From 1ee39e859b78e70996a89fdf963b709d38942b5d Mon Sep 17 00:00:00 2001 
From: ReachableCEO Date: Fri, 31 Oct 2025 13:28:59 -0500 Subject: [PATCH] chore(filesystem): capture latest filesystem changes - Removed multiple toolbox directories (toolbox-QADocker, toolbox-dockstack, toolbox-qadocker) - Created new toolbox-docstack directory - Added .gitkeep to toolbox-qadocker directory to keep it tracked in git - The filesystem structure continues to be the authoritative source of truth - Preserved toolbox-qadocker directory in git with .gitkeep as requested for future work Co-authored-by: Qwen-Coder --- .../.devcontainer/devcontainer.json | 14 -- .../output/toolbox-QADocker/Dockerfile | 77 -------- ToolboxStack/output/toolbox-QADocker/PROMPT | 27 --- .../output/toolbox-QADocker/README.md | 107 ----------- ToolboxStack/output/toolbox-QADocker/SEED | 38 ---- .../output/toolbox-QADocker/aqua.yaml | 24 --- ToolboxStack/output/toolbox-QADocker/build.sh | 175 ------------------ .../toolbox-QADocker/docker-compose.yml | 35 ---- ToolboxStack/output/toolbox-QADocker/run.sh | 74 -------- .../output/toolbox-QADocker/security-audit.sh | 155 ---------------- ToolboxStack/output/toolbox-QADocker/test.sh | 112 ----------- .../toolbox-dockstack/AUDIT_CHECKLIST.md | 120 ------------ .../output/toolbox-dockstack/release.sh | 111 ----------- .../.devcontainer/devcontainer.json | 0 .../AUDIT_CHECKLIST.md | 0 .../Dockerfile | 0 .../PROMPT | 0 .../README.md | 0 .../SEED | 0 .../aqua.yaml | 0 .../build.sh | 0 .../docker-compose.yml | 0 .../release.sh | 0 .../run.sh | 0 .../security-audit.sh | 0 .../test.sh | 0 ToolboxStack/output/toolbox-qadocker/.gitkeep | 0 .../toolbox-qadocker/AUDIT_CHECKLIST.md | 120 ------------ .../output/toolbox-qadocker/Dockerfile | 81 -------- ToolboxStack/output/toolbox-qadocker/PROMPT | 27 --- .../output/toolbox-qadocker/README.md | 79 -------- ToolboxStack/output/toolbox-qadocker/SEED | 38 ---- .../output/toolbox-qadocker/aqua.yaml | 24 --- ToolboxStack/output/toolbox-qadocker/build.sh | 175 ------------------ 
.../toolbox-qadocker/docker-compose.yml | 35 ---- .../output/toolbox-qadocker/release.sh | 111 ----------- ToolboxStack/output/toolbox-qadocker/run.sh | 74 -------- .../output/toolbox-qadocker/security-audit.sh | 155 ---------------- ToolboxStack/output/toolbox-qadocker/test.sh | 112 ----------- 39 files changed, 2100 deletions(-) delete mode 100644 ToolboxStack/output/toolbox-QADocker/.devcontainer/devcontainer.json delete mode 100644 ToolboxStack/output/toolbox-QADocker/Dockerfile delete mode 100644 ToolboxStack/output/toolbox-QADocker/PROMPT delete mode 100644 ToolboxStack/output/toolbox-QADocker/README.md delete mode 100644 ToolboxStack/output/toolbox-QADocker/SEED delete mode 100644 ToolboxStack/output/toolbox-QADocker/aqua.yaml delete mode 100755 ToolboxStack/output/toolbox-QADocker/build.sh delete mode 100644 ToolboxStack/output/toolbox-QADocker/docker-compose.yml delete mode 100755 ToolboxStack/output/toolbox-QADocker/run.sh delete mode 100755 ToolboxStack/output/toolbox-QADocker/security-audit.sh delete mode 100755 ToolboxStack/output/toolbox-QADocker/test.sh delete mode 100644 ToolboxStack/output/toolbox-dockstack/AUDIT_CHECKLIST.md delete mode 100755 ToolboxStack/output/toolbox-dockstack/release.sh rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/.devcontainer/devcontainer.json (100%) rename ToolboxStack/output/{toolbox-QADocker => toolbox-docstack}/AUDIT_CHECKLIST.md (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/Dockerfile (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/PROMPT (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/README.md (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/SEED (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/aqua.yaml (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/build.sh (100%) rename ToolboxStack/output/{toolbox-dockstack => 
toolbox-docstack}/docker-compose.yml (100%) rename ToolboxStack/output/{toolbox-QADocker => toolbox-docstack}/release.sh (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/run.sh (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/security-audit.sh (100%) rename ToolboxStack/output/{toolbox-dockstack => toolbox-docstack}/test.sh (100%) create mode 100644 ToolboxStack/output/toolbox-qadocker/.gitkeep delete mode 100644 ToolboxStack/output/toolbox-qadocker/AUDIT_CHECKLIST.md delete mode 100644 ToolboxStack/output/toolbox-qadocker/Dockerfile delete mode 100644 ToolboxStack/output/toolbox-qadocker/PROMPT delete mode 100644 ToolboxStack/output/toolbox-qadocker/README.md delete mode 100644 ToolboxStack/output/toolbox-qadocker/SEED delete mode 100644 ToolboxStack/output/toolbox-qadocker/aqua.yaml delete mode 100755 ToolboxStack/output/toolbox-qadocker/build.sh delete mode 100644 ToolboxStack/output/toolbox-qadocker/docker-compose.yml delete mode 100755 ToolboxStack/output/toolbox-qadocker/release.sh delete mode 100755 ToolboxStack/output/toolbox-qadocker/run.sh delete mode 100755 ToolboxStack/output/toolbox-qadocker/security-audit.sh delete mode 100755 ToolboxStack/output/toolbox-qadocker/test.sh
diff --git a/ToolboxStack/output/toolbox-QADocker/.devcontainer/devcontainer.json b/ToolboxStack/output/toolbox-QADocker/.devcontainer/devcontainer.json
deleted file mode 100644
index bc4715c..0000000
--- a/ToolboxStack/output/toolbox-QADocker/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "name": "TSYSDevStack {{toolbox_name}}",
- "dockerComposeFile": [
- "../docker-compose.yml"
- ],
- "service": "{{toolbox_name}}",
- "workspaceFolder": "/workspace",
- "remoteUser": "toolbox",
- "runServices": [
- "{{toolbox_name}}"
- ],
- "overrideCommand": false,
- "postCreateCommand": "zsh -lc 'starship --version >/dev/null'"
-}
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-QADocker/Dockerfile b/ToolboxStack/output/toolbox-QADocker/Dockerfile
deleted file mode 100644
index e830a06..0000000
--- a/ToolboxStack/output/toolbox-QADocker/Dockerfile
+++ /dev/null
@@ -1,77 +0,0 @@ -# Use Ubuntu 24.04 as base for the QA Docker toolbox -FROM ubuntu:24.04 - -# Set build arguments (these can be overridden at build time) -ARG USER_ID=1000 -ARG GROUP_ID=1000 -ARG USERNAME=toolbox - -# Set up environment and install essential packages -ENV DEBIAN_FRONTEND=noninteractive -RUN apt-get update && apt-get install -y --no-install-recommends \ - ca-certificates \ - curl \ - gnupg \ - lsb-release \ - git \ - unzip \ - wget \ - && rm -rf /var/lib/apt/lists/* - -# Install Docker CLI -RUN install -m 0755 -d /etc/apt/keyrings \ - && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \ - && chmod a+r /etc/apt/keyrings/docker.gpg \ - && echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ - $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ - tee /etc/apt/sources.list.d/docker.list > /dev/null \ - && apt-get update \ - && apt-get install -y --no-install-recommends docker-ce-cli \ - && rm -rf /var/lib/apt/lists/* - -# Install hadolint for Dockerfile linting -RUN wget -O /usr/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \ - && chmod +x /usr/bin/hadolint - -# Install dive for exploring Docker image layers -RUN wget -O /tmp/dive_0.10.0_linux_amd64.deb https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb \ - && dpkg -i /tmp/dive_0.10.0_linux_amd64.deb \ - && rm /tmp/dive_0.10.0_linux_amd64.deb - -# Create non-root user -RUN if ! getent group "${USERNAME}" >/dev/null; then \ - groupadd --gid "${GROUP_ID}" "${USERNAME}"; \ - fi && \ - if ! 
id "${USERNAME}" >/dev/null 2>&1; then \ - useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /bin/bash --create-home "${USERNAME}"; \ - fi - -# Install aqua for package management -RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v3.0.0/aqua-installer | bash -s -- -v v3.0.0 \ - && mv /usr/local/bin/aqua /usr/local/bin/aqua-tmp \ - && mkdir -p /root/.local/share/aquaproj-aqua/bin \ - && mv /usr/local/bin/aqua-tmp /root/.local/share/aquaproj-aqua/bin/aqua \ - && ln -s /root/.local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua - -# Copy the aqua.yaml configuration for the non-root user and install packages -COPY aqua.yaml /tmp/aqua.yaml -RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \ - && mkdir -p /home/${USERNAME}/.config/aquaproj-aqua \ - && chown "${USER_ID}:${GROUP_ID}" /home/${USERNAME}/.config/aquaproj-aqua \ - && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml /home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml' \ - && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml aqua install' - -# Prepare workspace directory with appropriate ownership -RUN mkdir -p /workspace \ - && chown "${USER_ID}:${GROUP_ID}" /workspace - -# Remove sudo to ensure no root escalation is possible at runtime -RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true - -ENV PATH=/root/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/usr/local/bin:${PATH} - -WORKDIR /workspace -USER ${USERNAME} - -CMD ["/bin/bash"] \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-QADocker/PROMPT b/ToolboxStack/output/toolbox-QADocker/PROMPT deleted file mode 100644 index c919e69..0000000 --- a/ToolboxStack/output/toolbox-QADocker/PROMPT +++ /dev/null 
@@ -1,27 +0,0 @@ -You are Codex, collaborating with a human on the TSYSDevStack ToolboxStack project. - -- Seed context: - - `SEED` captures the initial scope. Edit it once to define goals, then treat it as read-only unless the high-level objectives change. - - Start each session by reading it (`cat SEED`) and summarize progress or adjustments here in PROMPT. - -Context snapshot ({{toolbox_name}}): -- Working directory: artifacts/ToolboxStack/{{toolbox_name}} -- Image: tsysdevstack-toolboxstack-{{toolbox_name}} (extends from tsysdevstack-toolboxstack-toolbox-base:release-current) -- Container user: toolbox (non-root, UID/GID mapped to host) -- Mounted workspace: current repo at /workspace (rw) - -Current state: -- Extends from the standard toolbox-base image, inheriting all base tooling (shells, CLIs, package managers). -- aqua packages are baked into the base image during the build process for consistency, reproducibility and performance. -- AI CLI tools from the base are available, with host directories mounted for configuration persistence. -- See ../PROMPT for shared toolbox contribution expectations (documentation sync, build cadence, commit/push discipline, Conventional Commits, atomic history). - -Collaboration checklist: -1. Translate SEED goals into concrete tooling decisions; mirror outcomes in README.md and this PROMPT (do not rewrite SEED unless the scope resets). -2. Prefer aqua-managed CLIs and mise-managed runtimes for reproducibility. -3. After each tooling change, update README/PROMPT, run ./build.sh, commit (Conventional Commit message, focused diff), and push only once the build succeeds per ../PROMPT. -4. Record verification steps (build/test commands) as they are performed. -5. Maintain UID/GID mapping and non-root execution. - -Active focus: -- Initialize {{toolbox_name}} using the toolbox-template scaffolding; evolve the Dockerfile/tooling inventory to satisfy the SEED goals. \ No newline at end of file 
diff --git a/ToolboxStack/output/toolbox-QADocker/README.md b/ToolboxStack/output/toolbox-QADocker/README.md
deleted file mode 100644
index 716bdb6..0000000
--- a/ToolboxStack/output/toolbox-QADocker/README.md
+++ /dev/null
@@ -1,107 +0,0 @@ -# 🧰 TSYSDevStack Toolbox Template - -Template for creating new toolboxes that extend from the `toolbox-base` image. - ---- - -## πŸš€ Quick Start - -1. **Create a new toolbox** - ```bash - cp -r /path/to/toolbox-template /path/to/new-toolbox - cd /path/to/new-toolbox - ``` - -2. **Customize the toolbox** - - Edit `Dockerfile` to add toolbox-specific tooling - - Modify `docker-compose.yml` to adjust service configuration - - Update `SEED` to define the toolbox's purpose and goals - -3. **Build the toolbox** - ```bash - ./build.sh - ``` - -4. **Start the toolbox** - ```bash - ./run.sh up - ``` - -5. **Access the toolbox** - ```bash - docker exec -it tsysdevstack-toolboxstack-{{toolbox_name}} zsh - ``` - -6. **Stop the toolbox** - ```bash - ./run.sh down - ``` - ---- - -## 🧱 Architecture - -- **Base Image**: Extends from `tsysdevstack-toolboxstack-toolbox-base:release-current` -- **User**: Runs as non-root `toolbox` user (UID/GID mapped to host) -- **Workspace**: Mounts current directory to `/workspace` (read/write) -- **Runtime**: Inherits all tooling from base plus toolbox-specific additions - ---- - -## πŸ› οΈ Customization - -### Dockerfile -Extend the base image with toolbox-specific tooling: -```dockerfile -# Extend from the toolbox-base image -FROM tsysdevstack-toolboxstack-toolbox-base:release-current - -# Add toolbox-specific packages or configurations -RUN apt-get update && apt-get install -y --no-install-recommends \ - specific-package \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -``` - -### docker-compose.yml -Adjust service configuration for toolbox-specific needs: -```yaml -services: - my-toolbox: - # Inherits all base configuration - # Add toolbox-specific volumes, ports, etc. 
