npm - threadforge - Versions diffs - 0.1.1 → 0.2.1 - Mend

threadforge 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (358) hide show

package/README.md +52 -20
package/bin/forge.js +2 -1058
package/bin/host-commands.d.ts +2 -0
package/bin/host-commands.d.ts.map +1 -0
package/bin/host-commands.js +7 -8
package/bin/platform-commands.d.ts +2 -0
package/bin/platform-commands.d.ts.map +1 -0
package/bin/platform-commands.js +118 -36
package/dist/cli/base-command.d.ts +12 -0
package/dist/cli/base-command.d.ts.map +1 -0
package/dist/cli/base-command.js +25 -0
package/dist/cli/base-command.js.map +1 -0
package/dist/cli/commands/build.d.ts +10 -0
package/dist/cli/commands/build.d.ts.map +1 -0
package/dist/cli/commands/build.js +110 -0
package/dist/cli/commands/build.js.map +1 -0
package/dist/cli/commands/deploy.d.ts +12 -0
package/dist/cli/commands/deploy.d.ts.map +1 -0
package/dist/cli/commands/deploy.js +143 -0
package/dist/cli/commands/deploy.js.map +1 -0
package/dist/cli/commands/dev.d.ts +10 -0
package/dist/cli/commands/dev.d.ts.map +1 -0
package/dist/cli/commands/dev.js +138 -0
package/dist/cli/commands/dev.js.map +1 -0
package/dist/cli/commands/generate.d.ts +10 -0
package/dist/cli/commands/generate.d.ts.map +1 -0
package/dist/cli/commands/generate.js +76 -0
package/dist/cli/commands/generate.js.map +1 -0
package/dist/cli/commands/host.d.ts +8 -0
package/dist/cli/commands/host.d.ts.map +1 -0
package/dist/cli/commands/host.js +20 -0
package/dist/cli/commands/host.js.map +1 -0
package/dist/cli/commands/init.d.ts +16 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +246 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/platform.d.ts +8 -0
package/dist/cli/commands/platform.d.ts.map +1 -0
package/dist/cli/commands/platform.js +20 -0
package/dist/cli/commands/platform.js.map +1 -0
package/dist/cli/commands/restart.d.ts +8 -0
package/dist/cli/commands/restart.d.ts.map +1 -0
package/dist/cli/commands/restart.js +13 -0
package/dist/cli/commands/restart.js.map +1 -0
package/dist/cli/commands/scaffold/frontend.d.ts +10 -0
package/dist/cli/commands/scaffold/frontend.d.ts.map +1 -0
package/dist/cli/commands/scaffold/frontend.js +130 -0
package/dist/cli/commands/scaffold/frontend.js.map +1 -0
package/dist/cli/commands/scaffold/react.d.ts +7 -0
package/dist/cli/commands/scaffold/react.d.ts.map +1 -0
package/dist/cli/commands/scaffold/react.js +12 -0
package/dist/cli/commands/scaffold/react.js.map +1 -0
package/dist/cli/commands/scale.d.ts +8 -0
package/dist/cli/commands/scale.d.ts.map +1 -0
package/dist/cli/commands/scale.js +13 -0
package/dist/cli/commands/scale.js.map +1 -0
package/dist/cli/commands/start.d.ts +10 -0
package/dist/cli/commands/start.d.ts.map +1 -0
package/dist/cli/commands/start.js +71 -0
package/dist/cli/commands/start.js.map +1 -0
package/dist/cli/commands/status.d.ts +11 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/status.js +60 -0
package/dist/cli/commands/status.js.map +1 -0
package/dist/cli/commands/stop.d.ts +10 -0
package/dist/cli/commands/stop.d.ts.map +1 -0
package/dist/cli/commands/stop.js +89 -0
package/dist/cli/commands/stop.js.map +1 -0
package/dist/cli/util/config-discovery.d.ts +8 -0
package/dist/cli/util/config-discovery.d.ts.map +1 -0
package/dist/cli/util/config-discovery.js +70 -0
package/dist/cli/util/config-discovery.js.map +1 -0
package/dist/cli/util/config-patcher.d.ts +17 -0
package/dist/cli/util/config-patcher.d.ts.map +1 -0
package/dist/cli/util/config-patcher.js +439 -0
package/dist/cli/util/config-patcher.js.map +1 -0
package/dist/cli/util/frontend-dev.d.ts +8 -0
package/dist/cli/util/frontend-dev.d.ts.map +1 -0
package/dist/cli/util/frontend-dev.js +117 -0
package/dist/cli/util/frontend-dev.js.map +1 -0
package/dist/cli/util/process.d.ts +5 -0
package/dist/cli/util/process.d.ts.map +1 -0
package/dist/cli/util/process.js +17 -0
package/dist/cli/util/process.js.map +1 -0
package/dist/cli/util/templates.d.ts +10 -0
package/dist/cli/util/templates.d.ts.map +1 -0
package/dist/cli/util/templates.js +157 -0
package/dist/cli/util/templates.js.map +1 -0
package/dist/core/AlertSink.d.ts +83 -0
package/dist/core/AlertSink.d.ts.map +1 -0
package/dist/core/AlertSink.js +126 -0
package/dist/core/AlertSink.js.map +1 -0
package/dist/core/DirectMessageBus.d.ts +88 -0
package/dist/core/DirectMessageBus.d.ts.map +1 -0
package/dist/core/DirectMessageBus.js +352 -0
package/dist/core/DirectMessageBus.js.map +1 -0
package/dist/core/EndpointResolver.d.ts +111 -0
package/dist/core/EndpointResolver.d.ts.map +1 -0
package/dist/core/EndpointResolver.js +336 -0
package/dist/core/EndpointResolver.js.map +1 -0
package/dist/core/ForgeContext.d.ts +221 -0
package/dist/core/ForgeContext.d.ts.map +1 -0
package/dist/core/ForgeContext.js +1169 -0
package/dist/core/ForgeContext.js.map +1 -0
package/dist/core/ForgeEndpoints.d.ts +71 -0
package/dist/core/ForgeEndpoints.d.ts.map +1 -0
package/dist/core/ForgeEndpoints.js +442 -0
package/dist/core/ForgeEndpoints.js.map +1 -0
package/dist/core/ForgeHost.d.ts +82 -0
package/dist/core/ForgeHost.d.ts.map +1 -0
package/dist/core/ForgeHost.js +107 -0
