fix(demo): harden deployment scripts, remove duplicate fix-and-ship.sh

demo-stack.sh:
- Add ensure_env() to create demo.env from template if missing
- Add envsubst prerequisite check
- Fix wait_healthy() to use docker inspect instead of fragile
  sed/awk parsing of docker ps output
- Fix smoke_test() to use env vars instead of hardcoded ports
- Remove fix_env() which overwrote TA_HOST with wrong value
- Add MailHog SMTP port to display_summary()
- Add service names to smoke test output

demo-test.sh:
- Fix security compliance test to expect only 1 socket mount
  (proxy only, now that Dockhand uses DOCKER_HOST)
- Add Dockhand proxy routing check
- Fix arithmetic increment operators for set -e compatibility

- Remove scripts/fix-and-ship.sh (was identical copy of demo-stack.sh)

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

demo/scripts/demo-stack.sh

@@ -3,6 +3,7 @@ set -euo pipefail
 
 DEMO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 ENV_FILE="$DEMO_DIR/demo.env"
+ENV_TEMPLATE="$DEMO_DIR/demo.env.template"
 TEMPLATE_FILE="$DEMO_DIR/docker-compose.yml.template"
 COMPOSE_FILE="$DEMO_DIR/docker-compose.yml"
 
@@ -17,17 +18,16 @@ log_success() { echo -e "${GREEN}[OK]${NC} $1"; }
 log_warn()    { echo -e "${YELLOW}[WARN]${NC} $1"; }
 log_error()   { echo -e "${RED}[ERROR]${NC} $1"; }
 
-fix_env() {
-    log_info "Ensuring demo.env is complete..."
-    grep -q '^TA_USERNAME=' "$ENV_FILE" || echo "TA_USERNAME=demo" >> "$ENV_FILE"
-    grep -q '^TA_PASSWORD=' "$ENV_FILE" || echo "TA_PASSWORD=demo_password" >> "$ENV_FILE"
-    grep -q '^ELASTIC_PASSWORD=' "$ENV_FILE" || echo "ELASTIC_PASSWORD=demo_password" >> "$ENV_FILE"
-    grep -q '^ES_JAVA_OPTS=' "$ENV_FILE" || echo 'ES_JAVA_OPTS="-Xms512m -Xmx512m"' >> "$ENV_FILE"
-    grep -q '^ARCHIVEBOX_ADMIN_USER=' "$ENV_FILE" || echo "ARCHIVEBOX_ADMIN_USER=admin" >> "$ENV_FILE"
-    grep -q '^ARCHIVEBOX_ADMIN_PASSWORD=' "$ENV_FILE" || echo "ARCHIVEBOX_ADMIN_PASSWORD=demo_password" >> "$ENV_FILE"
-    sed -i 's/^ATUIN_HOST=.*/ATUIN_HOST=0.0.0.0/' "$ENV_FILE"
-    sed -i 's|^TA_HOST=.*|TA_HOST=http://localhost:4014|' "$ENV_FILE"
-    log_success "demo.env ready"
+ensure_env() {
+    if [[ ! -f "$ENV_FILE" ]]; then
+        if [[ -f "$ENV_TEMPLATE" ]]; then
+            log_info "Creating demo.env from template..."
+            cp "$ENV_TEMPLATE" "$ENV_FILE"
+        else
+            log_error "No demo.env or demo.env.template found"
+            exit 1
+        fi
+    fi
 }
 
