From d3d9271426c9494df7e0c8d21fa9c4ae2b20bef6 Mon Sep 17 00:00:00 2001
From: Till JS <tills95@gmail.com>
Date: Mon, 11 May 2026 18:49:49 +0200
Subject: [PATCH] =?UTF-8?q?feat(cloudflared):=20split=20auth.mana.how=20?=
 =?UTF-8?q?=E2=80=94=20/api/*=20=E2=86=92=20mana-auth,=20rest=20=E2=86=92?=
 =?UTF-8?q?=20mana-auth-web?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Auth portal is now live: API calls (Better Auth endpoints) still hit
mana-auth (:3001) directly; all UI routes (login, register, reset,
verify-email) are served by the new mana-auth-web SvelteKit app on
host port 3042.

Also updates the duplicate-hostname validator to allow path-based split
routing rules for the same hostname.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 cloudflared-config.yml                  |  9 ++++++++-
 scripts/validate-cloudflared-config.mjs | 14 +++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/cloudflared-config.yml b/cloudflared-config.yml
index d0d13a4ba..593d08729 100644
--- a/cloudflared-config.yml
+++ b/cloudflared-config.yml
@@ -125,10 +125,17 @@ ingress:
     service: http://localhost:5000
 
   # ============================================
-  # Auth Service (Hono/Bun)
+  # Auth (Split: Portal-UI :3042, API :3001)
   # ============================================
+  # /api/* geht direkt an mana-auth (Hono/Bun, JWT-Ausstellung, Better Auth).
+  # Alles andere (Login, Register, Reset, Verify-Email) → mana-auth-web (SvelteKit).
+  # mana-auth-web läuft auf Host-Port 3042 (3002 belegt durch legacy mana-credits).
+  # Reihenfolge zählt: spezifischere Pfad-Regeln zuerst.
   - hostname: auth.mana.how
+    path: /api/.*
     service: http://localhost:3001
+  - hostname: auth.mana.how
+    service: http://localhost:3042
 
   # ============================================
   # Unified Backend API (Hono/Bun, port 3060)
diff --git a/scripts/validate-cloudflared-config.mjs b/scripts/validate-cloudflared-config.mjs
index fb293bfa6..26864c6f2 100755
--- a/scripts/validate-cloudflared-config.mjs
+++ b/scripts/validate-cloudflared-config.mjs
@@ -131,11 +131,15 @@ if (!Array.isArray(ingress)) {
 				err(
 					`${where}: hostname "${r.hostname}" looks invalid (lowercase, dot-separated, no spaces)`
 				);
-			} else if (seen.has(r.hostname)) {
-				err(
-					`${where}: duplicate hostname "${r.hostname}" (also at ingress[${seen.get(r.hostname)}])`
-				);
-			} else {
+			} else if (seen.has(r.hostname) && !r.path) {
+				// Duplicate hostnames are allowed when the earlier rule uses a `path:`
+				// matcher (path-based split routing, e.g. /api/* → backend, rest → UI).
+				// Only flag true duplicates: same hostname, neither rule has a path.
+				const prevIdx = seen.get(r.hostname);
+				if (!ingress[prevIdx].path) {
+					err(`${where}: duplicate hostname "${r.hostname}" (also at ingress[${prevIdx}])`);
+				}
+			} else if (!seen.has(r.hostname)) {
 				seen.set(r.hostname, i);
 			}
 		}