services:
  web:
    build: .
    expose:
      - "8080"
    environment:
      - PORT=8080
      - SUPABASE_URL=${SUPABASE_URL}
      - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
      - GITEA_TOKEN=${GITEA_TOKEN}
      - DATABASE_URL=${DATABASE_URL}
      - CALDAV_ENCRYPTION_KEY=${CALDAV_ENCRYPTION_KEY}
      - ALLOWED_EMAIL_DOMAINS=${ALLOWED_EMAIL_DOMAINS}
      - PALIAD_BASE_URL=${PALIAD_BASE_URL}
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_USERNAME=${SMTP_USERNAME}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      - SMTP_FROM=${SMTP_FROM}
      - SMTP_FROM_NAME=${SMTP_FROM_NAME}
      - SMTP_USE_TLS=${SMTP_USE_TLS}
      # Paliadin remote routing (t-paliad-151). When PALIADIN_REMOTE_HOST
      # is set, paliad forwards each turn to mRiver via SSH on port 22022.
      # The container reaches mRiver over Tailscale via mLake's host-side
      # tailscale0 + Docker source NAT — no network_mode override needed
      # (verified Phase A.5: a plain alpine container on Dokploy's
      # default bridge SSHs to mriver:22022 in 3 s, source IP NAT'd to
      # mLake's tailnet IP, matches the from="100.99.98.201" clause on
      # mRiver's authorized_keys).
      # PRIVATE_KEY and KNOWN_HOSTS are multi-line Dokploy secrets.
      - PALIADIN_REMOTE_HOST=${PALIADIN_REMOTE_HOST}
      - PALIADIN_REMOTE_PORT=${PALIADIN_REMOTE_PORT}
      - PALIADIN_REMOTE_USER=${PALIADIN_REMOTE_USER}
      - PALIADIN_SSH_PRIVATE_KEY=${PALIADIN_SSH_PRIVATE_KEY}
      - PALIADIN_KNOWN_HOSTS=${PALIADIN_KNOWN_HOSTS}
      # - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}  # Phase H (AI Frist-Extraktion), currently deferred
    restart: unless-stopped