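version: '3.8'

# Production deployment for the docx-mcp server.
# Runs the server in a sandboxed container, with an optional WebSocket bridge
# (websockify) in front of it for remote access.
#
# Exposure model: only the bridge publishes a host port. The server itself is
# reachable solely over the internal docx-network.

services:
  # WebSocket bridge for remote access (optional).
  # Comment out this service if using local stdio transport only.
  # NOTE(review): nothing in this file configures TLS or authentication on the
  # bridge; confirm that whatever sits in front of host port 8080 provides both
  # before exposing it beyond a trusted network.
  websockify:
    # NOTE(review): no tag or digest is given, so this resolves to ":latest".
    # Pin to a reviewed tag or digest for reproducible, auditable deployments.
    image: websockify/websockify
    ports:
      # Binds on all host interfaces. Prefix with a host address
      # (for example "127.0.0.1:8080:8080") to restrict to loopback.
      - "8080:8080"
    depends_on:
      - docx-mcp
    # Listen on 8080 and forward to the server at docx-mcp:8080.
    command: ["--web", "/dev/null", "8080", "docx-mcp:8080"]
    # The bridge is the network-facing component; it listens on an
    # unprivileged port and needs no Linux capabilities.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    networks:
      - docx-network
    restart: unless-stopped
    healthcheck:
      # Assumes `nc` exists in the image - verify; if it does not, the
      # container will be reported unhealthy.
      test: ["CMD", "nc", "-z", "localhost", "8080"]
      interval: 30s
      timeout: 5s
      retries: 3

  # Main docx-mcp server.
  docx-mcp:
    image: docx-mcp:sandboxed
    build:
      context: .
      dockerfile: Dockerfile.sandboxed
    # Immutable root filesystem; the only writable path is the tmpfs below.
    read_only: true
    # No capabilities are added back: the server listens on 8080, and
    # NET_BIND_SERVICE is only required for ports below 1024.
    cap_drop:
      - ALL
    # Block privilege gain through setuid/setgid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    tmpfs:
      # Scratch space: size-capped, not executable, setuid bits ignored.
      - /tmp/docx-mcp:rw,noexec,nosuid,size=100m
    deploy:
      # NOTE(review): `deploy` limits are applied by Swarm and by Compose V2;
      # legacy docker-compose v1 ignores them without --compatibility.
      # Confirm the limits are in effect on the target runtime.
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
      replicas: 1
    environment:
      - RUST_LOG=info
      - DOCX_MCP_SANDBOX=true
      - DOCX_MCP_NO_EXTERNAL_TOOLS=true
      # NOTE(review): presumably disables network features inside the server;
      # confirm it does not also disable the listener the bridge connects to.
      - DOCX_MCP_NO_NETWORK=true
      # 52428800 bytes = 50 MiB.
      - DOCX_MCP_MAX_SIZE=52428800
      - DOCX_MCP_MAX_DOCS=20
    networks:
      - docx-network
    # Not published to the host: the bridge reaches this port over
    # docx-network. Publishing 8080 here as well would collide with the
    # bridge's host port and make the server reachable without the bridge.
    expose:
      - "8080"
    restart: unless-stopped
    healthcheck:
      # Only proves the binary can execute; it does not probe the listener.
      test: ["CMD", "/usr/local/bin/docx-mcp", "--version"]
      interval: 30s
      timeout: 5s
      retries: 3

networks:
  docx-network:
    driver: bridge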