feat: Production readiness improvements for WHOOSH council formation

Major security, observability, and configuration improvements:

## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies

## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options

## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)

## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling

## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes

## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

docker-compose.swarm.yml

@@ -40,12 +40,6 @@ services:
       WHOOSH_LOGGING_LEVEL: debug
       WHOOSH_LOGGING_ENVIRONMENT: production
       
-      # Redis configuration
-      WHOOSH_REDIS_ENABLED: "true"
-      WHOOSH_REDIS_HOST: redis
-      WHOOSH_REDIS_PORT: 6379
-      WHOOSH_REDIS_PASSWORD_FILE: /run/secrets/redis_password
-      WHOOSH_REDIS_DATABASE: 0
       
       # BACKBEAT configuration - enabled for full integration
       WHOOSH_BACKBEAT_ENABLED: "true"
@@ -64,7 +58,6 @@ services:
       - webhook_token
       - jwt_secret
       - service_tokens
-      - redis_password
     deploy:
       replicas: 2
       restart_policy:
@@ -149,38 +142,6 @@ services:
       retries: 5
       start_period: 30s
 
-  redis:
-    image: redis:7-alpine
-    command: sh -c 'redis-server --requirepass "$$(cat /run/secrets/redis_password)" --appendonly yes'
-    secrets:
-      - redis_password
-    volumes:
-      - whoosh_redis_data:/data
-    deploy:
-      replicas: 1
-      restart_policy:
-        condition: on-failure
-        delay: 5s
-        max_attempts: 3
-        window: 120s
-      placement:
-        preferences:
-          - spread: node.hostname
-      resources:
-        limits:
-          memory: 128M
-          cpus: '0.25'
-        reservations:
-          memory: 64M
-          cpus: '0.1'
-    networks:
-      - whoosh-backend
-    healthcheck:
-      test: ["CMD", "sh", "-c", "redis-cli --no-auth-warning -a $$(cat /run/secrets/redis_password) ping"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 30s
 
 networks:
   tengig:
@@ -199,12 +160,6 @@ volumes:
       type: none
       o: bind
       device: /rust/containers/WHOOSH/postgres
-  whoosh_redis_data:
-    driver: local
-    driver_opts:
-      type: none
-      o: bind
-      device: /rust/containers/WHOOSH/redis
 
 secrets:
   whoosh_db_password:
@@ -222,6 +177,3 @@ secrets:
   service_tokens:
     external: true
     name: whoosh_service_tokens
-  redis_password:
-    external: true
-    name: whoosh_redis_password