Clean nextjs config file

[simo6529]

Summary by CodeRabbit

Release Notes

• Refactor
  • Consolidated and enhanced security configuration management into a dedicated, reusable module for improved application security.
  • Strengthened overall configuration handling with improved type safety and validation for better runtime reliability.
  • Optimized configuration and environment management patterns for enhanced code consistency, maintainability, and long-term stability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Introduces a new security headers module and refactors the Next.js configuration to add explicit TypeScript type annotations, strengthen environment variable access patterns with bracket notation, and import the extracted security headers logic into the main config file.

Changes

Cohort / File(s)	Summary
Security Headers Module config/securityHeaders.ts	New TypeScript module exporting createSecurityHeaders(apiEndpoint) function that returns an array of security header configurations including HSTS, CSP with dynamic endpoint, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy directives.
Next.js Configuration Refactoring next.config.ts	Enhanced type safety with explicit TypeScript annotations on all public and internal functions. Replaced direct environment variable access with bracket notation (process.env["VAR_NAME"]). Imported and integrated external createSecurityHeaders function. Strengthened signatures for sharedConfig, persistBakedArtifacts, loadBakedRuntimeConfig, nextConfigFactory, and webpack handler with parameter and return types. Updated internal references to use typed values and publicRuntime map assignments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Fix process.env use #1495 — Modifies Next.js configuration and environment variable handling by updating process.env access patterns and publicEnv-style configuration exposure affecting the same config flow.
• Added Sentry to FE #1622 — Updates next.config with Sentry integration changes and environment variable access/typing modifications overlapping with this refactoring.

Suggested reviewers

• ragnep

Poem

🐰 A rabbit hops through configs bright,
Where types now dance and headers might,
Security locked, no strings left loose,
TypeScript guards are now on the goose! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Clean nextjs config file' is vague and generic, using a broad term ('Clean') that doesn't specify what improvements or changes were made to the configuration.	Use a more specific title that describes the actual changes, such as 'Add type annotations to Next.js config and extract security headers' or 'Refactor Next.js config with TypeScript types and security headers module'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

next.config.ts (1)

54-68: Type mismatch: publicEnv parameter typed as string but receives an object.

The publicEnv parameter is typed as string, but at line 189 it receives parsed.data which is an object (result of Zod schema parse). The function works at runtime because JSON.stringify(publicEnv) handles objects, but the type annotation is incorrect.

Suggested fix

-function persistBakedArtifacts(publicEnv: string, ASSETS_FROM_S3: boolean) {
+function persistBakedArtifacts(publicEnv: Record<string, unknown>, ASSETS_FROM_S3: boolean) {

🧹 Nitpick comments (2)

config/securityHeaders.ts (1)

1-46: Add explicit return type annotation for type safety.

The function lacks a return type annotation. Per coding guidelines for TypeScript, consider adding explicit typing.

Suggested improvement

-export function createSecurityHeaders(apiEndpoint = "") {
+export function createSecurityHeaders(apiEndpoint = ""): Array<{ key: string; value: string }> {

next.config.ts (1)

135-138: Consider stronger typing for webpack config.

The config: any type loses type safety. While Next.js webpack config typing can be complex, you could use Configuration from webpack if stricter typing is desired.

Optional: Import webpack Configuration type

import type { Configuration } from "webpack";
// ...
webpack: (
  config: Configuration,
  { dev, isServer }: { dev: boolean; isServer: boolean }
) => {

Note: This may require handling type narrowing for some config properties.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 50d61c6 and f0d3f07.

📒 Files selected for processing (2)

• config/securityHeaders.ts
• next.config.ts

🧰 Additional context used

📓 Path-based instructions (11)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{ts,tsx,js,jsx}: Do not include any comments in the code; it should be self-explanatory
Write correct, up-to-date, bug-free, fully componentized, secure, and efficient code
Include all required imports and ensure proper naming of key components
Use NextJS features that match the current version

**/*.{ts,tsx,js,jsx}: Remove unnecessary Effects. If the Effect's only job is to derive or sync internal state, calculate during render or use useMemo instead.
Use useEffectEvent for non-reactive logic inside Effects to read the latest props/state without turning them into dependencies or causing unnecessary re-runs.
Use explicit caching with "use cache" directive at the top of Server Components, routes, or functions. Configure cacheComponents: true in next.config.ts as needed.