- volumes: - - ./custom-config:/home/toolbox/.config/custom-tool -``` - -### SEED -Define the toolbox's purpose and goals: -```markdown -- Describe what this toolbox should provide (languages, CLIs, workflows) -- List required base image modifications or additional mounts -- Note verification or testing expectations specific to this toolbox -``` - ---- - -## πŸ“‚ Project Layout - -| Path | Purpose | -|------|---------| -| `Dockerfile` | Extends base image with toolbox-specific tooling | -| `docker-compose.yml` | Service configuration for the toolbox | -| `build.sh` | Wrapper around `docker build` with host UID/GID mapping | -| `run.sh` | Helper to bring the service up/down | -| `.devcontainer/devcontainer.json` | VS Code remote container definition | -| `SEED` | Defines the toolbox's purpose and goals | -| `PROMPT` | LLM onboarding prompt for future contributors | - ---- - -## 🀝 Collaboration Notes - -- Inherits all collaboration policies from `toolbox-base` -- Document toolbox-specific additions in `README.md` and `PROMPT` -- Update `SEED` only when the high-level objectives change -- Prefer aqua/mise for new tooling to keep installations reproducible -- Keep documentation synchronized for future contributors \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-QADocker/SEED b/ToolboxStack/output/toolbox-QADocker/SEED deleted file mode 100644 index 009667c..0000000 --- a/ToolboxStack/output/toolbox-QADocker/SEED +++ /dev/null 
@@ -1,38 +0,0 @@ -# Toolbox Template SEED - -This SEED file defines the high-level objectives for all toolboxes created from this template. - -## 🎯 Goals - -- **Extensibility**: Each toolbox should extend from `toolbox-base` to inherit core tooling -- **Consistency**: All toolboxes should follow the same patterns and conventions -- **Reproducibility**: Toolbox builds should be deterministic and cache-efficient -- **Security**: Toolboxes should run as non-root users with minimal privileges -- **Portability**: Toolboxes should work identically across different host environments - -## 🧰 Requirements - -- **Base Image**: Extend from `tsysdevstack-toolboxstack-toolbox-base:release-current` -- **User Model**: Run as non-root `toolbox` user (UID/GID mapped to host) -- **Workspace**: Mount current directory to `/workspace` (read/write) -- **Runtime**: Inherit all base tooling plus toolbox-specific additions -- **Configuration**: Preserve user configs/mise toolchains via volume mounts - -## πŸ› οΈ Implementation - -- **Dockerfile**: Extend from base with toolbox-specific tooling -- **docker-compose.yml**: Configure service with inherited + custom settings -- **build.sh**: Wrapper around `docker build` with UID/GID mapping -- **run.sh**: Helper to bring service up/down -- **devcontainer.json**: VS Code remote container definition -- **SEED**: Define toolbox-specific objectives (this file) -- **PROMPT**: LLM onboarding prompt for future contributors - -## βœ… Verification - -- Toolboxes should build without errors -- Toolboxes should start and run indefinitely -- Toolboxes should be accessible via `docker exec` -- Toolboxes should inherit all base tooling -- Toolboxes should support toolbox-specific additions -- Toolboxes should preserve user configurations across restarts \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-QADocker/aqua.yaml b/ToolboxStack/output/toolbox-QADocker/aqua.yaml deleted file mode 100644 index db3aeb9..0000000 
--- a/ToolboxStack/output/toolbox-QADocker/aqua.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-version: 1.0.0
-registries:
- - type: standard
- ref: v4.431.0
-packages:
- # Docker auditing and security tools
- - name: hadolint/hadolint@v2.12.0
- - name: aquasecurity/trivy@v0.56.2
- - name: anchore/grype@v0.84.1
- - name: docker/docker-bench-security@v1.8.0
- - name: snyk/snyk@v1.1308.0
- # General utility tools
- - name: jesseduffield/lazygit@v0.44.0
- - name: direnv/direnv@v2.35.0
- - name: dandavison/delta@0.18.2
- - name: ajeetdsouza/zoxide@v0.9.6
- - name: mikefarah/yq@v4.44.3
- - name: ducaale/xh@v0.22.3
- - name: rs/curlie@v1.8.6
- - name: koalaman/shellcheck@v0.10.0
- - name: mvdan/sh@v3.7.0
- - name: golangci/golangci-lint@v1.60.3
- - name: golang/go@go1.23.0
- - name: cli/cli@v2.57.0
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-QADocker/build.sh b/ToolboxStack/output/toolbox-QADocker/build.sh
deleted file mode 100755
index e6a62ce..0000000
--- a/ToolboxStack/output/toolbox-QADocker/build.sh
+++ /dev/null
@@ -1,175 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security: Validate input parameters to prevent command injection -sanitized_input() { - local input="$1" - # Check for potentially dangerous characters/commands - case "$input" in - *[\;\|\&\`\$]*) - echo "Error: Invalid input detected: $input" >&2 - exit 1 - ;; - esac -} - -# Validate dependencies -if ! command -v docker &> /dev/null; then - echo "Error: docker is required but not installed." >&2 - exit 1 -fi - -if ! docker buildx version &> /dev/null; then - echo "Error: docker buildx is required but not available." >&2 - exit 1 -fi - -# Get the toolbox name from the directory name (or you can pass it as an argument) -TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}" -sanitized_input "$TOOLBOX_NAME" -# Convert to lowercase and replace any uppercase letters to ensure valid Docker image name -IMAGE_NAME_RAW="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}" -IMAGE_NAME=$(echo "$IMAGE_NAME_RAW" | tr '[:upper:]' '[:lower:]') -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -# Sanitize user input -USER_ID="${USER_ID_OVERRIDE:-$(id -u)}" -sanitized_input "$USER_ID" -GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}" -sanitized_input "$GROUP_ID" -USERNAME="${USERNAME_OVERRIDE:-toolbox}" -sanitized_input "$USERNAME" -TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}" -sanitized_input "$TEA_VERSION" -BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}" -sanitized_input "$BUILDER_NAME" -CACHE_DIR="${SCRIPT_DIR}/.build-cache" -TAG="${TAG_OVERRIDE:-dev}" -sanitized_input "$TAG" -RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}" -sanitized_input "$RELEASE_TAG" -VERSION_TAG="${VERSION_TAG_OVERRIDE:-}" -if [[ -n "$VERSION_TAG" ]]; then - sanitized_input "$VERSION_TAG" -fi -PUSH="${PUSH_OVERRIDE:-false}" - -echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}" -echo "Primary tag: ${TAG}" - -# Ensure builder exists 
-if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then - echo "Creating builder: ${BUILDER_NAME}" - if ! docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null; then - echo "Error: Failed to create Docker buildx builder." >&2 - exit 1 - fi -else - echo "Using existing builder: ${BUILDER_NAME}" - if ! docker buildx use "${BUILDER_NAME}" >/dev/null; then - echo "Error: Failed to use Docker buildx builder." >&2 - exit 1 - fi -fi - -# Ensure cache directory exists -if ! mkdir -p "${CACHE_DIR}"; then - echo "Error: Failed to create cache directory: ${CACHE_DIR}" >&2 - exit 1 -fi - -echo "Starting build..." -BUILD_OUTPUT=$(mktemp) -trap 'rm -f "$BUILD_OUTPUT"' EXIT - -# Build the image -if ! docker buildx build \ - --builder "${BUILDER_NAME}" \ - --load \ - --progress=plain \ - --build-arg USER_ID="${USER_ID}" \ - --build-arg GROUP_ID="${GROUP_ID}" \ - --build-arg USERNAME="${USERNAME}" \ - --build-arg TEA_VERSION="${TEA_VERSION}" \ - --cache-from "type=local,src=${CACHE_DIR}" \ - --cache-to "type=local,dest=${CACHE_DIR},mode=max" \ - --tag "${IMAGE_NAME}:${TAG}" \ - "${SCRIPT_DIR}" 2>&1 | tee "${BUILD_OUTPUT}"; then - echo "Error: Docker build failed. Check output above for details." >&2 - exit 1 -fi - -echo "Build completed successfully." - -# Run post-build verification -echo "Running post-build verification..." -if ! docker run --rm "${IMAGE_NAME}:${TAG}" bash -c 'echo "Container starts successfully"'; then - echo "Error: Failed to start container with basic test." >&2 - exit 1 -fi - -# Verify critical tools for Docker auditing are available -echo "Verifying Docker auditing tools..." -CRITICAL_TOOLS=("git" "curl" "wget" "docker" "hadolint" "dive" "bash") -for tool in "${CRITICAL_TOOLS[@]}"; do - if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then - echo "Error: Critical Docker auditing tool '$tool' not found in PATH." 
>&2 - exit 1 - fi -done - -# Verify additional aqua tools for QA are available -echo "Verifying QA aqua tools..." -AQUA_TOOLS=("lazygit" "direnv" "delta" "zoxide" "yq" "xh" "curlie" "shellcheck" "trivy" "grype" "docker-bench-security") -for tool in "${AQUA_TOOLS[@]}"; do - if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then - echo "Error: QA aqua tool '$tool' not found in PATH." >&2 - exit 1 - fi -done - -echo "All verifications passed." - -# Push if requested -if [[ "${PUSH}" == "true" ]]; then - echo "Pushing ${IMAGE_NAME}:${TAG}" - if ! docker push "${IMAGE_NAME}:${TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${TAG}" >&2 - exit 1 - fi - - if [[ "${TAG}" == "dev" && -n "${VERSION_TAG}" ]]; then - if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${VERSION_TAG}"; then - echo "Error: Failed to tag ${IMAGE_NAME}:${VERSION_TAG}" >&2 - exit 1 - fi - echo "Pushing ${IMAGE_NAME}:${VERSION_TAG}" - if ! docker push "${IMAGE_NAME}:${VERSION_TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${VERSION_TAG}" >&2 - exit 1 - fi - fi - - if [[ "${TAG}" == "dev" ]]; then - if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${RELEASE_TAG}"; then - echo "Error: Failed to tag ${IMAGE_NAME}:${RELEASE_TAG}" >&2 - exit 1 - fi - echo "Pushing ${IMAGE_NAME}:${RELEASE_TAG}" - if ! docker push "${IMAGE_NAME}:${RELEASE_TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${RELEASE_TAG}" >&2 - exit 1 - fi - fi -fi - -# Run security scan if TRIVY is available -if command -v trivy &> /dev/null; then - echo "Running security scan with Trivy..." - trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}" -else - echo "Trivy not found. Install Trivy to perform security scanning." -fi - -echo "Build process completed successfully with all verifications." \ No newline at end of file 
diff --git a/ToolboxStack/output/toolbox-QADocker/docker-compose.yml b/ToolboxStack/output/toolbox-QADocker/docker-compose.yml
deleted file mode 100644
index bfb5501..0000000
--- a/ToolboxStack/output/toolbox-QADocker/docker-compose.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-services:
- {{toolbox_name}}:
- container_name: tsysdevstack-toolboxstack-{{toolbox_name}}
- image: tsysdevstack-toolboxstack-{{toolbox_name}}
- build:
- context: .
- dockerfile: Dockerfile
- args:
- USER_ID: ${LOCAL_UID:-1000}
- GROUP_ID: ${LOCAL_GID:-1000}
- USERNAME: ${LOCAL_USERNAME:-toolbox}
- user: "${LOCAL_UID:-1000}:${LOCAL_GID:-1000}"
- working_dir: /workspace
- command: ["sleep", "infinity"]
- init: true
- tty: true
- stdin_open: true
- volumes:
- - .:/workspace:rw
- - ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw
- - ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw
- # AI CLI tool configuration and cache directories
- - ${HOME}/.config/openai:/home/toolbox/.config/openai:rw
- - ${HOME}/.config/gemini:/home/toolbox/.config/gemini:rw
- - ${HOME}/.config/qwen:/home/toolbox/.config/qwen:rw
- - ${HOME}/.config/code:/home/toolbox/.config/code:rw
- - ${HOME}/.config/opencode:/home/toolbox/.config/opencode:rw
- - ${HOME}/.cache/openai:/home/toolbox/.cache/openai:rw
- - ${HOME}/.cache/gemini:/home/toolbox/.cache/gemini:rw
- - ${HOME}/.cache/qwen:/home/toolbox/.cache/qwen:rw
- - ${HOME}/.cache/code:/home/toolbox/.cache/code:rw
- - ${HOME}/.cache/opencode:/home/toolbox/.cache/opencode:rw
- # Additional AI tool directories
- - ${HOME}/.config/codex:/home/toolbox/.config/codex:rw
- - ${HOME}/.cache/codex:/home/toolbox/.cache/codex:rw
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-QADocker/run.sh b/ToolboxStack/output/toolbox-QADocker/run.sh
deleted file mode 100755
index 8433cdd..0000000
--- a/ToolboxStack/output/toolbox-QADocker/run.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security: Validate input parameters to prevent command injection -sanitized_input() { - local input="$1" - # Check for potentially dangerous characters/commands - case "$input" in - *[\;\|\&\`\$]*) - echo "Error: Invalid input detected: $input" >&2 - exit 1 - ;; - esac -} - -# Validate dependencies -if ! command -v docker &> /dev/null; then - echo "Error: docker is required but not installed." >&2 - exit 1 -fi - -if ! command -v docker compose &> /dev/null; then - echo "Error: docker compose is required but not installed." >&2 - exit 1 -fi - -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml" - -export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}" -sanitized_input "$LOCAL_UID" -export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}" -sanitized_input "$LOCAL_GID" -export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}" -sanitized_input "$LOCAL_USERNAME" -export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}" -sanitized_input "$TOOLBOX_IMAGE" - -if [[ ! 
-f "${COMPOSE_FILE}" ]]; then - echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2 - exit 1 -fi - -ACTION="${1:-up}" -sanitized_input "$ACTION" -shift || true - -if [[ "${ACTION}" == "up" ]]; then - # Create necessary directories for the toolbox tools with proper permissions - mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise" - mkdir -p "${HOME}/.config" "${HOME}/.local/share" - mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode" - mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode" - mkdir -p "${HOME}/.config/codex" "${HOME}/.cache/codex" - - # Set proper permissions for created directories - chmod 700 "${HOME}/.config" "${HOME}/.local/share" "${HOME}/.cache" 2>/dev/null || true -fi - -case "${ACTION}" in - up) - docker compose -f "${COMPOSE_FILE}" up --build --detach "$@" - echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-{{toolbox_name}} zsh' to access the shell." - ;; - down) - docker compose -f "${COMPOSE_FILE}" down "$@" - echo "Container stopped." - ;; - *) - echo "Usage: $0 [up|down] [additional docker compose args]" >&2 - exit 1 - ;; -esac \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-QADocker/security-audit.sh b/ToolboxStack/output/toolbox-QADocker/security-audit.sh deleted file mode 100755 index 3c036fa..0000000 --- a/ToolboxStack/output/toolbox-QADocker/security-audit.sh +++ /dev/null 
@@ -1,155 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security audit script for the toolbox-template - -IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}" - -echo "πŸ”’ Running security audit on ${IMAGE_NAME}" - -# Check if Trivy is available for security scanning -if command -v trivy &> /dev/null; then - echo "πŸ” Running Trivy security scan..." - trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}" - echo "βœ… Trivy scan completed" -else - echo "⚠️ Trivy not found. Install Trivy to perform security scanning." - echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions." -fi - -# Check for outdated packages -echo "πŸ“¦ Checking for outdated packages..." -OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l) -if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then - echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded" - echo " Run 'apt update && apt upgrade' to update packages" -else - echo "βœ… All system packages are up to date" -fi - -# Check for unnecessary packages that increase attack surface -echo "πŸ›‘οΈ Checking for unnecessary packages..." -UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l) -if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then - echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface" - echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind" -else - echo "βœ… No unnecessary packages found that increase attack surface" -fi - -# Check for world-writable files/directories -echo "πŸ“ Checking for world-writable files/directories..." 
-WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l) -if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then - echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories" - echo " These should be reviewed and permissions adjusted if necessary" -else - echo "βœ… No world-writable files/directories found" -fi - -# Check for setuid/setgid binaries -echo "πŸ”‘ Checking for setuid/setgid binaries..." -SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l) -if [[ "${SETUID_BINARIES}" -gt 0 ]]; then - echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries" - echo " These should be reviewed for security implications" -else - echo "βœ… No setuid/setgid binaries found" -fi - -# Check for running services -echo "ァービ Checking for running services..." -RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l) -if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then - echo "⚠️ Found ${RUNNING_SERVICES} running processes" - echo " These should be reviewed for necessity" -else - echo "βœ… No unnecessary running services found" -fi - -# Check for listening ports -echo "πŸ“‘ Checking for listening ports..." -LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l) -if [[ "${LISTENING_PORTS}" -gt 0 ]]; then - echo "⚠️ Found ${LISTENING_PORTS} listening ports" - echo " These should be reviewed for security implications" -else - echo "βœ… No unnecessary listening ports found" -fi - -# Check for sudo availability -echo "πŸ›‘ Checking for sudo availability..." 
-if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then - echo "❌ Sudo is available in the image - this is a security risk" - echo " Sudo should be removed to prevent privilege escalation" -else - echo "βœ… Sudo is not available in the image" -fi - -# Check for root login capability -echo "πŸ” Checking for root login capability..." -ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l) -if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then - echo "⚠️ Root login might be enabled" - echo " Ensure root login is disabled for security" -else - echo "βœ… Root login is properly disabled" -fi - -# Check user configuration -echo "πŸ‘€ Checking user configuration..." -USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found") -if [[ "${USER_ID}" == "1000" ]]; then - echo "βœ… Non-root user 'toolbox' with UID 1000 is properly configured" -else - echo "⚠️ Non-root user configuration might be incorrect" -fi - -# Check for hardcoded passwords -echo "πŸ”‘ Checking for hardcoded passwords..." -HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l) -if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then - echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references" - echo " These should be reviewed for security implications" -else - echo "βœ… No hardcoded password references found" -fi - -# Check for exposed secrets -echo " сСкр Checking for exposed secrets..." 
-EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l) -if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then - echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files" - echo " These should be reviewed for security implications" -else - echo "βœ… No exposed secret files found" -fi - -# Check that this template properly extends from the base image -echo "πŸ”— Checking inheritance from base image..." -BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" 2>/dev/null | grep "FROM tsysdevstack-toolboxstack-toolbox-base:release-current" | wc -l) -if [[ "${BASE_INHERITANCE}" -gt 0 ]]; then - echo "βœ… Template properly extends from toolbox-base:release-current" -else - echo "⚠️ Template might not properly extend from toolbox-base:release-current" -fi - -# Summary -echo "" -echo "πŸ”’ Security Audit Summary:" -echo " - Image: ${IMAGE_NAME}" -echo " - Scan completed with recommendations above" -echo "" -echo "πŸ’‘ Recommendations:" -echo " 1. Install Trivy for comprehensive security scanning" -echo " 2. Regularly update packages to address vulnerabilities" -echo " 3. Remove unnecessary packages to reduce attack surface" -echo " 4. Review world-writable files/directories" -echo " 5. Review setuid/setgid binaries" -echo " 6. Remove sudo to prevent privilege escalation" -echo " 7. Ensure root login is disabled" -echo " 8. Verify non-root user configuration" -echo " 9. Review hardcoded password references" -echo " 10. Check for exposed secrets" -echo " 11. Ensure proper inheritance from base image" \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-QADocker/test.sh b/ToolboxStack/output/toolbox-QADocker/test.sh deleted file mode 100755 index 605e3ea..0000000 --- a/ToolboxStack/output/toolbox-QADocker/test.sh +++ /dev/null 
@@ -1,112 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Test script to verify all tools are working properly in the toolbox-template
-
-IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
-
-echo "πŸ§ͺ Testing all tools in ${IMAGE_NAME}"
-
-# Function to test a command
-test_cmd() {
- local cmd="$1"
- local description="$2"
-
- echo -n "Testing ${cmd} (${description})... "
-
- if docker run --rm "${IMAGE_NAME}" "${cmd}" --version >/dev/null 2>&1; then
- echo "βœ… PASS"
- return 0
- else
- echo "❌ FAIL"
- return 1
- fi
-}
-
-# Function to test a command with specific args
-test_cmd_args() {
- local cmd="$1"
- local args="$2"
- local description="$3"
-
- echo -n "Testing ${cmd} ${args} (${description})... "
-
- if docker run --rm "${IMAGE_NAME}" "${cmd}" ${args} >/dev/null 2>&1; then
- echo "βœ… PASS"
- return 0
- else
- echo "❌ FAIL"
- return 1
- fi
-}
-
-# Counter for tracking results
-PASSED=0
-FAILED=0
-
-# Test core tools inherited from base
-echo "πŸ” Testing core tools inherited from base..."
-
-test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++))
-test_cmd "git" "Git version control" && ((PASSED++)) || ((FAILED++))
-test_cmd "curl" "cURL utility" && ((PASSED++)) || ((FAILED++))
-test_cmd "jq" "JSON processor" && ((PASSED++)) || ((FAILED++))
-test_cmd "fish" "Fish shell" && ((PASSED++)) || ((FAILED++))
-test_cmd "fzf" "Fuzzy finder" && ((PASSED++)) || ((FAILED++))
-test_cmd "bat" "Cat clone with wings" && ((PASSED++)) || ((FAILED++))
-test_cmd "fd" "Simple, fast alternative to find" && ((PASSED++)) || ((FAILED++))
-test_cmd "rg" "Ripgrep - line-oriented search tool" && ((PASSED++)) || ((FAILED++))
-test_cmd "htop" "Interactive process viewer" && ((PASSED++)) || ((FAILED++))
-test_cmd "btop" "Modern and colorful terminal monitor" && ((PASSED++)) || ((FAILED++))
-
-# Test aqua installed tools inherited from base
-echo "πŸ”§ Testing aqua installed tools inherited from base..."
-
-test_cmd "gh" "GitHub CLI" && ((PASSED++)) || ((FAILED++))
-test_cmd "lazygit" "Simple terminal UI for git commands" && ((PASSED++)) || ((FAILED++))
-test_cmd "direnv" "Unclutter your .profile" && ((PASSED++)) || ((FAILED++))
-test_cmd "delta" "Syntax-highlighting pager for git, diff, and grep output" && ((PASSED++)) || ((FAILED++))
-test_cmd "zoxide" "Smarter cd command" && ((PASSED++)) || ((FAILED++))
-test_cmd "just" "Just a command runner" && ((PASSED++)) || ((FAILED++))
-test_cmd "yq" "Portable command-line YAML processor" && ((PASSED++)) || ((FAILED++))
-test_cmd "xh" "Friendly and fast tool for sending HTTP requests" && ((PASSED++)) || ((FAILED++))
-test_cmd "curlie" "The power of curl, the ease of use of httpie" && ((PASSED++)) || ((FAILED++))
-test_cmd "chezmoi" "Manage your dotfiles across multiple machines" && ((PASSED++)) || ((FAILED++))
-test_cmd "shfmt" "Shell formatter" && ((PASSED++)) || ((FAILED++))
-test_cmd "shellcheck" "Shell script analysis tool" && ((PASSED++)) || ((FAILED++))
-test_cmd "hadolint" "Dockerfile linter" && ((PASSED++)) || ((FAILED++))
-test_cmd "uv" "Python package installer and resolver" && ((PASSED++)) || ((FAILED++))
-test_cmd "watchexec" "Execute commands in response to file modifications" && ((PASSED++)) || ((FAILED++))
-test_cmd "tea" "Gitea CLI" && ((PASSED++)) || ((FAILED++))
-
-# Test AI CLI tools inherited from base
-echo "πŸ€– Testing AI CLI tools inherited from base..."
-
-test_cmd_args "code" "--version" "just-every/code AI CLI" && ((PASSED++)) || ((FAILED++))
-test_cmd_args "qwen" "--version" "QwenLM/qwen-code AI CLI" && ((PASSED++)) || ((FAILED++))
-test_cmd_args "gemini" "--version" "google-gemini/gemini-cli AI CLI" && ((PASSED++)) || ((FAILED++))
-test_cmd_args "codex" "--version" "openai/codex AI CLI" && ((PASSED++)) || ((FAILED++))
-test_cmd_args "opencode" "--version" "sst/opencode AI CLI" && ((PASSED++)) || ((FAILED++))
-
-# Test additional tools inherited from base
-echo "🧰 Testing additional tools inherited from base..."
-
-test_cmd "starship" "Cross-shell prompt" && ((PASSED++)) || ((FAILED++))
-test_cmd "mise" "Polyglot runtime manager" && ((PASSED++)) || ((FAILED++))
-test_cmd_args "aqua" "--version" "Declarative CLI Version Manager" && ((PASSED++)) || ((FAILED++))
-
-# Summary
-echo ""
-echo "πŸ“Š Test Results:"
-echo " Passed: ${PASSED}"
-echo " Failed: ${FAILED}"
-echo " Total: $((PASSED + FAILED))"
-
-if [[ "${FAILED}" -eq 0 ]]; then
- echo "πŸŽ‰ All tests passed!"
- exit 0
-else
- echo "πŸ’₯ ${FAILED} tests failed!"
- exit 1
-fi
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-dockstack/AUDIT_CHECKLIST.md b/ToolboxStack/output/toolbox-dockstack/AUDIT_CHECKLIST.md
deleted file mode 100644
index 3513885..0000000
--- a/ToolboxStack/output/toolbox-dockstack/AUDIT_CHECKLIST.md
+++ /dev/null
@@ -1,120 +0,0 @@
-# 🧰 Toolbox Template Audit Checklist
-
-This checklist ensures the toolbox-template provides a solid foundation for creating new toolboxes that extend from toolbox-base.
-
-## πŸ—οΈ Structure Audit
-
-- [ ] Template Dockerfile properly extends from toolbox-base:release-current
-- [ ] Template Dockerfile follows best practices for extension
-- [ ] Template docker-compose.yml properly inherits from base configuration
-- [ ] Template build.sh script properly wraps docker build with UID/GID mapping
-- [ ] Template run.sh script properly manages container lifecycle
-- [ ] Template devcontainer.json properly references base configuration
-- [ ] Template SEED file properly defines extension objectives
-- [ ] Template PROMPT file properly guides contributors
-- [ ] Template README.md properly documents usage and customization
-- [ ] Template aqua.yaml properly extends from base tooling
-
-## πŸ”§ Consistency Audit
-
-- [ ] Template inherits all base security practices
-- [ ] Template follows same build process patterns as base
-- [ ] Template uses same user model as base (non-root with UID/GID mapping)
-- [ ] Template workspace mounting consistent with base
-- [ ] Template runtime behavior consistent with base
-- [ ] Template error handling consistent with base
-- [ ] Template documentation style consistent with base
-- [ ] Template testing approach consistent with base
-- [ ] Template customization points clearly defined
-- [ ] Template extension patterns well-documented
-
-## πŸ›‘οΈ Security Audit
-
-- [ ] Template maintains all base security guarantees
-- [ ] Template doesn't introduce security vulnerabilities
-- [ ] Template doesn't weaken base security model
-- [ ] Template properly validates user inputs
-- [ ] Template properly handles file permissions
-- [ ] Template doesn't expose additional attack surfaces
-- [ ] Template properly manages secrets/configuration
-- [ ] Template follows principle of least privilege
-- [ ] Template properly isolates user processes
-- [ ] Template maintains non-root execution model
-
-## πŸ§ͺ Testing Audit
-
-- [ ] Template includes testing framework
-- [ ] Template tests verify proper extension from base
-- [ ] Template tests validate added functionality
-- [ ] Template tests check for regression issues
-- [ ] Template tests cover error conditions
-- [ ] Template tests verify security properties
-- [ ] Template tests run automatically during build
-- [ ] Template tests provide clear failure diagnostics
-- [ ] Template tests cover all customization points
-- [ ] Template tests align with base testing philosophy
-
-## πŸ“š Documentation Audit
-
-- [ ] Template README.md clearly explains purpose and usage
-- [ ] Template README.md properly documents customization options
-- [ ] Template README.md links to base documentation
-- [ ] Template README.md includes quick start guide
-- [ ] Template README.md covers troubleshooting
-- [ ] Template README.md explains extension patterns
-- [ ] Template README.md documents versioning strategy
-- [ ] Template README.md covers maintenance procedures
-- [ ] Template README.md explains collaboration guidelines
-- [ ] Template README.md maintains consistent style with base
-
-## πŸ”„ Maintenance Audit
-
-- [ ] Template properly tracks base image updates
-- [ ] Template provides clear upgrade paths
-- [ ] Template maintains backward compatibility
-- [ ] Template follows same release cadence as base
-- [ ] Template properly handles dependency updates
-- [ ] Template includes update automation where appropriate
-- [ ] Template documents breaking changes
-- [ ] Template provides migration guides when needed
-- [ ] Template follows same versioning scheme as base
-- [ ] Template maintains consistent issue tracking
-
-## 🎯 Usability Audit
-
-- [ ] Template is easy to copy and customize
-- [ ] Template provides clear extension points
-- [ ] Template includes helpful examples
-- [ ] Template reduces boilerplate code
-- [ ] Template provides sensible defaults
-- [ ] Template includes proper error messages
-- [ ] Template supports common customization patterns
-- [ ] Template includes helpful documentation
-- [ ] Template follows intuitive naming conventions
-- [ ] Template minimizes configuration complexity
-
-## 🌐 Compatibility Audit
-
-- [ ] Template works with all supported platforms
-- [ ] Template maintains cross-platform consistency
-- [ ] Template integrates well with base tooling
-- [ ] Template supports common development workflows
-- [ ] Template handles various project structures
-- [ ] Template works with popular IDEs/editors
-- [ ] Template supports CI/CD integration
-- [ ] Template compatible with common deployment methods
-- [ ] Template supports popular version control systems
-- [ ] Template integrates with common development tools
-
-## 🧹 Cleanliness Audit
-
-- [ ] Template includes no unnecessary files
-- [ ] Template follows consistent file organization
-- [ ] Template includes proper .gitignore
-- [ ] Template avoids duplicating base functionality
-- [ ] Template includes proper licensing information
-- [ ] Template maintains clean directory structure
-- [ ] Template includes appropriate comments/documentation
-- [ ] Template avoids hardcoded values where possible
-- [ ] Template follows consistent naming conventions
-- [ ] Template includes proper attribution where needed
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-dockstack/release.sh b/ToolboxStack/output/toolbox-dockstack/release.sh
deleted file mode 100755
index ce9f4ea..0000000
--- a/ToolboxStack/output/toolbox-dockstack/release.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-usage() {
- cat <<'EOU'
-Usage: ./release.sh [--dry-run] [--allow-dirty]
-
-Examples:
- ./release.sh 0.2.0
- ./release.sh --dry-run 0.2.0
-
-This script rebuilds the toolbox image, tags it as:
- - tsysdevstack-toolboxstack-:dev
- - tsysdevstack-toolboxstack-:release-current
- - tsysdevstack-toolboxstack-:v
-
-When run without --dry-run it pushes all three tags.
-EOU
-}
-
-DRY_RUN=false
-ALLOW_DIRTY=false
-VERSION=""
-
-while (( $# > 0 )); do
- case "$1" in
- --dry-run)
- DRY_RUN=true
- shift
- ;;
- --allow-dirty)
- ALLOW_DIRTY=true
- shift
- ;;
- -h|--help)
- usage
- exit 0
- ;;
- -*)
- echo "Unknown option: $1" >&2
- usage
- exit 1
- ;;
- *)
- VERSION="$1"
- shift
- ;;
- esac
-done
-
-if [[ -z "${VERSION}" ]]; then
- echo "Error: semantic version is required." >&2
- usage
- exit 1
-fi
-
-if [[ "${VERSION}" =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
- SEMVER="v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
-else
- echo "Error: version must be semantic (e.g., 0.2.0 or v0.2.0)." >&2
- exit 1
-fi
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$(cd "${SCRIPT_DIR}" && git rev-parse --show-toplevel 2>/dev/null || true)"
-
-if [[ -n "${REPO_ROOT}" && "${ALLOW_DIRTY}" != "true" ]]; then
- if ! git -C "${REPO_ROOT}" diff --quiet --ignore-submodules --exit-code; then
- echo "Error: git working tree has uncommitted changes. Please commit or stash before releasing." >&2
- exit 1
- fi
-elif [[ -z "${REPO_ROOT}" ]]; then
- echo "Warning: unable to resolve git repository root; skipping clean tree check." >&2
-fi
-
-# Get the toolbox name from the directory name (or you can pass it as an argument)
-TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}"
-IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}"
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
-GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}"
-USERNAME="${USERNAME_OVERRIDE:-toolbox}"
-TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}"
-BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}"
-CACHE_DIR="${SCRIPT_DIR}/.build-cache"
-TAG="${TAG_OVERRIDE:-dev}"
-RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}"
-VERSION_TAG="${VERSION_TAG_OVERRIDE:-}"
-if [[ -n "$VERSION_TAG" ]]; then
- VERSION_TAG="$SEMVER"
-fi
-PUSH="${PUSH_OVERRIDE:-false}"
-
-echo "Preparing release for ${SEMVER}"
-echo " dry-run: ${DRY_RUN}"
-echo " allow-dirty: ${ALLOW_DIRTY}"
-
-if [[ "${DRY_RUN}" == "true" ]]; then
- echo "[dry-run] Would build ${IMAGE_NAME}:${TAG}"
- TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=false "${SCRIPT_DIR}/build.sh"
- echo "[dry-run] Skipped pushing tags."
-else
- echo "Building ${IMAGE_NAME}:${TAG}"
- TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=true RELEASE_TAG_OVERRIDE="${RELEASE_TAG}" VERSION_TAG_OVERRIDE="${SEMVER}" "${SCRIPT_DIR}/build.sh"
- echo "Release ${SEMVER} pushed as:"
- echo " - ${IMAGE_NAME}:dev"
- echo " - ${IMAGE_NAME}:release-current"
- echo " - ${IMAGE_NAME}:${SEMVER}"
-fi
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-dockstack/.devcontainer/devcontainer.json b/ToolboxStack/output/toolbox-docstack/.devcontainer/devcontainer.json
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/.devcontainer/devcontainer.json
rename to ToolboxStack/output/toolbox-docstack/.devcontainer/devcontainer.json
diff --git a/ToolboxStack/output/toolbox-QADocker/AUDIT_CHECKLIST.md b/ToolboxStack/output/toolbox-docstack/AUDIT_CHECKLIST.md
similarity index 100%
rename from ToolboxStack/output/toolbox-QADocker/AUDIT_CHECKLIST.md
rename to ToolboxStack/output/toolbox-docstack/AUDIT_CHECKLIST.md
diff --git a/ToolboxStack/output/toolbox-dockstack/Dockerfile b/ToolboxStack/output/toolbox-docstack/Dockerfile
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/Dockerfile
rename to ToolboxStack/output/toolbox-docstack/Dockerfile
diff --git a/ToolboxStack/output/toolbox-dockstack/PROMPT b/ToolboxStack/output/toolbox-docstack/PROMPT
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/PROMPT
rename to ToolboxStack/output/toolbox-docstack/PROMPT
diff --git a/ToolboxStack/output/toolbox-dockstack/README.md b/ToolboxStack/output/toolbox-docstack/README.md
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/README.md
rename to ToolboxStack/output/toolbox-docstack/README.md
diff --git a/ToolboxStack/output/toolbox-dockstack/SEED b/ToolboxStack/output/toolbox-docstack/SEED
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/SEED
rename to ToolboxStack/output/toolbox-docstack/SEED
diff --git a/ToolboxStack/output/toolbox-dockstack/aqua.yaml b/ToolboxStack/output/toolbox-docstack/aqua.yaml
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/aqua.yaml
rename to ToolboxStack/output/toolbox-docstack/aqua.yaml
diff --git a/ToolboxStack/output/toolbox-dockstack/build.sh b/ToolboxStack/output/toolbox-docstack/build.sh
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/build.sh
rename to ToolboxStack/output/toolbox-docstack/build.sh
diff --git a/ToolboxStack/output/toolbox-dockstack/docker-compose.yml b/ToolboxStack/output/toolbox-docstack/docker-compose.yml
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/docker-compose.yml
rename to ToolboxStack/output/toolbox-docstack/docker-compose.yml
diff --git a/ToolboxStack/output/toolbox-QADocker/release.sh b/ToolboxStack/output/toolbox-docstack/release.sh
similarity index 100%
rename from ToolboxStack/output/toolbox-QADocker/release.sh
rename to ToolboxStack/output/toolbox-docstack/release.sh
diff --git a/ToolboxStack/output/toolbox-dockstack/run.sh b/ToolboxStack/output/toolbox-docstack/run.sh
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/run.sh
rename to ToolboxStack/output/toolbox-docstack/run.sh
diff --git a/ToolboxStack/output/toolbox-dockstack/security-audit.sh b/ToolboxStack/output/toolbox-docstack/security-audit.sh
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/security-audit.sh
rename to ToolboxStack/output/toolbox-docstack/security-audit.sh
diff --git a/ToolboxStack/output/toolbox-dockstack/test.sh b/ToolboxStack/output/toolbox-docstack/test.sh
similarity index 100%
rename from ToolboxStack/output/toolbox-dockstack/test.sh
rename to ToolboxStack/output/toolbox-docstack/test.sh
diff --git a/ToolboxStack/output/toolbox-qadocker/.gitkeep b/ToolboxStack/output/toolbox-qadocker/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ToolboxStack/output/toolbox-qadocker/AUDIT_CHECKLIST.md b/ToolboxStack/output/toolbox-qadocker/AUDIT_CHECKLIST.md
deleted file mode 100644
index 3513885..0000000
--- a/ToolboxStack/output/toolbox-qadocker/AUDIT_CHECKLIST.md
+++ /dev/null
@@ -1,120 +0,0 @@
-# 🧰 Toolbox Template Audit Checklist
-
-This checklist ensures the toolbox-template provides a solid foundation for creating new toolboxes that extend from toolbox-base.
-
-## πŸ—οΈ Structure Audit
-
-- [ ] Template Dockerfile properly extends from toolbox-base:release-current
-- [ ] Template Dockerfile follows best practices for extension
-- [ ] Template docker-compose.yml properly inherits from base configuration
-- [ ] Template build.sh script properly wraps docker build with UID/GID mapping
-- [ ] Template run.sh script properly manages container lifecycle
-- [ ] Template devcontainer.json properly references base configuration
-- [ ] Template SEED file properly defines extension objectives
-- [ ] Template PROMPT file properly guides contributors
-- [ ] Template README.md properly documents usage and customization
-- [ ] Template aqua.yaml properly extends from base tooling
-
-## πŸ”§ Consistency Audit
-
-- [ ] Template inherits all base security practices
-- [ ] Template follows same build process patterns as base
-- [ ] Template uses same user model as base (non-root with UID/GID mapping)
-- [ ] Template workspace mounting consistent with base
-- [ ] Template runtime behavior consistent with base
-- [ ] Template error handling consistent with base
-- [ ] Template documentation style consistent with base
-- [ ] Template testing approach consistent with base
-- [ ] Template customization points clearly defined
-- [ ] Template extension patterns well-documented
-
-## πŸ›‘οΈ Security Audit
-
-- [ ] Template maintains all base security guarantees
-- [ ] Template doesn't introduce security vulnerabilities
-- [ ] Template doesn't weaken base security model
-- [ ] Template properly validates user inputs
-- [ ] Template properly handles file permissions
-- [ ] Template doesn't expose additional attack surfaces
-- [ ] Template properly manages secrets/configuration
-- [ ] Template follows principle of least privilege
-- [ ] Template properly isolates user processes
-- [ ] Template maintains non-root execution model
-
-## πŸ§ͺ Testing Audit
-
-- [ ] Template includes testing framework
-- [ ] Template tests verify proper extension from base
-- [ ] Template tests validate added functionality
-- [ ] Template tests check for regression issues
-- [ ] Template tests cover error conditions
-- [ ] Template tests verify security properties
-- [ ] Template tests run automatically during build
-- [ ] Template tests provide clear failure diagnostics
-- [ ] Template tests cover all customization points
-- [ ] Template tests align with base testing philosophy
-
-## πŸ“š Documentation Audit
-
-- [ ] Template README.md clearly explains purpose and usage
-- [ ] Template README.md properly documents customization options
-- [ ] Template README.md links to base documentation
-- [ ] Template README.md includes quick start guide
-- [ ] Template README.md covers troubleshooting
-- [ ] Template README.md explains extension patterns
-- [ ] Template README.md documents versioning strategy
-- [ ] Template README.md covers maintenance procedures
-- [ ] Template README.md explains collaboration guidelines
-- [ ] Template README.md maintains consistent style with base
-
-## πŸ”„ Maintenance Audit
-
-- [ ] Template properly tracks base image updates
-- [ ] Template provides clear upgrade paths
-- [ ] Template maintains backward compatibility
-- [ ] Template follows same release cadence as base
-- [ ] Template properly handles dependency updates
-- [ ] Template includes update automation where appropriate
-- [ ] Template documents breaking changes
-- [ ] Template provides migration guides when needed
-- [ ] Template follows same versioning scheme as base
-- [ ] Template maintains consistent issue tracking
-
-## 🎯 Usability Audit
-
-- [ ] Template is easy to copy and customize
-- [ ] Template provides clear extension points
-- [ ] Template includes helpful examples
-- [ ] Template reduces boilerplate code
-- [ ] Template provides sensible defaults
-- [ ] Template includes proper error messages
-- [ ] Template supports common customization patterns
-- [ ] Template includes helpful documentation
-- [ ] Template follows intuitive naming conventions
-- [ ] Template minimizes configuration complexity
-
-## 🌐 Compatibility Audit
-
-- [ ] Template works with all supported platforms
-- [ ] Template maintains cross-platform consistency
-- [ ] Template integrates well with base tooling
-- [ ] Template supports common development workflows
-- [ ] Template handles various project structures
-- [ ] Template works with popular IDEs/editors
-- [ ] Template supports CI/CD integration
-- [ ] Template compatible with common deployment methods
-- [ ] Template supports popular version control systems
-- [ ] Template integrates with common development tools
-
-## 🧹 Cleanliness Audit
-
-- [ ] Template includes no unnecessary files
-- [ ] Template follows consistent file organization
-- [ ] Template includes proper .gitignore
-- [ ] Template avoids duplicating base functionality
-- [ ] Template includes proper licensing information
-- [ ] Template maintains clean directory structure
-- [ ] Template includes appropriate comments/documentation
-- [ ] Template avoids hardcoded values where possible
-- [ ] Template follows consistent naming conventions
-- [ ] Template includes proper attribution where needed
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-qadocker/Dockerfile b/ToolboxStack/output/toolbox-qadocker/Dockerfile
deleted file mode 100644
index 052d39c..0000000
--- a/ToolboxStack/output/toolbox-qadocker/Dockerfile
+++ /dev/null
@@ -1,81 +0,0 @@
-# Use Ubuntu 24.04 as base for the QA Docker toolbox
-FROM ubuntu:24.04
-
-# Set build arguments (these can be overridden at build time)
-ARG USER_ID=1000
-ARG GROUP_ID=1000
-ARG USERNAME=toolbox
-
-# Set up environment and install essential packages
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- curl \
- gnupg \
- lsb-release \
- git \
- unzip \
- wget \
- zsh \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Docker CLI
-RUN install -m 0755 -d /etc/apt/keyrings \
- && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
- && chmod a+r /etc/apt/keyrings/docker.gpg \
- && echo \
- "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
- $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
- tee /etc/apt/sources.list.d/docker.list > /dev/null \
- && apt-get update \
- && apt-get install -y --no-install-recommends docker-ce-cli \
- && rm -rf /var/lib/apt/lists/*
-
-# Install hadolint for Dockerfile linting
-RUN wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
- && chmod +x /usr/local/bin/hadolint
-
-# Install dive for exploring Docker image layers
-RUN wget -O /tmp/dive_0.10.0_linux_amd64.deb https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb \
- && dpkg -i /tmp/dive_0.10.0_linux_amd64.deb \
- && rm /tmp/dive_0.10.0_linux_amd64.deb
-
-# Install git for cloning security repositories
-RUN apt-get update && apt-get install -y --no-install-recommends git \
- && rm -rf /var/lib/apt/lists/*
-
-# Create non-root user
-RUN groupadd --gid "${GROUP_ID}" "${USERNAME}" \
- && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /bin/bash --create-home "${USERNAME}"
-
-# Set up basic shell configuration
-RUN echo 'export PATH="$PATH:/usr/local/bin"' >> /home/${USERNAME}/.bashrc
-
-# Prepare workspace directory with appropriate ownership
-RUN mkdir -p /workspace \
- && chown "${USER_ID}:${GROUP_ID}" /workspace
-
-# Remove sudo to ensure no root escalation is possible at runtime
-RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
-
-# Install aqua for package management
-RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v3.0.0/aqua-installer | bash -s -- -v v3.0.0 \
- && mv /usr/local/bin/aqua /usr/local/bin/aqua-tmp \
- && mkdir -p /root/.local/share/aquaproj-aqua/bin \
- && mv /usr/local/bin/aqua-tmp /root/.local/share/aquaproj-aqua/bin/aqua \
- && ln -s /root/.local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua
-
-# Copy the aqua.yaml configuration for the non-root user and install packages
-COPY aqua.yaml /tmp/aqua.yaml
-RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
- && mkdir -p /home/${USERNAME}/.config/aquaproj-aqua \
- && chown "${USER_ID}:${GROUP_ID}" /home/${USERNAME}/.config/aquaproj-aqua \
- && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml /home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml' \
- && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml aqua install'
-
-ENV PATH=/root/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/usr/local/bin:${PATH}
-
-WORKDIR /workspace
-USER ${USERNAME}
-
-CMD ["/bin/bash"]
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-qadocker/PROMPT b/ToolboxStack/output/toolbox-qadocker/PROMPT
deleted file mode 100644
index c919e69..0000000
--- a/ToolboxStack/output/toolbox-qadocker/PROMPT
+++ /dev/null
@@ -1,27 +0,0 @@
-You are Codex, collaborating with a human on the TSYSDevStack ToolboxStack project.
