fix(nginx): add proxy mappings for /agent/ and /anchors to resolve 404s

[mvmax-dev]

Resolves #6693

This PR resolves the 404 errors for the agent economy endpoints (/agent/stats, /agent/jobs) and the /anchors page in the explorer:

• Added location /agent/ Nginx proxy pass block to forward Agent-to-Agent economy routes (RIP-302) to the Flask backend running on port 8099.
• Added location = /anchors and location /anchor/ Nginx proxy pass blocks to properly route/redirect Ergo Anchors endpoints.

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Non-doc PRs have a BCOS-L1 or BCOS-L2 label
• Doc-only PRs are exempt from BCOS tier labels when they only touch docs/**, *.md, or common image/PDF files
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[qingfeng312]

Formal review for bounty #73.

This PR should not close #6693 as-is. The issue reports three separate failures: /agent/* 404s, /anchors 404, and the raw-IP explorer URL failing browser TLS validation. This patch only adds nginx proxy locations for the application routes. It does not change the certificate/default-server behavior for https://50.28.86.131/explorer/, and the checked-in config still only references the rustchain.org certbot certificate in the TLS server block.

Because the PR body says Resolves #6693, merging it would close an issue that still has one of its documented reproduction paths unresolved. Please either narrow the closing text/scope to the route 404s, or add the deployment/certificate/redirect coverage needed for the raw-IP TLS case as well.

[mvmax-dev]

I have added the redirect coverage for the raw-IP TLS case in site/nginx-rustchain-org.conf. Specifically, requests hitting the Nginx server block with the host 50.28.86.131 are now redirected (via 301) to https://rustchain.org$request_uri on both the HTTP (port 80) and HTTPS (port 443) blocks. This ensures that any direct IP requests for the explorer redirect cleanly to the canonical domain.

[thenaturelover343-jpg]

Changes requested

I found one blocker in the nginx mapping added here.

The linked issue only needs the public explorer to read /agent/stats, /agent/jobs, /anchors, and /anchor/list, but this change exposes the whole /agent/ prefix through rustchain.org. In the integrated app that prefix includes multiple mutating POST routes, including /agent/jobs, /agent/jobs/<job_id>/claim, /agent/jobs/<job_id>/deliver, /agent/jobs/<job_id>/accept, /agent/jobs/<job_id>/dispute, and /agent/jobs/<job_id>/cancel from rip302_agent_economy.py.

The new nginx block also advertises POST, GET, OPTIONS and allows X-Admin-Key in CORS for that entire prefix. That is broader than the bug report requires and could unintentionally make Agent Economy write/admin-style endpoints reachable from the public website path.

Suggested fix: split the read-only explorer endpoints from the mutable Agent Economy API. For this PR, proxy only the needed GET routes, for example exact /agent/stats and /agent/jobs, and keep methods/CORS headers read-only unless there is a separate deployment decision to expose all Agent Economy POST routes publicly.

The /anchors and /anchor/ mappings look directionally aligned with the current app routes: the integrated node has /anchors -> /anchor/list, and the anchor module exposes /anchor/status, /anchor/proof/<height>, and /anchor/list.

[jaxint]

Great work!

[mvmax-dev]

I have restricted the agent economy proxy endpoints to GET requests for /agent/stats and /agent/jobs only (with GET and OPTIONS methods), keeping the rest of the /agent/* mutable endpoints secure from public website access. Let me know if everything looks good now!

[Scottcjn]

✅ Merging — fixes /agent/ routing (read-only, public)

Adds nginx proxy mappings for /agent/stats, /agent/jobs, /anchors, /anchor/ → the local node, GET/OPTIONS only with CORS. These are public read endpoints (the RIP-302 job board + anchor data), so public CORS is appropriate and this unblocks clients (incl. the OTC bridge's /agent/ calls) hitting 404s. Aligned with the keep-GETs-public policy. (Reference config — the live nginx deploy is separate; worth a quick check that /agent/jobs doesn't echo any non-public fields.) Thanks @mvmax-dev.

[jaxint]

Great work! Thanks for contributing.