fix: resolve Portainer deployment Redis and CORS failures

Remove Docker Compose profiles from postgres and valkey services so they
start by default without --profile flag. Add NEXT_PUBLIC_APP_URL,
NEXT_PUBLIC_API_URL, and TRUSTED_ORIGINS to the API service environment
so CORS works in production.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -19,7 +19,7 @@ NEXT_PUBLIC_API_URL=http://localhost:3001
 # ======================
 # PostgreSQL Database
 # ======================
-# Bundled PostgreSQL (when database profile enabled)
+# Bundled PostgreSQL
 # SECURITY: Change POSTGRES_PASSWORD to a strong random password in production
 DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
 POSTGRES_USER=mosaic
@@ -28,7 +28,7 @@ POSTGRES_DB=mosaic
 POSTGRES_PORT=5432
 
 # External PostgreSQL (managed service)
-# Disable 'database' profile and point DATABASE_URL to your external instance
+# To use an external instance, update DATABASE_URL above
 # Example: DATABASE_URL=postgresql://user:pass@rds.amazonaws.com:5432/mosaic
 
 # PostgreSQL Performance Tuning (Optional)
@@ -39,7 +39,7 @@ POSTGRES_MAX_CONNECTIONS=100
 # ======================
 # Valkey Cache (Redis-compatible)
 # ======================
-# Bundled Valkey (when cache profile enabled)
+# Bundled Valkey
 VALKEY_URL=redis://valkey:6379
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
@@ -47,7 +47,7 @@ VALKEY_PORT=6379
 VALKEY_MAXMEMORY=256mb
 
 # External Redis/Valkey (managed service)
-# Disable 'cache' profile and point VALKEY_URL to your external instance
+# To use an external instance, update VALKEY_URL above
 # Example: VALKEY_URL=redis://elasticache.amazonaws.com:6379
 # Example with auth: VALKEY_URL=redis://:password@redis.example.com:6379
 
@@ -244,12 +244,16 @@ MOSAIC_API_DOMAIN=api.mosaic.local
 MOSAIC_WEB_DOMAIN=mosaic.local
 MOSAIC_AUTH_DOMAIN=auth.mosaic.local
 
-# External Traefik network name (for upstream mode)
+# External Traefik network name (for upstream mode and swarm)
 # Must match the network name of your existing Traefik instance
 TRAEFIK_NETWORK=traefik-public
+TRAEFIK_DOCKER_NETWORK=traefik-public
 
 # TLS/SSL Configuration
 TRAEFIK_TLS_ENABLED=true
+TRAEFIK_ENTRYPOINT=websecure
+# Cert resolver name (leave empty if TLS is handled externally or using self-signed certs)
+TRAEFIK_CERTRESOLVER=
 # For Let's Encrypt (production):
 TRAEFIK_ACME_EMAIL=admin@example.com
 # For self-signed certificates (development), leave TRAEFIK_ACME_EMAIL empty
@@ -285,6 +289,15 @@ GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
 # The coordinator service uses this key to authenticate with the API
 COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
 
+# Anthropic API Key (used by coordinator for issue parsing)
+# Get your API key from: https://console.anthropic.com/
+ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
+
+# Coordinator tuning
+COORDINATOR_POLL_INTERVAL=5.0
+COORDINATOR_MAX_CONCURRENT_AGENTS=10
+COORDINATOR_ENABLED=true
+
 # ======================
 # Rate Limiting
 # ======================
@@ -329,16 +342,34 @@ RATE_LIMIT_STORAGE=redis
 # ======================
 # Matrix bot integration for chat-based control via Matrix protocol
 # Requires a Matrix account with an access token for the bot user
-# MATRIX_HOMESERVER_URL=https://matrix.example.com
+# Set these AFTER deploying Synapse and creating the bot account.
-# MATRIX_ACCESS_TOKEN=
-# MATRIX_BOT_USER_ID=@mosaic-bot:example.com
-# MATRIX_CONTROL_ROOM_ID=!roomid:example.com
-# MATRIX_WORKSPACE_ID=your-workspace-uuid
 #
 # SECURITY: MATRIX_WORKSPACE_ID must be a valid workspace UUID from your database.
 # All Matrix commands will execute within this workspace context for proper
 # multi-tenant isolation. Each Matrix bot instance should be configured for
 # a single workspace.
+MATRIX_HOMESERVER_URL=http://synapse:8008
+MATRIX_ACCESS_TOKEN=
+MATRIX_BOT_USER_ID=@mosaic-bot:matrix.example.com
+MATRIX_SERVER_NAME=matrix.example.com
+# MATRIX_CONTROL_ROOM_ID=!roomid:matrix.example.com
+# MATRIX_WORKSPACE_ID=your-workspace-uuid
+
+# ======================
+# Matrix / Synapse Deployment
+# ======================
+# Domains for Traefik routing to Matrix services
+MATRIX_DOMAIN=matrix.example.com
+ELEMENT_DOMAIN=chat.example.com
+
+# Synapse database (created automatically by synapse-db-init in the swarm compose)
+SYNAPSE_POSTGRES_DB=synapse
+SYNAPSE_POSTGRES_USER=synapse
+SYNAPSE_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_SYNAPSE_DB_PASSWORD
+
+# Image tags for Matrix services
+SYNAPSE_IMAGE_TAG=latest
+ELEMENT_IMAGE_TAG=latest
 
