Remove vault-transit service entirely. Each vault node now auto-unseals at
startup by reading the Shamir unseal key from a Docker secret managed by
vault-bootstrap.sh. Eliminates the transit token expiry failure mode and
removes the vault_transit node-pinning requirement.
Changes:
- docker-stack-vault.yml: remove vault-transit service, vault_transit_config,
vault-transit-data-vl, transit_master_token / vault_transit_unseal_key
secrets; add vault_unseal_key secret; rewrite vault entrypoint to background
start + poll + auto-unseal loop
- vault-template-v1.json, vault-template-v2.json: remove seal.transit block
- vault-template-transit.json: deleted (vault-transit is gone)
- vault-bootstrap.sh: full rewrite — node-agnostic run_vault() helper (docker
exec fallback to docker run over overlay network), 7-step Shamir flow with
SKIP_DEPLOY support and early-exit when vault is already healthy
- deploy-prod.yml: replace BE-Forecast deploy with vault stack deploy +
bootstrap (SKIP_DEPLOY=true) + cluster health check