package/dist/core/ForgeHost.js.map +1 -0
package/dist/core/ForgePlatform.d.ts +96 -0
package/dist/core/ForgePlatform.d.ts.map +1 -0
package/dist/core/ForgePlatform.js +136 -0
package/dist/core/ForgePlatform.js.map +1 -0
package/dist/core/ForgeWebSocket.d.ts +56 -0
package/dist/core/ForgeWebSocket.d.ts.map +1 -0
package/dist/core/ForgeWebSocket.js +415 -0
package/dist/core/ForgeWebSocket.js.map +1 -0
package/dist/core/Ingress.d.ts +329 -0
package/dist/core/Ingress.d.ts.map +1 -0
package/dist/core/Ingress.js +694 -0
package/dist/core/Ingress.js.map +1 -0
package/dist/core/Interceptors.d.ts +134 -0
package/dist/core/Interceptors.d.ts.map +1 -0
package/dist/core/Interceptors.js +416 -0
package/dist/core/Interceptors.js.map +1 -0
package/dist/core/Logger.d.ts +20 -0
package/dist/core/Logger.d.ts.map +1 -0
package/dist/core/Logger.js +77 -0
package/dist/core/Logger.js.map +1 -0
package/dist/core/MessageBus.d.ts +15 -0
package/dist/core/MessageBus.d.ts.map +1 -0
package/dist/core/MessageBus.js +18 -0
package/dist/core/MessageBus.js.map +1 -0
package/dist/core/Prometheus.d.ts +80 -0
package/dist/core/Prometheus.d.ts.map +1 -0
package/dist/core/Prometheus.js +332 -0
package/dist/core/Prometheus.js.map +1 -0
package/dist/core/RequestContext.d.ts +214 -0
package/dist/core/RequestContext.d.ts.map +1 -0
package/dist/core/RequestContext.js +556 -0
package/dist/core/RequestContext.js.map +1 -0
package/dist/core/Router.d.ts +45 -0
package/dist/core/Router.d.ts.map +1 -0
package/dist/core/Router.js +285 -0
package/dist/core/Router.js.map +1 -0
package/dist/core/RoutingStrategy.d.ts +116 -0
package/dist/core/RoutingStrategy.d.ts.map +1 -0
package/dist/core/RoutingStrategy.js +306 -0
package/dist/core/RoutingStrategy.js.map +1 -0
package/dist/core/RpcConfig.d.ts +72 -0
package/dist/core/RpcConfig.d.ts.map +1 -0
package/dist/core/RpcConfig.js +127 -0
package/dist/core/RpcConfig.js.map +1 -0
package/dist/core/SignatureCache.d.ts +81 -0
package/dist/core/SignatureCache.d.ts.map +1 -0
package/dist/core/SignatureCache.js +172 -0
package/dist/core/SignatureCache.js.map +1 -0
package/dist/core/StaticFileServer.d.ts +34 -0
package/dist/core/StaticFileServer.d.ts.map +1 -0
package/dist/core/StaticFileServer.js +497 -0
package/dist/core/StaticFileServer.js.map +1 -0
package/dist/core/Supervisor.d.ts +198 -0
package/dist/core/Supervisor.d.ts.map +1 -0
package/dist/core/Supervisor.js +1418 -0
package/dist/core/Supervisor.js.map +1 -0
package/dist/core/ThreadAllocator.d.ts +52 -0
package/dist/core/ThreadAllocator.d.ts.map +1 -0
package/dist/core/ThreadAllocator.js +174 -0
package/dist/core/ThreadAllocator.js.map +1 -0
package/dist/core/WorkerChannelManager.d.ts +130 -0
package/dist/core/WorkerChannelManager.d.ts.map +1 -0
package/dist/core/WorkerChannelManager.js +956 -0
package/dist/core/WorkerChannelManager.js.map +1 -0
package/dist/core/config-enums.d.ts +41 -0
package/dist/core/config-enums.d.ts.map +1 -0
package/dist/core/config-enums.js +59 -0
package/dist/core/config-enums.js.map +1 -0
package/dist/core/config.d.ts +159 -0
package/dist/core/config.d.ts.map +1 -0
package/dist/core/config.js +694 -0
package/dist/core/config.js.map +1 -0
package/dist/core/host-config.d.ts +146 -0
package/dist/core/host-config.d.ts.map +1 -0
package/dist/core/host-config.js +312 -0
package/dist/core/host-config.js.map +1 -0
package/dist/core/ipc-errors.d.ts +27 -0
package/dist/core/ipc-errors.d.ts.map +1 -0
package/dist/core/ipc-errors.js +36 -0
package/dist/core/ipc-errors.js.map +1 -0
package/dist/core/network-utils.d.ts +35 -0
package/dist/core/network-utils.d.ts.map +1 -0
package/dist/core/network-utils.js +145 -0
package/dist/core/network-utils.js.map +1 -0
package/dist/core/platform-config.d.ts +142 -0
package/dist/core/platform-config.d.ts.map +1 -0
package/dist/core/platform-config.js +299 -0
package/dist/core/platform-config.js.map +1 -0
package/dist/decorators/ServiceProxy.d.ts +175 -0
package/dist/decorators/ServiceProxy.d.ts.map +1 -0
package/dist/decorators/ServiceProxy.js +969 -0
package/dist/decorators/ServiceProxy.js.map +1 -0
package/dist/decorators/index.d.ts +146 -0
package/dist/decorators/index.d.ts.map +1 -0
package/dist/decorators/index.js +545 -0
package/dist/decorators/index.js.map +1 -0
package/dist/deploy/NginxGenerator.d.ts +165 -0
package/dist/deploy/NginxGenerator.d.ts.map +1 -0
package/dist/deploy/NginxGenerator.js +781 -0
package/dist/deploy/NginxGenerator.js.map +1 -0
package/dist/deploy/PlatformManifestGenerator.d.ts +43 -0
package/dist/deploy/PlatformManifestGenerator.d.ts.map +1 -0
package/dist/deploy/PlatformManifestGenerator.js +80 -0
package/dist/deploy/PlatformManifestGenerator.js.map +1 -0
package/dist/deploy/RouteManifestGenerator.d.ts +42 -0
package/dist/deploy/RouteManifestGenerator.d.ts.map +1 -0
package/dist/deploy/RouteManifestGenerator.js +105 -0
package/dist/deploy/RouteManifestGenerator.js.map +1 -0
package/dist/deploy/index.d.ts +210 -0
package/dist/deploy/index.d.ts.map +1 -0
package/dist/deploy/index.js +918 -0
package/dist/deploy/index.js.map +1 -0
package/dist/frontend/FrontendDevLifecycle.d.ts +26 -0
