vibeoscore 1.0.2

package/mcp-server.ts

@@ -0,0 +1,364 @@
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: 2026 vibeOS <https://github.com/DrunkkToys/vibeOS>
+
+import http from "node:http"
+import { IncomingMessage, ServerResponse } from "node:http"
+import { parse as parseUrl } from "node:url"
+import { URLSearchParams } from "node:url"
+import { createReadStream, existsSync, statSync } from "node:fs"
+import { extname, join, dirname } from "node:path"
+import { fileURLToPath } from "node:url"
+
+const MIME_MAP: Record<string, string> = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".png": "image/png",
+  ".ico": "image/x-icon",
+}
+
+type Deps = {
+  getState: () => unknown
+  getSavings: () => unknown
+  getTodos: () => unknown
+  getSessionMetrics: (sessionId: string) => unknown
+  getCurrentSessionId: () => string
+  listReports: (params: { type?: string; project?: string; hours?: number; fingerprint?: string }) => unknown
+  readReport: (id: string) => unknown
+  runDiagnose: () => unknown
+  runProject: () => unknown
+  runTrinity: (action: string, opts: { slot?: string; level?: string }) => Promise<unknown>
+  runResearchAudit: (hours: number) => unknown
+  saveReport: (params: { type: string; summary: string; findings: unknown[]; metrics: Record<string, unknown>; narrative: string; tags: unknown[] }) => string | null
+  generateSessionCheckout: () => unknown
+}
+
+type McpServer = {
+  start: (port: number) => Promise<http.Server>
+  close: () => Promise<void>
+}
+
+function json(res: ServerResponse, statusCode: number, data: unknown): void {
+  res.statusCode = statusCode
+  res.setHeader("Content-Type", "application/json")
+  res.end(JSON.stringify(data))
+}
+
+function parseBody(req: IncomingMessage): Promise<Record<string, unknown>> {
+  return new Promise((resolve, reject) => {
+    let raw = ""
+    req.on("data", (chunk: Buffer) => {
+      raw += String(chunk || "")
+      if (raw.length > 1024 * 1024) {
+        reject(new Error("payload too large"))
+      }
+    })
+    req.on("end", () => {
+      if (!raw.trim()) {
+        resolve({})
+        return
+      }
+      try {
+        resolve(JSON.parse(raw))
+      } catch {
+        reject(new Error("invalid request"))
+      }
+    })
+    req.on("error", reject)
+  })
+}
+
+const _MCP_FILENAME = fileURLToPath(import.meta.url)
+const _MCP_DIR = dirname(_MCP_FILENAME)
+
+function resolveDashboardDir(): string {
+  const c = [
+    join(_MCP_DIR, "dashboard", "dist"),
+  ]
+  for (const p of c) { if (existsSync(join(p, "index.html"))) return p }
+  return c[0]
+}
+
+const DASHBOARD_DIR = resolveDashboardDir()
+
+const BACKEND_HEALTH_URL = process.env.VIBEOS_BACKEND_HEALTH_URL || "https://api.vibetheog.com/health"
+const BACKEND_HEALTH_TTL_MS = 5_000
+
+let backendHealth: { ok: boolean | null; checkedAt: number } = { ok: null, checkedAt: 0 }
+
+async function probeBackendHealth(force = false): Promise<boolean | null> {
+  const now = Date.now()
+  if (!force && backendHealth.ok !== null && (now - backendHealth.checkedAt) < BACKEND_HEALTH_TTL_MS) {
+    return backendHealth.ok
+  }
+  try {
+    const ctl = new AbortController()
+    const timer = setTimeout(() => ctl.abort(), 1500)
+    const res = await fetch(BACKEND_HEALTH_URL, { signal: ctl.signal })
+    clearTimeout(timer)
+    backendHealth = { ok: res.ok, checkedAt: now }
+    return res.ok
+  } catch {
+    backendHealth = { ok: false, checkedAt: now }
+    return false
+  }
+}
+
+function sendFile(res: ServerResponse, fp: string): void {
+  if (!existsSync(fp)) { res.statusCode = 404; res.setHeader("Content-Type", "text/plain; charset=utf-8"); res.end("not found"); return }
+  const ext = extname(fp).toLowerCase(); const mime = MIME_MAP[ext] || "application/octet-stream"; const st = statSync(fp)
+  res.statusCode = 200; res.setHeader("Content-Type", mime); res.setHeader("Content-Length", st.size); res.setHeader("Cache-Control", "no-cache")
+  const s = createReadStream(fp); s.pipe(res); s.on("error", () => { res.statusCode = 500; res.end() })
+}
+
+function serveDashboard(res: ServerResponse, p: string): void {
+  const idx = join(DASHBOARD_DIR, "index.html"); let fp = join(DASHBOARD_DIR, p === "/" ? "index.html" : p)
+  if (existsSync(fp) && statSync(fp).isFile()) { sendFile(res, fp); return }
+  if (existsSync(idx)) { sendFile(res, idx); return }
+  res.statusCode = 404; res.setHeader("Content-Type", "text/plain; charset=utf-8"); res.end("not found")
+}
+
+export function createMcpServer(deps: Deps): McpServer {
+  let server: http.Server | null = null
+  let startPromise: Promise<http.Server> | null = null
+  let closePromise: Promise<void> | null = null
+
+  const handler = async (req: IncomingMessage, res: ServerResponse): Promise<void> => {