**/*.{ts,tsx,js,jsx}: Remove unnecessary Effects; if the Effect only derives state, compute during render instead
Use useEffectEvent when listening to external events but needing the latest props/state without re-running the Effect
Move data fetching from client Effects to Server Components; mutations go through Server Actions ('use server')

Files:

• config/securityHeaders.ts
• next.config.ts

{.env*,*.env,**/config/**}

📄 CodeRabbit inference engine (.cursor/rules/dev_workflow.mdc)

Configure Task Master behavior via environment variables: ANTHROPIC_API_KEY (required), MODEL, MAX_TOKENS, TEMPERATURE, DEBUG, LOG_LEVEL, DEFAULT_SUBTASKS, DEFAULT_PRIORITY, PROJECT_NAME, PROJECT_VERSION, PERPLEXITY_API_KEY, and PERPLEXITY_MODEL

Files:

• config/securityHeaders.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (GEMINI.md)

Run npm run lint to ensure code satisfies ESLint (Next's Core Web Vitals + React Hooks). Code must pass linting before completing any task.

**/*.{js,ts,jsx,tsx}: Code must satisfy ESLint with Next's Core Web Vitals and React Hooks rules by running npm run lint
Do not add eslint-disable comments unless explicitly instructed; prefer refactors aligned with React 19.2, React Compiler, and Next.js 16 conventions

Files:

• config/securityHeaders.ts
• next.config.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (GEMINI.md)

Use TypeScript with React functional components and hooks. Follow existing code style and naming conventions.

Files:

• config/securityHeaders.ts
• next.config.ts

**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

Use TypeScript with React functional components and hooks

Files:

• config/securityHeaders.ts
• next.config.ts

**/*.{ts,js}

📄 CodeRabbit inference engine (AGENTS.md)

When parsing Seize URLs or similar, fail fast if base origin is unavailable instead of falling back to placeholder origins

Files:

• config/securityHeaders.ts
• next.config.ts

**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

Prefer direct named imports from React (useMemo, useRef, FC) over React. namespace usage

Files:

• config/securityHeaders.ts
• next.config.ts

next.config.{js,ts,mjs,mts}

📄 CodeRabbit inference engine (GEMINI.md)

next.config.{js,ts,mjs,mts}: With Next.js 16, next lint is removed. Use the ESLint CLI driven by eslint-config-next (flat config). Remove any eslint options from next.config.*.
Enable React Compiler in next.config.ts once CI is green by setting reactCompiler: true to auto-memoize components and reduce manual useMemo/useCallback usage.

Files:

• next.config.ts

{eslint.config.js,next.config.ts}

📄 CodeRabbit inference engine (AGENTS.md)

Use ESLint CLI driven by eslint-config-next (flat config) instead of next lint (removed in Next.js 16)

Files:

• next.config.ts

next.config.ts

📄 CodeRabbit inference engine (AGENTS.md)

Enable React Compiler in next.config.ts by setting reactCompiler: true when CI is green

Files:

• next.config.ts

next.config.{ts,js,mjs}

📄 CodeRabbit inference engine (AGENTS.md)

Remove any eslint options from next.config.* files in Next.js 16

Files:

• next.config.ts

🧠 Learnings (15)

📓 Common learnings

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to next.config.{ts,js,mjs} : Remove any `eslint` options from `next.config.*` files in Next.js 16

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Fix issues with modernization aligned to React 19.2, React Compiler, and Next.js 16 conventions. Do not add `// eslint-disable` comments unless explicitly instructed.

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: app/api/AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:44.885Z
Learning: Applies to app/api/**/*.{ts,tsx} : When needing custom headers or timeouts for external requests, pass them via the `@/lib/security/urlGuard` helper options rather than re-implementing your own wrapper.

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T08:35:58.729Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Use NextJS features that match the current version

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Use explicit caching with `"use cache"` directive at the top of Server Components, routes, or functions. Configure `cacheComponents: true` in `next.config.ts` as needed.

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to proxy.ts : Rename `middleware.ts` to `proxy.ts` for request boundary logic and export `proxy` function (Next.js 16+)

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to app/**/*.{ts,tsx} : Use `'use cache'` directive at the top of Server Components, routes, or functions to opt-in caching (Next.js 16+)

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T08:35:58.729Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Write correct, up-to-date, bug-free, fully componentized, secure, and efficient code

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T08:35:58.729Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Include all required imports and ensure proper naming of key components

📚 Learning: 2025-12-30T14:32:44.885Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: app/api/AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:44.885Z
Learning: Applies to app/api/**/*.{ts,tsx} : When needing custom headers or timeouts for external requests, pass them via the `@/lib/security/urlGuard` helper options rather than re-implementing your own wrapper.

