feat(openbao): add standalone deployment for swarm compatibility

- Create docker-compose.openbao.yml for standalone OpenBao deployment
  - Includes openbao and openbao-init services
  - Auto-initialization on first run
  - Connects to swarm's mosaic_internal network
  - Binds to localhost:8200 for security

- Update docker-compose.swarm.yml
  - Comment out OpenBao service (cannot run in swarm)
  - Add clear note about standalone requirement
  - Update volumes section
  - Update header with current config

- Create docs/OPENBAO-DEPLOYMENT.md
  - Comprehensive deployment guide
  - 4 deployment options: standalone, bundled, external, fallback
  - Clear explanation why OpenBao can't run in swarm
  - Deployment workflows for each scenario
  - Troubleshooting section

- Update docs/SWARM-DEPLOYMENT.md
  - Add Step 1: Deploy OpenBao standalone FIRST
  - Remove manual initialization (now automatic)
  - Update expected services list
  - Reference OpenBao deployment guide

- Update README.md
  - Clarify OpenBao standalone requirement for swarm
  - Update deployment steps
  - Highlight critical requirement at top of notes

Key changes:
- OpenBao MUST be deployed standalone when using swarm
- Automatic initialization via openbao-init sidecar
- Clear documentation for all deployment options
- Swarm stack no longer includes OpenBao

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.openbao.yml

@@ -0,0 +1,93 @@
+# ==============================================
+# OpenBao Standalone Deployment
+# ==============================================
+#
+# IMPORTANT: This file deploys OpenBao as a STANDALONE container.
+# Do NOT include this in docker stack deploy - it will fail due to port binding conflicts.
+#
+# Usage:
+#   docker compose -f docker-compose.openbao.yml up -d
+#
+# This is required when:
+#   - Using Docker Swarm (stateful services don't work well in swarm)
+#   - You want OpenBao isolated from the main stack
+#
+# Alternative: Use external HashiCorp Vault or managed secrets service
+# ==============================================
+
+services:
+  # ======================
+  # OpenBao Secrets Vault
+  # ======================
+  openbao:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    container_name: mosaic-openbao
+    env_file: .env
+    environment:
+      OPENBAO_ADDR: http://0.0.0.0:8200
+      OPENBAO_DEV_ROOT_TOKEN_ID: ${OPENBAO_DEV_ROOT_TOKEN_ID:-root}
+    ports:
+      - "127.0.0.1:${OPENBAO_PORT:-8200}:8200" # Localhost only for security
+    volumes:
+      - openbao_data:/openbao/data
+      - openbao_logs:/openbao/logs
+      - openbao_init:/openbao/init
+    cap_add:
+      - IPC_LOCK
+    healthcheck:
+      test:
+        - CMD
+        - wget
+        - --spider
+        - --quiet
+        - http://localhost:8200/v1/sys/health?standbyok=true
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+    networks:
+      - mosaic_internal
+
+  # ======================
+  # OpenBao Init Sidecar
+  # ======================
+  # Auto-initializes and unseals OpenBao on first run
+  openbao-init:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    container_name: mosaic-openbao-init
+    env_file: .env
+    command: /openbao/init.sh
+    environment:
+      OPENBAO_ADDR: http://openbao:8200
+    volumes:
+      - openbao_init:/openbao/init
+    depends_on:
+      openbao:
+        condition: service_healthy
+    restart: "no"
+    networks:
+      - mosaic_internal
+
+# ======================
+# Volumes
+# ======================
+volumes:
+  openbao_data:
+    name: mosaic-openbao-data
+    driver: local
+  openbao_logs:
+    name: mosaic-openbao-logs
+    driver: local
+  openbao_init:
+    name: mosaic-openbao-init
+    driver: local
+
+# ======================
+# Networks
+# ======================
+# Connect to the swarm stack's internal network
+networks:
+  mosaic_internal:
+    external: true
+    name: mosaic_internal