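# Compose definition for the paliad web service.
# Every ${VAR} below is substituted by Compose from the deploy environment.
# An unset variable becomes an empty string (Compose only warns).
# NOTE(review): for secrets that must never be blank (for example
# SUPABASE_JWT_SECRET), consider the ${VAR:?message} form so the deploy
# fails instead of starting with an empty value.
services:
  web:
    build: .
    # network_mode: host so paliad inherits mLake's tailscale0 interface
    # and can reach mRiver (100.99.98.203) for the Paliadin remote route
    # (t-paliad-151). With host mode, `expose` is meaningless — paliad
    # listens on host port 8080 directly. traefik routing under host mode
    # is gated by Phase A.5 (see
    # docs/design-paliadin-tailscale-ssh-2026-05-07.md §4.2 + §7); if that
    # test fails, revert this commit and revisit decision 1.
    #
    # Security note: in host mode the container shares the host's network
    # namespace, so Docker's network isolation and port-publishing controls
    # do not apply to it; whatever address paliad binds on port 8080 is a
    # host address.
    # NOTE(review): confirm that paliad's bind address or the host firewall
    # keeps 8080 off interfaces that traefik does not need.
    network_mode: host
    environment:
      - PORT=8080
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
      - GITEA_TOKEN=${GITEA_TOKEN}
      - DATABASE_URL=${DATABASE_URL}
      - CALDAV_ENCRYPTION_KEY=${CALDAV_ENCRYPTION_KEY}
      - ALLOWED_EMAIL_DOMAINS=${ALLOWED_EMAIL_DOMAINS}
      - PALIAD_BASE_URL=${PALIAD_BASE_URL}
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      - SMTP_FROM=${SMTP_FROM}
      - SMTP_FROM_NAME=${SMTP_FROM_NAME}
      - SMTP_USE_TLS=${SMTP_USE_TLS}
      # Paliadin remote routing (t-paliad-151). When PALIADIN_REMOTE_HOST
      # is set, paliad forwards each turn to mRiver via SSH on port 22022
      # (Tailscale-SSH bypass, see design §4.5). Without these vars,
      # paliad falls back to local tmux (or DisabledPaliadinService).
      # The PRIVATE_KEY and KNOWN_HOSTS values are multi-line — register
      # them in Dokploy as secret env vars, not in plain compose text.
      #
      # Values passed through `environment` are readable by anyone who can
      # inspect the container, which here includes the SSH private key.
      # NOTE(review): because unset vars arrive as empty strings, confirm
      # that paliad treats an empty PALIADIN_REMOTE_HOST as "not set" and
      # refuses to connect when PALIADIN_KNOWN_HOSTS is empty rather than
      # skipping host-key verification.
      - PALIADIN_REMOTE_HOST=${PALIADIN_REMOTE_HOST}
      - PALIADIN_REMOTE_PORT=${PALIADIN_REMOTE_PORT}
      - PALIADIN_REMOTE_USER=${PALIADIN_REMOTE_USER}
      - PALIADIN_SSH_PRIVATE_KEY=${PALIADIN_SSH_PRIVATE_KEY}
      - PALIADIN_KNOWN_HOSTS=${PALIADIN_KNOWN_HOSTS}
      # Phase H (AI "Frist-Extraktion", i.e. deadline extraction) is
      # currently deferred, so its API key stays commented out.
      # - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
    restart: unless-stopped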