/** @type {import('next').NextConfig} */
const nextConfig = {
  // Standalone output so PM2 can run `node .next/standalone/server.js` on the Plesk VPS.
  output: "standalone",
  reactStrictMode: true,
  eslint: {
    // Lint is run as its own step in CI; don't fail production builds on lint.
    ignoreDuringBuilds: true,
  },
  images: {
    remotePatterns: [
      // DALL·E asset URLs (OpenAI blob storage) used before they are persisted to local disk.
      // Scoped to the single OpenAI host actually used — no broad *.blob.core.windows.net wildcard.
      { protocol: "https", hostname: "oaidalleapiprodscus.blob.core.windows.net" },
      // Marketing imagery (features/about pages).
      { protocol: "https", hostname: "images.unsplash.com" },
    ],
  },
  // Server-only packages that should be required at runtime, not bundled by webpack.
  // better-auth ships internal adapters (kysely) that break webpack's ESM analysis.
  serverExternalPackages: ["pg-boss", "@prisma/client", "better-auth"],
  // Security headers applied to every route.
  async headers() {
    // Pragmatic CSP: Next.js's inline/runtime bootstrap currently requires
    // 'unsafe-inline'/'unsafe-eval' in script-src. Future improvement: tighten
    // to per-request nonces (and drop 'unsafe-*') once the app is migrated.
    const csp = [
      "default-src 'self'",
      "img-src 'self' data: https://*.blob.core.windows.net https://images.unsplash.com",
      "media-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
      "connect-src 'self'",
      "frame-ancestors 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join("; ");
    return [
      {
        source: "/:path*",
        headers: [
          { key: "X-Frame-Options", value: "DENY" },
          { key: "X-Content-Type-Options", value: "nosniff" },
          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
          { key: "X-DNS-Prefetch-Control", value: "off" },
          { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
          {
            key: "Strict-Transport-Security",
            value: "max-age=63072000; includeSubDomains; preload",
          },
          { key: "Content-Security-Policy", value: csp },
        ],
      },
    ];
  },
};

export default nextConfig;