Use a fixed bootstrap password for the simplerisk-minimal stack #140

Merged: jsokol merged 3 commits into master from FIX-stack-bootstrap-password on Jun 7, 2026

@jsokol jsokol commented Jun 7, 2026

Description

update_stack_and_workflows.sh regenerated simplerisk-minimal/stack.yml with a fresh random password on every run, written to both DB_SETUP_PASS and MYSQL_ROOT_PASSWORD. That value is the bundled MySQL bootstrap/root password used only for first-run schema setup — mysql is not exposed outside the stack network, and SimpleRisk already generates its own random application DB password (SIMPLERISK_DB_PASSWORD) at first run. Randomizing a value that is then committed to this public repo is not a secret; it also made stack.yml non-deterministic, so code-development's new bump_downstream_versions.yml force-pushed docker on every run.

This ships a fixed, documented default (simplerisk_setup): the committed file becomes deterministic (a version bump changes only the image tag), the trial one-click still works zero-input under both docker compose up and Swarm docker stack deploy, and the README now distinguishes the bootstrap vs application passwords.

No image or entrypoint change — the simplerisk-minimal image (used by the EKS deployment) is untouched. EKS supplies DB_SETUP_PASS via its own Kubernetes Secret and does not read stack.yml, so nothing in its path changes.

Design: code-development docs/superpowers/specs/2026-06-07-docker-stack-bootstrap-password-design.md.

Testing

  • Generator determinism: running update_stack_and_workflows.sh <version> twice produces byte-identical output; a version-only change moves just the image tag (verified locally).
  • Stack boot (docker compose -f simplerisk-minimal/stack.yml up -d): first-run setup completed with the bootstrap password ("Setup has been applied successfully!") and the log showed an auto-generated SIMPLERISK_DB_PASSWORD ("a random password has been generated (...)"), confirming the committed bootstrap value only gates setup and the application credential is random per deployment.
  • container-validation.yml CI on this PR.

🤖 Generated with Claude Code

@jsokol jsokol merged commit f43b13f into master Jun 7, 2026
5 checks passed
@jsokol jsokol deleted the FIX-stack-bootstrap-password branch June 7, 2026 20:16
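
A repository check for the two properties the description above relies on, as an added example that is not code from this PR or from the SimpleRisk project: the committed stack file carries only the documented bootstrap default (and never the application credential), and two generator outputs differ only in image tags. The stack layout, image names and the function names are constructed assumptions.

```python
import re

BOOTSTRAP_DEFAULT = "simplerisk_setup"   # fixed default named in the PR description
BOOTSTRAP_KEYS = ("DB_SETUP_PASS", "MYSQL_ROOT_PASSWORD")
APP_KEY = "SIMPLERISK_DB_PASSWORD"       # generated per deployment at first run

# Constructed sample: the real stack.yml layout and image names are assumptions.
SAMPLE_STACK = """\
services:
  simplerisk:
    image: example/simplerisk-minimal:VERSION-A
    environment:
      - DB_SETUP_PASS=simplerisk_setup
  mysql:
    image: example/mysql:TAG
    environment:
      - MYSQL_ROOT_PASSWORD=simplerisk_setup
"""

# Matches "- KEY=value" (list form) and "KEY: value" (mapping form).
ENV_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?([A-Z][A-Z0-9_]*)[ \t]*[=:][ \t]*[\"']?([^\"'\s#]*)", re.M)
IMAGE_RE = re.compile(r"^([ \t]*image:[ \t]*\S+?):\S+[ \t]*$", re.M)


def env_values(text):
    """Collect every value assigned to each upper-case environment key."""
    found = {}
    for key, value in ENV_RE.findall(text):
        found.setdefault(key, set()).add(value)
    return found


def audit(text):
    """Return findings; an empty list means the file matches the PR's intent."""
    env, findings = env_values(text), []
    for key in BOOTSTRAP_KEYS:
        if env.get(key) != {BOOTSTRAP_DEFAULT}:
            # The value itself is never echoed into the finding.
            findings.append(f"{key} is not the documented bootstrap default")
    if APP_KEY in env:
        findings.append(f"{APP_KEY} is committed; it must be generated at first run")
    return findings


def only_image_tag_differs(old, new):
    """True when two generator outputs are identical once image tags are masked."""
    mask = lambda t: IMAGE_RE.sub(r"\1:<tag>", t)
    return mask(old) == mask(new)
```

Run `audit()` on the committed file and `only_image_tag_differs()` on the outputs of two generator runs; a per-run random password fails both.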