/** @type {import('next').NextConfig} */
const nextConfig = {
  // Standalone output so PM2 can run `node .next/standalone/server.js` on the Plesk VPS.
  output: "standalone",
  reactStrictMode: true,
  eslint: {
    // Lint is run as its own step in CI; don't fail production builds on lint.
    ignoreDuringBuilds: true,
  },
  images: {
    remotePatterns: [
      // DALL·E asset URLs (OpenAI blob storage) used before they are persisted to local disk.
      // Scoped to the single OpenAI host actually used — no broad *.blob.core.windows.net wildcard.
      { protocol: "https", hostname: "oaidalleapiprodscus.blob.core.windows.net" },
      // Marketing imagery (features/about pages).
      { protocol: "https", hostname: "images.unsplash.com" },
    ],
  },
  // Server-only packages that should be required at runtime, not bundled by webpack.
  // better-auth ships internal adapters (kysely) that break webpack's ESM analysis.
  serverExternalPackages: ["pg-boss", "@prisma/client", "better-auth"],
  // Static security headers applied to every route. The Content-Security-Policy is
  // intentionally NOT set here — it is built per-request with a nonce in middleware.ts
  // so script-src can drop 'unsafe-inline'/'unsafe-eval' (nonce + 'strict-dynamic').
  async headers() {
    return [
      {
        source: "/:path*",
        headers: [
          { key: "X-Frame-Options", value: "DENY" },
          { key: "X-Content-Type-Options", value: "nosniff" },
          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
          { key: "X-DNS-Prefetch-Control", value: "off" },
          { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
          {
            key: "Strict-Transport-Security",
            value: "max-age=63072000; includeSubDomains; preload",
          },
        ],
      },
    ];
  },
};

export default nextConfig;