orchestrator/docker-compose.yml

services:
  orchestrator:
    build: .
    container_name: orchestrator
    restart: unless-stopped
    # ORCH-040: бежим под uid:gid хоста (slin=1000:1000), а не root, чтобы
    # артефакты конвейера (worktree + docs) создавались как slin:slin и git на
    # хосте работал без ручного chown. Доступ к docker.sock сохранён через
    # group_add: ["999"] (МИНА 1 — НЕ удалять). См. ADR-001 ORCH-040.
    user: "1000:1000"
    # init: true injects docker-init (tini) as PID 1 so reparented grandchild
    # processes from the claude/node subprocess tree are reaped (no zombies, B-2).
    init: true
    network_mode: host
    volumes:
      - ./data:/app/data
      - /home/slin/repos:/repos
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/lib/node_modules/@anthropic-ai/claude-code:/opt/claude-code:ro
      - /usr/bin/node:/usr/bin/node:ro
      - /home/slin/.claude:/home/slin/.claude
      - /home/slin/.claude.json:/home/slin/.claude.json:ro
      # ORCH-040: target согласован с HOME=/home/slin (launcher), не /root/.ssh.
      - /home/slin/.orchestrator-ssh:/home/slin/.ssh:ro
    env_file: .env
    environment:
      - ORCH_REPOS_DIR=/repos
      - ORCH_HOST_REPOS_DIR=/home/slin/repos
      # legacy enduro deployer (read via os.environ, keep as-is):
      - DEPLOY_SSH_USER=slin
      - DEPLOY_SSH_HOST=127.0.0.1
      - DEPLOY_HOOK_SCRIPT=/home/slin/bin/enduro-deploy-hook.sh
      # ORCH-036 self-deploy (read via pydantic ORCH_ prefix; host-network -> 127.0.0.1, ssh key mounted):
      - ORCH_DEPLOY_SSH_USER=slin
      - ORCH_DEPLOY_SSH_HOST=127.0.0.1
      - ORCH_DEPLOY_HOOK_SCRIPT=scripts/orchestrator-deploy-hook.sh
      - ORCH_DEPLOY_HOST_REPO_PATH=/home/slin/repos/orchestrator
    group_add:
      - "999"

  # ORCH-31: staging instance (port 8501, isolated DB).
  # Starts ONLY with: docker compose --profile staging up -d orchestrator-staging
  # Normal "docker compose up -d" does NOT start this service.
  orchestrator-staging:
    profiles:
      - staging
    build: .
    container_name: orchestrator-staging
    restart: unless-stopped
    # ORCH-040: тот же uid хоста, что и у prod (см. комментарий выше / ADR-001).
    user: "1000:1000"
    init: true
    network_mode: host
    command: ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8501"]
    volumes:
      - ./data/staging:/app/data
      - /home/slin/repos:/repos
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/lib/node_modules/@anthropic-ai/claude-code:/opt/claude-code:ro
      - /usr/bin/node:/usr/bin/node:ro
      - /home/slin/.claude:/home/slin/.claude
      - /home/slin/.claude.json:/home/slin/.claude.json:ro
      # ORCH-040: target согласован с HOME=/home/slin (launcher), не /root/.ssh.
      - /home/slin/.orchestrator-ssh:/home/slin/.ssh:ro
    env_file: .env.staging
    environment:
      - ORCH_REPOS_DIR=/repos
      - ORCH_HOST_REPOS_DIR=/home/slin/repos
      - DEPLOY_SSH_USER=slin
      - DEPLOY_SSH_HOST=127.0.0.1
      - DEPLOY_HOOK_SCRIPT=/home/slin/bin/enduro-deploy-hook.sh
      # Staging DB is isolated via ./data/staging volume mount.
      # Inside the container the path remains /app/data/orchestrator.db (same default),
      # but on the host it physically lives at ./data/staging/orchestrator.db — 
      # completely separate from prod ./data/orchestrator.db.
      - ORCH_DB_PATH=/app/data/orchestrator.db
    group_add:
      - "999"