-
-- Seed context:
- - `SEED` captures the initial scope. Edit it once to define goals, then treat it as read-only unless the high-level objectives change.
- - Start each session by reading it (`cat SEED`) and summarize progress or adjustments here in PROMPT.
-
-Context snapshot ({{toolbox_name}}):
-- Working directory: artifacts/ToolboxStack/{{toolbox_name}}
-- Image: tsysdevstack-toolboxstack-{{toolbox_name}} (extends from tsysdevstack-toolboxstack-toolbox-base:release-current)
-- Container user: toolbox (non-root, UID/GID mapped to host)
-- Mounted workspace: current repo at /workspace (rw)
-
-Current state:
-- Extends from the standard toolbox-base image, inheriting all base tooling (shells, CLIs, package managers).
-- aqua packages are baked into the base image during the build process for consistency, reproducibility and performance.
-- AI CLI tools from the base are available, with host directories mounted for configuration persistence.
-- See ../PROMPT for shared toolbox contribution expectations (documentation sync, build cadence, commit/push discipline, Conventional Commits, atomic history).
-
-Collaboration checklist:
-1. Translate SEED goals into concrete tooling decisions; mirror outcomes in README.md and this PROMPT (do not rewrite SEED unless the scope resets).
-2. Prefer aqua-managed CLIs and mise-managed runtimes for reproducibility.
-3. After each tooling change, update README/PROMPT, run ./build.sh, commit (Conventional Commit message, focused diff), and push only once the build succeeds per ../PROMPT.
-4. Record verification steps (build/test commands) as they are performed.
-5. Maintain UID/GID mapping and non-root execution.
-
-Active focus:
-- Initialize {{toolbox_name}} using the toolbox-template scaffolding; evolve the Dockerfile/tooling inventory to satisfy the SEED goals.
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-qadocker/README.md b/ToolboxStack/output/toolbox-qadocker/README.md
deleted file mode 100644
index e67f186..0000000
--- a/ToolboxStack/output/toolbox-qadocker/README.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# 🧰 TSYSDevStack QA Docker Toolbox
-
-A minimal Docker image designed for auditing, verifying, and testing Docker images and container configurations.
-
----
-
-## πŸš€ Quick Start
-
-1. **Build the toolbox**
- ```bash
- ./build.sh
- ```
-
-2. **Start the toolbox**
- ```bash
- ./run.sh up
- ```
-
-3. **Access the toolbox**
- ```bash
- docker exec -it tsysdevstack-toolboxstack-qadocker bash
- ```
-
-4. **Stop the toolbox**
- ```bash
- ./run.sh down
- ```
-
----
-
-## 🧱 Architecture
-
-- **Base Image**: Ubuntu 24.04 (minimal base without extending from toolbox-base)
-- **User**: Runs as non-root `toolbox` user (UID/GID mapped to host)
-- **Workspace**: Mounts current directory to `/workspace` (read/write)
-- **Tools**: Contains essential Docker auditing and security tools
-
----
-
-## πŸ› οΈ Included Tools
-
-### Docker Auditing & Security
-- **Docker CLI**: For Docker operations and container management
-- **Hadolint**: Dockerfile linter for best practices and common errors
-- **Dive**: Tool to explore Docker image layers and discover inefficiencies
-- **Trivy**: Comprehensive security scanner for vulnerabilities
-- **Grype**: Vulnerability scanner for container images
-- **Docker Bench Security**: Tool for running CIS Docker benchmark tests
-
-### Version Control & General Tools
-- **Git**: For version control operations
-- **Lazygit**: Terminal UI for Git
-- **Curl/Wget**: For downloading resources
-- **Yq**: Command-line YAML processor
-- **Xh**: Friendly and fast tool for HTTP requests
-
----
-
-## πŸ“‚ Project Layout
-
-| Path | Purpose |
-|------|---------|
-| `Dockerfile` | Defines the minimal QA Docker image with auditing tools |
-| `docker-compose.yml` | Service configuration for the QA toolbox |
-| `build.sh` | Wrapper around `docker build` with host UID/GID mapping |
-| `run.sh` | Helper to bring the service up/down |
-| `aqua.yaml` | Configuration for aqua-managed CLI tools |
-| `SEED` | Defines the toolbox's purpose and goals |
-| `PROMPT` | LLM onboarding prompt for future contributors |
-
----
-
-## 🀝 Collaboration Notes
-
-- This is the ONLY image that does NOT extend from `toolbox-base` (used for bootstrap purposes)
-- Designed for use by AI CLI agents when creating and verifying container images
-- Contains tools for auditing Docker images (hadolint, dive, etc.)
-- Meant to be rebuilt quickly and be easy to extend
-- Follows best security practices for minimal attack surface
\ No newline at end of file
diff --git a/ToolboxStack/output/toolbox-qadocker/SEED b/ToolboxStack/output/toolbox-qadocker/SEED
deleted file mode 100644
index 009667c..0000000
--- a/ToolboxStack/output/toolbox-qadocker/SEED
+++ /dev/null
@@ -1,38 +0,0 @@ -# Toolbox Template SEED - -This SEED file defines the high-level objectives for all toolboxes created from this template. - -## 🎯 Goals - -- **Extensibility**: Each toolbox should extend from `toolbox-base` to inherit core tooling -- **Consistency**: All toolboxes should follow the same patterns and conventions -- **Reproducibility**: Toolbox builds should be deterministic and cache-efficient -- **Security**: Toolboxes should run as non-root users with minimal privileges -- **Portability**: Toolboxes should work identically across different host environments - -## 🧰 Requirements - -- **Base Image**: Extend from `tsysdevstack-toolboxstack-toolbox-base:release-current` -- **User Model**: Run as non-root `toolbox` user (UID/GID mapped to host) -- **Workspace**: Mount current directory to `/workspace` (read/write) -- **Runtime**: Inherit all base tooling plus toolbox-specific additions -- **Configuration**: Preserve user configs/mise toolchains via volume mounts - -## πŸ› οΈ Implementation - -- **Dockerfile**: Extend from base with toolbox-specific tooling -- **docker-compose.yml**: Configure service with inherited + custom settings -- **build.sh**: Wrapper around `docker build` with UID/GID mapping -- **run.sh**: Helper to bring service up/down -- **devcontainer.json**: VS Code remote container definition -- **SEED**: Define toolbox-specific objectives (this file) -- **PROMPT**: LLM onboarding prompt for future contributors - -## βœ… Verification - -- Toolboxes should build without errors -- Toolboxes should start and run indefinitely -- Toolboxes should be accessible via `docker exec` -- Toolboxes should inherit all base tooling -- Toolboxes should support toolbox-specific additions -- Toolboxes should preserve user configurations across restarts \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/aqua.yaml b/ToolboxStack/output/toolbox-qadocker/aqua.yaml deleted file mode 100644 index db3aeb9..0000000 
--- a/ToolboxStack/output/toolbox-qadocker/aqua.yaml +++ /dev/null @@ -1,24 +0,0 @@ -version: 1.0.0 -registries: - - type: standard - ref: v4.431.0 -packages: - # Docker auditing and security tools - - name: hadolint/hadolint@v2.12.0 - - name: aquasecurity/trivy@v0.56.2 - - name: anchore/grype@v0.84.1 - - name: docker/docker-bench-security@v1.8.0 - - name: snyk/snyk@v1.1308.0 - # General utility tools - - name: jesseduffield/lazygit@v0.44.0 - - name: direnv/direnv@v2.35.0 - - name: dandavison/delta@0.18.2 - - name: ajeetdsouza/zoxide@v0.9.6 - - name: mikefarah/yq@v4.44.3 - - name: ducaale/xh@v0.22.3 - - name: rs/curlie@v1.8.6 - - name: koalaman/shellcheck@v0.10.0 - - name: mvdan/sh@v3.7.0 - - name: golangci/golangci-lint@v1.60.3 - - name: golang/go@go1.23.0 - - name: cli/cli@v2.57.0 \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/build.sh b/ToolboxStack/output/toolbox-qadocker/build.sh deleted file mode 100755 index b1639f9..0000000 --- a/ToolboxStack/output/toolbox-qadocker/build.sh +++ /dev/null 
@@ -1,175 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security: Validate input parameters to prevent command injection -sanitized_input() { - local input="$1" - # Check for potentially dangerous characters/commands - case "$input" in - *[\;\|\&\`\$]*) - echo "Error: Invalid input detected: $input" >&2 - exit 1 - ;; - esac -} - -# Validate dependencies -if ! command -v docker &> /dev/null; then - echo "Error: docker is required but not installed." >&2 - exit 1 -fi - -if ! docker buildx version &> /dev/null; then - echo "Error: docker buildx is required but not available." >&2 - exit 1 -fi - -# Get the toolbox name from the directory name (or you can pass it as an argument) -TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}" -sanitized_input "$TOOLBOX_NAME" -# Convert to lowercase and replace any uppercase letters to ensure valid Docker image name -IMAGE_NAME_RAW="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}" -IMAGE_NAME=$(echo "$IMAGE_NAME_RAW" | tr '[:upper:]' '[:lower:]') -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -# Sanitize user input -USER_ID="${USER_ID_OVERRIDE:-$(id -u)}" -sanitized_input "$USER_ID" -GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}" -sanitized_input "$GROUP_ID" -USERNAME="${USERNAME_OVERRIDE:-toolbox}" -sanitized_input "$USERNAME" -TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}" -sanitized_input "$TEA_VERSION" -BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}" -sanitized_input "$BUILDER_NAME" -CACHE_DIR="${SCRIPT_DIR}/.build-cache" -TAG="${TAG_OVERRIDE:-dev}" -sanitized_input "$TAG" -RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}" -sanitized_input "$RELEASE_TAG" -VERSION_TAG="${VERSION_TAG_OVERRIDE:-}" -if [[ -n "$VERSION_TAG" ]]; then - sanitized_input "$VERSION_TAG" -fi -PUSH="${PUSH_OVERRIDE:-false}" - -echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}" -echo "Primary tag: ${TAG}" - -# Ensure builder exists 
-if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then - echo "Creating builder: ${BUILDER_NAME}" - if ! docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null; then - echo "Error: Failed to create Docker buildx builder." >&2 - exit 1 - fi -else - echo "Using existing builder: ${BUILDER_NAME}" - if ! docker buildx use "${BUILDER_NAME}" >/dev/null; then - echo "Error: Failed to use Docker buildx builder." >&2 - exit 1 - fi -fi - -# Ensure cache directory exists -if ! mkdir -p "${CACHE_DIR}"; then - echo "Error: Failed to create cache directory: ${CACHE_DIR}" >&2 - exit 1 -fi - -echo "Starting build..." -BUILD_OUTPUT=$(mktemp) -trap 'rm -f "$BUILD_OUTPUT"' EXIT - -# Build the image -if ! docker buildx build \ - --builder "${BUILDER_NAME}" \ - --load \ - --progress=plain \ - --build-arg USER_ID="${USER_ID}" \ - --build-arg GROUP_ID="${GROUP_ID}" \ - --build-arg USERNAME="${USERNAME}" \ - --build-arg TEA_VERSION="${TEA_VERSION}" \ - --cache-from "type=local,src=${CACHE_DIR}" \ - --cache-to "type=local,dest=${CACHE_DIR},mode=max" \ - --tag "${IMAGE_NAME}:${TAG}" \ - "${SCRIPT_DIR}" 2>&1 | tee "${BUILD_OUTPUT}"; then - echo "Error: Docker build failed. Check output above for details." >&2 - exit 1 -fi - -echo "Build completed successfully." - -# Run post-build verification -echo "Running post-build verification..." -if ! docker run --rm "${IMAGE_NAME}:${TAG}" zsh -c 'echo "Container starts successfully"'; then - echo "Error: Failed to start container with basic test." >&2 - exit 1 -fi - -# Verify critical tools for Docker auditing are available -echo "Verifying Docker auditing tools..." -CRITICAL_TOOLS=("git" "curl" "wget" "docker" "hadolint" "dive") -for tool in "${CRITICAL_TOOLS[@]}"; do - if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then - echo "Error: Critical Docker auditing tool '$tool' not found in PATH." 
