events {
    worker_connections 1024;
}

# Non-root nginx: all paths redirected to /tmp
pid /tmp/nginx.pid;
error_log /tmp/nginx-error.log warn;

http {
    # Non-root temp dirs
    client_body_temp_path /tmp/nginx-tmp/client;
    proxy_temp_path        /tmp/nginx-tmp/proxy;
    fastcgi_temp_path      /tmp/nginx-tmp/fastcgi;
    uwsgi_temp_path        /tmp/nginx-tmp/uwsgi;
    scgi_temp_path         /tmp/nginx-tmp/scgi;

    access_log /dev/stdout;
    error_log  /dev/stderr warn;

    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    on;
    keepalive_timeout 65;
    server_tokens  off;

    # Gzip — compresses API JSON, HTML, JS (big win for research reports)
    gzip              on;
    gzip_vary         on;
    gzip_proxied      any;
    gzip_comp_level   5;
    gzip_min_length   1024;
    gzip_types        text/plain text/css text/xml text/javascript
                      application/json application/javascript application/xml
                      application/x-javascript image/svg+xml;

    # ── DeerFlow on HF Spaces ─────────────────────────────────────
    server {
        listen 7861 default_server;
        server_name _;

        # Allow 100 MB uploads (thread file attachments)
        client_max_body_size 100M;

        # HF Spaces embeds the app in an iframe — must allow framing
        add_header X-Frame-Options "ALLOWALL" always;
        add_header Content-Security-Policy "frame-ancestors *" always;

        # CORS: strip upstream headers to avoid duplicates, then re-add
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Allow-Credentials;

        add_header Access-Control-Allow-Origin  "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, PATCH, OPTIONS" always;
        add_header Access-Control-Allow-Headers "*" always;

        # CORS preflight
        if ($request_method = OPTIONS) {
            return 204;
        }

        # ── LangGraph-compatible API (rewrites /api/langgraph/* → /api/*) ──
        # The backend exposes /api/* natively; the /api/langgraph/ prefix is a
        # public-facing alias used by the Next.js client and LangGraph SDK.
        location /api/langgraph/ {
            rewrite ^/api/langgraph/(.*) /api/$1 break;
            proxy_pass         http://127.0.0.1:8001;
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection        "";

            # SSE / streaming (agent responses are streamed as server-sent events)
            proxy_buffering         off;
            proxy_cache             off;
            proxy_set_header        X-Accel-Buffering no;
            chunked_transfer_encoding on;

            proxy_connect_timeout 600s;
            proxy_send_timeout    600s;
            proxy_read_timeout    600s;
        }

        # ── Health check ──────────────────────────────────────────
        location = /health {
            access_log off;
            proxy_pass         http://127.0.0.1:8001/health;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }

        # ── API docs (Swagger / ReDoc / OpenAPI) ──────────────────
        location ~ ^/(docs|redoc|openapi\.json)$ {
            proxy_pass         http://127.0.0.1:8001;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }

        # ── Thread file uploads (large body, no buffering) ────────
        location ~ ^/api/threads/[^/]+/uploads {
            proxy_pass              http://127.0.0.1:8001;
            proxy_http_version      1.1;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_request_buffering off;
            client_max_body_size    100M;
        }

        # ── All remaining /api/* routes → backend ─────────────────
        location /api/ {
            proxy_pass         http://127.0.0.1:8001;
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection        "";

            # SSE support for all streaming API routes
            proxy_buffering         off;
            proxy_cache             off;
            proxy_set_header        X-Accel-Buffering no;
            chunked_transfer_encoding on;

            proxy_connect_timeout 600s;
            proxy_send_timeout    600s;
            proxy_read_timeout    600s;
        }

        # ── /app → DeerFlow workspace (convenience alias) ─────
        location = /app {
            return 302 /workspace;
        }

        # ── All other requests → Next.js frontend ─────────────
        location / {
            proxy_pass         http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        "upgrade";
            proxy_cache_bypass                 $http_upgrade;

            proxy_connect_timeout 600s;
            proxy_send_timeout    600s;
            proxy_read_timeout    600s;
        }
    }
}