Rust env! macro usage (compile-time)', () => {
+      const source = `let build_tag = env!("NX_BUILD_TAG");`;
+      expect(extractUsedVarsFromContent(source, 'foo.rs')).toEqual([]);
+    });
+
+    it('finds NX_* vars in Rust via EnvFilter::(try_)?from_env', () => {
+      const source = `
+        EnvFilter::try_from_env("NX_TRY_FROM_ENV");
+        EnvFilter::from_env("NX_FROM_ENV");
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.rs').sort()).toEqual([
+        'NX_FROM_ENV',
+        'NX_TRY_FROM_ENV',
+      ]);
+    });
+
+    it('returns duplicates when the same var is read more than once', () => {
+      const source = `
+        process.env.NX_VERBOSE_LOGGING;
+        if (process.env.NX_VERBOSE_LOGGING === 'true') {}
+      `;
+      expect(extractUsedVarsFromContent(source, 'foo.ts')).toEqual([
+        'NX_VERBOSE_LOGGING',
+        'NX_VERBOSE_LOGGING',
+      ]);
+    });
+  });
+});

tools/workspace-plugin/src/conformance-rules/env-vars-documented/index.spec.ts

@@ -0,0 +1,118 @@
+import {
+  createConformanceRule,
+  type ConformanceViolation,
+} from '@nx/conformance';
+import type { Tree } from '@nx/devkit';
+
+type Options = {
+  ignore?: string[];
+};
+
+const DOCS_PATH =
+  'astro-docs/src/content/docs/reference/environment-variables.mdoc';
+const NX_CORE_PROJECT = 'nx';
+const MAX_EXAMPLE_FILES = 3;
+
+const SCANNABLE_EXT = /\.(ts|tsx|js|mjs|cjs|rs)$/;
+const TEST_FILE = /\.(spec|test)\.(ts|tsx|js)$/;
+const EXCLUDED_SEGMENT = /(__fixtures__|__snapshots__|\/files\/|\/dist\/)/;
+
+const TS_JS_USAGE = /process\.env(?:\.|\[['"`])(NX_[A-Z0-9_]+)/g;
+const RUST_ENV_VAR = /(?:std::)?env::var(?:_os)?\s*\(\s*"(NX_[A-Z0-9_]+)"/g;
+const RUST_FROM_ENV = /(?:try_)?from_env\s*\(\s*"(NX_[A-Z0-9_]+)"/g;
+const DOCS_TABLE_ROW = /^\|\s*`(NX_[A-Z0-9_]+)`/gm;
+
+export default createConformanceRule<Options>({
+  name: 'env-vars-documented',
+  category: 'consistency',
+  description:
+    'Ensures every NX_* environment variable in source code is covered by docs',
+  implementation: async ({ tree, fileMapCache, ruleOptions }) => {
+    const ignore = new Set(ruleOptions?.ignore ?? []);
+
+    const docsContent = tree.read(DOCS_PATH, 'utf-8');
+    if (!docsContent) {
+      return {
+        severity: 'high',
+        details: {
+          violations: [
+            {
+              message: `Could not read ${DOCS_PATH}. The conformance rule expects to run from the workspace root.`,
+              file: DOCS_PATH,
+            },
+          ],
+        },
+      };
+    }
+    const documented = extractDocumentedVars(docsContent);
+
+    const nxFiles =
+      fileMapCache.fileMap.projectFileMap?.[NX_CORE_PROJECT] ?? [];
+    const filesToScan = nxFiles
+      .map(({ file }) => file)
+      .filter(isScannableSourceFile);
+    const usages = extractUsagesFromFiles(tree, filesToScan);
+
+    const violations: ConformanceViolation[] = [];
+    for (const [name, files] of usages) {
+      if (documented.has(name) || ignore.has(name)) continue;
+      const examples = [...files].join(', ');
+      violations.push({
+        message: `Env var \`${name}\` not documented. Found in ${examples}. Add a row to ${DOCS_PATH} or list \`${name}\` in the rule's "ignore" option.`,
+        file: DOCS_PATH,
+      });
+    }
+
+    return {
+      severity: violations.length > 0 ? 'medium' : 'low',
+      details: { violations },
+    };
+  },
+});
+
+function isScannableSourceFile(file: string): boolean {
+  if (!SCANNABLE_EXT.test(file)) return false;
+  if (TEST_FILE.test(file)) return false;
+  if (EXCLUDED_SEGMENT.test(file)) return false;
+  return true;
+}
+
+function extractUsagesFromFiles(
+  tree: Tree,
+  files: string[]
+): Map<string, Set<string>> {
+  const usages = new Map<string, Set<string>>();
+  for (const file of files) {
+    const content = tree.read(file, 'utf-8');
+    if (!content) continue;
+    for (const name of extractUsedVarsFromContent(content, file)) {
+      let set = usages.get(name);
+      if (!set) {
+        set = new Set();
+        usages.set(name, set);
+      }
+      if (set.size < MAX_EXAMPLE_FILES) set.add(file);
+    }
+  }
+  return usages;
+}
+
+export function extractDocumentedVars(mdocContent: string): Set<string> {
+  return new Set(Array.from(mdocContent.matchAll(DOCS_TABLE_ROW), (m) => m[1]));
+}
+
+export function extractUsedVarsFromContent(
+  content: string,
+  file: string
+): string[] {
+  const patterns = file.endsWith('.rs')
+    ? [RUST_ENV_VAR, RUST_FROM_ENV]
+    : [TS_JS_USAGE];
+  const found: string[] = [];
+  for (const pattern of patterns) {
+    for (const m of content.matchAll(pattern)) {
+      found.push(m[1]);
+    }
+  }
+  return found;
+}

tools/workspace-plugin/src/conformance-rules/env-vars-documented/index.ts

@@ -0,0 +1,12 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "ignore": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "NX_* env var names that are intentionally not part of the user-facing documented contract (internal, test-only, or deprecated aliases)."
+    }
+  },
+  "additionalProperties": false
+}