fix(devops): make OpenBao compose Swarm/Portainer compatible

Convert docker-compose.openbao.yml from standalone Docker Compose
to Swarm-compatible format:
- Remove container_name, depends_on, restart (not supported in Swarm)
- Add deploy.restart_policy sections
- Remove 127.0.0.1 port binding (use overlay network instead)
- Remove env_file (use Portainer environment instead)
- Init sidecar limited to 5 restart attempts with 10s delay

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.openbao.yml

@@ -1,18 +1,12 @@
 # ==============================================
-# OpenBao Standalone Deployment
+# OpenBao Secrets Vault - Swarm / Portainer Stack
 # ==============================================
 #
-# IMPORTANT: This file deploys OpenBao as a STANDALONE container.
+# Deploy via Portainer or Docker Swarm:
-# Do NOT include this in docker stack deploy - it will fail due to port binding conflicts.
+#   docker stack deploy -c docker-compose.openbao.yml stack-openbao
 #
-# Usage:
+# Connects to the main Mosaic stack's overlay network (mosaic_internal).
-#   docker compose -f docker-compose.openbao.yml up -d
+# The init sidecar auto-initializes and unseals OpenBao on first run.
-#
-# This is required when:
-#   - Using Docker Swarm (stateful services don't work well in swarm)
-#   - You want OpenBao isolated from the main stack
-#
-# Alternative: Use external HashiCorp Vault or managed secrets service
 # ==============================================
 
 services:
@@ -21,13 +15,9 @@ services:
   # ======================
   openbao:
     image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
-    container_name: mosaic-openbao
     command: server -config=/openbao/config/config.hcl
-    env_file: .env
     environment:
       OPENBAO_ADDR: http://0.0.0.0:8200
-    ports:
-      - "127.0.0.1:${OPENBAO_PORT:-8200}:8200" # Localhost only for security
     volumes:
       - openbao_data:/openbao/data
       - openbao_logs:/openbao/logs
@@ -36,37 +26,43 @@ services:
       - IPC_LOCK
     healthcheck:
       test:
-        - CMD
+        [
-        - wget
+          "CMD",
-        - --spider
+          "wget",
-        - --quiet
+          "--spider",
-        - http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200
+          "--quiet",
+          "http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
+        ]
       interval: 10s
       timeout: 5s
       retries: 5
       start_period: 30s
-    restart: unless-stopped
     networks:
       - mosaic_internal
+    deploy:
+      restart_policy:
+        condition: on-failure
 
   # ======================
   # OpenBao Init Sidecar
   # ======================
-  # Auto-initializes and unseals OpenBao on first run
+  # Auto-initializes and unseals OpenBao on first run.
+  # Has built-in retry logic (polls OpenBao API for 60 seconds).
+  # After init, runs an unseal watch loop to handle container restarts.
   openbao-init:
     image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
-    container_name: mosaic-openbao-init
-    env_file: .env
     command: /openbao/init.sh
     environment:
-      OPENBAO_ADDR: http://openbao:8200
+      VAULT_ADDR: http://openbao:8200
     volumes:
       - openbao_init:/openbao/init
-    depends_on:
-      - openbao
-    restart: "no"
     networks:
       - mosaic_internal
+    deploy:
+      restart_policy:
+        condition: on-failure
+        max_attempts: 5
+        delay: 10s
 
 # ======================
 # Volumes
@@ -85,7 +81,6 @@ volumes:
 # ======================
 # Networks
 # ======================
-# Connect to the swarm stack's internal network
 networks:
   mosaic_internal:
     external: true