services:
  server:
    build:
      context: .
      dockerfile: Dockerfile
      target: server-runtime
    environment:
      HOST: 0.0.0.0
      PORT: 8787
      DATABASE_URL: file:/data/dev.db
      # Set ADMIN_TOKEN only when you actually want token auth enabled.
      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
      XAI_API_KEY: ${XAI_API_KEY:-}
      EXA_API_KEY: ${EXA_API_KEY:-}
      CHAT_WEB_SEARCH_ENGINE: ${CHAT_WEB_SEARCH_ENGINE:-exa}
      SEARXNG_BASE_URL: ${SEARXNG_BASE_URL:-}
      CHAT_MAX_TOOL_ROUNDS: ${CHAT_MAX_TOOL_ROUNDS:-100}
      CHAT_CODEX_TOOL_ENABLED: ${CHAT_CODEX_TOOL_ENABLED:-false}
      CHAT_CODEX_REMOTE_HOST: ${CHAT_CODEX_REMOTE_HOST:-}
      CHAT_CODEX_REMOTE_USER: ${CHAT_CODEX_REMOTE_USER:-}
      CHAT_CODEX_REMOTE_PORT: ${CHAT_CODEX_REMOTE_PORT:-22}
      CHAT_CODEX_REMOTE_WORKDIR: ${CHAT_CODEX_REMOTE_WORKDIR:-/workspace/sybil-codex}
      # Prefer mounting a private key read-only and pointing CHAT_CODEX_SSH_KEY_PATH at it.
      CHAT_CODEX_SSH_KEY_PATH: ${CHAT_CODEX_SSH_KEY_PATH:-}
      CHAT_CODEX_SSH_PRIVATE_KEY_B64: ${CHAT_CODEX_SSH_PRIVATE_KEY_B64:-}
      CHAT_CODEX_EXEC_TIMEOUT_MS: ${CHAT_CODEX_EXEC_TIMEOUT_MS:-600000}
      CHAT_SHELL_TOOL_ENABLED: ${CHAT_SHELL_TOOL_ENABLED:-false}
      CHAT_SHELL_EXEC_TIMEOUT_MS: ${CHAT_SHELL_EXEC_TIMEOUT_MS:-120000}
    volumes:
      - sybil_data:/data
      # Example key mount for codex_exec:
      # - ./secrets/devbox_id_ed25519:/run/secrets/codex_ssh_key:ro
    expose:
      - "8787"
    restart: unless-stopped

  web:
    build:
      context: .
      dockerfile: Dockerfile
      target: web-runtime
      args:
        VITE_API_BASE_URL: ${VITE_API_BASE_URL:-/api}
        VITE_ADMIN_TOKEN: ${VITE_ADMIN_TOKEN:-}
    depends_on:
      - server
    ports:
      - "5173:80"
    restart: unless-stopped

volumes:
  sybil_data: