{$HATCH_HOSTNAME:localhost} {
	reverse_proxy hatch:8080

	# Log requests for debugging
	log {
		output stdout
		format json
	}

	# Security headers
	header {
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "no-referrer"
	}

	# TLS: auto via Let's Encrypt when HATCH_HOSTNAME is a real domain.
	# Falls back to self-signed for localhost / internal-only names.
}
