feat(toolbox): update toolbox base and template with audit capabilities

- Update ToolboxStack/output/toolbox-base/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-base/security-audit.sh with security auditing tools
- Update ToolboxStack/output/toolbox-template/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-template/security-audit.sh with security auditing tools

This enhances both the base and template developer environments with security auditing capabilities.

ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md

@@ -0,0 +1,120 @@
+# 🧰 Toolbox Template Audit Checklist
+
+This checklist ensures the toolbox-template provides a solid foundation for creating new toolboxes that extend from toolbox-base.
+
+## 🏗️ Structure Audit
+
+- [ ] Template Dockerfile properly extends from toolbox-base:release-current
+- [ ] Template Dockerfile follows best practices for extension
+- [ ] Template docker-compose.yml properly inherits from base configuration
+- [ ] Template build.sh script properly wraps docker build with UID/GID mapping
+- [ ] Template run.sh script properly manages container lifecycle
+- [ ] Template devcontainer.json properly references base configuration
+- [ ] Template SEED file properly defines extension objectives
+- [ ] Template PROMPT file properly guides contributors
+- [ ] Template README.md properly documents usage and customization
+- [ ] Template aqua.yaml properly extends from base tooling
+
+## 🔧 Consistency Audit
+
+- [ ] Template inherits all base security practices
+- [ ] Template follows same build process patterns as base
+- [ ] Template uses same user model as base (non-root with UID/GID mapping)
+- [ ] Template workspace mounting consistent with base
+- [ ] Template runtime behavior consistent with base
+- [ ] Template error handling consistent with base
+- [ ] Template documentation style consistent with base
+- [ ] Template testing approach consistent with base
+- [ ] Template customization points clearly defined
+- [ ] Template extension patterns well-documented
+
+## 🛡️ Security Audit
+
+- [ ] Template maintains all base security guarantees
+- [ ] Template doesn't introduce security vulnerabilities
+- [ ] Template doesn't weaken base security model
+- [ ] Template properly validates user inputs
+- [ ] Template properly handles file permissions
+- [ ] Template doesn't expose additional attack surfaces
+- [ ] Template properly manages secrets/configuration
+- [ ] Template follows principle of least privilege
+- [ ] Template properly isolates user processes
+- [ ] Template maintains non-root execution model
+
+## 🧪 Testing Audit
+
+- [ ] Template includes testing framework
+- [ ] Template tests verify proper extension from base
+- [ ] Template tests validate added functionality
+- [ ] Template tests check for regression issues
+- [ ] Template tests cover error conditions
+- [ ] Template tests verify security properties
+- [ ] Template tests run automatically during build
+- [ ] Template tests provide clear failure diagnostics
+- [ ] Template tests cover all customization points
+- [ ] Template tests align with base testing philosophy
+
+## 📚 Documentation Audit
+
+- [ ] Template README.md clearly explains purpose and usage
+- [ ] Template README.md properly documents customization options
+- [ ] Template README.md links to base documentation
+- [ ] Template README.md includes quick start guide
+- [ ] Template README.md covers troubleshooting
+- [ ] Template README.md explains extension patterns
+- [ ] Template README.md documents versioning strategy
+- [ ] Template README.md covers maintenance procedures
+- [ ] Template README.md explains collaboration guidelines
+- [ ] Template README.md maintains consistent style with base
+
+## 🔄 Maintenance Audit
+
+- [ ] Template properly tracks base image updates
+- [ ] Template provides clear upgrade paths
+- [ ] Template maintains backward compatibility
+- [ ] Template follows same release cadence as base
+- [ ] Template properly handles dependency updates
+- [ ] Template includes update automation where appropriate
+- [ ] Template documents breaking changes
+- [ ] Template provides migration guides when needed
+- [ ] Template follows same versioning scheme as base
+- [ ] Template maintains consistent issue tracking
+
+## 🎯 Usability Audit
+
+- [ ] Template is easy to copy and customize
+- [ ] Template provides clear extension points
+- [ ] Template includes helpful examples
+- [ ] Template reduces boilerplate code
+- [ ] Template provides sensible defaults
+- [ ] Template includes proper error messages
