import { IMPOSSIBLE, VersionInfo } from '@start9labs/start-sdk'

/**
 * v1.0.0:2 — revert of the nonce-based Content-Security-Policy.
 *
 * Background: v1.0.0:1 introduced a per-request CSP nonce, generated in
 * Next.js middleware. In production (Next 14.2.x) the inline bootstrap
 * scripts did not reliably pick up that nonce, the browser blocked them,
 * and the app showed a blank first paint.
 *
 * What this release does: goes back to a static CSP that allows
 * `'unsafe-inline'` in both script-src and style-src — the posture that
 * worked through the v1.0.0:1 cutover smoke build. The other security
 * headers (HSTS, Referrer-Policy, Permissions-Policy, etc.) and every
 * other v1.0.0:1 change stay as they were.
 *
 * Security trade-off: with `'unsafe-inline'` in script-src the policy no
 * longer stops an injected inline <script> or inline event handler from
 * running, so CSP stops acting as a second layer against XSS and the app's
 * own output encoding carries that load alone.
 * NOTE(review): treat this as an interim posture — track restoring a
 * nonce- or hash-based script-src once nonce propagation is fixed, and
 * confirm that the static policy (not defined in this file) loosens
 * nothing beyond the two directives named above.
 *
 * Data: no schema change and no data migration; /data on existing
 * v1.0.0:1 installs is left exactly as it is.
 */

// User-facing release notes, keyed by locale.
const releaseNotes = {
  en_US:
    'Bug fix: blank first paint on v1.0.0:1 caused by an over-strict Content-Security-Policy. Reverts CSP to the same posture that worked through the cutover smoke build. No data migration; /data is untouched.',
}

const migrations = {
  // Deliberate no-op: this release changes response headers only, so there
  // is nothing to transform on upgrade.
  up: async () => {},
  // NOTE(review): presumably IMPOSSIBLE tells the SDK there is no downgrade
  // path from this version. Since no data changes here, confirm that
  // blocking the downgrade is intended rather than a no-op `down`.
  down: IMPOSSIBLE,
}

export const v_1_0_0_2 = VersionInfo.of({
  version: '1.0.0:2',
  releaseNotes,
  migrations,
})