docs: add Docker mirror guidance for restricted networks #262
mason5052 wants to merge 1 commit into vxcontrol:main from
Signed-off-by: Mason Kim(ZINUS US_SALES) <mkim@zinus.com>
Pull request overview
This PR updates PentAGI documentation to help users in restricted networks understand Docker Hub dependencies, image override variables, and how to remediate installer checker failures caused by missing Docker proxy/mirror configuration (Issue #258).
Changes:
- Document `PENTAGI_IMAGE` alongside existing worker-image selection variables, and clarify what each variable does (and does not) affect in the Compose stack.
- Add restricted-network guidance in the README covering Docker daemon/Desktop registry mirrors and proxy configuration.
- Add installer checker troubleshooting guidance explaining the checker’s Docker Hub reachability validation and a recommended remediation sequence.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `backend/docs/installer/checker.md` | Adds a “Restricted Network Troubleshooting” section explaining Docker Hub reachability checks and remediation steps. |
| `README.md` | Clarifies image-related env vars (`PENTAGI_IMAGE`, `DOCKER_DEFAULT_IMAGE*`) and adds a restricted-network section with mirror/proxy guidance and example daemon config. |
| 3. **Docker Pull Test**: Attempts to pull a small test image | ||
|
|
||
| #### Restricted Network Troubleshooting | ||
|
|
||
| The current checker validates Docker Hub reachability by resolving `docker.io`, making an HTTPS connectivity check, and attempting a Docker pull with the default test image. This means the installer can fail network validation even when the host has general internet access but Docker itself is not configured for the target network. |
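Review bot: The last sentence of the new paragraph says validation can fail while the host has general internet access, but it does not say which of the three listed checks (resolving `docker.io`, the HTTPS check, the Docker pull) is expected to fail in that situation. Naming the failing check next to each cause would let a reader go from the checker output straight to the right fix instead of working through every remediation step.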
The doc says the checker “Attempts to pull a small test image”, but the implementation pulls DefaultImage which is debian:latest (not particularly small). Also, the pull test only runs when Docker clients are available (it’s skipped when dockerClient or workerClient is nil). Consider updating this description (and the sentence below) to name the actual image and note when the pull test is executed so users don’t misinterpret what the checker is doing.
| 3. **Docker Pull Test**: Attempts to pull a small test image | |
| #### Restricted Network Troubleshooting | |
| The current checker validates Docker Hub reachability by resolving `docker.io`, making an HTTPS connectivity check, and attempting a Docker pull with the default test image. This means the installer can fail network validation even when the host has general internet access but Docker itself is not configured for the target network. | |
| 3. **Docker Pull Test**: When Docker clients are available, attempts to pull `DefaultImage` (currently `debian:latest`) | |
| #### Restricted Network Troubleshooting | |
| The current checker validates Docker Hub reachability by resolving `docker.io`, making an HTTPS connectivity check, and, when Docker clients are available, attempting a Docker pull with `DefaultImage` (currently `debian:latest`). This means the installer can fail network validation even when the host has general internet access but Docker itself is not configured for the target network. |
| 2. If your environment requires an outbound proxy, configure it for the installer/update path and for Docker itself | ||
| 3. If Docker Hub is blocked or rate-limited, configure an organization-approved Docker registry mirror or registry proxy at the Docker daemon / Docker Desktop level | ||
| 4. Restart Docker and rerun the installer checks |
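Review bot: Step 3 tells readers to use an "organization-approved" registry mirror or registry proxy but gives no criteria for what makes one acceptable, even though the mirror then sits in the pull path for Docker Hub images. Consider adding that the mirror should be reached over HTTPS rather than enabled through `insecure-registries`, and that pinning images by digest lets the daemon verify the content regardless of which registry served it.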
This remediation step mentions configuring an outbound proxy for the “installer/update path”, but doesn’t point readers to the actual installer setting. The checker code only consumes PROXY_URL for proxy-aware HTTPS checks, so it would be more actionable to reference PROXY_URL explicitly here (and keep Docker daemon/Desktop proxy configuration as a separate item).
| 2. If your environment requires an outbound proxy, configure it for the installer/update path and for Docker itself | |
| 3. If Docker Hub is blocked or rate-limited, configure an organization-approved Docker registry mirror or registry proxy at the Docker daemon / Docker Desktop level | |
| 4. Restart Docker and rerun the installer checks | |
| 2. If your environment requires an outbound proxy for the installer/update HTTPS checks, set `PROXY_URL` to the appropriate proxy URL | |
| 3. If Docker must also use a proxy to pull images, configure the Docker daemon / Docker Desktop proxy settings separately | |
| 4. If Docker Hub is blocked or rate-limited, configure an organization-approved Docker registry mirror or registry proxy at the Docker daemon / Docker Desktop level | |
| 5. Restart Docker and rerun the installer checks |
| 2. If your environment requires an outbound proxy, configure it for both PentAGI's outbound HTTP requests and the Docker daemon / Docker Desktop. | ||
| 3. If Docker Hub is blocked or heavily rate-limited, configure an organization-approved registry mirror or registry proxy before running the installer or `docker compose up`. | ||
| 4. Restart Docker after changing the daemon configuration, then rerun the installer checks or Compose startup. |
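Review bot: Step 4 goes from restarting Docker straight to rerunning the installer checks or Compose startup, with no way to confirm that the daemon picked up the new settings. Suggest adding a check between the two, for example that `docker info` lists the configured mirror under "Registry Mirrors" and shows the expected proxy values, so a typo in the daemon configuration is caught before the installer fails again.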
Step 2 says to configure an outbound proxy for “PentAGI’s outbound HTTP requests”, but it doesn’t reference the project’s documented proxy variable (PROXY_URL) and could be read as suggesting Docker will honor the same setting. Consider explicitly calling out PROXY_URL for PentAGI/installer HTTP traffic, and separately pointing users to Docker daemon/Desktop proxy settings for image pulls.
| 2. If your environment requires an outbound proxy, configure it for both PentAGI's outbound HTTP requests and the Docker daemon / Docker Desktop. | |
| 3. If Docker Hub is blocked or heavily rate-limited, configure an organization-approved registry mirror or registry proxy before running the installer or `docker compose up`. | |
| 4. Restart Docker after changing the daemon configuration, then rerun the installer checks or Compose startup. | |
| 2. If your environment requires an outbound proxy for PentAGI or installer HTTP traffic, set PentAGI's documented `PROXY_URL` environment variable. | |
| 3. If Docker image pulls must go through a proxy, configure the Docker daemon or Docker Desktop proxy settings separately; Docker does not use PentAGI's `PROXY_URL` for registry access. | |
| 4. If Docker Hub is blocked or heavily rate-limited, configure an organization-approved registry mirror or registry proxy before running the installer or `docker compose up`. | |
| 5. Restart Docker after changing the daemon configuration, then rerun the installer checks or Compose startup. |
Summary
`PENTAGI_IMAGE`, `DOCKER_DEFAULT_IMAGE`, and `DOCKER_DEFAULT_IMAGE_FOR_PENTEST` actually control
Problem
Issue #258 reports that users in restricted networks cannot reliably pull images from Docker Hub and asks whether PentAGI can be configured to use other image sources.
Right now the README documents worker image overrides, but it does not explain that these settings do not replace Docker's own registry connectivity. The installer checker docs also mention Docker Hub reachability without describing how to handle mirrored or proxied environments.
Solution
Add docs-only guidance in the two places users are most likely to look:
- `PENTAGI_IMAGE` alongside the worker image settings and clarifies that these variables do not rewrite other Compose service images
- `registry-mirrors` snippet and links to official Docker docs
- `backend/docs/installer/checker.md` now explains that the checker validates Docker Hub reachability and gives a concrete remediation order for proxy/mirror setups

This keeps the scope small and useful for Issue #258 without implying that PentAGI already supports full per-service registry remapping.
User Impact
Users deploying PentAGI behind regional restrictions, corporate egress controls, or Docker Hub access issues now have explicit guidance on what to configure before running the installer or `docker compose up`. The docs also make it clearer which image-related environment variables only affect PentAGI itself or worker selection.

Closes #258.
Test Plan
- `PENTAGI_IMAGE`, `DOCKER_DEFAULT_IMAGE`, and `DOCKER_DEFAULT_IMAGE_FOR_PENTEST` against `.env.example` and the current compose files
- `backend/cmd/installer/checker/helpers.go`
- `git diff --check`
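
The distinction this PR documents (PentAGI's `PROXY_URL` does not govern Docker's image pulls, which follow the daemon's own mirror and proxy settings) can be checked mechanically before running the installer. The following is an added example, not code from the PR or from PentAGI; `audit_pull_path`, the finding codes and the sample hostnames are hypothetical, and it assumes the `daemon.json` keys `registry-mirrors`, `insecure-registries` and `proxies`.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Docker daemon.json; the mirror host is a placeholder.
SAMPLE_DAEMON_JSON = """
{
  "registry-mirrors": ["http://mirror.example.internal"],
  "insecure-registries": ["mirror.example.internal"]
}
"""


def audit_pull_path(daemon_json, env):
    """Return (code, detail) findings for daemon.json text and an env mapping.

    Only daemon.json is inspected: proxy settings supplied through a systemd
    drop-in or Docker Desktop's UI are not visible to this check.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    mirrors = cfg.get("registry-mirrors") or []
    proxies = cfg.get("proxies") or {}
    daemon_proxy = proxies.get("https-proxy") or proxies.get("http-proxy")
    findings = []

    for mirror in mirrors:
        url = urlparse(mirror)
        if url.scheme != "https":
            findings.append(("mirror-not-https", mirror))
        if url.username or url.password:
            findings.append(("mirror-embeds-credentials", url.hostname))

    # Entries here allow plain HTTP or unverified TLS for that registry.
    for registry in cfg.get("insecure-registries") or []:
        findings.append(("insecure-registry", registry))

    # PROXY_URL covers PentAGI/installer HTTP traffic only; the daemon pulls
    # images with its own settings, so a lone PROXY_URL leaves pulls direct.
    if env.get("PROXY_URL") and not daemon_proxy and not mirrors:
        findings.append(("pulls-bypass-proxy-url", "no daemon proxy or mirror"))

    return findings


if __name__ == "__main__":
    env = {"PROXY_URL": "http://proxy.example.internal:3128"}  # constructed
    for code, detail in audit_pull_path(SAMPLE_DAEMON_JSON, env):
        print(f"{code}: {detail}")
```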