From ad0b0e181fc90ef2ba749b547c5205f1f25f9c71 Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Wed, 1 Apr 2026 18:14:18 +0000
Subject: [PATCH 1/3] =?UTF-8?q?fix:=20bug:=20agents=20Dockerfile=20build?=
 =?UTF-8?q?=20fails=20=E2=80=94=20SOPS=20checksum=20download=20unreachable?=
 =?UTF-8?q?=20(#120)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitignore               |  4 ++-
 bin/disinto              | 57 ++++++++++++++++++++++++++++++++++++++++
 docker/agents/Dockerfile | 18 +++++--------
 3 files changed, 67 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index b828cf5..fc2d715 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,6 @@ gardener/dust.jsonl
 
 # Individual encrypted secrets (managed by disinto secrets add)
 secrets/
-.woodpecker/smoke-init.yml
+
+# Pre-built binaries for Docker builds (avoid network calls during build)
+docker/agents/bin/
diff --git a/bin/disinto b/bin/disinto
index 530cf1f..74faa68 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -2367,6 +2367,55 @@ disinto_run() {
   return "$rc"
 }
 
+# ── Pre-build: download binaries to docker/agents/bin/ ────────────────────────
+# This avoids network calls during docker build (needed for Docker-in-LXD builds)
+# Returns 0 on success, 1 on failure
+download_agent_binaries() {
+  local bin_dir="${FACTORY_ROOT}/docker/agents/bin"
+  mkdir -p "$bin_dir"
+
+  echo "Downloading agent binaries to ${bin_dir}..."
+
+  # Download SOPS
+  local sops_file="${bin_dir}/sops"
+  if [ ! -f "$sops_file" ]; then
+    echo "  Downloading SOPS v3.9.4..."
+    curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 -o "$sops_file"
+    if [ ! -f "$sops_file" ]; then
+      echo "Error: failed to download SOPS" >&2
+      return 1
+    fi
+  fi
+  # Verify checksum
+  echo "  Verifying SOPS checksum..."
+  if ! echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  ${sops_file}" | sha256sum -c - >/dev/null 2>&1; then
+    echo "Error: SOPS checksum verification failed" >&2
+    return 1
+  fi
+  chmod +x "$sops_file"
+
+  # Download tea CLI
+  local tea_file="${bin_dir}/tea"
+  if [ ! -f "$tea_file" ]; then
+    echo "  Downloading tea CLI v0.9.2..."
+    curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o "$tea_file"
+    if [ ! -f "$tea_file" ]; then
+      echo "Error: failed to download tea CLI" >&2
+      return 1
+    fi
+  fi
+  # Verify checksum
+  echo "  Verifying tea CLI checksum..."
+  if ! echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  ${tea_file}" | sha256sum -c - >/dev/null 2>&1; then
+    echo "Error: tea CLI checksum verification failed" >&2
+    return 1
+  fi
+  chmod +x "$tea_file"
+
+  echo "Binaries downloaded and verified successfully"
+  return 0
+}
+
 # ── up command ────────────────────────────────────────────────────────────────
 
 disinto_up() {
@@ -2377,6 +2426,14 @@ disinto_up() {
     exit 1
   fi
 
+  # Pre-build: download binaries to docker/agents/bin/ to avoid network calls during docker build
+  echo "── Pre-build: downloading agent binaries ────────────────────────"
+  if ! download_agent_binaries; then
+    echo "Error: failed to download agent binaries" >&2
+    exit 1
+  fi
+  echo ""
+
   # Decrypt secrets to temp .env if SOPS available and .env.enc exists
   local tmp_env=""
   local enc_file="${FACTORY_ROOT}/.env.enc"
diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile
index 0b6fad5..8d675d4 100644
--- a/docker/agents/Dockerfile
+++ b/docker/agents/Dockerfile
@@ -3,20 +3,16 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
     bash curl git jq tmux cron python3 python3-pip openssh-client ca-certificates age shellcheck \
     && pip3 install --break-system-packages networkx \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
-       -o /usr/local/bin/sops \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.checksums.txt \
-       -o /tmp/sops-checksums.txt \
-    && sha256sum -c --ignore-missing /tmp/sops-checksums.txt \
-    && rm -f /tmp/sops-checksums.txt \
-    && chmod +x /usr/local/bin/sops \
     && rm -rf /var/lib/apt/lists/*
 
+# Pre-built binaries (copied from docker/agents/bin/)
+# SOPS — encrypted data decryption tool
+COPY bin/sops /usr/local/bin/sops
+RUN chmod +x /usr/local/bin/sops
+
 # tea CLI — official Gitea/Forgejo CLI for issue/label/comment operations
-# Checksum from https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64.sha256
-RUN curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o /usr/local/bin/tea \
-    && echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  /usr/local/bin/tea" | sha256sum -c - \
-    && chmod +x /usr/local/bin/tea
+COPY bin/tea /usr/local/bin/tea
+RUN chmod +x /usr/local/bin/tea
 
 # Claude CLI is mounted from the host via docker-compose volume.
 # No internet access to cli.anthropic.com required at build time.

From e617999074ba0a73d351f4706f05ff207014eb11 Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Wed, 1 Apr 2026 18:16:56 +0000
Subject: [PATCH 2/3] fix: correct build context for agents Dockerfile

---
 bin/disinto              | 8 ++++++--
 docker/agents/Dockerfile | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/bin/disinto b/bin/disinto
index 74faa68..3c7507d 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -226,7 +226,9 @@ services:
       - woodpecker
 
   agents:
-    build: ./docker/agents
+    build:
+      context: .
+      dockerfile: docker/agents/Dockerfile
     restart: unless-stopped
     security_opt:
       - apparmor=unconfined
@@ -256,7 +258,9 @@ services:
       - disinto-net
 
   runner:
-    build: ./docker/agents
+    build:
+      context: .
+      dockerfile: docker/agents/Dockerfile
     profiles: ["vault"]
     security_opt:
       - apparmor=unconfined
diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile
index 8d675d4..31bcaa2 100644
--- a/docker/agents/Dockerfile
+++ b/docker/agents/Dockerfile
@@ -7,11 +7,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Pre-built binaries (copied from docker/agents/bin/)
 # SOPS — encrypted data decryption tool
-COPY bin/sops /usr/local/bin/sops
+COPY docker/agents/bin/sops /usr/local/bin/sops
 RUN chmod +x /usr/local/bin/sops
 
 # tea CLI — official Gitea/Forgejo CLI for issue/label/comment operations
-COPY bin/tea /usr/local/bin/tea
+COPY docker/agents/bin/tea /usr/local/bin/tea
 RUN chmod +x /usr/local/bin/tea
 
 # Claude CLI is mounted from the host via docker-compose volume.

From 1eefd5ac72f3eec3430e3d8ff7cd2ddf1d83d07e Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Wed, 1 Apr 2026 18:28:45 +0000
Subject: [PATCH 3/3] fix: correct entrypoint.sh COPY path for root build
 context

---
 docker/agents/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile
index 31bcaa2..f58af00 100644
--- a/docker/agents/Dockerfile
+++ b/docker/agents/Dockerfile
@@ -23,7 +23,7 @@ RUN useradd -m -u 1000 -s /bin/bash agent
 # Copy disinto code into the image
 COPY . /home/agent/disinto
 
-COPY entrypoint.sh /entrypoint.sh
+COPY docker/agents/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 # Entrypoint runs as root to start the cron daemon;