threadforge 0.1.0

package/src/deploy/NginxGenerator.js

@@ -0,0 +1,865 @@
+import path from "node:path";
+
+/**
+ * Nginx Config Generator v2
+ *
+ * Routes directly to edge services by path prefix.
+ * No JS gateway in the middle.
+ *
+ *   /api/users/*    → users service (port 3001)
+ *   /api/billing/*  → billing service (port 3002)
+ *   /auth/*         → auth service (port 3003)
+ *
+ * Each service can be on multiple machines (multiple upstreams).
+ * nginx load-balances across them with least_conn.
+ *
+ * If a service has type: 'edge' and a prefix, nginx routes
+ * that path to it. If no prefix, it's a catch-all.
+ */
+
+const SAFE_DOMAIN_RE = /^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$/;
+const SAFE_PREFIX_RE = /^\/[a-zA-Z0-9\/_-]*$/;
+const SAFE_SERVICE_NAME_RE = /^[a-zA-Z0-9_-]+$/;
+
+function resolveStaticPath(staticPath, label = "staticDir") {
+  if (typeof staticPath !== "string" || staticPath.trim() === "") {
+    throw new Error(`${label} must be a non-empty string`);
+  }
+  if (staticPath.includes("\0")) {
+    throw new Error(`${label} contains an invalid null byte`);
+  }
+  const containsTraversal = staticPath
+    .replace(/\\/g, "/")
+    .split("/")
+    .some((segment) => segment === "..");
+  if (containsTraversal) {
+    throw new Error(`${label} must not include path traversal segments`);
+  }
+  return path.resolve(staticPath).replace(/\/+$/, "");
+}
+
+function validateDomain(domain) {
+  if (domain && !SAFE_DOMAIN_RE.test(domain)) {
+    throw new Error(`Invalid domain name: "${domain}". Only alphanumeric, dots, and hyphens allowed.`);
+  }
+}
+
+/**
+ * @param {Object} options
+ * @param {string} options.domain
+ * @param {Object} options.services    - service name → { port, prefix, upstreams: [{host, port}] }
+ * @param {Object} [options.ssl]       - { cert, key }
+ * @param {Object} [options.rateLimits]
+ * @param {string} [options.staticDir]
+ * @param {boolean} [options.websockets]
+ * @param {string[]} [options.websocketPaths] - Array of WebSocket paths (default ['/ws'])
+ * @param {{path: string, service: string}[]} [options.websocketRoutes]
+ * @param {number} [options.maxBodySize]
+ */
+export function generateNginxConfig(options = {}) {
+  const domain = options.domain ?? "localhost";
+  validateDomain(domain);
+
+  const services = options.services ?? {};
+  const ssl = options.ssl;
+  const maxBodySize = options.maxBodySize ?? 10;
+  const rateLimits = options.rateLimits ?? {};
+
+  let config = `# nginx.conf — Auto-generated by ThreadForge
+# Domain: ${domain}
+# Edge services: ${Object.keys(services).length}
+#
+# nginx routes directly to edge services — no JS gateway bottleneck.
+# Each service handles its own routes. Cross-service calls go via IPC/HTTP.
+
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+events {
+    worker_connections 16384;
+    multi_accept on;
+    # Nginx auto-selects the optimal event method (epoll on Linux, kqueue on BSD)
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    keepalive_requests 1000;
+    types_hash_max_size 2048;
+    server_tokens off;
+    include /etc/nginx/mime.types;
+    default_type application/json;
+
+    # Structured JSON logging
+    log_format json escape=json '{'
+        '"time":"$time_iso8601",'
+        '"addr":"$remote_addr",'
+        '"method":"$request_method",'
+        '"uri":"$request_uri",'
+        '"status":$status,'
+        '"bytes":$body_bytes_sent,'
+        '"ms":$request_time,'
+        '"upstream":"$upstream_addr",'
+        '"upstream_ms":"$upstream_response_time"'
+    '}';
+    access_log /var/log/nginx/access.log json;
+    error_log /var/log/nginx/error.log warn;
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 4;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+
+    # Rate limiting zones
+    limit_req_zone $binary_remote_addr zone=general:10m rate=${rateLimits.requestsPerSecond ?? 30}r/s;
+    limit_req_zone $binary_remote_addr zone=auth:10m rate=${rateLimits.authPerSecond ?? 5}r/s;
+    limit_conn_zone $binary_remote_addr zone=connlimit:10m;
+`;
+
+  // Add real_ip configuration if proxy addresses provided
+  if (options.trustedProxies?.length > 0) {
+    for (const proxy of options.trustedProxies) {
+      config += `    set_real_ip_from ${proxy};\n`;
+    }
+    config += `    real_ip_header X-Forwarded-For;\n`;
+    config += `    real_ip_recursive on;\n`;
+  }
+
+  config += `
+
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    client_header_timeout 15s;
+    send_timeout 30s;
+
+`;
+
+  // Generate an upstream block for each edge service
+  for (const [name, svc] of Object.entries(services)) {
+    const safeName = name.replace(/:/g, "_");
+    if (!SAFE_SERVICE_NAME_RE.test(safeName)) {
+      throw new Error(`Invalid service name for nginx upstream: "${name}"`);
+    }
+    config += `    # ── ${safeName} service ──\n`;
+    config += `    upstream forge_${safeName} {\n`;
+    config += `        least_conn;\n`;
+    for (const up of svc.upstreams) {
+      config += `        server ${up.host}:${up.port} max_fails=3 fail_timeout=30s;\n`;
+    }
+    config += `        keepalive 32;\n`;
+    config += `        keepalive_requests 1000;\n`;
+    config += `        keepalive_timeout 60s;\n`;
+    config += `    }\n\n`;
+  }
+
+  // HTTPS redirect
+  if (ssl) {
+    config += `    server {
+        listen 80;
+        server_name ${domain};
+        return 301 https://$host$request_uri;
+    }
+
+`;
+  }
+
+  // Main server block
+  config += `    server {\n`;
+  if (ssl) {
+    config += `        listen 443 ssl http2;\n`;
+    config += `        server_name ${domain};\n`;
+    config += `        ssl_certificate ${ssl.cert};\n`;
+    config += `        ssl_certificate_key ${ssl.key};\n`;
+    config += `        ssl_protocols TLSv1.2 TLSv1.3;\n`;
+    config += `        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;\n`;
+    config += `        ssl_prefer_server_ciphers off;\n`;
+    config += `        ssl_session_cache shared:SSL:10m;\n`;
+  } else {
+    config += `        listen 80;\n`;
+    config += `        server_name ${domain};\n`;
+  }
+
+  config += `
+        # Security headers
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Content-Security-Policy "frame-ancestors 'none'" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        # Per-IP connection limit
+        limit_conn connlimit ${rateLimits.maxConnsPerIP ?? 100};
+
+`;
+
+  // Static files (Bug #6: path traversal + Bug #2: security headers in child block)
+  if (options.staticDir) {
+    const staticDir = resolveStaticPath(options.staticDir, "staticDir");
+    config += `        # Static files (served by nginx, never touches Node)
+        location /static/ {
+            alias ${staticDir}/;
+            add_header Cache-Control "public, max-age=86400";
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options DENY always;
+            add_header Content-Security-Policy "frame-ancestors 'none'" always;
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        }
+
+`;
+  }
+
+  // Route each service by its prefix
+  // Sort by prefix length descending so more specific prefixes match first
+  const sorted = Object.entries(services)
+    .filter(([, s]) => s.prefix)
+    .sort((a, b) => (b[1].prefix?.length ?? 0) - (a[1].prefix?.length ?? 0));
+
+  for (const [name, svc] of sorted) {
+    const safeName = name.replace(/:/g, "_");
+    if (!SAFE_SERVICE_NAME_RE.test(safeName)) {
+      throw new Error(`Invalid service name for nginx config: "${name}"`);
+    }
+    const prefix = svc.prefix;
