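---
# Compose definition for the aegis-mcp container (Gitea MCP server).
# Runtime hardening visible here: read-only root filesystem, all Linux
# capabilities dropped, no-new-privileges, unprivileged UID/GID, and the
# published port bound to the host loopback interface only.
services:
  aegis-mcp:
    build:
      context: ..
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp
    restart: unless-stopped
    # Deployment-specific settings (and any secrets) are read from ../.env
    # rather than being committed in this file.
    env_file:
      - ../.env
    environment:
      ENVIRONMENT: production
      # Interpolated values are quoted so the substituted text is always handed
      # to the container as a string: the Compose spec recommends quoting
      # boolean-looking values such as `false` so no loader re-types them, and
      # quoting also keeps an empty expansion from reading as null.
      MCP_HOST: "${MCP_HOST:-127.0.0.1}"
      ALLOW_INSECURE_BIND: "${ALLOW_INSECURE_BIND:-false}"
    # Host side is pinned to 127.0.0.1, so the port is not reachable from
    # other hosts; a reverse proxy on the `proxy` network presumably fronts
    # the service (inferred from the network name — verify in the deployment).
    ports:
      - "127.0.0.1:${MCP_PORT:-8080}:8080"
    volumes:
      - aegis-mcp-logs:/var/log/aegis-mcp
      # Policy file is mounted read-only; it is edited on the host, never
      # from inside the container.
      - ../policy.yaml:/app/policy.yaml:ro
    # With read_only the container cannot write anywhere except the log
    # volume above and the tmpfs mount below.
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    user: "1000:1000"
    networks:
      - proxy
    healthcheck:
      # Executed inside the container, so it relies on `python` and the
      # `httpx` package being present in the image — TODO confirm against
      # docker/Dockerfile.
      test:
        - CMD
        - python
        - "-c"
        - "import httpx; httpx.get('http://127.0.0.1:8080/health', timeout=5)"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

volumes:
  aegis-mcp-logs:
    driver: local

networks:
  # Declared external: Compose will not create this network, it must exist
  # before `docker compose up`.
  proxy:
    external: true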