+    try {
+      const method = (req.method || "GET").toUpperCase()
+      const parsed = parseUrl(req.url || "/", true)
+      const path = parsed.pathname || "/"
+
+      if (method === "GET" && path === "/status") {
+        const state = deps.getState() as Record<string, unknown>
+        const ok = await probeBackendHealth()
+        json(res, 200, { ...state, backend_connected: ok === true, backend_health_url: BACKEND_HEALTH_URL })
+        return
+      }
+      if (method === "GET" && path === "/savings") {
+        json(res, 200, deps.getSavings())
+        return
+      }
+      if (method === "GET" && path === "/todos") {
+        json(res, 200, deps.getTodos())
+        return
+      }
+      if (method === "GET" && path === "/sessions") {
+        const state = deps.getState() as Record<string, unknown> | null
+        const sessionsMap = state?.sessions_raw as Record<string, Record<string, unknown>> | undefined || {}
+        const sessions = Object.entries(sessionsMap).map(([id, ses]) => ({
+          id,
+          started: ses?.started || null,
+          cost_usd: Number(ses?.cost_usd ?? 0) || 0,
+          delegation_savings_usd: Array.isArray(ses?.warns)
+            ? (ses.warns as Array<Record<string, unknown>>).reduce((sum, w) => sum + (Number(w?.est_savings_usd ?? 0) || 0), 0)
+            : ses?.total_savings_usd || 0,
+          cache_savings_usd: Number(ses?.cache_savings_usd ?? 0) || 0,
+          warns_count: Array.isArray(ses?.warns) ? ses.warns.length : 0,
+        }))
+        json(res, 200, { sessions, total_sessions: sessions.length })
+        return
+      }
+      if (method === "GET" && path === "/sessions/current") {
+        json(res, 200, deps.getSessionMetrics(deps.getCurrentSessionId()))
+        return
+      }
+      if (method === "GET" && path === "/reports") {
+        try {
+          const query = parsed.query as Record<string, string | undefined>
+          const type = typeof query.type === "string" ? query.type : undefined
+          const project = typeof query.project === "string" ? query.project : undefined
+          const hoursRaw = query.hours
+          const hours = hoursRaw != null ? Number(hoursRaw) : undefined
+          const fingerprint = typeof query.fingerprint === "string" ? query.fingerprint : undefined
+          const reports = deps.listReports({ type, project, hours: Number.isFinite(hours as number) ? hours : undefined, fingerprint })
+          json(res, 200, reports)
+        } catch (err: unknown) {
+          const error = err as { status?: number }
+          if (error?.status === 404) {
+            json(res, 404, { error: "not found", status: 404 })
+            return
+          }
+          throw err
+        }
+        return
+      }
+      if (method === "GET" && path.startsWith("/reports/")) {
+        const id = decodeURIComponent(path.replace(/^\/reports\//, "")).trim()
+        const report = deps.readReport(id)
+        if (!report) {
+          json(res, 404, { error: "not found", status: 404 })
+          return
+        }
+        json(res, 200, report)
+        return
+      }
+      if (method === "GET" && path === "/diagnose") {
+        json(res, 200, deps.runDiagnose())
+        return
+      }
+      if (method === "GET" && path === "/project") {
+        json(res, 200, deps.runProject())
+        return
+      }
+      if (method === "POST" && path === "/trinity") {
+        let body: Record<string, unknown>
+        try {
+          body = await parseBody(req)
+        } catch {
+          json(res, 400, { error: "invalid request", status: 400 })
+          return
+        }
+        const action = body?.action as string | undefined
+        const slot = body?.slot as string | undefined
+        const level = body?.level as string | undefined
+        if (!action || typeof action !== "string") {
+          json(res, 400, { error: "invalid request", status: 400 })
+          return
+        }
+        const result = await deps.runTrinity(action, { slot, level })
+        const txt = typeof result === "string" ? result : JSON.stringify(result)
+        const ok = !(txt.startsWith("❌") || txt.toLowerCase().includes("unknown action"))
+        json(res, ok ? 200 : 400, ok ? { ok: true, result } : { ok: false, error: txt })
+        return
+      }
+      if (method === "POST" && path === "/research-audit") {
+        let body: Record<string, unknown>
+        try {
+          body = await parseBody(req)
+        } catch {
+          json(res, 400, { error: "invalid request", status: 400 })
+          return
+        }
+        const hours = Number(body?.hours ?? 24)
+        const report = deps.runResearchAudit(Number.isFinite(hours) ? hours : 24)
+        json(res, 200, report)
+        return
