feat: Production readiness improvements for WHOOSH council formation

Major security, observability, and configuration improvements:

## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies

## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options

## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)

## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling

## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes

## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

docker-compose.swarm.yml.backup

@@ -0,0 +1,227 @@
+version: '3.8'
+
+services:
+  whoosh:
+    image: anthonyrawlins/whoosh:council-deployment-v3
+    user: "0:0"  # Run as root to access Docker socket across different node configurations
+    ports:
+      - target: 8080
+        published: 8800
+        protocol: tcp
+        mode: ingress
+    environment:
+      # Database configuration  
+      WHOOSH_DATABASE_DB_HOST: postgres
+      WHOOSH_DATABASE_DB_PORT: 5432
+      WHOOSH_DATABASE_DB_NAME: whoosh
+      WHOOSH_DATABASE_DB_USER: whoosh
+      WHOOSH_DATABASE_DB_PASSWORD_FILE: /run/secrets/whoosh_db_password
+      WHOOSH_DATABASE_DB_SSL_MODE: disable
+      WHOOSH_DATABASE_DB_AUTO_MIGRATE: "true"
+      
+      # Server configuration
+      WHOOSH_SERVER_LISTEN_ADDR: ":8080"
+      WHOOSH_SERVER_READ_TIMEOUT: "30s"
+      WHOOSH_SERVER_WRITE_TIMEOUT: "30s"
+      WHOOSH_SERVER_SHUTDOWN_TIMEOUT: "30s"
+      
+      # GITEA configuration
+      WHOOSH_GITEA_BASE_URL: https://gitea.chorus.services  
+      WHOOSH_GITEA_TOKEN_FILE: /run/secrets/gitea_token
+      WHOOSH_GITEA_WEBHOOK_TOKEN_FILE: /run/secrets/webhook_token
+      WHOOSH_GITEA_WEBHOOK_PATH: /webhooks/gitea
+      
+      # Auth configuration
+      WHOOSH_AUTH_JWT_SECRET_FILE: /run/secrets/jwt_secret
+      WHOOSH_AUTH_SERVICE_TOKENS_FILE: /run/secrets/service_tokens
+      WHOOSH_AUTH_JWT_EXPIRY: "24h"
+      
+      # Logging
+      WHOOSH_LOGGING_LEVEL: debug
+      WHOOSH_LOGGING_ENVIRONMENT: production
+      
+      # Redis configuration
+      WHOOSH_REDIS_ENABLED: "true"
+      WHOOSH_REDIS_HOST: redis
+      WHOOSH_REDIS_PORT: 6379
+      WHOOSH_REDIS_PASSWORD_FILE: /run/secrets/redis_password
+      WHOOSH_REDIS_DATABASE: 0
+      
+      # BACKBEAT configuration - enabled for full integration
+      WHOOSH_BACKBEAT_ENABLED: "true"
+      WHOOSH_BACKBEAT_NATS_URL: "nats://backbeat-nats:4222"
+      
+      # Docker integration - enabled for council agent deployment  
+      WHOOSH_DOCKER_ENABLED: "true"
+    volumes:
+      # Docker socket access for council agent deployment
+      - /var/run/docker.sock:/var/run/docker.sock:rw
+      # Council prompts and configuration
+      - /rust/containers/WHOOSH/prompts:/app/prompts:ro
+    secrets:
+      - whoosh_db_password
+      - gitea_token
+      - webhook_token
+      - jwt_secret
+      - service_tokens
+      - redis_password
+    deploy:
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 120s
+      update_config:
+        parallelism: 1
+        delay: 10s
+        failure_action: rollback
+        monitor: 60s
+        order: start-first
+      # rollback_config:
+      #   parallelism: 1
+      #   delay: 0s
+      #   failure_action: pause
+      #   monitor: 60s
+      #   order: stop-first
+      placement:
+        preferences:
+          - spread: node.hostname
+      resources:
+        limits:
+          memory: 256M
+          cpus: '0.5'
+        reservations:
+          memory: 128M
+          cpus: '0.25'
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.whoosh.rule=Host(`whoosh.chorus.services`)
+        - traefik.http.routers.whoosh.tls=true
+        - traefik.http.routers.whoosh.tls.certresolver=letsencryptresolver
+        - traefik.http.services.whoosh.loadbalancer.server.port=8080
+        - traefik.http.middlewares.whoosh-auth.basicauth.users=admin:$$2y$$10$$example_hash
+    networks:
+      - tengig
+      - whoosh-backend
+      - chorus_net  # Connect to CHORUS network for BACKBEAT integration
+    healthcheck:
+      test: ["CMD", "/app/whoosh", "--health-check"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+  postgres:
+    image: postgres:15-alpine
+    environment:
+      POSTGRES_DB: whoosh
+      POSTGRES_USER: whoosh
+      POSTGRES_PASSWORD_FILE: /run/secrets/whoosh_db_password
+      POSTGRES_INITDB_ARGS: --auth-host=scram-sha-256
+    secrets:
+      - whoosh_db_password
+    volumes:
+      - whoosh_postgres_data:/var/lib/postgresql/data
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 120s
+      placement:
+        preferences:
+          - spread: node.hostname
+      resources:
+        limits:
+          memory: 512M
+          cpus: '1.0'
+        reservations:
+          memory: 256M
+          cpus: '0.5'
+    networks:
+      - whoosh-backend
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U whoosh"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+
+  redis:
+    image: redis:7-alpine
+    command: sh -c 'redis-server --requirepass "$$(cat /run/secrets/redis_password)" --appendonly yes'
+    secrets:
+      - redis_password
+    volumes:
+      - whoosh_redis_data:/data
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 120s
+      placement:
+        preferences:
+          - spread: node.hostname
+      resources:
+        limits:
+          memory: 128M
+          cpus: '0.25'
+        reservations:
+          memory: 64M
+          cpus: '0.1'
+    networks:
+      - whoosh-backend
+    healthcheck:
+      test: ["CMD", "sh", "-c", "redis-cli --no-auth-warning -a $$(cat /run/secrets/redis_password) ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+networks:
+  tengig:
+    external: true
+  whoosh-backend:
+    driver: overlay
+    attachable: false
+  chorus_net:
+    external: true
+    name: CHORUS_chorus_net
+
+volumes:
+  whoosh_postgres_data:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /rust/containers/WHOOSH/postgres
+  whoosh_redis_data:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /rust/containers/WHOOSH/redis
+
+secrets:
+  whoosh_db_password:
+    external: true
+    name: whoosh_db_password
+  gitea_token:
+    external: true
+    name: gitea_token
+  webhook_token:
+    external: true
+    name: whoosh_webhook_token
+  jwt_secret:
+    external: true
+    name: whoosh_jwt_secret
+  service_tokens:
+    external: true
+    name: whoosh_service_tokens
+  redis_password:
+    external: true
+    name: whoosh_redis_password