 # ======================
 # Orchestrator Configuration
@@ -363,11 +394,11 @@ AI_PROVIDER=ollama
 # For remote Ollama: http://your-ollama-server:11434
 OLLAMA_MODEL=llama3.1:latest
 
-# Claude API Configuration (when AI_PROVIDER=claude)
+# Claude API Key
-# OPTIONAL: Only required if AI_PROVIDER=claude
+# Required by the orchestrator service in swarm deployment.
+# Also used when AI_PROVIDER=claude for other services.
 # Get your API key from: https://console.anthropic.com/
-# Note: Claude Max subscription users should use AI_PROVIDER=ollama instead
+CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY
-# CLAUDE_API_KEY=sk-ant-...
 
 # OpenAI API Configuration (when AI_PROVIDER=openai)
 # OPTIONAL: Only required if AI_PROVIDER=openai
@@ -405,6 +436,9 @@ TTS_PREMIUM_URL=http://chatterbox-tts:8881/v1
 TTS_FALLBACK_ENABLED=false
 TTS_FALLBACK_URL=http://openedai-speech:8000/v1
 
+# Whisper model for Speaches STT engine
+SPEACHES_WHISPER_MODEL=Systran/faster-whisper-large-v3-turbo
+
 # Speech Service Limits
 # Maximum upload file size in bytes (default: 25MB)
 SPEECH_MAX_UPLOAD_SIZE=25000000
@@ -439,28 +473,6 @@ MOSAIC_TELEMETRY_INSTANCE_ID=your-instance-uuid-here
 # Useful for development and debugging telemetry payloads
 MOSAIC_TELEMETRY_DRY_RUN=false
 
-# ======================
-# Matrix Dev Environment (docker-compose.matrix.yml overlay)
-# ======================
-# These variables configure the local Matrix dev environment.
-# Only used when running: docker compose -f docker/docker-compose.yml -f docker/docker-compose.matrix.yml up
-#
-# Synapse homeserver
-# SYNAPSE_CLIENT_PORT=8008
-# SYNAPSE_FEDERATION_PORT=8448
-# SYNAPSE_POSTGRES_DB=synapse
-# SYNAPSE_POSTGRES_USER=synapse
-# SYNAPSE_POSTGRES_PASSWORD=synapse_dev_password
-#
-# Element Web client
-# ELEMENT_PORT=8501
-#
-# Matrix bridge connection (set after running docker/matrix/scripts/setup-bot.sh)
-# MATRIX_HOMESERVER_URL=http://localhost:8008
-# MATRIX_ACCESS_TOKEN=<obtained from setup-bot.sh>
-# MATRIX_BOT_USER_ID=@mosaic-bot:localhost
-# MATRIX_SERVER_NAME=localhost
-
 # ======================
 # Logging & Debugging
 # ======================

docker-compose.yml

@@ -27,9 +27,6 @@ services:
       start_period: 30s
     networks:
       - mosaic-internal
-    profiles:
-      - database
-      - full
     labels:
       - "com.mosaic.service=database"
       - "com.mosaic.description=PostgreSQL 17 with pgvector"
@@ -58,9 +55,6 @@ services:
       start_period: 10s
     networks:
       - mosaic-internal
-    profiles:
-      - cache
-      - full
     labels:
       - "com.mosaic.service=cache"
       - "com.mosaic.description=Valkey Redis-compatible cache"
@@ -384,6 +378,10 @@ services:
       MOSAIC_TELEMETRY_API_KEY: ${MOSAIC_TELEMETRY_API_KEY:-}
       MOSAIC_TELEMETRY_INSTANCE_ID: ${MOSAIC_TELEMETRY_INSTANCE_ID:-}
       MOSAIC_TELEMETRY_DRY_RUN: ${MOSAIC_TELEMETRY_DRY_RUN:-false}
+      # Frontend URLs (for CORS and auth redirects)
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
+      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:3001}
+      TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
     volumes:
       - openbao_init:/openbao/init:ro
     ports: