Harden explorer AI runtime and API ownership

scripts/fix-nginx-serve-custom-frontend.sh

@@ -32,7 +32,21 @@ server {
         try_files $uri =404;
     }
 
-    # API endpoint - MUST come before the redirect location
+    # Explorer backend API (auth, features, AI, explorer-owned v1 helpers)
+    location /explorer-api/v1/ {
+        proxy_pass http://127.0.0.1:8081/api/v1/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 60s;
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
+    }
+
+    # Blockscout API endpoint - MUST come before the redirect location
     location /api/ {
         proxy_pass http://127.0.0.1:4000;
         proxy_http_version 1.1;
@@ -199,9 +213,9 @@ server {
         add_header Cache-Control "public, immutable";
     }
 
-    # Token-aggregation API at /api/v1/ for the Snap site. Service runs on port 3001.
-    location /api/v1/ {
-        proxy_pass http://127.0.0.1:3001/api/v1/;
+    # Explorer backend API (auth, features, AI, explorer-owned v1 helpers)
+    location /explorer-api/v1/ {
+        proxy_pass http://127.0.0.1:8081/api/v1/;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -209,6 +223,8 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_read_timeout 60s;
         add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
     }
 
     # Token-aggregation API for the explorer SPA live route-tree and pool intelligence.