Keysat
edeb1eb148
v1.0.0:1 shipped a per-request nonce-based CSP via Next.js middleware. In production it produced a blank first paint: Next 14.2.x's bootstrap inline scripts weren't picking up the nonce reliably from the x-nonce request header, so the browser blocked them. This release reverts to the pre-experiment posture: - middleware.ts back to auth gating only (no nonce, no CSP). - next.config.js restores the static CSP with `'unsafe-inline'` allowed for script-src and style-src. Same headers (HSTS, Referrer-Policy, Permissions-Policy, frame-ancestors 'none', etc.) all stay. - New startos/versions/v1.0.0.2.ts with empty up/down migrations and a release note explaining the bug + revert. Promoted to `current` in the version graph; v1.0.0:1 moves to `other` so existing installs upgrade in place. No schema changes, no data migration. Existing v1.0.0:1 installs keep their /data. Re-attempt path documented in middleware.ts and next.config.js comments: future PR can revisit nonce CSP using Next's documented pattern verbatim (notably setting CSP on BOTH request headers and response headers — we only set it on response).
22 lines
731 B
TypeScript
22 lines
731 B
TypeScript
import { VersionGraph } from '@start9labs/start-sdk'
|
|
import { v_1_0_0_1 } from './v1.0.0.1'
|
|
import { v_1_0_0_2 } from './v1.0.0.2'
|
|
|
|
/**
|
|
* Version graph for the `proof-of-work` package.
|
|
*
|
|
* v1.0.0:1 — initial release, seeded cutover from the legacy
|
|
* `workout-log` package.
|
|
* v1.0.0:2 — CSP fix (reverts the over-strict nonce-based CSP that
|
|
* broke first paint in v1.0.0:1).
|
|
*
|
|
* StartOS picks `current` as the install target; `other` lists every
|
|
* node that can upgrade into `current`. Hosts on v1.0.0:1 upgrade to
|
|
* v1.0.0:2 via the no-op up migration; fresh installs land directly
|
|
* on v1.0.0:2.
|
|
*/
|
|
export const versionGraph = VersionGraph.of({
|
|
current: v_1_0_0_2,
|
|
other: [v_1_0_0_1],
|
|
})
|