feat: Update toolbox-base and template with latest Docker configurations and documentation

\n- Updated Dockerfiles in both toolbox-base and toolbox-template - Modified build scripts and docker-compose configurations - Added new audit tools and documentation files - Created new toolbox-DocStack and toolbox-QADocker implementations - Updated README and maintenance documentation
2025-10-31 12:46:36 -05:00
parent 48530814d5
commit ab57e3a3a1
92 changed files with 4610 additions and 190 deletions
--- a/ToolboxStack/output/toolbox-base/Dockerfile
+++ b/ToolboxStack/output/toolbox-base/Dockerfile
@@ -1,4 +1,5 @@
-FROM ubuntu:24.04
+# Multi-stage approach to minimize final image size and attack surface
+FROM ubuntu:24.04 AS installer

 ARG USER_ID=1000
 ARG GROUP_ID=1000
@@ -7,7 +8,7 @@ ARG TEA_VERSION=0.11.1

 ENV DEBIAN_FRONTEND=noninteractive

-# Install base packages with proper caching
+# ROOT STAGE 1: System package installation only
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update \
@@ -30,6 +31,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
        fd-find \
        bat \
        httpie \
+        # Build dependencies needed for Node.js native modules \
        build-essential \
        pkg-config \
        libssl-dev \
@@ -39,50 +41,38 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
        libreadline-dev \
        wget \
        zsh \
-        # Additional packages for better tool support
        unzip \
        zip \
        gnupg \
        software-properties-common \
        apt-transport-https \
-        ca-certificates \
-        curl \
-        gnupg-agent \
-        software-properties-common \
+        python3 \
+        python3-pip \
+        python3-dev \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-# Provide common aliases for fd and bat binaries
+# ROOT: System-wide utilities
 RUN ln -sf /usr/bin/fdfind /usr/local/bin/fd \
    && ln -sf /usr/bin/batcat /usr/local/bin/bat

-# Install Gitea tea CLI
+# ROOT: Install Gitea tea CLI (system-wide)
 RUN curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" -o /tmp/tea \
    && curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64.sha256" -o /tmp/tea.sha256 \
    && sed -n 's/ .*//p' /tmp/tea.sha256 | awk '{print $1 "  /tmp/tea"}' | sha256sum -c - \
    && install -m 0755 /tmp/tea /usr/local/bin/tea \
    && rm -f /tmp/tea /tmp/tea.sha256

-# Configure locale to ensure consistent tool behavior
+# ROOT: Configure locale
 RUN locale-gen en_US.UTF-8
 ENV LANG=en_US.UTF-8 \
    LANGUAGE=en_US:en \
    LC_ALL=en_US.UTF-8

-# Install Starship prompt
+# ROOT: Install Starship prompt (system-wide)
 RUN curl -fsSL https://starship.rs/install.sh | sh -s -- -y -b /usr/local/bin

-# Install aqua package manager (manages additional CLI tooling)
-RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer | AQUA_ROOT_DIR=/usr/local/share/aquaproj-aqua bash \
-    && ln -sf /usr/local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua
-
-# Install mise for runtime management (no global toolchains pre-installed)
-RUN curl -sSfL https://mise.jdx.dev/install.sh | env MISE_INSTALL_PATH=/usr/local/bin/mise MISE_INSTALL_HELP=0 sh
-
-# Install Node.js via mise to enable npm package installation
-RUN mise install node@22.13.0 && mise global node@22.13.0
-
-# Create non-root user with matching UID/GID for host mapping
+# ROOT: Create non-root user with matching UID/GID for host mapping
 RUN if getent passwd "${USER_ID}" >/dev/null; then \
        existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
        userdel --remove "${existing_user}"; \
@@ -92,67 +82,183 @@ RUN if getent passwd "${USER_ID}" >/dev/null; then \
    fi \
    && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"

-# Install Oh My Zsh and configure shells for the unprivileged user
-RUN su - "${USERNAME}" -c 'git clone --depth=1 https://github.com/ohmyzsh/ohmyzsh.git ~/.oh-my-zsh' \
-    && su - "${USERNAME}" -c 'cp ~/.oh-my-zsh/templates/zshrc.zsh-template ~/.zshrc' \
-    && su - "${USERNAME}" -c 'mkdir -p ~/.config' \
-    && su - "${USERNAME}" -c 'sed -i "s/^plugins=(git)$/plugins=(git fzf)/" ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\nexport PATH=\"\$HOME/.local/share/aquaproj-aqua/bin:\$HOME/.local/share/mise/shims:\$HOME/.local/bin:\$PATH\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\nexport AQUA_GLOBAL_CONFIG=\"\$HOME/.config/aquaproj-aqua/aqua.yaml\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\n# Starship prompt\neval \"\$(starship init zsh)\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\n# mise runtime manager\neval \"\$(mise activate zsh)\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook zsh)\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\n# zoxide\neval \"\$(zoxide init zsh)\"\n" >> ~/.zshrc' \
-    && su - "${USERNAME}" -c 'printf "\nexport AQUA_GLOBAL_CONFIG=\"\$HOME/.config/aquaproj-aqua/aqua.yaml\"\n" >> ~/.bashrc' \
-    && su - "${USERNAME}" -c 'printf "\n# mise runtime manager (bash)\neval \"\$(mise activate bash)\"\n" >> ~/.bashrc' \
-    && su - "${USERNAME}" -c 'printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook bash)\"\n" >> ~/.bashrc' \
-    && su - "${USERNAME}" -c 'printf "\n# zoxide\neval \"\$(zoxide init bash)\"\n" >> ~/.bashrc' \
-    && su - "${USERNAME}" -c 'mkdir -p ~/.config/fish' \
-    && su - "${USERNAME}" -c 'printf "\nset -gx AQUA_GLOBAL_CONFIG \$HOME/.config/aquaproj-aqua/aqua.yaml\n# Shell prompt and runtime manager\nstarship init fish | source\nmise activate fish | source\ndirenv hook fish | source\nzoxide init fish | source\n" >> ~/.config/fish/config.fish'
+# ROOT: Set up toolbox user home directory with proper permissions
+RUN chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"

-# Install Node.js for the toolbox user and set up the environment
-RUN su - "${USERNAME}" -c 'mise install node@22.13.0 && mise use -g node@22.13.0'
+# SWITCH TO NON-ROOT USER: All further operations as toolbox user
+USER ${USERNAME}
+WORKDIR /home/${USERNAME}

-COPY aqua.yaml /tmp/aqua.yaml
+# NON-ROOT: Install mise runtime manager for toolbox user
+RUN curl -sSfL https://mise.jdx.dev/install.sh | sh

-# Install aqua packages at both root and user level to ensure they're baked into the image
-RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
-    && su - "${USERNAME}" -c 'mkdir -p ~/.config/aquaproj-aqua' \
-    && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml ~/.config/aquaproj-aqua/aqua.yaml' \
-    && AQUA_GLOBAL_CONFIG=/tmp/aqua.yaml aqua install \
-    && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=~/.config/aquaproj-aqua/aqua.yaml aqua install'
+# NON-ROOT: Update PATH for mise tools
+ENV PATH=/home/${USERNAME}/.local/bin:/home/${USERNAME}/.local/share/mise/shims:$PATH

-# Install AI CLI tools via npm using mise to ensure Node.js is available
-# These are installed via npm because they're not available through aqua
-RUN mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29
+# NON-ROOT: Install Node.js via mise as toolbox user
+RUN mise install node@22.13.0 && mise use -g node@22.13.0

-# Install the same AI CLI tools for the toolbox user so they are available in the container runtime
-RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29' && \
-    # Ensure mise shims are properly generated for the installed tools
-    su - "${USERNAME}" -c 'mise reshim'
+# NON-ROOT: Install aqua package manager for toolbox user
+RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer > /tmp/aqua-installer.sh && \
+    chmod +x /tmp/aqua-installer.sh && \
+    AQUA_ROOT_DIR=/home/${USERNAME}/.local/share/aquaproj-aqua /tmp/aqua-installer.sh && \
+    rm /tmp/aqua-installer.sh

-# Install BATS for testing framework
+# NON-ROOT: Update PATH for aqua tools
+ENV PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:$PATH
+
+# NON-ROOT: Install Oh My Zsh
+RUN git clone --depth=1 https://github.com/ohmyzsh/ohmyzsh.git ~/.oh-my-zsh
+
+# NON-ROOT: Configure shells (zsh, bash, fish) with all customizations
+RUN cp ~/.oh-my-zsh/templates/zshrc.zsh-template ~/.zshrc \
+    && mkdir -p ~/.config \
+    && sed -i "s/^plugins=(git)$/plugins=(git fzf)/" ~/.zshrc \
+    && printf "\nexport PATH=\"\$HOME/.local/share/aquaproj-aqua/bin:\$HOME/.local/share/mise/shims:\$HOME/.local/bin:\$PATH\"\n" >> ~/.zshrc \
+    && printf "\nexport AQUA_GLOBAL_CONFIG=\"\$HOME/.config/aquaproj-aqua/aqua.yaml\"\n" >> ~/.zshrc \
+    && printf "\n# Starship prompt\neval \"\$(starship init zsh)\"\n" >> ~/.zshrc \
+    && printf "\n# mise runtime manager\neval \"\$(mise activate zsh)\"\n" >> ~/.zshrc \
+    && printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook zsh)\"\n" >> ~/.zshrc \
+    && printf "\n# zoxide\neval \"\$(zoxide init zsh)\"\n" >> ~/.zshrc \
+    && printf "\nexport AQUA_GLOBAL_CONFIG=\"\$HOME/.config/aquaproj-aqua/aqua.yaml\"\n" >> ~/.bashrc \
+    && printf "\n# mise runtime manager (bash)\neval \"\$(mise activate bash)\"\n" >> ~/.bashrc \
+    && printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook bash)\"\n" >> ~/.bashrc \
+    && printf "\n# zoxide\neval \"\$(zoxide init bash)\"\n" >> ~/.bashrc \
+    && mkdir -p ~/.config/fish \
+    && printf "\nset -gx AQUA_GLOBAL_CONFIG \$HOME/.config/aquaproj-aqua/aqua.yaml\n# Shell prompt and runtime manager\nstarship init fish | source\nmise activate fish | source\ndirenv hook fish | source\nzoxide init fish | source\n" >> ~/.config/fish/config.fish
+
+# NON-ROOT: Install aqua packages from aqua.yaml (all tools baked into image)
+COPY --chown=${USER_ID}:${GROUP_ID} aqua.yaml /tmp/aqua.yaml
+RUN mkdir -p ~/.config/aquaproj-aqua \
+    && cp /tmp/aqua.yaml ~/.config/aquaproj-aqua/aqua.yaml \
+    && aqua install
+
+# NON-ROOT: Install all AI CLI tools during build using mise (baked into image)
+RUN mise exec -- npm install -g \
+    @just-every/code@0.4.6 \
+    @qwen-code/qwen-code@0.1.1 \
+    @google/gemini-cli@0.11.0 \
+    @openai/codex@0.50.0 \
+    opencode-ai@0.15.29 && \
+    mise reshim
+
+# NON-ROOT: Install Joplin CLI during build using mise (baked into image)
+# Skipping Joplin due to build issues with sqlite3 dependencies
+# RUN mise exec -- npm install -g joplin-cli@latest --legacy-peer-deps && mise reshim
+
+# NON-ROOT: Install additional testing tools during build
+RUN mise exec -- npm install -g bats@1.11.0 && mise reshim
+
+# NON-ROOT: Install BATS testing framework from source (baked into image)
 RUN git clone https://github.com/bats-core/bats-core.git /tmp/bats-core \
    && cd /tmp/bats-core \
    && git checkout v1.11.0 \
-    && ./install.sh /usr/local \
+    && ./install.sh "$HOME/.local" \
    && rm -rf /tmp/bats-core

