fix(devops): enable OpenBao in Swarm and fix healthchecks

- Enable OpenBao + init sidecar in Swarm compose (was commented out)
- Fix healthcheck to accept uninitialized/sealed vault states
  (add ?uninitcode=200&sealedcode=200 to /v1/sys/health)
- Replace nc-based healthcheck with wget in dev compose
- Add ORCHESTRATOR_URL env var to API service in Swarm compose
- Uncomment OpenBao volumes in Swarm compose

The healthcheck was returning HTTP 501 for uninitialized vault,
causing Swarm to restart OpenBao before init sidecar could run.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.openbao.yml

@@ -40,7 +40,7 @@ services:
         - wget
         - --spider
         - --quiet
-        - http://localhost:8200/v1/sys/health?standbyok=true
+        - http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200
       interval: 10s
       timeout: 5s
       retries: 5

docker-compose.swarm.yml

@@ -80,38 +80,59 @@ services:
         condition: on-failure
 
   # ======================
-  # OpenBao Secrets Vault - COMMENTED OUT
+  # OpenBao Secrets Vault
   # ======================
-  # IMPORTANT: OpenBao CANNOT run in swarm mode due to port binding conflicts.
-  # Deploy OpenBao as a standalone container instead:
-  #   docker compose -f docker-compose.openbao.yml up -d
-  #
-  # Alternative: Use external HashiCorp Vault or managed secrets service
-  #
-  # openbao:
-  #   image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
-  #   env_file: .env
-  #   environment:
-  #     OPENBAO_ADDR: ${OPENBAO_ADDR:-http://0.0.0.0:8200}
-  #     OPENBAO_DEV_ROOT_TOKEN_ID: ${OPENBAO_DEV_ROOT_TOKEN_ID:-root}
-  #   volumes:
-  #     - openbao_data:/openbao/data
-  #     - openbao_logs:/openbao/logs
-  #     - openbao_init:/openbao/init
-  #   cap_add:
-  #     - IPC_LOCK
-  #   healthcheck:
-  #     test:
-  #       ["CMD", "wget", "--spider", "--quiet", "http://localhost:8200/v1/sys/health?standbyok=true"]
-  #     interval: 10s
-  #     timeout: 5s
-  #     retries: 5
-  #     start_period: 30s
-  #   networks:
-  #     - internal
-  #   deploy:
-  #     restart_policy:
-  #       condition: on-failure
+  openbao:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
+    command: server -config=/openbao/config/config.hcl
+    env_file: .env
+    environment:
+      OPENBAO_ADDR: http://0.0.0.0:8200
+    volumes:
+      - openbao_data:/openbao/data
+      - openbao_logs:/openbao/logs
+      - openbao_init:/openbao/init
+    cap_add:
+      - IPC_LOCK
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "wget",
+          "--spider",
+          "--quiet",
+          "http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    networks:
+      - internal
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+  # ======================
+  # OpenBao Init Sidecar
+  # ======================
+  # Auto-initializes and unseals OpenBao on first run.
+  # The init script has built-in retry logic (waits for OpenBao API).
+  openbao-init:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
+    command: /openbao/init.sh
+    env_file: .env
+    environment:
+      VAULT_ADDR: http://openbao:8200
+    volumes:
+      - openbao_init:/openbao/init
+    networks:
+      - internal
+    deploy:
+      restart_policy:
+        condition: on-failure
+        max_attempts: 5
+        delay: 10s
 
   # ======================
   # Authentik - COMMENTED OUT (Using External Authentik)
@@ -302,6 +323,7 @@ services:
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
       OPENBAO_ADDR: ${OPENBAO_ADDR:-http://openbao:8200}
+      ORCHESTRATOR_URL: ${ORCHESTRATOR_URL:-http://orchestrator:3001}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY}
     healthcheck:
       test:
@@ -403,10 +425,9 @@ services:
 volumes:
   postgres_data:
   valkey_data:
-  # OpenBao volumes - commented out (using standalone deployment)
-  # openbao_data:
-  # openbao_logs:
-  # openbao_init:
+  openbao_data:
+  openbao_logs:
+  openbao_init:
   # Authentik volumes - commented out (using external Authentik)
   # authentik_postgres_data:
   # authentik_redis_data:

docker/docker-compose.yml

@@ -87,7 +87,14 @@ services:
     cap_add:
       - IPC_LOCK
     healthcheck:
-      test: ["CMD-SHELL", "nc -z 127.0.0.1 8200 || exit 1"]
+      test:
+        [
+          "CMD",
+          "wget",
+          "--spider",
+          "--quiet",
+          "http://127.0.0.1:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200",
+        ]
       interval: 10s
       timeout: 5s
       retries: 5