fix(cloud-iac): address Greptile review on PR #7890

Three issues raised by Greptile on the initial commit:

P1  deploy user had no SSH authorized_keys, so the auto-deploy
    workflow (which SSHes as `deploy`, not root) would fail until
    keys were copied out-of-band. cloud-init now expands the same
    operator key list into the deploy user via a Terraform-template
    loop, so first-boot the user is reachable.

P2 (sec) Replaced `curl get.docker.com | sh` with the official
    Docker apt repo + GPG-verified keyring (cloud-init handles the
    keyring). Replaced `curl bun.sh/install | bash` with a pinned
    GitHub release download whose SHA-256 is verified against the
    same release's SHASUMS256.txt before extracting.

P2  Keyed hcloud_ssh_key.operators by sha256(key) prefix instead of
    list index, so inserting an operator at the start of
    var.ssh_public_keys no longer cascades into renames/recreates
    of every subsequent SSH key resource.

Author: standujar

packages/cloud-infra/cloud/terraform/hetzner/control-plane/cloud-init/bootstrap.yaml.tftpl

@@ -23,12 +23,29 @@ users:
     shell: /bin/bash
     sudo: ALL=(ALL) NOPASSWD:ALL
     lock_passwd: true
+    # Mirror operator SSH keys onto the deploy user. Hetzner only injects
+    # `hcloud_ssh_key` entries into root by default, but the
+    # `.github/workflows/deploy-eliza-provisioning-worker.yml` workflow SSHes
+    # in as `deploy`. Without this list the first auto-deploy would fail.
+    ssh_authorized_keys:
+%{ for key in operator_ssh_keys ~}
+      - ${key}
+%{ endfor ~}
 
 package_update: true
 package_upgrade: false
 
+apt:
+  sources:
+    docker:
+      source: "deb [arch=amd64 signed-by=$KEY_FILE] https://download.docker.com/linux/ubuntu $RELEASE stable"
+      keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
 packages:
   - curl
+  - docker-ce
+  - docker-ce-cli
+  - containerd.io
   - git
   - jq
   - nginx
@@ -44,13 +61,21 @@ write_files:
       export ELIZA_DEPLOY_BRANCH="${deploy_branch}"
 
 runcmd:
-  # Docker (official convenience installer — pin sha if you want it
-  # auditable; we keep it simple for the bootstrap).
-  - curl -fsSL https://get.docker.com | sh
+  # Docker is installed via the `apt` block above using the official
+  # Docker apt repo (GPG-verified keyring), not `curl get.docker.com | sh`.
   - systemctl enable --now docker
 
-  # Bun runtime for the deploy user (the daemons run under bun/tsx).
-  - su - deploy -c 'curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.13"'
+  # Bun runtime for the deploy user. We download a pinned release tarball
+  # AND its SHASUMS256 manifest from the same GitHub release, then verify
+  # the binary against the published hash before extracting. This avoids
+  # the `curl bun.sh/install | bash` supply-chain pattern flagged in the
+  # PR review — we still trust GitHub's HTTPS, but the manifest commits
+  # the publisher to a specific hash that an attacker can't forge mid-flight.
+  - install -d -o deploy -g deploy /home/deploy/.bun /home/deploy/.bun/bin
+  - su - deploy -c 'curl -fsSL -o /tmp/bun.zip https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64.zip'
+  - su - deploy -c 'curl -fsSL -o /tmp/bun-SHASUMS256.txt https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/SHASUMS256.txt'
+  - su - deploy -c 'cd /tmp && grep "bun-linux-x64.zip" bun-SHASUMS256.txt | sha256sum -c -'
+  - su - deploy -c 'cd /tmp && unzip -q bun.zip && install -m 0755 bun-linux-x64/bun /home/deploy/.bun/bin/bun && rm -rf /tmp/bun.zip /tmp/bun-linux-x64 /tmp/bun-SHASUMS256.txt'
 
   # Repo checkout — the GitHub deploy workflow then takes over for code updates.
   - mkdir -p /opt/eliza && chown deploy:deploy /opt/eliza

packages/cloud-infra/cloud/terraform/hetzner/control-plane/main.tf

@@ -10,7 +10,10 @@ locals {
 }
 
 resource "hcloud_ssh_key" "operators" {
-  for_each = { for idx, key in var.ssh_public_keys : idx => key }
+  # Key the map by a short SHA-256 prefix of the public key rather than the
+  # list index — keeps Terraform plans stable when operators are
+  # inserted/reordered in `var.ssh_public_keys`.
+  for_each = { for key in var.ssh_public_keys : substr(sha256(key), 0, 12) => key }
 
   name       = "eliza-cp-${var.environment}-op-${each.key}"
   public_key = each.value
@@ -30,8 +33,9 @@ resource "hcloud_server" "control_plane" {
   })
 
   user_data = templatefile("${path.module}/cloud-init/bootstrap.yaml.tftpl", {
-    hostname      = "eliza-cp-${var.environment}-${each.value}"
-    deploy_branch = var.deploy_branch
+    hostname          = "eliza-cp-${var.environment}-${each.value}"
+    deploy_branch     = var.deploy_branch
+    operator_ssh_keys = var.ssh_public_keys
   })
 
   # Keep server alive across refactors: changing labels or user_data