+    if (prefix && !SAFE_PREFIX_RE.test(prefix)) {
+      throw new Error(`Invalid nginx location prefix: "${prefix}". Only alphanumeric, slashes, underscores, and hyphens allowed.`);
+    }
+    const isAuth = /auth|login|oauth/i.test(prefix);
+    const zone = isAuth ? "auth" : "general";
+    const burst = isAuth ? (rateLimits.authBurst ?? 10) : (rateLimits.burst ?? 50);
+
+    config += `        # ${safeName} service → ${prefix}
+        location ${prefix} {
+            limit_req zone=${zone} burst=${burst} nodelay;
+
+            proxy_pass http://forge_${safeName};
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+
+            proxy_connect_timeout 5s;
+            proxy_read_timeout 30s;
+            proxy_buffering on;
+            proxy_buffer_size 8k;
+            proxy_buffers 8 8k;
+
+            proxy_next_upstream error timeout http_502 http_503 http_504;
+            proxy_next_upstream_tries 2;
+            proxy_next_upstream_timeout 5s;
+        }
+
+`;
+  }
+
+  // WebSocket routes
+  const wsRoutes = Array.isArray(options.websocketRoutes) ? options.websocketRoutes : [];
+  if (wsRoutes.length > 0) {
+    for (const route of wsRoutes) {
+      const wsPath = route.path;
+      const wsService = route.service;
+      if (!services[wsService]) {
+        throw new Error(`WebSocket route "${wsPath}" references unknown nginx service "${wsService}"`);
+      }
+      if (!SAFE_PREFIX_RE.test(wsPath)) {
+        throw new Error(`Invalid websocket path "${wsPath}" for nginx location`);
+      }
+      config += `        # WebSocket — ${wsPath} -> ${wsService}
+        location ${wsPath} {
+            proxy_pass http://forge_${wsService};
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+        }
+
+`;
+    }
+  } else if (options.websockets) {
+    // Backward-compat fallback (manifest-level websocket toggles)
+    const wsService = Object.keys(services)[0];
+    if (!wsService) {
+      throw new Error("WebSocket routing requested but no edge services were provided");
+    }
+    const wsPaths = options.websocketPaths || ['/ws'];
+    for (const wsPath of wsPaths) {
+      config += `        # WebSocket (legacy) — ${wsPath}
+        location ${wsPath} {
+            proxy_pass http://forge_${wsService};
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+        }
+
+`;
+    }
+  }
+
+  // Catch-all for services without a prefix (legacy gateway pattern)
+  const catchAll = Object.entries(services).find(([, s]) => !s.prefix);
+  if (catchAll) {
+    const [name] = catchAll;
+    config += `        # ${name} (catch-all)
+        location / {
+            limit_req zone=general burst=${rateLimits.burst ?? 50} nodelay;
+
+            proxy_pass http://forge_${name};
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+
+            proxy_connect_timeout 5s;
+            proxy_read_timeout 30s;
+            proxy_buffering on;
+
+            proxy_next_upstream error timeout http_502 http_503 http_504;
+            proxy_next_upstream_tries 2;
+            proxy_next_upstream_timeout 5s;
+        }
+
+`;
+  }
+
+  // Health check (all services — pick the first one)
+  const firstService = Object.keys(services)[0];
+  config += `        # Health check
+        location /health {
+            proxy_pass http://forge_${firstService};
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            access_log off;
+        }
+
+`;
+
+  // Error pages
+  config += `        error_page 429 @rate_limited;
+        location @rate_limited {
+            default_type application/json;
+            return 429 '{"error":"Rate limit exceeded","retryAfter":1}';
+        }
+
+        error_page 502 503 504 @upstream_error;
+        location @upstream_error {
+            default_type application/json;
+            return 503 '{"error":"Service temporarily unavailable"}';
+        }
+`;
+
+  // Plugin-contributed locations (Redis Commander, pgAdmin, etc.)
+  if (options.pluginLocations) {
+    for (const loc of options.pluginLocations) {
+      // Validate plugin config doesn't contain unbalanced braces or dangerous directives
+      const configText = loc.config.trim();
+      const openBraces = (configText.match(/\{/g) || []).length;
+      const closeBraces = (configText.match(/\}/g) || []).length;
+      if (openBraces !== closeBraces) {
+        throw new Error(`Plugin location "${loc.path}" has unbalanced braces in config — potential injection`);
+      }
+      config += `
+        # Plugin: ${loc.path}
+        location ${loc.path} {
+            ${configText
+              .split("\n")
+              .map((l) => l.trim())
+              .join("\n            ")}
+        }
+`;
+    }
+  }
+
+  config += `    }
+}
+`;
+
+  return config;
+}
+
+/**
+ * Build the nginx service map from a deployment manifest.
