---
# Compose definition for the cryptowallet API container.
# Hardening assumptions: the container is reachable only through a reverse
# proxy on the same host, runs with a read-only root filesystem and no Linux
# capabilities, and is bounded in memory, CPU and process count.
services:
  api:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: cryptowallet-api
    restart: unless-stopped

    # --- Runtime hardening: limit what a compromised process can do ---
    # Root filesystem is immutable; only /tmp (tmpfs) and the logs bind
    # mount below are writable.
    read_only: true
    tmpfs:
      - /tmp
    # Drop every capability; the API does not need any privileged syscalls.
    cap_drop:
      - ALL
    # Block setuid/setgid escalation inside the container.
    security_opt:
      - 'no-new-privileges:true'
    # Resource ceilings: fork bombs and memory exhaustion stay contained.
    pids_limit: 256
    mem_limit: 512m
    cpus: '1.0'
    # NOTE(review): no `user:` is set here, so whether the process runs as
    # non-root depends on the Dockerfile's USER directive — confirm.

    # --- Network exposure ---
    # Bind to loopback only; TLS termination and the WAF live on the reverse
    # proxy (Caddy/Nginx). For direct exposure during local development,
    # change this to "3001:3001" on your machine only.
    ports:
      - '127.0.0.1:3001:3001'

    # --- Configuration ---
    # .env carries the runtime secrets; it should stay out of version control.
    env_file:
      - .env
    environment:
      # Quoted so the value reaches the process as a string.
      API_PORT: '3001'
    volumes:
      - ./logs:/app/logs

    # --- Liveness ---
    # The probe relies on wget being present in the image — confirm against
    # the Dockerfile. It targets the container's own port, not the proxy.
    healthcheck:
      test:
        - CMD
        - wget
        - -qO-
        - --tries=1
        - --timeout=3
        - http://localhost:3001/api/health
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 15s

    # --- Log retention ---
    # Rotate container stdout/stderr so logs cannot fill the host disk.
    logging:
      driver: json-file
      options:
        max-size: '20m'
        max-file: '5'