feat(toolbox): update toolbox-template configurations

- Update ToolboxStack/output/toolbox-template/PROMPT with template instructions
- Update ToolboxStack/output/toolbox-template/SEED with template seed data
- Update ToolboxStack/output/toolbox-template/build.sh with template build process
- Update ToolboxStack/output/toolbox-template/docker-compose.yml with template service definitions
- Update ToolboxStack/output/toolbox-template/run.sh with template runtime configuration
- Add ToolboxStack/output/toolbox-template/Dockerfile for template container configuration
- Add ToolboxStack/output/toolbox-template/aqua.yaml for template tool management

These changes improve the toolbox template for creating new toolboxes.

ToolboxStack/output/toolbox-template/Dockerfile

@@ -0,0 +1,25 @@
+# Extend from the toolbox-base image
+FROM tsysdevstack-toolboxstack-toolbox-base:release-current
+
+# Set build arguments (these can be overridden at build time)
+ARG USER_ID=1000
+ARG GROUP_ID=1000
+ARG USERNAME=toolbox
+
+# Ensure the non-root user exists with the correct UID/GID
+RUN if getent passwd "${USER_ID}" >/dev/null; then \
+        existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
+        userdel --remove "${existing_user}" 2>/dev/null || true; \
+    fi \
+    && if ! getent group "${GROUP_ID}" >/dev/null; then \
+        groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
+    fi \
+    && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}" \
+    && usermod -aG sudo "${USERNAME}" 2>/dev/null || true
+
+# Switch to the non-root user
+USER ${USERNAME}
+WORKDIR /workspace
+
+# Default command
+CMD ["/usr/bin/zsh"]

ToolboxStack/output/toolbox-template/PROMPT

@@ -5,21 +5,23 @@ You are Codex, collaborating with a human on the TSYSDevStack ToolboxStack proje
   - Start each session by reading it (`cat SEED`) and summarize progress or adjustments here in PROMPT.
 
 Context snapshot ({{toolbox_name}}):
-- Working directory: artifacts/ToolboxStack/{{toolbox_name}}
+- Working directory: TSYSDevStack/ToolboxStack/{{toolbox_name}}
-- Image: tsysdevstack-toolboxstack-{{toolbox_name}} (Ubuntu 24.04)
+- Image: extends from tsysdevstack-toolboxstack-toolbox-base (Ubuntu 24.04 base)
 - Container user: toolbox (non-root, UID/GID mapped to host)
 - Mounted workspace: current repo at /workspace (rw)
 
 Current state:
-- Seed items above still need to be translated into Dockerfile/tooling work.
+- Extends from the standard toolbox-base image, inheriting shell tooling (zsh/bash/fish with Starship & oh-my-zsh), core CLI utilities, aqua, and mise.
+- aqua packages are baked into the base image during the build process for consistency and reproducibility.
+- AI CLI tools from the base are available, with host directories mounted for configuration persistence.
 - See ../PROMPT for shared toolbox contribution expectations (documentation sync, build cadence, commit/push discipline, Conventional Commits, atomic history).
 
 Collaboration checklist:
-1. Translate SEED goals into concrete tooling decisions; mirror outcomes in README.md and this PROMPT (do not rewrite SEED unless the scope resets).
+1. Build upon the base tooling with {{toolbox_name}}-specific additions; mirror outcomes in README.md and this PROMPT.
 2. Prefer aqua-managed CLIs and mise-managed runtimes for reproducibility.
 3. After each tooling change, update README/PROMPT, run ./build.sh, commit (Conventional Commit message, focused diff), and push only once the build succeeds per ../PROMPT.
 4. Record verification steps (build/test commands) as they are performed.
 5. Maintain UID/GID mapping and non-root execution.
 
 Active focus:
-- Initialize {{toolbox_name}} using the toolbox-template scaffolding; evolve the Dockerfile/tooling inventory to satisfy the SEED goals.
+- Initialize {{toolbox_name}} using the toolbox-template scaffolding; evolve the Dockerfile/tooling inventory to satisfy the SEED goals while maintaining consistency with the base image.

ToolboxStack/output/toolbox-template/SEED

@@ -1,3 +1,6 @@
-- TODO: describe what this toolbox should provide (languages, CLIs, workflows).
+- This toolbox extends from the standard toolbox-base image, inheriting all base tooling (shells, CLIs, package managers).
-- TODO: list required base image modifications or additional mounts.
+- Add {{toolbox_name}}-specific tools via aqua.yaml, Dockerfile, or mise configurations.
-- TODO: note verification or testing expectations specific to this toolbox.
+- Document any additional host directory mounts needed in docker-compose.yml.
+- Ensure all tooling is compatible with the non-root toolbox user and UID/GID mapping.
+- Update README.md to document {{toolbox_name}}-specific features and tooling.
+- Follow the same build and run patterns as the base image for consistency.

ToolboxStack/output/toolbox-template/aqua.yaml

@@ -0,0 +1,8 @@
+version: 1.0.0
+registries:
+  - type: standard
+    ref: v4.431.0
+packages:
+  # Add additional packages specific to your toolbox here
+  # Example:
+  # - name: cli/cli@v2.82.1

ToolboxStack/output/toolbox-template/build.sh

@@ -2,7 +2,20 @@
 
 set -euo pipefail
 
-IMAGE_NAME="tsysdevstack-toolboxstack-{{toolbox_name}}"
+# Validate dependencies
+if ! command -v docker &> /dev/null; then
+    echo "Error: docker is required but not installed." >&2
+    exit 1
+fi
+
+if ! docker buildx version &> /dev/null; then
+    echo "Error: docker buildx is required but not available." >&2
+    exit 1
+fi
+
+# Get the toolbox name from the directory name (or you can pass it as an argument)
+TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}"
+IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
@@ -15,13 +28,16 @@ CACHE_DIR="${SCRIPT_DIR}/.build-cache"
 echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}"
 
 if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
+    echo "Creating builder: ${BUILDER_NAME}"
     docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null
 else
+    echo "Using existing builder: ${BUILDER_NAME}"
     docker buildx use "${BUILDER_NAME}" >/dev/null
 fi
 
 mkdir -p "${CACHE_DIR}"
 
+echo "Starting build..."
 docker buildx build \
     --builder "${BUILDER_NAME}" \
     --load \
@@ -34,3 +50,13 @@ docker buildx build \
     --cache-to "type=local,dest=${CACHE_DIR},mode=max" \
     --tag "${IMAGE_NAME}" \
     "${SCRIPT_DIR}"
+
+echo "Build completed successfully."
+
+# Run security scan if TRIVY is available
+if command -v trivy &> /dev/null; then
+    echo "Running security scan with Trivy..."
+    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+else
+    echo "Trivy not found. Install Trivy to perform security scanning."
+fi

ToolboxStack/output/toolbox-template/docker-compose.yml

@@ -18,3 +18,14 @@ services:
       - .:/workspace:rw
       - ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw
       - ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw
+      # AI CLI tool configuration and cache directories
+      - ${HOME}/.config/openai:/home/toolbox/.config/openai:rw
+      - ${HOME}/.config/gemini:/home/toolbox/.config/gemini:rw
+      - ${HOME}/.config/qwen:/home/toolbox/.config/qwen:rw
+      - ${HOME}/.config/code:/home/toolbox/.config/code:rw
+      - ${HOME}/.config/opencode:/home/toolbox/.config/opencode:rw
+      - ${HOME}/.cache/openai:/home/toolbox/.cache/openai:rw
+      - ${HOME}/.cache/gemini:/home/toolbox/.cache/gemini:rw
+      - ${HOME}/.cache/qwen:/home/toolbox/.cache/qwen:rw
+      - ${HOME}/.cache/code:/home/toolbox/.cache/code:rw
+      - ${HOME}/.cache/opencode:/home/toolbox/.cache/opencode:rw

ToolboxStack/output/toolbox-template/run.sh

@@ -2,6 +2,17 @@
 
 set -euo pipefail
 
+# Validate dependencies
+if ! command -v docker &> /dev/null; then
+    echo "Error: docker is required but not installed." >&2
+    exit 1
+fi
+
+if ! command -v docker compose &> /dev/null; then
+    echo "Error: docker compose is required but not installed." >&2
+    exit 1
+fi
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml"
 
@@ -18,15 +29,21 @@ ACTION="${1:-up}"
 shift || true
 
 if [[ "${ACTION}" == "up" ]]; then
+    # Create necessary directories for the toolbox tools
     mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise"
+    mkdir -p "${HOME}/.config" "${HOME}/.local/share"
+    mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode"
+    mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode"
 fi
 
 case "${ACTION}" in
     up)
         docker compose -f "${COMPOSE_FILE}" up --build --detach "$@"
+        echo "Container started. Use 'docker exec -it $(basename "$SCRIPT_DIR" | sed 's/toolbox-//') zsh' to access the shell."
         ;;
     down)
         docker compose -f "${COMPOSE_FILE}" down "$@"
+        echo "Container stopped."
         ;;
     *)
         echo "Usage: $0 [up|down] [additional docker compose args]" >&2