fix(infra): install pgvector and uuid-ossp extensions in mosaic-db-init

Mosaic Stack API schema requires both vector (pgvector) and uuid-ossp
extensions. The mosaic user cannot CREATE EXTENSION (requires superuser),
so extensions must be installed by the admin user during db-init before
Prisma runs migrations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.swarm.portainer.yml

@@ -9,6 +9,8 @@
 #   - OpenBao: Standalone container (see docker-compose.openbao.yml)
 #   - Authentik: External OIDC provider
 #   - Ollama: External AI inference
+#   - PostgreSQL: Provided by the openbrain stack (openbrain_brain-db)
+#                 Deploy openbrain stack before this stack.
 #
 # Usage (Portainer):
 #   1. Stacks -> Add Stack -> Upload or paste
@@ -36,37 +38,75 @@
 # Required vars use plain ${VAR} — the app validates at startup.
 #
 # ==============================================
+# DATABASE (openbrain_brain-db — external)
+# ==============================================
+#
+# This stack uses the PostgreSQL instance from the openbrain stack.
+# The openbrain stack must be deployed first and its brain-internal
+# overlay network must exist.
+#
+# Required env vars for DB access:
+#   BRAIN_DB_ADMIN_USER     — openbrain superuser (default: openbrain)
+#   BRAIN_DB_ADMIN_PASSWORD — openbrain superuser password
+#                             (must match openbrain stack POSTGRES_PASSWORD)
+#   POSTGRES_USER           — mosaic application DB user (created by mosaic-db-init)
+#   POSTGRES_PASSWORD       — mosaic application DB password
+#   POSTGRES_DB             — mosaic application database name (default: mosaic)
+#
+# ==============================================
 
 services:
   # ============================================
-  #  CORE INFRASTRUCTURE
+  #  DATABASE INIT
   # ============================================
 
   # ======================
-  # PostgreSQL Database
+  # Mosaic Database Init
   # ======================
-  postgres:
+  # Creates the mosaic application user and database in the shared
-    image: git.mosaicstack.dev/mosaic/stack-postgres:${IMAGE_TAG:-latest}
+  # openbrain PostgreSQL instance (openbrain_brain-db).
+  # Runs once and exits. Idempotent — safe to run on every deploy.
+  mosaic-db-init:
+    image: postgres:17-alpine
     environment:
-      POSTGRES_USER: ${POSTGRES_USER}
+      PGHOST: openbrain_brain-db
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      PGPORT: 5432
-      POSTGRES_DB: ${POSTGRES_DB}
+      PGUSER: ${BRAIN_DB_ADMIN_USER:-openbrain}
-      POSTGRES_SHARED_BUFFERS: ${POSTGRES_SHARED_BUFFERS:-256MB}
+      PGPASSWORD: ${BRAIN_DB_ADMIN_PASSWORD}
-      POSTGRES_EFFECTIVE_CACHE_SIZE: ${POSTGRES_EFFECTIVE_CACHE_SIZE:-1GB}
+      MOSAIC_USER: ${POSTGRES_USER}
-      POSTGRES_MAX_CONNECTIONS: ${POSTGRES_MAX_CONNECTIONS:-100}
+      MOSAIC_PASSWORD: ${POSTGRES_PASSWORD}
-    volumes:
+      MOSAIC_DB: ${POSTGRES_DB:-mosaic}
-      - postgres_data:/var/lib/postgresql/data
+    entrypoint: ["sh", "-c"]
-    healthcheck:
+    command:
-      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      - |
-      interval: 10s
+        until pg_isready -h openbrain_brain-db -p 5432 -U $${PGUSER}; do
-      timeout: 5s
+          echo "Waiting for openbrain_brain-db..."
-      retries: 5
+          sleep 2
-      start_period: 30s
+        done
+        echo "Database ready. Creating mosaic user and database..."
+
+        psql -h openbrain_brain-db -U $${PGUSER} -tc "SELECT 1 FROM pg_roles WHERE rolname='$${MOSAIC_USER}'" | grep -q 1 || \
+          psql -h openbrain_brain-db -U $${PGUSER} -c "CREATE USER $${MOSAIC_USER} WITH PASSWORD '$${MOSAIC_PASSWORD}';"
+
+        psql -h openbrain_brain-db -U $${PGUSER} -tc "SELECT 1 FROM pg_database WHERE datname='$${MOSAIC_DB}'" | grep -q 1 || \
+          psql -h openbrain_brain-db -U $${PGUSER} -c "CREATE DATABASE $${MOSAIC_DB} OWNER $${MOSAIC_USER} ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0;"
+
+        echo "Enabling required extensions in $${MOSAIC_DB}..."
+        psql -h openbrain_brain-db -U $${PGUSER} -d $${MOSAIC_DB} -c "CREATE EXTENSION IF NOT EXISTS vector;"
+        psql -h openbrain_brain-db -U $${PGUSER} -d $${MOSAIC_DB} -c "CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";"
+
+        echo "Mosaic database ready: $${MOSAIC_DB}"
     networks:
-      - internal
+      - openbrain-brain-internal
     deploy:
       restart_policy:
         condition: on-failure
+        delay: 5s
+        max_attempts: 5
+
+  # ============================================
+  #  CORE INFRASTRUCTURE
+  # ============================================
 
   # ======================
   # Valkey Cache
@@ -105,7 +145,7 @@ services:
       NODE_ENV: production
       PORT: ${API_PORT:-3001}
       API_HOST: ${API_HOST:-0.0.0.0}
-      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@openbrain_brain-db:5432/${POSTGRES_DB:-mosaic}
       VALKEY_URL: redis://valkey:6379
       # Auth (external Authentik)
       OIDC_ENABLED: ${OIDC_ENABLED:-false}
@@ -163,6 +203,7 @@ services:
     networks:
       - internal
       - traefik-public
+      - openbrain-brain-internal
     deploy:
       restart_policy:
         condition: on-failure
@@ -307,36 +348,36 @@ services:
   # ======================
   # Synapse Database Init
   # ======================
-  # Creates the 'synapse' database in the shared PostgreSQL instance.
+  # Creates the 'synapse' database in the shared openbrain PostgreSQL instance.
   # Runs once and exits. Idempotent — safe to run on every deploy.
   synapse-db-init:
     image: postgres:17-alpine
     environment:
-      PGHOST: postgres
+      PGHOST: openbrain_brain-db
       PGPORT: 5432
-      PGUSER: ${POSTGRES_USER}
+      PGUSER: ${BRAIN_DB_ADMIN_USER:-openbrain}
-      PGPASSWORD: ${POSTGRES_PASSWORD}
+      PGPASSWORD: ${BRAIN_DB_ADMIN_PASSWORD}
       SYNAPSE_DB: ${SYNAPSE_POSTGRES_DB}
       SYNAPSE_USER: ${SYNAPSE_POSTGRES_USER}
       SYNAPSE_PASSWORD: ${SYNAPSE_POSTGRES_PASSWORD}
     entrypoint: ["sh", "-c"]
     command:
       - |
-        until pg_isready -h postgres -p 5432 -U $${PGUSER}; do
+        until pg_isready -h openbrain_brain-db -p 5432 -U $${PGUSER}; do
-          echo "Waiting for PostgreSQL..."
+          echo "Waiting for openbrain_brain-db..."
           sleep 2
         done
-        echo "PostgreSQL is ready. Creating Synapse database and user..."
+        echo "Database ready. Creating Synapse user and database..."
 
-        psql -h postgres -U $${PGUSER} -tc "SELECT 1 FROM pg_roles WHERE rolname='$${SYNAPSE_USER}'" | grep -q 1 || \
+        psql -h openbrain_brain-db -U $${PGUSER} -tc "SELECT 1 FROM pg_roles WHERE rolname='$${SYNAPSE_USER}'" | grep -q 1 || \
-          psql -h postgres -U $${PGUSER} -c "CREATE USER $${SYNAPSE_USER} WITH PASSWORD '$${SYNAPSE_PASSWORD}';"
+          psql -h openbrain_brain-db -U $${PGUSER} -c "CREATE USER $${SYNAPSE_USER} WITH PASSWORD '$${SYNAPSE_PASSWORD}';"
 
-        psql -h postgres -U $${PGUSER} -tc "SELECT 1 FROM pg_database WHERE datname='$${SYNAPSE_DB}'" | grep -q 1 || \
+        psql -h openbrain_brain-db -U $${PGUSER} -tc "SELECT 1 FROM pg_database WHERE datname='$${SYNAPSE_DB}'" | grep -q 1 || \
-          psql -h postgres -U $${PGUSER} -c "CREATE DATABASE $${SYNAPSE_DB} OWNER $${SYNAPSE_USER} ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0;"
+          psql -h openbrain_brain-db -U $${PGUSER} -c "CREATE DATABASE $${SYNAPSE_DB} OWNER $${SYNAPSE_USER} ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0;"
 
         echo "Synapse database ready: $${SYNAPSE_DB}"
     networks:
-      - internal
+      - openbrain-brain-internal
     deploy:
       restart_policy:
         condition: on-failure
@@ -451,7 +492,6 @@ services:
 # Volumes
 # ======================
 volumes:
-  postgres_data:
   valkey_data:
   orchestrator_workspace:
   speaches_models:
@@ -464,3 +504,6 @@ networks:
     driver: overlay
   traefik-public:
     external: true
+  openbrain-brain-internal:
+    external: true
+    name: openbrain_brain-internal