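---
# process-compose manifest for the neural-runner container.
version: "0.5"

# Logs to stdout when log_location not set (required for Docker visibility)
log_level: info

# Shared by every process below; a process's own `environment` list adds to it.
environment:
  - HOME=/home/user
  - PATH=/home/user/.local/bin:/usr/local/bin:/usr/bin:/bin

processes:
  # Optional userspace Tailscale node. It serves a SOCKS5 proxy on
  # localhost:1055, which garmin-mcp points at via TS_SOCKS_PROXY.
  # TS_AUTHKEY is expected from the container environment (not set here);
  # without it the process only idles so that dependents still start.
  tailscale:
    # Literal block (|-) instead of folded (>-): the script depends on its line
    # structure, and folding joins lines into one statement unless every inner
    # line is more-indented than the first.
    # Caveats, both visible in the script:
    #   - the fixed `sleep 3` is the only wait for tailscaled to open its socket;
    #     if the daemon is slower, `tailscale up` fails and the "[vpn] Up:" line
    #     prints an empty address;
    #   - both branches end in `tail -f /dev/null`, so the shell never exits
    #     non-zero on its own and `restart: on_failure` below effectively only
    #     covers the shell being killed;
    #   - the auth key is passed as a command-line argument, so it is readable
    #     via /proc/<pid>/cmdline for as long as `tailscale up` runs.
    command: |-
      sh -c '
      if [ -n "$TS_AUTHKEY" ]; then
        echo "[vpn] Starting mesh network (userspace)..."
        tailscaled --tun=userspace-networking --state=/tmp/tailscaled --socket=/tmp/tailscaled.sock --socks5-server=localhost:1055 &
        sleep 3
        tailscale --socket=/tmp/tailscaled.sock up --authkey="$TS_AUTHKEY" --hostname=neural-runner
        echo "[vpn] Up: $(tailscale --socket=/tmp/tailscaled.sock ip -4 2>/dev/null)"
        tail -f /dev/null
      else
        echo "[vpn] No TS_AUTHKEY — skipping"
        tail -f /dev/null
      fi'
    availability:
      restart: on_failure
      backoff_seconds: 10
      max_restarts: 3

  # Frontend. Every line of its output is prefixed with the process name and
  # GIT_COMMIT (falling back to "unknown") so interleaved logs stay attributable.
  nextjs:
    command: sh -c 'node /home/user/app/frontend/server.js 2>&1 | sed -u "s/^/[nextjs] [${GIT_COMMIT:-unknown}] /"'
    working_dir: /home/user/app/frontend
    availability:
      restart: always
      backoff_seconds: 2
      max_restarts: 0  # unlimited
    environment:
      - PORT=7860
      - HOSTNAME=0.0.0.0
      # The three MCP backends defined further down, reached over loopback.
      - MCP_GARMIN_URL=http://localhost:8080/mcp
      - MCP_COROS_URL=http://localhost:8081/mcp
      - MCP_AGENT_URL=http://localhost:8082/mcp
      - NODE_ENV=production
    readiness_probe:
      http_get:
        host: localhost
        port: 7860
        path: /api/healthz
      initial_delay_seconds: 2
      period_seconds: 30
      timeout_seconds: 5
      success_threshold: 1
      failure_threshold: 3

  garmin-mcp:
    command: sh -c 'python3 -m garmin_mcp --http --port 8080 2>&1 | sed -u "s/^/[garmin-mcp] [${GIT_COMMIT:-unknown}] /"'
    working_dir: /home/user/app
    environment:
      # Routes outbound traffic through the tailscale process's SOCKS5 listener.
      - TS_SOCKS_PROXY=socks5h://localhost:1055
    # process_started only waits for the tailscale shell to launch, not for the
    # listener on :1055 to accept connections, so the proxy may be unreachable
    # during the first seconds (tailscaled is backgrounded, then slept on for 3 s).
    depends_on:
      tailscale:
        condition: process_started
    availability:
      restart: on_failure
      backoff_seconds: 5
      max_restarts: 3

  # No environment variables needed - fully stateless (memory-only)
  coros-mcp:
    command: sh -c 'python3 -m coros_mcp --http --port 8081 2>&1 | sed -u "s/^/[coros-mcp] [${GIT_COMMIT:-unknown}] /"'
    working_dir: /home/user/app
    availability:
      restart: on_failure
      backoff_seconds: 5
      max_restarts: 3

  # bwrap sandbox: agent-tools can only write to /tmp/neural-runner/sessions/ (per-session dirs).
  # Tokens, app source, and secrets are invisible. Python/libs/fonts are read-only.
  # /tmp is a fresh tmpfs inside the sandbox, so /tmp/tailscaled.sock and the
  # /tmp/neural-runner/tokens tree synced by hf-storage-sync are not bound in.
  agent-tools:
    # Folded block (>-): the continuation lines are joined into one command line.
    # --unshare-pid gives the sandbox its own pid namespace, so the procfs
    # mounted by --proc shows only sandboxed processes; without it the /proc
    # of the container's own pid namespace is exposed and sibling processes'
    # /proc/<pid>/cmdline (e.g. the tailscale auth key above) is readable.
    command: >-
      sh -c 'mkdir -p /tmp/neural-runner/sessions && bwrap
      --unshare-pid
      --ro-bind /usr /usr
      --ro-bind /lib /lib
      --ro-bind /bin /bin
      --ro-bind /sbin /sbin
      --symlink /usr/lib64 /lib64
      --ro-bind /usr/local /usr/local
      --ro-bind /etc/resolv.conf /etc/resolv.conf
      --ro-bind /etc/ssl /etc/ssl
      --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf
      --proc /proc
      --dev /dev
      --tmpfs /tmp
      --bind /tmp/neural-runner/sessions /tmp/neural-runner/sessions
      -- python3 -m agent_tools --http --port 8082 2>&1 | sed -u "s/^/[agent-tools] [${GIT_COMMIT:-unknown}] /"'
    working_dir: /home/user/app
    availability:
      restart: on_failure
      backoff_seconds: 5
      max_restarts: 3

  # Syncs the tokens and subagents directories under /tmp/neural-runner;
  # both sit outside the single path bound into the agent-tools sandbox.
  hf-storage-sync:
    command: sh -c 'python3 /home/user/app/hf-storage-sync.py 2>&1 | sed -u "s/^/[hf-storage-sync] /"'
    working_dir: /home/user/app
    environment:
      - SYNC_ROOT=/tmp/neural-runner
      - SYNC_DIRS=tokens,subagents
    availability:
      restart: on_failure
      backoff_seconds: 10
      max_restarts: 3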