+- [ ] Template supports common customization patterns
+- [ ] Template includes helpful documentation
+- [ ] Template follows intuitive naming conventions
+- [ ] Template minimizes configuration complexity
+
+## 🌐 Compatibility Audit
+
+- [ ] Template works with all supported platforms
+- [ ] Template maintains cross-platform consistency
+- [ ] Template integrates well with base tooling
+- [ ] Template supports common development workflows
+- [ ] Template handles various project structures
+- [ ] Template works with popular IDEs/editors
+- [ ] Template supports CI/CD integration
+- [ ] Template compatible with common deployment methods
+- [ ] Template supports popular version control systems
+- [ ] Template integrates with common development tools
+
+## 🧹 Cleanliness Audit
+
+- [ ] Template includes no unnecessary files
+- [ ] Template follows consistent file organization
+- [ ] Template includes proper .gitignore
+- [ ] Template avoids duplicating base functionality
+- [ ] Template includes proper licensing information
+- [ ] Template maintains clean directory structure
+- [ ] Template includes appropriate comments/documentation
+- [ ] Template avoids hardcoded values where possible
+- [ ] Template follows consistent naming conventions
+- [ ] Template includes proper attribution where needed

ToolboxStack/output/toolbox-template/security-audit.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Security audit script for the toolbox-template
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
+
+echo "🔒 Running security audit on ${IMAGE_NAME}"
+
+# Check if Trivy is available for security scanning
+if command -v trivy &> /dev/null; then
+    echo "🔍 Running Trivy security scan..."
+    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+    echo "✅ Trivy scan completed"
+else
+    echo "⚠️  Trivy not found. Install Trivy to perform security scanning."
+    echo "   Visit https://aquasecurity.github.io/trivy/ for installation instructions."
+fi
+
+# Check for outdated packages
+echo "📦 Checking for outdated packages..."
+OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
+if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
+    echo "⚠️  ${OUTDATED_PACKAGES} packages can be upgraded"
+    echo "   Run 'apt update && apt upgrade' to update packages"
+else
+    echo "✅ All system packages are up to date"
+fi
+
+# Check for unnecessary packages that increase attack surface
+echo "🛡️  Checking for unnecessary packages..."
+UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
+if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
+    echo "⚠️  Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
+    echo "   Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
+else
+    echo "✅ No unnecessary packages found that increase attack surface"
+fi
+
+# Check for world-writable files/directories
+echo "📁 Checking for world-writable files/directories..."
+WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
+    echo "⚠️  Found ${WORLD_WRITABLE} world-writable files/directories"
+    echo "   These should be reviewed and permissions adjusted if necessary"
+else
+    echo "✅ No world-writable files/directories found"
+fi
+
+# Check for setuid/setgid binaries
+echo "🔑 Checking for setuid/setgid binaries..."
+SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
+    echo "⚠️  Found ${SETUID_BINARIES} setuid/setgid binaries"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No setuid/setgid binaries found"
+fi
+
+# Check for running services
+echo "サービ Checking for running services..."
+RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
+if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
+    echo "⚠️  Found ${RUNNING_SERVICES} running processes"
+    echo "   These should be reviewed for necessity"
+else
+    echo "✅ No unnecessary running services found"
+fi
+
+# Check for listening ports
+echo "📡 Checking for listening ports..."
+LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
+if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
+    echo "⚠️  Found ${LISTENING_PORTS} listening ports"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No unnecessary listening ports found"
+fi
+
+# Check for sudo availability
+echo "🛑 Checking for sudo availability..."
+if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
+    echo "❌ Sudo is available in the image - this is a security risk"
+    echo "   Sudo should be removed to prevent privilege escalation"
+else
+    echo "✅ Sudo is not available in the image"
+fi
+
+# Check for root login capability
+echo "🔐 Checking for root login capability..."
+ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
+if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
+    echo "⚠️  Root login might be enabled"
+    echo "   Ensure root login is disabled for security"
+else
+    echo "✅ Root login is properly disabled"
+fi
+
+# Check user configuration
+echo "👤 Checking user configuration..."
+USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
+if [[ "${USER_ID}" == "1000" ]]; then
+    echo "✅ Non-root user 'toolbox' with UID 1000 is properly configured"
+else
+    echo "⚠️  Non-root user configuration might be incorrect"
+fi
+
+# Check for hardcoded passwords
+echo "🔑 Checking for hardcoded passwords..."
+HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
+if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
+    echo "⚠️  Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No hardcoded password references found"
+fi
+
+# Check for exposed secrets
+echo " секр Checking for exposed secrets..."
+EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
+if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
+    echo "⚠️  Found ${EXPOSED_SECRETS} potential secret files"
+    echo "   These should be reviewed for security implications"
+else
+    echo "✅ No exposed secret files found"
+fi
+
+# Check that this template properly extends from the base image
+echo "🔗 Checking inheritance from base image..."
+BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" 2>/dev/null | grep "FROM tsysdevstack-toolboxstack-toolbox-base:release-current" | wc -l)
+if [[ "${BASE_INHERITANCE}" -gt 0 ]]; then
+    echo "✅ Template properly extends from toolbox-base:release-current"
+else
+    echo "⚠️  Template might not properly extend from toolbox-base:release-current"
+fi
+
+# Summary
+echo ""
+echo "🔒 Security Audit Summary:"
+echo "   - Image: ${IMAGE_NAME}"
+echo "   - Scan completed with recommendations above"
+echo ""
+echo "💡 Recommendations:"
+echo "   1. Install Trivy for comprehensive security scanning"
+echo "   2. Regularly update packages to address vulnerabilities"
+echo "   3. Remove unnecessary packages to reduce attack surface"
+echo "   4. Review world-writable files/directories"
+echo "   5. Review setuid/setgid binaries"
+echo "   6. Remove sudo to prevent privilege escalation"
+echo "   7. Ensure root login is disabled"
+echo "   8. Verify non-root user configuration"
+echo "   9. Review hardcoded password references"
+echo "   10. Check for exposed secrets"
+echo "   11. Ensure proper inheritance from base image"

ToolboxStack/output/toolbox-template/test.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Test script to verify all tools are working properly in the toolbox-template
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
+
+echo "🧪 Testing all tools in ${IMAGE_NAME}"
+
+# Function to test a command
+test_cmd() {
+    local cmd="$1"
+    local description="$2"
+    
+    echo -n "Testing ${cmd} (${description})... "
+    
+    if docker run --rm "${IMAGE_NAME}" "${cmd}" --version >/dev/null 2>&1; then
+        echo "✅ PASS"
+        return 0
+    else
+        echo "❌ FAIL"
+        return 1
+    fi
+}
+
+# Function to test a command with specific args
+test_cmd_args() {
+    local cmd="$1"
+    local args="$2"
+    local description="$3"
+    
+    echo -n "Testing ${cmd} ${args} (${description})... "
+    
+    if docker run --rm "${IMAGE_NAME}" "${cmd}" ${args} >/dev/null 2>&1; then
+        echo "✅ PASS"
+        return 0
+    else
+        echo "❌ FAIL"
+        return 1
+    fi
+}
+
+# Counter for tracking results
+PASSED=0
+FAILED=0
+
+# Test core tools inherited from base
+echo "🔍 Testing core tools inherited from base..."