-# Install additional testing tools
-RUN npm install -g bats@1.11.0
-
-# Prepare workspace directory with appropriate ownership
-RUN mkdir -p /workspace \
-    && chown "${USER_ID}:${GROUP_ID}" /workspace
-
-# Remove sudo to ensure no root escalation is possible at runtime (if installed)
-RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
-
-ENV SHELL=/usr/bin/zsh \
-    AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml \
-    PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH}
-
-WORKDIR /workspace
+# ROOT: Set up workspace directory
+USER root
+RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
 USER ${USERNAME}

-CMD ["/usr/bin/zsh"]
+# NON-ROOT: Verify all tools are accessible during build
+RUN bash -c 'command -v node && command -v npm && command -v mise && command -v aqua' \
+    && bash -c 'node --version && npm --version && mise --version && aqua --version'
+
+# NON-ROOT: Final mise reshim to ensure all tools are properly linked
+RUN mise reshim
+
+# FINAL STAGE: Copy completed setup to minimize image and enhance security
+FROM ubuntu:24.04
+
+ARG USER_ID=1000
+ARG GROUP_ID=1000
+ARG USERNAME=toolbox
+ARG TEA_VERSION=0.11.1
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# ROOT: Install minimal runtime dependencies only
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        fish \
+        fzf \
+        git \
+        jq \
+        bc \
+        htop \
+        btop \
+        locales \
+        openssh-client \
+        ripgrep \
+        tmux \
+        screen \
+        entr \
+        fd-find \
+        bat \
+        httpie \
+        zsh \
+        wget \
+        unzip \
+        zip \
+        python3 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# ROOT: Restore system-wide utilities
+RUN ln -sf /usr/bin/fdfind /usr/local/bin/fd \
+    && ln -sf /usr/bin/batcat /usr/local/bin/bat
+
+# ROOT: Restore system-wide configurations
+RUN locale-gen en_US.UTF-8
+ENV LANG=en_US.UTF-8 \
+    LANGUAGE=en_US:en \
+    LC_ALL=en_US.UTF-8
+
+# ROOT: Create user/group structure
+# First clean up any existing user/group with the same ID
+RUN if getent passwd "${USER_ID}" >/dev/null; then \
+        existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
+        userdel --remove "${existing_user}"; \
+    fi \
+    && if getent group "${GROUP_ID}" >/dev/null; then \
+        groupdel "$(getent group "${GROUP_ID}" | cut -d: -f1)"; \
+    fi \
+    # Create the group and user
+    && groupadd --gid "${GROUP_ID}" "${USERNAME}" \
+    && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}" \
+    # Ensure proper ownership of home directory
+    && chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
+
+# ROOT: Copy the complete user environment from the installer stage
+COPY --from=installer --chown=${USER_ID}:${GROUP_ID} /home/${USERNAME} /home/${USERNAME}
+
+# ROOT: Create workspace directory
+RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
+
+# ROOT: Install system-wide tools (tea and starship) which were in the source image
+RUN curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" -o /tmp/tea \
+    && curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64.sha256" -o /tmp/tea.sha256 \
+    && sed -n 's/ .*//p' /tmp/tea.sha256 | awk '{print $1 "  /tmp/tea"}' | sha256sum -c - \
+    && install -m 0755 /tmp/tea /usr/local/bin/tea \
+    && rm -f /tmp/tea /tmp/tea.sha256
+
+RUN curl -fsSL https://starship.rs/install.sh | sh -s -- -y -b /usr/local/bin
+
+# ROOT: Security hardening - remove sudo if present
+RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
+
+# ROOT: Final environment variables
+ENV PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
+ENV SHELL=/usr/bin/zsh \
+    AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml
+
+# FINAL USER: Switch to toolbox user for runtime
+USER ${USERNAME}
+WORKDIR /workspace
+
+CMD ["/usr/bin/zsh"]