From 74ea138f0df3400e619757b95eb2a478faa8516c Mon Sep 17 00:00:00 2001 From: Mary Dickson Date: Fri, 5 Jun 2026 13:37:12 -0700 Subject: [PATCH] fix(docs): add PQC key generation to quickstart docker-compose MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a generate-pqc-keys service that sparse-checkouts the platform's keygen utility and generates hybrid post-quantum key files (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024) that opentdf-example.yaml requires since opentdf/platform#3276. Supersedes the stopgap pin in #337 — quickstart tracks nightly/main again. Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/getting-started/docker-compose.yaml | 49 ++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/docker-compose.yaml b/docs/getting-started/docker-compose.yaml index 2a927f8c..fde0e988 100644 --- a/docs/getting-started/docker-compose.yaml +++ b/docs/getting-started/docker-compose.yaml @@ -187,7 +187,7 @@ services: # Provision Keycloak with initial configuration platform-provision-keycloak: - image: registry.opentdf.io/platform:nightly-a29f108 + image: registry.opentdf.io/platform:nightly command: ["provision", "keycloak", "-e", "https://keycloak.opentdf.local:9443/auth", "-f", "/configs/keycloak_data.yaml"] depends_on: keycloak: @@ -200,6 +200,8 @@ services: condition: service_completed_successfully generate-keys: condition: service_completed_successfully + generate-pqc-keys: + condition: service_completed_successfully volumes: - configs:/configs:ro - keys:/keys:ro @@ -227,7 +229,7 @@ services: # Add sample attributes and metadata platform-provision-fixtures: - image: registry.opentdf.io/platform:nightly-a29f108 + image: registry.opentdf.io/platform:nightly command: ["provision", "fixtures", "--config-file", "/configs/opentdf.yaml"] working_dir: /configs depends_on: 
@@ -239,6 +241,8 @@ services: condition: service_completed_successfully generate-keys: condition: service_completed_successfully + generate-pqc-keys: + condition: service_completed_successfully volumes: - configs:/configs:ro - keys:/keys:ro @@ -274,7 +278,7 @@ services: # Main OpenTDF Platform server platform: - image: registry.opentdf.io/platform:nightly-a29f108 + image: registry.opentdf.io/platform:nightly command: ["start", "--config-file", "/configs/opentdf.yaml"] depends_on: platform-provision-fixtures: @@ -285,6 +289,8 @@ services: condition: service_healthy generate-keys: condition: service_completed_successfully + generate-pqc-keys: + condition: service_completed_successfully prepare-ca-certs: condition: service_completed_successfully ports: @@ -320,6 +326,8 @@ services: depends_on: generate-keys: condition: service_completed_successfully + generate-pqc-keys: + condition: service_completed_successfully command: - sh - -c @@ -336,7 +344,7 @@ services: depends_on: init-volumes: condition: service_completed_successfully - command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/a29f1087/opentdf-example.yaml'] + command: ['wget', '-O', '/configs/opentdf.yaml', 'https://raw.githubusercontent.com/opentdf/platform/service/v0.16.0/opentdf-example.yaml'] restart: "no" # Patch platform configuration to use keycloak.opentdf.local:9443 
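Review bot: The wget hunk at -336 pins the platform config to `service/v0.16.0` while the image hunks at -187, -227 and -274 move every platform image to the floating `nightly` tag, so the quickstart runs whichever nightly build is current against a fixed v0.16.0 `opentdf-example.yaml`; the commit message says quickstart tracks nightly/main again, but the config no longer does. If main changes the config schema or the key files the server expects (the PQC requirement from opentdf/platform#3276 is exactly such a change), nightly images and the pinned config diverge with no error at the compose level. Either fetch the config from the same ref the images are built from, or pin the images to the release that matches `service/v0.16.0`, and state which side is the source of truth in a comment above the wget service, e.g. `# Config, keygen source and platform images must track the same platform ref`. The service containing the wget command starts outside the hunk.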
@@ -520,6 +528,39 @@ services: JAVA_OPTS_APPEND: "${JAVA_OPTS_APPEND:-}" restart: "no" + # Generate hybrid post-quantum KAS keys (X-Wing, P256+ML-KEM-768, P384+ML-KEM-1024). + # Uses a Go image to build and run the keygen from the platform source. + generate-pqc-keys: + image: golang:1.25-alpine + volumes: + - keys:/keys + depends_on: + generate-keys: + condition: service_completed_successfully + entrypoint: /bin/sh + command: + - -c + - | + set -e + apk add --no-cache git + WORKDIR=$$(mktemp -d) + cd "$$WORKDIR" + git init -q + git remote add origin https://github.com/opentdf/platform.git + git config core.sparseCheckout true + echo "lib/" >> .git/info/sparse-checkout + echo "service/cmd/keygen/" >> .git/info/sparse-checkout + echo "service/go.mod" >> .git/info/sparse-checkout + echo "service/go.sum" >> .git/info/sparse-checkout + echo "protocol/" >> .git/info/sparse-checkout + echo "sdk/" >> .git/info/sparse-checkout + git pull --depth 1 -q origin service/v0.16.0 + cd service + GOWORK=off go run ./cmd/keygen -output /keys + echo "PQC keys generated successfully" + rm -rf "$$WORKDIR" + restart: "no" + volumes: keys: name: opentdf_keys
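Review bot: `git pull --depth 1 -q origin service/v0.16.0` in the new generate-pqc-keys service fetches by ref name, and a tag can be moved after the fact, so the code that runs as root and writes into the shared `keys` volume is whatever that ref resolves to at `docker compose up` time; this replaces the commit-pinned `a29f1087` the old quickstart used. Pinning the checkout to a commit keeps the run reproducible, e.g. `git fetch --depth 1 -q origin <PLACEHOLDER_COMMIT_SHA>` followed by `git checkout -q FETCH_HEAD`, with a comment naming the release that commit belongs to. Separately, keygen runs unconditionally: a stopped `restart: "no"` container is started again on the next `docker compose up`, so if keygen overwrites existing files (not visible here) every restart rotates the KAS keys and TDFs wrapped with the previous keys stop being decryptable; a guard before the apk install such as `[ -e /keys/<PLACEHOLDER_PQC_KEY_FILE> ] && exit 0`, mirroring whatever generate-keys does, avoids that. The `service/go.sum` entry in the sparse checkout is what lets `go run` verify the modules it downloads, which deserves a one-line comment so a later cleanup does not drop it.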