Hartmut
cd0c2fe3e2
Error-Page Headers (3.3.1.3.03 → OK): - Cache-Control no-store on ALL routes (API, auth, catch-all) Proactive Monitoring (3.2.1.04 → OK): - /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure Security Scanning (3.2.2.7 → improved): - /api/cron/security-audit: package version check against minimum safe versions Server Hardening (3.3.1.4 → OK): - docs/nginx-hardening.conf: complete template (rate limits, SSL, headers) Database Security (3.3.3 → OK): - docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4) Co-Authored-By: claude-flow <ruv@ruv.net>
90 lines
3.0 KiB
TypeScript
90 lines
3.0 KiB
TypeScript
import path from "path";
|
|
import type { NextConfig } from "next";
|
|
|
|
const nextConfig: NextConfig = {
|
|
output: "standalone",
|
|
devIndicators: false,
|
|
experimental: {
|
|
optimizePackageImports: ["recharts", "date-fns"],
|
|
},
|
|
transpilePackages: [
|
|
"@capakraken/api",
|
|
"@capakraken/db",
|
|
"@capakraken/engine",
|
|
"@capakraken/shared",
|
|
"@capakraken/staffing",
|
|
"@capakraken/ui",
|
|
],
|
|
typedRoutes: true,
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: "/(.*)",
|
|
headers: [
|
|
{ key: "X-Frame-Options", value: "DENY" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
|
|
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
|
|
{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
|
|
{ key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" },
|
|
{ key: "X-XSS-Protection", value: "0" },
|
|
],
|
|
},
|
|
{
|
|
source: "/auth/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
|
|
{ key: "Pragma", value: "no-cache" },
|
|
],
|
|
},
|
|
{
|
|
source: "/api/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
],
|
|
},
|
|
{
|
|
// Catch-all for error pages and any remaining routes
|
|
source: "/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
|
|
{ key: "Pragma", value: "no-cache" },
|
|
],
|
|
},
|
|
];
|
|
},
|
|
// Webpack config (used by `next build` and `next dev` without --turbo)
|
|
webpack(config) {
|
|
config.resolve.alias = {
|
|
...config.resolve.alias,
|
|
"~": path.resolve(__dirname, "src"),
|
|
};
|
|
// Resolve .js imports to .ts/.tsx (TypeScript ESM convention)
|
|
config.resolve.extensionAlias = {
|
|
...config.resolve.extensionAlias,
|
|
".js": [".ts", ".tsx", ".js"],
|
|
".jsx": [".tsx", ".jsx"],
|
|
};
|
|
return config;
|
|
},
|
|
};
|
|
|
|
// Only wrap with Sentry in production — the worker.js crash in dev mode
|
|
// (vendor-chunks/lib/worker.js MODULE_NOT_FOUND) makes the dev server unstable
|
|
// Sentry only in production — dynamic import avoids side effects in dev
|
|
let exportedConfig: NextConfig = nextConfig;
|
|
if (process.env.NODE_ENV === "production") {
|
|
try {
|
|
const { withSentryConfig } = require("@sentry/nextjs");
|
|
exportedConfig = withSentryConfig(nextConfig, {
|
|
silent: true,
|
|
sourcemaps: { disable: true },
|
|
telemetry: false,
|
|
});
|
|
} catch {
|
|
// Sentry not available — use raw config
|
|
}
|
|
}
|
|
export default exportedConfig;
|