fix(demo): harden deployment scripts, remove duplicate fix-and-ship.sh

demo-stack.sh:
- Add ensure_env() to create demo.env from template if missing
- Add envsubst prerequisite check
- Fix wait_healthy() to use docker inspect instead of fragile
  sed/awk parsing of docker ps output
- Fix smoke_test() to use env vars instead of hardcoded ports
- Remove fix_env() which overwrote TA_HOST with wrong value
- Add MailHog SMTP port to display_summary()
- Add service names to smoke test output

demo-test.sh:
- Fix security compliance test to expect only 1 socket mount
  (proxy only, now that Dockhand uses DOCKER_HOST)
- Add Dockhand proxy routing check
- Fix arithmetic increment operators for set -e compatibility

- Remove scripts/fix-and-ship.sh (was identical copy of demo-stack.sh)

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
reachableceo
2026-05-01 09:50:40 -05:00
parent 9f40e16b25
commit be03c95929
3 changed files with 71 additions and 267 deletions


@@ -21,10 +21,10 @@ TESTS_FAILED=0
TESTS_TOTAL=0
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[PASS]${NC} $1"; ((TESTS_PASSED++)); }
log_success() { echo -e "${GREEN}[PASS]${NC} $1"; ((TESTS_PASSED++)) || true; }
log_warning() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[FAIL]${NC} $1"; ((TESTS_FAILED++)); }
log_test() { echo -e "${BLUE}[TEST]${NC} $1"; ((TESTS_TOTAL++)); }
log_error() { echo -e "${RED}[FAIL]${NC} $1"; ((TESTS_FAILED++)) || true; }
log_test() { echo -e "${BLUE}[TEST]${NC} $1"; ((TESTS_TOTAL++)) || true; }
test_file_ownership() {
log_test "File ownership (no root-owned files)"
@@ -83,7 +83,7 @@ test_service_health() {
log_success "$name running"
else
log_error "$name not running: $line"
((unhealthy++))
((unhealthy++)) || true
fi
done < <(docker ps --filter "name=${COMPOSE_PROJECT_NAME:-kneldevstack}" --format "{{.Names}} {{.Status}}" 2>/dev/null)
if [[ $unhealthy -eq 0 ]]; then
@@ -120,7 +120,7 @@ test_port_accessibility() {
log_success "$svc (:$port)"
else
log_error "$svc (:$port) not accessible"
((failed++))
((failed++)) || true
fi
done
if [[ $failed -eq 0 ]]; then
@@ -168,14 +168,20 @@ test_security_compliance() {
log_error "Docker socket proxy not found"
fi
# Count direct socket mounts - proxy + dockhand are expected
# Count direct socket mounts - only proxy should have one
local socket_mounts
socket_mounts=$(grep -c "/var/run/docker.sock" "$COMPOSE_FILE" || echo "0")
local expected_mounts=2 # proxy (ro) + dockhand (rw for management)
if [[ "$socket_mounts" -le "$expected_mounts" ]]; then
log_success "Socket mounts within expected range ($socket_mounts)"
socket_mounts=$(grep -c '/var/run/docker.sock' "$COMPOSE_FILE" || echo "0")
if [[ "$socket_mounts" -le 1 ]]; then
log_success "Socket mount on proxy only ($socket_mounts)"
else
log_warning "Unexpected socket mounts: $socket_mounts (expected <= $expected_mounts)"
log_error "Unexpected socket mounts: $socket_mounts (expected 1, proxy only)"
fi
# Dockhand uses proxy, not direct socket
if grep -q 'DOCKER_HOST=tcp://docker-socket-proxy' "$COMPOSE_FILE"; then
log_success "Dockhand routes through socket proxy"
else
log_error "Dockhand not using socket proxy"
fi
}
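Review bot: The socket-mount check in test_security_compliance counts lines containing `/var/run/docker.sock` anywhere in `$COMPOSE_FILE`, so "Socket mount on proxy only" is logged without establishing which service holds the mount or whether it is read-only; a single read-write mount on some other service, or a commented-out line, gives the same count. The `DOCKER_HOST=tcp://docker-socket-proxy` grep has the same limitation, since it matches that string on any service or in a comment rather than on Dockhand specifically; checking both per service against the rendered output of `docker compose config` would tie the assertions to the services they name. Separately, `grep -c` already prints `0` and exits non-zero when nothing matches, so `|| echo "0"` most likely yields a two-line value that the `-le` comparison cannot evaluate; `socket_mounts=$(grep -c '/var/run/docker.sock' "$COMPOSE_FILE" || true)` avoids that. The function begins outside this hunk, so the earlier proxy-presence check is only partly visible here.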