package/dist/frontend/FrontendDevLifecycle.d.ts.map +1 -0
package/dist/frontend/FrontendDevLifecycle.js +60 -0
package/dist/frontend/FrontendDevLifecycle.js.map +1 -0
package/dist/frontend/FrontendPluginOrchestrator.d.ts +64 -0
package/dist/frontend/FrontendPluginOrchestrator.d.ts.map +1 -0
package/dist/frontend/FrontendPluginOrchestrator.js +167 -0
package/dist/frontend/FrontendPluginOrchestrator.js.map +1 -0
package/dist/frontend/SiteResolver.d.ts +33 -0
package/dist/frontend/SiteResolver.d.ts.map +1 -0
package/dist/frontend/SiteResolver.js +53 -0
package/dist/frontend/SiteResolver.js.map +1 -0
package/dist/frontend/StaticMountRegistry.d.ts +36 -0
package/dist/frontend/StaticMountRegistry.d.ts.map +1 -0
package/dist/frontend/StaticMountRegistry.js +94 -0
package/dist/frontend/StaticMountRegistry.js.map +1 -0
package/dist/frontend/index.d.ts +7 -0
package/dist/frontend/index.d.ts.map +1 -0
package/{src → dist}/frontend/index.js +4 -2
package/dist/frontend/index.js.map +1 -0
package/dist/frontend/pathUtils.d.ts +8 -0
package/dist/frontend/pathUtils.d.ts.map +1 -0
package/dist/frontend/pathUtils.js +17 -0
package/dist/frontend/pathUtils.js.map +1 -0
package/dist/frontend/plugins/index.d.ts +2 -0
package/dist/frontend/plugins/index.d.ts.map +1 -0
package/{src → dist}/frontend/plugins/index.js +1 -1
package/dist/frontend/plugins/index.js.map +1 -0
package/dist/frontend/plugins/viteFrontend.d.ts +51 -0
package/dist/frontend/plugins/viteFrontend.d.ts.map +1 -0
package/dist/frontend/plugins/viteFrontend.js +134 -0
package/dist/frontend/plugins/viteFrontend.js.map +1 -0
package/dist/frontend/types.d.ts +25 -0
package/dist/frontend/types.d.ts.map +1 -0
package/dist/frontend/types.js +2 -0
package/dist/frontend/types.js.map +1 -0
package/dist/index.d.ts +17 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +32 -0
package/dist/index.js.map +1 -0
package/dist/internals.d.ts +21 -0
package/dist/internals.d.ts.map +1 -0
package/{src → dist}/internals.js +12 -14
package/dist/internals.js.map +1 -0
package/dist/plugins/PluginManager.d.ts +209 -0
package/dist/plugins/PluginManager.d.ts.map +1 -0
package/dist/plugins/PluginManager.js +365 -0
package/dist/plugins/PluginManager.js.map +1 -0
package/dist/plugins/ScopedPostgres.d.ts +78 -0
package/dist/plugins/ScopedPostgres.d.ts.map +1 -0
package/dist/plugins/ScopedPostgres.js +190 -0
package/dist/plugins/ScopedPostgres.js.map +1 -0
package/dist/plugins/ScopedRedis.d.ts +88 -0
package/dist/plugins/ScopedRedis.d.ts.map +1 -0
package/dist/plugins/ScopedRedis.js +169 -0
package/dist/plugins/ScopedRedis.js.map +1 -0
package/dist/plugins/index.d.ts +289 -0
package/dist/plugins/index.d.ts.map +1 -0
package/dist/plugins/index.js +1942 -0
package/dist/plugins/index.js.map +1 -0
package/dist/plugins/types.d.ts +59 -0
package/dist/plugins/types.d.ts.map +1 -0
package/dist/plugins/types.js +2 -0
package/dist/plugins/types.js.map +1 -0
package/dist/registry/ServiceRegistry.d.ts +305 -0
package/dist/registry/ServiceRegistry.d.ts.map +1 -0
package/dist/registry/ServiceRegistry.js +735 -0
package/dist/registry/ServiceRegistry.js.map +1 -0
package/dist/scaling/ScaleAdvisor.d.ts +214 -0
package/dist/scaling/ScaleAdvisor.d.ts.map +1 -0
package/dist/scaling/ScaleAdvisor.js +526 -0
package/dist/scaling/ScaleAdvisor.js.map +1 -0
package/dist/services/Service.d.ts +164 -0
package/dist/services/Service.d.ts.map +1 -0
package/dist/services/Service.js +106 -0
package/dist/services/Service.js.map +1 -0
package/dist/services/worker-bootstrap.d.ts +15 -0
package/dist/services/worker-bootstrap.d.ts.map +1 -0
package/dist/services/worker-bootstrap.js +744 -0
package/dist/services/worker-bootstrap.js.map +1 -0
package/dist/templates/auth-service.d.ts +42 -0
package/dist/templates/auth-service.d.ts.map +1 -0
package/dist/templates/auth-service.js +54 -0
package/dist/templates/auth-service.js.map +1 -0
package/dist/templates/identity-service.d.ts +50 -0
package/dist/templates/identity-service.d.ts.map +1 -0
package/dist/templates/identity-service.js +62 -0
package/dist/templates/identity-service.js.map +1 -0
package/dist/types/contract.d.ts +120 -0
package/dist/types/contract.d.ts.map +1 -0
package/dist/types/contract.js +69 -0
package/dist/types/contract.js.map +1 -0
package/package.json +78 -20
package/src/core/DirectMessageBus.js +0 -364
package/src/core/EndpointResolver.js +0 -259
package/src/core/ForgeContext.js +0 -2236
package/src/core/ForgeHost.js +0 -122
package/src/core/ForgePlatform.js +0 -145
package/src/core/Ingress.js +0 -768
package/src/core/Interceptors.js +0 -420
package/src/core/MessageBus.js +0 -321
package/src/core/Prometheus.js +0 -305
package/src/core/RequestContext.js +0 -413
package/src/core/RoutingStrategy.js +0 -330
package/src/core/Supervisor.js +0 -1349
package/src/core/ThreadAllocator.js +0 -196
package/src/core/WorkerChannelManager.js +0 -879
package/src/core/config.js +0 -637
package/src/core/host-config.js +0 -311
package/src/core/network-utils.js +0 -166
package/src/core/platform-config.js +0 -308
package/src/decorators/ServiceProxy.js +0 -904
