feat(openbao): add standalone deployment for swarm compatibility

- Create docker-compose.openbao.yml for standalone OpenBao deployment
  - Includes openbao and openbao-init services
  - Auto-initialization on first run
  - Connects to swarm's mosaic_internal network
  - Binds to localhost:8200 for security

- Update docker-compose.swarm.yml
  - Comment out OpenBao service (cannot run in swarm)
  - Add clear note about standalone requirement
  - Update volumes section
  - Update header with current config

- Create docs/OPENBAO-DEPLOYMENT.md
  - Comprehensive deployment guide
  - 4 deployment options: standalone, bundled, external, fallback
  - Clear explanation why OpenBao can't run in swarm
  - Deployment workflows for each scenario
  - Troubleshooting section

- Update docs/SWARM-DEPLOYMENT.md
  - Add Step 1: Deploy OpenBao standalone FIRST
  - Remove manual initialization (now automatic)
  - Update expected services list
  - Reference OpenBao deployment guide

- Update README.md
  - Clarify OpenBao standalone requirement for swarm
  - Update deployment steps
  - Highlight critical requirement at top of notes

Key changes:
- OpenBao MUST be deployed standalone when using swarm
- Automatic initialization via openbao-init sidecar
- Clear documentation for all deployment options
- Swarm stack no longer includes OpenBao

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/SWARM-DEPLOYMENT.md

@@ -98,13 +98,40 @@ docker login git.mosaicstack.dev
 
 ## Deployment
 
-### Deploy the Stack
+### Step 1: Deploy OpenBao (Standalone)
+
+**CRITICAL:** OpenBao CANNOT run in swarm mode due to port binding conflicts. Deploy it as a standalone container first.
+
+```bash
+cd /opt/mosaic/stack
+
+# Deploy OpenBao standalone
+docker compose -f docker-compose.openbao.yml up -d
+
+# Verify OpenBao is running
+docker ps | grep openbao
+
+# Check initialization (should complete in ~30 seconds)
+docker logs mosaic-openbao-init --follow
+
+# Wait for OpenBao to be ready
+sleep 30
+```
+
+**Alternative Options:**
+
+- **External Vault:** Skip this step and configure `OPENBAO_ADDR` to point to your external Vault instance
+- **Fallback Mode:** Skip this step - API will use AES-256-GCM encryption with `ENCRYPTION_KEY`
+
+See [OpenBao Deployment Guide](OPENBAO-DEPLOYMENT.md) for detailed options.
+
+### Step 2: Deploy the Swarm Stack
 
 ```bash
 cd /opt/mosaic/stack
 
 # Using the deploy script (recommended)
-./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
 
 # Or manually
 IMAGE_TAG=dev docker stack deploy \
@@ -122,10 +149,11 @@ docker stack services mosaic
 # ID             NAME                         MODE         REPLICAS   IMAGE
 # abc123         mosaic_postgres              replicated   1/1        git.mosaicstack.dev/mosaic/stack-postgres:dev
 # def456         mosaic_valkey                replicated   1/1        valkey/valkey:8-alpine
-# ghi789         mosaic_openbao               replicated   1/1        git.mosaicstack.dev/mosaic/stack-openbao:dev
 # jkl012         mosaic_api                   replicated   1/1        git.mosaicstack.dev/mosaic/stack-api:dev
 # mno345         mosaic_web                   replicated   1/1        git.mosaicstack.dev/mosaic/stack-web:dev
 # pqr678         mosaic_orchestrator          replicated   1/1        git.mosaicstack.dev/mosaic/stack-orchestrator:dev
+#
+# Note: OpenBao runs as standalone container, not in swarm stack
 
 # Check detailed task status
 docker stack ps mosaic --no-trunc
@@ -137,71 +165,28 @@ docker service logs mosaic_web --follow
 
 ## Post-Deployment Configuration
 
-### 1. Initialize OpenBao (CRITICAL)
+### 1. Verify OpenBao Initialization
 
-**Important:** Unlike docker-compose, the swarm file does NOT include the `openbao-init` sidecar. You must manually initialize OpenBao:
+OpenBao was deployed as a standalone container with automatic initialization. Verify it completed:
 
 ```bash
-# Wait for OpenBao to be healthy
-sleep 30
+# Check OpenBao container is running
+docker ps | grep openbao
 
-# Get the OpenBao container ID
-OPENBAO_CONTAINER=$(docker ps -q -f label=com.docker.swarm.service.name=mosaic_openbao)
+# Verify initialization completed
+docker logs mosaic-openbao-init
 
-# Initialize OpenBao
-docker exec $OPENBAO_CONTAINER bao operator init -key-shares=1 -key-threshold=1
+# Expected output:
+# ✓ OpenBao initialized successfully
+# ✓ Transit engine enabled
+# ✓ Encryption key created: mosaic-credentials
+# ✓ AppRole authentication configured
 
-# Save the output - you'll need the Unseal Key and Root Token!
-# Example output:
-# Unseal Key 1: abc123...
-# Initial Root Token: xyz789...
-
-# Unseal OpenBao
-docker exec $OPENBAO_CONTAINER bao operator unseal <unseal-key-from-above>
-
-# Enable Transit engine
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao secrets enable transit
-
-# Create encryption key
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao write -f transit/keys/mosaic-credentials
-
-# Create AppRole for API
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao auth enable approle
-
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao write auth/approle/role/mosaic-api \
-    token_policies="default" \
-    token_ttl=1h \
-    token_max_ttl=4h
-
-# Get Role ID and Secret ID
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao read auth/approle/role/mosaic-api/role-id
-
-docker exec -e BAO_TOKEN=<root-token> $OPENBAO_CONTAINER \
-  bao write -f auth/approle/role/mosaic-api/secret-id
-
-# Update API service with AppRole credentials (optional - or store in volume)
-docker service update mosaic_api \
-  --env-add OPENBAO_ROLE_ID=<role-id> \
-  --env-add OPENBAO_SECRET_ID=<secret-id>
+# Test OpenBao connectivity from host
+curl http://localhost:8200/v1/sys/health
 ```
 
-**Automated Alternative:** Create an init script and run it as a Docker container:
-
-```bash
-# See docker/openbao/init.sh for reference
-# Create a one-time task that runs initialization
-docker service create --name openbao-init \
-  --network mosaic_internal \
-  --restart-condition=none \
-  --mount type=volume,source=mosaic_openbao_init,target=/openbao/init \
-  git.mosaicstack.dev/mosaic/stack-openbao:dev \
-  /openbao/init.sh
-```
+**If using external Vault:** Skip this step - verify your external Vault is configured per [OpenBao Deployment Guide](OPENBAO-DEPLOYMENT.md#option-3-external-hashicorp-vault).
 
 ### 2. Run Database Migrations