#5866: feat: add optional Docker official repo APT source

## Summary - Adds a new `OPENCLAW_DOCKER_OFFICIAL_REPO` build arg to the Dockerfile - When set, configures Docker's official APT repository (download.docker.com) with proper GPG key verification - Plumbs the arg through `docker-setup.sh` (export, `.env` persistence, `--build-arg`) - Documents the feature in `docs/install/docker.md` (quick-reference list + dedicated subsection with usage example) The repo step runs before `OPENCLAW_DOCKER_APT_PACKAGES`, so packages like `docker-ce-cli` can be installed in the same build. ## Test plan - [x] Build image without the arg — no change in behavior - [x] Build with `--build-arg OPENCLAW_DOCKER_OFFICIAL_REPO=1` — Docker official repo is added - [x] Build with both args (e.g. `OPENCLAW_DOCKER_OFFICIAL_REPO=1 OPENCLAW_DOCKER_APT_PACKAGES=docker-ce-cli`) — package installs successfully - [x] Run `docker-setup.sh` with `OPENCLAW_DOCKER_OFFICIAL_REPO=1` exported — value persists in `.env` and is passed to build 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR adds an optional `OPENCLAW_DOCKER_OFFICIAL_REPO` build arg to the root `Dockerfile` and plumbs it through `docker-setup.sh` so users can opt into Docker’s official APT repository during image builds. Documentation in `docs/install/docker.md` is updated to describe the new env var and how it composes with `OPENCLAW_DOCKER_APT_PACKAGES` (repo configured first so packages like `docker-ce-cli` can be installed in the same build). Overall this fits cleanly into the existing Docker setup flow: `docker-setup.sh` persists env vars into `.env` and forwards them as `--build-arg`s, while the Dockerfile conditionally adds the repository and key before the existing “install extra apt packages” hook runs. <h3>Confidence Score: 4/5</h3> - This PR is likely safe to merge; changes are scoped and mostly additive. - Main functional path remains unchanged unless the new build arg is set. The primary concerns are maintainability/security-hardening details in the Docker APT repo setup (hard-coded Debian codename; key download not fingerprint-verified). - Dockerfile (APT repo configuration and key handling). <!-- greptile_other_comments_section --> _{(3/5) Reply to the agent's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!} **Context used:** - Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8)) - Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13)) <!-- /greptile_comment -->