# Provenance edge. Site address is env-driven: ':80' for local http://localhost,
# a domain in production for automatic HTTPS. Behind a Cloudflare Tunnel you can
# keep this on plain HTTP and let the tunnel terminate TLS.

{$PROVENANCE_SITE_ADDRESS::80} {
	encode gzip

	# Versioned API surface (FastAPI). The assistant mounts under /assistant later.
	handle /api/* {
		reverse_proxy backend:8000
	}

	# Liveness/readiness probes, proxied for external monitoring.
	handle /health* {
		reverse_proxy backend:8000
	}

	# Everything else -> the Next.js frontend.
	handle {
		reverse_proxy frontend:3000
	}
}
