(auth) {
	# Permission check (named arg: perm=...)
	forward_auth localhost:4401 {
		uri /auth/forward-auth?{args.0}
		copy_headers x-auth-*
	}
}

localhost {
	# Single definition for auth service endpoints (avoid duplicate matcher names)
	@auth_api path /auth/*
	handle @auth_api {
		reverse_proxy localhost:4401
	}

	# Admin-protected paths
	handle_path /admin/* {
		import auth perm=auth:admin
		# Respond with a message for the admin area
		respond "Admin area (protected)" 200
	}

	# Reports-protected paths
	handle_path /reports/* {
		import auth perm=reports:view
		# Respond with a message for the reports area
		respond "Reports area (protected)" 200
	}

	# Unprotected (fallback)
	handle {
		# Respond with a public content message
		respond "Public content" 200
	}
}