
feat: bundle XTM One in the default stack #128

Closed
azubiolo-filigran wants to merge 2 commits into OpenAEV-Platform:master from azubiolo-filigran:feat/xtm-one-default

Conversation

@azubiolo-filigran (Member)

Objective

Adds XTM One alongside OpenAEV in the default Docker stack so docker compose up -d brings the full XTM One + OpenAEV experience by default.

Refs XTM-One-Platform/xtm-one#1011. Companion PRs:

Changes

New services

  • pgsql-copilot (pgvector/pgvector:pg17) — dedicated Postgres+pgvector instance for XTM One, with its own credentials, kept separate from the OpenAEV pg cluster.
  • redis (redis:8.6.3) — required by XTM One (queues, cache, websockets). OpenAEV itself does not use it; it is added solely for XTM One.
  • xtm-one — exposes the XTM One UI/API on ${XTM_ONE_PORT} (default 4000), reuses the existing minio.
  • xtm-one-worker — async worker, depends on xtm-one being healthy.

Inter-platform wiring

  • New PLATFORM_REGISTRATION_TOKEN shared secret.
  • openaev service now receives OPENAEV_XTM_ONE_URL / OPENAEV_XTM_ONE_TOKEN.
  • xtm-one service receives OPENAEV_* federation env vars (URL, internal API URL, admin token).

Documentation

  • .env.sample gets a new XTM ONE block documenting admin credentials, image tag, dedicated Postgres credentials, S3 bucket, optional license, and the shared PLATFORM_REGISTRATION_TOKEN.

Scope

  • Only docker-compose.yml is touched. docker-compose.dev.yml, docker-compose.caldera*.yml and caldera.yml are intentionally left alone for now and will be handled in follow-ups if needed.

Verification

The same configuration has been validated end-to-end inside the unified xtm-docker stack (companion PR FiligranHQ/xtm-docker#15): all services reach healthy, OpenAEV and XTM One register successfully via PLATFORM_REGISTRATION_TOKEN, and cross-platform features work as expected.

Notes

  • The xtm-one yaml here is a convenience copy of what lives in FiligranHQ/xtm-docker (canonical source). Keeping it minimal so future syncs stay easy.
  • During verification we found that the composite /api/health?... endpoint is flaky during startup (depends on optional subsystems like mail/ES warm-up). It still works under steady state, so this PR leaves the existing OpenAEV healthcheck unchanged — but /actuator/health/ping is a more reliable alternative if you want it in a follow-up.

Adds XTM One alongside OpenAEV in the default compose:

- New pgsql-copilot service (pgvector/pgvector:pg17) for XTM One's
  vector store, with dedicated credentials (kept separate from the
  OpenAEV pg cluster).
- New redis service (required by XTM One for queues, cache,
  websockets) — OpenAEV itself does not need it.
- New xtm-one + xtm-one-worker services on port 4000, sharing the
  existing minio.
- PLATFORM_REGISTRATION_TOKEN shared secret plumbed into the openaev
  service (OPENAEV_XTM_ONE_URL / OPENAEV_XTM_ONE_TOKEN) and into XTM
  One (OPENAEV_* federation env vars).
- .env.sample documents the new XTM ONE block.

Refs XTM-One-Platform/xtm-one#1011

- Set OPENAEV_BASE-URL to internal hostname (http://openaev:8080)
- Set BASE_URL to internal hostname (http://xtm-one:4000)
- Add build directives for xtm-one and xtm-one-worker (context: ../xtm-one)
- Align XTM_ONE_ADMIN_EMAIL with OPENAEV_ADMIN_EMAIL in .env.sample
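The PR description and the second commit put several shared secrets into one .env (OPENAEV_ADMIN_TOKEN, XTM_ONE_SECRET_KEY, PLATFORM_REGISTRATION_TOKEN, the admin password, and a separate credential set for pgsql-copilot) and require XTM_ONE_ADMIN_EMAIL to match OPENAEV_ADMIN_EMAIL. The following pre-flight check is an added example, not code from this PR or either project: it audits a .env for the placeholder values visible in this thread, refuses identical passwords for the two Postgres instances, and rewrites the placeholders with fresh random values. The placeholder for PLATFORM_REGISTRATION_TOKEN, the Postgres variable names (POSTGRES_PASSWORD, COPILOT_POSTGRES_PASSWORD), the OPENAEV_ADMIN_PASSWORD name, the 16-character minimum and the sample .env are all assumptions.

```python
"""Pre-flight audit of a .env for the OpenAEV + XTM One compose stack (added example)."""
import re
import secrets
import uuid

# Placeholder values seen in this thread's .env.sample and sed commands.
# "ChangeMe" for PLATFORM_REGISTRATION_TOKEN is an assumption (not shown on the page).
PLACEHOLDERS = {
    "00000000-0000-0000-0000-000000000000",  # OPENAEV_ADMIN_TOKEN default
    "ChangeMeWithGeneratedRandomString",     # XTM_ONE_SECRET_KEY default
    "changeme",                              # admin password default
    "ChangeMe",                              # assumed registration-token default
}
SECRET_SUFFIXES = ("_TOKEN", "_SECRET_KEY", "_PASSWORD")
MIN_SECRET_LEN = 16  # assumed local policy
# Assumed variable names: pgsql-copilot must not reuse the OpenAEV pg password.
MUST_DIFFER = [("POSTGRES_PASSWORD", "COPILOT_POSTGRES_PASSWORD")]


def parse_env(text):
    """Minimal KEY=VALUE parser: comments and blank lines skipped, quotes stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def _is_weak(value):
    return value in PLACEHOLDERS or value.lower().startswith("change") or len(value) < MIN_SECRET_LEN


def audit_env(text):
    """Return a list of findings; an empty list means the file is ready to deploy."""
    env = parse_env(text)
    findings = []
    for key, value in env.items():
        if key.endswith(SECRET_SUFFIXES) and _is_weak(value):
            findings.append(f"{key}: placeholder or too-short secret")
    for a, b in MUST_DIFFER:
        if a in env and b in env and env[a] == env[b]:
            findings.append(f"{a} and {b}: identical; pgsql-copilot needs its own credentials")
    if env.get("OPENAEV_ADMIN_EMAIL") != env.get("XTM_ONE_ADMIN_EMAIL"):
        findings.append("XTM_ONE_ADMIN_EMAIL must match OPENAEV_ADMIN_EMAIL")
    return findings


def fill_placeholders(text):
    """Replace weak secret values with fresh random ones; every other line is kept as-is."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^([A-Z0-9_]+)=(.*)$", line)
        if m and m.group(1).endswith(SECRET_SUFFIXES) and _is_weak(m.group(2).strip()):
            key = m.group(1)
            # The thread uses uuidgen for the admin token; hex for everything else.
            fresh = str(uuid.uuid4()) if key == "OPENAEV_ADMIN_TOKEN" else secrets.token_hex(32)
            line = f"{key}={fresh}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample .env, modelled on the variables this PR thread mentions.
SAMPLE_ENV = """\
OPENAEV_ADMIN_EMAIL=admin@openaev.io
OPENAEV_ADMIN_PASSWORD=changeme
OPENAEV_ADMIN_TOKEN=00000000-0000-0000-0000-000000000000
POSTGRES_PASSWORD=sameweakvalue12345
COPILOT_POSTGRES_PASSWORD=sameweakvalue12345
XTM_ONE_PORT=4000
XTM_ONE_ADMIN_EMAIL=admin@openaev.io
XTM_ONE_SECRET_KEY=ChangeMeWithGeneratedRandomString
PLATFORM_REGISTRATION_TOKEN=ChangeMe
"""

if __name__ == "__main__":
    print("\n".join(audit_env(SAMPLE_ENV)))
    print("\n".join(audit_env(fill_placeholders(SAMPLE_ENV))))
```

Random generation alone does not clear the audit: the identical Postgres passwords survive `fill_placeholders` because they are not placeholders, which is exactly the case a reviewer wants surfaced rather than silently rewritten.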
@azubiolo-filigran (Member, Author)

Testing: OpenAEV + XTM One Docker Setup

Steps to reproduce

# 1. Clone both repos side-by-side
git clone git@github.com:OpenAEV-Platform/docker.git openaev-docker
git clone git@github.com:XTM-One-Platform/xtm-one.git xtm-one
cd openaev-docker
git checkout feat/xtm-one-default

# 2. Create .env from sample
cp .env.sample .env
# Replace mandatory values:
sed -i "s/OPENAEV_ADMIN_TOKEN=00000000-0000-0000-0000-000000000000/OPENAEV_ADMIN_TOKEN=$(uuidgen)/" .env
sed -i "s/XTM_ONE_SECRET_KEY=ChangeMeWithGeneratedRandomString/XTM_ONE_SECRET_KEY=$(openssl rand -hex 32)/" .env

# 3. Build and start (builds xtm-one from local clone)
docker compose up -d --build

# 4. Wait (~2-3 min) then verify
docker compose ps  # all services healthy

Note: The compose file has build: context: ../xtm-one directives for xtm-one and xtm-one-worker services. This requires the xtm-one repo cloned adjacent to this repo. Alternatively, remove the build: blocks and pull a pre-built image.

Credentials

Service   URL                     Email               Password
OpenAEV   http://localhost:8080   admin@openaev.io    changeme
XTM One   http://localhost:4000   admin@openaev.io    changeme

Key fixes in this commit

  1. OPENAEV_BASE-URL=http://openaev:8080 — JWT audience validation must match the internal hostname
  2. BASE_URL=http://xtm-one:4000 — JWT issuer + JWKS fetch must use internal hostname
  3. XTM_ONE_ADMIN_EMAIL=admin@openaev.io — must match OpenAEV admin so JWT email resolves
  4. Build directives (build: context: ../xtm-one) for local builds without registry access

Dependency

Requires XTM-One-Platform/xtm-one#1070 (fix/platform-registration-api-url-override) — adds OPENAEV_API_URL env var support so the registration stores the internal Docker URL instead of the platform-reported external URL.

Status

  • ⚠️ OpenAEV JVM did not fully start during testing (stuck after banner, no Spring Boot logs after 3+ min). Likely a resource/config issue unrelated to XTM One integration. The XTM One side starts correctly.
  • The JWT auth fix pattern is identical to what was verified working on the OpenCTI docker PR (#574 on OpenCTI-Platform/docker).
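Key fixes 1-3 above all concern how OpenAEV validates the token XTM One issues: the audience is compared against OPENAEV_BASE-URL, the issuer (and the JWKS location) against BASE_URL, and the e-mail claim must resolve to an OpenAEV account. The verifier below is an added example, not code from either project, showing why a token minted with localhost URLs fails when the internal Docker hostnames are expected. It assumes the standard iss/aud/email claim names and uses HS256 with a shared key so it runs offline, whereas the real stack fetches XTM One's public key over JWKS; the claim checks are the same either way.

```python
"""JWT issuer / audience / e-mail checks behind the thread's key fixes (added example)."""
import base64
import hashlib
import hmac
import json
import time

XTM_ONE_BASE_URL = "http://xtm-one:4000"   # BASE_URL on the XTM One side -> expected issuer
OPENAEV_BASE_URL = "http://openaev:8080"   # OPENAEV_BASE-URL -> expected audience
KNOWN_ACCOUNTS = {"admin@openaev.io"}      # OpenAEV users the e-mail claim may resolve to
SHARED_KEY = b"constructed-test-key-not-a-real-secret"  # stands in for the JWKS key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint an HS256 JWT for the given claims (test helper, assumed format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, key=SHARED_KEY, issuer=XTM_ONE_BASE_URL,
                 audience=OPENAEV_BASE_URL, accounts=KNOWN_ACCOUNTS, now=None):
    """Return (account_email, None) on success or (None, reason) on rejection.

    The signature is checked before any claim is trusted; alg is pinned so a
    token cannot downgrade the check.
    """
    try:
        h, b, s = token.split(".")
        header = json.loads(_unb64url(h))
        claims = json.loads(_unb64url(b))
        sig = _unb64url(s)
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        return None, "expired or missing exp"
    if claims.get("iss") != issuer:                       # key fix 2: BASE_URL
        return None, f"issuer {claims.get('iss')!r} != {issuer!r}"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:                          # key fix 1: OPENAEV_BASE-URL
        return None, f"audience {aud!r} does not include {audience!r}"
    email = claims.get("email")
    if email not in accounts:                             # key fix 3: admin e-mail alignment
        return None, f"email {email!r} does not match an OpenAEV account"
    return email, None


def demo():
    """Externally-addressed token is rejected; the internally-addressed one resolves."""
    now = 1_700_000_000  # fixed clock so the result is deterministic
    external = make_token({"iss": "http://localhost:4000", "aud": "http://localhost:8080",
                           "email": "admin@openaev.io", "exp": now + 300})
    internal = make_token({"iss": XTM_ONE_BASE_URL, "aud": OPENAEV_BASE_URL,
                           "email": "admin@openaev.io", "exp": now + 300})
    return verify_token(external, now=now), verify_token(internal, now=now)


if __name__ == "__main__":
    print(demo())
```

The first element of `demo()` is the failure mode described in the thread: the token is correctly signed and unexpired, yet its issuer names localhost, so the check stops there before the audience is even compared.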

@azubiolo-filigran (Member, Author)

Closing in favor of a new PR from the upstream branch (same changes).