>&2 - exit 1 - fi -done - -# Verify additional aqua tools for QA are available -echo "Verifying QA aqua tools..." -AQUA_TOOLS=("lazygit" "direnv" "delta" "zoxide" "yq" "xh" "curlie" "shellcheck" "trivy" "grype" "docker-bench-security") -for tool in "${AQUA_TOOLS[@]}"; do - if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then - echo "Error: QA aqua tool '$tool' not found in PATH." >&2 - exit 1 - fi -done - -echo "All verifications passed." - -# Push if requested -if [[ "${PUSH}" == "true" ]]; then - echo "Pushing ${IMAGE_NAME}:${TAG}" - if ! docker push "${IMAGE_NAME}:${TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${TAG}" >&2 - exit 1 - fi - - if [[ "${TAG}" == "dev" && -n "${VERSION_TAG}" ]]; then - if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${VERSION_TAG}"; then - echo "Error: Failed to tag ${IMAGE_NAME}:${VERSION_TAG}" >&2 - exit 1 - fi - echo "Pushing ${IMAGE_NAME}:${VERSION_TAG}" - if ! docker push "${IMAGE_NAME}:${VERSION_TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${VERSION_TAG}" >&2 - exit 1 - fi - fi - - if [[ "${TAG}" == "dev" ]]; then - if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${RELEASE_TAG}"; then - echo "Error: Failed to tag ${IMAGE_NAME}:${RELEASE_TAG}" >&2 - exit 1 - fi - echo "Pushing ${IMAGE_NAME}:${RELEASE_TAG}" - if ! docker push "${IMAGE_NAME}:${RELEASE_TAG}"; then - echo "Error: Failed to push ${IMAGE_NAME}:${RELEASE_TAG}" >&2 - exit 1 - fi - fi -fi - -# Run security scan if TRIVY is available -if command -v trivy &> /dev/null; then - echo "Running security scan with Trivy..." - trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}" -else - echo "Trivy not found. Install Trivy to perform security scanning." -fi - -echo "Build process completed successfully with all verifications." \ No newline at end of file 
diff --git a/ToolboxStack/output/toolbox-qadocker/docker-compose.yml b/ToolboxStack/output/toolbox-qadocker/docker-compose.yml deleted file mode 100644 index bfb5501..0000000 --- a/ToolboxStack/output/toolbox-qadocker/docker-compose.yml +++ /dev/null @@ -1,35 +0,0 @@ -services: - {{toolbox_name}}: - container_name: tsysdevstack-toolboxstack-{{toolbox_name}} - image: tsysdevstack-toolboxstack-{{toolbox_name}} - build: - context: . - dockerfile: Dockerfile - args: - USER_ID: ${LOCAL_UID:-1000} - GROUP_ID: ${LOCAL_GID:-1000} - USERNAME: ${LOCAL_USERNAME:-toolbox} - user: "${LOCAL_UID:-1000}:${LOCAL_GID:-1000}" - working_dir: /workspace - command: ["sleep", "infinity"] - init: true - tty: true - stdin_open: true - volumes: - - .:/workspace:rw - - ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw - - ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw - # AI CLI tool configuration and cache directories - - ${HOME}/.config/openai:/home/toolbox/.config/openai:rw - - ${HOME}/.config/gemini:/home/toolbox/.config/gemini:rw - - ${HOME}/.config/qwen:/home/toolbox/.config/qwen:rw - - ${HOME}/.config/code:/home/toolbox/.config/code:rw - - ${HOME}/.config/opencode:/home/toolbox/.config/opencode:rw - - ${HOME}/.cache/openai:/home/toolbox/.cache/openai:rw - - ${HOME}/.cache/gemini:/home/toolbox/.cache/gemini:rw - - ${HOME}/.cache/qwen:/home/toolbox/.cache/qwen:rw - - ${HOME}/.cache/code:/home/toolbox/.cache/code:rw - - ${HOME}/.cache/opencode:/home/toolbox/.cache/opencode:rw - # Additional AI tool directories - - ${HOME}/.config/codex:/home/toolbox/.config/codex:rw - - ${HOME}/.cache/codex:/home/toolbox/.cache/codex:rw \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/release.sh b/ToolboxStack/output/toolbox-qadocker/release.sh deleted file mode 100755 index ce9f4ea..0000000 --- a/ToolboxStack/output/toolbox-qadocker/release.sh +++ /dev/null 
@@ -1,111 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -usage() { - cat <<'EOU' -Usage: ./release.sh [--dry-run] [--allow-dirty] - -Examples: - ./release.sh 0.2.0 - ./release.sh --dry-run 0.2.0 - -This script rebuilds the toolbox image, tags it as: - - tsysdevstack-toolboxstack-:dev - - tsysdevstack-toolboxstack-:release-current - - tsysdevstack-toolboxstack-:v - -When run without --dry-run it pushes all three tags. -EOU -} - -DRY_RUN=false -ALLOW_DIRTY=false -VERSION="" - -while (( $# > 0 )); do - case "$1" in - --dry-run) - DRY_RUN=true - shift - ;; - --allow-dirty) - ALLOW_DIRTY=true - shift - ;; - -h|--help) - usage - exit 0 - ;; - -*) - echo "Unknown option: $1" >&2 - usage - exit 1 - ;; - *) - VERSION="$1" - shift - ;; - esac -done - -if [[ -z "${VERSION}" ]]; then - echo "Error: semantic version is required." >&2 - usage - exit 1 -fi - -if [[ "${VERSION}" =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then - SEMVER="v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}" -else - echo "Error: version must be semantic (e.g., 0.2.0 or v0.2.0)." >&2 - exit 1 -fi - -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -REPO_ROOT="$(cd "${SCRIPT_DIR}" && git rev-parse --show-toplevel 2>/dev/null || true)" - -if [[ -n "${REPO_ROOT}" && "${ALLOW_DIRTY}" != "true" ]]; then - if ! git -C "${REPO_ROOT}" diff --quiet --ignore-submodules --exit-code; then - echo "Error: git working tree has uncommitted changes. Please commit or stash before releasing." >&2 - exit 1 - fi -elif [[ -z "${REPO_ROOT}" ]]; then - echo "Warning: unable to resolve git repository root; skipping clean tree check." 
>&2 -fi - -# Get the toolbox name from the directory name (or you can pass it as an argument) -TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}" -IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}" -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -USER_ID="${USER_ID_OVERRIDE:-$(id -u)}" -GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}" -USERNAME="${USERNAME_OVERRIDE:-toolbox}" -TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}" -BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}" -CACHE_DIR="${SCRIPT_DIR}/.build-cache" -TAG="${TAG_OVERRIDE:-dev}" -RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}" -VERSION_TAG="${VERSION_TAG_OVERRIDE:-}" -if [[ -n "$VERSION_TAG" ]]; then - VERSION_TAG="$SEMVER" -fi -PUSH="${PUSH_OVERRIDE:-false}" - -echo "Preparing release for ${SEMVER}" -echo " dry-run: ${DRY_RUN}" -echo " allow-dirty: ${ALLOW_DIRTY}" - -if [[ "${DRY_RUN}" == "true" ]]; then - echo "[dry-run] Would build ${IMAGE_NAME}:${TAG}" - TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=false "${SCRIPT_DIR}/build.sh" - echo "[dry-run] Skipped pushing tags." -else - echo "Building ${IMAGE_NAME}:${TAG}" - TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=true RELEASE_TAG_OVERRIDE="${RELEASE_TAG}" VERSION_TAG_OVERRIDE="${SEMVER}" "${SCRIPT_DIR}/build.sh" - echo "Release ${SEMVER} pushed as:" - echo " - ${IMAGE_NAME}:dev" - echo " - ${IMAGE_NAME}:release-current" - echo " - ${IMAGE_NAME}:${SEMVER}" -fi \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/run.sh b/ToolboxStack/output/toolbox-qadocker/run.sh deleted file mode 100755 index 8433cdd..0000000 --- a/ToolboxStack/output/toolbox-qadocker/run.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security: Validate input parameters to prevent command injection -sanitized_input() { - local input="$1" - # Check for potentially dangerous characters/commands - case "$input" in - *[\;\|\&\`\$]*) - echo "Error: Invalid input detected: $input" >&2 - exit 1 - ;; - esac -} - -# Validate dependencies -if ! command -v docker &> /dev/null; then - echo "Error: docker is required but not installed." >&2 - exit 1 -fi - -if ! command -v docker compose &> /dev/null; then - echo "Error: docker compose is required but not installed." >&2 - exit 1 -fi - -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml" - -export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}" -sanitized_input "$LOCAL_UID" -export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}" -sanitized_input "$LOCAL_GID" -export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}" -sanitized_input "$LOCAL_USERNAME" -export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}" -sanitized_input "$TOOLBOX_IMAGE" - -if [[ ! 
-f "${COMPOSE_FILE}" ]]; then - echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2 - exit 1 -fi - -ACTION="${1:-up}" -sanitized_input "$ACTION" -shift || true - -if [[ "${ACTION}" == "up" ]]; then - # Create necessary directories for the toolbox tools with proper permissions - mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise" - mkdir -p "${HOME}/.config" "${HOME}/.local/share" - mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode" - mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode" - mkdir -p "${HOME}/.config/codex" "${HOME}/.cache/codex" - - # Set proper permissions for created directories - chmod 700 "${HOME}/.config" "${HOME}/.local/share" "${HOME}/.cache" 2>/dev/null || true -fi - -case "${ACTION}" in - up) - docker compose -f "${COMPOSE_FILE}" up --build --detach "$@" - echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-{{toolbox_name}} zsh' to access the shell." - ;; - down) - docker compose -f "${COMPOSE_FILE}" down "$@" - echo "Container stopped." - ;; - *) - echo "Usage: $0 [up|down] [additional docker compose args]" >&2 - exit 1 - ;; -esac \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/security-audit.sh b/ToolboxStack/output/toolbox-qadocker/security-audit.sh deleted file mode 100755 index 3c036fa..0000000 --- a/ToolboxStack/output/toolbox-qadocker/security-audit.sh +++ /dev/null 
@@ -1,155 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Security audit script for the toolbox-template - -IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}" - -echo "πŸ”’ Running security audit on ${IMAGE_NAME}" - -# Check if Trivy is available for security scanning -if command -v trivy &> /dev/null; then - echo "πŸ” Running Trivy security scan..." - trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}" - echo "βœ… Trivy scan completed" -else - echo "⚠️ Trivy not found. Install Trivy to perform security scanning." - echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions." -fi - -# Check for outdated packages -echo "πŸ“¦ Checking for outdated packages..." -OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l) -if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then - echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded" - echo " Run 'apt update && apt upgrade' to update packages" -else - echo "βœ… All system packages are up to date" -fi - -# Check for unnecessary packages that increase attack surface -echo "πŸ›‘οΈ Checking for unnecessary packages..." -UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l) -if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then - echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface" - echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind" -else - echo "βœ… No unnecessary packages found that increase attack surface" -fi - -# Check for world-writable files/directories -echo "πŸ“ Checking for world-writable files/directories..." 
-WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l) -if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then - echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories" - echo " These should be reviewed and permissions adjusted if necessary" -else - echo "βœ… No world-writable files/directories found" -fi - -# Check for setuid/setgid binaries -echo "πŸ”‘ Checking for setuid/setgid binaries..." -SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l) -if [[ "${SETUID_BINARIES}" -gt 0 ]]; then - echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries" - echo " These should be reviewed for security implications" -else - echo "βœ… No setuid/setgid binaries found" -fi - -# Check for running services -echo "ァービ Checking for running services..." -RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l) -if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then - echo "⚠️ Found ${RUNNING_SERVICES} running processes" - echo " These should be reviewed for necessity" -else - echo "βœ… No unnecessary running services found" -fi - -# Check for listening ports -echo "πŸ“‘ Checking for listening ports..." -LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l) -if [[ "${LISTENING_PORTS}" -gt 0 ]]; then - echo "⚠️ Found ${LISTENING_PORTS} listening ports" - echo " These should be reviewed for security implications" -else - echo "βœ… No unnecessary listening ports found" -fi - -# Check for sudo availability -echo "πŸ›‘ Checking for sudo availability..." 
-if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then - echo "❌ Sudo is available in the image - this is a security risk" - echo " Sudo should be removed to prevent privilege escalation" -else - echo "βœ… Sudo is not available in the image" -fi - -# Check for root login capability -echo "πŸ” Checking for root login capability..." -ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l) -if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then - echo "⚠️ Root login might be enabled" - echo " Ensure root login is disabled for security" -else - echo "βœ… Root login is properly disabled" -fi - -# Check user configuration -echo "πŸ‘€ Checking user configuration..." -USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found") -if [[ "${USER_ID}" == "1000" ]]; then - echo "βœ… Non-root user 'toolbox' with UID 1000 is properly configured" -else - echo "⚠️ Non-root user configuration might be incorrect" -fi - -# Check for hardcoded passwords -echo "πŸ”‘ Checking for hardcoded passwords..." -HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l) -if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then - echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references" - echo " These should be reviewed for security implications" -else - echo "βœ… No hardcoded password references found" -fi - -# Check for exposed secrets -echo " сСкр Checking for exposed secrets..." 
-EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l) -if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then - echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files" - echo " These should be reviewed for security implications" -else - echo "βœ… No exposed secret files found" -fi - -# Check that this template properly extends from the base image -echo "πŸ”— Checking inheritance from base image..." -BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" 2>/dev/null | grep "FROM tsysdevstack-toolboxstack-toolbox-base:release-current" | wc -l) -if [[ "${BASE_INHERITANCE}" -gt 0 ]]; then - echo "βœ… Template properly extends from toolbox-base:release-current" -else - echo "⚠️ Template might not properly extend from toolbox-base:release-current" -fi - -# Summary -echo "" -echo "πŸ”’ Security Audit Summary:" -echo " - Image: ${IMAGE_NAME}" -echo " - Scan completed with recommendations above" -echo "" -echo "πŸ’‘ Recommendations:" -echo " 1. Install Trivy for comprehensive security scanning" -echo " 2. Regularly update packages to address vulnerabilities" -echo " 3. Remove unnecessary packages to reduce attack surface" -echo " 4. Review world-writable files/directories" -echo " 5. Review setuid/setgid binaries" -echo " 6. Remove sudo to prevent privilege escalation" -echo " 7. Ensure root login is disabled" -echo " 8. Verify non-root user configuration" -echo " 9. Review hardcoded password references" -echo " 10. Check for exposed secrets" -echo " 11. Ensure proper inheritance from base image" \ No newline at end of file diff --git a/ToolboxStack/output/toolbox-qadocker/test.sh b/ToolboxStack/output/toolbox-qadocker/test.sh deleted file mode 100755 index 605e3ea..0000000 --- a/ToolboxStack/output/toolbox-qadocker/test.sh +++ /dev/null 
@@ -1,112 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# Test script to verify all tools are working properly in the toolbox-template - -IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}" - -echo "πŸ§ͺ Testing all tools in ${IMAGE_NAME}" - -# Function to test a command -test_cmd() { - local cmd="$1" - local description="$2" - - echo -n "Testing ${cmd} (${description})... " - - if docker run --rm "${IMAGE_NAME}" "${cmd}" --version >/dev/null 2>&1; then - echo "βœ… PASS" - return 0 - else - echo "❌ FAIL" - return 1 - fi -} - -# Function to test a command with specific args -test_cmd_args() { - local cmd="$1" - local args="$2" - local description="$3" - - echo -n "Testing ${cmd} ${args} (${description})... " - - if docker run --rm "${IMAGE_NAME}" "${cmd}" ${args} >/dev/null 2>&1; then - echo "βœ… PASS" - return 0 - else - echo "❌ FAIL" - return 1 - fi -} - -# Counter for tracking results -PASSED=0 -FAILED=0 - -# Test core tools inherited from base -echo "πŸ” Testing core tools inherited from base..." - -test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++)) -test_cmd "git" "Git version control" && ((PASSED++)) || ((FAILED++)) -test_cmd "curl" "cURL utility" && ((PASSED++)) || ((FAILED++)) -test_cmd "jq" "JSON processor" && ((PASSED++)) || ((FAILED++)) -test_cmd "fish" "Fish shell" && ((PASSED++)) || ((FAILED++)) -test_cmd "fzf" "Fuzzy finder" && ((PASSED++)) || ((FAILED++)) -test_cmd "bat" "Cat clone with wings" && ((PASSED++)) || ((FAILED++)) -test_cmd "fd" "Simple, fast alternative to find" && ((PASSED++)) || ((FAILED++)) -test_cmd "rg" "Ripgrep - line-oriented search tool" && ((PASSED++)) || ((FAILED++)) -test_cmd "htop" "Interactive process viewer" && ((PASSED++)) || ((FAILED++)) -test_cmd "btop" "Modern and colorful terminal monitor" && ((PASSED++)) || ((FAILED++)) - -# Test aqua installed tools inherited from base -echo "πŸ”§ Testing aqua installed tools inherited from base..." 
- -test_cmd "gh" "GitHub CLI" && ((PASSED++)) || ((FAILED++)) -test_cmd "lazygit" "Simple terminal UI for git commands" && ((PASSED++)) || ((FAILED++)) -test_cmd "direnv" "Unclutter your .profile" && ((PASSED++)) || ((FAILED++)) -test_cmd "delta" "Syntax-highlighting pager for git, diff, and grep output" && ((PASSED++)) || ((FAILED++)) -test_cmd "zoxide" "Smarter cd command" && ((PASSED++)) || ((FAILED++)) -test_cmd "just" "Just a command runner" && ((PASSED++)) || ((FAILED++)) -test_cmd "yq" "Portable command-line YAML processor" && ((PASSED++)) || ((FAILED++)) -test_cmd "xh" "Friendly and fast tool for sending HTTP requests" && ((PASSED++)) || ((FAILED++)) -test_cmd "curlie" "The power of curl, the ease of use of httpie" && ((PASSED++)) || ((FAILED++)) -test_cmd "chezmoi" "Manage your dotfiles across multiple machines" && ((PASSED++)) || ((FAILED++)) -test_cmd "shfmt" "Shell formatter" && ((PASSED++)) || ((FAILED++)) -test_cmd "shellcheck" "Shell script analysis tool" && ((PASSED++)) || ((FAILED++)) -test_cmd "hadolint" "Dockerfile linter" && ((PASSED++)) || ((FAILED++)) -test_cmd "uv" "Python package installer and resolver" && ((PASSED++)) || ((FAILED++)) -test_cmd "watchexec" "Execute commands in response to file modifications" && ((PASSED++)) || ((FAILED++)) -test_cmd "tea" "Gitea CLI" && ((PASSED++)) || ((FAILED++)) - -# Test AI CLI tools inherited from base -echo "πŸ€– Testing AI CLI tools inherited from base..." 
- -test_cmd_args "code" "--version" "just-every/code AI CLI" && ((PASSED++)) || ((FAILED++)) -test_cmd_args "qwen" "--version" "QwenLM/qwen-code AI CLI" && ((PASSED++)) || ((FAILED++)) -test_cmd_args "gemini" "--version" "google-gemini/gemini-cli AI CLI" && ((PASSED++)) || ((FAILED++)) -test_cmd_args "codex" "--version" "openai/codex AI CLI" && ((PASSED++)) || ((FAILED++)) -test_cmd_args "opencode" "--version" "sst/opencode AI CLI" && ((PASSED++)) || ((FAILED++)) - -# Test additional tools inherited from base -echo "🧰 Testing additional tools inherited from base..." - -test_cmd "starship" "Cross-shell prompt" && ((PASSED++)) || ((FAILED++)) -test_cmd "mise" "Polyglot runtime manager" && ((PASSED++)) || ((FAILED++)) -test_cmd_args "aqua" "--version" "Declarative CLI Version Manager" && ((PASSED++)) || ((FAILED++)) - -# Summary -echo "" -echo "πŸ“Š Test Results:" -echo " Passed: ${PASSED}" -echo " Failed: ${FAILED}" -echo " Total: $((PASSED + FAILED))" - -if [[ "${FAILED}" -eq 0 ]]; then - echo "πŸŽ‰ All tests passed!" - exit 0 -else - echo "πŸ’₯ ${FAILED} tests failed!" - exit 1 -fi \ No newline at end of file