From 6d0f7747df5e25fcc8d5db3a70d39ad61c174418 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Tue, 12 May 2026 14:58:16 +0000
Subject: [PATCH] fix(compose): set CERTCTL_DEMO_MODE_ACK=true in demo compose (cold-DB smoke fix)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The cold-db-compose-smoke job (Auditable Codebase Bundle item 6) fired on first run and surfaced a real bug: certctl-server fail-fasts at startup with:

    Failed to load configuration: CERTCTL_AUTH_TYPE=none with non-loopback CERTCTL_SERVER_HOST="0.0.0.0" requires CERTCTL_DEMO_MODE_ACK=true to acknowledge that every request will be served as the synthetic admin actor `actor-demo-anon`.

Root cause: the 2026-05-10 HIGH-12 closure (Fix 11) added the fail-fast guard in internal/config/config.go::Validate() but did NOT update deploy/docker-compose.yml to provide the explicit ACK. The clean default compose IS the bundled demo path (CERTCTL_AUTH_TYPE=none + KEYGEN_MODE=server + DEMO_SEED=true per the inline comments on lines 137-143), so the ACK is correct here by design.

Latent in master since the HIGH-12 fix landed. Nobody hit it because warm containers + warm DBs masked the boot-time validation. The cold-DB compose smoke caught it on the first true cold-boot run, exactly the bug class it was built for.

Fix:
- Add CERTCTL_DEMO_MODE_ACK: "true" to the certctl-server env block in deploy/docker-compose.yml.
- Add a head-comment explaining why the ACK is correct in this compose (it IS the demo path) and that production deploys override AUTH_TYPE + KEYGEN_MODE + DEMO_SEED + DEMO_MODE_ACK via their own compose.

Verified:
- YAML parse clean.
- scripts/ci-guards/complete-path-config-coverage.sh green (194 env vars; new CERTCTL_DEMO_MODE_ACK reference in deploy/ counts as a consumer).

Audit-Closes: post-v2.1.0-anti-rot/item-6
Audit-Closes: audit-2026-05-10/HIGH-12-followon
---
 deploy/docker-compose.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml index 61771cc..e3dc433 100644 --- a/deploy/docker-compose.yml +++ b/deploy/docker-compose.yml @@ -130,6 +130,15 @@ services: CERTCTL_SERVER_TLS_KEY_PATH: /etc/certctl/tls/server.key CERTCTL_LOG_LEVEL: info CERTCTL_AUTH_TYPE: none + # Audit 2026-05-10 HIGH-12 closure: when AUTH_TYPE=none AND the + # server binds to a non-loopback address (SERVER_HOST=0.0.0.0 + # above), every request is served as the synthetic actor + # `actor-demo-anon`. The server fail-fasts at startup unless + # DEMO_MODE_ACK=true acknowledges that posture. This compose IS + # the bundled demo path (see DEMO_SEED comment below), so the + # ACK is correct here. Production deploys override AUTH_TYPE + + # KEYGEN_MODE + DEMO_SEED + DEMO_MODE_ACK via their own compose. + CERTCTL_DEMO_MODE_ACK: "true" CERTCTL_KEYGEN_MODE: server # Demo uses server-side keygen; production should use "agent" CERTCTL_NETWORK_SCAN_ENABLED: "true" # Enable network scan GUI with seeded demo targets CERTCTL_CONFIG_ENCRYPTION_KEY: ${CERTCTL_CONFIG_ENCRYPTION_KEY:-change-me-32-char-encryption-key} # AES-256-GCM for dynamic issuer/target config
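Review bot: hard-coding `CERTCTL_DEMO_MODE_ACK: "true"` in the default compose means the HIGH-12 fail-fast never fires for anyone who starts a deployment from this file, which is the exact posture the guard was added to make explicit; the same env block already ships `CERTCTL_SERVER_HOST=0.0.0.0`, `CERTCTL_AUTH_TYPE: none` and a `CERTCTL_CONFIG_ENCRYPTION_KEY` fallback of `change-me-32-char-encryption-key`, so a copy-and-edit of this compose that only changes hostnames or ports now boots as an unauthenticated admin without any error. Two suggestions: follow the pattern already used for the encryption key and make the value overridable from the environment, e.g. `CERTCTL_DEMO_MODE_ACK: ${CERTCTL_DEMO_MODE_ACK:-true}`, so an operator can unset it without forking the file and the guard regains its fail-closed behaviour; and have the cold-DB compose smoke also run a negative case that boots with the ACK absent and asserts the `Failed to load configuration` exit, so a future edit that removes the ACK requirement is caught. The head-comment should also say plainly that the encryption-key default in this block is demo-only, since it is in the same section a production operator will be told to override.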