Skip to content

v1.3.35.2 -- Demo seed: production-density data

A patch on top of v1.3.35 that expands the argos demo seed output from "minimal scaffold" to "looks like a real deployment that's been running for two weeks." Per-surface row counts grow ~3-10x, two new surfaces (notification rules + deliveries + backups + login attempts + country expansion job history) are added, and a new read-only argos demo stats subcommand prints per-surface counts so you can verify the density before opening the screenshot capture window.

argosVersion and frontend/package.json bumped from 1.3.35 to 1.3.35.2. The image must be rebuilt (make build-prod-image) for the new CLI surface to land.

Why

The v1.3.35 demo seed was deliberately minimal — enough rows to prove every panel surface had a non-zero state, but not enough to make the screenshots look like a real production deployment. Operators reviewing the captured screenshots noted the AppSec metrics page rendered a flat sparkline, the notifications deliveries tab had no rows at all, the country bans Settings section showed cidr counts that looked like rounding errors, and the activity log barely filled half a viewport.

v1.3.35.2 closes that gap. Every surface is seeded with a count that matches what an argos deployment running for ~14 days would naturally accumulate.

Per-surface count deltas (v1.3.35 → v1.3.35.2)

Surface v1.3.35 v1.3.35.2 Notes
Hosts 8 14 Mix of TLS modes, true_detect_mode (3 hosts), auth_required, lan_only
Country bans 5 8 BR, CN, KR, RU, IR, NG, VN, TR. RU has state='drifted' for the reconciler banner.
Country expansion job history 0 10 8 completed (matching the active countries) + 2 failed (panel restart + LAPI 503 mid-chunk)
Whitelist 4 8 Office network range + monitoring + VPN + CI runners + bastion
Activity log 15 100 14-day spread, 4-user attribution (admin, operator1, operator2, monitor), realistic event mix (host edits, country bans, drift, cert renewals, target health)
Settings 6 keys 6 keys (changed values) AppSec inbound 12 (was 22), outbound 5; drift_detected:true on BOTH scenarios + appsec_tuning so the drift banner + per-tab amber dot both render
Disabled scenarios 2 5 http-cve, aws-bf, ssh-slow-bf, http-bf-wordpress_bf, http-probing
Notification channels 3 5 Telegram ops-alerts (HTML default), Telegram dev-warnings (custom HTML template with <i> italic), Webhook slack-bridge, Webhook pagerduty (with auth header), Email weekly-digest
Notification rules 0 6 bans → ops-alerts, critical → pagerduty + ops-alerts, drift → ops-alerts, login-fail → dev-warnings, weekly digest → email
Notification deliveries 0 250 30-day spread; status mix sent (~75%) + failed + rate_limited + throttled
Backups 0 7 Daily scheduled (last 7 days) + 1 manual ("pre-v1.3.35 deploy snapshot"); realistic incrementing sizes
Login attempts 0 40 30 success (4-user pool) + 10 failures (admin/root/operator1/guest from suspicious IPs)
LAPI banned IPs (via cscli) 10 100 30 CAPI samples + 25 cscli scenarios (http-bf, http-probing, ssh-bf, http-cve-probing, http-sensitive-files) + 15 AppSec WAF (sql_injection, xss, lfi, rce, anomaly) + 30 generic baseline. Parallelized in batches of 10 to stay under ~30s total seed time.

What ships

Backend

  • backend/cmd/argos/cli_demo.go rewritten as modular per- surface seed functions: seedHosts, seedWhitelist, seedCountryBans, seedActivityLog, seedSettings, seedNotificationChannels, seedNotificationRules (new), seedNotificationDeliveries (new), seedBackups (new), seedLoginAttempts (new). Each one is independently idempotent. seedDemoDB orchestrates them with optional --verbose per-surface counter output.
  • backend/cmd/argos/cli_demo_stats.go (new). Read-only argos demo stats subcommand prints a count summary per surface (demo-marked count + table total) so you can verify the seed produced the expected density before screenshots, or confirm the clear path cleaned what it should. Also surfaces the demo-relevant settings keys (truncated for legibility). Uses gateDemoStats (env + path safety, no --yes because it's read-only).
  • argos demo seed-self-block + argos demo clear-self-block. New subcommands that toggle a demo.self_block settings row — purely operator-facing state, not a real ban — so the SelfBlockBanner v2 can be captured on demand without faking a CrowdSec ban on the operator's own IP.
  • Idempotency improvements:
  • notification_deliveries now scoped via event_payload LIKE '%"demo":true%' (the rule_id JOIN raced with seedNotificationRules' DELETE since rule_id cascades to NULL on the deliveries side).
  • login_attempts DELETE IN-clause now covers both the success-username pool and the failure-username pool ('admin','operator1','operator2','monitor','root','guest').
  • Deterministic randomness: the seed uses a rand.New with a fixed seed (0xa1605) so successive seed runs produce the same payload — predictable counts make the count-assertion smoke phase reliable.

