Address CK-DOCS-ASKS-HYBRID findings and Tim's diagram feedback

Diagrams:
- overview-fig-2: add LB/proxy, HTTPS/HTTP labels, fix token flow
  direction, split data layer into labeled nodes, fix label positioning
- complete-guide-fig-1: reduce to single replica (+N), add HTTPS labels,
  add read/write labels to data layer connections
- complete-guide-fig-2: remove bare-metal option, rename to
  "Container orchestrator"
- database-setup-fig-1: remove bare-metal, clarify native DB path

Critical fixes (from CK-DOCS-ASKS-HYBRID):
- G6: Fix WEBSEARCH_HEADERS from broken JSON to colon-CSV format
- G1: Add ai:conversations:webSearch to JWT permissions table

High-severity:
- D2: Add Postgres TLS known-issue warning (managed PG + missing SSL)
- B4: Add Bedrock API-key billing trap note
- E1: Document I/O-bound workload shape for HPA guidance
- E2: Add HA primitives section (PDB, anti-affinity, topology spread)
- E3: Add Azure (AKS) and GCP (GKE) cluster bring-up pointers

Medium/Low:
- D3: MySQL role-inherited grants note for Cloud SQL
- E7: License key shared across replicas statement
- G7: host.docker.internal loopback-bind warning
- Network requirements: license.container.tiny.cloud firewall whitelist
- MCP page: web search prominence TIP

Author: kemister85

modules/ROOT/images/tinymceai-on-premises/complete-guide-fig-1.mmd

@@ -1,17 +1,13 @@
 flowchart TB
     Browser["Browser<br>TinyMCE editor + tinymceai plugin"]
     TokenEP["Your token endpoint<br>signs HS256 JWTs"]
-    Browser -->|"fetch JWT"| TokenEP
+    Browser -->|"HTTPS"| TokenEP
     Browser -->|"HTTPS + Bearer JWT"| LB
 
-    subgraph App["Application layer (stateless, N replicas)"]
+    subgraph App["Application layer (stateless, +N replicas)"]
         LB["Reverse proxy / Load balancer<br>nginx · ALB · K8s Ingress<br>TLS termination · SSE pass-through"]
-        AIN["ai-service replica N"]
-        AI2["ai-service replica 2"]
-        AI1["ai-service replica 1"]
-        LB --> AIN
-        LB --> AI2
-        LB --> AI1
+        AI1["ai-service"]
+        LB -->|"HTTP"| AI1
     end
 
     subgraph Data["Shared data layer"]
@@ -20,7 +16,9 @@ flowchart TB
         Storage[("File storage<br>S3 · Azure Blob · filesystem")]
     end
 
-    AI1 --> Data
+    AI1 <-->|"read/write"| DB
+    AI1 <-->|"read/write"| Cache
+    AI1 <-->|"read/write"| Storage
 
     AI1 -->|"HTTPS"| LLM["LLM provider<br>OpenAI · Anthropic · Google ·<br>Azure · Bedrock · Vertex ·<br>self-hosted"]
 

modules/ROOT/images/tinymceai-on-premises/complete-guide-fig-1.svg

@@ -1,16 +1,14 @@
 flowchart TD
     Start([New deployment]) --> Q1{Evaluating or<br>going to production?}
     Q1 -->|Evaluating locally| Compose[Docker Compose<br>all services on one host<br>Getting started guide]
-    Q1 -->|Production| Q2{Orchestrator?}
+    Q1 -->|Production| Q2{Container orchestrator?}
     Q2 -->|Kubernetes| K8s[Kubernetes deployment<br>Production guide]
     Q2 -->|AWS ECS / Fargate| ECS[ECS task definition<br>Production guide]
     Q2 -->|Docker / Podman on VMs| VMs[Docker or Podman compose<br>Database guide]
-    Q2 -->|Bare metal / no containers| Bare[Native install for<br>data layer; container<br>for AI service<br>Database guide]
     Compose --> DB{Database?}
     K8s --> DB
     ECS --> DB
     VMs --> DB
-    Bare --> DB
     DB -->|Managed cloud DB| Managed[RDS · Cloud SQL ·<br>Azure Database]
     DB -->|Self-managed| Self[Containers or native install]
     Managed --> Done([Continue with<br>LLM providers guide])

