feat(caddy): support HTTPS upstreams via https:// prefix

When a route's upstream starts with https://, buildCaddyfile emits a
transport http { tls_insecure_skip_verify } block so Caddy connects over TLS
and accepts the self-signed certificate typical of backends like Semaphore.
Added a UI hint explaining the https:// prefix.

ARCHITECTURE.md

@@ -464,6 +464,9 @@ Manual:  POST /api/semaphore/trigger/{bookingId}  body { type: 'setup'|'teardown
 buildCaddyfile():
   { local_certs }                          # global block
   per custom route { [encode] [tls internal] reverse_proxy <upstream> }
+  upstream prefixed with https:// → reverse_proxy gets a
+    transport http { tls_insecure_skip_verify } block
+    (for self-signed TLS backends like Semaphore)
 
 importCaddyfileRoutes():  reads /etc/caddy/Caddyfile on first Caddy enable
   parses hostname/upstream blocks → seeds caddy table as custom routes

server.ts

@@ -82,7 +82,17 @@ function buildCaddyfile(): string {
     lines.push(`${route.hostname} {`);
     if (route.compress) lines.push('    encode zstd gzip');
     if (route.tls) lines.push('    tls internal');
+    if (/^https:\/\//i.test(route.upstream)) {
+      // HTTPS upstream (e.g. Semaphore) — connect over TLS and skip certificate
+      // verification, since such backends typically use a self-signed cert.
+      lines.push(`    reverse_proxy ${route.upstream} {`);
+      lines.push('        transport http {');
+      lines.push('            tls_insecure_skip_verify');
+      lines.push('        }');
+      lines.push('    }');
+    } else {
       lines.push(`    reverse_proxy ${route.upstream}`);
+    }
     lines.push('}', '');
   }
 

src/components/Settings.tsx

@@ -930,6 +930,7 @@ export default function Settings({ currentUser: _currentUser }: SettingsProps) {
           {caddyEnabled && (
             <div className="space-y-2">
               <Label>Proxy Routes</Label>
+              <Hint>Prefix the upstream with https:// for TLS backends (e.g. Semaphore) — the certificate is not verified.</Hint>
 
               {caddyStatus === 'unavailable' && (
                 <p className="text-[11px] font-mono text-amber-400 mb-2">