package/src/decorators/index.js +0 -571
package/src/deploy/NginxGenerator.js +0 -865
package/src/deploy/PlatformManifestGenerator.js +0 -96
package/src/deploy/RouteManifestGenerator.js +0 -112
package/src/deploy/index.js +0 -984
package/src/frontend/FrontendDevLifecycle.js +0 -65
package/src/frontend/FrontendPluginOrchestrator.js +0 -187
package/src/frontend/SiteResolver.js +0 -63
package/src/frontend/StaticMountRegistry.js +0 -90
package/src/frontend/plugins/viteFrontend.js +0 -79
package/src/frontend/types.js +0 -35
package/src/index.js +0 -58
package/src/plugins/PluginManager.js +0 -537
package/src/plugins/ScopedPostgres.js +0 -192
package/src/plugins/ScopedRedis.js +0 -142
package/src/plugins/index.js +0 -1756
package/src/registry/ServiceRegistry.js +0 -797
package/src/scaling/ScaleAdvisor.js +0 -442
package/src/services/Service.js +0 -195
package/src/services/worker-bootstrap.js +0 -679
package/src/templates/auth-service.js +0 -65
package/src/templates/identity-service.js +0 -75

package/dist/deploy/NginxGenerator.js ADDED Viewed

@@ -0,0 +1,781 @@
+import path from "node:path";
+import { ServiceType } from "../core/config-enums.js";
+// ── Regex constants ─────────────────────────────────────────────────
+const SAFE_DOMAIN_RE = /^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$/;
+const SAFE_PREFIX_RE = /^\/[a-zA-Z0-9/_-]*$/;
+const SAFE_SERVICE_NAME_RE = /^[a-zA-Z0-9_-]+$/;
+const SAFE_PROXY_HOST_RE = /^[a-zA-Z0-9.-]+$/;
+// ── Internal helpers ────────────────────────────────────────────────
+function resolveStaticPath(staticPath, label = "staticDir") {
+    if (typeof staticPath !== "string" || staticPath.trim() === "") {
+        throw new Error(`${label} must be a non-empty string`);
+    }
+    if (staticPath.includes("\0")) {
+        throw new Error(`${label} contains an invalid null byte`);
+    }
+    const containsTraversal = staticPath
+        .replace(/\\/g, "/")
+        .split("/")
+        .some((segment) => segment === "..");
+    if (containsTraversal) {
+        throw new Error(`${label} must not include path traversal segments`);
+    }
+    return path.resolve(staticPath).replace(/\/+$/, "");
+}
+function validateDomain(domain) {
+    if (domain && !SAFE_DOMAIN_RE.test(domain)) {
+        throw new Error(`Invalid domain name: "${domain}". Only alphanumeric, dots, and hyphens allowed.`);
+    }
+}
+function validateStaticDir(staticDir, appId) {
+    try {
+        return resolveStaticPath(staticDir, `static dir for app "${appId}"`);
+    }
+    catch (err) {
+        if (err instanceof Error && /path traversal/i.test(err.message)) {
+            throw new Error(`Invalid static dir for app "${appId}": path traversal not allowed`);
+        }
+        throw new Error(`Invalid static dir for app "${appId}": ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+function normalizeMountBasePath(basePath = "/") {
+    if (!basePath || basePath === "/")
+        return "/";
+    let normalized = basePath;
+    if (!normalized.startsWith("/"))
+        normalized = `/${normalized}`;
+    if (normalized.length > 1 && normalized.endsWith("/"))
+        normalized = normalized.slice(0, -1);
+    return normalized;
+}
+function cacheControlFromPolicy(policy = "short") {
+    if (policy === "immutable")
+        return "public, max-age=31536000, immutable";
+    if (policy === "none")
+        return "no-store";
+    return "public, max-age=300";
+}
+function normalizeForgeProxyTargetConfig(forgeProxy, modeLabel = "this mode") {
+    const defaults = {
+        host: "127.0.0.1",
+        port: 8080,
+        keepalive: 64,
+    };
+    if (forgeProxy === undefined || forgeProxy === null || forgeProxy === true) {
+        return defaults;
+    }
+    if (forgeProxy === false) {
+        throw new Error(`forgeProxy cannot be false in ${modeLabel}`);
+    }
+    if (typeof forgeProxy !== "object" || Array.isArray(forgeProxy)) {
+        throw new Error("forgeProxy must be true or an object");
+    }
+    if (forgeProxy.enabled === false) {
+        throw new Error(`forgeProxy.enabled cannot be false in ${modeLabel}`);
+    }
+    if (forgeProxy.enabled !== undefined && forgeProxy.enabled !== true) {
+        throw new Error("forgeProxy.enabled must be true when provided");
+    }
+    const host = forgeProxy.host ?? defaults.host;
+    if (typeof host !== "string" || host.trim() === "" || !SAFE_PROXY_HOST_RE.test(host)) {
+        throw new Error("forgeProxy.host must be a valid hostname or IPv4 address");
+    }
+    const port = forgeProxy.port ?? defaults.port;
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error("forgeProxy.port must be an integer between 1 and 65535");
+    }
+    const keepalive = forgeProxy.keepalive ?? defaults.keepalive;
+    if (!Number.isInteger(keepalive) || keepalive < 1) {
+        throw new Error("forgeProxy.keepalive must be a positive integer");
+    }
+    return {
+        host,
+        port,
+        keepalive,
+    };
+}
+// ── Exports ─────────────────────────────────────────────────────────
+/**
+ * Generate nginx.conf for a standard (non-platform) deployment.
