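# BMM per-runner proxy via PATH routing on mcp.buildmymcpserver.com.
# The combined snippet file (regenerated by the bmm-api and bmm-generator
# containers + reloaded by the systemd inotify watcher) is a sequence of
#   `if ($bmm_slug = "<slug>") { set $bmm_port <port>; }`
# lines that map the slug captured from the URL path to the local runner port.
#
# The snippet is pulled in with `include` inside both regex locations below,
# so anything able to write that file decides where every slug is proxied.
# Keep it writable only by the generator, and have the watcher run `nginx -t`
# before reloading so a malformed snippet cannot take the vhost down.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mcp.buildmymcpserver.com;

    ssl_certificate     /etc/ssl/buildmymcpserver/mcp-runners.crt;
    ssl_certificate_key /etc/ssl/buildmymcpserver/mcp-runners.key;

    client_max_body_size 4M;

    # Cheap health probe for monitoring — doesn't go through the slug router.
    # default_type sets the Content-Type of the `return` body; using
    # add_header here would emit a second Content-Type header next to the
    # one nginx already generates.
    location = /health {
        default_type text/plain;
        return 200 "ok\n";
    }

    # RFC 9728 for path-routed resources:
    # /<slug>/mcp derives metadata at
    # /.well-known/oauth-protected-resource/<slug>/mcp.
    # Route that well-known URL back to the same runner while preserving only
    # the resource sub-path after the slug.
    location ~ ^/\.well-known/oauth-protected-resource/(?<bmm_slug>[a-z0-9][a-z0-9-]*)(?<bmm_path>/.*)?$ {
        set $bmm_port "";
        include /opt/buildmymcpserver/runner-map.combined;

        # Unknown slug — no runner to ask for metadata.
        if ($bmm_port = "") {
            return 404;
        }

        # proxy_pass with variables forwards exactly the string built here,
        # so the query string has to be re-attached explicitly.
        proxy_pass http://127.0.0.1:$bmm_port/.well-known/oauth-protected-resource$bmm_path$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 600s;
    }

    # /<slug>/<path> → 127.0.0.1:<port>/<path>
    location ~ ^/(?<bmm_slug>[a-z0-9][a-z0-9-]*)(?<bmm_path>/.*)?$ {
        set $bmm_port "";
        include /opt/buildmymcpserver/runner-map.combined;

        # Unknown slug — return 404 instead of a confusing default.
        if ($bmm_port = "") {
            return 404;
        }

        # Default sub-path to / when client asked for /<slug> with no
        # trailing slash.
        set $bmm_target_path $bmm_path;
        if ($bmm_target_path = "") {
            set $bmm_target_path "/";
        }

        # NOTE(review): $bmm_path is captured from the normalized
        # (percent-decoded) request URI and is forwarded as-is, so the runner
        # sees a decoded path. Runners should not base access decisions on
        # the raw path string; confirm with encoded sub-paths in testing.
        #
        # The query string is not part of the capture and is dropped by a
        # variable proxy_pass unless re-attached, hence $is_args$args.
        proxy_pass http://127.0.0.1:$bmm_port$bmm_target_path$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; runners should trust X-Real-IP or
        # only the last entry, never the client-supplied prefix.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): hard-coded "https" is also sent for requests that
        # arrive on the plain port-80 listeners above. If nothing in front of
        # this host terminates TLS, either redirect port 80 to https or send
        # $scheme so runners do not treat cleartext requests as secure.
        proxy_set_header X-Forwarded-Proto https;

        # MCP uses Streamable HTTP — disable buffering so response chunks flow.
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 600s;
    }

    # Root of mcp.buildmymcpserver.com — nothing to serve here.
    location = / {
        return 404;
    }
}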