chore(nitro): add Nitro config with security headers and CI build

[kegren]

Add nitro.config.ts configured for the Bun preset and compress public
assets. Apply global routeRules that set security and privacy headers:
X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
Strict-Transport-Security, Permissions-Policy, and a restrictive
Content-Security-Policy allowing only necessary Cloudflare Turnstile
endpoints. These headers harden MIME sniffing, clickjacking, referrer
leakage, mixed-content, and hardware access.

Update CI workflow to run a final Build step (bun run build) after tests
to verify the project can be built before deployment.

[greptile-apps]

Greptile Summary

This PR adds a Nitro configuration file with comprehensive security headers and updates the CI pipeline to include a build step.

Key Changes:

• Added nitro.config.ts with security headers (HSTS, CSP, X-Frame-Options, etc.) and Cloudflare Turnstile integration
• Updated CI workflow to run bun run build as final verification step before deployment
• Configured asset compression for better performance

Minor Improvements Suggested:

• Consider removing duplicate Bun preset configuration (already set in vite.config.ts)
• CSP uses 'unsafe-inline' for scripts/styles which weakens security protections

Confidence Score: 4/5

• This PR is safe to merge with very low risk
• Score reflects solid security improvements and CI enhancements. Minor deductions for duplicate preset config and 'unsafe-inline' CSP directives, but these don't block deployment.
• No files require special attention - changes are straightforward configuration additions

Important Files Changed

Filename	Overview
nitro.config.ts	Added Nitro config with security headers and Bun preset; CSP includes 'unsafe-inline' which weakens security
.github/workflows/ci.yml	Added build step to CI pipeline for deployment verification

Sequence Diagram

sequenceDiagram
    participant Developer
    participant GitHub
    participant CI
    participant Nitro
    participant Browser

    Developer->>GitHub: Push commit to PR
    GitHub->>CI: Trigger workflow
    CI->>CI: Lint code
    CI->>CI: Type check
    CI->>CI: Run tests
    CI->>CI: Build project (NEW)
    Note over CI: Validates deployment readiness
    CI-->>GitHub: Report status
    
    Note over Nitro: Runtime behavior (after deployment)
    Browser->>Nitro: HTTP Request
    Nitro->>Nitro: Apply security headers
    Note over Nitro: X-Content-Type-Options: nosniff<br/>X-Frame-Options: DENY<br/>Referrer-Policy<br/>HSTS<br/>Permissions-Policy<br/>CSP
    Nitro->>Browser: Response + Headers
    Note over Browser: Headers enforce security policies

Loading

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

style: 'unsafe-inline' for script-src and style-src weakens CSP by allowing inline scripts/styles. Consider using nonces or hashes instead for better security.

Prompt To Fix With AI

This is a comment left during a code review.
Path: nitro.config.ts
Line: 36:40

Comment:
**style:** `'unsafe-inline'` for `script-src` and `style-src` weakens CSP by allowing inline scripts/styles. Consider using nonces or hashes instead for better security.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

style: The Bun preset is already configured in vite.config.ts:16 via the Nitro Vite plugin. Consider removing this duplicate configuration to avoid conflicts.

Prompt To Fix With AI

This is a comment left during a code review.
Path: nitro.config.ts
Line: 4:4

Comment:
**style:** The Bun preset is already configured in `vite.config.ts:16` via the Nitro Vite plugin. Consider removing this duplicate configuration to avoid conflicts.

How can I resolve this? If you propose a fix, please make it concise.