Session 7d: Audit fixes - rate limiting, error leak, parallel parlays, analyze cache, bundle analyzer

web/next.config.ts

@@ -1,6 +1,9 @@
 import type { NextConfig } from 'next';
 import path from 'path';
 import withSerwistInit from '@serwist/next';
+// PERF-3 (Session 7d): bundle analyzer wired but inert unless ANALYZE=true.
+// Run with: cd web && ANALYZE=true npm run build
+import withBundleAnalyzer from '@next/bundle-analyzer';
 
 // Content-Security-Policy: scoped to what the app actually loads.
 // - 'unsafe-eval' / 'unsafe-inline' on script-src: Next.js dev runtime and
@@ -70,4 +73,12 @@ const withSerwist = withSerwistInit({
   disable: process.env.NODE_ENV === 'development',
 });
 
-export default withSerwist(nextConfig);
+// Compose: Serwist wraps first, then bundle-analyzer wraps the result.
+// Analyzer only emits the HTML report when ANALYZE=true; otherwise it's
+// a no-op pass-through.
+const bundleAnalyzer = withBundleAnalyzer({
+  enabled: process.env.ANALYZE === 'true',
+  openAnalyzer: false,
+});
+
+export default bundleAnalyzer(withSerwist(nextConfig));