stage-9: consolidate into one compose stack behind nginx-proxy

psyc now runs as a single docker compose stack — cockpit + mock-cert +
(gpu-profile) inference — on the shared external `backend` network, fronted
by nginx-proxy as psyc.neuronetz.ai. Replaces the venv processes + one-off
docker run. MOCK_CERT_BASE and INFERENCE_URL are now env-configurable
(PSYC_MOCK_CERT_URL / PSYC_INFERENCE_URL) so the cockpit reaches the other
services by compose service name. Restart policies + healthchecks. deploy.md
rewritten to match.

Verified: cockpit serves directly and via the proxy; the full
scout→…→courier→ledger chain runs over the compose network.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/deploy.md

@@ -1,57 +1,59 @@
 # psyc — deployment
 
-Deploying the psyc platform (cockpit + workers) as Docker containers — e.g. on a
-Proxmox-hosted VM in the company network.
+psyc deploys as a three-service Docker Compose stack, fronted by an existing
+`jwilder/nginx-proxy` on the shared external `backend` network and served as
+`psyc.neuronetz.ai`.
 
 ## Read this before deploying
 
 - **No built-in authentication.** The cockpit exposes cases, the ledger, and
-  sealed-package metadata to anyone who can reach port 8767. Deploy it **behind
-  the company reverse proxy / SSO / VPN**, or firewall the ports to the SOC
-  subnet. Do not expose 8767 to the open network. (If you want in-app auth
-  instead of relying on the perimeter, that's a feature to add — not present today.)
-- **The live model is separate.** This image has no GPU and no torch. The
-  fine-tuned-model bot needs `serve_model.py` running in the CUDA container on a
-  GPU host (Proxmox GPU passthrough to a VM). Without it the Classifier bot
-  falls back to rules — the platform works fine, just rules-only.
+  sealed-package metadata to anyone who can reach it. The reverse proxy / network
+  perimeter **is** the security boundary — keep `psyc.neuronetz.ai` on the
+  internal network or behind SSO. nginx-proxy can add per-vhost basic auth via a
+  mounted `htpasswd` file if you need a quick gate. (In-app auth is not built.)
+- **The live model is GPU-only.** The `inference` service needs an NVIDIA GPU
+  and the `psyc-trainer` image (`docker build -f Dockerfile.train`). It is gated
+  behind the `gpu` compose profile. Without it the Classifier bot falls back to
+  rules — the platform runs fine.
 - **Outbound network.** Scoutline (URLhaus / CISA KEV / Feodo) and Mapline
   (ip-api.com) make outbound HTTPS. Behind a company egress proxy, set
-  `HTTPS_PROXY` / `HTTP_PROXY` in the container environment (see the commented
-  block in `docker-compose.yml`).
-- **mock-cert is a stand-in.** It accepts submissions for testing — it is not a
-  real destination. Wire real CERT / MISP / abuse endpoints (and their
-  credentials, per `docs/dossier.md` §18) before relying on routing in production.
+  `HTTPS_PROXY` / `HTTP_PROXY` on the `cockpit` service.
+- **mock-cert is a stand-in** for real destinations — wire real CERT / MISP /
+  abuse endpoints (and credentials, per `docs/dossier.md` §18) before relying on
+  routing in production.
 
-## Proxmox
+## Prerequisites
 
-Docker is not native to Proxmox. Run it inside a Proxmox **VM** (recommended —
-clean isolation, simplest Docker support) or a privileged LXC. Install Docker +
-the Compose plugin in that guest, give it outbound network for the feeds, then
-deploy as below. The GPU inference server, if used, needs a separate VM with
-GPU passthrough.
+- A Docker host (on Proxmox: a VM running Docker — cleanest; or a privileged LXC).
+- The external `backend` network and an `nginx-proxy` on it (the shared
+  reverse-proxy stack). psyc joins that network; the proxy auto-discovers the
+  cockpit by its `VIRTUAL_HOST`.
+- DNS: point `psyc.neuronetz.ai` at the proxy host.
+- For the live model: an NVIDIA GPU + the NVIDIA container runtime, and the
+  `psyc-trainer` image built.
 
 ## Deploy
 
 ```bash
 git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
 cd psyc
-docker compose up -d --build
+
+docker compose up -d --build                  # cockpit + mock-cert
+docker compose --profile gpu up -d --build     # + the live model (GPU host)
 ```
 
-Starts two containers from one `psyc:latest` image:
-
-| Service | Port | Role |
+| Service | Exposure | Role |
 |---|---|---|
-| `cockpit` | 8767 | operator UI |
-| `mock-cert` | 8770 | stand-in destination receiver (testing) |
+| `cockpit` | `psyc.neuronetz.ai` via the proxy (+ `:8767` direct, debug) | operator UI |
+| `mock-cert` | internal to `backend` only | stand-in destination receiver |
+| `inference` | internal to `backend` only · `gpu` profile | live fine-tuned model |
 
-The sqlite db, sealed packages, and recipient keys persist in the `psyc-data`
-named volume — they survive container restarts and rebuilds.
+Data (sqlite db, sealed packages, recipient keys, model adapters) is bind-mounted
+from `./data` and persists across restarts and rebuilds.
 
 ## First run
 
-The schema is created on cockpit startup, but there are no cases until you
-ingest. Run inside the container:
+The schema is created on cockpit startup; ingest to populate it:
 
 ```bash
 docker compose exec cockpit psyc fetch-all
@@ -59,21 +61,18 @@ docker compose exec cockpit psyc classify-all
 docker compose exec cockpit psyc map-all
 ```
 
-Keep it ingesting by scheduling `fetch-all` — a host cron entry calling
-`docker compose exec cockpit psyc fetch-all`, e.g. hourly.
+Schedule `fetch-all` (host cron → `docker compose exec`) to keep ingesting.
 
 ## Updating
 
 ```bash
 git pull
-docker compose up -d --build
+docker compose --profile gpu up -d --build
 ```
 
-The `psyc-data` volume is preserved across updates.
-
 ## Health
 
 ```bash
-curl http://<host>:8767/healthz      # cockpit
-curl http://<host>:8770/healthz      # mock-cert
+curl -H 'Host: psyc.neuronetz.ai' http://<proxy-host>/healthz
+docker compose ps
 ```