fix(compose): wire CERTCTL_BOOTSTRAP_TOKEN interpolation (cold-DB smoke fix #3)

Third latent bug surfaced by the Auditable Codebase Bundle's cold-DB
compose smoke. Server cold-boot and migration re-runs are now clean
after the prior two fixes (6d0f774 DEMO_MODE_ACK, 910097e migration
000043 idempotency); the smoke now makes it through cold boot,
force-recreate, and the second healthcheck pass — then dies at step
4 (mint day-0 admin) because:

  POST /api/v1/auth/bootstrap returns 410 Gone
  → strategy disabled (no token configured)
  → Python json.load fails with KeyError: 'key_value' on the
    error response body
  → step exits 1

Root cause: the documented manual smoke flow at
cowork/manual-testing-bundle-2.html (Part 2) injects the bootstrap
token via:

  echo "CERTCTL_BOOTSTRAP_TOKEN=$TOKEN" > /tmp/_smoke.env
  docker compose --env-file /tmp/_smoke.env up -d --force-recreate certctl-server

This only populates compose's own interpolation environment — NOT
the container's runtime environment. For the variable to reach the
container, the compose file's environment: block must explicitly
reference it. The certctl-server environment: block listed every
other CERTCTL_* var the demo path needs but missed
CERTCTL_BOOTSTRAP_TOKEN.

Fix: add an explicit interpolation line:

  CERTCTL_BOOTSTRAP_TOKEN: ${CERTCTL_BOOTSTRAP_TOKEN:-}

Default empty value = bootstrap strategy disabled (safe default;
server returns 410 on POST /api/v1/auth/bootstrap when no token is
set, which is correct steady-state behavior). The variable only
gets populated when an operator/CI explicitly sets it before
compose up — same model as CERTCTL_CONFIG_ENCRYPTION_KEY one line
above.

Verified:
  - YAML parse clean.
  - scripts/ci-guards/complete-path-config-coverage.sh green —
    CERTCTL_BOOTSTRAP_TOKEN now has a non-config consumer in deploy/.
  - Same fix unblocks both CI's cold-DB smoke AND the operator's
    manual smoke walkthrough (which had the same latent gap; the
    operator must have been setting the env var via a shell export
    or a local override compose, since the documented flow doesn't
    work against this file as-shipped).

Pattern note (THIRD complete-path gap on the demo compose in this
bundle): the demo compose is the documented entry point for new
users, and three different env-var contract surfaces had to be
wired before its documented manual smoke flow worked end-to-end
on a true cold boot. A future follow-up should add a CI guard
that asserts every documented-in-manual-testing-bundle-2.html
env var also has a corresponding interpolation line in
deploy/docker-compose.yml.

Audit-Closes: post-v2.1.0-anti-rot/item-6

deploy/docker-compose.yml

@@ -151,6 +151,20 @@ services:
       # compat. Production deploys override CERTCTL_AUTH_TYPE +
       # KEYGEN_MODE + DEMO_SEED via their own compose.
       CERTCTL_DEMO_SEED: "true"
+      # Bootstrap token interpolation surface (Auditable Codebase Bundle
+      # cold-DB smoke closure, 2026-05-12). Pre-fix, the `env-file +
+      # --force-recreate certctl-server` pattern documented in
+      # cowork/manual-testing-bundle-2.html (and used by the cold-DB
+      # smoke job in .github/workflows/ci.yml::cold-db-compose-smoke)
+      # set CERTCTL_BOOTSTRAP_TOKEN in compose's own interpolation
+      # environment but the container never received it because this
+      # block didn't reference the variable. Wiring it as an explicit
+      # interpolation (default empty) makes the documented manual flow
+      # actually work end-to-end. Empty value = bootstrap strategy
+      # disabled (server returns 410 Gone on POST /api/v1/auth/bootstrap),
+      # which is the safe default — only set the var when you intend to
+      # mint a day-0 admin via the bootstrap path.
+      CERTCTL_BOOTSTRAP_TOKEN: ${CERTCTL_BOOTSTRAP_TOKEN:-}
     ports:
       - "8443:8443"
     volumes: