services:

  # ─── Claude Max API Proxy ───────────────────────────────
  proxy:
    image: node:22-alpine
    container_name: aria-proxy
    extra_hosts:
      - "host.docker.internal:host-gateway"        # Zugriff auf die VM via SSH
    command: >-
      sh -c "apk add --no-cache openssh-client bash curl &&
      npm install -g @anthropic-ai/claude-code claude-max-api-proxy &&
      DIST=$(find /usr/local/lib -path '*/claude-max-api-proxy/dist' -type d | head -1) &&
      sed -i 's/startServer({ port })/startServer({ port, host: process.env.HOST || \"127.0.0.1\" })/' $$DIST/server/standalone.js &&
      sed -i 's/if (model\.includes/if ((model||\"claude-sonnet-4\").includes/g' $$DIST/adapter/cli-to-openai.js &&
      sed -i '1i\\function _t(c){return typeof c===\"string\"?c:Array.isArray(c)?c.filter(function(b){return b.type===\"text\"}).map(function(b){return b.text||\"\"}).join(\"\"):String(c)}' $$DIST/adapter/openai-to-cli.js &&
      sed -i 's/msg\\.content/_t(msg.content)/g' $$DIST/adapter/openai-to-cli.js &&
      sed -i 's/\"--no-session-persistence\",/\"--no-session-persistence\",\"--dangerously-skip-permissions\",/' $$DIST/subprocess/manager.js &&
      claude-max-api"
    volumes:
      - ~/.claude:/root/.claude                      # Claude CLI Auth (Credentials in /root/.claude/.credentials.json)
      - ./aria-data/ssh:/root/.ssh                    # SSH Keys fuer VM-Zugriff (aria-wohnung, rw fuer ARIA)
      - aria-shared:/shared                          # Shared Volume fuer Datei-Austausch (Uploads von App)
    environment:
      - HOST=0.0.0.0
      - SHELL=/bin/bash                              # Claude Code Bash-Tool braucht bash (nicht nur sh/ash)
      - CLAUDE_CODE_BUBBLEWRAP=1                    # Erlaubt --dangerously-skip-permissions als root
    restart: unless-stopped
    networks:
      - aria-net

  # ─── OpenClaw (ARIA Gehirn) ─────────────────────────────
  aria:
    image: ghcr.io/openclaw/openclaw:latest
    container_name: aria-core
    hostname: aria-wohnung
    privileged: true                               # ARIAs Wohnung — sie hat die Schlüssel
    extra_hosts:
      - "host.docker.internal:host-gateway"        # Zugriff auf die VM via SSH
    depends_on:
      - proxy
    ports:
      - "3001:3001"                                # Diagnostic Web-UI (laeuft im shared network)
    environment:
      - CANVAS_HOST=127.0.0.1
      - OPENCLAW_GATEWAY_TOKEN=${ARIA_AUTH_TOKEN}
      - DEFAULT_MODEL=proxy/claude-sonnet-4
      - RATE_LIMIT_PER_USER=30
      - DISPLAY=:0
    volumes:
      - openclaw-config:/home/node/.openclaw       # OpenClaw Config (persistiert Model + Auth)
      - ./aria-data/brain:/home/node/.openclaw/workspace/memory
      - ./aria-data/skills:/home/node/.openclaw/workspace/skills
      - ./aria-data/config/AGENT.md:/home/node/.openclaw/workspace/AGENT.md
      - ./aria-data/config/USER.md:/home/node/.openclaw/workspace/USER.md
      - ./aria-data/config/BOOTSTRAP.md:/home/node/.openclaw/workspace/BOOTSTRAP.md
      - ./aria-data/config/BOOTSTRAP.md:/home/node/.openclaw/workspace/CLAUDE.md
      - ./aria-data/config/openclaw.env:/home/node/.openclaw/workspace/.env
      - claude-config:/home/node/.claude               # Claude Code Settings (Permissions)
      - ./aria-data/ssh:/home/node/.ssh                # SSH Keys fuer VM-Zugriff
      - /tmp/.X11-unix:/tmp/.X11-unix
      - /var/run/docker.sock:/var/run/docker.sock  # VM von innen verwalten
      - aria-shared:/shared                        # Shared Volume fuer Datei-Austausch (Bridge <> Core)
    restart: unless-stopped
    networks:
      - aria-net

  # ─── ARIA Voice Bridge ──────────────────────────────────
  bridge:
    build: ./bridge
    container_name: aria-bridge
    depends_on:
      - aria
    network_mode: "service:aria"                   # Teilt Netzwerk mit aria-core → localhost:18789
    volumes:
      - ./aria-data/config/aria.env:/config/aria.env
      - aria-shared:/shared                        # Shared Volume fuer Datei-Austausch (Bridge <> Core)
      # Audio-Zugriff
      - /run/user/1000/pulse:/run/user/1000/pulse
      - /dev/snd:/dev/snd
    devices:
      - /dev/snd
    environment:
      - PULSE_SERVER=unix:/run/user/1000/pulse/native
      - ARIA_AUTH_TOKEN=${ARIA_AUTH_TOKEN:-}
      - RVS_HOST=${RVS_HOST:-}
      - RVS_PORT=${RVS_PORT:-443}
      - RVS_TLS=${RVS_TLS:-true}
      - RVS_TLS_FALLBACK=${RVS_TLS_FALLBACK:-true}
      - RVS_TOKEN=${RVS_TOKEN:-}
    restart: unless-stopped

  # ─── Diagnostic (Selbstcheck-UI und Einstellungen) ────
  diagnostic:
    build: ./diagnostic
    container_name: aria-diagnostic
    depends_on:
      - aria
    network_mode: "service:aria"                   # Teilt Netzwerk mit aria-core → localhost:18789
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./aria-data/config/diag-state:/data           # Persistenter State (aktive Session etc.)
      - aria-shared:/shared                            # Shared Volume (Uploads + Config)
    environment:
      - ARIA_AUTH_TOKEN=${ARIA_AUTH_TOKEN:-}
      - PROXY_URL=http://proxy:3456
      - RVS_HOST=${RVS_HOST:-}
      - RVS_PORT=${RVS_PORT:-443}
      - RVS_TLS=${RVS_TLS:-true}
      - RVS_TLS_FALLBACK=${RVS_TLS_FALLBACK:-true}
      - RVS_TOKEN=${RVS_TOKEN:-}
    restart: unless-stopped

volumes:
  openclaw-config:                                 # Persistiert ~/.openclaw (Model, Auth, Sessions)
  claude-config:                                   # Persistiert ~/.claude (Permissions, Settings)
  aria-shared:                                     # Datei-Austausch zwischen Bridge und Core

networks:
  aria-net:
    driver: bridge