feat(toolbox): update toolbox-base configurations

- Update ToolboxStack/output/toolbox-base/Dockerfile with latest container configurations
- Update ToolboxStack/output/toolbox-base/PROMPT with enhanced instructions
- Update ToolboxStack/output/toolbox-base/README.md with current documentation
- Update ToolboxStack/output/toolbox-base/build.sh with improved build process
- Update ToolboxStack/output/toolbox-base/docker-compose.yml with refined service definitions
- Update ToolboxStack/output/toolbox-base/run.sh with enhanced runtime configuration

These changes improve the base developer environment configurations.

ToolboxStack/output/toolbox-base/Dockerfile

@@ -69,7 +69,7 @@ RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/
 RUN curl -sSfL https://mise.jdx.dev/install.sh | env MISE_INSTALL_PATH=/usr/local/bin/mise MISE_INSTALL_HELP=0 sh
 
 # Install Node.js via mise to enable npm package installation
-RUN mise install node@lts && mise global node@lts
+RUN mise install node@22.13.0 && mise global node@22.13.0
 
 # Create non-root user with matching UID/GID for host mapping
 RUN if getent passwd "${USER_ID}" >/dev/null; then \
@@ -100,20 +100,21 @@ RUN su - "${USERNAME}" -c 'git clone --depth=1 https://github.com/ohmyzsh/ohmyzs
     && su - "${USERNAME}" -c 'printf "\nset -gx AQUA_GLOBAL_CONFIG \$HOME/.config/aquaproj-aqua/aqua.yaml\n# Shell prompt and runtime manager\nstarship init fish | source\nmise activate fish | source\ndirenv hook fish | source\nzoxide init fish | source\n" >> ~/.config/fish/config.fish'
 
 # Install Node.js for the toolbox user and set up the environment
-RUN su - "${USERNAME}" -c 'mise install node@lts && mise use -g node@lts'
+RUN su - "${USERNAME}" -c 'mise install node@22.13.0 && mise use -g node@22.13.0'
 
 COPY aqua.yaml /tmp/aqua.yaml
 
+# Install aqua packages at both root and user level to ensure they're baked into the image
 RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
     && su - "${USERNAME}" -c 'mkdir -p ~/.config/aquaproj-aqua' \
     && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml ~/.config/aquaproj-aqua/aqua.yaml' \
-    && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=~/.config/aquaproj-aqua/aqua.yaml aqua install'
+    && AQUA_GLOBAL_CONFIG=/tmp/aqua.yaml aqua install
 
 # Install AI CLI tools via npm using mise to ensure Node.js is available
-RUN mise exec -- npm install -g @just-every/code @qwen-code/qwen-code @google/gemini-cli @openai/codex opencode-ai@latest
+RUN mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29
 
 # Install the same AI CLI tools for the toolbox user so they are available in the container runtime
-RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @just-every/code @qwen-code/qwen-code @google/gemini-cli @openai/codex opencode-ai@latest' && \
+RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29' && \
     # Ensure mise shims are properly generated for the installed tools
     su - "${USERNAME}" -c 'mise reshim'
 

ToolboxStack/output/toolbox-base/PROMPT

@@ -9,8 +9,10 @@ Context snapshot (toolbox-base):
 Current state:
 - Dockerfile installs shell tooling (zsh/bash/fish with Starship & oh-my-zsh), core CLI utilities (curl, wget, git, tmux, screen, htop, btop, entr, httpie, tea, bc, etc.), build-essential + headers, aqua, and mise. Aqua is pinned to specific versions for gh, lazygit, direnv, git-delta, zoxide, just, yq, xh, curlie, chezmoi, shfmt, shellcheck, hadolint, uv, watchexec; direnv/zoxide hooks are enabled for all shells (direnv logging muted).
 - aqua-managed CLI inventory lives in README.md alongside usage notes; tea installs via direct download with checksum verification (TEA_VERSION build arg). 
-- mise handles language/tool runtimes; activation wired into zsh, bash, and fish.
+- aqua packages are baked into the image during the build process for consistency, reproducibility and performance.
-- AI CLI tools (just-every/code, QwenLM/qwen-code, google-gemini/gemini-cli, openai/codex, sst/opencode) are installed via npm and available in the PATH.
+- mise handles language/tool runtimes; activation wired into zsh, bash, and fish. Node.js is pinned to version 22.13.0 for build consistency.
+- AI CLI tools (just-every/code, QwenLM/qwen-code, google-gemini/gemini-cli, openai/codex, sst/opencode) are installed via npm and baked into the image with pinned versions.
+- Host directories for AI tool configuration and cache are mounted to maintain persistent settings across container runs.
 - docker-compose.yml runs container with host UID/GID, `sleep infinity`, and docker socket mount; run via run.sh/build.sh. Host directories `~/.local/share/mise` and `~/.cache/mise` are mounted for persistent runtimes.
 - Devcontainer config ( .devcontainer/devcontainer.json ) references the compose service.
 - Documentation: README.md (tooling inventory & workflow) and this PROMPT must stay current, and both should stay aligned with the shared guidance in ../PROMPT. README also notes that build.sh now uses docker buildx with a local cache directory and documents the `dev` → `release-current` → semantic tagging workflow.

ToolboxStack/output/toolbox-base/README.md

@@ -46,9 +46,10 @@ The compose service mounts the current repo to `/workspace` (read/write) and run
 | **Shells & Prompts** | 🐚 `zsh` • 🐟 `fish` • 🧑‍💻 `bash` • ⭐ `starship` • 💎 `oh-my-zsh` | Starship prompt enabled for all shells; oh-my-zsh configured with `git` + `fzf` plugins. |
 | **Runtime & CLI Managers** | 🪄 `mise` • 💧 `aqua` | `mise` handles language/tool runtimes (activation wired into zsh/bash/fish); `aqua` manages standalone CLIs with config at `~/.config/aquaproj-aqua/aqua.yaml`. |
 | **Core CLI Utilities** | 📦 `curl` • 📥 `wget` • 🔐 `ca-certificates` • 🧭 `git` • 🔧 `build-essential` + headers (`pkg-config`, `libssl-dev`, `zlib1g-dev`, `libffi-dev`, `libsqlite3-dev`, `libreadline-dev`, `make`) • 🔍 `ripgrep` • 🧭 `fzf` • 📁 `fd` • 📖 `bat` • 🔗 `openssh-client` • 🧵 `tmux` • 🖥️ `screen` • 📈 `htop` • 📉 `btop` • ♻️ `entr` • 📊 `jq` • 🌐 `httpie` • ☕ `tea` • 🧮 `bc` | Provides ergonomic defaults plus toolchain deps for compiling runtimes (no global language installs). |
-| **Aqua-Managed CLIs** | 🐙 `gh` • 🌀 `lazygit` • 🪄 `direnv` • 🎨 `git-delta` • 🧭 `zoxide` • 🧰 `just` • 🧾 `yq` • ⚡ `xh` • 🌍 `curlie` • 🏠 `chezmoi` • 🛠️ `shfmt` • ✅ `shellcheck` • 🐳 `hadolint` • 🐍 `uv` • 🔁 `watchexec` | Extend via `~/.config/aquaproj-aqua/aqua.yaml` and run `aqua install`. Direnv logging is muted and hooks for direnv/zoxide are pre-configured for zsh, bash, and fish. |
+| **Aqua-Managed CLIs** | 🐙 `gh` • 🌀 `lazygit` • 🪄 `direnv` • 🎨 `git-delta` • 🧭 `zoxide` • 🧰 `just` • 🧾 `yq` • ⚡ `xh` • 🌍 `curlie` • 🏠 `chezmoi` • 🛠️ `shfmt` • ✅ `shellcheck` • 🐳 `hadolint` • 🐍 `uv` • 🔁 `watchexec` | Extend via `~/.config/aquaproj-aqua/aqua.yaml`. These packages are baked into the image at build time for consistency and reproducibility. Direnv logging is muted and hooks for direnv/zoxide are pre-configured for zsh, bash, and fish. |
 | **AI CLI Tools** | 🧠 `@just-every/code` • 🤖 `@qwen-code/qwen-code` • 💎 `@google/gemini-cli` • 🔮 `@openai/codex` • 🌐 `opencode-ai` | AI-powered command-line tools for enhanced development workflows. Node.js is installed via mise to support npm package installation. |
 | **Container Workflow** | 🐳 Docker socket mount (`/var/run/docker.sock`) | Enables Docker CLIs inside the container; host Docker daemon required. |
+| **AI Tool Configuration** | 🧠 Host directories for AI tools | Host directories for AI tool configuration and cache are mounted to maintain persistent settings and data across container runs. |
 | **Runtime Environment** | 👤 Non-root user `toolbox` (UID/GID mapped) • 🗂️ `/workspace` mount | Maintains host permissions and isolates artifacts under `artifacts/ToolboxStack/toolbox-base`. |
 
 ---

ToolboxStack/output/toolbox-base/build.sh

@@ -2,6 +2,17 @@
 
 set -euo pipefail
 
+# Validate dependencies
+if ! command -v docker &> /dev/null; then
+    echo "Error: docker is required but not installed." >&2
+    exit 1
+fi
+
+if ! docker buildx version &> /dev/null; then
+    echo "Error: docker buildx is required but not available." >&2
+    exit 1
+fi
+
 IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-base"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
@@ -20,13 +31,16 @@ echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USER
 echo "Primary tag: ${TAG}"
 
 if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
+    echo "Creating builder: ${BUILDER_NAME}"
     docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null
 else
+    echo "Using existing builder: ${BUILDER_NAME}"
     docker buildx use "${BUILDER_NAME}" >/dev/null
 fi
 
 mkdir -p "${CACHE_DIR}"
 
+echo "Starting build..."
 docker buildx build \
     --builder "${BUILDER_NAME}" \
     --load \
@@ -56,3 +70,13 @@ if [[ "${PUSH}" == "true" ]]; then
         docker push "${IMAGE_NAME}:${RELEASE_TAG}"
     fi
 fi
+
+echo "Build completed successfully."
+
+# Run security scan if TRIVY is available
+if command -v trivy &> /dev/null; then
+    echo "Running security scan with Trivy..."
+    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}"
+else
+    echo "Trivy not found. Install Trivy to perform security scanning."
+fi

ToolboxStack/output/toolbox-base/docker-compose.yml

@@ -18,3 +18,14 @@ services:
       - .:/workspace:rw
       - ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw
       - ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw
+      # AI CLI tool configuration and cache directories
+      - ${HOME}/.config/openai:/home/toolbox/.config/openai:rw
+      - ${HOME}/.config/gemini:/home/toolbox/.config/gemini:rw
+      - ${HOME}/.config/qwen:/home/toolbox/.config/qwen:rw
+      - ${HOME}/.config/code:/home/toolbox/.config/code:rw
+      - ${HOME}/.config/opencode:/home/toolbox/.config/opencode:rw
+      - ${HOME}/.cache/openai:/home/toolbox/.cache/openai:rw
+      - ${HOME}/.cache/gemini:/home/toolbox/.cache/gemini:rw
+      - ${HOME}/.cache/qwen:/home/toolbox/.cache/qwen:rw
+      - ${HOME}/.cache/code:/home/toolbox/.cache/code:rw
+      - ${HOME}/.cache/opencode:/home/toolbox/.cache/opencode:rw

ToolboxStack/output/toolbox-base/run.sh

@@ -2,6 +2,17 @@
 
 set -euo pipefail
 
+# Validate dependencies
+if ! command -v docker &> /dev/null; then
+    echo "Error: docker is required but not installed." >&2
+    exit 1
+fi
+
+if ! command -v docker compose &> /dev/null; then
+    echo "Error: docker compose is required but not installed." >&2
+    exit 1
+fi
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml"
 
@@ -19,15 +30,21 @@ ACTION="${1:-up}"
 shift || true
 
 if [[ "${ACTION}" == "up" ]]; then
+    # Create necessary directories for the toolbox tools
     mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise"
+    mkdir -p "${HOME}/.config" "${HOME}/.local/share"
+    mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode"
+    mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode"
 fi
 
 case "${ACTION}" in
     up)
         docker compose -f "${COMPOSE_FILE}" up --build --detach "$@"
+        echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-toolbox-base zsh' to access the shell."
         ;;
     down)
         docker compose -f "${COMPOSE_FILE}" down "$@"
+        echo "Container stopped."
         ;;
     *)
         echo "Usage: $0 [up|down] [additional docker compose args]" >&2