Sessions 5-7a: 955 tests, deployment ready

web/next.config.ts

@@ -1,7 +1,73 @@
 import type { NextConfig } from 'next';
+import path from 'path';
+import withSerwistInit from '@serwist/next';
+
+// Content-Security-Policy: scoped to what the app actually loads.
+// - 'unsafe-eval' / 'unsafe-inline' on script-src: Next.js dev runtime and
+//   the inline bootstrap script require these. They can be tightened later
+//   with a nonce-based approach if needed.
+// - js.stripe.com: Stripe.js (loaded on checkout)
+// - PostHog assets/connect: web/src/components/PostHogProvider.tsx
+// - Google Fonts: layout.tsx <link> tags
+// - Supabase wss: AuthContext realtime + push subscriptions
+const CSP = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://js.stripe.com https://us-assets.i.posthog.com",
+  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+  "font-src 'self' https://fonts.gstatic.com",
+  "img-src 'self' data: blob: https://*.supabase.co https://cdn.nba.com https://a.espncdn.com",
+  "connect-src 'self' https://*.supabase.co wss://*.supabase.co https://api.stripe.com https://us.i.posthog.com https://us-assets.i.posthog.com",
+  "frame-src https://js.stripe.com https://hooks.stripe.com",
+  "worker-src 'self' blob:",
+  "manifest-src 'self'",
+  "object-src 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+].join('; ');
 
 const nextConfig: NextConfig = {
   output: 'standalone',
+  turbopack: {
+    root: path.join(__dirname),
+  },
+  images: {
+    remotePatterns: [],
+  },
+  poweredByHeader: false,
+  reactStrictMode: true,
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          { key: 'Content-Security-Policy', value: CSP },
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+          { key: 'X-DNS-Prefetch-Control', value: 'on' },
+          { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
+        ],
+      },
+      // The service worker must be served with no-cache or browsers will pin
+      // an outdated SW for days. Override the global Cache-Control here.
+      {
+        source: '/sw.js',
+        headers: [
+          { key: 'Cache-Control', value: 'no-cache, no-store, must-revalidate' },
+          { key: 'Service-Worker-Allowed', value: '/' },
+        ],
+      },
+    ];
+  },
 };
 
-export default nextConfig;
+const withSerwist = withSerwistInit({
+  swSrc: 'src/sw.ts',
+  swDest: 'public/sw.js',
+  // Serwist only ships in production builds — dev requests bypass the SW so
+  // hot-reload and source maps work normally.
+  disable: process.env.NODE_ENV === 'development',
+});
+
+export default withSerwist(nextConfig);