_format_version: '1.1'

consumers:
  - username: anon
    keyauth_credentials:
      - key: ${SUPABASE_ANON_KEY}
  - username: service_role
    keyauth_credentials:
      - key: ${SUPABASE_SERVICE_KEY}

acls:
  - consumer: anon
    group: anon
  - consumer: service_role
    group: admin

services:
  # Auth
  - name: auth-v1
    url: http://supabase-auth:9999/
    routes:
      - name: auth-v1-routes
        strip_path: true
        paths:
          - /auth/v1/
    plugins:
      - name: cors

  # REST (PostgREST)
  - name: rest-v1
    url: http://supabase-rest:3000/
    routes:
      - name: rest-v1-routes
        strip_path: true
        paths:
          - /rest/v1/
    plugins:
      - name: cors
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - anon
            - admin

  # Realtime
  - name: realtime-v1
    url: http://supabase-realtime:4000/socket/
    routes:
      - name: realtime-v1-routes
        strip_path: true
        paths:
          - /realtime/v1/
    plugins:
      - name: cors

  # Storage
  - name: storage-v1
    url: http://supabase-storage:5000/
    routes:
      - name: storage-v1-routes
        strip_path: true
        paths:
          - /storage/v1/
    plugins:
      - name: cors

  # pg_meta
  - name: meta
    url: http://supabase-meta:8080/
    routes:
      - name: meta-routes
        strip_path: true
        paths:
          - /pg/
    plugins:
      - name: key-auth
        config:
          hide_credentials: false
      - name: acl
        config:
          hide_groups_header: true
          allow:
            - admin

  # Next.js App (catch-all — must be last so API routes take priority)
  - name: app
    url: http://app:3000/
    routes:
      - name: app-routes
        strip_path: false
        paths:
          - /
    plugins:
      - name: cors