feat: add flexible docker-compose architecture with profiles

- Add OpenBao services to docker-compose.yml with profiles (openbao, full)
- Add docker-compose.build.yml for local builds vs registry pulls
- Make PostgreSQL and Valkey optional via profiles (database, cache)
- Create example compose files for common deployment scenarios:
  - docker/docker-compose.example.turnkey.yml (all bundled)
  - docker/docker-compose.example.external.yml (all external)
  - docker/docker.example.hybrid.yml (mixed deployment)
- Update documentation:
  - Enhance .env.example with profiles and external service examples
  - Update README.md with deployment mode quick starts
  - Add deployment scenarios to docs/OPENBAO.md
  - Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide
- Clean up repository structure:
  - Move shell scripts to scripts/ directory
  - Move documentation to docs/ directory
  - Move docker compose examples to docker/ directory
- Configure for external Authentik with internal services:
  - Comment out Authentik services (using external OIDC)
  - Comment out unused volumes for disabled services
  - Keep postgres, valkey, openbao as internal services

This provides a flexible deployment architecture supporting turnkey,
production (all external), and hybrid configurations via Docker Compose
profiles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -70,10 +70,12 @@ pnpm prisma:seed
 pnpm dev
 ```
 
-### Docker Deployment (Turnkey)
+### Docker Deployment
 
 **Recommended for quick setup and production deployments.**
 
+#### Development (Turnkey - All Services Bundled)
+
 ```bash
 # Clone repository
 git clone https://git.mosaicstack.dev/mosaic/stack mosaic-stack
@@ -81,26 +83,63 @@ cd mosaic-stack
 
 # Copy and configure environment
 cp .env.example .env
-# Edit .env with your settings
+# Set COMPOSE_PROFILES=full in .env
 
-# Start core services (PostgreSQL, Valkey, API, Web)
+# Start all services (PostgreSQL, Valkey, OpenBao, Authentik, Ollama, API, Web)
 docker compose up -d
 
-# Or start with optional services
-docker compose --profile full up -d  # Includes Authentik and Ollama
-
 # View logs
 docker compose logs -f
 
-# Check service status
-docker compose ps
-
 # Access services
 # Web:  http://localhost:3000
 # API:  http://localhost:3001
-# Auth: http://localhost:9000 (if Authentik enabled)
+# Auth: http://localhost:9000
+```
 
-# Stop services
+#### Production (External Managed Services)
+
+```bash
+# Clone repository
+git clone https://git.mosaicstack.dev/mosaic/stack mosaic-stack
+cd mosaic-stack
+
+# Copy environment template and example
+cp .env.example .env
+cp docker/docker-compose.example.external.yml docker-compose.override.yml
+
+# Edit .env with external service URLs:
+# - DATABASE_URL=postgresql://... (RDS, Cloud SQL, etc.)
+# - VALKEY_URL=redis://... (ElastiCache, Memorystore, etc.)
+# - OPENBAO_ADDR=https://... (HashiCorp Vault, etc.)
+# - OIDC_ISSUER=https://... (Auth0, Okta, etc.)
+# - Set COMPOSE_PROFILES= (empty)
+
+# Start API and Web only
+docker compose up -d
+
+# View logs
+docker compose logs -f
+```
+
+#### Hybrid (Mix of Bundled and External)
+
+```bash
+# Use bundled database/cache, external auth/secrets
+cp docker/docker-compose.example.hybrid.yml docker-compose.override.yml
+
+# Edit .env:
+# - COMPOSE_PROFILES=database,cache,ollama
+# - OPENBAO_ADDR=https://... (external vault)
+# - OIDC_ISSUER=https://... (external auth)
+
+# Start mixed deployment
+docker compose up -d
+```
+
+**Stop services:**
+
+```bash
 docker compose down
 ```