fix(deploy): wire CERTCTL_DEMO_MODE_ACK_TS into the demo overlay path

Phase 2 SEC-H3 (commit 69a2b5c) added a fail-closed requirement: when
CERTCTL_DEMO_MODE_ACK=true, the server refuses to start unless
CERTCTL_DEMO_MODE_ACK_TS=<unix-epoch> is set and within the last 24h.
The demo overlay (docker-compose.demo.yml) sets DEMO_MODE_ACK=true
but didn't supply the paired TS, so:

  Failed to load configuration: phase-2 SEC-H3 fail-closed guard
  (missing TS): CERTCTL_DEMO_MODE_ACK=true requires
  CERTCTL_DEMO_MODE_ACK_TS=<unix-epoch> set within the last 24h —
  refuse to start.

This bricks the cold-DB compose smoke job, the README quickstart
(`docker compose -f .yml -f demo.yml up`), and every operator using
the demo overlay locally — symptom: certctl-server container restart
loop with the SEC-H3 message above.

Fix is three-piece:

1. deploy/docker-compose.demo.yml passes the TS through from the
   shell env via `CERTCTL_DEMO_MODE_ACK_TS: "${CERTCTL_DEMO_MODE_ACK_TS:-}"`.
   The overlay can't hardcode the value (it would rot the next day)
   and SEC-H3 is designed to refresh on every up.

2. deploy/demo-up.sh — new helper that mints
   `CERTCTL_DEMO_MODE_ACK_TS=$(date +%s)` and forwards args to
   `docker compose up`. The SEC-H3 error message points operators
   at it. Replaces the bare `docker compose -f ... up` invocation
   in the overlay's docstring + README quickstart references.

3. .github/workflows/ci.yml cold-db-compose-smoke job exports a fresh
   TS before the initial up-d AND re-emits it into /tmp/_smoke.env so
   the force-recreate at step 4 inherits the value (--env-file replaces
   the shell-env source for compose-file interpolation, so omitting the
   re-emission would re-trip the guard).

Other CI compose surfaces verified clean:
- docker-compose.test.yml uses auth=api-key (not demo-mode); not
  affected.
- security-deep-scan.yml uses the base compose without the demo
  overlay; not affected.

Verified locally: YAML parses, bash syntax check passes on demo-up.sh,
overlay's docstring + the SEC-H3 error message now agree on the helper
script's existence.

.github/workflows/ci.yml

@@ -346,6 +346,16 @@ jobs:
           # demo-mode or api-key, so the overlay is acceptable here.
           COMPOSE_FILES=(-f docker-compose.yml -f docker-compose.demo.yml)
 
+          # Phase 2 SEC-H3 (2026-05-13): the demo overlay sets
+          # CERTCTL_DEMO_MODE_ACK=true; the SEC-H3 fail-closed guard
+          # requires a paired CERTCTL_DEMO_MODE_ACK_TS within the last
+          # 24h (a static YAML value would rot). The overlay reads
+          # ${CERTCTL_DEMO_MODE_ACK_TS:-} from the shell, so we mint a
+          # fresh timestamp here and export it for every compose
+          # invocation in this job (initial up-d AND the force-recreate
+          # at step 4).
+          export CERTCTL_DEMO_MODE_ACK_TS="$(date +%s)"
+
           log "1/4 down -v --remove-orphans"
           docker compose "${COMPOSE_FILES[@]}" down -v --remove-orphans 2>&1 | tail -3 || true
 
@@ -359,7 +369,15 @@ jobs:
 
           log "4/4 minting day-0 admin (proves migration ladder + bootstrap path)"
           TOKEN="$(openssl rand -base64 32 | tr -d '\n')"
-          echo "CERTCTL_BOOTSTRAP_TOKEN=$TOKEN" > /tmp/_smoke.env
+          {
+            echo "CERTCTL_BOOTSTRAP_TOKEN=$TOKEN"
+            # Re-emit the demo-mode ACK TS into the --env-file so the
+            # force-recreate at step 4 inherits it. `--env-file` REPLACES
+            # the shell-env source for variable interpolation on compose
+            # operations that use it, so omitting this line would re-trip
+            # the SEC-H3 guard.
+            echo "CERTCTL_DEMO_MODE_ACK_TS=$CERTCTL_DEMO_MODE_ACK_TS"
+          } > /tmp/_smoke.env
           docker compose "${COMPOSE_FILES[@]}" --env-file /tmp/_smoke.env up -d --force-recreate certctl-server 2>&1 | tail -2
           sleep 5
           wait_for_service_healthy certctl-server