+
+test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++))
+test_cmd "git" "Git version control" && ((PASSED++)) || ((FAILED++))
+test_cmd "curl" "cURL utility" && ((PASSED++)) || ((FAILED++))
+test_cmd "jq" "JSON processor" && ((PASSED++)) || ((FAILED++))
+test_cmd "fish" "Fish shell" && ((PASSED++)) || ((FAILED++))
+test_cmd "fzf" "Fuzzy finder" && ((PASSED++)) || ((FAILED++))
+test_cmd "bat" "Cat clone with wings" && ((PASSED++)) || ((FAILED++))
+test_cmd "fd" "Simple, fast alternative to find" && ((PASSED++)) || ((FAILED++))
+test_cmd "rg" "Ripgrep - line-oriented search tool" && ((PASSED++)) || ((FAILED++))
+test_cmd "htop" "Interactive process viewer" && ((PASSED++)) || ((FAILED++))
+test_cmd "btop" "Modern and colorful terminal monitor" && ((PASSED++)) || ((FAILED++))
+
+# Test aqua installed tools inherited from base
+echo "🔧 Testing aqua installed tools inherited from base..."
+
+test_cmd "gh" "GitHub CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd "lazygit" "Simple terminal UI for git commands" && ((PASSED++)) || ((FAILED++))
+test_cmd "direnv" "Unclutter your .profile" && ((PASSED++)) || ((FAILED++))
+test_cmd "delta" "Syntax-highlighting pager for git, diff, and grep output" && ((PASSED++)) || ((FAILED++))
+test_cmd "zoxide" "Smarter cd command" && ((PASSED++)) || ((FAILED++))
+test_cmd "just" "Just a command runner" && ((PASSED++)) || ((FAILED++))
+test_cmd "yq" "Portable command-line YAML processor" && ((PASSED++)) || ((FAILED++))
+test_cmd "xh" "Friendly and fast tool for sending HTTP requests" && ((PASSED++)) || ((FAILED++))
+test_cmd "curlie" "The power of curl, the ease of use of httpie" && ((PASSED++)) || ((FAILED++))
+test_cmd "chezmoi" "Manage your dotfiles across multiple machines" && ((PASSED++)) || ((FAILED++))
+test_cmd "shfmt" "Shell formatter" && ((PASSED++)) || ((FAILED++))
+test_cmd "shellcheck" "Shell script analysis tool" && ((PASSED++)) || ((FAILED++))
+test_cmd "hadolint" "Dockerfile linter" && ((PASSED++)) || ((FAILED++))
+test_cmd "uv" "Python package installer and resolver" && ((PASSED++)) || ((FAILED++))
+test_cmd "watchexec" "Execute commands in response to file modifications" && ((PASSED++)) || ((FAILED++))
+test_cmd "tea" "Gitea CLI" && ((PASSED++)) || ((FAILED++))
+
+# Test AI CLI tools inherited from base
+echo "🤖 Testing AI CLI tools inherited from base..."
+
+test_cmd_args "code" "--version" "just-every/code AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "qwen" "--version" "QwenLM/qwen-code AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "gemini" "--version" "google-gemini/gemini-cli AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "codex" "--version" "openai/codex AI CLI" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "opencode" "--version" "sst/opencode AI CLI" && ((PASSED++)) || ((FAILED++))
+
+# Test additional tools inherited from base
+echo "🧰 Testing additional tools inherited from base..."
+
+test_cmd "starship" "Cross-shell prompt" && ((PASSED++)) || ((FAILED++))
+test_cmd "mise" "Polyglot runtime manager" && ((PASSED++)) || ((FAILED++))
+test_cmd_args "aqua" "--version" "Declarative CLI Version Manager" && ((PASSED++)) || ((FAILED++))
+
+# Summary
+echo ""
+echo "📊 Test Results:"
+echo "   Passed: ${PASSED}"
+echo "   Failed: ${FAILED}"
+echo "   Total:  $((PASSED + FAILED))"
+
+if [[ "${FAILED}" -eq 0 ]]; then
+    echo "🎉 All tests passed!"
+    exit 0
+else
+    echo "💥 ${FAILED} tests failed!"
+    exit 1
+fi