
{
    admin off
    auto_https {$AUTO_HTTPS}
    http_port {$HTTP_PORT}
}

:{$HTTP_PORT} {
    log {
        format console
        level {$LOG_LEVEL}
    }

    # Redirect /hatchet to dedicated Hatchet dashboard port
    handle /hatchet {
        redir http://localhost:{$HATCHET_DASHBOARD_PORT}/ permanent
    }

    # Redirect /registry to dedicated Verdaccio port
    handle /registry {
        redir http://localhost:{$VERDACCIO_PORT}/ permanent
    }

    # Redirect /studio to dedicated Studio port (IP-restricted)
    handle /studio {
        redir http://localhost:{$STUDIO_PORT}/ permanent
    }

    # Supabase auth endpoints (for OAuth callbacks and direct auth API)
    handle /auth/v1* {
        reverse_proxy {$SUPABASE_URL}
    }

    # Block direct REST API access (clients use the server API; server reaches PostgREST
    # over the internal docker network via supabase-kong:8000)
    handle /rest/* {
        respond "Not Found" 404
    }

    # Development-specific handlers
    handle /debug* {
        respond "Debug endpoint"
    }

    # Default: Route everything to app server (API + SPA)
    # The app server handles:
    # - /sfp/* API routes
    # - /* SPA routes (serves index.html with client-side routing)
    handle /* {
        reverse_proxy server:3029
    }

    handle_errors {
        respond "Error: {err.status_code} {err.message}"
    }
}

# Hatchet dashboard on dedicated port (no IP restriction in dev)
localhost:{$HATCHET_DASHBOARD_PORT} {
    reverse_proxy hatchet-dashboard:80
}

# Verdaccio npm registry on dedicated port (no IP restriction in dev)
localhost:{$VERDACCIO_PORT} {
    reverse_proxy verdaccio:4873
}

# Supabase Studio on dedicated port (no IP restriction in dev)
localhost:{$STUDIO_PORT} {
    reverse_proxy supabase-studio:3000
}