+ */
+export function generateNginxConfig(options = {}) {
+    const domain = options.domain ?? "localhost";
+    validateDomain(domain);
+    const services = options.services ?? {};
+    const ssl = options.ssl;
+    const maxBodySize = options.maxBodySize ?? 10;
+    const rateLimits = options.rateLimits ?? {};
+    const forgeProxyTarget = normalizeForgeProxyTargetConfig(options.forgeProxy, "deploy mode");
+    let config = `# nginx.conf — Auto-generated by ThreadForge
+# Domain: ${domain}
+# Edge services: ${Object.keys(services).length}
+#
+# nginx routes ingress through ForgeProxy.
+# Service-to-service calls still go via ThreadForge IPC/HTTP.
+worker_processes auto;
+worker_rlimit_nofile 65535;
+events {
+    worker_connections 16384;
+    multi_accept on;
+    # Nginx auto-selects the optimal event method (epoll on Linux, kqueue on BSD)
+}
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    keepalive_requests 1000;
+    types_hash_max_size 2048;
+    server_tokens off;
+    include /etc/nginx/mime.types;
+    default_type application/json;
+    # Structured JSON logging
+    log_format json escape=json '{'
+        '"time":"$time_iso8601",'
+        '"addr":"$remote_addr",'
+        '"method":"$request_method",'
+        '"uri":"$request_uri",'
+        '"status":$status,'
+        '"bytes":$body_bytes_sent,'
+        '"ms":$request_time,'
+        '"upstream":"$upstream_addr",'
+        '"upstream_ms":"$upstream_response_time"'
+    '}';
+    access_log /var/log/nginx/access.log json;
+    error_log /var/log/nginx/error.log warn;
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 4;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+    # Rate limiting zones
+    limit_req_zone $binary_remote_addr zone=general:10m rate=${rateLimits.requestsPerSecond ?? 30}r/s;
+    limit_req_zone $binary_remote_addr zone=auth:10m rate=${rateLimits.authPerSecond ?? 5}r/s;
+    limit_conn_zone $binary_remote_addr zone=connlimit:10m;
+`;
+    // Add real_ip configuration if proxy addresses provided
+    if (options.trustedProxies && options.trustedProxies.length > 0) {
+        for (const proxy of options.trustedProxies) {
+            config += `    set_real_ip_from ${proxy};\n`;
+        }
+        config += `    real_ip_header X-Forwarded-For;\n`;
+        config += `    real_ip_recursive on;\n`;
+    }
+    config += `
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    client_header_timeout 15s;
+    send_timeout 30s;
+`;
+    config += `    upstream forgeproxy {\n`;
+    config += `        server ${forgeProxyTarget.host}:${forgeProxyTarget.port};\n`;
+    config += `        keepalive ${forgeProxyTarget.keepalive};\n`;
+    config += `    }\n\n`;
+    // HTTPS redirect
+    if (ssl) {
+        config += `    server {
+        listen 80;
+        server_name ${domain};
+        return 301 https://$host$request_uri;
+    }
+`;
+    }
+    // Main server block
+    config += `    server {\n`;
+    if (ssl) {
+        config += `        listen 443 ssl http2;\n`;
+        config += `        server_name ${domain};\n`;
+        config += `        ssl_certificate ${ssl.cert};\n`;
+        config += `        ssl_certificate_key ${ssl.key};\n`;
+        config += `        ssl_protocols TLSv1.2 TLSv1.3;\n`;
+        config += `        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;\n`;
+        config += `        ssl_prefer_server_ciphers off;\n`;
+        config += `        ssl_session_cache shared:SSL:10m;\n`;
+    }
+    else {
+        config += `        listen 80;\n`;
+        config += `        server_name ${domain};\n`;
+    }
+    config += `
+        # Security headers
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Content-Security-Policy "frame-ancestors 'none'" always;
+`;
+    if (ssl) {
+        config += `        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\n`;
+    }
+    config += `
+        # Per-IP connection limit
+        limit_conn connlimit ${rateLimits.maxConnsPerIP ?? 100};
+`;
+    // Static files (Bug #6: path traversal + Bug #2: security headers in child block)
+    if (options.staticDir) {
+        const staticDir = resolveStaticPath(options.staticDir, "staticDir");
+        config += `        # Static files (served by nginx, never touches Node)
+        location /static/ {
+            alias ${staticDir}/;
+            add_header Cache-Control "public, max-age=86400";
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options DENY always;
+            add_header Content-Security-Policy "frame-ancestors 'none'" always;${ssl ? `\n            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` : ""}
+        }
+`;
+    }
+    // Route each service by its prefix
+    // Sort by prefix length descending so more specific prefixes match first
+    const sorted = Object.entries(services)
+        .filter(([, s]) => s.prefix)
+        .sort((a, b) => (b[1].prefix?.length ?? 0) - (a[1].prefix?.length ?? 0));
+    for (const [name, svc] of sorted) {
+        const safeName = name.replace(/:/g, "_");
+        if (!SAFE_SERVICE_NAME_RE.test(safeName)) {
+            throw new Error(`Invalid service name for nginx config: "${name}"`);
+        }
+        const prefix = svc.prefix;
+        if (prefix && !SAFE_PREFIX_RE.test(prefix)) {
+            throw new Error(`Invalid nginx location prefix: "${prefix}". Only alphanumeric, slashes, underscores, and hyphens allowed.`);
+        }
+        const isAuth = /auth|login|oauth/i.test(prefix ?? "");
+        const zone = isAuth ? "auth" : "general";
+        const burst = isAuth ? (rateLimits.authBurst ?? 10) : (rateLimits.burst ?? 50);
+        config += `        # ${safeName} service → ${prefix}
+        location ${prefix} {
+            limit_req zone=${zone} burst=${burst} nodelay;
+            proxy_pass http://forgeproxy;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+            proxy_connect_timeout 5s;
+            proxy_read_timeout 30s;
+            proxy_buffering on;
+            proxy_buffer_size 8k;
+            proxy_buffers 8 8k;
+            proxy_next_upstream error timeout http_502 http_503 http_504;
+            proxy_next_upstream_tries 2;
+            proxy_next_upstream_timeout 5s;
+        }
+`;
+    }
+    // WebSocket routes
+    const wsRoutes = Array.isArray(options.websocketRoutes) ? options.websocketRoutes : [];
+    if (wsRoutes.length > 0) {
+        for (const route of wsRoutes) {
+            const wsPath = route.path;
+            const wsService = route.service;
+            if (!services[wsService]) {
+                throw new Error(`WebSocket route "${wsPath}" references unknown nginx service "${wsService}"`);
+            }
+            if (!SAFE_PREFIX_RE.test(wsPath)) {
+                throw new Error(`Invalid websocket path "${wsPath}" for nginx location`);
+            }
+            config += `        # WebSocket — ${wsPath} -> ${wsService}
+        location ${wsPath} {
+            proxy_pass http://forgeproxy;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+        }
+`;
