agent-studio/next.config.ts at main · CUNY-AI-Lab/agent-studio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import type { NextConfig } from "next";

const prod = process.env.NODE_ENV === 'production';

const nextConfig: NextConfig = {
  // Base path for deployment at a subpath (e.g., /studio)
  basePath: process.env.NEXT_PUBLIC_BASE_PATH || '',
  serverExternalPackages: ["pdf-parse"],
  // Expand Turbopack's filesystem root to handle .venv symlinks
  turbopack: {
    // Keep root scoped to the project directory to avoid scanning the entire FS
    root: process.cwd(),
  },
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
          {
            key: 'X-Frame-Options',
            value: 'SAMEORIGIN',
          },
          {
            key: 'X-XSS-Protection',
            value: '1; mode=block',
          },
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
          {
            key: 'Permissions-Policy',
            value: 'camera=(), microphone=(), geolocation=()',
          },
          // Note: CSP is relaxed for Next.js inline scripts and Recharts
          // In production, remove unsafe-eval
          {
            key: 'Content-Security-Policy',
            value: [
              "default-src 'self'",
              prod
                ? "script-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net"
                : "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net",
              "style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com", // Required for Tailwind + CDNs + Google Fonts
              "img-src 'self' data: blob: https: http:", // Allow images from anywhere (maps, etc)
              "font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com",
              "connect-src 'self' https://api.openalex.org https://api-na.hosted.exlibrisgroup.com https://oauth.oclc.org https://lgapi-us.libapps.com https://worldcat.org https://*.tile.openstreetmap.org https://unpkg.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://*.openstreetmap.org https://threejs.org",
              "frame-src 'self' blob:",
              "object-src 'none'",
              "base-uri 'self'",
              "form-action 'self'",
              "frame-ancestors 'self'",
            ].join('; '),
          },
        ],
      },
    ];
  },
};

export default nextConfig;