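// apps/web-tanstack/app.config.ts
// TanStack Start / Nitro server configuration.
// Registers the core-shared security headers middleware so every response
// emits the six security headers and a per-request CSP nonce.
//
// Wire-up pattern (Nitro/H3 server hook):
//   withSecurityHeaders() generates nonce + builds six headers.
//   setHeader calls forward them to the response.
//   req.headers["x-nonce"] is set so downstream loaders can call
//   getNonce(event.node.req) from @repo/core-shared/security/tanstack.
//
// Note: @tanstack/start (and its defineConfig) is wired in a later story.
// Uncomment the export default block once @tanstack/start is added.
// Until that block is active this file only exports applySecurityHeaders;
// nothing here registers it, so no headers are emitted from this file alone.

import { withSecurityHeaders } from "@repo/core-shared/security/tanstack";

/**
 * Minimal structural view of an H3 event: only the two fields this hook
 * touches (the request header map and the response's setHeader).
 */
interface H3SecurityEvent {
  node: {
    // Header values are typed like Node's incoming header map so the
    // "x-nonce" assignment and the delete below both type-check under strict.
    req: { headers: Record<string, string | string[] | undefined> };
    res: { setHeader: (name: string, value: string) => void };
  };
}

/**
 * Nitro/H3 server hook: emits six security headers on every response and
 * forwards the per-request nonce in req.headers["x-nonce"] for downstream
 * access via getNonce() from @repo/core-shared/security/tanstack.
 *
 * The nonce is written onto the in-process request object only; this
 * function does not add an "x-nonce" response header.
 *
 * @param event - H3 event whose response receives the headers and whose
 *   request header map receives the nonce.
 */
export function applySecurityHeaders(event: H3SecurityEvent): void {
  const { req, res } = event.node;

  // "x-nonce" shares a map with client-sent headers. Clear any inbound value
  // before doing anything else, so a caller-supplied nonce can never be what
  // downstream code reads if withSecurityHeaders() throws.
  delete req.headers["x-nonce"];

  // One call per request: the nonce and the headers come from the same result.
  // NOTE(review): presumably the CSP header embeds this same nonce; confirm
  // in withSecurityHeaders().
  const { nonce, headers } = withSecurityHeaders();

  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }

  // Server-generated value always wins over anything the client sent.
  req.headers["x-nonce"] = nonce;
}

// Registration via TanStack Start (add @tanstack/start, then uncomment):
// import { defineConfig } from "@tanstack/start/config";
// export default defineConfig({
//   server: { hooks: { request: applySecurityHeaders } },
// });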