dev: add Kratos + Mailpit local-dev stack

docker-compose.dev.yml gains a Kratos identity service (public :4433 / admin
:4434) and a Mailpit SMTP catcher for local onboarding email codes, plus a
postgres-init mount. deploy/local/kratos/ holds the local Kratos config +
identity schema (placeholder dev cookie secret only). Supports the local
backend the XCUITest suite seeds against.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docker-compose.dev.yml

@@ -14,6 +14,7 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-honeydue}
     volumes:
       - postgres_data:/var/lib/postgresql/data
+      - ./deploy/local/postgres-init:/docker-entrypoint-initdb.d:ro
     ports:
       - "${DB_PORT:-5433}:5432"  # 5433 externally to avoid conflicts with local postgres
     healthcheck:
@@ -91,6 +92,10 @@ services:
 
       # Storage encryption
       STORAGE_ENCRYPTION_KEY: ${STORAGE_ENCRYPTION_KEY}
+
+      # Kratos (identity service)
+      KRATOS_PUBLIC_URL: "http://kratos:4433"
+      KRATOS_ADMIN_URL: "http://kratos:4434"
     volumes:
       - ./push_certs:/certs:ro
       - ./uploads:/app/uploads
@@ -99,6 +104,8 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+      kratos:
+        condition: service_healthy
     healthcheck:
       test: ["CMD", "curl", "-f", "http://127.0.0.1:8000/api/health/"]
       interval: 30s
@@ -184,6 +191,59 @@ services:
     networks:
       - honeydue-network
 
+  # Mailpit — local SMTP catcher (for Kratos email codes during onboarding)
+  mailpit:
+    image: axllent/mailpit:latest
+    container_name: honeydue-mailpit
+    restart: unless-stopped
+    ports:
+      - "${MAILPIT_SMTP_PORT:-1025}:1025"
+      - "${MAILPIT_HTTP_PORT:-8025}:8025"
+    networks:
+      - honeydue-network
+
+  # Kratos schema migration (one-shot, runs before kratos starts)
+  kratos-migrate:
+    image: oryd/kratos:v1.3.0
+    container_name: honeydue-kratos-migrate
+    command: ["migrate", "sql", "-e", "--yes"]
+    environment:
+      DSN: "postgres://${POSTGRES_USER:-honeydue}:${POSTGRES_PASSWORD:-honeydue_dev_password}@db:5432/kratos?sslmode=disable"
+    depends_on:
+      db:
+        condition: service_healthy
+    networks:
+      - honeydue-network
+    restart: "no"
+
+  # Ory Kratos — identity service
+  kratos:
+    image: oryd/kratos:v1.3.0
+    container_name: honeydue-kratos
+    restart: unless-stopped
+    command: ["serve", "--config", "/etc/config/kratos/kratos.yml", "--watch-courier", "--dev"]
+    ports:
+      - "${KRATOS_PUBLIC_PORT:-4433}:4433"
+      - "${KRATOS_ADMIN_PORT:-4434}:4434"
+    environment:
+      DSN: "postgres://${POSTGRES_USER:-honeydue}:${POSTGRES_PASSWORD:-honeydue_dev_password}@db:5432/kratos?sslmode=disable"
+      LOG_LEVEL: "debug"
+    volumes:
+      - ./deploy/local/kratos:/etc/config/kratos:ro
+    depends_on:
+      kratos-migrate:
+        condition: service_completed_successfully
+      mailpit:
+        condition: service_started
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:4434/health/ready"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+    networks:
+      - honeydue-network
+
   # Dozzle — lightweight real-time log viewer
   dozzle:
     image: amir20/dozzle:latest