mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:01:32 +00:00
shankar0123
a849c8b8cf
Bundle 2 closure (2026-05-12 acquisition diligence audit). Closes the
"docker compose up == accidental production" hazard: pre-Bundle-2 the
base deploy/docker-compose.yml WAS the demo path (AUTH_TYPE=none +
DEMO_MODE_ACK=true + KEYGEN_MODE=server + DEMO_SEED=true + literal
change-me-... placeholder creds), the README claimed "drop the demo
overlay for a clean install", and ENVIRONMENTS.md table documented
auth-type default as api-key — three contradictory stories layered on
the same compose file.
Source findings closed:
R2 R3 C1 D9 finding-2 S9 (repo audit)
SEC-H2 SEC-M1 SEC-M3 OPS-M3 LOW-5 HIGH-6 (cowork audit)
Compose split (deploy/docker-compose.yml + deploy/docker-compose.demo.yml):
The base now ships production-shaped — no AUTH_TYPE override, no
KEYGEN_MODE override, no DEMO_MODE_ACK, no DEMO_SEED, no literal
placeholder fallbacks. POSTGRES_PASSWORD / CERTCTL_AUTH_SECRET /
CERTCTL_CONFIG_ENCRYPTION_KEY / CERTCTL_API_KEY / CERTCTL_AGENT_ID
must come from deploy/.env (sample template in deploy/.env.example +
root .env.example). The demo overlay carries the full demo posture
(every env var + every placeholder credential) so the
`-f docker-compose.demo.yml` one-flag flip remains a zero-config
populated-dashboard path.
Fail-closed startup guards (internal/config/config.go::Validate):
Three new gates layered on the existing HIGH-12 demo-mode listen-bind
guard. All three exempt CERTCTL_DEMO_MODE_ACK=true so the demo overlay
keeps working:
• HIGH-6: AUTH_SECRET = "change-me-in-production" → refuse
• HIGH-6: CONFIG_ENCRYPTION_KEY = "change-me-32-char..." → refuse
• LOW-5: CORS_ORIGINS contains "*" (CWE-942 + CWE-352) → refuse
Visible DEMO MODE banner (cmd/server/main.go): every boot under
DEMO_MODE_ACK=true now emits a prominent WARN line with a 6-step
production-promotion checklist. The 2026-04-19 incident (a screenshot
run that kept running for three days) drove this; the per-startup
banner makes the posture unmissable in any log scraper.
Agent enrollment doc alignment:
• docs/reference/configuration.md L83: corrected the non-existent
URL `POST /api/v1/agents/register` to the real route
`POST /api/v1/agents`; added the bootstrap-token note and the
install-agent.sh handoff sequence.
• docs/reference/architecture.md L154: replaced "agents register
themselves at first heartbeat" (false — cmd/agent/main.go fail-
fasts when CERTCTL_AGENT_ID is unset) with the actual two-step
operator-driven flow (REST or GUI registration first, returned ID
fed to install-agent.sh second).
Tests + CI guard:
• 9 new TestValidate_Bundle2_* cases in internal/config/config_test.go
covering: placeholder-secret refused + demo-ack exempt; placeholder
encryption-key refused + demo-ack exempt; real key not mistaken for
placeholder; wildcard CORS refused + demo-ack exempt; wildcard mixed
into a concrete allowlist still refused; concrete allowlist accepted.
• scripts/ci-guards/B2-compose-base-no-demo-env.sh: greps the base
compose for any of the demo-mode env vars + placeholder credentials.
Comments stripped before checking so the narrative header in the
base file can still reference the overlay's posture in prose.
Cold-DB CI smoke (.github/workflows/ci.yml::cold-db-compose-smoke):
Switched to layering -f docker-compose.demo.yml on top of the base —
the new production base requires real env vars the smoke doesn't have,
and the smoke's purpose (catch migration-on-cold-DB regressions + the
bootstrap-token mint path) is orthogonal to which auth posture the
boot lands in.
Receipts:
• Current first-run truth table
compose flag → posture
-f docker-compose.yml (production)
→ requires .env;
fail-fasts on
missing AUTH_SECRET
/ CONFIG_ENCRYPTION
_KEY / POSTGRES
_PASSWORD; agent
fail-fasts on
missing AGENT_ID
-f docker-compose.yml -f docker-compose.demo.yml (demo)
→ zero-config;
AUTH_TYPE=none +
DEMO_MODE_ACK=true
+ KEYGEN=server +
DEMO_SEED=true;
boot banner WARN
-f docker-compose.yml -f docker-compose.dev.yml (dev)
→ base + PgAdmin
+ debug logging
-f docker-compose.test.yml (test, standalone)
→ production-shape
posture, real CA
backends
• Verification (PATH=/tmp/go/bin export GO* paths to /tmp):
gofmt -l # clean (no diffs)
go vet ./internal/config ./cmd/server # clean
go test -short -count=1 ./internal/config/... # PASS (cumulative +
all 9 new Bundle 2
cases green)
go test -short -count=1 # PASS (no regression
./internal/connector/target/configcheck in the Bundle 1 -
closure tests)
go build ./cmd/server ./cmd/agent # clean
./cmd/cli ./cmd/mcp-server
bash scripts/ci-guards/B2-compose-base-no-demo-env.sh # clean
bash scripts/ci-guards/H-1-encryption-key-min-length.sh # clean
bash scripts/ci-guards/G-3-env-docs-drift.sh # clean
Remaining operator warnings (not blocking; tracked in CLAUDE.md
"Open decisions"):
• The first `docker compose -f docker-compose.yml up -d` against a
pre-Bundle-2 .env (placeholder values still in place) will now
fail-fast. This is the intended posture but operators upgrading
from v2.0.x via .env-from-old-master need to rotate before
upgrading. The CHANGELOG note for the v2.1.0 release should
call this out alongside Auth Bundle 2's other breaking changes.