modules/ROOT/images/tinymceai-on-premises/complete-guide-fig-2.mmd

@@ -5,7 +5,7 @@ flowchart TD
     Q2 -->|Cloud / managed services| Managed[AWS RDS · Cloud SQL ·<br>Azure Database<br>+ ElastiCache · Memorystore ·<br>Azure Cache for Redis]
     Q2 -->|Self-managed| Q3{Container runtime<br>available?}
     Q3 -->|Docker or Podman| Containers[Containers on the same<br>network or pod as ai-service]
-    Q3 -->|None - bare metal or VM| Native[Native install<br>brew · apt · yum · dnf<br>service runs on host]
+    Q3 -->|Native on host| Native[Native install<br>brew · apt · yum · dnf<br>AI service connects via<br>host.docker.internal]
     Compose --> Verify([Verify: nc -zv host port<br>then start ai-service])
     Managed --> Verify
     Containers --> Verify

modules/ROOT/images/tinymceai-on-premises/complete-guide-fig-2.svg

@@ -6,18 +6,25 @@ flowchart LR
     end
 
     subgraph Service["Application layer"]
+        LB["Load balancer /\nreverse proxy\n(TLS termination)"]
         AI["AI service\n(container)"]
     end
 
     subgraph Data["Data layer"]
-        DB[("Database\n+ Redis\n+ Storage")]
+        DB[("SQL database\n(conversations, configs)")]
+        Redis[("Redis\n(cache, coordination)")]
+        Storage[("File storage\n(uploads, documents)")]
     end
 
     LLM["LLM provider"]
 
-    Token -->|"1. signed JWT"| App
-    App -->|"2. prompt + JWT"| AI
-    AI -->|"5. SSE stream"| App
-    AI -->|"3. forward"| LLM
+    App -->|"1. request JWT"| Token
+    Token -->|"JWT"| App
+    App -->|"2. HTTPS"| LB
+    LB -->|"HTTP"| AI
+    AI -->|"3. HTTPS"| LLM
     LLM -->|"4. stream"| AI
-    AI --- DB
+    AI -->|"5. SSE response"| App
+    AI <-->|"read/write"| DB
+    AI <-->|"read/write"| Redis
+    AI <-->|"read/write"| Storage

modules/ROOT/images/tinymceai-on-premises/database-setup-fig-1.mmd

@@ -127,6 +127,8 @@ GRANT ALL PRIVILEGES ON ai_service.* TO 'ai_service'@'%';
 [NOTE]
 --
 Some versions of the AI service image report false-positive "Not enough permissions to access database" errors even with `ALL PRIVILEGES`. If this occurs, grant the privileges globally rather than per-database, or use the MySQL `root` user for development.
+
+On Cloud SQL MySQL, grant privileges to the service user **directly** — not via a role (e.g. `cloudsqlsuperuser`). The startup grant check runs `SHOW GRANTS FOR user` and does not resolve role-inherited grants.
 --
 
 === PostgreSQL
@@ -157,7 +159,10 @@ GRANT ALL ON SCHEMA "cs-on-premises" TO ai_service;
 ----
 ====
 
-
+[WARNING]
+--
+*Managed PostgreSQL TLS issue:* Amazon RDS, Cloud SQL, and Azure Database for PostgreSQL default to requiring TLS (`rds.force_ssl=1` / `require_secure_transport=ON`). When TLS is enforced and the AI service has not been configured with `DATABASE_SSL_CA`, the connection is rejected — but the error message surfaces as a generic "permissions" error, not a TLS error. If the service fails to start with a permissions-related database error after grants have been verified, check whether TLS is the underlying cause.
+--
 
 == Database setup
 

modules/ROOT/images/tinymceai-on-premises/database-setup-fig-1.svg

@@ -95,10 +95,11 @@ This is the canonical permission list for the AI service.
 [cols=",",options="header",]
 |===
 |Permission |Grants
-|`ai:conversations:*` |All conversation operations: create, list, send message, delete
+|`ai:conversations:*` |All conversation operations: create, list, send message, delete, and web search
 |`ai:conversations:create` |Create new conversations
 |`ai:conversations:read` |List and read existing conversations
 |`ai:conversations:delete` |Delete conversations
+|`ai:conversations:webSearch` |Enable the web search toggle in conversations. Without this permission, `GET /v1/models/1` reports `capabilities.webSearch.allowed: false` even when `WEBSEARCH_ENABLED=true` and `capabilities.webSearch: true` is set on the model.
 |`ai:models:agent` |Access the built-in agent model (model ID `agent-1`)
 |`ai:models:<provider>:<model-id>` |Access a specific custom model configured through the `MODELS` env var
 |`ai:actions:system:*` |All built-in quick actions (rewrite, summarize, expand, translate, change tone, and related operations)