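# Docker Compose definition for the aegis-gitea-mcp service.
# Two mutually exclusive profiles share one image:
#   prod - hardened runtime (read-only rootfs, tmpfs /tmp, no published ports)
#   dev  - source bind-mounted read-only, port published on the host loopback only
# Both services join the external `proxy` network and write logs to the
# shared `aegis-mcp-logs` volume.
services:
  aegis-mcp:
    profiles: ["prod"]
    build:
      context: .
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp
    restart: unless-stopped
    env_file:
      - .env
    environment:
      ENVIRONMENT: production
      # Bind address for the MCP listener, overridable from the host environment.
      # NOTE(review): the default is the container's own loopback; peers on the
      # `proxy` network reach the container interface, not its loopback - confirm
      # the reverse proxy can actually connect with this default.
      MCP_HOST: "${MCP_HOST:-127.0.0.1}"
      # Quoted so the value reaches the process as the string "false"/"true".
      ALLOW_INSECURE_BIND: "${ALLOW_INSECURE_BIND:-false}"
    # Not published on the host; only reachable by containers on `proxy`.
    expose:
      - "8080"
    volumes:
      - aegis-mcp-logs:/var/log/aegis-mcp
      - ./policy.yaml:/app/policy.yaml:ro
    # Immutable root filesystem; the only writable paths are the log volume and tmpfs.
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    user: "1000:1000"
    networks:
      - proxy
    healthcheck:
      # raise_for_status() makes a reachable-but-failing endpoint (HTTP 5xx)
      # count as unhealthy; a bare GET only fails on connection errors.
      test:
        - "CMD"
        - "python"
        - "-c"
        - "import httpx; httpx.get('http://127.0.0.1:8080/health', timeout=5).raise_for_status()"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

  aegis-mcp-dev:
    profiles: ["dev"]
    build:
      context: .
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp-dev
    restart: unless-stopped
    env_file:
      - .env
    environment:
      ENVIRONMENT: development
      # NOTE(review): same loopback-bind caveat as prod - a port published from the
      # host is delivered to the container interface, not 127.0.0.1 inside it;
      # confirm the listener is reachable through the mapping below.
      MCP_HOST: "127.0.0.1"
      # Boolean-looking values are quoted so they stay strings, matching prod.
      ALLOW_INSECURE_BIND: "false"
      LOG_LEVEL: DEBUG
      EXPOSE_ERROR_DETAILS: "true"
    # Published on the host loopback only, never on all interfaces.
    ports:
      - "127.0.0.1:${MCP_PORT:-8080}:8080"
    volumes:
      - ./src:/app/src:ro
      - ./policy.yaml:/app/policy.yaml:ro
      - aegis-mcp-logs:/var/log/aegis-mcp
    # NOTE(review): root filesystem is left writable here (no read_only/tmpfs as in
    # prod); mirror the prod hardening once it is confirmed not to break dev tooling.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    user: "1000:1000"
    networks:
      - proxy
    healthcheck:
      # Same probe as prod so `docker compose ps` reports health in both profiles.
      test:
        - "CMD"
        - "python"
        - "-c"
        - "import httpx; httpx.get('http://127.0.0.1:8080/health', timeout=5).raise_for_status()"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

volumes:
  # Shared log volume; both profiles mount it at /var/log/aegis-mcp.
  aegis-mcp-logs:
    driver: local

networks:
  # Created outside this file (e.g. by the reverse-proxy stack); compose will
  # fail fast if it does not exist.
  proxy:
    external: true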