import type { Metadata } from "next";
import { Plus_Jakarta_Sans, Spline_Sans_Mono } from "next/font/google";
import { BrandNav } from "@/components/brand-nav";
import { FrameworkProvider } from "@/components/framework-provider";
import { getIntegrations } from "@/lib/registry";
import { getRuntimeConfig } from "@/lib/runtime-config";
import "./globals.css";
/**
* Serialize the runtime config for inline injection. We must
* JSON.stringify-then-escape because the value lands inside a
* `` tag, where three substrings would otherwise
* break out of (or corrupt) the parser:
*
* - `<` — guards against the `` breakout (XSS).
* `JSON.stringify` does NOT escape `<` by default, so a URL
* containing `` (e.g. a hostile env value) would
* terminate the inline script and inject HTML. Escape every
* `<` to `<` so the substring `` can never appear.
* - `
` (LINE SEPARATOR) and `
` (PARAGRAPH SEPARATOR) —
* legal inside JSON strings, but a syntax error inside a JS
* string literal in older engines / when the page is parsed as
* `text/javascript`. Escape both.
*
* IMPORTANT: the regex sources below use explicit `
` / `
`
* ECMAScript-Unicode escapes — the regex engine resolves the escape at
* compile time, so `/
/` matches the actual U+2028 codepoint.
* Using a literal U+2028 / U+2029 character in the regex source would
* break the parser (those codepoints terminate a regex literal in
* pre-ES2019 engines, and are visually invisible — easy to ship
* accidentally). Reviewers MUST confirm these regexes are written with
* `
` / `
` escapes literally.
*
* Canonical OWASP-recommended escape for inline JSON in HTML.
*/
function serializeRuntimeConfig(cfg: unknown): string {
return JSON.stringify(cfg)
.replace(/ i.slug);
// Server-side: read live env at request time. `unstable_noStore()`
// inside getRuntimeConfig opts this segment out of the static cache
// so the inline