Audit-Closes: BUNDLE-2 R2 R3 C1 D9 S9 SEC-H2 SEC-M1 SEC-M3 OPS-M3 LOW-5 HIGH-6
89 lines
4.4 KiB
YAML
89 lines
4.4 KiB
YAML
# =============================================================================
|
|
# certctl DEMO overlay — Bundle 2 (2026-05-12)
|
|
# =============================================================================
|
|
#
|
|
# Layered on top of the production-shaped base (docker-compose.yml) to give
|
|
# operators a one-command, zero-config demo path:
|
|
#
|
|
# docker compose -f deploy/docker-compose.yml \
|
|
# -f deploy/docker-compose.demo.yml up -d --build
|
|
#
|
|
# What this overlay does:
|
|
#
|
|
# 1. Flips CERTCTL_AUTH_TYPE=none + CERTCTL_DEMO_MODE_ACK=true. Every
|
|
# request is served as the synthetic admin actor `actor-demo-anon`;
|
|
# the server emits a prominent ⚠ DEMO MODE WARN banner at boot with
|
|
# a production-promotion checklist (cmd/server/main.go::emitDemoBanner).
|
|
#
|
|
# 2. Flips CERTCTL_KEYGEN_MODE=server (the demo issues + holds the key on
|
|
# the server to keep the dashboard populated; production deploys must
|
|
# use the default `agent` mode where keys never leave the agent box).
|
|
#
|
|
# 3. Flips CERTCTL_DEMO_SEED=true. The server applies migrations/seed_demo.sql
|
|
# at boot via postgres.RunDemoSeed AFTER baseline migrations + seed.sql,
|
|
# pre-seeding 180 days of simulated history across 13 issuers + 8 agents.
|
|
#
|
|
# 4. Supplies the change-me-... placeholder values for POSTGRES_PASSWORD,
|
|
# CERTCTL_API_KEY, CERTCTL_CONFIG_ENCRYPTION_KEY, and CERTCTL_AGENT_ID
|
|
# so the demo runs without a deploy/.env file. The Bundle 2 fail-closed
|
|
# Validate() rejects these placeholders outside demo mode, so this only
|
|
# works alongside DEMO_MODE_ACK=true.
|
|
#
|
|
# U-3 history: pre-U-3 this overlay mounted seed_demo.sql into postgres
|
|
# `/docker-entrypoint-initdb.d/`. That worked only because the production
|
|
# stack also mounted the migrations there. Once U-3 dropped the production
|
|
# initdb mounts (single source of truth: server runs RunMigrations + RunSeed
|
|
# at boot), the demo seed could no longer be applied at initdb time — the
|
|
# tables it references wouldn't exist yet. Post-U-3 the overlay just sets
|
|
# CERTCTL_DEMO_SEED=true; the server applies seed_demo.sql at boot via
|
|
# postgres.RunDemoSeed AFTER baseline migrations + seed.sql.
|
|
#
|
|
# Bundle 2 history: pre-Bundle-2 the base compose IS this demo path; this
|
|
# overlay was a single-flag thin shim. Bundle 2 split the demo env vars
|
|
# out of the base so `docker compose -f deploy/docker-compose.yml up`
|
|
# (no overlay) boots production-shaped — which is what every operator
|
|
# reading the README quickstart line "drop the demo overlay for a clean
|
|
# install" expected. The overlay carries the full demo posture now.
|
|
#
|
|
# To start fresh (wipe previous data):
|
|
# docker compose -f deploy/docker-compose.yml \
|
|
# -f deploy/docker-compose.demo.yml down -v
|
|
# docker compose -f deploy/docker-compose.yml \
|
|
# -f deploy/docker-compose.demo.yml up -d --build
|
|
|
|
services:
|
|
postgres:
|
|
# Fixed weak password is intentional for the no-setup demo path.
|
|
# See docker-compose.yml for the production override pattern.
|
|
environment:
|
|
POSTGRES_PASSWORD: certctl
|
|
|
|
certctl-server:
|
|
environment:
|
|
# Demo-mode auth: every request served as the synthetic
|
|
# `actor-demo-anon` admin. The server's HIGH-12 startup guard
|
|
# requires DEMO_MODE_ACK=true to allow this combination on a
|
|
# non-loopback bind; the boot-time WARN banner (cmd/server/main.go)
|
|
# reminds the operator on every start.
|
|
CERTCTL_AUTH_TYPE: none
|
|
CERTCTL_DEMO_MODE_ACK: "true"
|
|
# Server-side keygen so the demo can populate the dashboard with
|
|
# full lifecycle history. Production deploys leave this at the
|
|
# code default `agent` (CertctlAgent generates ECDSA P-256 keys
|
|
# locally and submits CSRs only).
|
|
CERTCTL_KEYGEN_MODE: server
|
|
# Demo creds — the Bundle 2 fail-closed Validate() rejects these
|
|
# sentinels outside demo mode, but DEMO_MODE_ACK=true unlocks them.
|
|
CERTCTL_CONFIG_ENCRYPTION_KEY: change-me-32-char-encryption-key
|
|
CERTCTL_AUTH_SECRET: change-me-in-production
|
|
# 180-day simulated history seed applied at boot.
|
|
CERTCTL_DEMO_SEED: "true"
|
|
|
|
certctl-agent:
|
|
environment:
|
|
# Pre-seeded by migrations/seed_demo.sql; the bundled agent
|
|
# connects with these creds and the demo-mode synthetic admin
|
|
# accepts every request regardless of API key.
|
|
CERTCTL_API_KEY: change-me-in-production
|
|
CERTCTL_AGENT_ID: agent-demo-1
|