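---
# Dynamic routing configuration (Traefik file provider).
#
# Trust model: backends receive identity in X-User-Id / X-User-Email /
# X-User-Tier. On routers that use `auth-forward`, those headers are set from
# the auth service's response. Routers without `auth-forward` apply
# `strip-identity-headers`, so client-supplied copies never reach a backend.
http:
  middlewares:
    # ForwardAuth: validates the JWT via the Auth Service and injects the
    # identity headers listed under authResponseHeaders.
    auth-forward:
      forwardAuth:
        address: "http://auth:8000/api/v1/auth/verify"
        # NOTE(review): with trustForwardHeader enabled, X-Forwarded-* values
        # already present on the incoming request are passed to the auth
        # service as-is. That is only safe if a trusted proxy in front of
        # Traefik sets or overwrites them; if Traefik is the edge, set this to
        # false so the auth service sees values derived from the real request.
        trustForwardHeader: true
        authResponseHeaders:
          - "X-User-Id"
          - "X-User-Email"
          - "X-User-Tier"

    # Removes client-supplied identity headers. An empty value in
    # customRequestHeaders deletes the header from the forwarded request.
    # Applied to every router that does not run auth-forward.
    strip-identity-headers:
      headers:
        customRequestHeaders:
          X-User-Id: ""
          X-User-Email: ""
          X-User-Tier: ""

    # Rate limiting (basic, per-client IP; upgrade to per-tier later).
    # NOTE(review): the default source criterion is the connection's remote
    # address. Behind a load balancer all clients would share one bucket;
    # confirm the deployment topology.
    rate-limit:
      rateLimit:
        average: 60
        burst: 20
        period: "1m"

    # Strip the /api/v1 prefix before forwarding to services.
    # NOTE(review): the forwardAuth address and the health router both reach
    # the auth service under /api/v1/...; confirm the backends also serve the
    # stripped paths.
    strip-api-prefix:
      stripPrefix:
        prefixes:
          - "/api/v1"

  routers:
    # -- Auth (no ForwardAuth on public endpoints) ---------------------------
    # This router wins over auth-protected because its rule is longer
    # (the default priority is the rule length).
    # NOTE(review): PathPrefix also matches longer paths that merely begin
    # with these strings, and those skip ForwardAuth too. Use Path(...) if
    # only the exact endpoints are meant to be public.
    auth-public:
      rule: "PathPrefix(`/api/v1/auth/register`) || PathPrefix(`/api/v1/auth/login`) || PathPrefix(`/api/v1/auth/refresh`)"
      entryPoints:
        - websecure
      middlewares:
        - strip-identity-headers
        - rate-limit
        - strip-api-prefix
      service: auth-svc
      tls: {}

    auth-protected:
      rule: "PathPrefix(`/api/v1/auth`)"
      entryPoints:
        - websecure
      middlewares:
        - auth-forward
        - rate-limit
        - strip-api-prefix
      service: auth-svc
      tls: {}

    # -- WebSocket Gateway (sticky sessions) ---------------------------------
    # No ForwardAuth here, so the gateway must authenticate the connection
    # itself. Identity headers from the client are stripped so the gateway
    # cannot mistake them for proxy-verified values.
    ws-gateway:
      rule: "PathPrefix(`/api/v1/ws`)"
      entryPoints:
        - websecure
      middlewares:
        - strip-identity-headers
        - rate-limit
      service: ws-gateway-svc
      tls: {}

    # -- Chat Service --------------------------------------------------------
    chat:
      rule: "PathPrefix(`/api/v1/chat`)"
      entryPoints:
        - websecure
      middlewares:
        - auth-forward
        - rate-limit
        - strip-api-prefix
      service: chat-svc
      tls: {}

    # -- Batch Agent Service -------------------------------------------------
    batch-agent:
      rule: "PathPrefix(`/api/v1/agents`)"
      entryPoints:
        - websecure
      middlewares:
        - auth-forward
        - rate-limit
        - strip-api-prefix
      service: batch-agent-svc
      tls: {}

    # -- Billing Service -----------------------------------------------------
    # The webhook is unauthenticated at the proxy; billing-svc is expected to
    # verify the sender itself (e.g. a provider signature), which this file
    # cannot enforce.
    billing-webhook:
      rule: "PathPrefix(`/api/v1/billing/webhook`)"
      entryPoints:
        - websecure
      middlewares:
        - strip-identity-headers
        - rate-limit
        - strip-api-prefix
      service: billing-svc
      tls: {}
      # Must be higher than the `billing` router's priority. `billing` has no
      # explicit priority, so it defaults to its rule length, which is above
      # the previous value of 10; with 10 the webhook path was captured by
      # `billing` and sent through ForwardAuth.
      priority: 100

    billing:
      rule: "PathPrefix(`/api/v1/billing`)"
      entryPoints:
        - websecure
      middlewares:
        - auth-forward
        - rate-limit
        - strip-api-prefix
      service: billing-svc
      tls: {}

    # -- Health (no auth) ----------------------------------------------------
    # Forwarded with the /api/v1 prefix intact and without rate limiting.
    health:
      rule: "Path(`/api/v1/health`)"
      entryPoints:
        - websecure
      middlewares:
        - strip-identity-headers
      service: auth-svc
      tls: {}

  services:
    # All backends are reached over plain HTTP by service name; this assumes
    # an isolated internal network.
    auth-svc:
      loadBalancer:
        servers:
          - url: "http://auth:8000"

    ws-gateway-svc:
      loadBalancer:
        sticky:
          cookie:
            name: "ws_affinity"
            # All routers use the TLS entry point, so the affinity cookie can
            # be restricted to HTTPS and hidden from page scripts.
            secure: true
            httpOnly: true
        servers:
          - url: "http://ws-gateway:8000"

    chat-svc:
      loadBalancer:
        servers:
          - url: "http://chat:8000"

    batch-agent-svc:
      loadBalancer:
        servers:
          - url: "http://batch-agent:8000"

    billing-svc:
      loadBalancer:
        servers:
          - url: "http://billing:8000"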