{
	skip_install_trust

	{$CADDY_GLOBAL_OPTIONS}

	frankenphp {
		{$FRANKENPHP_CONFIG}
	}
}

{$CADDY_EXTRA_CONFIG}

{$SERVER_NAME:localhost} {
	log {
		{$CADDY_SERVER_LOG_OPTIONS}
		# Redact the authorization query parameter that can be set by Mercure
		format filter {
			request>uri query {
				replace authorization REDACTED
			}
		}
	}

	root /app/public
	encode zstd br gzip

	mercure {
		# Publisher JWT key
		publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
		# Subscriber JWT key
		subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
		# Allow anonymous subscribers (double-check that it's what you want)
		anonymous
		# Enable the subscription API (double-check that it's what you want)
		subscriptions
		# Extra directives
		{$MERCURE_EXTRA_DIRECTIVES}
	}

	vulcain

	{$CADDY_SERVER_EXTRA_DIRECTIVES}

	# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
	header ?Permissions-Policy "browsing-topics=()"

	# Backend (Symfony) owns /api/* and Mercure; everything else is the SPA.
	# `route` preserves declaration order so the backend matchers win before the
	# SPA catch-all.
	@backend path /api/* /.well-known/mercure*

	handle @backend {
		@phpRoute {
			not path /.well-known/mercure*
			not file {path}
		}
		rewrite @phpRoute index.php

		@frontController path index.php
		php @frontController {
			{$FRANKENPHP_SITE_CONFIG}

			worker {
				file ./public/index.php
				{$FRANKENPHP_WORKER_CONFIG}
			}
		}

		file_server {
			hide *.php
		}
	}

	# Single-page app: serve built static assets, falling back to index.html so
	# client-side routes (/login, /register, …) resolve. The dist is copied to
	# /app/frontend-dist by the prod image build (see Dockerfile).
	handle {
		root * /app/frontend-dist
		try_files {path} /index.html
		file_server
	}
}
