grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0.0:2 — revert CSP nonces; restore inline-friendly CSP

Browse Source 
v1.0.0:1 shipped a per-request nonce-based CSP via Next.js middleware.
In production it produced a blank first paint: Next 14.2.x's bootstrap
inline scripts weren't picking up the nonce reliably from the x-nonce
request header, so the browser blocked them.

This release reverts to the pre-experiment posture:
- middleware.ts back to auth gating only (no nonce, no CSP).
- next.config.js restores the static CSP with `'unsafe-inline'` allowed
  for script-src and style-src. Same headers (HSTS, Referrer-Policy,
  Permissions-Policy, frame-ancestors 'none', etc.) all stay.
- New startos/versions/v1.0.0.2.ts with empty up/down migrations and
  a release note explaining the bug + revert. Promoted to `current`
  in the version graph; v1.0.0:1 moves to `other` so existing
  installs upgrade in place.

No schema changes, no data migration. Existing v1.0.0:1 installs
keep their /data.

Re-attempt path documented in middleware.ts and next.config.js
comments: future PR can revisit nonce CSP using Next's documented
pattern verbatim (notably setting CSP on BOTH request headers and
response headers — we only set it on response).
This commit is contained in:
Keysat
2026-05-09 12:05:11 -05:00
parent 990f5582b8
commit edeb1eb148
4 changed files with 98 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start9/0.4/startos/versions/index.ts
+11 -8
View File
@@ -1,18 +1,21 @@
import { VersionGraph } from '@start9labs/start-sdk'
import { v_1_0_0_1 } from './v1.0.0.1'
import { v_1_0_0_2 } from './v1.0.0.2'
/**
* Version graph for the `proof-of-work` package.
*
* v1.0.0:1 — initial release, seeded cutover from the legacy `workout-log`
* package. No prior version to upgrade from.
* v1.0.0:1 — initial release, seeded cutover from the legacy
* `workout-log` package.
* v1.0.0:2 — CSP fix (reverts the over-strict nonce-based CSP that
* broke first paint in v1.0.0:1).
*
* StartOS picks `current` as the install target; `other` lists every node
* that can upgrade into `current`. Fresh sideloads land directly on
* `current`. Once we ship the post-cutover cleanup release, it goes here as
* the new `current` and v1.0.0:1 moves into `other`.
* StartOS picks `current` as the install target; `other` lists every
* node that can upgrade into `current`. Hosts on v1.0.0:1 upgrade to
* v1.0.0:2 via the no-op up migration; fresh installs land directly
* on v1.0.0:2.
*/
export const versionGraph = VersionGraph.of({
current: v_1_0_0_1,
other: [],
current: v_1_0_0_2,
other: [v_1_0_0_1],
})