version: '3.9'

services:
  ai-security-agent:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: ai-security-agent
    restart: unless-stopped
    
    # CRITICAL: Need host PID namespace to see all processes
    pid: host
    
    # Need elevated privileges to kill processes
    privileged: true
    
    environment:
      - OLLAMA_BASE_URL=http://172.17.0.1:11434
      - OLLAMA_MODEL=qwen3:8b
      - CHECK_INTERVAL=300  # 5 minutes
      - ALERT_THRESHOLD=0.7  # 70% confidence for auto-mitigation
      - TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN}
      - TELEGRAM_CHAT_ID=${TELEGRAM_CHAT_ID}
    
    volumes:
      # Mount host /tmp to scan for malware
      - /tmp:/tmp
      # Mount host /proc for process information
      - /proc:/host/proc:ro
      # Persistent logs
      - ./logs:/var/log
    
    networks:
      - dagi-network
    
    # Resource limits (agent should be lightweight)
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M
    
    healthcheck:
      test: ["CMD", "pgrep", "-f", "security_agent.py"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 30s

networks:
  dagi-network:
    external: true
    name: dagi-network