Smoke

scripts/smoke/demo-environment.sh --yes — phase 3 extended with:

  • 3a (count assertions): invokes argos demo stats and asserts each surface's demo count meets the spec minimum (hosts ≥ 12, country_ban_expansions ≥ 6, security_whitelist ≥ 6, log_entries ≥ 80, notification_channels ≥ 4, notification_rules ≥ 5, notification_deliveries ≥ 200, backups ≥ 5, login_attempts ≥ 30).
  • 3b (self-block round-trip): invokes argos demo seed-self-block --yes then argos demo clear-self-block --yes to confirm the subcommands run cleanly.

The non-interference invariant (phases 0/4/7) is unchanged. Self-executed against the live host pre-tag for v1.3.35.2; PASS.

Init script

scripts/demo/init.sh — the LAPI seed loop is rewritten to populate 100 banned IPs across realistic scenario distribution in 4 parallelized batches (CAPI samples, cscli scenarios, AppSec WAF blocks, generic). Runs ~10-15 seconds total (parallelized via & + wait in groups of 10) vs. the ~30+ seconds the linear-loop version of v1.3.35 took for just 10 IPs.

Mid-impl gotchas (caught + fixed pre-tag)

  • Schema drift on country_expansion_jobs: my first seed pass referenced updated_at which the table doesn't have (the real columns are started_at + completed_at per migration 032). Fixed; test schema mirror updated.
  • Sanitization re-paradox: my CLAUDE.md update for the v1.3.34.3 audit accidentally inlined the operator's email in the "Author cmos486" rule, which scripts/check-no-personal-data.sh correctly flagged. Fix: reference the email lives in feedback_commit_format.md (memory file, outside the scanned tree) without inlining.

Documentation

docs/operations/demo-environment.md updated with:

  • New argos demo stats subcommand reference.
  • The four new self-block subcommands documented under "Self- block surface".
  • Updated count table reflecting v1.3.35.2 production-density numbers.

docs/screenshots/README.md notes the v1.3.35.2 density delta in the "Capture environment" preamble; the per-screenshot inventory tables are otherwise unchanged (the surfaces themselves haven't moved, just the row counts behind them).

Files changed

  • backend/cmd/argos/cli_demo.go (rewritten as modular)
  • backend/cmd/argos/cli_demo_stats.go (new)
  • backend/cmd/argos/cli_demo_test.go (extended for new surfaces)
  • backend/cmd/argos/main.go (argosVersion 1.3.35.2; demo dispatch already in place from v1.3.35)
  • frontend/package.json (version 1.3.35.2)
  • scripts/demo/init.sh (100-IP LAPI seed loop)
  • scripts/demo/docker-compose.override.yml (image pin argos-prod-argos:1.3.35.2)
  • scripts/smoke/demo-environment.sh (phase 3a + 3b additions)
  • docs/operations/demo-environment.md
  • docs/screenshots/README.md
  • docs/release-notes/v1.3.35.2.md (this file)
  • CHANGELOG.md, mkdocs.yml

Smoke gate

scripts/smoke/demo-environment.sh --yes — PASS end-to-end:

phase 0: capturing argos-prod baseline...        PASS
phase 1: running scripts/demo/init.sh...         PASS
phase 2: demo health checks...                   PASS
phase 3: asserting 10 surfaces populated...      PASS
  3a: argos demo stats count assertions          9/9 PASS
  3b: self-block round-trip                      PASS
phase 4: prod stack non-interference (mid)...    PASS
phase 5: running scripts/demo/teardown.sh...     PASS
phase 6: demo cleanup checks...                  PASS
phase 7: prod stack non-interference (final)...  PASS

scripts/check-no-personal-data.sh clean. mkdocs build --strict clean. go test ./... green (10 demo CLI tests + 4 new tests for drift state, drift appsec, delivery status mix, schema coverage).

Upgrade

cd ~/argos-edge
git pull
make sync-prod && make build-prod-image
# Or chained: make deploy-prod (also bumps prod to v1.3.35.2 by
# rewriting the override image: pin; if you'd rather keep prod
# pinned to the previous tag, edit ~/argos-prod/docker-compose.
# override.yml back manually after build-prod-image runs).

scripts/demo/init.sh
# panel ready at http://localhost:9181  login: demo / demo1234

# Confirm the production density landed:
docker exec -e ARGOS_DEMO_SEED=1 argos-demo-panel /argos demo stats

When the screenshot session is done:

scripts/demo/teardown.sh --purge

What this enables

After v1.3.35.2 + the operator's screenshot capture session, the docs portal will render with embedded captures showing panel UIs that look like real deployments — populated activity logs, full notification deliveries lists, country bans with realistic CIDR counts, drift indicators visible on both scenario and AppSec surfaces, etc. No more "demo screenshot" visual cues that signal "this is fake data."