fix(website-v2): address review - CSP headers, typed props, error boundary, skeletons

- Add Content-Security-Policy, X-Frame-Options, X-Content-Type-Options,
  and Referrer-Policy headers in next.config.ts
- Replace all `any` types in playground components with proper interfaces
  (AstTab, FormatTab, LintTab, AnalyzeTab, Playground)
- Add WasmErrorBoundary React error boundary for graceful WASM failures
- Add Skeleton and DocsSkeleton loading UI components
- Add loading.tsx for docs and blog routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

website/next.config.ts

@@ -1,6 +1,31 @@
 import type { NextConfig } from 'next';
 
 const nextConfig: NextConfig = {
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https://img.shields.io https://goreportcard.com https://*.shields.io data:; connect-src 'self'; worker-src 'self' blob:",
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin',
+          },
+        ],
+      },
+    ];
+  },
   async redirects() {
     return [
       { source: '/docs/getting_started', destination: '/docs/getting-started', permanent: true },

website/src/app/blog/loading.tsx

@@ -0,0 +1,12 @@
+import { Skeleton } from '@/components/ui/Skeleton';
+export default function Loading() {
+  return (
+    <div className="max-w-4xl mx-auto px-6 py-20 space-y-6">
+      <Skeleton className="h-10 w-64" />
+      <Skeleton className="h-5 w-96" />
+      <div className="space-y-4 pt-8">
+        {[1,2,3,4,5].map(i => <Skeleton key={i} className="h-20 w-full" />)}
+      </div>
+    </div>
+  );
+}

website/src/app/docs/loading.tsx

@@ -0,0 +1,2 @@
+import { DocsSkeleton } from '@/components/ui/Skeleton';
+export default function Loading() { return <DocsSkeleton />; }

website/src/app/playground/PlaygroundLoader.tsx

@@ -1,11 +1,16 @@
 'use client';
 import dynamic from 'next/dynamic';
+import { WasmErrorBoundary } from '@/components/playground/WasmErrorBoundary';
 
 const Playground = dynamic(
   () => import('@/components/playground/Playground'),
   { ssr: false }
 );
 
 export default function PlaygroundLoader() {
-  return <Playground />;
+  return (
+    <WasmErrorBoundary>
+      <Playground />
+    </WasmErrorBoundary>
+  );
 }

website/src/components/playground/AnalyzeTab.tsx

@@ -1,7 +1,42 @@
 'use client';
 
+interface SecurityAnalysis {
+  critical?: number;
+  high?: number;
+  medium?: number;
+  low?: number;
+}
+
+interface OptimizationResult {
+  score?: number;
+}
+
+interface ComplexityResult {
+  level?: string;
+  rating?: string;
+}
+
+interface Suggestion {
+  message?: string;
+  description?: string;
+  text?: string;
+}
+
+export interface AnalysisData {
+  error?: string;
+  security?: SecurityAnalysis;
+  security_analysis?: SecurityAnalysis;
+  optimization?: number | OptimizationResult;
+  optimization_score?: number;
+  performance?: OptimizationResult;
+  query_complexity?: string | ComplexityResult;
+  complexity?: string | ComplexityResult;
+  suggestions?: (string | Suggestion)[];
+  recommendations?: (string | Suggestion)[];
+}
+
 interface AnalyzeTabProps {
-  data: any;
+  data: AnalysisData | null;
 }
 
 function scoreColor(score: number): string {
@@ -117,7 +152,7 @@ export default function AnalyzeTab({ data }: AnalyzeTabProps) {
         <div>
           <h3 className="text-sm font-medium text-slate-300 mb-3">Suggestions</h3>
           <div className="space-y-2">
-            {allSuggestions.map((s: any, i: number) => {
+            {allSuggestions.map((s: string | Suggestion, i: number) => {
               const text = typeof s === "string" ? s : s.message || s.description || s.text || JSON.stringify(s);
               return (
                 <div

website/src/components/playground/AstTab.tsx

@@ -138,7 +138,7 @@ function AstNode({ data, depth = 0, label }: AstNodeProps) {
 }
 
 interface AstTabProps {
-  data: any;
+  data: (Record<string, unknown> & { error?: string }) | null;
 }
 
 export default function AstTab({ data }: AstTabProps) {

website/src/components/playground/FormatTab.tsx

@@ -2,7 +2,7 @@
 import SqlEditor from "./SqlEditor";
 
 interface FormatTabProps {
-  data: any;
+  data: string | { result?: string; formatted?: string; error?: string } | null;
 }
 
 export default function FormatTab({ data }: FormatTabProps) {
@@ -14,7 +14,7 @@ export default function FormatTab({ data }: FormatTabProps) {
     );
   }
 
-  if (data.error) {
+  if (typeof data !== "string" && data.error) {
     return (
       <div className="p-4">
         <div className="bg-red-500/10 border border-red-500/30 rounded-lg p-4">

website/src/components/playground/LintTab.tsx

@@ -1,7 +1,24 @@
 'use client';
 
