:8080 {
	# Health check — unauthenticated so Fly.io can probe it
	@health path /health
	handle @health {
		reverse_proxy localhost:4747 {
			rewrite /api/info
		}
	}

	# All other routes require bearer token
	@authed {
		header Authorization "Bearer {env.API_TOKEN}"
	}

	handle @authed {
		reverse_proxy localhost:4747
	}

	# Reject unauthenticated requests
	respond "Unauthorized" 401
}