+        }
+    }
+    else if (options.websockets) {
+        // Backward-compat fallback (manifest-level websocket toggles)
+        const wsService = Object.keys(services)[0];
+        if (!wsService) {
+            throw new Error("WebSocket routing requested but no edge services were provided");
+        }
+        const wsPaths = options.websocketPaths || ["/ws"];
+        for (const wsPath of wsPaths) {
+            config += `        # WebSocket (legacy) — ${wsPath}
+        location ${wsPath} {
+            proxy_pass http://forgeproxy;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+        }
+`;
+        }
+    }
+    // Catch-all for services without a prefix (legacy gateway pattern)
+    const catchAll = Object.entries(services).find(([, s]) => !s.prefix);
+    if (catchAll) {
+        const [name] = catchAll;
+        config += `        # ${name} (catch-all)
+        location / {
+            limit_req zone=general burst=${rateLimits.burst ?? 50} nodelay;
+            proxy_pass http://forgeproxy;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+            proxy_connect_timeout 5s;
+            proxy_read_timeout 30s;
+            proxy_buffering on;
+            proxy_next_upstream error timeout http_502 http_503 http_504;
+            proxy_next_upstream_tries 2;
+            proxy_next_upstream_timeout 5s;
+        }
+`;
+    }
+    // Health check (all services — pick the first one)
+    config += `        # Health check
+        location /health {
+            proxy_pass http://forgeproxy;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            access_log off;
+        }
+`;
+    // Error pages
+    config += `        error_page 429 @rate_limited;
+        location @rate_limited {
+            default_type application/json;
+            return 429 '{"error":"Rate limit exceeded","retryAfter":1}';
+        }
+        error_page 502 503 504 @upstream_error;
+        location @upstream_error {
+            default_type application/json;
+            return 503 '{"error":"Service temporarily unavailable"}';
+        }
+`;
+    // Plugin-contributed locations (Redis Commander, pgAdmin, etc.)
+    if (options.pluginLocations) {
+        for (const loc of options.pluginLocations) {
+            // Validate plugin config doesn't contain unbalanced braces or dangerous directives
+            const configText = loc.config.trim();
+            const openBraces = (configText.match(/\{/g) || []).length;
+            const closeBraces = (configText.match(/\}/g) || []).length;
+            if (openBraces !== closeBraces) {
+                throw new Error(`Plugin location "${loc.path}" has unbalanced braces in config — potential injection`);
+            }
+            config += `
+        # Plugin: ${loc.path}
+        location ${loc.path} {
+            ${configText
+                .split("\n")
+                .map((l) => l.trim())
+                .join("\n            ")}
+        }
+`;
+        }
+    }
+    config += `    }
+}
+`;
+    return config;
+}
+/**
+ * Build the nginx service map from a deployment manifest.
+ *
+ * Scans the manifest and service configs to determine:
+ *   - Which services are edge (need nginx routing)
+ *   - Their prefixes
+ *   - Their upstream addresses (host:port per node)
+ */
+export function buildNginxServiceMap(manifest, serviceConfigs, deployPorts = {}) {
+    const services = {};
+    for (const [svcName, svcConfig] of Object.entries(serviceConfigs)) {
+        if (svcConfig.type !== ServiceType.EDGE)
+            continue;
+        // Default to 3000 if no port specified in deploy overrides or service config.
+        // This fallback is common for single-service setups but may be wrong for multi-service deployments.
+        const port = deployPorts[svcName] ?? svcConfig.port ?? 3000;
+        if (!deployPorts[svcName] && !svcConfig.port) {
+            console.warn(`[Deploy] Edge service "${svcName}" has no explicit port — defaulting to 3000. Set a port in your service config or deploy manifest.`);
+        }
+        const upstreams = [];
+        // Find all nodes that run this service
+        for (const [, node] of Object.entries(manifest.nodes)) {
+            if (node.services.includes(svcName)) {
+                upstreams.push({
+                    host: node.host,
+                    port,
+                });
+            }
+        }
+        if (upstreams.length === 0) {
+            console.warn(`[Deploy] Edge service "${svcName}" is not assigned to any node`);
+            continue;
+        }
+        services[svcName] = {
+            prefix: svcConfig.prefix ?? null,
+            port,
+            upstreams,
+        };
+    }
+    return services;
+}
+/**
+ * Build websocket route mappings from per-service websocket config.
+ *
+ * Supports service-level config forms:
+ *   websocket: true
+ *   websocket: ["/ws", "/ws/chat"]
+ *   websocket: { enabled: true, paths: ["/ws"] }
+ */
+export function buildNginxWebSocketRoutes(serviceConfigs, nginxServices, legacy = {}) {
+    const routeMap = new Map(); // path -> service
+    for (const [svcName, svcConfig] of Object.entries(serviceConfigs)) {
+        if (svcConfig.type !== ServiceType.EDGE)
+            continue;
+        if (!nginxServices[svcName])
+            continue;
+        const raw = svcConfig.websocket;
+        if (!raw)
+            continue;
+        let enabled = true;
+        let paths = ["/ws"];
+        if (raw === true) {
+            paths = ["/ws"];
+        }
+        else if (Array.isArray(raw)) {
+            paths = raw;
+        }
+        else if (typeof raw === "object") {
+            enabled = raw.enabled !== false;
+            if (raw.paths !== undefined)
+                paths = raw.paths;
+        }
+        else {
+            continue;
+        }
+        if (!enabled)
+            continue;
+        for (const wsPath of paths) {
+            if (typeof wsPath !== "string" || !wsPath.startsWith("/")) {
+                throw new Error(`Invalid websocket path "${wsPath}" for service "${svcName}"`);
+            }
+            const existing = routeMap.get(wsPath);
+            if (existing && existing !== svcName) {
+                throw new Error(`WebSocket path collision: "${wsPath}" is configured for both "${existing}" and "${svcName}"`);
+            }
+            routeMap.set(wsPath, svcName);
+        }
+    }
+    // Backward compatibility for manifest-level websocket toggles
+    if (routeMap.size === 0 && legacy.websockets) {
+        const wsService = Object.keys(nginxServices)[0];
+        if (!wsService) {
+            throw new Error("WebSocket routes requested but no edge services are available for nginx routing");
+        }
+        for (const wsPath of legacy.websocketPaths ?? ["/ws"]) {
+            routeMap.set(wsPath, wsService);
+        }
+    }
+    return [...routeMap.entries()].map(([wsPath, service]) => ({ path: wsPath, service }));
+}
+/**
+ * Generate an nginx config for ForgeHost with per-project server blocks.
