This directory contains local Docker Compose stacks for exercising Proofline Server backend combinations before release work.
These stacks are for local smoke testing only. They use fixed local test credentials, publish the main and private-admin listeners on loopback by default, and do not make Proofline production-ready public infrastructure.
The smoke script starts the server with a local bootstrap secret, creates a
temporary admin account over the private-admin loopback listener, and runs the
simulator against the main API/viewer listener with that account. The default
bootstrap secret and password are placeholders for local throwaway smoke volumes
only. The script waits for token-neutral /admin/static/styles.css on the
private-admin loopback port before bootstrapping the test account through
POST /admin/bootstrap. The relay smoke variant starts a core server and
cmd/stream-ingress, waits for relay liveness/readiness, and checks relay
route-surface exclusions instead of running simulator relay uploads.
The full stack loads the server's primary settings from
compose/smoke/proofline-full.toml and mounts fake local secret files under
/run/proofline-secrets for the bootstrap secret, PostgreSQL DSN, S3
credentials, and Valkey password. The committed files in
compose/smoke/secrets/*.example are example-only placeholders so
docker compose config works before the smoke runner executes. The runner
creates an ignored runtime secrets directory from the current
PROOFLINE_SMOKE_* environment variables before starting the stack.
| Variant | File | Metadata | Blob storage | Coordination |
|---|---|---|---|---|
full |
compose-full.yml |
PostgreSQL | MinIO S3-compatible bucket | Valkey |
sqlite-local |
compose-sqlite-local.yml |
SQLite | Local filesystem | none |
postgresql-local |
compose-postgresql-local.yml |
PostgreSQL | Local filesystem | none |
sqlite-s3 |
compose-sqlite-s3.yml |
SQLite | MinIO S3-compatible bucket | none |
relay-sqlite-local |
compose-relay-sqlite-local.yml |
SQLite | Local filesystem | none |
Run the default full-stack smoke test from the repository root:
compose/smoke-test.shRun a specific variant:
compose/smoke-test.sh sqlite-local
compose/smoke-test.sh postgresql-local
compose/smoke-test.sh sqlite-s3
compose/smoke-test.sh relay-sqlite-localThe relay variant builds the main server image from Dockerfile, builds the
relay image from Dockerfile.ingress, binds the relay to
127.0.0.1:${PROOFLINE_RELAY_PORT:-18090}, and checks that /admin,
/admin/api/..., /v1/..., viewer, and /metrics routes are not mounted on
the relay. It is a packaging/readiness smoke path only; simulator relay upload
mode is a separate explicit simulator feature documented in
simulator.md.
Pass additional simulator arguments after --:
compose/smoke-test.sh full -- --chunks 5 --simulate-failure-every 2The script uses PROOFLINE_MAIN_PORT and PROOFLINE_ADMIN_PORT when set,
defaulting to 18080 and 18081. PROOFLINE_PRIVATE_PORT and
PROOFLINE_PUBLIC_PORT remain accepted by the script as legacy aliases for
those local host ports. The relay smoke variant also accepts
PROOFLINE_RELAY_PORT, defaulting to 18090.
PROOFLINE_MAIN_PORT=28080 PROOFLINE_ADMIN_PORT=28081 compose/smoke-test.sh fullThe local smoke auth values can also be overridden:
PROOFLINE_SMOKE_BOOTSTRAP_SECRET='replace-with-local-compose-bootstrap-secret' \
PROOFLINE_SMOKE_USERNAME=admin \
PROOFLINE_SMOKE_PASSWORD='replace-with-a-long-local-password' \
compose/smoke-test.sh sqlite-localFor the full variant, the runner also writes matching runtime secret files
for PROOFLINE_SMOKE_BOOTSTRAP_SECRET,
PROOFLINE_SMOKE_POSTGRES_DSN, PROOFLINE_SMOKE_S3_ACCESS_KEY_ID,
PROOFLINE_SMOKE_S3_SECRET_ACCESS_KEY, and
PROOFLINE_SMOKE_VALKEY_PASSWORD. By default those files are written under
the ignored compose/.smoke-secrets/ directory; set
PROOFLINE_SMOKE_SECRETS_DIR to use another disposable directory. Do not point
these values at production services or real credentials.
Set KEEP_COMPOSE=1 to leave containers and volumes running after the smoke
test for manual inspection.
Validate the full stack Compose model without starting containers:
docker compose -f compose/compose-full.yml config
docker compose -f compose/compose-relay-sqlite-local.yml configThe default Go test suite does not require MinIO or any object-store service. To verify incident deletion against a real S3-compatible object-store path, run the opt-in HTTP API smoke test with a disposable local MinIO bucket.
One local setup shape is:
docker network create proofline-s3-smoke
docker run --rm -d \
--name proofline-s3-smoke-minio \
--network proofline-s3-smoke \
-p 127.0.0.1:19000:9000 \
-e MINIO_ROOT_USER=proofline \
-e MINIO_ROOT_PASSWORD=proofline-minio-password \
quay.io/minio/minio:latest server /data
docker run --rm \
--entrypoint /bin/sh \
--network proofline-s3-smoke \
-e MINIO_ROOT_USER=proofline \
-e MINIO_ROOT_PASSWORD=proofline-minio-password \
-e MINIO_BUCKET=proofline-evidence \
quay.io/minio/mc:latest -c '
until mc alias set proofline http://proofline-s3-smoke-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"; do
sleep 1
done
mc mb --ignore-existing "proofline/$MINIO_BUCKET"
'Then run the opt-in test from the repository root:
SAFE_S3_DELETION_SMOKE=1 \
SAFE_S3_ENDPOINT=http://127.0.0.1:19000 \
SAFE_S3_REGION=us-east-1 \
SAFE_S3_BUCKET=proofline-evidence \
SAFE_S3_PREFIX=smoke/httpapi-deletion \
SAFE_S3_ACCESS_KEY_ID=proofline \
SAFE_S3_SECRET_ACCESS_KEY=proofline-minio-password \
SAFE_S3_FORCE_PATH_STYLE=true \
go test ./internal/httpapi -run TestS3DeletionSmokeRemovesObjectsAndHidesViewer -count=1Clean up the disposable local service afterwards:
docker rm -f proofline-s3-smoke-minio
docker network rm proofline-s3-smokeThe smoke test uploads encrypted test chunks through the main API handler, checks the objects through server-controlled stored paths, requests private incident deletion, runs one deletion-worker pass, confirms the objects are gone or already absent from the object store, and verifies public viewer routes keep returning the generic fail-closed token error. Do not use production credentials, non-disposable buckets, private endpoints, raw tokens, uploaded bytes, plaintext, raw keys, object keys, stored paths, or private deployment details in public issue comments, logs, screenshots, or support material from this smoke run.