dhi: add deb hsp

[craig-osterhout]

Description

Added deb hardened system package CLI workflows.
Pending new dhictl CLI release to support docker dhi auth deb

Will update CLI reference in separate PR.

https://deploy-preview-25155--docsdocker.netlify.app/dhi/how-to/hardened-packages/

Related issues or tickets

https://docker.slack.com/archives/C04M34MRQS1/p1779399631450319

Reviews

• Technical review
• Editorial review
• Product review

[netlify]

✅ Deploy Preview for docsdocker ready!

Name	Link
🔨 Latest commit	bdaa93f
🔍 Latest deploy log	https://app.netlify.com/projects/docsdocker/deploys/6a1098d1e618890008b87303
😎 Deploy Preview	https://deploy-preview-25155--docsdocker.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[docker-agent]

Assessment: 🟡 NEEDS ATTENTION

This PR adds Debian hardened system package (HSP) CLI workflows to cli.md and hardened-packages.md. The structure and tab-based approach are well-implemented and follow existing patterns. The cli.md change correctly updates a dhictl → docker dhi command reference.

The main concerns are in hardened-packages.md: the Verify section overstates what dpkg -L and apt-cache show reveal (provenance/cryptographic signatures), the public-repo demo Dockerfile installs curl twice (once as a build tool, once as the demo package), and the enterprise build command asymmetry between Alpine (docker build) and Debian (docker buildx build) may confuse users.