# ------------------------------------------------------------------------------
# Neo.mjs MCP Server Reference Proxy Configuration (Caddy)
# Target: Shared Topology (Multi-tenant)
# ------------------------------------------------------------------------------
# Security Threat Model:
# The Neo MCP architecture uses trustProxyIdentity, which allows the upstream
# MCP servers to trust the X-PREFERRED-USERNAME header for authorization.
# IT IS CRITICAL to strip any client-provided values for this header BEFORE
# allowing your authentication layer (e.g., oauth2-proxy) to inject it.
# ------------------------------------------------------------------------------

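mcp.example.com {
    # [Out of scope: TLS termination certificates]
    # tls /path/to/cert.pem /path/to/key.pem

    # Directives inside `route` execute in the order written, so the identity
    # header strip below always runs before forward_auth and before any proxying.
    # The upstreams trust X-Preferred-Username unconditionally (trustProxyIdentity),
    # so they must only be reachable through this proxy, never directly.
    route {
        # 1. SECURITY: Header manipulation block
        # Strip any client-provided identity headers first!
        # Header names are matched case-insensitively, so spelling variants
        # such as x-preferred-username are removed as well.
        request_header -X-Preferred-Username
        request_header -X-Auth-Request-Preferred-Username

        # 2. OAuth2 Proxy forward auth integration
        # Only the named response header from the auth upstream is copied onto
        # the request; a non-2xx auth response is returned to the client instead
        # of continuing down this route.
        forward_auth 127.0.0.1:4180 {
            uri /oauth2/auth
            copy_headers X-Auth-Request-Preferred-Username
        }

        # 3. Pathname Routing: Knowledge Base Server
        # handle_path strips the /kb prefix before proxying.
        handle_path /kb/* {
            reverse_proxy 127.0.0.1:3000 {
                # Inject trusted header from the forward_auth step
                header_up X-Preferred-Username {http.request.header.X-Auth-Request-Preferred-Username}
                # Do not leak the intermediate auth header to the upstream
                header_up -X-Auth-Request-Preferred-Username
                # SSE streaming is natively supported by Caddy without specific buffering toggles
            }
        }

        # 4. Pathname Routing: Memory Core Server
        # handle_path strips the /mc prefix before proxying.
        handle_path /mc/* {
            reverse_proxy 127.0.0.1:3001 {
                # Inject trusted header from the forward_auth step
                header_up X-Preferred-Username {http.request.header.X-Auth-Request-Preferred-Username}
                # Do not leak the intermediate auth header to the upstream
                header_up -X-Auth-Request-Preferred-Username
                # SSE streaming natively supported
            }
        }

        # 5. Explicit catch-all for every other path.
        # Without this, an authenticated request to an unrouted path falls off
        # the end of the route and Caddy answers with an empty 200; a clear 404
        # is the intended "no such service" response.
        handle {
            respond 404
        }
    }
}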
