refactor: consolidate EncryptID into main docker-compose.yml

Merge encryptid + encryptid-db services from separate docker-compose.encryptid.yml
into the main compose file. Update Dockerfile.encryptid to use additional_contexts
for encryptid-sdk (matching main Dockerfile pattern) instead of fragile context: ..

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile.encryptid

@@ -1,14 +1,17 @@
 # EncryptID Server Dockerfile
 # Multi-stage build for optimized production image
+# Build context: . (rspace-online root), with additional_contexts for encryptid-sdk
 
 # Build stage
 FROM oven/bun:1.1 AS builder
 
 WORKDIR /app
 
-# Copy package files and encryptid-sdk (build context is parent dir)
-COPY rspace-online/package.json rspace-online/bun.lockb* ./
-COPY encryptid-sdk /encryptid-sdk/
+# Copy package files
+COPY package.json bun.lock* ./
+
+# Copy local SDK dependency (same pattern as main Dockerfile)
+COPY --from=encryptid-sdk . /encryptid-sdk/
 
 # Rewrite file: dependency to absolute path for Docker build
 RUN sed -i 's|"file:../encryptid-sdk"|"file:/encryptid-sdk"|' package.json
@@ -17,10 +20,10 @@ RUN sed -i 's|"file:../encryptid-sdk"|"file:/encryptid-sdk"|' package.json
 RUN bun install --frozen-lockfile || bun install
 
 # Copy source
-COPY rspace-online/src/encryptid ./src/encryptid
-COPY rspace-online/shared/local-first ./shared/local-first
-COPY rspace-online/public ./public
-COPY rspace-online/tsconfig.json ./
+COPY src/encryptid ./src/encryptid
+COPY shared/local-first ./shared/local-first
+COPY public ./public
+COPY tsconfig.json ./
 
 # Build client-side modules for browser
 RUN bun build ./src/encryptid/index.ts --outdir=./src/encryptid/dist --target=browser --minify

docker-compose.yml

@@ -170,6 +170,77 @@ services:
     networks:
       - rspace-internal
 
+  # ── EncryptID auth service ──
+  encryptid:
+    build:
+      context: .
+      dockerfile: Dockerfile.encryptid
+      additional_contexts:
+        encryptid-sdk: ../encryptid-sdk
+    container_name: encryptid
+    restart: unless-stopped
+    depends_on:
+      encryptid-db:
+        condition: service_healthy
+    environment:
+      - NODE_ENV=production
+      - PORT=3000
+      - JWT_SECRET=${JWT_SECRET}
+      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD}@encryptid-db:5432/encryptid
+      - SMTP_HOST=${SMTP_HOST:-mail.rmail.online}
+      - SMTP_PORT=${SMTP_PORT:-587}
+      - SMTP_USER=${SMTP_USER:-noreply@rspace.online}
+      - SMTP_PASS=${SMTP_PASS}
+      - SMTP_FROM=${SMTP_FROM:-EncryptID <noreply@rspace.online>}
+      - RECOVERY_URL=${RECOVERY_URL:-https://auth.rspace.online/recover}
+      - MAILCOW_API_URL=${MAILCOW_API_URL:-http://nginx-mailcow:8080}
+      - MAILCOW_API_KEY=${MAILCOW_API_KEY:-}
+      - ADMIN_DIDS=${ADMIN_DIDS}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.encryptid.rule=Host(`auth.rspace.online`) || Host(`auth.ridentity.online`) || Host(`encryptid.jeffemmett.com`)"
+      - "traefik.http.routers.encryptid.entrypoints=web"
+      - "traefik.http.routers.encryptid.priority=150"
+      - "traefik.http.services.encryptid.loadbalancer.server.port=3000"
+      # .well-known/webauthn on RP ID domains
+      - "traefik.http.routers.encryptid-wellknown.rule=Host(`rspace.online`) && PathPrefix(`/.well-known/webauthn`)"
+      - "traefik.http.routers.encryptid-wellknown.entrypoints=web"
+      - "traefik.http.routers.encryptid-wellknown.priority=200"
+      - "traefik.http.routers.encryptid-wellknown.service=encryptid"
+      - "traefik.http.routers.encryptid-wellknown-rid.rule=Host(`ridentity.online`) && PathPrefix(`/.well-known/webauthn`)"
+      - "traefik.http.routers.encryptid-wellknown-rid.entrypoints=web"
+      - "traefik.http.routers.encryptid-wellknown-rid.priority=200"
+      - "traefik.http.routers.encryptid-wellknown-rid.service=encryptid"
+    networks:
+      - traefik-public
+      - encryptid-internal
+      - rmail-mailcow
+    healthcheck:
+      test: ["CMD", "bun", "-e", "fetch('http://localhost:3000/health').then(r => r.json()).then(d => process.exit(d.database ? 0 : 1)).catch(() => process.exit(1))"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+
+  encryptid-db:
+    image: postgres:16-alpine
+    container_name: encryptid-db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_DB=encryptid
+      - POSTGRES_USER=encryptid
+      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD}
+    volumes:
+      - encryptid-pgdata:/var/lib/postgresql/data
+    networks:
+      - encryptid-internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U encryptid -d encryptid"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+
 volumes:
   rspace-data:
   rspace-books:
@@ -179,6 +250,7 @@ volumes:
   rspace-docs:
   rspace-backups:
   rspace-pgdata:
+  encryptid-pgdata:
 
 networks:
   traefik-public:
@@ -190,3 +262,4 @@ networks:
     name: mailcowdockerized_mailcow-network
     external: true
   rspace-internal:
+  encryptid-internal: