# arifOS Sovereign Caddyfile
# DITEMPA BUKAN DIBERI
# 3 Main Sites: arif-fazil.com | arifos.arif-fazil.com | aaa.arif-fazil.com
# Federation MCP: arifos (13 canonical) | geox (21) | wealth (17) | well (13 canonical, 77 total)
# Last reconcile: 2026-05-01
# Global options.
# The admin API is bound to a unix socket instead of a TCP port, so only local
# users with access to the socket file can reach it — keep the socket's
# filesystem permissions tight, since the admin API can replace the entire
# running configuration.
# `email` is the ACME account contact used for certificate issuance.
{
	admin unix//var/run/caddy-admin.sock
	email arif@arif-fazil.com
}

# Baseline response-hardening headers, imported by every site block below.
# HSTS is set with includeSubDomains + preload: once the zone is on the preload
# list this commits every subdomain of arif-fazil.com — listed in this file or
# not — to HTTPS only.
(tls_origin) {
	header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
	header X-Content-Type-Options "nosniff"
	header X-Frame-Options "SAMEORIGIN"
	header Referrer-Policy "strict-origin-when-cross-origin"
}

# Serves /_shared/* from the common web root (/var/www/html) so assets under
# that prefix can be reused by every site that imports this snippet.
# The root is one level above each site's own document root, so anything placed
# in /var/www/html/_shared/ becomes public on every importing host.
(shared_assets) {
	handle /_shared/* {
		root * /var/www/html
		file_server
	}
}

# Wildcard CORS for the public MCP/API surfaces.
# A "*" origin is acceptable only for endpoints that do not rely on cookies or
# other ambient browser credentials (browsers refuse to expose credentialed
# responses behind a wildcard origin) — presumably these are token-based; confirm.
# No Access-Control-Allow-Headers is set here, so preflights needing custom
# request headers must be answered elsewhere (see the copilot block).
(cors_public) {
	header {
		Access-Control-Allow-Origin *
		Access-Control-Allow-Methods "GET, POST, OPTIONS"
	}
}

# ═══════════════════════════════════════════════════════════════════════
# MAIN SITE 1 — Ψ HUMAN SURFACE
# ═══════════════════════════════════════════════════════════════════════
# Canonical-host redirect: www → apex, preserving path and query ({uri}).
www.arif-fazil.com {
	import tls_origin
	redir https://arif-fazil.com{uri} permanent
}

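# Static human-facing site. Everything is served from the filesystem; there is
# no upstream on this host. The /_shared/* handle now comes from the
# shared_assets snippet (identical content) instead of being repeated inline,
# matching the other static hosts in this file.
arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/arif

	# /.well-known/* is served from its own directory with an index.html
	# fallback. Caddy answers ACME HTTP-01 challenges itself, ahead of site
	# routes, so this does not interfere with certificate issuance.
	@well-known path /.well-known/*
	handle @well-known {
		uri strip_prefix /.well-known
		root * /var/www/html/arif/.well-known
		try_files {path} /index.html
		file_server
	}

	# /999/* (matcher named @validation): same strip-prefix + index fallback.
	@validation path /999/*
	handle @validation {
		uri strip_prefix /999
		root * /var/www/html/arif/999
		try_files {path} /index.html
		file_server
	}

	# SPA-style fallback for everything else.
	handle {
		try_files {path} /index.html
		file_server
	}
}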

# ═══════════════════════════════════════════════════════════════════════
# MAIN SITE 2 — Ω ARIFOS OBSERVATORY
# ═══════════════════════════════════════════════════════════════════════
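# arifOS observatory: static UI from /var/www/html/arifos plus the MCP server on
# loopback :8080. Every proxied path below is exposed with no authentication at
# this layer. Handles that proxied identically are folded into named matchers;
# the mixed tab/space indentation of the old block is normalised to tabs.
arifos.arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/arifos

	# MCP discovery document.
	@wk path /.well-known/mcp/server.json
	handle @wk {
		reverse_proxy 127.0.0.1:8080
	}

	# Streamable-HTTP / SSE transports. The Accept header is pinned for the
	# upstream — presumably so clients that omit it still get an event-stream
	# capable response; confirm against the MCP server's expectations.
	@stream path /mcp* /sse*
	handle @stream {
		reverse_proxy 127.0.0.1:8080 {
			header_up Accept "text/event-stream, application/json, application/json-rpc"
		}
	}

	# Plain pass-through surfaces. /dashboard* already matches /dashboard/*,
	# so no separate /dashboard/* rule is needed.
	# NOTE(review): /inspector/* and /dashboard* are operator-facing surfaces;
	# confirm the upstream enforces authentication on them, because nothing
	# here does.
	@backend path /health /ready /dashboard* /tools /tools/* /tools.json /api/* /inspector/*
	handle @backend {
		reverse_proxy 127.0.0.1:8080
	}

	# Static fallback.
	handle {
		try_files {path} /index.html
		file_server
	}
}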

# ═══════════════════════════════════════════════════════════════════════
# MAIN SITE 3 — Δ AAA COCKPIT
# ═══════════════════════════════════════════════════════════════════════
# AAA cockpit: static UI from /var/www/html/aaa; A2A, API and health surfaces
# proxied to loopback :3001 with no authentication at this layer.
aaa.arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/aaa

	# Static agent discovery (public, no auth)
	# (root repeats the site-level value — harmless, but redundant.)
	handle /a2a/agents.json {
		root * /var/www/html/aaa
		file_server
	}
	# Bare /a2a is rewritten to the /a2a/ path before proxying.
	handle /a2a {
		rewrite * /a2a/
		reverse_proxy 127.0.0.1:3001
	}
	handle /a2a/* {
		reverse_proxy 127.0.0.1:3001
	}
	handle /api/* {
		reverse_proxy 127.0.0.1:3001
	}
	handle /health {
		reverse_proxy 127.0.0.1:3001
	}
	# /ready is an alias for the upstream /health endpoint.
	handle /ready {
		rewrite * /health
		reverse_proxy 127.0.0.1:3001
	}
	# The whole /.well-known/ tree is handed to the upstream. Caddy still
	# answers ACME HTTP-01 challenges itself, ahead of these routes.
	handle /.well-known/* {
		reverse_proxy 127.0.0.1:3001
	}
	# Static fallback.
	handle {
		try_files {path} /index.html
		file_server
	}
}

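# ai.arif-fazil.com: every path on this host goes to loopback :50001. No
# per-path routing is needed — /api/*, /mcp/* and the fallback all share the
# same upstream, so a single reverse_proxy expresses the same routing.
# NOTE(review): this exposes the entire upstream HTTP surface publicly with no
# auth at this layer — confirm that is intended, or add an auth/allow-list here.
ai.arif-fazil.com {
	import tls_origin
	encode zstd gzip
	reverse_proxy 127.0.0.1:50001
}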

# ═══════════════════════════════════════════════════════════════════════
# APEX — INTERNAL DELIBERATIVE RELAY (no public surface)
# TEMPORARY REDIRECT — All public traffic redirected to AAA.
# TODO: Remove this block after all clients updated to aaa.arif-fazil.com.
# APEX remains running internally at apex-prime:3002 for federation use.
# ═══════════════════════════════════════════════════════════════════════
# 308 (rather than 301) so the request method and body survive the redirect
# to AAA; path and query are preserved via {uri}.
apex.arif-fazil.com {
	import tls_origin
	redir https://aaa.arif-fazil.com{uri} 308
}

# TEMPORARY REDIRECT — legacy hostname kept for compatibility only.
# Same 308 redirect as apex: method, body, path and query are all preserved.
hermes.arif-fazil.com {
	import tls_origin
	redir https://aaa.arif-fazil.com{uri} 308
}

# ═══════════════════════════════════════════════════════════════════════
# FEDERATION MCP — GEOX
# Keep at geox.arif-fazil.com — ChatGPT registered here
# ═══════════════════════════════════════════════════════════════════════
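# GEOX federation MCP: static UI from /var/www/html/geox, MCP surfaces proxied
# to loopback :8081 with no authentication at this layer.
# The seven CORS-enabled handles were byte-for-byte identical apart from the
# path, so they are collapsed into one named matcher; /sse* stays separate
# because it carries no CORS headers.
geox.arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/geox

	@cors_surface path /mcp /mcp/* /health /ready /status /.well-known/mcp/server.json /tools
	handle @cors_surface {
		import cors_public
		reverse_proxy 127.0.0.1:8081 {
			# Caddy already forwards the client's Host header unchanged;
			# pinning it normalises whatever Host value the client sent.
			header_up Host geox.arif-fazil.com
		}
	}

	# SSE stream: proxied without CORS headers.
	handle /sse* {
		reverse_proxy 127.0.0.1:8081 {
			header_up Host geox.arif-fazil.com
		}
	}

	# Static fallback.
	handle {
		try_files {path} /index.html
		file_server
	}
}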

# ═══════════════════════════════════════════════════════════════════════
# FEDERATION MCP — WEALTH
# Keep at wealth.arif-fazil.com — ChatGPT registered here
# Note: wealth-organ internal port is 8082
# ═══════════════════════════════════════════════════════════════════════
# WEALTH federation MCP: static UI from /var/www/html/wealth, MCP surfaces
# proxied to loopback :8082 with no authentication at this layer.
wealth.arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/wealth

	# CORS-wildcard surfaces. Note /mcp* also matches paths like /mcpfoo,
	# not only /mcp and /mcp/… (geox uses the narrower /mcp + /mcp/* pair).
	handle /mcp* {
		import cors_public
		reverse_proxy 127.0.0.1:8082
	}
	handle /health {
		import cors_public
		reverse_proxy 127.0.0.1:8082
	}
	# SSE stream: proxied without CORS headers.
	handle /sse* {
		reverse_proxy 127.0.0.1:8082
	}
	handle /.well-known/mcp/server.json {
		import cors_public
		reverse_proxy 127.0.0.1:8082
	}
	handle /tools {
		import cors_public
		reverse_proxy 127.0.0.1:8082
	}
	handle /ready {
		import cors_public
		reverse_proxy 127.0.0.1:8082
	}
	# Static fallback.
	handle {
		try_files {path} /index.html
		file_server
	}
}

# ═══════════════════════════════════════════════════════════════════════
# FEDERATION MCP — WELL
# Added here — this host was previously missing from the Caddyfile entirely
# ChatGPT registered at well.arif-fazil.com/mcp
# ═══════════════════════════════════════════════════════════════════════
# WELL federation MCP: no static root on this host — every path, including the
# fallback, is proxied to loopback :8083 with no authentication at this layer.
well.arif-fazil.com {
	import tls_origin
	encode zstd gzip

	# CORS-wildcard surfaces (/mcp* also matches /mcpfoo, not only /mcp/…).
	handle /mcp* {
		import cors_public
		reverse_proxy 127.0.0.1:8083
	}
	handle /health {
		import cors_public
		reverse_proxy 127.0.0.1:8083
	}
	handle /ready {
		import cors_public
		reverse_proxy 127.0.0.1:8083
	}
	# SSE stream: proxied without CORS headers.
	handle /sse* {
		reverse_proxy 127.0.0.1:8083
	}
	# The whole /.well-known/ tree goes upstream — broader than geox and wealth,
	# which only proxy /.well-known/mcp/server.json.
	handle /.well-known/* {
		import cors_public
		reverse_proxy 127.0.0.1:8083
	}
	handle /tools {
		import cors_public
		reverse_proxy 127.0.0.1:8083
	}
	# The fallback is the upstream too, so the entire :8083 HTTP surface is
	# public on this host.
	handle {
		reverse_proxy 127.0.0.1:8083
	}
}

# ═══════════════════════════════════════════════════════════════════════
# COPILOT GOVERNANCE BRIDGE — copilot.arif-fazil.com
# Layer 2 (JUDGMENT) gateway: Copilot output → arifOS 888_JUDGE → VAULT999
# ═══════════════════════════════════════════════════════════════════════
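# Copilot governance bridge on loopback :8090.
copilot.arif-fazil.com {
	import tls_origin
	encode zstd gzip

	# Answer CORS preflights locally so the upstream never sees OPTIONS. The
	# origin/methods headers come from cors_public (same values as before);
	# only Allow-Headers is specific to this host.
	# With a wildcard origin plus X-API-Key in Allow-Headers, any web origin may
	# call the API from a browser if it holds a key — presumably the key is the
	# only credential; confirm the upstream accepts no cookie/ambient auth.
	# NOTE(review): Caddy reorders `handle` blocks by path-matcher specificity;
	# verify with `caddy adapt` that this method-only handle still precedes the
	# proxied paths, otherwise preflights on /copilot/* and /arifos/* reach the
	# upstream instead of being answered here.
	@cors_preflight method OPTIONS
	handle @cors_preflight {
		import cors_public
		header Access-Control-Allow-Headers "X-API-Key, Content-Type, X-Request-ID"
		respond "" 204
	}

	handle /health {
		reverse_proxy 127.0.0.1:8090
	}

	# Governed surfaces: identical proxy config, so one matcher covers both.
	@governed path /copilot/* /arifos/*
	handle @governed {
		import cors_public
		reverse_proxy 127.0.0.1:8090 {
			header_up Host copilot.arif-fazil.com
		}
	}

	# Anything else gets a short usage hint rather than reaching the upstream.
	handle {
		respond "Copilot Governance Gateway — use /copilot/ingest or /health" 200
	}
}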

# ═══════════════════════════════════════════════════════════════════════
# TRAVEL SITE — travel.arif-fazil.com (placeholder; points to main site)
# ═══════════════════════════════════════════════════════════════════════
# Placeholder host: every request is sent to /travel on the main site.
# The original path is discarded (no {uri}).
travel.arif-fazil.com {
	import tls_origin
	redir https://arif-fazil.com/travel permanent
}

# ═══════════════════════════════════════════════════════════════════════
# LEGACY REDIRECTS — old subdomains → main sites
# ═══════════════════════════════════════════════════════════════════════
# Legacy host: the request path is re-rooted under /mcp on the observatory host
# (e.g. a request for /x becomes /mcp/x, since {uri} keeps its leading slash).
arifosmcp.arif-fazil.com {
	import tls_origin
	redir https://arifos.arif-fazil.com/mcp{uri} permanent
}

# Legacy MCP host: /mcp* still reaches the arifOS server on :8080 directly;
# everything else is redirected to the observatory host. The redirect drops
# the request path (no {uri}).
# NOTE(review): unlike the /mcp* handle on arifos.arif-fazil.com, this one does
# not pin the upstream Accept header and applies no encode; confirm legacy
# clients do not depend on either before retiring this host.
mcp.arif-fazil.com {
	import tls_origin
	handle /mcp* {
		reverse_proxy 127.0.0.1:8080
	}
	handle {
		redir https://arifos.arif-fazil.com permanent
	}
}

# ═══════════════════════════════════════════════════════════════════════
# FORGE WEBHOOK — A-FORGE event receiver + arifOS governance gateway
# Route: forge.arif-fazil.com/webhook/forge → port 8443 (local)
# ─────────────────────────────────────────────────────────────────────
# Webhook receiver on loopback :8443. Caddy performs no request authentication
# here, so the upstream must validate each delivery itself (for GitHub, the
# X-Hub-Signature-256 HMAC; for A-FORGE, whatever shared secret it defines).
# NOTE(review): the upstream is addressed as plain HTTP; if the :8443 listener
# actually speaks TLS, the target needs an https:// scheme.
forge.arif-fazil.com {
	import tls_origin
	handle /webhook/forge* {
		reverse_proxy 127.0.0.1:8443
	}
	handle /webhook/github* {
		reverse_proxy 127.0.0.1:8443
	}
	handle /health {
		reverse_proxy 127.0.0.1:8443
	}
	# Catch-all: static banner with the default 200 status.
	handle {
		respond "forge.arif-fazil.com — A-FORGE webhook gateway"
	}
}

# Static wiki served from /var/www/html/wiki with an index.html fallback;
# no upstream on this host.
wiki.arif-fazil.com {
	import tls_origin
	import shared_assets
	encode zstd gzip
	root * /var/www/html/wiki
	handle {
		try_files {path} /index.html
		file_server
	}
}

# ═══════════════════════════════════════════════════════════════════════
# INFRASTRUCTURE
# ═══════════════════════════════════════════════════════════════════════
# Ollama API on loopback :11434, proxied as-is.
# NOTE(review): Ollama ships with no authentication of its own and nothing in
# this block adds any, so every /api/* route (generate, pull, delete, …) is
# reachable by anyone who can resolve this hostname — unless an edge layer in
# front of Caddy enforces access. Consider gating this host (basic_auth, a
# remote_ip allow-list, or an edge access policy); confirm what sits in front.
ollama.arif-fazil.com {
	import tls_origin
	reverse_proxy 127.0.0.1:11434
}

# ═══════════════════════════════════════════════════════════════════════
# INFRASTRUCTURE — Vaultwarden (Password Manager)
# ═══════════════════════════════════════════════════════════════════════
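# Vaultwarden on loopback :8085.
# Vaultwarden keys its login-attempt logging and rate limiting on the client
# address it reads from IP_HEADER (default X-Real-IP — confirm against the
# deployment's env). Caddy sets X-Forwarded-For by default but not X-Real-IP,
# so without the header_up below the upstream would record every login attempt
# as coming from 127.0.0.1.
# NOTE(review): the /admin panel is reachable on this host; confirm ADMIN_TOKEN
# is set upstream or restrict that path here.
vault.arif-fazil.com {
	import tls_origin
	encode zstd gzip
	reverse_proxy 127.0.0.1:8085 {
		header_up X-Real-IP {remote_host}
	}
}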

# ═══════════════════════════════════════════════════════════════════════
# INFRASTRUCTURE — Uptime Kuma (Service Monitoring)
# ═══════════════════════════════════════════════════════════════════════
# Uptime Kuma on loopback :8086, proxied as-is (its own login protects the UI;
# nothing is added at this layer).
status.arif-fazil.com {
	import tls_origin
	encode zstd gzip
	reverse_proxy 127.0.0.1:8086
}

# ═══════════════════════════════════════════════════════════════════════
# INFRASTRUCTURE — Netdata (System Metrics)
# ═══════════════════════════════════════════════════════════════════════
# Netdata on loopback :19999, proxied as-is.
# NOTE(review): Netdata's dashboard has no authentication by default, so this
# publishes live host metrics (processes, connections, disks) to anyone who can
# reach the hostname unless something in front of Caddy gates it. Consider
# basic_auth or a remote_ip allow-list here; confirm what sits in front.
metrics.arif-fazil.com {
	import tls_origin
	encode zstd gzip
	reverse_proxy 127.0.0.1:19999
}

# ═══════════════════════════════════════════════════════════════════════
# OPENCLAW GATEWAY
# Telegram webhook: /telegram-webhook → port 8787 (monitor-webhook process)
# Agent card: /.well-known/agent-card.json → port 18795
# UI + everything else → port 18789 (gateway)
# ═══════════════════════════════════════════════════════════════════════
openclaw.arif-fazil.com {
	import tls_origin
	encode zstd gzip
	# NOTE(review): Caddy does not authenticate webhook deliveries. The :8787
	# receiver should verify Telegram's X-Telegram-Bot-Api-Secret-Token header
	# (the secret_token configured via setWebhook) and reject calls without it.
	handle /telegram-webhook {
		reverse_proxy 127.0.0.1:8787
	}
	handle /.well-known/agent-card.json {
		reverse_proxy 127.0.0.1:18795
	}
	# Fallback: the gateway UI and every other path, with no auth at this layer.
	handle {
		reverse_proxy 127.0.0.1:18789
	}
}
