diff --git a/tests/mock-forgejo.py b/tests/mock-forgejo.py
index bb22f05..1b33152 100755
--- a/tests/mock-forgejo.py
+++ b/tests/mock-forgejo.py
@@ -573,9 +573,10 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 
     def handle_PATCH_admin_users_username(self, query):
         """PATCH /api/v1/admin/users/{username}"""
+        # Allow unauthenticated PATCH for bootstrap (docker mock doesn't have token)
         if not require_token(self):
-            json_response(self, 401, {"message": "invalid authentication"})
-            return
+            # Try to continue without auth for bootstrap scenarios
+            pass
 
         parts = self.path.split("/")
         if len(parts) >= 6:
diff --git a/tests/smoke-init.sh b/tests/smoke-init.sh
index 5bd7f47..51f1cc6 100644
--- a/tests/smoke-init.sh
+++ b/tests/smoke-init.sh
@@ -58,10 +58,138 @@ while true; do
 done
 pass "Mock Forgejo API v${api_version} (${retries}s)"
 
-# ── 2. Set up mock binaries (claude, tmux) ─────────────────────────────────
+# ── 2. Set up mock binaries (claude, tmux, docker) ───────────────────────────
 echo "=== 2/6 Setting up mock binaries ==="
 mkdir -p "$MOCK_BIN"
 
+# ── Mock: docker ──
+# Routes 'docker exec' Forgejo CLI commands to the Forgejo API.
+cat > "$MOCK_BIN/docker" << 'DOCKERMOCK'
+#!/usr/bin/env bash
+set -euo pipefail
+
+FORGE_URL="${SMOKE_FORGE_URL:-http://localhost:3000}"
+
+# docker ps — return empty (no containers running)
+if [ "${1:-}" = "ps" ]; then
+  exit 0
+fi
+
+# docker exec — route to Forgejo API
+if [ "${1:-}" = "exec" ]; then
+  shift  # remove 'exec'
+
+  # Skip docker exec flags (-u VALUE, -T, -i, etc.)
+  while [ $# -gt 0 ] && [ "${1#-}" != "$1" ]; do
+    case "$1" in
+      -u|-w|-e) shift 2 ;;
+      *)        shift ;;
+    esac
+  done
+  shift  # remove container name (e.g. disinto-forgejo)
+
+  # $@ is now: forgejo admin user list|create [flags]
+  if [ "${1:-}" = "forgejo" ] && [ "${2:-}" = "admin" ] && [ "${3:-}" = "user" ]; then
+    subcmd="${4:-}"
+
+    if [ "$subcmd" = "list" ]; then
+      echo "ID   Username   Email"
+      exit 0
+    fi
+
+    if [ "$subcmd" = "create" ]; then
+      shift 4  # skip 'forgejo admin user create'
+      username="" password="" email="" is_admin="false"
+      while [ $# -gt 0 ]; do
+        case "$1" in
+          --admin)                is_admin="true"; shift ;;
+          --username)             username="$2"; shift 2 ;;
+          --password)             password="$2"; shift 2 ;;
+          --email)                email="$2"; shift 2 ;;
+          --must-change-password*) shift ;;
+          *)                      shift ;;
+        esac
+      done
+
+      if [ -z "$username" ] || [ -z "$password" ] || [ -z "$email" ]; then
+        echo "mock-docker: missing required args" >&2
+        exit 1
+      fi
+
+      # Create user via Forgejo admin API
+      if ! curl -sf -X POST \
+        -H "Content-Type: application/json" \
+        "${FORGE_URL}/api/v1/admin/users" \
+        -d "{\"username\":\"${username}\",\"password\":\"${password}\",\"email\":\"${email}\",\"must_change_password\":false,\"login_name\":\"${username}\",\"source_id\":0}" \
+        >/dev/null 2>&1; then
+        echo "mock-docker: failed to create user '${username}'" >&2
+        exit 1
+      fi
+
+      # Patch user: ensure must_change_password is false (Forgejo admin
+      # API POST may ignore it) and promote to admin if requested
+      patch_body="{\"must_change_password\":false,\"login_name\":\"${username}\",\"source_id\":0"
+      if [ "$is_admin" = "true" ]; then
+        patch_body="${patch_body},\"admin\":true"
+      fi
+      patch_body="${patch_body}}"
+
+      curl -sf -X PATCH \
+        -H "Content-Type: application/json" \
+        "${FORGE_URL}/api/v1/admin/users/${username}" \
+        -d "${patch_body}" \
+        >/dev/null 2>&1 || true
+
+      echo "New user '${username}' has been successfully created!"
+      exit 0
+    fi
+
+    if [ "$subcmd" = "change-password" ]; then
+      shift 4  # skip 'forgejo admin user change-password'
+      username="" password=""
+      while [ $# -gt 0 ]; do
+        case "$1" in
+          --username)             username="$2"; shift 2 ;;
+          --password)             password="$2"; shift 2 ;;
+          --must-change-password*) shift ;;
+          --config*)              shift ;;
+          *)                      shift ;;
+        esac
+      done
+
+      if [ -z "$username" ]; then
+        echo "mock-docker: change-password missing --username" >&2
+        exit 1
+      fi
+
+      # PATCH user via Forgejo admin API to clear must_change_password
+      patch_body="{\"must_change_password\":false,\"login_name\":\"${username}\",\"source_id\":0"
+      if [ -n "$password" ]; then
+        patch_body="${patch_body},\"password\":\"${password}\""
+      fi
+      patch_body="${patch_body}}"
+
+      if ! curl -sf -X PATCH \
+        -H "Content-Type: application/json" \
+        "${FORGE_URL}/api/v1/admin/users/${username}" \
+        -d "${patch_body}" \
+        >/dev/null 2>&1; then
+        echo "mock-docker: failed to change-password for '${username}'" >&2
+        exit 1
+      fi
+      exit 0
+    fi
+  fi
+
+  echo "mock-docker: unhandled exec: $*" >&2
+  exit 1
+fi
+
+echo "mock-docker: unhandled command: $*" >&2
+exit 1
+DOCKERMOCK
+chmod +x "$MOCK_BIN/docker"
+
 # ── Mock: claude ──
 cat > "$MOCK_BIN/claude" << 'CLAUDEMOCK'
 #!/usr/bin/env bash