# Compose template for the sysadmin agent and its MCP browser sidecar.
# `{{ ... }}` placeholders (customer name, secrets) are filled by the template
# engine before Compose ever sees this file; `${VAR:-default}` expressions are
# resolved by Compose at `up` time from the deploy host's environment / .env.
services:
  agent:
    image: code.letsbe.solutions/letsbe/sysadmin-agent:latest
    container_name: {{ customer }}-agent
    # Join orchestrator network for container-to-container communication
    networks:
      - {{ customer }}-orchestrator
    # Enable host.docker.internal on Linux (for accessing host services)
    # Note: this also makes services bound to the host's own interfaces
    # reachable from the agent; keep it only while something needs it.
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      # Required: Orchestrator connection
      # In LOCAL_MODE, connect via shared Docker network
      # Plain HTTP on the shared network: confidentiality of the keys below
      # depends on that network being reachable only by these containers.
      - ORCHESTRATOR_URL=http://{{ customer }}-orchestrator-api:8000
      # ============================================================
      # AUTHENTICATION - Supports two modes (choose one)
      # ============================================================
      # Every value in this list is visible via `docker inspect` and to every
      # process inside the container, so treat the rendered file and the
      # container metadata as secret-bearing.
      # LOCAL_MODE: Single-tenant local deployment
      # When LOCAL_MODE=true, agent uses LOCAL_AGENT_KEY to register
      # via the /register-local endpoint (Phase 2 secure flow)
      - LOCAL_MODE=true
      - LOCAL_AGENT_KEY={{ local_agent_key }}
      # Multi-tenant mode: Registration token from orchestrator
      # When LOCAL_MODE=false (default), agent uses REGISTRATION_TOKEN
      # to register via the standard /register endpoint
      # This token is obtained from the orchestrator's registration-tokens API
      # NOTE(review): LOCAL_MODE is hard-coded to true above, so per the
      # comments this token is unused here yet still rendered into the
      # container environment; consider emitting it only when LOCAL_MODE is
      # false so an unused secret is not exposed.
      - REGISTRATION_TOKEN={{ sysadmin_registration_token }}
      # Note: After first registration, credentials are persisted to
      # ~/.letsbe-agent/credentials.json and tokens are no longer needed
      # ============================================================
      # Timing (seconds)
      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
      - POLL_INTERVAL=${POLL_INTERVAL:-5}
      # Logging
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - LOG_JSON=${LOG_JSON:-true}
      # Resilience
      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}
      # Security
      # Default root matches the host bind mounts below; the Playwright
      # artifacts dir also falls under it. Presumably bounds the agent's file
      # operations to this subtree -- verify enforcement in the agent itself.
      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
      # 10485760 bytes = 10 MiB
      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}
      # Playwright browser automation
      - PLAYWRIGHT_ARTIFACTS_DIR=/opt/letsbe/playwright-artifacts
      - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=60000
      - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=120000
      # MCP Browser Sidecar connection (for LLM-driven browser control)
      # Must render to the same value as API_KEY in the mcp-browser service.
      - MCP_BROWSER_URL=http://mcp-browser:8931
      - MCP_BROWSER_API_KEY={{ mcp_browser_api_key }}
    volumes:
      # Docker socket for container management
      # `:ro` only makes the socket *file* read-only; API calls over it are
      # unrestricted, so this grants the agent full control of the daemon
      # (host-root equivalent). A filtering socket proxy is the usual
      # mitigation if the agent needs only a subset of the API.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Host directory mounts for real infrastructure access
      # All three are read-write bind mounts into the host filesystem.
      - /opt/letsbe/env:/opt/letsbe/env
      - /opt/letsbe/stacks:/opt/letsbe/stacks
      - /opt/letsbe/nginx:/opt/letsbe/nginx
      # Credential persistence (survives restarts without re-registration)
      # NOTE(review): the service runs as root (see `user:` below), for whom
      # `~` is /root, not /home/agent; confirm the image sets HOME or the
      # agent uses a fixed path, otherwise credentials are not persisted here.
      - agent_home:/home/agent/.letsbe-agent
      # Playwright artifacts storage
      - playwright_artifacts:/opt/letsbe/playwright-artifacts
    # Security options for Chromium sandboxing
    # Relative path: presumably resolved against the Compose project directory,
    # so the profile must be deployed next to the rendered compose file -- confirm.
    security_opt:
      - seccomp=./chromium-seccomp.json
    # Run as root for Docker socket access
    # TODO: Use Docker group membership instead for better security
    # Note: docker-group membership is itself root-equivalent on the host, so
    # that TODO mostly narrows in-container privileges; the socket mount above
    # remains the dominant risk.
    user: root
    restart: unless-stopped
    # Resource limits (increased for Playwright browser automation)
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M

  mcp-browser:
    image: code.letsbe.solutions/letsbe/mcp-browser:latest
    container_name: {{ customer }}-mcp-browser
    # Join orchestrator network (shared with agent)
    networks:
      - {{ customer }}-orchestrator
    environment:
      # Session limits
      - MAX_SESSIONS=${MAX_SESSIONS:-3}
      - IDLE_TIMEOUT_SECONDS=${IDLE_TIMEOUT_SECONDS:-300}
      - MAX_SESSION_LIFETIME_SECONDS=${MAX_SESSION_LIFETIME_SECONDS:-1800}
      - MAX_ACTIONS_PER_SESSION=${MAX_ACTIONS_PER_SESSION:-50}
      # Logging
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - LOG_JSON=${LOG_JSON:-true}
      # Screenshots
      - SCREENSHOTS_DIR=/screenshots
      # Authentication
      # Shared secret with the agent's MCP_BROWSER_API_KEY; the sidecar is
      # reached over plain HTTP, so it protects against other tenants of the
      # network only as far as the network itself is isolated.
      - API_KEY={{ mcp_browser_api_key }}
    volumes:
      # Screenshots storage
      - mcp_screenshots:/screenshots
    # Security options for Chromium sandboxing
    security_opt:
      - seccomp=./chromium-seccomp.json
    restart: unless-stopped
    # Resource limits for browser automation
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M

# Named volumes are prefixed with the customer so several rendered stacks can
# coexist on one host without sharing state.
volumes:
  agent_home:
    name: {{ customer }}-agent-home
  playwright_artifacts:
    name: {{ customer }}-playwright-artifacts
  mcp_screenshots:
    name: {{ customer }}-mcp-screenshots

networks:
  # Not created by this stack (external): it must already exist -- presumably
  # created by the orchestrator deployment -- before `compose up`.
  {{ customer }}-orchestrator:
    external: true