+export interface LintViolation {
+  severity?: string;
+  level?: string;
+  rule?: string;
+  code?: string;
+  rule_code?: string;
+  line?: number;
+  column?: number;
+  location?: { line: number; column: number };
+  message?: string;
+  description?: string;
+  msg?: string;
+  suggestion?: string;
+  fix?: string;
+  hint?: string;
+}
+
 interface LintTabProps {
-  data: any;
+  data: { error?: string; violations?: LintViolation[]; results?: LintViolation[] } | LintViolation[] | null;
 }
 
 function SeverityBadge({ severity }: { severity: string }) {
@@ -29,7 +46,7 @@ export default function LintTab({ data }: LintTabProps) {
     );
   }
 
-  if (data.error) {
+  if (!Array.isArray(data) && data.error) {
     return (
       <div className="p-4">
         <div className="bg-red-500/10 border border-red-500/30 rounded-lg p-4">
@@ -72,7 +89,7 @@ export default function LintTab({ data }: LintTabProps) {
       <div className="text-sm text-slate-400 mb-2">
         {violations.length} violation{violations.length !== 1 ? "s" : ""} found
       </div>
-      {violations.map((v: any, i: number) => (
+      {violations.map((v: LintViolation, i: number) => (
         <div
           key={i}
           className="bg-slate-800/50 border border-slate-700 rounded-lg p-3 space-y-2"

website/src/components/playground/Playground.tsx

@@ -5,7 +5,8 @@ import { useWasm } from "./WasmLoader";
 import SqlEditor from "./SqlEditor";
 import AstTab from "./AstTab";
 import FormatTab from "./FormatTab";
-import LintTab from "./LintTab";
+import LintTab, { type LintViolation } from "./LintTab";
+import type { AnalysisData } from "./AnalyzeTab";
 const AnalyzeTab = React.lazy(() => import("./AnalyzeTab"));
 
 const DEFAULT_SQL = `SELECT u.id, u.name, COUNT(o.id) AS order_count
@@ -36,10 +37,10 @@ const TABS: { id: TabId; label: string }[] = [
 ];
 
 interface Results {
-  ast: any;
-  format: any;
-  lint: any;
-  analyze: any;
+  ast: (Record<string, unknown> & { error?: string }) | null;
+  format: string | { result?: string; formatted?: string; error?: string } | null;
+  lint: { error?: string; violations?: LintViolation[]; results?: LintViolation[] } | LintViolation[] | null;
+  analyze: AnalysisData | null;
 }
 
 export default function Playground() {
@@ -67,18 +68,19 @@ export default function Playground() {
       const safeCall = (fn: () => unknown) => {
         try {
           return fn();
-        } catch (e: any) {
-          return { error: e.message || String(e) };
+        } catch (e: unknown) {
+          const message = e instanceof Error ? e.message : String(e);
+          return { error: message };
         }
       };
 
       Promise.resolve().then(() => {
         if (runId !== runIdRef.current) return;
 
-        const astResult = safeCall(() => api.parse(query, dial));
-        const formatResult = safeCall(() => api.format(query, dial));
-        const lintResult = safeCall(() => api.lint(query, dial));
-        const analyzeResult = safeCall(() => api.analyze(query, dial));
+        const astResult = safeCall(() => api.parse(query, dial)) as Results['ast'];
+        const formatResult = safeCall(() => api.format(query, dial)) as Results['format'];
+        const lintResult = safeCall(() => api.lint(query, dial)) as Results['lint'];
+        const analyzeResult = safeCall(() => api.analyze(query, dial)) as Results['analyze'];
 
         if (runId === runIdRef.current) {
           setResults({

website/src/components/playground/WasmErrorBoundary.tsx

@@ -0,0 +1,38 @@
+'use client';
+import { Component, ReactNode } from 'react';
+
+interface Props { children: ReactNode; }
+interface State { hasError: boolean; error: Error | null; }
+
+export class WasmErrorBoundary extends Component<Props, State> {
+  state: State = { hasError: false, error: null };
+
+  static getDerivedStateFromError(error: Error): State {
+    return { hasError: true, error };
+  }
+
+  render() {
+    if (this.state.hasError) {
+      return (
+        <div className="flex items-center justify-center h-full bg-primary">
+          <div className="text-center space-y-4 max-w-md">
+            <div className="w-12 h-12 rounded-full bg-red-500/20 flex items-center justify-center mx-auto">
+              <svg className="w-6 h-6 text-red-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+            </div>
+            <p className="text-red-400 font-medium">Something went wrong</p>
+            <p className="text-zinc-500 text-sm">{this.state.error?.message}</p>
+            <button
+              onClick={() => this.setState({ hasError: false, error: null })}
+              className="px-4 py-2 bg-white/[0.06] border border-white/[0.1] rounded-lg text-sm text-zinc-300 hover:bg-white/[0.1] transition-colors"
+            >
+              Try Again
+            </button>
+          </div>
+        </div>
+      );
+    }
+    return this.props.children;
+  }
+}