# The domain comes from the AUGUR_DOMAIN env var (set in deploy/.env), so you
# don't edit the domain here. Caddy auto-issues a Let's Encrypt certificate
# (GitHub webhooks require valid HTTPS). The App's webhook URL is then:
#   https://$AUGUR_DOMAIN/github/webhook
#
# SECURITY: only the two paths the outside world needs are proxied. The read-only
# inspection endpoints (/pellet, /marketplace, /score, /webhook) are NOT exposed to
# the internet — they would leak stored repo/prediction/subscriber data. Reach them
# from the server itself via `docker compose exec` instead.
{$AUGUR_DOMAIN} {
	@public path /github/webhook /health
	handle @public {
		reverse_proxy augur:8000
	}
	handle {
		respond 404
	}
}
