feat: update all Docker Compose files for Vision primary with WIF auth (refs #127)

- Switch OCR engine config to google_vision primary / paddleocr fallback
- Mount Auth0 OCR secrets and WIF config into all OCR containers
- Add WIF config to repo (not a secret, contains no credentials)
- Remove obsolete google-vision-key.json.example

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -22,6 +22,7 @@ secrets/**
 !secrets/
 !secrets/**/
 !secrets/**/*.example
+!secrets/app/google-wif-config.json
 
 # Traefik ACME certificates (contains private keys)
 data/traefik/acme.json

docker-compose.blue-green.yml

@@ -199,6 +199,10 @@ services:
   # ========================================
   mvp-ocr:
     image: ${OCR_IMAGE:-git.motovaultpro.com/egullickson/ocr:latest}
+    volumes:
+      - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro
+      - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro
+      - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro
 
   # ========================================
   # Override Traefik to add dynamic config

docker-compose.prod.yml

@@ -49,10 +49,13 @@ services:
       REDIS_HOST: mvp-redis
       REDIS_PORT: 6379
       REDIS_DB: 1
-      OCR_PRIMARY_ENGINE: paddleocr
+      # OCR engine configuration (Google Vision primary, PaddleOCR fallback)
-      OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none}
+      OCR_PRIMARY_ENGINE: google_vision
-      OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6}
+      OCR_FALLBACK_ENGINE: paddleocr
-      GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json
+      OCR_CONFIDENCE_THRESHOLD: "0.6"
+      OCR_FALLBACK_THRESHOLD: "0.6"
+      GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json
+      VISION_MONTHLY_LIMIT: "1000"
 
   # PostgreSQL - Remove dev ports, production log level
   mvp-postgres:

docker-compose.staging.yml

@@ -69,10 +69,17 @@ services:
       REDIS_HOST: mvp-redis
       REDIS_PORT: 6379
       REDIS_DB: 1
-      OCR_PRIMARY_ENGINE: paddleocr
+      # OCR engine configuration (Google Vision primary, PaddleOCR fallback)
-      OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none}
+      OCR_PRIMARY_ENGINE: google_vision
-      OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6}
+      OCR_FALLBACK_ENGINE: paddleocr
-      GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json
+      OCR_CONFIDENCE_THRESHOLD: "0.6"
+      OCR_FALLBACK_THRESHOLD: "0.6"
+      GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json
+      VISION_MONTHLY_LIMIT: "1000"
+    volumes:
+      - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro
+      - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro
+      - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro
 
   # ========================================
   # PostgreSQL (Staging - Separate Database)

docker-compose.yml

@@ -196,16 +196,18 @@ services:
       REDIS_HOST: mvp-redis
       REDIS_PORT: 6379
       REDIS_DB: 1
-      # OCR engine configuration (PaddleOCR primary, cloud fallback optional)
+      # OCR engine configuration (Google Vision primary, PaddleOCR fallback)
-      OCR_PRIMARY_ENGINE: paddleocr
+      OCR_PRIMARY_ENGINE: google_vision
-      OCR_FALLBACK_ENGINE: ${OCR_FALLBACK_ENGINE:-none}
+      OCR_FALLBACK_ENGINE: paddleocr
-      OCR_FALLBACK_THRESHOLD: ${OCR_FALLBACK_THRESHOLD:-0.6}
+      OCR_CONFIDENCE_THRESHOLD: "0.6"
-      GOOGLE_VISION_KEY_PATH: /run/secrets/google-vision-key.json
+      OCR_FALLBACK_THRESHOLD: "0.6"
+      GOOGLE_VISION_KEY_PATH: /run/secrets/google-wif-config.json
+      VISION_MONTHLY_LIMIT: "1000"
     volumes:
       - /tmp/vin-debug:/tmp/vin-debug
-      # Optional: Uncomment to enable Google Vision cloud fallback.
+      - ./secrets/app/auth0-ocr-client-id.txt:/run/secrets/auth0-ocr-client-id:ro
-      # Requires: secrets/app/google-vision-key.json and OCR_FALLBACK_ENGINE=google_vision
+      - ./secrets/app/auth0-ocr-client-secret.txt:/run/secrets/auth0-ocr-client-secret:ro
-      # - ./secrets/app/google-vision-key.json:/run/secrets/google-vision-key.json:ro
+      - ./secrets/app/google-wif-config.json:/run/secrets/google-wif-config.json:ro
     networks:
       - backend
       - database

secrets/app/google-vision-key.json.example

@@ -1,18 +0,0 @@
-{
-  "_comment": "Google Vision API service account key for OCR cloud fallback",
-  "_instructions": [
-    "1. Create a Google Cloud service account with Vision API access",
-    "2. Download the JSON key file",
-    "3. Save it as secrets/app/google-vision-key.json (gitignored)",
-    "4. Uncomment the volume mount in docker-compose.yml",
-    "5. Set OCR_FALLBACK_ENGINE=google_vision"
-  ],
-  "type": "service_account",
-  "project_id": "your-project-id",
-  "private_key_id": "",
-  "private_key": "",
-  "client_email": "your-sa@your-project-id.iam.gserviceaccount.com",
-  "client_id": "",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://oauth2.googleapis.com/token"
-}

secrets/app/google-wif-config.json

@@ -0,0 +1,14 @@
+{
+  "universe_domain": "googleapis.com",
+  "type": "external_account",
+  "audience": "//iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider",
+  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "credential_source": {
+    "executable": {
+      "command": "/app/scripts/fetch-auth0-token.sh",
+      "timeout_millis": 30000
+    }
+  },
+  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/mvp-svc-account@motovaultpro.iam.gserviceaccount.com:generateAccessToken"
+}