feat: Update toolbox-base and template with latest Docker configurations and documentation

\n- Updated Dockerfiles in both toolbox-base and toolbox-template
- Modified build scripts and docker-compose configurations
- Added new audit tools and documentation files
- Created new toolbox-DocStack and toolbox-QADocker implementations
- Updated README and maintenance documentation

ToolboxStack/output/toolbox-base/Dockerfile

@@ -72,15 +72,27 @@ ENV LANG=en_US.UTF-8 \
 # ROOT: Install Starship prompt (system-wide)
 RUN curl -fsSL https://starship.rs/install.sh | sh -s -- -y -b /usr/local/bin
 
-# ROOT: Create non-root user with matching UID/GID for host mapping
+# Install aqua package manager (manages additional CLI tooling)
+RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer | AQUA_ROOT_DIR=/usr/local/share/aquaproj-aqua bash \
+    && ln -sf /usr/local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua
+
+# Install mise for runtime management (no global toolchains pre-installed)
+RUN curl -sSfL https://mise.jdx.dev/install.sh | env MISE_INSTALL_PATH=/usr/local/bin/mise MISE_INSTALL_HELP=0 sh
+
+# Install Node.js via mise to enable npm package installation
+RUN mise install node@22.13.0 && mise global node@22.13.0
+
+# Create non-root user with matching UID/GID for host mapping
+# Check if user/group already exists and handle appropriately
 RUN if getent passwd "${USER_ID}" >/dev/null; then \
         existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
-        userdel --remove "${existing_user}"; \
-    fi \
-    && if ! getent group "${GROUP_ID}" >/dev/null; then \
-        groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
-    fi \
-    && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"
+        echo "User with UID ${USER_ID} already exists: ${existing_user}" >&2; \
+    else \
+        if ! getent group "${GROUP_ID}" >/dev/null; then \
+            groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
+        fi \
+        useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
+    fi
 
 # ROOT: Set up toolbox user home directory with proper permissions
 RUN chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
@@ -98,6 +110,9 @@ ENV PATH=/home/${USERNAME}/.local/bin:/home/${USERNAME}/.local/share/mise/shims:
 # NON-ROOT: Install Node.js via mise as toolbox user
 RUN mise install node@22.13.0 && mise use -g node@22.13.0
 
+# Install AI CLI tools via npm using mise to ensure Node.js is available
+RUN mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29
+
 # NON-ROOT: Install aqua package manager for toolbox user
 RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer > /tmp/aqua-installer.sh && \
     chmod +x /tmp/aqua-installer.sh && \
@@ -156,9 +171,18 @@ RUN git clone https://github.com/bats-core/bats-core.git /tmp/bats-core \
     && ./install.sh "$HOME/.local" \
     && rm -rf /tmp/bats-core
 
-# ROOT: Set up workspace directory
-USER root
-RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
+# Prepare workspace directory with appropriate ownership
+RUN mkdir -p /workspace \
+    && chown "${USER_ID}:${GROUP_ID}" /workspace
+
+# Remove sudo to ensure no root escalation is possible at runtime
+RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
+
+ENV SHELL=/usr/bin/zsh \
+    AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml \
+    PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH}
+
+WORKDIR /workspace
 USER ${USERNAME}
 
 # NON-ROOT: Verify all tools are accessible during build