feat: add space subdomain routing and ownership support

- Traefik wildcard HostRegexp for <space>.r*.online subdomains
- Middleware subdomain extraction and path rewriting
- Provision endpoint with owner_did acknowledgement
- Registry enforces space ownership via EncryptID JWT

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/api/internal/provision/route.ts

@@ -4,6 +4,9 @@ import { NextResponse } from "next/server";
  * Internal provision endpoint — called by rSpace Registry when activating
  * this app for a space. No auth required (only reachable from Docker network).
  *
+ * Payload: { space, description, admin_email, public, owner_did }
+ * The owner_did identifies who registered the space via the registry.
+ *
  * rfunds has no server-side database — spaces are managed client-side.
  * This endpoint acknowledges the provisioning request.
  */
@@ -13,5 +16,6 @@ export async function POST(request: Request) {
   if (!space) {
     return NextResponse.json({ error: "Missing space name" }, { status: 400 });
   }
-  return NextResponse.json({ status: "ok", space, message: "rfunds is client-side, no provisioning needed" });
+  const ownerDid: string = body.owner_did || "";
+  return NextResponse.json({ status: "ok", space, owner_did: ownerDid, message: "rfunds space acknowledged" });
 }

middleware.ts

@@ -3,18 +3,46 @@ import type { NextRequest } from 'next/server'
 import { isDemoRequest } from '@encryptid/sdk/server/nextjs'
 
 /**
- * Middleware to protect /space routes.
+ * Middleware to handle subdomain-based space routing and protect /space routes.
  *
- * Client-side auth enforcement: the space page itself checks auth state via
- * Zustand store. This middleware adds a cookie-based check for server-rendered
- * requests — if no encryptid_token cookie is present on /space, redirect to
- * the home page with a login hint.
+ * Subdomain routing:
+ * - rfunds.online -> home/landing page
+ * - www.rfunds.online -> home/landing page
+ * - <space>.rfunds.online -> rewrite to /s/<space>
  *
- * Demo spaces (ENCRYPTID_DEMO_SPACES env var) bypass auth.
+ * Auth protection:
+ * - /space routes require auth (cookie or Bearer token)
+ * - Demo spaces (ENCRYPTID_DEMO_SPACES env var) bypass auth
+ *
+ * Also handles localhost for development.
  */
 export function middleware(request: NextRequest) {
+  const url = request.nextUrl.clone()
+  const hostname = request.headers.get('host') || ''
   const { pathname } = request.nextUrl
 
+  // --- Subdomain routing ---
+  let subdomain: string | null = null
+
+  // Match production: <space>.rfunds.online
+  const match = hostname.match(/^([a-z0-9][a-z0-9-]*[a-z0-9]|[a-z0-9])\.\w+\.online/)
+  if (match && match[1] !== 'www') {
+    subdomain = match[1]
+  } else if (hostname.includes('localhost')) {
+    // Development: <space>.localhost:port
+    const parts = hostname.split('.localhost')[0].split('.')
+    if (parts.length > 0 && parts[0] !== 'localhost') {
+      subdomain = parts[parts.length - 1]
+    }
+  }
+
+  // If we have a subdomain, rewrite root path to space page
+  if (subdomain && subdomain.length > 0 && pathname === '/') {
+    url.pathname = `/s/${subdomain}`
+    return NextResponse.rewrite(url)
+  }
+
+  // --- Auth protection for /space routes ---
   // Only protect /space routes (not /tbff which is a public demo)
   if (pathname.startsWith('/space')) {
     // Demo spaces get anonymous access — SDK provides synthetic claims
@@ -30,7 +58,6 @@ export function middleware(request: NextRequest) {
     const bearerToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null
 
     if (!token && !bearerToken) {
-      const url = request.nextUrl.clone()
       url.pathname = '/'
       url.searchParams.set('login', 'required')
       url.searchParams.set('return', pathname)
@@ -42,5 +69,7 @@ export function middleware(request: NextRequest) {
 }
 
 export const config = {
-  matcher: ['/space/:path*'],
+  matcher: [
+    '/((?!_next/static|_next/image|favicon.ico|.*\\..*|api).*)',
+  ],
 }