 detect_user() {
@@ -48,6 +48,10 @@ check_prerequisites() {
         log_error "Docker is not running"
         exit 1
     fi
+    if ! command -v envsubst >/dev/null 2>&1; then
+        log_error "envsubst not found (install gettext package)"
+        exit 1
+    fi
     local max_map_count
     max_map_count=$(sysctl -n vm.max_map_count 2>/dev/null || echo "0")
     if [[ "$max_map_count" -lt 262144 ]]; then
@@ -79,26 +83,25 @@ wait_healthy() {
     log_info "Waiting for services to become healthy (max 5 min)..."
     local elapsed=0 interval=15
     while [[ $elapsed -lt 300 ]]; do
-        local all_ok=true
-        while IFS= read -r line; do
-            local name health
-            name=$(echo "$line" | awk '{print $1}')
-            health=$(echo "$line" | awk '{print $2}')
-            [[ "$name" == "NAMES" || -z "$name" ]] && continue
-            if [[ "$health" != "healthy" && -n "$health" ]]; then
-                all_ok=false
+        local unhealthy=0
+        while IFS= read -r name; do
+            local health
+            health=$(docker inspect --format='{{.State.Health.Status}}' "$name" 2>/dev/null || echo "unknown")
+            if [[ "$health" != "healthy" ]]; then
+                unhealthy=$((unhealthy + 1))
             fi
-        done < <(docker ps --filter "name=${COMPOSE_PROJECT_NAME:-kneldevstack}" --format "{{.Names}} {{.Status}}" 2>/dev/null | sed 's/(healthy)/healthy/g; s/(unhealthy)/unhealthy/g; s/(health: starting)/starting/g')
-        if $all_ok; then
+        done < <(docker ps --filter "name=${COMPOSE_PROJECT_NAME:-kneldevstack}" --format '{{.Names}}' 2>/dev/null)
+
+        if [[ $unhealthy -eq 0 ]]; then
             log_success "All services healthy"
             return 0
         fi
-        log_info "  Still waiting... (${elapsed}s elapsed)"
+        log_info "  $unhealthy services not yet healthy (${elapsed}s elapsed)"
         sleep $interval
         elapsed=$((elapsed + interval))
     done
     log_warn "Timeout - some services may not be fully healthy"
-    docker ps --filter "name=${COMPOSE_PROJECT_NAME:-kneldevstack}" --format "table {{.Names}}\t{{.Status}}"
+    cd "$DEMO_DIR" && docker compose ps
 }
 
 display_summary() {
@@ -126,10 +129,11 @@ display_summary() {
     echo "    ArchiveBox          http://localhost:${ARCHIVEBOX_PORT}"
     echo "    Tube Archivist      http://localhost:${TUBE_ARCHIVIST_PORT}"
     echo "    Wakapi              http://localhost:${WAKAPI_PORT}"
-    echo "    MailHog             http://localhost:${MAILHOG_PORT}"
+    echo "    MailHog (Web)       http://localhost:${MAILHOG_PORT}"
+    echo "    MailHog (SMTP)      localhost:${MAILHOG_SMTP_PORT}"
     echo "    Atuin               http://localhost:${ATUIN_PORT}"
     echo ""
-    echo "  Credentials: ${DEMO_ADMIN_USER:-admin} / ${DEMO_ADMIN_PASSWORD:-demo_password}"
+    echo "  Credentials: admin / demo_password"
     echo "  FOR DEMONSTRATION PURPOSES ONLY"
     echo "========================================================"
 }
@@ -137,15 +141,31 @@ display_summary() {
 smoke_test() {
     log_info "Running smoke tests..."
     set -a; source "$ENV_FILE"; set +a
-    local ports=(4000 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4017 4018)
+    local ports=(
+        "${HOMEPAGE_PORT}:Homepage"
+        "${PIHOLE_PORT}:Pi-hole"
+        "${DOCKHAND_PORT}:Dockhand"
+        "${INFLUXDB_PORT}:InfluxDB"
+        "${GRAFANA_PORT}:Grafana"
+        "${DRAWIO_PORT}:Draw.io"
+        "${KROKI_PORT}:Kroki"
+        "${ATOMIC_TRACKER_PORT}:AtomicTracker"
+        "${ARCHIVEBOX_PORT}:ArchiveBox"
+        "${TUBE_ARCHIVIST_PORT}:TubeArchivist"
+        "${WAKAPI_PORT}:Wakapi"
+        "${MAILHOG_PORT}:MailHog"
+        "${ATUIN_PORT}:Atuin"
+    )
     local pass=0 fail=0
-    for port in "${ports[@]}"; do
+    for pt in "${ports[@]}"; do
+        local port="${pt%:*}"
+        local svc="${pt#*:}"
         if timeout 5 bash -c "echo > /dev/tcp/localhost/$port" 2>/dev/null; then
-            log_success "Port $port accessible"
-            ((pass++))
+            log_success "$svc (:$port)"
+            ((pass++)) || true
         else
-            log_error "Port $port NOT accessible"
-            ((fail++))
+            log_error "$svc (:$port) NOT accessible"
+            ((fail++)) || true
         fi
     done
     echo ""
@@ -179,9 +199,10 @@ show_usage() {
     echo "  help     Show this help"
 }
 
+ensure_env
+
 case "${1:-deploy}" in
     deploy)
-        fix_env
         detect_user
         check_prerequisites
         generate_compose
@@ -196,8 +217,8 @@ case "${1:-deploy}" in
     restart)
         stop_stack
         sleep 5
-        fix_env
         detect_user
+        check_prerequisites
         generate_compose
         deploy_stack
         wait_healthy