# arifOS Sovereign Caddyfile — Cloudflare Origin CA Edition
# DITEMPA BUKAN DIBERI

# Global options.
# - admin: the admin API listens on a unix socket instead of the default
#   localhost:2019 TCP listener, so only local processes that can open the
#   socket can reconfigure Caddy. NOTE(review): the socket's filesystem
#   permissions decide who that is — confirm it is not world-readable/writable
#   on the host (newer Caddy releases accept a permission suffix on the path).
# - email: ACME account contact. Every site block below imports tls_origin
#   (a static Cloudflare Origin CA certificate), so ACME issuance is not
#   exercised by the hosts in this file.
# NOTE(review): no `servers { trusted_proxies ... }` is configured. Behind
# Cloudflare, the client address Caddy sees and logs is the Cloudflare edge,
# not the end user — confirm nothing downstream (logging, rate limiting,
# allow-lists) relies on the real client IP.
{
    admin unix//var/run/caddy-admin.sock
    email arif@arif-fazil.com
}

# Static certificate/key issued by Cloudflare Origin CA. Origin CA
# certificates are trusted by Cloudflare's edge only, not by browsers, so
# every host importing this snippet is expected to be reached through the
# Cloudflare proxy. Because the cert is static (no ACME), every hostname in
# this file must be covered by it (SAN or wildcard) — a mismatch surfaces
# only at the edge, not in Caddy's logs.
# NOTE(review): nothing in this file verifies that a request actually came
# via Cloudflare. If the origin is reachable directly (published container
# port, unproxied DNS record), an attacker bypasses any Cloudflare-side
# WAF/Access rules. Consider Authenticated Origin Pulls — a `client_auth`
# block on this `tls` directive requiring Cloudflare's origin-pull CA —
# and/or a host firewall limited to Cloudflare's published IP ranges.
# The key file should be readable by the Caddy process only.
(tls_origin) {
    tls /data/cloudflare-origin/cert.pem /data/cloudflare-origin/key.pem
}

# Shared snippet for design assets
# Assets shared by every site, served under /_shared/* regardless of the
# importing site's own document root. The file server's root is the parent
# of the per-site roots, so /_shared/x maps to /var/www/html/_shared/x.
# No `browse` is enabled, so directory listings are not served.
(shared_assets) {
    handle /_shared/* {
        file_server {
            root /var/www/html
        }
    }
}

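# Main site (apex + www): a static single-page app with index.html fallback.
arif-fazil.com, www.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/arif

    # The SPA fallback lives in its own `handle` so it is mutually exclusive
    # with the /_shared/* handle imported from shared_assets. Caddy orders
    # `try_files` before `handle`, so a top-level `try_files {path} /index.html`
    # would rewrite any /_shared/* request whose file is absent from *this*
    # root to /index.html before the shared handle ever saw it. This matches
    # the handle-wrapped pattern already used by aaa/geox/wealth below.
    handle {
        try_files {path} /index.html
        file_server
    }
}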

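# arifOS site: static single-page app with index.html fallback.
arifos.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/arifos

    # Fallback wrapped in `handle` so it is mutually exclusive with the
    # /_shared/* handle from shared_assets; a top-level `try_files` runs
    # before `handle` in Caddy's directive order and would rewrite missing
    # /_shared/* paths to /index.html first. Same pattern as aaa/geox/wealth.
    handle {
        try_files {path} /index.html
        file_server
    }
}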

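# Forge site: static single-page app with index.html fallback.
forge.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/forge

    # Fallback wrapped in `handle` so it is mutually exclusive with the
    # /_shared/* handle from shared_assets; a top-level `try_files` runs
    # before `handle` in Caddy's directive order and would rewrite missing
    # /_shared/* paths to /index.html first. Same pattern as aaa/geox/wealth.
    handle {
        try_files {path} /index.html
        file_server
    }
}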

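# WAW site: static single-page app with index.html fallback
# (wawa.arif-fazil.com redirects here).
waw.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/waw

    # Fallback wrapped in `handle` so it is mutually exclusive with the
    # /_shared/* handle from shared_assets; a top-level `try_files` runs
    # before `handle` in Caddy's directive order and would rewrite missing
    # /_shared/* paths to /index.html first. Same pattern as aaa/geox/wealth.
    handle {
        try_files {path} /index.html
        file_server
    }
}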

# Legacy alias: wawa -> waw, preserving path and query string ({uri}).
# 301 is what `permanent` expands to; note the apex/hermes aliases below use
# 308 (method-preserving) instead.
wawa.arif-fazil.com {
    import tls_origin
    redir * https://waw.arif-fazil.com{uri} 301
}

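# Wiki site: static single-page app with index.html fallback.
wiki.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/wiki

    # Fallback wrapped in `handle` so it is mutually exclusive with the
    # /_shared/* handle from shared_assets; a top-level `try_files` runs
    # before `handle` in Caddy's directive order and would rewrite missing
    # /_shared/* paths to /index.html first. Same pattern as aaa/geox/wealth.
    handle {
        try_files {path} /index.html
        file_server
    }
}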

# MCP host: API paths are proxied to the arifosmcp container, a small set of
# human-readable paths are served from disk, and everything else falls
# through to the container as well.
mcp.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/mcp

    # Paths owned by the MCP server. `/mcp*` is a prefix glob: it matches
    # /mcp, /mcp/..., and also /mcp-anything.
    @mcp_api {
        path /mcp* /health /tools /metadata /ready
    }
    handle @mcp_api {
        reverse_proxy arifosmcp:3000
    }

    # Static, human-readable surfaces. `/` is an exact match; the rest are
    # prefix globs (`/app*` already covers `/apps*`; kept for readability).
    @static_pages {
        path / /privacy* /webmcp* /app* /apps*
    }
    handle @static_pages {
        file_server
    }

    # Catch-all: anything not matched above also goes to the MCP server, so
    # @mcp_api mainly documents which routes are expected to exist.
    # NOTE(review): /health, /ready, /tools and /metadata are reachable by
    # anyone who can reach this host — confirm they expose nothing sensitive.
    handle {
        reverse_proxy arifosmcp:3000
    }
}

# Legacy alias: arifosmcp -> mcp, preserving path and query string ({uri}).
# 301 is what `permanent` expands to; a POSTing MCP client following it may
# be downgraded to GET — the apex/hermes aliases below use 308 for that reason.
arifosmcp.arif-fazil.com {
    import tls_origin
    redir * https://mcp.arif-fazil.com{uri} 301
}

# AAA A2A gateway: agent-to-agent and API paths go to the aaa-a2a container,
# everything else is the static SPA.
aaa.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/aaa

    # Proxied paths. `/a2a/*` and `/api/*` need a trailing segment: a bare
    # /a2a or /api does not match and falls through to the SPA handle.
    @gateway {
        path /a2a/* /api/* /health
    }
    handle @gateway {
        reverse_proxy aaa-a2a:3001
    }

    # SPA: unknown paths are rewritten to /index.html (try_files is ordered
    # before file_server inside this handle).
    handle {
        try_files {path} /index.html
        file_server
    }
}

# GeoX site: /mcp* is proxied to the geox container, the rest is a static SPA.
geox.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/geox

    # Prefix glob: matches /mcp, /mcp/..., and any other path starting /mcp.
    handle /mcp* {
        reverse_proxy {
            to geox:8081
        }
    }

    # Everything else: static files with index.html fallback.
    handle {
        try_files {path} /index.html
        file_server
    }
}

# Wealth site: MCP and probe endpoints are proxied to the wealth-organ
# container, everything else is the static SPA.
wealth.arif-fazil.com {
    import tls_origin
    import shared_assets
    encode zstd gzip
    root * /var/www/html/wealth

    # `/mcp*` is a prefix glob; /health and /ready are exact matches.
    @organ {
        path /mcp* /health /ready
    }
    handle @organ {
        reverse_proxy wealth-organ:8000
    }

    # SPA: unknown paths are rewritten to /index.html before file_server.
    handle {
        try_files {path} /index.html
        file_server
    }
}

# Dozzle proxied as-is (presumably the Docker log viewer of that name).
# NOTE(review): this block adds no authentication, and the Origin CA
# certificate alone does not restrict who can reach the origin. If this is
# the log viewer, anyone who can reach the host can read container logs —
# confirm Dozzle's own auth or a Cloudflare Access policy is in front of it,
# and that logs carry no secrets (tokens, connection strings).
dozzle.arif-fazil.com {
    import tls_origin
    reverse_proxy {
        to dozzle:8080
    }
}

# TEMPORARY REDIRECT — APEX is internal-only. Redirects public traffic to AAA.
# TODO: Remove this block after all clients are updated to use aaa.arif-fazil.com directly.
# apex -> aaa with path and query preserved. 308 keeps the request method and
# body, so API clients that POST are not downgraded to GET by the redirect.
apex.arif-fazil.com {
    import tls_origin
    redir * https://aaa.arif-fazil.com{uri} 308
}

# TEMPORARY REDIRECT — Legacy HERMES public hostname kept only for compatibility.
# TODO: Remove once DNS record is deleted and clients are migrated.
# hermes -> aaa with path and query preserved. 308 keeps the request method
# and body, so API clients that POST are not downgraded to GET.
hermes.arif-fazil.com {
    import tls_origin
    redir * https://aaa.arif-fazil.com{uri} 308
}

# AAA A2A Gateway
# (aaa.arif-fazil.com is defined above with static + /a2a/* proxy)
