feat(chorus): run chorus-agent (replace deprecated wrapper); deterministic council role-claim shuffle; compose: WHOOSH UI env + Traefik label fixes + rotated JWT secret

docker/Dockerfile

@@ -11,18 +11,18 @@ WORKDIR /build
 # Copy go mod files first (for better caching)
 COPY go.mod go.sum ./
 
-# Download dependencies
-RUN go mod download
+# Skip go mod download; we rely on vendored deps to avoid local replaces
+RUN echo "Using vendored dependencies (skipping go mod download)"
 
 # Copy source code
 COPY . .
 
-# Build the CHORUS binary with mod mode
+# Build the CHORUS agent binary with vendored deps
 RUN CGO_ENABLED=0 GOOS=linux go build \
-    -mod=mod \
+    -mod=vendor \
     -ldflags='-w -s -extldflags "-static"' \
-    -o chorus \
-    ./cmd/chorus
+    -o chorus-agent \
+    ./cmd/agent
 
 # Final minimal runtime image
 FROM alpine:3.18
@@ -42,8 +42,8 @@ RUN mkdir -p /app/data && \
     chown -R chorus:chorus /app
 
 # Copy binary from builder stage
-COPY --from=builder /build/chorus /app/chorus
-RUN chmod +x /app/chorus
+COPY --from=builder /build/chorus-agent /app/chorus-agent
+RUN chmod +x /app/chorus-agent
 
 # Switch to non-root user
 USER chorus
@@ -64,5 +64,5 @@ ENV LOG_LEVEL=info \
     CHORUS_HEALTH_PORT=8081 \
     CHORUS_P2P_PORT=9000
 
-# Start CHORUS
-ENTRYPOINT ["/app/chorus"]
+# Start CHORUS Agent
+ENTRYPOINT ["/app/chorus-agent"]

docker/docker-compose.yml

@@ -29,8 +29,8 @@ services:
       - CHORUS_MAX_CONCURRENT_DHT=16  # Limit concurrent DHT queries
 
       # Election stability windows (Medium-risk fix 2.1)
-      - CHORUS_ELECTION_MIN_TERM=30s  # Minimum time between elections to prevent churn
-      - CHORUS_LEADER_MIN_TERM=45s    # Minimum time before challenging healthy leader
+      - CHORUS_ELECTION_MIN_TERM=120s  # Minimum time between elections to prevent churn
+      - CHORUS_LEADER_MIN_TERM=240s    # Minimum time before challenging healthy leader
 
       # Assignment system for runtime configuration (Medium-risk fix 2.2)
       - ASSIGN_URL=${ASSIGN_URL:-}  # Optional: WHOOSH assignment endpoint
@@ -61,7 +61,7 @@ services:
       - CHORUS_LIGHTRAG_ENABLED=${CHORUS_LIGHTRAG_ENABLED:-false}
       - CHORUS_LIGHTRAG_BASE_URL=${CHORUS_LIGHTRAG_BASE_URL:-http://lightrag:9621}
       - CHORUS_LIGHTRAG_TIMEOUT=${CHORUS_LIGHTRAG_TIMEOUT:-30s}
-      - CHORUS_LIGHTRAG_API_KEY=${CHORUS_LIGHTRAG_API_KEY:-}
+      - CHORUS_LIGHTRAG_API_KEY=${CHORUS_LIGHTRAG_API_KEY:-your-secure-api-key-here}
       - CHORUS_LIGHTRAG_DEFAULT_MODE=${CHORUS_LIGHTRAG_DEFAULT_MODE:-hybrid}
 
       # Logging configuration
@@ -102,7 +102,7 @@ services:
     # Container resource limits
     deploy:
       mode: replicated
-      replicas: ${CHORUS_REPLICAS:-9}
+      replicas: ${CHORUS_REPLICAS:-20}
       update_config:
         parallelism: 1
         delay: 10s
@@ -173,6 +173,8 @@ services:
       WHOOSH_SERVER_READ_TIMEOUT: "30s"
       WHOOSH_SERVER_WRITE_TIMEOUT: "30s"
       WHOOSH_SERVER_SHUTDOWN_TIMEOUT: "30s"
+      # UI static directory (served at site root by WHOOSH)
+      WHOOSH_UI_DIR: "/app/ui"
 
       # GITEA configuration
       WHOOSH_GITEA_BASE_URL: https://gitea.chorus.services  
@@ -217,7 +219,8 @@ services:
       - jwt_secret
       - service_tokens
       - redis_password
-    # volumes:
+    volumes:
+      - whoosh_ui:/app/ui:ro
       # - /var/run/docker.sock:/var/run/docker.sock  # Disabled for agent assignment architecture
     deploy:
       replicas: 2
@@ -254,11 +257,11 @@ services:
         - traefik.enable=true
         - traefik.docker.network=tengig
         - traefik.http.routers.whoosh.rule=Host(`whoosh.chorus.services`)
+        - traefik.http.routers.whoosh.entrypoints=web,web-secured
         - traefik.http.routers.whoosh.tls=true
         - traefik.http.routers.whoosh.tls.certresolver=letsencryptresolver
-        - traefik.http.routers.photoprism.entrypoints=web,web-secured
         - traefik.http.services.whoosh.loadbalancer.server.port=8080
-        - traefik.http.services.photoprism.loadbalancer.passhostheader=true
+        - traefik.http.services.whoosh.loadbalancer.passhostheader=true
         - traefik.http.middlewares.whoosh-auth.basicauth.users=admin:$2y$10$example_hash
     networks:
       - tengig
@@ -414,7 +417,7 @@ services:
   # REQ: BACKBEAT-REQ-001 - Single BeatFrame publisher per cluster
   # REQ: BACKBEAT-OPS-001 - One replica prefers leadership
   backbeat-pulse:
-    image: anthonyrawlins/backbeat-pulse:v1.0.5
+    image: anthonyrawlins/backbeat-pulse:v1.0.6
     command: >
       ./pulse
       -cluster=chorus-production
@@ -581,6 +584,14 @@ services:
         max-file: "3"
         tag: "nats/{{.Name}}/{{.ID}}"
 
+  watchtower:
+    image: containrrr/watchtower
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: --interval 300 --cleanup --revive-stopped --include-stopped
+    restart: always
+
+
   # KACHING services are deployed separately in their own stack
   # License validation will access https://kaching.chorus.services/api
 
@@ -618,6 +629,12 @@ volumes:
       type: none
       o: bind
       device: /rust/containers/WHOOSH/redis
+  whoosh_ui:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /rust/containers/WHOOSH/ui
 
 
 # Networks for CHORUS communication
@@ -652,7 +669,7 @@ secrets:
     name: whoosh_webhook_token
   jwt_secret:
     external: true
-    name: whoosh_jwt_secret
+    name: whoosh_jwt_secret_v4
   service_tokens:
     external: true
     name: whoosh_service_tokens