+      }
+      if (method === "POST" && path === "/reports") {
+        let body: Record<string, unknown>
+        try {
+          body = await parseBody(req)
+        } catch {
+          json(res, 400, { error: "invalid request", status: 400 })
+          return
+        }
+        if (!body || typeof body !== "object") {
+          json(res, 400, { error: "invalid request", status: 400 })
+          return
+        }
+        const id = deps.saveReport({
+          type: "manual",
+          summary: (body.summary as string) || "",
+          findings: (body.findings as unknown[]) || [],
+          metrics: (body.metrics as Record<string, unknown>) || {},
+          narrative: (body.narrative as string) || "",
+          tags: Array.isArray(body.tags) ? body.tags : [],
+        })
+        if (!id) {
+          json(res, 500, { error: "failed to save report", status: 500 })
+          return
+        }
+        json(res, 200, { ok: true, id })
+        return
+      }
+      if (method === "POST" && path === "/sessions/checkout") {
+        const result = deps.generateSessionCheckout()
+        json(res, 200, result)
+        return
+      }
+      if (method === "GET" && path === "/events") {
+        res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", "Access-Control-Allow-Origin": "*" })
+        const push = async () => { const state = deps.getState() as Record<string, unknown>; const ok = await probeBackendHealth(); res.write(`data: ${JSON.stringify({ status: { ...state, backend_connected: ok === true, backend_health_url: BACKEND_HEALTH_URL }, savings: deps.getSavings(), todos: deps.getTodos() })}\n\n`) }; push()
+        const iv = setInterval(push, 1500)
+        req.on("close", () => { clearInterval(iv) })
+        return
+      }
+
+      if (existsSync(join(DASHBOARD_DIR, "index.html"))) { serveDashboard(res, path); return }
+      json(res, 404, { error: "not found", status: 404 })
+    } catch (err: unknown) {
+      const error = err as { message?: string }
+      json(res, 500, { error: error?.message || "internal error", status: 500 })
+    }
+  }
+
+  return {
+    async start(port: number): Promise<http.Server> {
+      if (closePromise) await closePromise
+      if (server) return server
+      if (startPromise) return startPromise
+
+      const listen = (listenPort: number): Promise<http.Server> => new Promise((resolve, reject) => {
+        const nextServer = http.createServer((req: IncomingMessage, res: ServerResponse) => {
+          void handler(req, res)
+        })
+        const onListening = () => resolve(nextServer)
+        const onError = (err: Error) => {
+          try { nextServer.close() } catch { }
+          reject(err)
+        }
+        nextServer.once("listening", onListening)
+        nextServer.once("error", onError)
+        try {
+          nextServer.listen(listenPort, "127.0.0.1")
+        } catch (err: unknown) {
+          onError(err as Error)
+        }
+      })
+
+      startPromise = (async () => {
+        try {
+          server = await listen(port)
+          return server
+        } catch (err: unknown) {
+          const error = err as { code?: string; message: string }
+          if (error?.code !== "EADDRINUSE" || port === 0) {
+            startPromise = null
+            server = null
+            console.error(`[vibeOS] MCP server bind failed: ${error.message}`)
+            throw err
+          }
+          try {
+            const fallback = await listen(0)
+            server = fallback
+            const bound = fallback.address()
+            const actualPort = typeof bound === "object" && bound ? (bound as { port: number }).port : 0
+            console.error(`[vibeOS] MCP server port ${port} busy; fell back to ${actualPort}`)
+            return fallback
+          } catch (fallbackErr: unknown) {
+            const fbError = fallbackErr as { message: string }
+            startPromise = null
+            server = null
+            console.error(`[vibeOS] MCP server bind failed: ${fbError.message}`)
+            throw fallbackErr
+          }
+        } finally {
+          startPromise = null
+        }
+      })()
+      return startPromise
+    },
+
+    close(): Promise<void> {
+      if (!server) return closePromise || Promise.resolve()
+      if (closePromise) return closePromise
+      const current = server
+      closePromise = new Promise((resolve) => {
+        try {
+          current.close(() => {
+            if (server === current) server = null
+            closePromise = null
+            resolve()
+          })
+        } catch {
+          if (server === current) server = null
+          closePromise = null
+          resolve()
+        }
+      })
+      return closePromise
+    },
+  }
+}

package/middleware/auth.js

@@ -0,0 +1,75 @@
+import crypto from "node:crypto";
+import { getDb } from "../lib/db.js";
+const MASTER_KEY = process.env.VIBEOS_API_MASTER_KEY;
+export function authMiddleware(fastify) {
+    fastify.addHook("onRequest", async (request, reply) => {
+        if (request.url.startsWith("/health") || request.url.startsWith("/favicon")) {
+            return;
+        }
+        if (request.url.startsWith("/admin/")) {
+            const authHeader = request.headers["authorization"];
+            if (!authHeader || !authHeader.startsWith("Bearer ")) {
+                return reply.code(401).send({ error: "unauthorized", message: "Missing or invalid Authorization header" });
+            }
+            const providedKey = authHeader.slice(7);
+            const keyBuffer = Buffer.from(providedKey);
+            const expectedBuffer = Buffer.from(MASTER_KEY);
+            if (keyBuffer.length !== expectedBuffer.length || !crypto.timingSafeEqual(keyBuffer, expectedBuffer)) {
+                return reply.code(403).send({ error: "forbidden", message: "Invalid master key" });
+            }
+            request.adminAuth = true;
+            return;
+        }
+        if (request.url.startsWith("/api/v1/")) {
+            const authHeader = request.headers["authorization"];
+            if (!authHeader || !authHeader.startsWith("Bearer ")) {
+                return reply.code(401).send({ error: "unauthorized", message: "Missing or invalid Authorization header" });
+            }
+            const providedToken = authHeader.slice(7);
+            const db = getDb();
+            const tokenRow = db.prepare(`
+        SELECT t.id, t.token, t.seat_id, t.status, t.expires_at, t.label,
+               s.status as seat_status
+        FROM api_tokens t
+        JOIN seats s ON t.seat_id = s.id
+        WHERE t.token = ?
+      `).get(providedToken);
+            if (!tokenRow) {
+                return reply.code(401).send({ error: "unauthorized", message: "Invalid API token" });
+            }
+            if (tokenRow.status === "revoked") {
+                return reply.code(403).send({
+                    error: "forbidden",
+                    message: "API token has been revoked",
+                    code: "TOKEN_REVOKED"
+                });
+            }
+            if (tokenRow.status === "expired") {
+                return reply.code(403).send({
+                    error: "forbidden",
+                    message: "API token has expired",
+                    code: "TOKEN_EXPIRED"
+                });
+            }
+            if (tokenRow.seat_status !== "active") {
+                return reply.code(403).send({
+                    error: "forbidden",
+                    message: "License seat is not active. Contact support.",
+                    code: "SEAT_INACTIVE"
+                });
+            }
+            if (tokenRow.expires_at && new Date(tokenRow.expires_at) < new Date()) {
+                db.prepare("UPDATE api_tokens SET status = 'expired', revoked_at = datetime('now') WHERE id = ?").run(tokenRow.id);
+                return reply.code(403).send({
+                    error: "forbidden",
+                    message: "API token has expired",
+                    code: "TOKEN_EXPIRED"
+                });
+            }
+            db.prepare("UPDATE api_tokens SET last_used_at = datetime('now') WHERE id = ?").run(tokenRow.id);
+            request.tokenId = tokenRow.id;
+            request.seatId = tokenRow.seat_id;
+            request.tokenLabel = tokenRow.label;
+        }
+    });
+}