+ *
+ * Scans the manifest and service configs to determine:
+ *   - Which services are edge (need nginx routing)
+ *   - Their prefixes
+ *   - Their upstream addresses (host:port per node)
+ */
+export function buildNginxServiceMap(manifest, serviceConfigs, deployPorts = {}) {
+  const services = {};
+
+  for (const [svcName, svcConfig] of Object.entries(serviceConfigs)) {
+    if (svcConfig.type !== "edge") continue;
+
+    // Default to 3000 if no port specified in deploy overrides or service config.
+    // This fallback is common for single-service setups but may be wrong for multi-service deployments.
+    const port = deployPorts[svcName] ?? svcConfig.port ?? 3000;
+    if (!deployPorts[svcName] && !svcConfig.port) {
+      console.warn(`[Deploy] Edge service "${svcName}" has no explicit port — defaulting to 3000. Set a port in your service config or deploy manifest.`);
+    }
+
+    const upstreams = [];
+
+    // Find all nodes that run this service
+    for (const [, node] of Object.entries(manifest.nodes)) {
+      if (node.services.includes(svcName)) {
+        upstreams.push({
+          host: node.host,
+          port,
+        });
+      }
+    }
+
+    if (upstreams.length === 0) {
+      console.warn(`[Deploy] Edge service "${svcName}" is not assigned to any node`);
+      continue;
+    }
+
+    services[svcName] = {
+      prefix: svcConfig.prefix ?? null,
+      port,
+      upstreams,
+    };
+  }
+
+  return services;
+}
+
+/**
+ * Build websocket route mappings from per-service websocket config.
+ *
+ * Supports service-level config forms:
+ *   websocket: true
+ *   websocket: ["/ws", "/ws/chat"]
+ *   websocket: { enabled: true, paths: ["/ws"] }
+ *
+ * @param {Object} serviceConfigs
+ * @param {Object} nginxServices - output from buildNginxServiceMap
+ * @param {Object} [legacy]
+ * @param {boolean} [legacy.websockets]
+ * @param {string[]} [legacy.websocketPaths]
+ * @returns {{path: string, service: string}[]}
+ */
+export function buildNginxWebSocketRoutes(serviceConfigs, nginxServices, legacy = {}) {
+  const routeMap = new Map(); // path -> service
+
+  for (const [svcName, svcConfig] of Object.entries(serviceConfigs)) {
+    if (svcConfig.type !== "edge") continue;
+    if (!nginxServices[svcName]) continue;
+
+    const raw = svcConfig.websocket;
+    if (!raw) continue;
+
+    let enabled = true;
+    let paths = ["/ws"];
+
+    if (raw === true) {
+      paths = ["/ws"];
+    } else if (Array.isArray(raw)) {
+      paths = raw;
+    } else if (typeof raw === "object") {
+      enabled = raw.enabled !== false;
+      if (raw.paths !== undefined) paths = raw.paths;
+    } else {
+      continue;
+    }
+
+    if (!enabled) continue;
+
+    for (const path of paths) {
+      if (typeof path !== "string" || !path.startsWith("/")) {
+        throw new Error(`Invalid websocket path "${path}" for service "${svcName}"`);
+      }
+      const existing = routeMap.get(path);
+      if (existing && existing !== svcName) {
+        throw new Error(
+          `WebSocket path collision: "${path}" is configured for both "${existing}" and "${svcName}"`,
+        );
+      }
+      routeMap.set(path, svcName);
+    }
+  }
+
+  // Backward compatibility for manifest-level websocket toggles
+  if (routeMap.size === 0 && legacy.websockets) {
+    const wsService = Object.keys(nginxServices)[0];
+    if (!wsService) {
+      throw new Error("WebSocket routes requested but no edge services are available for nginx routing");
+    }
+    for (const path of legacy.websocketPaths ?? ["/ws"]) {
+      routeMap.set(path, wsService);
+    }
+  }
+
+  return [...routeMap.entries()].map(([path, service]) => ({ path, service }));
+}
+
+/**
+ * Generate an nginx config for ForgeHost with per-project server blocks.
+ *
+ * Each project gets its own `server { server_name ... }` block routing
+ * to that project's service upstreams, with X-Forge-Project injected.
+ *
+ * @param {Object} options
+ * @param {Object} options.hostMeta - From resolveHostConfig().hostMeta
+ * @param {Object} options.services - Flat service map (namespaced)
+ * @param {Object} [options.ssl] - { cert, key } paths for TLS
+ * @param {number} [options.maxBodySize] - Max body size in MB (default 10)
+ */
+export function generateHostNginxConfig(options = {}) {
+  const { hostMeta, services, ssl, maxBodySize = 10 } = options;
+
+  let config = `# ForgeHost nginx config — auto-generated
+# Do not edit — regenerate with: forge host generate
+
+events {
+    worker_connections 16384;
+}
+
+http {
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    send_timeout 30s;
+
+`;
+
+  // Generate upstream blocks for all edge services
+  for (const [svcName, svc] of Object.entries(services)) {
+    if (svc.type !== "edge") continue;
+    const safeName = svcName.replace(/:/g, "_");
+    config += `    upstream forge_${safeName} {\n`;
+    config += `        server 127.0.0.1:${svc.port};\n`;
+    config += `        keepalive 16;\n`;
+    config += `    }\n\n`;
+  }
+
+  // Generate a server block per project
+  for (const [projectId, meta] of Object.entries(hostMeta)) {
+    if (!meta.domain) continue;
+
+    // Validate domain (Bug #1)
+    validateDomain(meta.domain);
+
+    const projectServices = Object.entries(services).filter(
+      ([name]) => meta.services.includes(name),
+    );
+    const edgeServices = projectServices.filter(([, s]) => s.type === "edge");
+
+    if (edgeServices.length === 0) continue;
+
+    config += `    # ── Project: ${projectId} ──\n`;
+    config += `    server {\n`;
+
+    if (ssl) {
+      config += `        listen 443 ssl http2;\n`;
+      config += `        server_name ${meta.domain};\n`;
+      config += `        ssl_certificate ${ssl.cert};\n`;
+      config += `        ssl_certificate_key ${ssl.key};\n`;
+    } else {
+      config += `        listen 80;\n`;
+      config += `        server_name ${meta.domain};\n`;
+    }
+
+    config += `\n`;
+    config += `        # Security headers\n`;
+    config += `        add_header X-Frame-Options "SAMEORIGIN" always;\n`;
+    config += `        add_header X-Content-Type-Options "nosniff" always;\n`;
+    config += `\n`;
+
+    for (const [svcName, svc] of edgeServices) {
+      const safeName = svcName.replace(/:/g, "_");
+      const prefix = svc.prefix ?? "/";
+
+      config += `        location ${prefix} {\n`;
+      config += `            proxy_pass http://forge_${safeName};\n`;
+      config += `            proxy_http_version 1.1;\n`;
+      config += `            proxy_set_header Connection "";\n`;
+      config += `            proxy_set_header Host $host;\n`;
+      config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+      config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+      config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+      config += `            proxy_set_header X-Forge-Project ${projectId};\n`;
+      config += `        }\n\n`;
+    }
+
+    config += `    }\n\n`;
+  }
+
+  config += `}\n`;
+  return config;
+}
+
+import { resolveAppDomains } from "../core/platform-config.js";
+
+function validateStaticDir(staticDir, appId) {
+  try {
+    return resolveStaticPath(staticDir, `static dir for app "${appId}"`);
+  } catch (err) {
+    if (/path traversal/i.test(err.message)) {
+      throw new Error(`Invalid static dir for app "${appId}": path traversal not allowed`);
+    }
+    throw new Error(`Invalid static dir for app "${appId}": ${err.message}`);
+  }
+}
+
+function normalizeMountBasePath(basePath = "/") {
+  if (!basePath || basePath === "/") return "/";
+  let normalized = basePath;
+  if (!normalized.startsWith("/")) normalized = `/${normalized}`;
+  if (normalized.length > 1 && normalized.endsWith("/")) normalized = normalized.slice(0, -1);
+  return normalized;
+}
+
+function cacheControlFromPolicy(policy = "short") {
+  if (policy === "immutable") return "public, max-age=31536000, immutable";
+  if (policy === "none") return "no-store";
+  return "public, max-age=300";
+}
+
+/**
+ * Generate an nginx config for Platform Mode with per-domain TLS,
+ * per-app static dirs, shared auth mount, and X-Forwarded-Host.
+ *
+ * Each app gets its own `server { server_name ... }` block with
+ * individual SSL certificates (defaults to Let's Encrypt paths).
+ *
+ * @param {Object} options
+ * @param {Object} options.apps - Map<appId, { domains, ssl?, static?, staticMounts?, services[] }>
+ * @param {Object} options.services - Flat namespaced service map
+ * @param {Object} options.hostMeta - From resolveHostConfig().hostMeta
+ * @param {Object} [options.defaultSsl] - Shared wildcard cert { cert, key }
+ * @param {number} [options.maxBodySize] - Max body size in MB (default 10)
+ */
+export function generatePlatformNginxConfig(options = {}) {
+  const { apps, services, hostMeta, defaultSsl, maxBodySize = 10 } = options;
+
+  // Validate all domains upfront
+  for (const app of Object.values(apps ?? {})) {
+    const domains = resolveAppDomains(app);
+    for (const d of domains) {
+      validateDomain(d);
+    }
+  }
+
+  let config = `# ForgePlatform nginx config — auto-generated
+# Do not edit — regenerate with: forge platform generate
+
+events {
+    worker_connections 16384;
+}
+
+http {
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    send_timeout 30s;
+
+`;
+
+  // Generate upstream blocks for all edge services
+  for (const [svcName, svc] of Object.entries(services)) {
+    if (svc.type !== "edge") continue;
+    const safeName = svcName.replace(/:/g, "_");
+    config += `    upstream forge_${safeName} {\n`;
+    config += `        server 127.0.0.1:${svc.port};\n`;
+    config += `        keepalive 16;\n`;
+    config += `    }\n\n`;
+  }
+
+  // Collect all domains for HTTP->HTTPS redirect
+  const allDomains = [];
+  for (const app of Object.values(apps ?? {})) {
+    allDomains.push(...resolveAppDomains(app));
+  }
+
+  // Shared HTTP→HTTPS redirect block (only if any app has SSL)
+  const hasAnySsl = defaultSsl || Object.values(apps ?? {}).some((a) => a.ssl);
+  if (hasAnySsl && allDomains.length > 0) {
+    config += `    # HTTP → HTTPS redirect (all platform domains)\n`;
+    config += `    server {\n`;
+    config += `        listen 80;\n`;
+    config += `        server_name ${allDomains.join(" ")};\n`;
+    config += `        return 301 https://$host$request_uri;\n`;
+    config += `    }\n\n`;
+  }
+
+  // Find shared auth service (if any)
+  const authService = Object.entries(services).find(
+    ([name, svc]) => (name === "auth" || name.endsWith(":auth")) && svc.type === "edge",
+  );
+
+  // Generate a server block per app
+  for (const [appId, app] of Object.entries(apps ?? {})) {
+    const domains = resolveAppDomains(app);
+    if (domains.length === 0) continue;
+
+    const meta = hostMeta?.[appId];
+    const projectServices = Object.entries(services).filter(
+      ([name]) => meta?.services?.includes(name),
+    );
+    const edgeServices = projectServices.filter(([, s]) => s.type === "edge");
+
+    config += `    # ── App: ${appId} ──\n`;
+    config += `    server {\n`;
+
+    const ssl = app.ssl ?? defaultSsl;
+    if (ssl) {
+      const certPath = ssl.cert ?? `/etc/letsencrypt/live/${domains[0]}/fullchain.pem`;
+      const keyPath = ssl.key ?? `/etc/letsencrypt/live/${domains[0]}/privkey.pem`;
+      config += `        listen 443 ssl http2;\n`;
+      config += `        server_name ${domains.join(" ")};\n`;
+      config += `        ssl_certificate ${certPath};\n`;
+      config += `        ssl_certificate_key ${keyPath};\n`;
+      config += `        ssl_protocols TLSv1.2 TLSv1.3;\n`;
+    } else {
+      config += `        listen 80;\n`;
+      config += `        server_name ${domains.join(" ")};\n`;
+    }
+
+    config += `\n`;
+    config += `        # Security headers\n`;
+    config += `        add_header X-Frame-Options "SAMEORIGIN" always;\n`;
+    config += `        add_header X-Content-Type-Options "nosniff" always;\n`;
+    config += `\n`;
+
+    const rootEdgeServices = edgeServices.filter(([, svc]) => (svc.prefix ?? "/") === "/");
+    if (rootEdgeServices.length > 1) {
+      throw new Error(
+        `App "${appId}" has multiple edge services mounted at "/". ` +
+          `Only one root edge prefix is supported per app.`,
+      );
+    }
+    const rootEdgeService = rootEdgeServices[0] ?? null;
+    const rootEdgeSafeName = rootEdgeService ? rootEdgeService[0].replace(/:/g, "_") : null;
+    let rootProxyViaNamedLocation = false;
+    let rootStaticMountDefined = false;
+
+    // Prefer explicit staticMounts (frontend plugin output), fallback to legacy static.
+    const staticMounts = Array.isArray(app.staticMounts) && app.staticMounts.length > 0
+      ? app.staticMounts
+      : (app.static
+        ? [{
+            dir: app.static,
+            basePath: "/static",
+            spaFallback: false,
+            cachePolicy: "short",
+          }]
+        : []);
+
+    for (const mount of staticMounts) {
+      const safeStatic = validateStaticDir(mount.dir, appId);
+      const basePath = normalizeMountBasePath(mount.basePath ?? "/");
+      const cacheControl = cacheControlFromPolicy(mount.cachePolicy);
+      const spaFallback = Boolean(mount.spaFallback);
+
+      if (basePath === "/") {
+        if (rootStaticMountDefined) {
+          throw new Error(`App "${appId}" defines multiple static mounts at "/"`);
+        }
+        rootStaticMountDefined = true;
+        config += `        location / {\n`;
+        config += `            root ${safeStatic};\n`;
+        if (rootEdgeSafeName) {
+          rootProxyViaNamedLocation = true;
+          if (spaFallback) {
+            config += `            try_files $uri $uri/ /index.html @forge_${rootEdgeSafeName}_root;\n`;
+          } else {
+            config += `            try_files $uri $uri/ @forge_${rootEdgeSafeName}_root;\n`;
+          }
+        } else {
+          if (spaFallback) {
+            config += `            try_files $uri $uri/ /index.html;\n`;
+          } else {
+            config += `            try_files $uri $uri/ =404;\n`;
+          }
+        }
+        config += `            add_header Cache-Control "${cacheControl}";\n`;
+        config += `            add_header X-Content-Type-Options "nosniff" always;\n`;
+        config += `        }\n\n`;
+      } else {
+        config += `        location ${basePath}/ {\n`;
+        config += `            alias ${safeStatic}/;\n`;
+        if (spaFallback) {
+          config += `            try_files $uri $uri/ ${basePath}/index.html;\n`;
+        } else {
+          config += `            try_files $uri $uri/ =404;\n`;
+        }
+        config += `            add_header Cache-Control "${cacheControl}";\n`;
+        config += `            add_header X-Content-Type-Options "nosniff" always;\n`;
+        config += `        }\n\n`;
+      }
+    }
+
+    // Shared auth mount (if auth service exists and this isn't the auth service itself)
+    if (authService) {
+      const [authName] = authService;
+      const safeAuthName = authName.replace(/:/g, "_");
+      config += `        location /auth/ {\n`;
+      config += `            proxy_pass http://forge_${safeAuthName};\n`;
+      config += `            proxy_http_version 1.1;\n`;
+      config += `            proxy_set_header Connection "";\n`;
+      config += `            proxy_set_header Host $host;\n`;
+      config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+      config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+      config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+      config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+      config += `        }\n\n`;
+    }
+
+    // App-specific edge service routes
+    for (const [svcName, svc] of edgeServices) {
+      const safeName = svcName.replace(/:/g, "_");
+      const prefix = svc.prefix ?? "/";
+
+      if (prefix === "/" && rootProxyViaNamedLocation) {
+        config += `        location @forge_${safeName}_root {\n`;
+        config += `            proxy_pass http://forge_${safeName};\n`;
+        config += `            proxy_http_version 1.1;\n`;
+        config += `            proxy_set_header Connection "";\n`;
+        config += `            proxy_set_header Host $host;\n`;
+        config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+        config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+        config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+        config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+        config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+        config += `        }\n\n`;
+        continue;
+      }
+
+      config += `        location ${prefix} {\n`;
+      config += `            proxy_pass http://forge_${safeName};\n`;
+      config += `            proxy_http_version 1.1;\n`;
+      config += `            proxy_set_header Connection "";\n`;
+      config += `            proxy_set_header Host $host;\n`;
+      config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+      config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+      config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+      config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+      config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+      config += `        }\n\n`;
+    }
+
+    config += `    }\n\n`;
+  }
+
+  config += `}\n`;
+  return config;
+}