fix(routing): proxy /encryptid/* to encryptid container

The encryptid API routes live on the separate encryptid container, not
rspace. Clients on space subdomains (jeff.rspace.online) fetch
/encryptid/* relative to the rspace server. Add a catch-all proxy that
forwards these requests to the internal encryptid service.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/index.ts

@@ -402,6 +402,26 @@ app.route("/api/notifications", notificationRouter);
 app.route("/api/mi", miRoutes);
 
 
+// ── EncryptID proxy (forward /encryptid/* to encryptid container) ──
+const ENCRYPTID_INTERNAL = process.env.ENCRYPTID_INTERNAL_URL || "http://encryptid:3000";
+app.all("/encryptid/*", async (c) => {
+	const targetUrl = `${ENCRYPTID_INTERNAL}${c.req.path}${new URL(c.req.url).search}`;
+	const headers = new Headers(c.req.raw.headers);
+	headers.delete("host");
+	try {
+		const res = await fetch(targetUrl, {
+			method: c.req.method,
+			headers,
+			body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : undefined,
+			// @ts-ignore duplex needed for streaming request bodies
+			duplex: "half",
+		});
+		return new Response(res.body, { status: res.status, headers: res.headers });
+	} catch (e: any) {
+		return c.json({ error: "EncryptID service unavailable" }, 502);
+	}
+});
+
 // ── Existing /api/communities/* routes (backward compatible) ──
 
 /** Resolve a community slug to SpaceAuthConfig for the SDK guard */