Applied to files:

• config/securityHeaders.ts
• next.config.ts

📚 Learning: 2025-11-25T08:35:58.729Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T08:35:58.729Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Use NextJS features that match the current version

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to next.config.{ts,js,mjs} : Remove any `eslint` options from `next.config.*` files in Next.js 16

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to {eslint.config.js,next.config.ts} : Use ESLint CLI driven by `eslint-config-next` (flat config) instead of `next lint` (removed in Next.js 16)

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:31:53.006Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Applies to next.config.{js,ts,mjs,mts} : With Next.js 16, `next lint` is removed. Use the ESLint CLI driven by `eslint-config-next` (flat config). Remove any `eslint` options from `next.config.*`.

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:31:53.006Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Use explicit caching with `"use cache"` directive at the top of Server Components, routes, or functions. Configure `cacheComponents: true` in `next.config.ts` as needed.

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:31:53.006Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Fix issues with modernization aligned to React 19.2, React Compiler, and Next.js 16 conventions. Do not add `// eslint-disable` comments unless explicitly instructed.

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:31:53.006Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: GEMINI.md:0-0
Timestamp: 2025-12-30T14:31:53.006Z
Learning: Applies to next.config.{js,ts,mjs,mts} : Enable React Compiler in `next.config.ts` once CI is green by setting `reactCompiler: true` to auto-memoize components and reduce manual `useMemo`/`useCallback` usage.

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to proxy.ts : Rename `middleware.ts` to `proxy.ts` for request boundary logic and export `proxy` function (Next.js 16+)

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to next.config.ts : Enable React Compiler in `next.config.ts` by setting `reactCompiler: true` when CI is green

Applied to files:

• next.config.ts

📚 Learning: 2025-11-25T08:35:58.729Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: .cursorrules:0-0
Timestamp: 2025-11-25T08:35:58.729Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Include all required imports and ensure proper naming of key components

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to sentry.server.config.ts : For server-side Sentry silencing, configure filters in `sentry.server.config.ts`

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to sentry.edge.config.ts : For edge runtime Sentry silencing, configure filters in `sentry.edge.config.ts`

Applied to files:

• next.config.ts

📚 Learning: 2025-12-30T14:32:19.360Z

Learnt from: CR
Repo: 6529-Collections/6529seize-frontend PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T14:32:19.360Z
Learning: Applies to instrumentation-client.ts : For client-side Sentry silencing, filter errors in the `beforeSend` callback in `instrumentation-client.ts` using `noisyPatterns`, `referenceErrors`, and `filenameExceptions` arrays

Applied to files:

• next.config.ts

🧬 Code graph analysis (1)

next.config.ts (3)

config/env.ts (1)

• publicEnv (7-7)

config/securityHeaders.ts (1)

• createSecurityHeaders (1-46)

config/env.schema.ts (1)

• publicEnvSchema (10-127)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (4)

config/securityHeaders.ts (1)

9-9: Verify: CSP connect-src * weakens protection.

The connect-src * 'self' directive contains a wildcard that allows connections to any origin, which largely defeats CSP's network restriction purpose. This appears to be existing behavior extracted from the previous config. If intentional due to wallet/IPFS requirements, consider documenting why the wildcard is necessary. Otherwise, consider tightening to explicit allowed origins.

next.config.ts (3)

1-14: LGTM on imports and module setup.

The extraction of security headers to a dedicated module improves maintainability. The explicit NextConfig type import and path alias usage (@/config/securityHeaders) follow best practices.

---

90-162: LGTM on sharedConfig with proper typing.

The NextConfig return type annotation and typed parameters improve type safety. The reactCompiler: true setting aligns with coding guidelines for Next.js 16. Based on learnings, this enables auto-memoization to reduce manual useMemo/useCallback usage.

---

258-295: LGTM on Sentry configuration and export.

The bracket notation for process.env["CI"] is consistent with the codebase style. The typed default export (phase: string): NextConfig properly annotates the config factory. No eslint options are present, which aligns with Next.js 16 guidelines per learnings.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud