# Site block for the public hostname. `{$DOMAIN:localhost}` reads the DOMAIN
# environment variable at config load and falls back to `localhost` when it
# is unset. Caddy only dispatches requests whose Host (and, for TLS, SNI)
# matches this address to the block below, so everything inside can assume
# the request was addressed to this domain.
{$DOMAIN:localhost} {
	# Cert-file mode (corporate CA path). For Let's Encrypt, drop the
	# `tls` directive entirely so Caddy auto-issues. See docs/DEPLOYMENT.md.
	# NOTE(review): in cert-file mode, rotation of /certs/* is an operational
	# concern — confirm whether the deployment reloads Caddy after the files
	# change, or the old cert keeps being served until restart.
	tls /certs/fullchain.pem /certs/privkey.pem {
		# Modern TLS only. Caddy default already excludes 1.0/1.1 in
		# most builds, but pin explicitly so a future Caddy default
		# change can't silently weaken our posture. `protocols MIN MAX`
		# sets both the floor and the ceiling, so this also forbids
		# anything newer than 1.3 until this line is revisited.
		protocols tls1.2 tls1.3
	}

	# HSTS: tell compliant browsers to refuse plain-HTTP for this host
	# for a year (31536000 s = 365 d). Skipping `preload` so we keep an
	# escape hatch (preload submission is hard-bound and blocks
	# rollback). Skipping `includeSubDomains` because we don't control
	# subdomains. The header is only meaningful on an HTTPS response;
	# since this block is TLS-only (see `tls` above) that holds here.
	header Strict-Transport-Security "max-age=31536000"

	# Proxy to the application container. The `app` hostname implies the
	# upstream is reached over the container network, not loopback — that
	# matters for the trust caveats below.
	reverse_proxy app:8000 {
		# App's uvicorn runs with --proxy-headers, so stamping these
		# ourselves makes OAuth callback URLs and Set-Cookie Secure
		# flags resolve to https consistently. `header_up NAME VALUE`
		# sets (overwrites) the header, so a client-supplied
		# X-Forwarded-Proto never reaches the app through this path.
		# The literal `https` is only correct because this site block
		# terminates TLS itself; if the block ever gains a plain-HTTP
		# listener, this line would lie to the app.
		#
		# NOTE(review): these headers only protect the app if port 8000 is
		# unreachable from anywhere but Caddy. A client that can hit app:8000
		# directly can forge X-Forwarded-Proto/Host itself — confirm the
		# container network / firewall does not publish that port.
		# NOTE(review): uvicorn honours X-Forwarded-* only from addresses in
		# --forwarded-allow-ips (default is loopback, I believe). Since Caddy
		# reaches the app over the network rather than 127.0.0.1, confirm the
		# app is started with Caddy's address (or the proxy subnet) allowed,
		# otherwise --proxy-headers silently does nothing and URLs fall back
		# to http.
		header_up X-Forwarded-Proto https
		# {host} is the inbound request's Host header. Because Caddy routed
		# the request into this block only if Host matched `{$DOMAIN}`, the
		# value the app sees is constrained to the configured domain (plus
		# an explicit port, if the client sent one) rather than an arbitrary
		# attacker-chosen string. X-Forwarded-Host is also Caddy's default,
		# but pinning it explicitly ensures a future default change cannot
		# silently alter what the app uses to build absolute URLs.
		header_up X-Forwarded-Host {host}
	}
}
