fix(demo): route Dockhand through socket proxy, add resource limits

- Route Dockhand Docker access through docker-socket-proxy via
  DOCKER_HOST=tcp://docker-socket-proxy:2375 instead of direct
  socket mount, enforcing the security model documented in AGENTS.md
- Add POST, DELETE, ALLOW_START, ALLOW_STOP, ALLOW_RESTARTS
  permissions to socket proxy for Dockhand container management
- Add deploy.resources.limits.memory to all 16 services
  (128M-1024M depending on service needs)
- Add MailHog SMTP port 4019 mapping (1025 internal) so applications
  can actually send test emails to MailHog
- Remove stale config/portainer/ directory

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

demo/demo.env.template

@@ -24,6 +24,7 @@ ARCHIVEBOX_PORT=4013
 TUBE_ARCHIVIST_PORT=4014
 WAKAPI_PORT=4015
 MAILHOG_PORT=4017
+MAILHOG_SMTP_PORT=4019
 ATUIN_PORT=4018
 
 # Network Configuration

demo/docker-compose.yml.template

@@ -66,6 +66,15 @@ services:
       - SECRETS=${DOCKER_SOCKET_PROXY_SECRETS}
       - CONFIGS=${DOCKER_SOCKET_PROXY_CONFIGS}
       - PLUGINS=${DOCKER_SOCKET_PROXY_PLUGINS}
+      - POST=1
+      - DELETE=1
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+    deploy:
+      resources:
+        limits:
+          memory: 128M
     labels:
       homepage.group: "Infrastructure"
       homepage.name: "Docker Socket Proxy"
@@ -93,6 +102,10 @@ services:
       homepage.icon: "homepage"
       homepage.href: "http://localhost:${HOMEPAGE_PORT}"
       homepage.description: "Central dashboard for service discovery"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost:3000"]
@@ -123,6 +136,10 @@ services:
       homepage.icon: "pihole"
       homepage.href: "http://localhost:${PIHOLE_PORT}"
       homepage.description: "DNS management with ad blocking"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost/admin"]
@@ -141,16 +158,23 @@ services:
       - "${DOCKHAND_PORT}:3000"
     volumes:
       - ${COMPOSE_PROJECT_NAME}_dockhand_data:/app/data
-      - /var/run/docker.sock:/var/run/docker.sock
     environment:
+      - DOCKER_HOST=tcp://docker-socket-proxy:2375
       - PUID=${DEMO_UID}
       - PGID=${DEMO_GID}
+    depends_on:
+      docker-socket-proxy:
+        condition: service_started
     labels:
       homepage.group: "Infrastructure"
       homepage.name: "Dockhand"
       homepage.icon: "dockhand"
       homepage.href: "http://localhost:${DOCKHAND_PORT}"
       homepage.description: "Modern Docker management UI"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "curl", "-f", "--silent",
              "http://localhost:3000"]
@@ -184,6 +208,10 @@ services:
       homepage.icon: "influxdb"
       homepage.href: "http://localhost:${INFLUXDB_PORT}"
       homepage.description: "Time series database for metrics"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost:8086/ping"]
@@ -216,6 +244,10 @@ services:
       homepage.icon: "grafana"
       homepage.href: "http://localhost:${GRAFANA_PORT}"
       homepage.description: "Analytics and visualization platform"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost:3000/api/health"]
@@ -243,6 +275,10 @@ services:
       homepage.icon: "drawio"
       homepage.href: "http://localhost:${DRAWIO_PORT}"
       homepage.description: "Web-based diagramming application"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "curl", "-f", "--silent",
              "http://localhost:8080"]
@@ -271,6 +307,10 @@ services:
       homepage.icon: "kroki"
       homepage.href: "http://localhost:${KROKI_PORT}"
       homepage.description: "Diagrams as a service"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "curl", "-f", "--silent",
              "http://localhost:8000/health"]
@@ -299,6 +339,14 @@ services:
       homepage.icon: "atomic-tracker"
       homepage.href: "http://localhost:${ATOMIC_TRACKER_PORT}"
       homepage.description: "Habit tracking and personal dashboard"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost:8080"]
@@ -333,6 +381,10 @@ services:
       homepage.icon: "archivebox"
       homepage.href: "http://localhost:${ARCHIVEBOX_PORT}"
       homepage.description: "Web archiving solution"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
     healthcheck:
       test: ["CMD", "curl", "-fsS",
              "http://localhost:8000/health/"]
@@ -350,6 +402,10 @@ services:
       - ${COMPOSE_NETWORK_NAME}
     volumes:
       - ${COMPOSE_PROJECT_NAME}_ta_redis_data:/data
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
       interval: ${HEALTH_CHECK_INTERVAL}
@@ -376,6 +432,10 @@ services:
       memlock:
         soft: -1
         hard: -1
+    deploy:
+      resources:
+        limits:
+          memory: 1024M
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
       interval: ${HEALTH_CHECK_INTERVAL}
@@ -415,6 +475,10 @@ services:
       homepage.icon: "tube-archivist"
       homepage.href: "http://localhost:${TUBE_ARCHIVIST_PORT}"
       homepage.description: "YouTube video archiving"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
     healthcheck:
       test: ["CMD", "curl", "-f", "--silent",
              "http://localhost:8000/api/health/"]
@@ -444,6 +508,10 @@ services:
       homepage.icon: "wakapi"
       homepage.href: "http://localhost:${WAKAPI_PORT}"
       homepage.description: "Open-source WakaTime alternative"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "/app/healthcheck"]
       interval: ${HEALTH_CHECK_INTERVAL}
@@ -459,6 +527,7 @@ services:
       - ${COMPOSE_NETWORK_NAME}
     ports:
       - "${MAILHOG_PORT}:8025"
+      - "${MAILHOG_SMTP_PORT}:1025"
     volumes:
       - ${COMPOSE_PROJECT_NAME}_mailhog_data:/maildir
     environment:
@@ -470,6 +539,10 @@ services:
       homepage.icon: "mailhog"
       homepage.href: "http://localhost:${MAILHOG_PORT}"
       homepage.description: "Web and API based SMTP testing"
+    deploy:
+      resources:
+        limits:
+          memory: 128M
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
              "http://localhost:8025"]
@@ -503,6 +576,10 @@ services:
       homepage.icon: "atuin"
       homepage.href: "http://localhost:${ATUIN_PORT}"
       homepage.description: "Magical shell history synchronization"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
     healthcheck:
       test: ["CMD", "bash", "-c", "echo > /dev/tcp/localhost/8888"]
       interval: ${HEALTH_CHECK_INTERVAL}