Fix spec self-review issues in install script design

Resolve TBD placeholder (Docker minimum versions), clarify TLS cert flow after traefik-certs init container merge, note Traefik env var substitution for dynamic config, and document Docker socket path differences between Linux and Windows. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 15:38:59 +02:00
parent 16a2ff3174
commit 0a06615ae2
1 changed files with 33 additions and 2 deletions
--- a/docs/superpowers/specs/2026-04-13-install-script-design.md
+++ b/docs/superpowers/specs/2026-04-13-install-script-design.md
@@ -14,7 +14,7 @@ The current architecture uses 7 services with 10+ bind-mounted config files. Thi
 | Image | Base | Bakes in |
 |---|---|---|
-| `cameleer-traefik` | `traefik:v3` | Static/dynamic Traefik config, cert generation entrypoint (`openssl`), self-signed cert logic |
+| `cameleer-traefik` | `traefik:v3` | Static/dynamic Traefik config (uses Traefik env var substitution for dynamic values like ports), cert generation entrypoint (`openssl`), self-signed cert logic |
 | `cameleer-postgres` | `postgres:16-alpine` | `init-databases.sh` (creates `cameleer_saas`, `logto` databases) |
 | `cameleer-clickhouse` | `clickhouse/clickhouse-server` | Init SQL (`CREATE DATABASE cameleer`), `clickhouse-users.xml`, `clickhouse-config.xml` (Prometheus metrics) |
 | `cameleer-logto` | `ghcr.io/logto-io/logto` | Custom sign-in UI, bootstrap logic (app/user/role/scope creation), vendor seed (env-var gated). Replaces the separate `logto-bootstrap` init container. |
@@ -69,7 +69,7 @@ Both implement identical logic and produce identical output. They share a config
 The installer checks (does not install) these prerequisites:
- Docker Engine (Linux) or Docker Desktop (Windows) — minimum version TBD
+- Docker Engine 24+ (Linux) or Docker Desktop 4.25+ (Windows)
 - Docker Compose v2 (`docker compose` subcommand)
 - `openssl` (Linux, for password generation) — PowerShell uses `[System.Security.Cryptography.RandomNumberGenerator]`
 - Ports 80, 443, 3002 are free (or custom ports if specified)
@@ -411,3 +411,34 @@ main()
 ```
 Each function has a direct equivalent in both bash and PowerShell. The logic, prompts, and output are identical across platforms.
 ## TLS Certificate Flow (Simplified)
 With the `traefik-certs` init container merged into `cameleer-traefik`, the certificate flow works as follows:
 **Shared `certs` Docker volume** remains the mechanism for sharing TLS state between `cameleer-traefik` and `cameleer-saas` (which mounts it read-only for per-tenant server provisioning).
 **Self-signed mode (default):**
 1. `cameleer-traefik` entrypoint checks if `/certs/cert.pem` exists in the volume
 2. If not, generates a self-signed cert for `${PUBLIC_HOST}` with wildcard SAN using `openssl`
 3. Writes `cert.pem`, `key.pem`, `meta.json` to the `certs` volume
 4. Starts Traefik normally
 **Custom cert mode:**
 1. The installer copies user-supplied cert files to `./cameleer/certs/` on the host
 2. The generated `docker-compose.yml` bind-mounts `./certs/:/user-certs:ro` on the `cameleer-traefik` service
 3. `cameleer-traefik` entrypoint detects `CERT_FILE=/user-certs/cert.pem` and `KEY_FILE=/user-certs/key.pem`
 4. Validates and copies them to the shared `certs` Docker volume
 5. Writes `meta.json` with certificate metadata
 6. Starts Traefik normally
 **Runtime cert replacement** (via vendor UI) continues to work unchanged — `cameleer-saas` writes to the `certs` volume's `staged/` directory and performs atomic swaps.
 ## Docker Socket Path
 The generated `docker-compose.yml` uses the platform-appropriate Docker socket path:
 - Linux: `/var/run/docker.sock:/var/run/docker.sock`
 - Windows (Docker Desktop): `//./pipe/docker_engine://./pipe/docker_engine`
 The installer detects the platform and generates the correct bind mount. The `docker_socket` config key allows overriding this in expert mode.