Add WHOOSH search service with BACKBEAT integration

Complete implementation:
- Go-based search service with PostgreSQL and Redis backend
- BACKBEAT SDK integration for beat-aware search operations
- Docker containerization with multi-stage builds
- Comprehensive API endpoints for project analysis and search
- Database migrations and schema management
- GITEA integration for repository management
- Team composition analysis and recommendations

Key features:
- Beat-synchronized search operations with timing coordination
- Phase-based operation tracking (started → querying → ranking → completed)
- Docker Swarm deployment configuration
- Health checks and monitoring
- Secure configuration with environment variables

Architecture:
- Microservice design with clean API boundaries
- Background processing for long-running analysis
- Modular internal structure with proper separation of concerns
- Integration with CHORUS ecosystem via BACKBEAT timing

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/API_SPECIFICATION.md

@@ -1,6 +1,13 @@
 # WHOOSH API Specification
 ## Autonomous AI Development Teams API
 
+Auth & Scope Revision (MVP)
+- Humans: authenticate via Gitea OIDC; WHOOSH should not issue long-lived user JWTs. Maintain short-lived sessions or signed service tokens as needed.
+- Agents/services: use scoped service tokens (PAT-like), revocable, with minimal permissions.
+- MVP endpoints: focus on tasks intake (from Gitea), team state, PR linkage/status, and a proxy for SLURP submissions. WebSocket streams are read-only status.
+- Envelopes: include `version`, `schema_version`, and `request_id`. Enforce JSON Schema validation and size limits. References only (UCXL/CIDs), no large artefacts.
+- Rate limiting: per token and IP, with 429 + Retry-After. Idempotency keys for mutating endpoints.
+
 ### Overview
 
 This document defines the comprehensive API specification for WHOOSH's transformation into an Autonomous AI Development Teams orchestration platform. The API enables team formation, agent coordination, task management, and integration with CHORUS, GITEA, and SLURP systems.
@@ -18,28 +25,14 @@ WebSocket Endpoint: wss://whoosh.chorus.services/ws
 
 ## 🔐 Authentication
 
-### JWT Token Structure
-```json
-{
-  "sub": "user_id_or_agent_id",
-  "type": "user" | "agent" | "system",
-  "iat": 1625097600,
-  "exp": 1625184000,
-  "roles": ["admin", "team_lead", "agent", "viewer"],
-  "permissions": [
-    "teams.create",
-    "agents.manage",
-    "tasks.assign"
-  ],
-  "capabilities": ["security", "backend", "frontend"], // For agents
-  "agent_metadata": { // For agent tokens
-    "node_id": "12D3KooW...",
-    "hardware": {...},
-    "models": [...],
-    "specialization": "security_expert"
-  }
-}
-```
+Note: Prefer OIDC for humans; if JWTs are used, scope narrowly and keep short expiry. Agents should use service tokens bound to explicit scopes.
+
+### MVP Endpoints (v1)
+- POST `/api/v1/tasks/ingest` (internal, from webhook) – accept `bzzz-task` issue payloads
+- GET `/api/v1/teams/:id` – team state summary
+- GET `/api/v1/teams/:id/activity` (WS) – read-only status stream
+- POST `/api/v1/teams/:id/submissions` – forward to SLURP with UCXL address
+- GET `/api/v1/status` – health/status
 
 ### Authentication Endpoints
 
@@ -1174,4 +1167,4 @@ ws.send(JSON.stringify({
 }
 ```
 
-This API specification provides the complete interface for WHOOSH's transformation into an Autonomous AI Development Teams platform, enabling sophisticated team orchestration, agent coordination, and collaborative development processes across the CHORUS ecosystem.
+This API specification provides the complete interface for WHOOSH's transformation into an Autonomous AI Development Teams platform, enabling sophisticated team orchestration, agent coordination, and collaborative development processes across the CHORUS ecosystem.