From 0ccecf6ae5d6c0b412a946e337343b5ec41500fb Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Sat, 28 Mar 2026 19:57:19 +0000
Subject: [PATCH] fix: restore tea CLI and add sops checksum verification (#30)

---
 docker/agents/Dockerfile | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile
index 927b076..947af02 100644
--- a/docker/agents/Dockerfile
+++ b/docker/agents/Dockerfile
@@ -4,9 +4,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     bash curl git jq tmux cron python3 python3-pip openssh-client ca-certificates age \
     && pip3 install --break-system-packages networkx \
     && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
-       -o /usr/local/bin/sops && chmod +x /usr/local/bin/sops \
+       -o /usr/local/bin/sops \
+    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.checksums.txt \
+       -o /tmp/sops-checksums.txt \
+    && sha256sum -c --ignore-missing /tmp/sops-checksums.txt \
+    && rm -f /tmp/sops-checksums.txt \
+    && chmod +x /usr/local/bin/sops \
     && rm -rf /var/lib/apt/lists/*
 
+# tea CLI — official Gitea/Forgejo CLI for issue/label/comment operations
+# Checksum from https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64.sha256
+RUN curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o /usr/local/bin/tea \
+    && echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  /usr/local/bin/tea" | sha256sum -c - \
+    && chmod +x /usr/local/bin/tea
+
 # Claude CLI is mounted from the host via docker-compose volume.
 # No internet access to cli.anthropic.com required at build time.