package/middleware/auth.ts

@@ -0,0 +1,87 @@
+import crypto from "node:crypto"
+import { getDb } from "../lib/db.js"
+
+const MASTER_KEY = process.env.VIBEOS_API_MASTER_KEY
+
+export function authMiddleware(fastify: any) {
+  fastify.addHook("onRequest", async (request: any, reply: any) => {
+    if (request.url.startsWith("/health") || request.url.startsWith("/favicon")) {
+      return
+    }
+
+    if (request.url.startsWith("/admin/")) {
+      const authHeader = request.headers["authorization"]
+      if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        return reply.code(401).send({ error: "unauthorized", message: "Missing or invalid Authorization header" })
+      }
+      const providedKey = authHeader.slice(7)
+      const keyBuffer = Buffer.from(providedKey)
+      const expectedBuffer = Buffer.from(MASTER_KEY)
+      if (keyBuffer.length !== expectedBuffer.length || !crypto.timingSafeEqual(keyBuffer, expectedBuffer)) {
+        return reply.code(403).send({ error: "forbidden", message: "Invalid master key" })
+      }
+      request.adminAuth = true
+      return
+    }
+
+    if (request.url.startsWith("/api/v1/")) {
+      const authHeader = request.headers["authorization"]
+      if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        return reply.code(401).send({ error: "unauthorized", message: "Missing or invalid Authorization header" })
+      }
+      const providedToken = authHeader.slice(7)
+
+      const db = getDb()
+      const tokenRow = db.prepare(`
+        SELECT t.id, t.token, t.seat_id, t.status, t.expires_at, t.label,
+               s.status as seat_status
+        FROM api_tokens t
+        JOIN seats s ON t.seat_id = s.id
+        WHERE t.token = ?
+      `).get(providedToken)
+
+      if (!tokenRow) {
+        return reply.code(401).send({ error: "unauthorized", message: "Invalid API token" })
+      }
+
+      if (tokenRow.status === "revoked") {
+        return reply.code(403).send({
+          error: "forbidden",
+          message: "API token has been revoked",
+          code: "TOKEN_REVOKED"
+        })
+      }
+
+      if (tokenRow.status === "expired") {
+        return reply.code(403).send({
+          error: "forbidden",
+          message: "API token has expired",
+          code: "TOKEN_EXPIRED"
+        })
+      }
+
+      if (tokenRow.seat_status !== "active") {
+        return reply.code(403).send({
+          error: "forbidden",
+          message: "License seat is not active. Contact support.",
+          code: "SEAT_INACTIVE"
+        })
+      }
+
+      if (tokenRow.expires_at && new Date(tokenRow.expires_at) < new Date()) {
+        db.prepare("UPDATE api_tokens SET status = 'expired', revoked_at = datetime('now') WHERE id = ?").run(tokenRow.id)
+        return reply.code(403).send({
+          error: "forbidden",
+          message: "API token has expired",
+          code: "TOKEN_EXPIRED"
+        })
+      }
+
+      db.prepare("UPDATE api_tokens SET last_used_at = datetime('now') WHERE id = ?").run(tokenRow.id)
+
+      request.tokenId = tokenRow.id
+      request.seatId = tokenRow.seat_id
+      request.tokenLabel = tokenRow.label
+    }
+  })
+}

