version: '3.8'

services:
  # PostgreSQL Database
  postgres:
    image: postgres:16-alpine
    container_name: wcag-ada-postgres
    environment:
      POSTGRES_USER: wcag_user
      POSTGRES_PASSWORD: wcag_password
      POSTGRES_DB: wcag_ada
    volumes:
      - postgres_data:/var/lib/postgresql/data
    ports:
      - "5432:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U wcag_user -d wcag_ada"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - wcag-ada-network

  # Redis
  redis:
    image: redis:7-alpine
    container_name: wcag-ada-redis
    command: redis-server --appendonly yes
    volumes:
      - redis_data:/data
    ports:
      - "6379:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - wcag-ada-network

  # API Service
  api:
    build:
      context: ../..
      dockerfile: apps/wcag-ada/api/Dockerfile
    container_name: wcag-ada-api
    environment:
      NODE_ENV: production
      DATABASE_URL: postgresql://wcag_user:wcag_password@postgres:5432/wcag_ada
      REDIS_HOST: redis
      REDIS_PORT: 6379
      API_PORT: 3001
      API_JWT_SECRET: ${API_JWT_SECRET:-change-this-in-production}
      API_CORS_ORIGIN: ${API_CORS_ORIGIN:-http://localhost:8080}
    ports:
      - "3001:3001"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3001/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - wcag-ada-network
    restart: unless-stopped

  # Worker Service
  worker:
    build:
      context: ../..
      dockerfile: apps/wcag-ada/worker/Dockerfile
    container_name: wcag-ada-worker
    environment:
      NODE_ENV: production
      DATABASE_URL: postgresql://wcag_user:wcag_password@postgres:5432/wcag_ada
      REDIS_HOST: redis
      REDIS_PORT: 6379
      WORKER_PORT: 3002
      WORKER_CONCURRENCY: ${WORKER_CONCURRENCY:-5}
      SCANNER_HEADLESS: "true"
    ports:
      - "3002:3002"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      api:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - wcag-ada-network
    restart: unless-stopped
    # Additional security options for Chromium
    security_opt:
      - seccomp:unconfined
    cap_add:
      - SYS_ADMIN

  # Dashboard
  dashboard:
    build:
      context: ../..
      dockerfile: apps/wcag-ada/dashboard/Dockerfile
    container_name: wcag-ada-dashboard
    ports:
      - "8080:8080"
    depends_on:
      api:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - wcag-ada-network
    restart: unless-stopped

  # Database migrations (one-time job)
  migrate:
    build:
      context: ../..
      dockerfile: apps/wcag-ada/api/Dockerfile
    container_name: wcag-ada-migrate
    command: ["bunx", "prisma", "migrate", "deploy"]
    environment:
      DATABASE_URL: postgresql://wcag_user:wcag_password@postgres:5432/wcag_ada
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - wcag-ada-network
    restart: "no"

networks:
  wcag-ada-network:
    driver: bridge

volumes:
  postgres_data:
  redis_data: