Hartmut
bfdf0a82da
Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>
93 lines
2.9 KiB
TypeScript
93 lines
2.9 KiB
TypeScript
import path from "path";
|
|
import type { NextConfig } from "next";
|
|
|
|
const nextConfig: NextConfig = {
|
|
distDir: process.env.NEXT_DIST_DIR ?? ".next",
|
|
output: "standalone",
|
|
outputFileTracingRoot: path.resolve(__dirname, "../.."),
|
|
devIndicators: false,
|
|
experimental: {
|
|
optimizePackageImports: ["recharts", "date-fns"],
|
|
},
|
|
transpilePackages: [
|
|
"@capakraken/api",
|
|
"@capakraken/db",
|
|
"@capakraken/engine",
|
|
"@capakraken/shared",
|
|
"@capakraken/staffing",
|
|
"@capakraken/ui",
|
|
],
|
|
typedRoutes: true,
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: "/(.*)",
|
|
headers: [
|
|
{ key: "X-Frame-Options", value: "DENY" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
|
|
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
|
|
{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
|
|
// Content-Security-Policy is set per-request by middleware.ts (nonce-based).
|
|
// Static CSP here would conflict and cannot carry per-request nonces.
|
|
{ key: "X-XSS-Protection", value: "0" },
|
|
],
|
|
},
|
|
{
|
|
source: "/auth/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
|
|
{ key: "Pragma", value: "no-cache" },
|
|
],
|
|
},
|
|
{
|
|
source: "/api/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
],
|
|
},
|
|
{
|
|
// Catch-all for error pages and any remaining routes
|
|
source: "/:path*",
|
|
headers: [
|
|
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
|
|
{ key: "Pragma", value: "no-cache" },
|
|
],
|
|
},
|
|
];
|
|
},
|
|
// Webpack config (used by `next build` and `next dev` without --turbo)
|
|
webpack(config) {
|
|
config.resolve.alias = {
|
|
...config.resolve.alias,
|
|
"~": path.resolve(__dirname, "src"),
|
|
};
|
|
// Resolve .js imports to .ts/.tsx (TypeScript ESM convention)
|
|
config.resolve.extensionAlias = {
|
|
...config.resolve.extensionAlias,
|
|
".js": [".ts", ".tsx", ".js"],
|
|
".jsx": [".tsx", ".jsx"],
|
|
};
|
|
return config;
|
|
},
|
|
};
|
|
|
|
// Only wrap with Sentry in production — the worker.js crash in dev mode
|
|
// (vendor-chunks/lib/worker.js MODULE_NOT_FOUND) makes the dev server unstable
|
|
// Sentry only in production — dynamic import avoids side effects in dev
|
|
let exportedConfig: NextConfig = nextConfig;
|
|
if (process.env.NODE_ENV === "production") {
|
|
try {
|
|
const { withSentryConfig } = require("@sentry/nextjs");
|
|
exportedConfig = withSentryConfig(nextConfig, {
|
|
silent: true,
|
|
sourcemaps: { disable: true },
|
|
telemetry: false,
|
|
});
|
|
} catch {
|
|
// Sentry not available — use raw config
|
|
}
|
|
}
|
|
export default exportedConfig;
|