+ *
+ * Each project gets its own `server { server_name ... }` block. Requests
+ * are forwarded to ForgeProxy, with X-Forge-Project injected per host block.
+ */
+export function generateHostNginxConfig(options) {
+    const { hostMeta, services, ssl, maxBodySize = 10, forgeProxy } = options;
+    const forgeProxyTarget = normalizeForgeProxyTargetConfig(forgeProxy, "host mode");
+    let config = `# ForgeHost nginx config — auto-generated
+# Do not edit — regenerate with: forge host generate
+events {
+    worker_connections 16384;
+}
+http {
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    send_timeout 30s;
+`;
+    config += `    upstream forgeproxy {\n`;
+    config += `        server ${forgeProxyTarget.host}:${forgeProxyTarget.port};\n`;
+    config += `        keepalive ${forgeProxyTarget.keepalive};\n`;
+    config += `    }\n\n`;
+    // Generate a server block per project
+    for (const [projectId, meta] of Object.entries(hostMeta)) {
+        if (!meta.domain)
+            continue;
+        // Validate domain (Bug #1)
+        validateDomain(meta.domain);
+        const projectServices = Object.entries(services).filter(([name]) => meta.services.includes(name));
+        const edgeServices = projectServices.filter(([, s]) => s.type === ServiceType.EDGE);
+        if (edgeServices.length === 0)
+            continue;
+        config += `    # ── Project: ${projectId} ──\n`;
+        config += `    server {\n`;
+        if (ssl) {
+            config += `        listen 443 ssl http2;\n`;
+            config += `        server_name ${meta.domain};\n`;
+            config += `        ssl_certificate ${ssl.cert};\n`;
+            config += `        ssl_certificate_key ${ssl.key};\n`;
+        }
+        else {
+            config += `        listen 80;\n`;
+            config += `        server_name ${meta.domain};\n`;
+        }
+        config += `\n`;
+        config += `        # Security headers\n`;
+        config += `        add_header X-Frame-Options "SAMEORIGIN" always;\n`;
+        config += `        add_header X-Content-Type-Options "nosniff" always;\n`;
+        config += `\n`;
+        for (const [, svc] of edgeServices) {
+            const prefix = svc.prefix ?? "/";
+            config += `        location ${prefix} {\n`;
+            config += `            proxy_pass http://forgeproxy;\n`;
+            config += `            proxy_http_version 1.1;\n`;
+            config += `            proxy_set_header Connection "";\n`;
+            config += `            proxy_set_header Host $host;\n`;
+            config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+            config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+            config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+            config += `            proxy_set_header X-Forge-Project ${projectId};\n`;
+            config += `        }\n\n`;
+        }
+        config += `    }\n\n`;
+    }
+    config += `}\n`;
+    return config;
+}
+import { resolveAppDomains } from "../core/platform-config.js";
+/**
+ * Generate an nginx config for Platform Mode with per-domain TLS,
+ * per-app static dirs, shared auth mount, and X-Forwarded-Host.
+ *
+ * Each app gets its own `server { server_name ... }` block with
+ * individual SSL certificates (defaults to Let's Encrypt paths).
+ */
+export function generatePlatformNginxConfig(options = {}) {
+    const { apps, services, hostMeta, defaultSsl, maxBodySize = 10, forgeProxy } = options;
+    const forgeProxyTarget = normalizeForgeProxyTargetConfig(forgeProxy, "platform mode");
+    // Validate all domains upfront
+    for (const app of Object.values(apps ?? {})) {
+        const domains = resolveAppDomains(app);
+        for (const d of domains) {
+            validateDomain(d);
+        }
+    }
+    let config = `# ForgePlatform nginx config — auto-generated
+# Do not edit — regenerate with: forge platform generate
+events {
+    worker_connections 16384;
+}
+http {
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml;
+    client_max_body_size ${maxBodySize}m;
+    client_body_timeout 15s;
+    send_timeout 30s;
+`;
+    config += `    upstream forgeproxy {\n`;
+    config += `        server ${forgeProxyTarget.host}:${forgeProxyTarget.port};\n`;
+    config += `        keepalive ${forgeProxyTarget.keepalive};\n`;
+    config += `    }\n\n`;
+    // Collect all domains for HTTP->HTTPS redirect
+    const allDomains = [];
+    for (const app of Object.values(apps ?? {})) {
+        allDomains.push(...resolveAppDomains(app));
+    }
+    // Shared HTTP->HTTPS redirect block (only if any app has SSL)
+    const hasAnySsl = defaultSsl || Object.values(apps ?? {}).some((a) => a.ssl);
+    if (hasAnySsl && allDomains.length > 0) {
+        config += `    # HTTP → HTTPS redirect (all platform domains)\n`;
+        config += `    server {\n`;
+        config += `        listen 80;\n`;
+        config += `        server_name ${allDomains.join(" ")};\n`;
+        config += `        return 301 https://$host$request_uri;\n`;
+        config += `    }\n\n`;
+    }
+    // Find shared auth service (if any)
+    const authService = Object.entries(services ?? {}).find(([name, svc]) => (name === "auth" || name.endsWith(":auth")) && svc.type === ServiceType.EDGE);
+    // Generate a server block per app
+    for (const [appId, app] of Object.entries(apps ?? {})) {
+        const domains = resolveAppDomains(app);
+        if (domains.length === 0)
+            continue;
+        const meta = hostMeta?.[appId];
+        const projectServices = Object.entries(services ?? {}).filter(([name]) => meta?.services?.includes(name));
+        const edgeServices = projectServices.filter(([, s]) => s.type === ServiceType.EDGE);
+        config += `    # ── App: ${appId} ──\n`;
+        config += `    server {\n`;
+        const ssl = app.ssl ?? defaultSsl;
+        if (ssl) {
+            const certPath = ssl.cert ?? `/etc/letsencrypt/live/${domains[0]}/fullchain.pem`;
+            const keyPath = ssl.key ?? `/etc/letsencrypt/live/${domains[0]}/privkey.pem`;
+            config += `        listen 443 ssl http2;\n`;
+            config += `        server_name ${domains.join(" ")};\n`;
+            config += `        ssl_certificate ${certPath};\n`;
+            config += `        ssl_certificate_key ${keyPath};\n`;
+            config += `        ssl_protocols TLSv1.2 TLSv1.3;\n`;
+        }
+        else {
+            config += `        listen 80;\n`;
+            config += `        server_name ${domains.join(" ")};\n`;
