From eee89f9f32c502dd355052a03ecd4fc64cd9c25a Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Thu, 16 Apr 2026 17:06:25 -0400
Subject: [PATCH] fix(rpast): always https for non-loopback hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Traefik → container hop in the rSpace stack sets x-forwarded-proto: http even when the real client request is https. That was leaking into the "Open in " links emitted in chronicle.mw. Simplify: any non-local host gets https, period.
---
...104 - n8n-style-automation-canvas-for-rMinders.md} | 0
...ask-118.5 - Add-local-first-client-to-rminders.md} | 0
modules/rpast/mod.ts | 11 +++++------
3 files changed, 5 insertions(+), 6 deletions(-)
rename backlog/tasks/{task-104 - n8n-style-automation-canvas-for-rSchedule.md => task-104 - n8n-style-automation-canvas-for-rMinders.md} (100%)
rename backlog/tasks/{task-118.5 - Add-local-first-client-to-rschedule.md => task-118.5 - Add-local-first-client-to-rminders.md} (100%)
diff --git a/backlog/tasks/task-104 - n8n-style-automation-canvas-for-rSchedule.md b/backlog/tasks/task-104 - n8n-style-automation-canvas-for-rMinders.md
similarity index 100%
rename from backlog/tasks/task-104 - n8n-style-automation-canvas-for-rSchedule.md
rename to backlog/tasks/task-104 - n8n-style-automation-canvas-for-rMinders.md
diff --git a/backlog/tasks/task-118.5 - Add-local-first-client-to-rschedule.md b/backlog/tasks/task-118.5 - Add-local-first-client-to-rminders.md
similarity index 100%
rename from backlog/tasks/task-118.5 - Add-local-first-client-to-rschedule.md
rename to backlog/tasks/task-118.5 - Add-local-first-client-to-rminders.md
diff --git a/modules/rpast/mod.ts b/modules/rpast/mod.ts
index 27a53a04..2240c916 100644
--- a/modules/rpast/mod.ts
+++ b/modules/rpast/mod.ts
@@ -51,14 +51,13 @@ async function buildProjection(c: any) {
  // Derive the public base URL from the request so in-timeline "Open in
  // rApp" links resolve against the same origin the user arrived from.
- // Default to https — rSpace always runs behind Cloudflare/Traefik TLS in
- // production. Only fall back to http for loopback dev hosts.
+ // rSpace production is always behind Cloudflare/Traefik TLS, so for any
+ // non-loopback host we always emit https — forwarded-proto headers can
+ // be `http` (internal Traefik→container hop) even though the real client
+ // request was https.
  const host = c.req.header('x-forwarded-host') ?? c.req.header('host');
  const isLocal = !host || /^(localhost|127\.|\[::1\])/i.test(host);
- const forwardedProto = c.req.header('x-forwarded-proto');
- const proto = forwardedProto === 'http' || forwardedProto === 'https'
- ? forwardedProto
- : (isLocal ? 'http' : 'https');
+ const proto = isLocal ? 'http' : 'https';
  const baseUrl = host ? `${proto}://${host}` : undefined;
  const sources = await enumerateCreations(space, { modules, from, to });
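Review bot: With `proto` now decided by `isLocal` alone, the prefix-only regex on the `isLocal` line becomes the sole gate for emitting `http`, and it matches any host that merely starts with `localhost` or `127.` (for example a name like `localhost.example.org`, constructed here for illustration), so such a host would get `http://` links. Anchor the whole value and allow an optional port, e.g. `const isLocal = !host || /^(localhost|127(?:\.\d{1,3}){3}|\[::1\])(?::\d+)?$/i.test(host);`. Separately, `host` still prefers the client-suppliable `x-forwarded-host`; unless the proxy is known to overwrite that header (not visible here), `baseUrl` should be checked against a list of expected public hosts before it is put into links. `buildProjection` starts and ends outside this hunk.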