import { createAuthMiddleware } from "@gsc/web-kit/auth/middleware";

// Default: require auth for all routes. gscMy is the user-facing
// portal; only public surfaces are the auth entry point + the two
// branded standalone pages.
export default createAuthMiddleware({
  signInPath: "/auth/keycloak",
  publicRoutes: [
    "/api/health",
    "/access-denied",
    "/auth/keycloak",
    "/signed-out",
    // PAM approval link — token in URL is the auth. Matcher below
    // also excludes it so the kit's redirect logic doesn't fire.
    "/api/pam/approve",
  ],
});

export const config = {
  matcher: [
    "/((?!_next/static|_next/image|favicon.ico|robots.txt|api/health|access-denied|auth/keycloak|signed-out|api/pam/approve).+)",
  ],
};