feat(toolbox): update toolbox base and template with audit capabilities

- Update ToolboxStack/output/toolbox-base/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-base/security-audit.sh with security auditing tools
- Update ToolboxStack/output/toolbox-template/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-template/security-audit.sh with security auditing tools

This enhances both the base and template developer environments with security auditing capabilities.

ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md

@@ -0,0 +1,102 @@
+# 🧰 Toolbox Base Image Audit Checklist
+
+This checklist ensures the toolbox-base image meets all security, functionality, and maintainability requirements.
+
+## 🔒 Security Audit
+
+- [ ] All packages installed with specific versions (no `latest` tags)
+- [ ] All external downloads verified with checksums/signatures
+- [ ] No root access possible at runtime (sudo removed)
+- [ ] Non-root user properly configured with UID/GID mapping
+- [ ] No hardcoded secrets or credentials in image
+- [ ] Minimal attack surface (unnecessary packages removed)
+- [ ] Regular security scanning implemented (Trivy integration)
+- [ ] Base image (Ubuntu) regularly updated
+- [ ] All aqua packages verified through registry
+
+## 🛠️ Functionality Audit
+
+- [ ] All CLI tools properly installed and accessible
+- [ ] All tools respond to `--version` flag correctly
+- [ ] Aqua proxy mechanism properly configured
+- [ ] Node.js and npm properly installed with correct version
+- [ ] AI CLI tools properly installed via npm
+- [ ] Shell configurations properly set up (zsh, bash, fish)
+- [ ] Environment variables properly configured
+- [ ] PATH correctly set for all tools
+- [ ] User home directory properly configured
+- [ ] Workspace directory properly set up with correct permissions
+
+## 🏗️ Build Process Audit
+
+- [ ] Dockerfile follows best practices
+- [ ] Multi-stage build optimizations implemented
+- [ ] Build cache properly utilized
+- [ ] Build arguments properly validated
+- [ ] Error handling in build scripts comprehensive
+- [ ] Build verification tests implemented
+- [ ] Image tagging strategy consistent
+- [ ] Release process properly documented
+
+## 🧪 Testing Audit
+
+- [ ] Automated testing of all installed tools
+- [ ] Integration tests for critical workflows
+- [ ] Regression tests for known issues
+- [ ] Performance benchmarks
+- [ ] Security scanning during build
+- [ ] Compatibility tests across platforms
+
+## 📚 Documentation Audit
+
+- [ ] README.md accurately reflects current state
+- [ ] All tools properly documented
+- [ ] Usage examples provided
+- [ ] Troubleshooting guide included
+- [ ] Contribution guidelines clear
+- [ ] License information up to date
+
+## 🔄 Maintenance Audit
+
+- [ ] Dependency update strategy defined
+- [ ] Version pinning strategy consistent
+- [ ] Backward compatibility maintained
+- [ ] Deprecation policy established
+- [ ] Release notes properly maintained
+- [ ] Issue tracking process defined
+
+## 🎯 Template Consistency Audit
+
+- [ ] Template properly extends from base image
+- [ ] Template follows same security practices
+- [ ] Template build process consistent
+- [ ] Template documentation complete
+- [ ] Template testing approach aligned
+- [ ] Template customization points clear
+
+## 📈 Performance Audit
+
+- [ ] Image size optimized
+- [ ] Startup time acceptable
+- [ ] Memory footprint reasonable
+- [ ] CPU usage within expected bounds
+- [ ] Disk I/O efficient
+- [ ] Network usage minimized
+
+## 🌐 Compatibility Audit
+
+- [ ] Works on all supported platforms
+- [ ] Backward compatibility maintained
+- [ ] Forward compatibility considered
+- [ ] Cross-platform consistency ensured
+- [ ] Integration with common tools verified
+- [ ] Standards compliance checked
+
+## 🧹 Cleanup Audit
+
+- [ ] Temporary files properly removed
+- [ ] Build artifacts cleaned up
+- [ ] Cache directories properly managed
+- [ ] Log files rotated or removed
+- [ ] Orphaned processes prevented
+- [ ] Resource leaks eliminated

