add SQL migration to enable Row Level Security on modules table

Caddyfile

@@ -0,0 +1,16 @@
+gateway.madebypaulo.com {
+    log {
+        output stdout
+    }
+
+    reverse_proxy ai-gateway:8000
+}
+
+test.ldex.dev {
+    reverse_proxy ai_proxy_test:8000
+
+    header {
+        X-Zscaler-Test "Ready"
+        Access-Control-Allow-Origin *
+    }
+}

app/api/deps.py

@@ -1,5 +1,5 @@
 from fastapi import Security, HTTPException, status, Depends
-from fastapi.security.api_key import APIKeyHeader
+from fastapi.security.api_key import APIKeyHeader, APIKeyQuery
 from sqlalchemy.orm import Session
 from app.core.config import settings
 from app.core.database import get_db
@@ -7,34 +7,45 @@ from app.models.module import Module
 from cachetools import TTLCache
 
 api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
+api_key_query = APIKeyQuery(name="api_key", auto_error=False)
 
 # Cache keys for 5 minutes, store up to 1000 keys
-# This prevents a Supabase round-trip on every message
 auth_cache = TTLCache(maxsize=1000, ttl=300)
 
 async def get_api_key(
-    api_key_header: str = Security(api_key_header),
+    api_key_h: str = Security(api_key_header),
+    api_key_q: str = Security(api_key_query),
     db: Session = Depends(get_db)
 ):
-    if not api_key_header:
+    # Use header if provided, otherwise fallback to query param
+    api_key = api_key_h or api_key_q
+
+    # DEBUG LOGGING FOR 403 TROUBLESHOOTING
+    print(f"DEBUG: Auth Check - Header: {'Yes' if api_key_h else 'No'}, Query: {'Yes' if api_key_q else 'No'}")
+    if api_key:
+        print(f"DEBUG: API Key received (prefix): {api_key[:5]}...")
+    else:
+        print("DEBUG: API Key is MISSING from both header and query params")
+
+    if not api_key:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN, 
             detail="API Key missing"
         )
 
     # 1. Fallback to global static key (Admin)
-    if api_key_header == settings.API_KEY:
+    if api_key == settings.API_KEY:
-        return api_key_header
+        return api_key
     
     # 2. Check Cache first (VERY FAST)
-    if api_key_header in auth_cache:
+    if api_key in auth_cache:
-        return api_key_header
+        return api_key
     
     # 3. Check Database for Module key (Database round-trip)
-    module = db.query(Module).filter(Module.secret_key == api_key_header, Module.is_active == True).first()
+    module = db.query(Module).filter(Module.secret_key == api_key, Module.is_active == True).first()
     if module:
-        # Save module ID to cache for next time
+        # Save key to cache for next time
-        auth_cache[api_key_header] = module.id
+        auth_cache[api_key] = module.id
         return module
 
     raise HTTPException(
@@ -43,22 +54,31 @@ async def get_api_key(
     )
 
 async def get_current_module(
-    api_key_header: str = Security(api_key_header),
+    api_key_h: str = Security(api_key_header),
+    api_key_q: str = Security(api_key_query),
     db: Session = Depends(get_db)
 ):
+    api_key = api_key_h or api_key_q
+
+    if not api_key:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN, 
+            detail="API Key missing"
+        )
+
     # 1. Fallback to global static key (Admin) - No module tracking
-    if api_key_header == settings.API_KEY:
+    if api_key == settings.API_KEY:
         return None
     
     # 2. Check Cache
-    if api_key_header in auth_cache:
+    if api_key in auth_cache:
-        module_id = auth_cache[api_key_header]
+        module_id = auth_cache[api_key]
         return db.query(Module).filter(Module.id == module_id).first()
         
     # 3. DB Lookup
-    module = db.query(Module).filter(Module.secret_key == api_key_header, Module.is_active == True).first()
+    module = db.query(Module).filter(Module.secret_key == api_key, Module.is_active == True).first()
     if module:
-        auth_cache[api_key_header] = module.id
+        auth_cache[api_key] = module.id
         return module
         
     raise HTTPException(

app/api/endpoints/gemini.py

@@ -3,6 +3,7 @@ from app.api.deps import get_api_key, get_current_module
 from app.models.module import Module
 from sqlalchemy.orm import Session
 from app.core.database import get_db
+from fastapi.responses import PlainTextResponse
 from app.core.limiter import limiter
 from app.core.config import settings
 from pydantic import BaseModel
@@ -32,15 +33,54 @@ def get_gemini_client():
         _client = genai.Client(api_key=settings.GOOGLE_API_KEY, http_options={'api_version': 'v1alpha'})
     return _client
 
-@router.post("/chat")
+@router.api_route("/chat", methods=["GET", "POST"])
 @limiter.limit(settings.RATE_LIMIT)
 async def gemini_chat(
     request: Request,
-    chat_data: LLMRequest,
     api_key: str = Depends(get_api_key),
     module: Module = Depends(get_current_module),
     db: Session = Depends(get_db)
 ):
+    chat_data = None
+    
+    if request.method == "GET":
+        # Handle GET requests (Ultimate Simple Request)
+        params = request.query_params
+        if not params.get("prompt"):
+             return {"status": "error", "detail": "Missing 'prompt' query parameter"}
+        
+        chat_data = LLMRequest(
+            prompt=params.get("prompt"),
+            context=params.get("context", ""),
+            system_prompt=params.get("system_prompt"),
+            knowledge_base=params.get("knowledge_base"),
+            temperature=float(params.get("temperature", 0.7)),
+            top_p=float(params.get("top_p", 0.95)),
+            top_k=int(params.get("top_k", 40)),
+            max_output_tokens=int(params.get("max_output_tokens", 8192))
+        )
+    else:
+        # Handle POST requests
+        content_type = request.headers.get("Content-Type", "")
+        if "text/plain" in content_type:
+            try:
+                body = await request.body()
+                import json
+                data = json.loads(body)
+                chat_data = LLMRequest(**data)
+            except Exception as e:
+                return {"status": "error", "detail": f"Failed to parse text/plain as JSON: {str(e)}"}
+        else:
+            # Standard JSON parsing
+            try:
+                data = await request.json()
+                chat_data = LLMRequest(**data)
+            except Exception as e:
+                return {"status": "error", "detail": f"Invalid JSON: {str(e)}"}
+
+    if not chat_data:
+        return {"status": "error", "detail": "Could not determine request data"}
+
     client = get_gemini_client()
     
