import { NextRequest, NextResponse } from "next/server";

/**
 * Path-based allowlist for the `/api/*` namespace.
 *
 * Requests outside `/api/` are passed through untouched. Inside `/api/`, only
 * `/api/events`, `/api/health` and anything under `/api/qr/` reach a handler;
 * every other API path is answered with a plain 404.
 *
 * Mutations happen via Server Actions which post to page URLs, not `/api/*`.
 *
 * Security notes:
 * - Only the pathname is inspected. The HTTP method is not checked here, so
 *   the "read-only" property of the allowlisted endpoints depends on the
 *   handlers themselves rejecting non-read methods.
 * - NOTE(review): this is a routing-layer filter, not an authorization check.
 *   Allowlisted handlers and Server Actions presumably enforce their own
 *   access control; confirm, so this middleware is not the only barrier.
 *
 * @param req - Incoming request; only `req.nextUrl.pathname` is read.
 * @returns A 404 response for blocked API paths, otherwise `NextResponse.next()`.
 */
export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl;

  // Non-API traffic is not filtered by this middleware.
  if (!pathname.startsWith("/api/")) {
    return NextResponse.next();
  }

  // The two exact matches fail closed: "/api/events/" or "/api/health/x" are
  // not on the list. The "/api/qr/" entry is a prefix match, so every route
  // added below that prefix becomes reachable without touching this file.
  // All comparisons are case-sensitive.
  const isAllowlisted =
    pathname === "/api/events" ||
    pathname === "/api/health" ||
    pathname.startsWith("/api/qr/");

  if (isAllowlisted) {
    return NextResponse.next();
  }

  // 404 instead of 401/403, so a blocked route looks the same as a missing one.
  return new NextResponse("Not Found", { status: 404 });
}

export const config = {
  // The negative lookahead keeps paths that begin with _next/static,
  // _next/image, favicon.ico or icon- out of the middleware entirely. None of
  // those prefixes overlap /api/, so every API request still passes the check
  // above. The lookahead is a bare prefix test (no trailing boundary), so any
  // path starting with "/icon-" skips the middleware as well.
  matcher: ["/((?!_next/static|_next/image|favicon.ico|icon-).*)"],
};