Motivation

• Ensure Vercel builds do not fail due to parser-fragile configuration files and to make the web frontend deployable without production secrets present.
• Provide a complete, secure Next.js web console scaffold (UI, API proxying, auth hooks, and rate limiting) for the ARIV control plane.
• Defer runtime-only enforcement of backend and OAuth secrets so build-time page collection and CI do not crash.

Description

• Rewrote web/next.config.js into an explicit CommonJS shape, extracted securityHeaders, and implemented a standard async headers() to avoid the SyntaxError: Unexpected token ';' seen in CI.
• Added a build-safe environment layer in web/lib/env.ts that parses envs with zod, makes auth and ARIV variables optional at import time, and exposes requireArivApiBaseUrl() to enforce the backend URL at request time.
• Implemented NextAuth initialization in web/auth.ts that conditionally registers GitHub/Google providers and injects a disabled Credentials fallback when no providers are configured so auth can initialize during builds.
• Added API route proxies (/api/command, /api/config, /api/logs) that forward requests to the ARIV backend via web/lib/ariv.ts, plus request validation/sanitization in web/lib/security.ts, an in-memory rate limiter in web/lib/rate-limit.ts, middleware for auth + rate limiting in web/middleware.ts, Type definitions, UI components, pages, styles, and project config files (package.json, tsconfig.json, tailwind.config.ts, etc.).

Testing

• Ran node -c web/next.config.js to validate JavaScript syntax of the rewritten config and it passed.
• Attempted to run cd web && npm install to perform a full next build, but npm install failed due to an external registry policy error (403 Forbidden for @hookform/resolvers), preventing a local next build run.
• Verified the fix by committing the updated file and confirming node -c validation; full build verification remains blocked by the external npm registry error.

Codex Task