     try:
@@ -99,10 +139,14 @@ async def gemini_chat(
             module.total_tokens += (prompt_tokens + completion_tokens)
             db.commit()
         
+    except Exception as e:
+        return {"status": "error", "detail": str(e)}
+
+
+    # Final Response
     return {
         "status": "success",
         "model": "gemini",
         "response": response.text
     }
-    except Exception as e:
+
-        return {"status": "error", "detail": str(e)}

app/main.py

@@ -1,8 +1,14 @@
-from fastapi import FastAPI
+from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
 from slowapi import _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded
 
+import logging
+
+# Set up logging to stdout
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger("ai_gateway")
+
 from app.api.router import api_router
 from app.core.config import settings
 from app.core.limiter import limiter
@@ -31,11 +37,20 @@ def create_application() -> FastAPI:
     # Mount Static Files
     application.mount("/static", StaticFiles(directory="app/static"), name="static")
 
-    # Set up CORS
+    # Debug Logger Middleware
+    @application.middleware("http")
+    async def log_requests(request: Request, call_next):
+        logger.info(f"DEBUG: Incoming {request.method} {request.url}")
+        logger.info(f"DEBUG: Origin: {request.headers.get('origin')}")
+        response = await call_next(request)
+        logger.info(f"DEBUG: Status Code: {response.status_code}")
+        return response
+
+    # Set up fully permissive CORS for standalone/tunnelling mode
     application.add_middleware(
         CORSMiddleware,
         allow_origins=["*"],
-        allow_credentials=False, # Changed to False for better compat with allow_origins=["*"]
+        allow_credentials=True,
         allow_methods=["*"],
         allow_headers=["*"],
     )
@@ -70,6 +85,10 @@ import os
 async def admin_panel():
     return FileResponse("app/static/admin.html")
 
+@app.get("/api/v1/health")
+async def health_check():
+    return {"status": "ok", "message": "Global AI Gateway is reachable"}
+
 @app.get("/")
 async def root():
     return FileResponse("app/static/index.html")

app/static/index.html

@@ -186,7 +186,7 @@
     </div>
 
     <div class="footer">
-        &copy; 2026 AI Gateway. All rights reserved.
+        &copy; 2026 Paulo Reyes. All rights reserved.
     </div>
 </body>
 

docker-compose.test.yml

@@ -0,0 +1,18 @@
+services:
+  ai-gateway:
+    build: .
+    container_name: ai-gateway
+    expose:
+      - "8191"
+    environment:
+      - PYTHONUNBUFFERED=1
+    env_file:
+      - .env
+    networks:
+      - gateway_net
+    restart: always
+    command: uvicorn app.main:app --host 0.0.0.0 --port 8191
+
+networks:
+  gateway_net:
+    external: true

docker-compose.yml

@@ -1,13 +1,37 @@
 services:
-  api:
+  ai-gateway:
     build: .
-    container_name: storyline-ai-gateway
+    container_name: ai-gateway
-    ports:
+    networks:
-      - "8191:8000"
+      - ai_network
+    environment:
+      - PYTHONUNBUFFERED=1
     env_file:
       - .env
     restart: always
+    command: uvicorn app.main:app --host 0.0.0.0 --port 8000
+
+  caddy:
+    image: caddy:latest
+    container_name: caddy
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    networks:
+      - ai_network
     volumes:
-      - .:/app
+      - ./Caddyfile:/etc/caddy/Caddyfile
-    # Override command for development/auto-reload if needed
+      - caddy_data:/data
-    command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
+      - caddy_config:/config
+    depends_on:
+      - ai-gateway
+
+networks:
+  ai_network:
+    driver: bridge
+
+volumes:
+  caddy_data:
+  caddy_config:

supabase/migrations/20260311_enable_rls_modules.sql

@@ -0,0 +1,24 @@
+-- Enable Row Level Security on the modules table.
+-- This blocks all direct PostgREST access by default.
+-- The backend app connects via the service role (DATABASE_URL), which bypasses RLS,
+-- so existing functionality is unaffected.
+
+ALTER TABLE public.modules ENABLE ROW LEVEL SECURITY;
+
+-- Deny all access to anonymous (unauthenticated) PostgREST callers.
+-- No policy = no access. This is the default when RLS is enabled, but
+-- the explicit policy below makes the intent clear.
+CREATE POLICY "deny_anon" ON public.modules
+    AS RESTRICTIVE
+    FOR ALL
+    TO anon
+    USING (false);
+
+-- Deny all access to authenticated PostgREST callers too.
+-- The modules table is internal admin-only and should never be
+-- queried directly via the Supabase REST API.
+CREATE POLICY "deny_authenticated" ON public.modules
+    AS RESTRICTIVE
+    FOR ALL
+    TO authenticated
+    USING (false);