# =============================================================================
# certctl DEMO overlay — Bundle 2 (2026-05-12)
# =============================================================================
#
# Layered on top of the production-shaped base (docker-compose.yml) to give
# operators a one-command, zero-config demo path:
#
#   docker compose -f deploy/docker-compose.yml \
#                  -f deploy/docker-compose.demo.yml up -d --build
#
# What this overlay does:
#
#   1. Flips CERTCTL_AUTH_TYPE=none + CERTCTL_DEMO_MODE_ACK=true. Every
#      request is served as the synthetic admin actor `actor-demo-anon`;
#      the server emits a prominent ⚠ DEMO MODE WARN banner at boot with
#      a production-promotion checklist (cmd/server/main.go::emitDemoBanner).
#
#   2. Flips CERTCTL_KEYGEN_MODE=server (the demo issues + holds the key on
#      the server to keep the dashboard populated; production deploys must
#      use the default `agent` mode where keys never leave the agent box).
#
#   3. Flips CERTCTL_DEMO_SEED=true. The server applies migrations/seed_demo.sql
#      at boot via postgres.RunDemoSeed AFTER baseline migrations + seed.sql,
#      pre-seeding 180 days of simulated history across 13 issuers + 8 agents.
#
#   4. Supplies fixed demo credentials so the demo runs without a
#      deploy/.env file: the change-me-... placeholders for
#      CERTCTL_AUTH_SECRET, CERTCTL_CONFIG_ENCRYPTION_KEY and CERTCTL_API_KEY,
#      plus POSTGRES_PASSWORD=certctl and CERTCTL_AGENT_ID=agent-demo-1.
#      The Bundle 2 fail-closed Validate() rejects the change-me placeholders
#      outside demo mode, so this only works alongside DEMO_MODE_ACK=true.
#
# NOTE(review): this overlay changes only environment values. The server's
# bind address and any published ports come from docker-compose.yml and are
# not narrowed here; with CERTCTL_AUTH_TYPE=none, whatever the base file
# publishes is an unauthenticated admin endpoint. Confirm the base binds to
# loopback, or run the demo only on a host that is not reachable from
# untrusted networks.
#
# U-3 history: pre-U-3 this overlay mounted seed_demo.sql into postgres
# `/docker-entrypoint-initdb.d/`. That worked only because the production
# stack also mounted the migrations there. Once U-3 dropped the production
# initdb mounts (single source of truth: server runs RunMigrations + RunSeed
# at boot), the demo seed could no longer be applied at initdb time — the
# tables it references wouldn't exist yet. Post-U-3 the overlay just sets
# CERTCTL_DEMO_SEED=true; the server applies seed_demo.sql at boot via
# postgres.RunDemoSeed AFTER baseline migrations + seed.sql.
#
# Bundle 2 history: pre-Bundle-2 the base compose IS this demo path; this
# overlay was a single-flag thin shim. Bundle 2 split the demo env vars
# out of the base so `docker compose -f deploy/docker-compose.yml up`
# (no overlay) boots production-shaped — which is what every operator
# reading the README quickstart line "drop the demo overlay for a clean
# install" expected. The overlay carries the full demo posture now.
#
# To start fresh (wipe previous data):
#   docker compose -f deploy/docker-compose.yml \
#                  -f deploy/docker-compose.demo.yml down -v
#   docker compose -f deploy/docker-compose.yml \
#                  -f deploy/docker-compose.demo.yml up -d --build

services:
  postgres:
    # Fixed weak password is intentional for the no-setup demo path.
    # See docker-compose.yml for the production override pattern.
    # NOTE(review): the server side of this credential (DSN or
    # POSTGRES_PASSWORD pass-through) is wired in docker-compose.yml, not
    # here — verify the base file derives it from the same value so the
    # override applies to both ends.
    environment:
      POSTGRES_PASSWORD: certctl

  certctl-server:
    environment:
      # Demo-mode auth: every request served as the synthetic
      # `actor-demo-anon` admin. The server's HIGH-12 startup guard
      # requires DEMO_MODE_ACK=true to allow this combination on a
      # non-loopback bind; the boot-time WARN banner (cmd/server/main.go)
      # reminds the operator on every start.
      CERTCTL_AUTH_TYPE: none
      # Quoted so YAML keeps it a string rather than a boolean.
      CERTCTL_DEMO_MODE_ACK: "true"
      # Server-side keygen so the demo can populate the dashboard with
      # full lifecycle history. Production deploys leave this at the
      # code default `agent` (CertctlAgent generates ECDSA P-256 keys
      # locally and submits CSRs only).
      CERTCTL_KEYGEN_MODE: server
      # Demo creds — the Bundle 2 fail-closed Validate() rejects these
      # sentinels outside demo mode, but DEMO_MODE_ACK=true unlocks them.
      # The encryption-key value is exactly 32 characters, as its name
      # suggests — presumably a length Validate() enforces; confirm before
      # changing it.
      CERTCTL_CONFIG_ENCRYPTION_KEY: change-me-32-char-encryption-key
      CERTCTL_AUTH_SECRET: change-me-in-production
      # 180-day simulated history seed applied at boot (quoted string).
      CERTCTL_DEMO_SEED: "true"

  certctl-agent:
    environment:
      # Pre-seeded by migrations/seed_demo.sql; the bundled agent
      # connects with these creds and the demo-mode synthetic admin
      # accepts every request regardless of API key. The API key is the
      # same sentinel the server carries in CERTCTL_AUTH_SECRET above.
      CERTCTL_API_KEY: change-me-in-production
      CERTCTL_AGENT_ID: agent-demo-1