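# Phase 6.1 + 6.6 + 6.7: tools.acherryontop.com final form
#
# Apply on the server with (back up the LIVE file BEFORE overwriting it —
# the original ordering copied the new file over the old one first, so the
# "backup" would have been a copy of the new config):
#   sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak.$(date +%F)
#   curl -X POST http://localhost:2020/load \
#     -H 'Content-Type: text/caddyfile' \
#     --data-binary @/home/matt/Caddyfile.new
#   sudo cp /home/matt/Caddyfile.new /etc/caddy/Caddyfile
#
# Differences from current /etc/caddy/Caddyfile:
#   1. forward_auth gate added in front of /api/* and /chat-api/* (Phase 6.1).
#   2. /uploads/* moved behind the forward_auth gate (Phase 6.7 — was public).
#   3. LAN wildcards / Access-Control-Allow-Origin "*" defaults dropped from /api/* (Phase 6.6).
#   4. Removed dead /api/{aircall,gorgias,clarity}/* routes (Phase 1 — already cleaned up here).
#
# Phase 4 (dashboard-server merge): THIS file already routes klaviyo/meta/google/typeform
# to the merged dashboard-server on localhost:3015. The live Caddyfile still routes them
# to their per-vendor PM2 apps. Do not load this file until something is listening on
# localhost:3015, or those four routes will start returning 502.

tools.acherryontop.com {
	import security_headers

	# Public: login endpoint. /auth-inv/login etc. reach auth-server as /login etc.
	handle /auth-inv/* {
		uri strip_prefix /auth-inv
		reverse_proxy localhost:3011
	}

	# Public: static frontend assets (long-cache).
	# The suffix patterns (*.jpg, *.js, ...) match ANYWHERE in the URL space, including
	# /uploads/photo.jpg and /api/x.js. Caddy keeps the written order for handle blocks whose
	# named matchers list several paths, so @static is evaluated before @gated; without the
	# exclusion below an authenticated upload would be answered here (404 from the build dir)
	# and never reach the gated /uploads/* file_server. Keep this matcher confined to the
	# public SPA build, never to the gated prefixes.
	@static {
		path *.js *.css *.png *.jpg *.jpeg *.gif *.ico *.svg *.woff *.woff2
		not path /api/* /chat-api/* /uploads/*
	}
	handle @static {
		header Cache-Control "public, max-age=2592000"
		root * /var/www/inventory/frontend/build
		file_server
	}

	# ----- Authenticated zone -----
	# Phase 6.1: forward_auth issues a subrequest to auth-server:/verify carrying the
	# original request's headers. 2xx → the request proceeds to the nested handles below
	# (the Authorization header from the auth response is copied onto the upstream request).
	# Any non-2xx → Caddy relays the auth-server response to the client; the backend never
	# sees the request.
	@gated path /api/* /chat-api/* /uploads/*
	handle @gated {
		forward_auth localhost:3011 {
			uri /verify
			copy_headers Authorization
		}

		# Phase 6.7: /uploads/* now behind the gate (was a public file_server before).
		handle /uploads/* {
			root * /var/www/inventory
			file_server
		}

		# Vendor dashboard routes — all on the merged dashboard-server (Phase 4 target).
		handle /api/klaviyo/* {
			reverse_proxy localhost:3015
		}
		handle /api/meta/* {
			reverse_proxy localhost:3015
		}
		handle /api/google-analytics/* {
			reverse_proxy localhost:3015
		}
		handle /api/typeform/* {
			reverse_proxy localhost:3015
		}

		# ACOT
		handle /api/acot/* {
			reverse_proxy localhost:3012
		}

		# Chat: /chat-api/foo reaches chat backend as /foo.
		handle /chat-api/* {
			uri strip_prefix /chat-api
			reverse_proxy localhost:3014
		}

		# Catch-all for the rest of /api/*: inventory-server.
		# (Longer-path handles above sort ahead of this one.)
		handle /api/* {
			reverse_proxy localhost:3010
		}
	}

	# Out-of-band probes (unauthenticated, by design — exposes only inventory-server's /health).
	handle /health {
		reverse_proxy localhost:3010
	}

	# SPA fallback (public assets): unknown paths serve index.html so client-side routing works.
	handle {
		root * /var/www/inventory/frontend/build
		try_files {path} /index.html
		file_server
		encode gzip
	}

	# Minimal error body — status code and text only, no upstream detail.
	handle_errors {
		respond "{err.status_code} {err.status_text}"
	}
}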