Phase 4 + 6

inventory-server/deploy/Caddyfile.proposed

@@ -1,87 +0,0 @@
-# Phase 6.1 + 6.6 + 6.7: tools.acherryontop.com final form
-#
-# Apply on the server with:
-#   curl -X POST http://localhost:2020/load \
-#     -H 'Content-Type: text/caddyfile' \
-#     --data-binary @/home/matt/Caddyfile.new
-#   sudo cp /home/matt/Caddyfile.new /etc/caddy/Caddyfile
-#   sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak.$(date +%F)
-#
-# Differences from current /etc/caddy/Caddyfile:
-#   1. forward_auth gate added in front of /api/* and /chat-api/* (Phase 6.1).
-#   2. /uploads/* moved behind the forward_auth gate (Phase 6.7 — was public).
-#   3. LAN wildcards / Access-Control-Allow-Origin "*" defaults dropped from /api/* (Phase 6.6).
-#   4. Removed dead /api/{aircall,gorgias,clarity}/* routes (Phase 1 — already cleaned up here).
-#
-# Phase 4 (dashboard-server merge) is NOT yet reflected — klaviyo/meta/google/typeform
-# still route to their per-vendor PM2 apps in the live Caddyfile. Update those handle
-# blocks to localhost:3015 when dashboard-server ships.
-
-tools.acherryontop.com {
-    import security_headers
-
-    # Public: login endpoint
-    handle /auth-inv/* {
-        uri strip_prefix /auth-inv
-        reverse_proxy localhost:3011
-    }
-
-    # Public: static frontend assets (long-cache)
-    @static path *.js *.css *.png *.jpg *.jpeg *.gif *.ico *.svg *.woff *.woff2
-    handle @static {
-        header Cache-Control "public, max-age=2592000"
-        root * /var/www/inventory/frontend/build
-        file_server
-    }
-
-    # ----- Authenticated zone -----
-    # Phase 6.1: forward_auth subrequest to auth-server:/verify. 2xx → proceeds.
-    # 401/403 → Caddy returns auth-server response to client; backend never sees it.
-    @gated path /api/* /chat-api/* /uploads/*
-    handle @gated {
-        forward_auth localhost:3011 {
-            uri /verify
-            copy_headers Authorization
-        }
-
-        # Phase 6.7: /uploads/* now behind the gate (was a public file_server before)
-        handle /uploads/* {
-            root * /var/www/inventory
-            file_server
-        }
-
-        # Vendor dashboard routes
-        # NOTE: pre-Phase-4 these are still on separate ports; updates here when merged.
-        handle /api/klaviyo/*           { reverse_proxy localhost:3015 }
-        handle /api/meta/*              { reverse_proxy localhost:3015 }
-        handle /api/google-analytics/*  { reverse_proxy localhost:3015 }
-        handle /api/typeform/*          { reverse_proxy localhost:3015 }
-
-        # ACOT
-        handle /api/acot/*              { reverse_proxy localhost:3012 }
-
-        # Chat
-        handle /chat-api/* {
-            uri strip_prefix /chat-api
-            reverse_proxy localhost:3014
-        }
-
-        # Catch-all: inventory-server
-        handle /api/* { reverse_proxy localhost:3010 }
-    }
-
-    # Out-of-band probes (unauthenticated)
-    handle /health { reverse_proxy localhost:3010 }
-
-    # SPA fallback (public assets)
-    handle {
-        root * /var/www/inventory/frontend/build
-        try_files {path} /index.html
-        file_server
-        encode gzip
-    }
-
-    handle_errors {
-        respond "{err.status_code} {err.status_text}"
-    }
-}