From 4b2a949f120c8f4e47f9fa5c0a88599a947f2e44 Mon Sep 17 00:00:00 2001
From: Ilia Denisov <evilcart@gmail.com>
Date: Sat, 16 May 2026 22:03:55 +0200
Subject: [PATCH] dev-deploy Caddy: route Connect-Web traffic to gateway :9090
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`api.galaxy.lan` was proxying every path to `galaxy-api:8080` (the
public REST listener), so authenticated Connect-Web calls
(`/galaxy.gateway.v1.EdgeGateway/ExecuteCommand`,
`/galaxy.gateway.v1.EdgeGateway/SubscribeEvents`) collapsed to a 404
from the public route table — the lobby loaded the static bundle
but every authenticated query failed silently.

Split routing by path: `/galaxy.gateway.v1.EdgeGateway/*` goes to
the authenticated listener on `:9090`, everything else stays on
`:8080`. Mirrors the Vite dev-server proxy in
`ui/frontend/vite.config.ts`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 tools/dev-deploy/Caddyfile.dev | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/dev-deploy/Caddyfile.dev b/tools/dev-deploy/Caddyfile.dev
index 64758b7..eb949a1 100644
--- a/tools/dev-deploy/Caddyfile.dev
+++ b/tools/dev-deploy/Caddyfile.dev
@@ -20,6 +20,15 @@
 
     @api host api.galaxy.lan
     handle @api {
+        # Connect-Web (authenticated) lives on a separate listener
+        # (`GATEWAY_AUTHENTICATED_GRPC_ADDR=:9090`). Anything else —
+        # public auth, healthz — is the public REST listener on
+        # `:8080`. The split mirrors the Vite dev-server proxy in
+        # `ui/frontend/vite.config.ts`.
+        @connect path /galaxy.gateway.v1.EdgeGateway/*
+        handle @connect {
+            reverse_proxy galaxy-api:9090
+        }
         reverse_proxy galaxy-api:8080
     }
 }