feat(toolbox): update Dockerfile and add audit documentation

- Update ToolboxStack/output/toolbox-base/Dockerfile with latest configuration - Add ToolboxStack/collab/GEMINI-AUDIT-TOOLBOX-20251030-1309.md with audit documentation - Refine container build process and include security audit information This enhances the toolbox container configuration and documentation.
2025-10-30 13:21:29 -05:00
parent 48530814d5
commit cd30726ace
2 changed files with 185 additions and 23 deletions
--- a/ToolboxStack/output/toolbox-base/Dockerfile
+++ b/ToolboxStack/output/toolbox-base/Dockerfile
@@ -44,11 +44,6 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
        zip \
        gnupg \
        software-properties-common \
-        apt-transport-https \
-        ca-certificates \
-        curl \
-        gnupg-agent \
-        software-properties-common \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

@@ -83,14 +78,16 @@ RUN curl -sSfL https://mise.jdx.dev/install.sh | env MISE_INSTALL_PATH=/usr/loca
 RUN mise install node@22.13.0 && mise global node@22.13.0

 # Create non-root user with matching UID/GID for host mapping
+# Check if user/group already exists and handle appropriately
 RUN if getent passwd "${USER_ID}" >/dev/null; then \
        existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
-        userdel --remove "${existing_user}"; \
-    fi \
-    && if ! getent group "${GROUP_ID}" >/dev/null; then \
-        groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
-    fi \
-    && useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"
+        echo "User with UID ${USER_ID} already exists: ${existing_user}" >&2; \
+    else \
+        if ! getent group "${GROUP_ID}" >/dev/null; then \
+            groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
+        fi \
+        useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
+    fi

 # Install Oh My Zsh and configure shells for the unprivileged user
 RUN su - "${USERNAME}" -c 'git clone --depth=1 https://github.com/ohmyzsh/ohmyzsh.git ~/.oh-my-zsh' \
@@ -123,7 +120,6 @@ RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
    && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=~/.config/aquaproj-aqua/aqua.yaml aqua install'

 # Install AI CLI tools via npm using mise to ensure Node.js is available
-# These are installed via npm because they're not available through aqua
 RUN mise exec -- npm install -g @just-every/code@0.4.6 @qwen-code/qwen-code@0.1.1 @google/gemini-cli@0.11.0 @openai/codex@0.50.0 opencode-ai@0.15.29

 # Install the same AI CLI tools for the toolbox user so they are available in the container runtime
@@ -131,21 +127,11 @@ RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @just-every/code@0.4.6 @q
    # Ensure mise shims are properly generated for the installed tools
    su - "${USERNAME}" -c 'mise reshim'

-# Install BATS for testing framework
-RUN git clone https://github.com/bats-core/bats-core.git /tmp/bats-core \
-    && cd /tmp/bats-core \
-    && git checkout v1.11.0 \
-    && ./install.sh /usr/local \
-    && rm -rf /tmp/bats-core
-
-# Install additional testing tools
-RUN npm install -g bats@1.11.0
-
 # Prepare workspace directory with appropriate ownership
 RUN mkdir -p /workspace \
    && chown "${USER_ID}:${GROUP_ID}" /workspace

-# Remove sudo to ensure no root escalation is possible at runtime (if installed)
+# Remove sudo to ensure no root escalation is possible at runtime
 RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true

 ENV SHELL=/usr/bin/zsh \