package/middleware/usage-logging.js

@@ -0,0 +1,29 @@
+import { getDb } from "../lib/db.js";
+export function usageLoggingMiddleware(fastify) {
+    fastify.addHook("onResponse", async (request, reply) => {
+        const urlPath = request.url.split("?")[0];
+        if (!urlPath.startsWith("/api/v1/") && !urlPath.startsWith("/admin/"))
+            return;
+        try {
+            const db = getDb();
+            const duration = request.hrtime ? Math.round(request.hrtime()[1] / 1e6) : 0;
+            const requestBody = request.body ? JSON.stringify(request.body).substring(0, 4096) : null;
+            const responseSize = reply.getHeader("content-length") || 0;
+            if (request.tokenId) {
+                db.prepare([
+                    "INSERT INTO usage_log (token_id, endpoint, request_body, response_size, latency_ms)",
+                    "VALUES (?, ?, ?, ?, ?)"
+                ].join(" ")).run(request.tokenId, urlPath, requestBody, responseSize, duration);
+            }
+            else if (request.adminAuth) {
+                db.prepare([
+                    "INSERT INTO admin_audit_log (method, endpoint, request_body, response_status, response_size, latency_ms)",
+                    "VALUES (?, ?, ?, ?, ?, ?)"
+                ].join(" ")).run(request.method, urlPath, requestBody, reply.statusCode, responseSize, duration);
+            }
+        }
+        catch (err) {
+            console.error("[vibeOS-api] usage logging error: " + err.message);
+        }
+    });
+}

package/middleware/usage-logging.ts

@@ -0,0 +1,41 @@
+import { getDb } from "../lib/db.js"
+
+export function usageLoggingMiddleware(fastify: any) {
+  fastify.addHook("onResponse", async (request: any, reply: any) => {
+    const urlPath = request.url.split("?")[0]
+    if (!urlPath.startsWith("/api/v1/") && !urlPath.startsWith("/admin/")) return
+
+    try {
+      const db = getDb()
+      const duration = request.hrtime ? Math.round(request.hrtime()[1] / 1e6) : 0
+      const requestBody = request.body ? JSON.stringify(request.body).substring(0, 4096) : null
+      const responseSize = reply.getHeader("content-length") || 0
+      if (request.tokenId) {
+        db.prepare([
+          "INSERT INTO usage_log (token_id, endpoint, request_body, response_size, latency_ms)",
+          "VALUES (?, ?, ?, ?, ?)"
+        ].join(" ")).run(
+          request.tokenId,
+          urlPath,
+          requestBody,
+          responseSize,
+          duration
+        )
+      } else if (request.adminAuth) {
+        db.prepare([
+          "INSERT INTO admin_audit_log (method, endpoint, request_body, response_status, response_size, latency_ms)",
+          "VALUES (?, ?, ?, ?, ?, ?)"
+        ].join(" ")).run(
+          request.method,
+          urlPath,
+          requestBody,
+          reply.statusCode,
+          responseSize,
+          duration
+        )
+      }
+    } catch (err: any) {
+      console.error("[vibeOS-api] usage logging error: " + err.message)
+    }
+  })
+}

package/nginx-vibetheog-api.conf

@@ -0,0 +1,64 @@
+limit_req_zone $binary_remote_addr zone=vibeos_api:10m rate=30r/s;
+
+server {
+    listen 80;
+    server_name api.vibetheog.com;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+
+    # Reject requests with spoofed or missing Host header (SMG3 fix)
+    if ($host !~* ^(api\.vibetheog\.com|localhost|127\.0\.0\.1)$) {
+        return 444;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name api.vibetheog.com;
+
+    ssl_certificate /etc/letsencrypt/live/vibetheog.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vibetheog.com/privkey.pem;
+
+    client_max_body_size 10M;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    limit_req zone=vibeos_api burst=50 nodelay;
+
+
+    # Reject requests with spoofed or missing Host header (SMG3 fix)
+    if ($host !~* ^(api\.vibetheog\.com|localhost|127\.0\.0\.1)$) {
+        return 444;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        proxy_read_timeout 30s;
+    }
+
+    location /health {
+        limit_req zone=vibeos_api burst=20 nodelay;
+        proxy_pass http://127.0.0.1:3000/health;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_read_timeout 10s;
+    }
+}