feat: initial project setup - Next.js 16, Payload CMS v3, palette Mapuche

Next.js 16 App Router + TypeScript + Tailwind CSS v4. Payload CMS v3 with PostgreSQL adapter. Mapuche Corporate palette. Public pages, Docker Compose + Caddy, security middleware.

Co-authored-by: Cursor <cursoragent@cursor.com>

1 files changed, 40 insertions, 0 deletions

diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..74f5aed
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,40 @@
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+
+export function middleware(request: NextRequest) {
+  const response = NextResponse.next();
+  const { pathname } = request.nextUrl;
+
+  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+
+  const cspDirectives = [
+    "default-src 'self'",
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    `style-src 'self' 'unsafe-inline'`,
+    "img-src 'self' data: blob:",
+    "font-src 'self'",
+    `connect-src 'self' ${process.env.KEYCLOAK_ISSUER || ""}`,
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "upgrade-insecure-requests",
+  ];
+
+  if (pathname.startsWith("/admin")) {
+    return response;
+  }
+
+  response.headers.set(
+    "Content-Security-Policy",
+    cspDirectives.join("; ")
+  );
+  response.headers.set("X-Nonce", nonce);
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+  ],
+};