
fix: allow /embed/ and /.well-known/ routes on self-hosted instances #1802

Open

bskthefirst wants to merge 1 commit into CapSoftware:main from bskthefirst:fix/proxy-whitelist-embed-wellknown

Conversation

bskthefirst commented May 12, 2026

Summary

Self-hosted instances currently redirect /embed/* and /.well-known/* requests to /login because the proxy whitelist does not include these paths.

Changes

  • Added path.startsWith("/embed/") and path.startsWith("/.well-known/") to the self-hosted whitelist in apps/web/proxy.ts

Issues Fixed

Notes

  • This PR was created with AI assistance (Codex/Hermes) and manually reviewed before submission.
  • The existing open PR #906 Fix video embedding. #1415 attempted to fix the embed issue in the old middleware.ts location; this applies the fix to the current proxy.ts file.

Test Plan

  • Verify /embed/[videoId] loads without redirect on a self-hosted instance
  • Verify /.well-known/workflow/v1/* loads without redirect on a self-hosted instance

Greptile Summary

This PR adds /embed/ and /.well-known/ to the self-hosted proxy whitelist in apps/web/proxy.ts, fixing two issues where those routes were incorrectly redirected to /login on self-hosted instances.

  • Embed routes: /embed/ is now whitelisted so embedded video pages load correctly without an auth redirect on self-hosted deployments.
  • Well-known routes: /.well-known/ is now whitelisted, enabling ACME challenges, OpenID Connect discovery, and similar standard discovery paths to function as expected.

Confidence Score: 4/5

Safe to merge — the change is small and targeted, only affecting the self-hosted path whitelist with no impact on the main Cap cloud deployment.

The fix is correct and well-scoped. The only minor inconsistency is that /embed/ is whitelisted with a trailing slash while all other entries in the same list use no trailing slash, which means a bare /embed request would still redirect to /login. This is unlikely to matter in practice but is worth aligning with the surrounding pattern.

Only apps/web/proxy.ts changed — a quick check on the trailing-slash consistency on line 53 is worthwhile.

Important Files Changed

Filename: apps/web/proxy.ts
Overview: Adds /embed/ and /.well-known/ to the self-hosted proxy whitelist so those routes are no longer redirected to /login on self-hosted instances. The logic change is minimal and correct, though /embed without the trailing slash remains blocked.

Reviews (1): Last reviewed commit: "fix: allow /embed/ and /.well-known/ rou..."

Greptile also left 1 inline comment on this PR.

- Prevents proxy from redirecting /embed/* and /.well-known/* to /login
  on non-cap.so deployments (self-hosted)
- Fixes CapSoftware#1768 and CapSoftware#1774

This fix was generated with AI assistance (Codex/Hermes) and manually reviewed.
brin-security-scanner (bot) added the labels contributor:verified (Contributor passed trust analysis) and pr:verified (PR passed security analysis) on May 12, 2026
Comment thread apps/web/proxy.ts
path.startsWith("/terms") ||
path.startsWith("/verify-otp")
path.startsWith("/verify-otp") ||
path.startsWith("/embed/") ||
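Review bot: the new `path.startsWith("/embed/")` entry carries a trailing slash while its neighbours `path.startsWith("/terms")` and `path.startsWith("/verify-otp")` do not, so a request for the bare `/embed` root still falls through to the login redirect. Either align it with the surrounding entries or, more precisely, match `path === "/embed" || path.startsWith("/embed/")`, which admits the root and its sub-paths without also admitting an unrelated path that merely begins with the same characters. The trailing `||` shows further entries follow this line, so the `/.well-known/` entry from the description is outside the shown context and should get the same treatment. Since every entry in this list exempts everything beneath it from the login redirect, the embed page handler itself must enforce the video's own visibility rules.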

P2 Trailing-slash mismatch on /embed/

The check uses path.startsWith("/embed/") (with a trailing slash), so a request to /embed (no trailing slash) would still be redirected to /login. All other "section" entries in this whitelist (e.g. /dashboard, /onboarding, /terms) omit the trailing slash and match both the root path and any sub-paths. To be consistent and safe, consider dropping the trailing slash so it reads path.startsWith("/embed").
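The trailing-slash point above is a general property of prefix allowlists, so the following added example (not the project's apps/web/proxy.ts, and not Greptile's or the PR author's code) puts the three ways of writing such a check side by side: the trailing-slash form the PR uses, the bare prefix the review suggests, and a segment-aware match. PUBLIC_SECTIONS, decide, evaluate and the sample paths are constructed for the illustration; only the route names are taken from the PR.

```typescript
// Added illustration, not the project's apps/web/proxy.ts: three ways to
// test whether a request path belongs to a public (unauthenticated) section.
// PUBLIC_SECTIONS is a hypothetical list modelled on entries named in the PR.
const PUBLIC_SECTIONS: readonly string[] = ["/terms", "/verify-otp", "/embed", "/.well-known"];

// Variant A: prefix plus trailing slash, as the PR currently writes "/embed/".
// Matches sub-paths but not the section root itself.
function isPublicTrailingSlash(path: string): boolean {
  return PUBLIC_SECTIONS.some((section) => path.startsWith(section + "/"));
}

// Variant B: bare prefix, as the other whitelist entries and the review
// suggestion use. Matches the root, but also any path that merely starts
// with the same characters (e.g. "/embedded-admin" for "/embed").
function isPublicBarePrefix(path: string): boolean {
  return PUBLIC_SECTIONS.some((section) => path.startsWith(section));
}

// Variant C: segment-aware match: the section root exactly, or anything
// beneath it, and nothing else.
function isPublicSegment(path: string): boolean {
  return PUBLIC_SECTIONS.some(
    (section) => path === section || path.startsWith(section + "/"),
  );
}

type Matcher = (path: string) => boolean;

// Hypothetical proxy decision: null means "pass through", otherwise the
// redirect target, mirroring the /login redirect described in the PR.
function decide(path: string, isPublic: Matcher): string | null {
  return isPublic(path) ? null : "/login";
}

// Constructed sample request paths, including the two edge cases the
// review discusses: the bare section root and an unrelated look-alike path.
const SAMPLE_PATHS: readonly string[] = [
  "/embed",
  "/embed/abc123",
  "/embedded-admin",
  "/.well-known/workflow/v1/status",
  "/dashboard",
];

// Runs every sample path through one matcher; returns path -> decision.
function evaluate(isPublic: Matcher): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const p of SAMPLE_PATHS) out[p] = decide(p, isPublic);
  return out;
}

// Side-by-side table for a quick manual check.
const MATCHERS: Array<[string, Matcher]> = [
  ["trailing-slash", isPublicTrailingSlash],
  ["bare-prefix", isPublicBarePrefix],
  ["segment-aware", isPublicSegment],
];
for (const [name, m] of MATCHERS) console.log(name, evaluate(m));
```

Variant A leaves the section root redirected, variant B fixes that but also exempts any sibling path that shares the prefix, and variant C gives exactly the intended set; the same comparison applies to /.well-known, /terms and the other entries.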




Development

Successfully merging this pull request may close these issues.

  • /.well-known/workflow/v1/* routes blocked by proxy whitelist on self-hosted
  • /embed/* routes redirect to /login on self-hosted, breaking iframe embeds
