STALE: Pre-Z2 migration topology. See reference_z2-service-catalog for current endpoints.
Hinata API Gateway (Setup C)
period: project
owner: Trunks + Jimmy Neutron
status: LIVE
created: 2026-05-27
Doctrine
The only public API hostname is api.michael-engineer.dev. The commander is the first path segment. ONE cloudflared tunnel on jimmy-vps serves the entire public API surface. There is no routing Worker, no internal.* subdomain, no per-commander subdomain anywhere.
Topology
Browser (studio.michael-engineer.dev / curl / Telegram bot / future MCP clients)
↓ (HTTPS to CF edge)
api.michael-engineer.dev ← CF DNS → jimmy-vps cloudflared
↓ (single tunnel, single config.yml)
├─ /events* → http://localhost:8080 (local FastAPI on jimmy-vps)
├─ /bulma/* → http://nnamdis-macbook-pro:8081 (Mac via Tailscale wireguard)
├─ /weather/* → http://nnamdis-macbook-pro:8082 (Mac via Tailscale)
└─ catchall → 404

Components

| Component | Where | Role |
| --- | --- | --- |
| `api.michael-engineer.dev` | CF DNS CNAME → tunnel 67a84c34 | Public host |
| cloudflared tunnel `hinata-collector-api` | jimmy-vps `/etc/cloudflared/config.yml` | THE gateway |
| events FastAPI | jimmy-vps :8080 | /events backend |
| `bulma-api.py` | Mac 0.0.0.0:8081 (LaunchAgent `com.hinata.bulma-api`) | /bulma backend |
| `weather-api.py` | Mac 0.0.0.0:8082 (LaunchAgent `com.hinata.weather-api`) | /weather backend |
| `weather-poller.py` | Mac LaunchAgent every 30 min | populates `latest.json` cache |
| Tailscale | Mac ↔ jimmy-vps | private bridge for /bulma + /weather |
| Studio Worker `hinata-studio-api` | CF | adds `x-hinata-key` from secret |
Single Source of Truth — VPS Config
# /etc/cloudflared/config.yml on jimmy-vps
tunnel: 67a84c34-3ba0-43d6-ae39-03025a5b1c97
credentials-file: /etc/cloudflared/67a84c34-3ba0-43d6-ae39-03025a5b1c97.json
ingress:
  - hostname: api.michael-engineer.dev
    path: /events.*
    service: http://localhost:8080
  - hostname: api.michael-engineer.dev
    path: /bulma/.*
    service: http://nnamdis-macbook-pro:8081
  - hostname: api.michael-engineer.dev
    path: /weather/.*
    service: http://nnamdis-macbook-pro:8082
  - service: http_status:404

To add a new commander: SSH to jimmy-vps, add one path-based ingress block, then run `sudo systemctl restart cloudflared`. Mac side: add a wrapper + LaunchAgent bound to 0.0.0.0 on a new port. Cloudflare side: nothing.
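An added example, not part of the original page or the project's code: before restarting cloudflared with a new ingress block, this sketch resolves sample paths against the rules above and flags any that reach a backend without the commander as the first path segment. It assumes cloudflared takes the first matching rule and searches the `path` regex anywhere in the request path; `ANCHORED_RULES`, `resolve`, `doctrine_violations` and the sample paths are hypothetical names and constructed inputs.

```python
import re

HOST = "api.michael-engineer.dev"
NOT_FOUND = "http_status:404"

# (commander, path regex, service), copied in file order from the page's config.yml.
PAGE_RULES = [
    ("events", r"/events.*", "http://localhost:8080"),
    ("bulma", r"/bulma/.*", "http://nnamdis-macbook-pro:8081"),
    ("weather", r"/weather/.*", "http://nnamdis-macbook-pro:8082"),
]
# Hypothetical tightened patterns (not on the page), pinned to the first segment.
ANCHORED_RULES = [
    ("events", r"^/events(/.*)?$", "http://localhost:8080"),
    ("bulma", r"^/bulma/.*", "http://nnamdis-macbook-pro:8081"),
    ("weather", r"^/weather/.*", "http://nnamdis-macbook-pro:8082"),
]

def resolve(rules, host, path):
    """Return (commander, service) for the first matching rule, else the 404 catch-all."""
    if host == HOST:
        for commander, pattern, service in rules:
            # Assumption: the regex is searched anywhere in the path (unanchored).
            if re.search(pattern, path):
                return commander, service
    return None, NOT_FOUND

def doctrine_violations(rules, paths):
    """Paths that reach a backend whose commander is not their first path segment."""
    bad = []
    for path in paths:
        commander, service = resolve(rules, HOST, path)
        first = path.lstrip("/").split("/", 1)[0]
        if commander is not None and first != commander:
            bad.append((path, service))
    return bad

# Constructed sample paths, not taken from real traffic.
SAMPLES = ["/events", "/events/42", "/bulma/status", "/weather/latest",
           "/eventsfoo", "/v1/bulma/status", "/unknown"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", resolve(PAGE_RULES, HOST, p)[1])
    print("page rules:", doctrine_violations(PAGE_RULES, SAMPLES))
    print("anchored:  ", doctrine_violations(ANCHORED_RULES, SAMPLES))
```

On jimmy-vps, `cloudflared tunnel ingress validate` and `cloudflared tunnel ingress rule <URL>` check the same config with the real binary.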
DNS Cleanup — Complete
All three orphan CNAMEs deleted from CF DNS by Michael 2026-05-27 (~12:20):
internal.michael-engineer.dev — gone
bulma-api.michael-engineer.dev — gone
weather-api.michael-engineer.dev — gone
api.michael-engineer.dev is now the only API-purpose subdomain under michael-engineer.dev.
Retired in This Session
Worker: hinata-api-router (deleted from CF)
Tunnel: hinata-bulma-api (UUID 8b08522c — deleted from CF)
LaunchAgent: com.hinata.cloudflared-bulma (unloaded + file removed)
Local: ~/.cloudflared/bulma-api.yml + creds
Sandpit: applications/hinata-api-router/ directory
DNS: internal.michael-engineer.dev (deleted — see DNS cleanup above)

◆ hinata · projects/api-gateway.html · phase-18 flatten