docker-compose.yml

services:
  broker:
    # Two ways to source the broker image:
    #
    #   1. LOCAL BUILD (default) — builds from this checkout. Use during
    #      development or when hacking on broker code.
    #   2. PRE-BUILT — pull the signed multi-arch image from Docker Hub.
    #      To use, comment out the `build:` block below and uncomment the
    #      `image:` line. Pin to a specific tag for production
    #      (e.g. devonartis/agentwrit:v2.0.0 or devonartis/agentwrit:main-<sha>).
    #
    # image: devonartis/agentwrit:latest
    build:
      context: .
      target: broker
    ports:
      - "${AA_HOST_PORT:-8080}:8080"
    environment:
      - AA_PORT=8080
      # Container must bind 0.0.0.0 for Docker port forwarding to work.
      # The secure default (127.0.0.1) is for VPS mode only — Docker's
      # network isolation handles security instead.
      - AA_BIND_ADDRESS=${AA_BIND_ADDRESS:-0.0.0.0}
      # Admin secret: use awrit init + config file mount, or set AA_ADMIN_SECRET in .env
      - AA_ADMIN_SECRET=${AA_ADMIN_SECRET:-}
      - AA_SEED_TOKENS=${AA_SEED_TOKENS:-false}
      - AA_LOG_LEVEL=${AA_LOG_LEVEL:-standard}
      - AA_DB_PATH=${AA_DB_PATH:-/data/data.db}
      - AA_SIGNING_KEY_PATH=${AA_SIGNING_KEY_PATH:-/data/signing.key}
      - AA_CONFIG_PATH=${AA_CONFIG_PATH:-}
      - AA_TLS_MODE=${AA_TLS_MODE:-none}
      - AA_TLS_CERT=${AA_TLS_CERT:-}
      - AA_TLS_KEY=${AA_TLS_KEY:-}
      - AA_TLS_CLIENT_CA=${AA_TLS_CLIENT_CA:-}
      - AA_AUDIENCE=${AA_AUDIENCE:-}
      - AA_APP_TOKEN_TTL=${AA_APP_TOKEN_TTL:-}
    volumes:
      - broker-data:/data
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/v1/health"]
      interval: 2s
      timeout: 3s
      retries: 10
    networks:
      - agentwrit-net


volumes:
  broker-data:

networks:
  agentwrit-net:
    driver: bridge