# Single private bridge network shared by every service in this file.
networks:
  internal:
    driver: bridge

# Named volumes: application data plus Caddy's state and config directories.
volumes:
  docugen-data:
  caddy-data:
  caddy-config:

# Hardening defaults that a service opts into with `<<: *common-security`.
# The merge is shallow: a key repeated inside a service replaces the value
# from this mapping rather than extending it.
x-common-security: &common-security
  cap_drop:
    - ALL
  security_opt:
    - 'no-new-privileges:true'
  restart: unless-stopped
  networks:
    - internal

services:
  # ========================================================
  # GATEWAY — the only host port, reverse proxy + landing page
  # ========================================================
  # NOTE(review): unlike mcp-docugen, this service does not merge
  # x-common-security, so `cap_drop: [ALL]` is not applied here and no `user:`
  # is set (the container runs as the image's default user). Confirm whether
  # that is intentional or an omission.
  gateway:
    image: caddy:2-alpine
    restart: unless-stopped
    networks:
      - internal
    security_opt:
      - 'no-new-privileges:true'
    # No host IP is given, so the port is published on all host interfaces.
    # Prefix the mapping with a host address (e.g. 127.0.0.1) if the gateway
    # should only be reachable locally or from a fronting proxy.
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    volumes:
      # Configuration and static content are mounted read-only.
      - ./gateway/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./gateway/public:/srv:ro
      - caddy-data:/data
      - caddy-config:/config
    # Waits for mcp-docugen to report healthy. No healthcheck for that service
    # is visible in this part of the file — presumably it is declared in the
    # image or further down; verify.
    depends_on:
      mcp-docugen:
        condition: service_healthy
    # Probes the listener from inside the container.
    healthcheck:
      test:
        - CMD
        - wget
        - '-q'
        - '--spider'
        - 'http://localhost:8080/'
      interval: 30s
      timeout: 5s
      retries: 3

  # ========================================================
  # MCP — reachable only through the gateway (no host port)
  # ========================================================
  mcp-docugen:
    # All capabilities dropped, no-new-privileges, internal network only.
    <<: *common-security
    image: arca-mcp-docugen:dev
    build:
      context: .
      dockerfile: docker/mcp-docugen.Dockerfile
    # Fixed non-root UID:GID; quoted so it is always read as a string.
    user: "1000:1000"
    environment:
      # Compose substitutes an empty string (with a warning) when a variable
      # is unset. NOTE(review): if an empty API_KEY would leave the service
      # unauthenticated, consider the `${VAR:?message}` form so startup fails
      # instead — confirm how the application treats an empty key.
      API_KEY: "${DOCUGEN_API_KEY}"
      OPENROUTER_API_KEY: "${OPENROUTER_API_KEY}"
      PUBLIC_BASE_URL: "${PUBLIC_BASE_URL:-http://localhost:8080/mcp-docugen}"
      DATA_DIR: /data
    volumes:
      - docugen-data:/data