services:
  # Keep this override aligned with hocuspocus/docker-compose.yaml: the Dockerfile
  # expects repository-root context so it can `COPY hocuspocus/...`.
  hocuspocus:
    build:
      context: .
      dockerfile: hocuspocus/Dockerfile

  workflow-worker:
    build:
      context: .
      dockerfile: services/workflow-worker/Dockerfile
    environment:
      EDITION: ${APP_EDITION:-community}
      DB_NAME: server
      PGBOSS_DATABASE: server
      DB_NAME_SERVER: server
      DB_USER_SERVER: app_user
      DB_USER_ADMIN: ${DB_USER_ADMIN:-postgres}
      VERSION: ${VERSION}
      APP_NAME: ${APP_NAME}
      APP_ENV: ${APP_ENV:-development}
      NODE_ENV: ${APP_ENV:-development}
      HOST: ${HOST}
      REDIS_HOST: ${REDIS_HOST:-redis}
      REDIS_PORT: ${REDIS_PORT:-6379}
      DB_TYPE: ${DB_TYPE:-postgres}
      DB_HOST: ${PGBOUNCER_HOST:-pgbouncer}
      DB_PORT: ${PGBOUNCER_PORT:-6432}
      LOG_LEVEL: ${LOG_LEVEL:-INFO}
      LOG_IS_FORMAT_JSON: ${LOG_IS_FORMAT_JSON:-false}
      LOG_IS_FULL_DETAILS: ${LOG_IS_FULL_DETAILS:-false}
      # Secret provider configuration for workflow-worker (CE edition)
      SECRET_READ_CHAIN: ${SECRET_READ_CHAIN:-env,filesystem}
      SECRET_WRITE_PROVIDER: ${SECRET_WRITE_PROVIDER:-filesystem}
      # Workflow-specific configuration
      # Run v2 runtime by default (legacy can be re-enabled via WORKFLOW_WORKER_MODE=all|legacy)
      WORKFLOW_WORKER_MODE: ${WORKFLOW_WORKER_MODE:-v2}
      WORKFLOW_DISTRIBUTED_MODE: "true"
      WORKFLOW_REDIS_STREAM_PREFIX: "workflow:events:"
      WORKFLOW_REDIS_CONSUMER_GROUP: "workflow-workers"
      WORKFLOW_REDIS_BATCH_SIZE: "10"
      WORKFLOW_REDIS_IDLE_TIMEOUT_MS: "60000"
    volumes:
      - type: bind
        source: ./secrets/db_password_server
        target: /run/secrets/db_password_server
        read_only: true
      - type: bind
        source: ./services/workflow-worker/entrypoint.sh
        target: /app/entrypoint.sh
        read_only: true
    entrypoint: ["/app/entrypoint.sh"]
    secrets:
      - postgres_password
      - db_password_server
      - redis_password
      - crypto_key
      - token_secret_key
      - nextauth_secret
    networks:
      - app-network
    depends_on:
      postgres:
        condition: service_started
      pgbouncer:
        condition: service_started
      redis:
        condition: service_started
      server:
        condition: service_started
    deploy:
      replicas: ${WORKFLOW_WORKER_REPLICAS:-1}