+        }
+        config += `\n`;
+        config += `        # Security headers\n`;
+        config += `        add_header X-Frame-Options "SAMEORIGIN" always;\n`;
+        config += `        add_header X-Content-Type-Options "nosniff" always;\n`;
+        config += `\n`;
+        const rootEdgeServices = edgeServices.filter(([, svc]) => (svc.prefix ?? "/") === "/");
+        if (rootEdgeServices.length > 1) {
+            throw new Error(`App "${appId}" has multiple edge services mounted at "/". ` +
+                `Only one root edge prefix is supported per app.`);
+        }
+        const rootEdgeService = rootEdgeServices[0] ?? null;
+        const rootEdgeSafeName = rootEdgeService ? rootEdgeService[0].replace(/:/g, "_") : null;
+        let rootProxyViaNamedLocation = false;
+        let rootStaticMountDefined = false;
+        // Prefer explicit staticMounts (frontend plugin output), fallback to legacy static.
+        const staticMounts = Array.isArray(app.staticMounts) && app.staticMounts.length > 0
+            ? app.staticMounts
+            : app.static
+                ? [
+                    {
+                        dir: app.static,
+                        basePath: "/static",
+                        spaFallback: false,
+                        cachePolicy: "short",
+                    },
+                ]
+                : [];
+        for (const mount of staticMounts) {
+            const safeStatic = validateStaticDir(mount.dir, appId);
+            const basePath = normalizeMountBasePath(mount.basePath ?? "/");
+            const cacheControl = cacheControlFromPolicy(mount.cachePolicy);
+            const spaFallback = Boolean(mount.spaFallback);
+            if (basePath === "/") {
+                if (rootStaticMountDefined) {
+                    throw new Error(`App "${appId}" defines multiple static mounts at "/"`);
+                }
+                rootStaticMountDefined = true;
+                config += `        location / {\n`;
+                config += `            root ${safeStatic};\n`;
+                if (rootEdgeSafeName) {
+                    rootProxyViaNamedLocation = true;
+                    if (spaFallback) {
+                        config += `            try_files $uri $uri/ /index.html @forge_${rootEdgeSafeName}_root;\n`;
+                    }
+                    else {
+                        config += `            try_files $uri $uri/ @forge_${rootEdgeSafeName}_root;\n`;
+                    }
+                }
+                else {
+                    if (spaFallback) {
+                        config += `            try_files $uri $uri/ /index.html;\n`;
+                    }
+                    else {
+                        config += `            try_files $uri $uri/ =404;\n`;
+                    }
+                }
+                config += `            add_header Cache-Control "${cacheControl}";\n`;
+                config += `            add_header X-Content-Type-Options "nosniff" always;\n`;
+                config += `        }\n\n`;
+            }
+            else {
+                config += `        location ${basePath}/ {\n`;
+                config += `            alias ${safeStatic}/;\n`;
+                if (spaFallback) {
+                    config += `            try_files $uri $uri/ ${basePath}/index.html;\n`;
+                }
+                else {
+                    config += `            try_files $uri $uri/ =404;\n`;
+                }
+                config += `            add_header Cache-Control "${cacheControl}";\n`;
+                config += `            add_header X-Content-Type-Options "nosniff" always;\n`;
+                config += `        }\n\n`;
+            }
+        }
+        // Shared auth mount (if auth service exists and this isn't the auth service itself)
+        if (authService) {
+            config += `        location /auth/ {\n`;
+            config += `            proxy_pass http://forgeproxy;\n`;
+            config += `            proxy_http_version 1.1;\n`;
+            config += `            proxy_set_header Connection "";\n`;
+            config += `            proxy_set_header Host $host;\n`;
+            config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+            config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+            config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+            config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+            config += `        }\n\n`;
+        }
+        // App-specific edge service routes
+        for (const [svcName, svc] of edgeServices) {
+            const safeName = svcName.replace(/:/g, "_");
+            const prefix = svc.prefix ?? "/";
+            if (prefix === "/" && rootProxyViaNamedLocation) {
+                config += `        location @forge_${safeName}_root {\n`;
+                config += `            proxy_pass http://forgeproxy;\n`;
+                config += `            proxy_http_version 1.1;\n`;
+                config += `            proxy_set_header Connection "";\n`;
+                config += `            proxy_set_header Host $host;\n`;
+                config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+                config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+                config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+                config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+                config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+                config += `        }\n\n`;
+                continue;
+            }
+            config += `        location ${prefix} {\n`;
+            config += `            proxy_pass http://forgeproxy;\n`;
+            config += `            proxy_http_version 1.1;\n`;
+            config += `            proxy_set_header Connection "";\n`;
+            config += `            proxy_set_header Host $host;\n`;
+            config += `            proxy_set_header X-Real-IP $remote_addr;\n`;
+            config += `            proxy_set_header X-Forwarded-Host $host;\n`;
+            config += `            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n`;
+            config += `            proxy_set_header X-Forwarded-Proto $scheme;\n`;
+            config += `            proxy_set_header X-Forge-Project ${appId};\n`;
+            config += `        }\n\n`;
+        }
+        config += `    }\n\n`;
+    }
+    config += `}\n`;
+    return config;
+}
+//# sourceMappingURL=NginxGenerator.js.map