Update version badge from 2.3.4 to 2.3.5

Revise versioning and commit message guidelines
Updated versioning instructions to include README.md updates and clarified commit message guidelines.
2026-05-09 02:51:46 +00:00 · 2026-04-07 10:53:10 -03:00 · 2026-04-07 10:52:39 -03:00 · 2026-04-07 13:49:23 +00:00 · 2026-04-05 20:33:55 -03:00
6 changed files with 45 additions and 18 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ e este projeto adere ao [Versionamento Semântico](https://semver.org/lang/pt-BR

 ## [Unreleased]

+## [2.3.5] - 2026-04-07
+
+### Corrigido
+
+- CSP: movido `Content-Security-Policy` do `next.config.ts` (build time) para `proxy.ts` (runtime), corrigindo bloqueio de upload de anexos quando `S3_ENDPOINT` não estava disponível durante o build do Docker
+
 ## [2.3.4] - 2026-04-05

 ### Corrigido
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -16,9 +16,10 @@
 3. **Periods** usam formato `YYYY-MM` (ex: `"2025-11"`). Utils em `src/shared/utils/period/`.
 4. **Moeda**: R$ com 2 decimais. DB: `numeric(12, 2)`. Utils em `src/shared/utils/currency.ts`.
 5. **Revalidation**: usar `revalidateForEntity("entity")` de `src/shared/lib/actions/helpers.ts` apos mutations.
-6. **Versionamento**: registrar mudancas no `CHANGELOG.md` seguindo Keep a Changelog, também altere o `package.json`.
+6. **Versionamento**: registrar mudancas no `CHANGELOG.md` seguindo Keep a Changelog, também altere o `package.json` e `readme.md`.
 7. **Comunicacao**: responder em portugues clara e direta com o time.
 8. **Commit messages**: agrupar por natureza. em pt-br. seguindo o padrao do sistema.
+9. **README.md**: sempre que fizer alteracoes significativas, atualize o README.md.

 ---

--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@

 > **⚠️ Não há versão online hospedada.** Você precisa clonar o repositório e rodar localmente ou no seu próprio servidor.

-[![Version](https://img.shields.io/badge/version-2.1.2-blue?style=flat-square)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-2.3.5-blue?style=flat-square)](CHANGELOG.md)
 [![Next.js](https://img.shields.io/badge/Next.js-black?style=flat-square&logo=next.js)](https://nextjs.org/)
 [![TypeScript](https://img.shields.io/badge/TypeScript-blue?style=flat-square&logo=typescript)](https://www.typescriptlang.org/)
 [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-blue?style=flat-square&logo=postgresql)](https://www.postgresql.org/)
--- a/next.config.ts
+++ b/next.config.ts
@@ -4,8 +4,6 @@ import type { NextConfig } from "next";
 // Carregar variáveis de ambiente explicitamente
 dotenv.config();

-const isDev = process.env.NODE_ENV === "development";
-
 const nextConfig: NextConfig = {
 	output: "standalone",
 	cacheComponents: true,
@@ -44,18 +42,6 @@ const nextConfig: NextConfig = {
 						key: "X-Frame-Options",
 						value: "DENY",
 					},
-					{
-						key: "Content-Security-Policy",
-						value: [
-							"default-src 'self'",
-							`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""} https://umami.felipecoutinho.com`,
-							"style-src 'self' 'unsafe-inline'",
-							"img-src 'self' https://lh3.googleusercontent.com data: blob:",
-							"font-src 'self'",
-							`connect-src 'self' https://umami.felipecoutinho.com ${process.env.S3_ENDPOINT ? new URL(process.env.S3_ENDPOINT).origin : ""}`.trim(),
-							"frame-ancestors 'none'",
-						].join("; "),
-					},
 					{
 						key: "Referrer-Policy",
 						value: "strict-origin-when-cross-origin",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "openmonetis",
-	"version": "2.3.4",
+	"version": "2.3.5",
 	"private": true,
 	"packageManager": "pnpm@10.33.0",
 	"scripts": {
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -21,6 +21,38 @@ const PROTECTED_ROUTES = [
 // Rotas públicas (não requerem autenticação)
 const PUBLIC_AUTH_ROUTES = ["/login", "/signup"];

+function buildCsp(): string {
+	const isDev = process.env.NODE_ENV === "development";
+
+	const s3Origin = (() => {
+		try {
+			return process.env.S3_ENDPOINT
+				? new URL(process.env.S3_ENDPOINT).origin
+				: "";
+		} catch {
+			return "";
+		}
+	})();
+
+	const connectExtras = ["https://umami.felipecoutinho.com", s3Origin]
+		.filter(Boolean)
+		.join(" ");
+
+	const imgExtras = ["https://lh3.googleusercontent.com", s3Origin]
+		.filter(Boolean)
+		.join(" ");
+
+	return [
+		"default-src 'self'",
+		`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""} https://umami.felipecoutinho.com`,
+		"style-src 'self' 'unsafe-inline'",
+		`img-src 'self' ${imgExtras} data: blob:`,
+		"font-src 'self'",
+		`connect-src 'self' ${connectExtras}`,
+		"frame-ancestors 'none'",
+	].join("; ");
+}
+
 export default async function proxy(request: NextRequest) {
 	const { pathname } = request.nextUrl;

@@ -63,7 +95,9 @@ export default async function proxy(request: NextRequest) {
 		return NextResponse.redirect(new URL("/login", request.url));
 	}

-	return NextResponse.next();
+	const response = NextResponse.next();
+	response.headers.set("Content-Security-Policy", buildCsp());
+	return response;
 }

 export const config = {
Author	SHA1	Message	Date
Felipe Coutinho	98fe6a0f4f	Update version badge from 2.3.4 to 2.3.5	2026-04-07 10:53:10 -03:00
Felipe Coutinho	d10eae13e5	Revise versioning and commit message guidelines Updated versioning instructions to include README.md updates and clarified commit message guidelines.	2026-04-07 10:52:39 -03:00
Felipe Coutinho	43697b4fd2	fix(csp): mover CSP para proxy.ts para leitura em runtime Content-Security-Policy estava em next.config.ts (build time), então S3_ENDPOINT nunca era incluído no connect-src ao buildar via Docker no CI. Movido para proxy.ts que avalia em runtime. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-07 13:49:23 +00:00
Felipe Coutinho	27e3ba5f0d	Update version badge from 2.1.2 to 2.3.4	2026-04-05 20:33:55 -03:00