fix(docker): upgrade persisted bundled nginx-ui.conf safely (#1696)

* test(self_check): add fixed-default bundled nginx-ui.conf fixture

* test(self_check): add unfixed-default bundled nginx-ui.conf fixture

* test(self_check): add customized and partial-fix fixtures

* feat(self_check): add error codes for bundled nginx-ui.conf upgrade

* feat(self_check): add CheckBundledNginxUIConf

* feat(self_check): add idempotent applyBundledConfPatch

* feat(self_check): add transactional patch-on-disk with backup restore

* feat(self_check): wire FixBundledNginxUIConf with verify+reload

* feat(self_check): register bundled nginx-ui.conf WS-fix task

* test(docker): add init-config bats fixtures

* feat(docker): hash-whitelist sync for bundled nginx-ui.conf

* feat(docker): seed nginx-ui.conf known-hashes list

* chore(docker): add maintainer script for nginx-ui.conf hash list

* ci(docker): add bats + hash-consistency workflow for init-config.sh

* feat(docker): ship nginx-ui.conf known-hashes inside the image

* feat(self-check): banner button shows Fix when all failures are fixable

* docs: add docker websocket fix guide (en)

* docs: add docker websocket fix guide (zh_CN, zh_TW)

* docs: link docker-websocket-fix page in all locale sidebars

* docs(readme): link docker websocket fix guide

* docs(readme): link docker websocket fix guide (translations)

* fix(self_check): WS-fix check independent of NGINX_UI_IGNORE_DOCKER_SOCKET

* fix(docker): respect bundled nginx host mode

Keep bundled nginx-ui.conf self-checks aligned with Docker host mode and prevent config sync failures from blocking startup.

* fix(docker): tighten bundled conf review fixes

Co-authored-by: Jacky <me@jackyu.cn>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Jacky <me@jackyu.cn>

.github/workflows/docker-init-config-test.yml

@@ -0,0 +1,62 @@
+name: docker init-config tests
+
+on:
+  push:
+    paths:
+      - 'resources/docker/init-config.sh'
+      - 'resources/docker/nginx-ui.conf'
+      - 'resources/docker/nginx-ui.conf.known-hashes'
+      - 'resources/docker/scripts/**'
+      - 'resources/docker/tests/**'
+      - 'internal/helper/docker.go'
+      - 'internal/self_check/**'
+      - 'Dockerfile'
+      - 'demo.Dockerfile'
+      - '.github/workflows/docker-init-config-test.yml'
+  pull_request:
+    paths:
+      - 'resources/docker/init-config.sh'
+      - 'resources/docker/nginx-ui.conf'
+      - 'resources/docker/nginx-ui.conf.known-hashes'
+      - 'resources/docker/scripts/**'
+      - 'resources/docker/tests/**'
+      - 'internal/helper/docker.go'
+      - 'internal/self_check/**'
+      - 'Dockerfile'
+      - 'demo.Dockerfile'
+      - '.github/workflows/docker-init-config-test.yml'
+
+jobs:
+  hash-consistency:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Verify last known-hash equals current template
+        run: |
+          expected=$(sha256sum resources/docker/nginx-ui.conf | awk '{print $1}')
+          latest=$(grep -vE '^[[:space:]]*(#|$)' resources/docker/nginx-ui.conf.known-hashes \
+                   | awk '{print $1}' | tail -n1)
+          if [ "$expected" != "$latest" ]; then
+            echo "::error::nginx-ui.conf changed without updating known-hashes file."
+            echo "Run: bash resources/docker/scripts/update-nginx-ui-conf-hash.sh"
+            exit 1
+          fi
+
+  bats:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install bats
+        run: sudo apt-get update && sudo apt-get install -y bats
+      - name: Run bats tests
+        run: bats resources/docker/tests/
+
+  go-self-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: Run bundled config self-check tests
+        run: go test -tags=unembed ./internal/helper ./internal/self_check -count=1