import type { NextConfig } from "next";

import { nonCspSecurityHeaders } from "./src/lib/csp-config";
import { parseAllowedDevOrigins } from "./src/lib/next-dev-origins";

const allowedDevOrigins = parseAllowedDevOrigins(process.env.ALLOWED_DEV_ORIGINS);

const nextConfig: NextConfig = {
  ...(allowedDevOrigins.length > 0 ? { allowedDevOrigins } : {}),
  reactCompiler: true,

  // 非 CSP 安全头；CSP 由 middleware 按后台接入站点白名单动态生成。
  async headers() {
    return [
      {
        source: "/:path*",
        headers: nonCspSecurityHeaders,
      },
    ];
  },
};

export default nextConfig;