  email-service:
    build:
      context: .
      dockerfile: services/email-service/Dockerfile
    environment:
      EDITION: ${APP_EDITION:-community}
      DB_NAME: server
      DB_NAME_SERVER: server
      DB_USER_SERVER: app_user
      DB_USER_ADMIN: ${DB_USER_ADMIN:-postgres}
      VERSION: ${VERSION}
      APP_NAME: ${APP_NAME}
      APP_ENV: ${APP_ENV:-development}
      NODE_ENV: ${APP_ENV:-development}
      HOST: ${HOST}
      REDIS_HOST: ${REDIS_HOST:-redis}
      REDIS_PORT: ${REDIS_PORT:-6379}
      DB_TYPE: ${DB_TYPE:-postgres}
      DB_HOST: ${PGBOUNCER_HOST:-pgbouncer}
      DB_PORT: ${PGBOUNCER_PORT:-6432}
      LOG_LEVEL: ${LOG_LEVEL:-INFO}
      LOG_IS_FORMAT_JSON: ${LOG_IS_FORMAT_JSON:-false}
      LOG_IS_FULL_DETAILS: ${LOG_IS_FULL_DETAILS:-false}
      SECRET_READ_CHAIN: ${SECRET_READ_CHAIN:-env,filesystem}
      SECRET_WRITE_PROVIDER: ${SECRET_WRITE_PROVIDER:-filesystem}
      IMAP_PROVIDER_REFRESH_MS: ${IMAP_PROVIDER_REFRESH_MS:-60000}
      IMAP_POLL_INTERVAL_MS: ${IMAP_POLL_INTERVAL_MS:-30000}
      IMAP_LEASE_TTL_MS: ${IMAP_LEASE_TTL_MS:-120000}
      IMAP_MAX_CONNECTIONS_PER_TENANT: ${IMAP_MAX_CONNECTIONS_PER_TENANT:-5}
      IMAP_MAX_ATTACHMENT_BYTES: ${IMAP_MAX_ATTACHMENT_BYTES:-0}
      IMAP_FETCH_DELAY_MS: ${IMAP_FETCH_DELAY_MS:-0}
      IMAP_EVENT_CHANNEL_BY_TENANT: ${IMAP_EVENT_CHANNEL_BY_TENANT:-false}
      IMAP_OAUTH_AUTH_MECHANISM: ${IMAP_OAUTH_AUTH_MECHANISM:-XOAUTH2}
      IMAP_TLS_REJECT_UNAUTHORIZED: ${IMAP_TLS_REJECT_UNAUTHORIZED:-true}
      IMAP_WEBHOOK_URL: ${IMAP_WEBHOOK_URL:-http://server:3000/api/email/webhooks/imap}
      IMAP_WEBHOOK_TIMEOUT_MS: ${IMAP_WEBHOOK_TIMEOUT_MS:-10000}
      IMAP_WEBHOOK_MAX_ATTEMPTS: ${IMAP_WEBHOOK_MAX_ATTEMPTS:-3}
      IMAP_WEBHOOK_SECRET: ${IMAP_WEBHOOK_SECRET:-}
      STORAGE_DEFAULT_PROVIDER: ${IMAP_STORAGE_DEFAULT_PROVIDER:-s3}
      STORAGE_S3_ENDPOINT: ${IMAP_STORAGE_S3_ENDPOINT:-http://minio:9000}
      STORAGE_S3_REGION: ${IMAP_STORAGE_S3_REGION:-us-east-1}
      STORAGE_S3_BUCKET: ${IMAP_STORAGE_S3_BUCKET:-inbound-email-artifacts}
      STORAGE_S3_ACCESS_KEY: ${IMAP_STORAGE_S3_ACCESS_KEY:-minioadmin}
      STORAGE_S3_SECRET_KEY: ${IMAP_STORAGE_S3_SECRET_KEY:-minioadmin}
      STORAGE_S3_FORCE_PATH_STYLE: ${IMAP_STORAGE_S3_FORCE_PATH_STYLE:-true}
    volumes:
      - type: bind
        source: ./secrets/db_password_server
        target: /run/secrets/db_password_server
        read_only: true
      - type: bind
        source: ./secrets/tenants
        target: /run/secrets/tenants
      - type: bind
        source: ./services/email-service/entrypoint.sh
        target: /app/entrypoint.sh
        read_only: true
    entrypoint: ["/app/entrypoint.sh"]
    secrets:
      - postgres_password
      - db_password_server
      - redis_password
      - crypto_key
      - token_secret_key
      - nextauth_secret
    networks:
      - app-network
    depends_on:
      postgres:
        condition: service_started
      pgbouncer:
        condition: service_started
      redis:
        condition: service_started
      server:
        condition: service_started
      minio:
        condition: service_healthy
      minio-init:
        condition: service_completed_successfully

networks:
  app-network:
    driver: bridge