ToolboxStack/output/toolbox-base/security-audit.sh

@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Security audit script for the toolbox-base image
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}"
+
+echo "🔒 Running security audit on ${IMAGE_NAME}"
+
+# Check if Trivy is available for security scanning
+if command -v trivy &> /dev/null; then
+    echo "🔍 Running Trivy security scan..."
+    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+    echo "✅ Trivy scan completed"
+else
+    echo "⚠️  Trivy not found. Install Trivy to perform security scanning."
+    echo "   Visit https://aquasecurity.github.io/trivy/ for installation instructions."
+fi
+
+# Check for outdated packages
+echo "📦 Checking for outdated packages..."
+OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
+if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
+    echo "⚠️  ${OUTDATED_PACKAGES} packages can be upgraded"
+    echo "   Run 'apt update && apt upgrade' to update packages"
+else
+    echo "✅ All system packages are up to date"
+fi
+
+# Check for unnecessary packages that increase attack surface
+echo "🛡️  Checking for unnecessary packages..."
+UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
+if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
+    echo "⚠️  Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
+    echo "   Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
+else
+    echo "✅ No unnecessary packages found that increase attack surface"
+fi
+
+# Check for world-writable files/directories
+echo "📁 Checking for world-writable files/directories..."
+WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
+    echo "⚠️  Found ${WORLD_WRITABLE} world-writable files/directories"
+    echo "   These should be reviewed and permissions adjusted if necessary"
+else
+    echo "✅ No world-writable files/directories found"
+fi
+
+# Check for setuid/setgid binaries
+echo "🔑 Checking for setuid/setgid binaries..."
+SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
+    echo "⚠️  Found ${SETUID_BINARIES} setuid/setgid binaries"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No setuid/setgid binaries found"
+fi
+
+# Check for running services
+echo "サービ Checking for running services..."
+RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
+if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
+    echo "⚠️  Found ${RUNNING_SERVICES} running processes"
+    echo "   These should be reviewed for necessity"
+else
+    echo "✅ No unnecessary running services found"
+fi
+
+# Check for listening ports
+echo "📡 Checking for listening ports..."
+LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
+if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
+    echo "⚠️  Found ${LISTENING_PORTS} listening ports"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No unnecessary listening ports found"
+fi
+
+# Check for sudo availability
+echo "🛑 Checking for sudo availability..."
+if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
+    echo "❌ Sudo is available in the image - this is a security risk"
+    echo "   Sudo should be removed to prevent privilege escalation"
+else
+    echo "✅ Sudo is not available in the image"
+fi
+
+# Check for root login capability
+echo "🔐 Checking for root login capability..."
+ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
+if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
+    echo "⚠️  Root login might be enabled"
+    echo "   Ensure root login is disabled for security"
+else
+    echo "✅ Root login is properly disabled"
+fi
+
+# Check user configuration
+echo "👤 Checking user configuration..."
+USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
+if [[ "${USER_ID}" == "1000" ]]; then
+    echo "✅ Non-root user 'toolbox' with UID 1000 is properly configured"
+else
+    echo "⚠️  Non-root user configuration might be incorrect"
+fi
+
+# Check for hardcoded passwords
+echo "🔑 Checking for hardcoded passwords..."
+HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
+if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
+    echo "⚠️  Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No hardcoded password references found"
+fi
+
+# Check for exposed secrets
+echo " секр Checking for exposed secrets..."
+EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
+if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
+    echo "⚠️  Found ${EXPOSED_SECRETS} potential secret files"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No exposed secret files found"
+fi
+
+# Summary
+echo ""
+echo "🔒 Security Audit Summary:"
+echo "   - Image: ${IMAGE_NAME}"
+echo "   - Scan completed with recommendations above"
+echo ""
+echo "💡 Recommendations:"
+echo "   1. Install Trivy for comprehensive security scanning"
+echo "   2. Regularly update packages to address vulnerabilities"
+echo "   3. Remove unnecessary packages to reduce attack surface"
+echo "   4. Review world-writable files/directories"
+echo "   5. Review setuid/setgid binaries"
+echo "   6. Remove sudo to prevent privilege escalation"
+echo "   7. Ensure root login is disabled"
+echo "   8. Verify non-root user configuration"
+echo "   9. Review hardcoded password references"
+echo "   10. Check for exposed secrets"