KNEL/TSYSDevStack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: KNEL:50b250e78f8790f334fcc05b62031efb0b6ae6b7
Branches Tags
KNEL:main
...
compare: KNEL:main
Branches Tags
KNEL:main

12 Commits
50b250e78f ... main

Author SHA1 Message Date
ReachableCEO
d27cf46606 feat: Add .gitkeep files to empty toolbox directories and update QWEN.md files 
- Add .gitkeep files to maintain empty toolbox-* directories in git
- Update top-level QWEN.md with project-wide guidelines
- Refine ToolboxStack/QWEN.md removing redundant content
- Add .gitkeep files to: toolbox-base, toolbox-docstack, toolbox-etl,
  toolbox-gis, toolbox-lifecycle-buildandtest,
  toolbox-lifecycle-packageandrelease, toolbox-weather
 2025-11-03 09:32:47 -06:00
ReachableCEO
2253aa01c8 docs: update QWEN.md for toolbox-qadocker integration and rebuild preparation 
- Update current status to reflect toolbox-qadocker is fully implemented and working
- Add QA Process Integration and Rebuild Process with QA Integration sections
- Update directory structure to show current toolbox-qadocker implementation
- Add Development Cycle with QA-First Approach section
- Update Key Components to include toolbox-docstack and toolbox-qadocker
- Add Toolbox Management with QA Integration section
- Update date to current day (October 31, 2025)
- Emphasize mandatory QA process with toolbox-qadocker throughout development
- Prepare document for rebuild process with integrated QA workflows
- Update Toolbox Template and SEED Files section with current practices
 2025-10-31 16:25:43 -05:00
ReachableCEO
f6deeb670f docs: improve QWEN.md structure and remove duplicate sections 
- Remove duplicate Git Operations, README Maintenance, Development Cycle,
  Toolbox Management, Parallel QA Chat, and Conventional Commit Format sections
- Fix inconsistent naming references (DocStack → dockstack)
- Update references to removed NewToolbox.sh script
- Fix malformed headers in code blocks
- Clarify discontinued PROMPT files in favor of QWEN.md approach
- Improve overall document organization and flow
- Reduce document length from 404 to 339 lines by removing redundancies
- Ensure all information is consistent with current project state
 2025-10-31 16:14:21 -05:00
ReachableCEO
124d51ebff feat: implement toolbox-qadocker for Docker image auditing and QA 
- Create specialized toolbox container for auditing Docker images and related files
- Include essential QA tools: Hadolint, Dive, ShellCheck, Trivy, Dockle, Docker client, Node.js
- Implement comprehensive build, run, release, and test scripts
- Add detailed documentation with usage examples
- Ensure all tools work correctly within the container
- Rename directory from toolbox-QADocker to toolbox-qadocker for consistency
- Update QWEN.md with comprehensive QA workflow using toolbox-qadocker
- Add mandatory pre-build audit process using QA tools
- Add validation process for testing from inside container environment
- Add comprehensive testing to verify all tools are working
- Optimize Dockerfile for best practices and security
- Ensure container runs as non-root user for security
- Add release script for versioned releases to registry
- Add test script to verify all tools are working correctly
 2025-10-31 15:53:38 -05:00
ReachableCEO
3ec443eef8 docs: beautify all documentation files with icons, tables, and improved formatting 
This commit significantly enhances all documentation files in the ToolboxStack to follow the new beautiful documentation standards:

- Updated README.md with comprehensive table of contents, beautiful formatting and icon usage
- Enhanced QWEN.md to include instructions on using toolbox-qadocker:release-current for audits
- Added section about beautiful documentation requirements (icons, headers, tables, graphics)
- Updated toolbox-qadocker README with beautiful formatting, tables, and icon usage
- Enhanced toolbox-base README with detailed tables and beautiful formatting
- Improved WORKLOG.md with consistent formatting using icons and tables
- Added change logs to all documentation files
- Followed beautiful documentation principles with consistent icon usage, tables, headers, etc.

All documentation now follows the beautiful documentation standard with:
-  Use icons (emoji or font-awesome) for better visual appeal
- 📊 Use tables to organize information clearly
- 🖼️ Include graphics when helpful (ASCII art, diagrams, or links to visual assets)
- 🏷️ Use headers to structure content logically
- 📝 Include comprehensive change logs with version history
- 📋 Include checklists for setup processes
- 📊 Add comparison tables when relevant
- 📌 Cross-reference related documents clearly
 2025-10-31 15:06:41 -05:00
ReachableCEO
becd640c86 fix: Address Dockerfile issues identified by toolbox-qadocker audit 
This commit fixes several issues in the toolbox-base Dockerfile that were identified during the audit:

- Added SHELL directive with pipefail option where pipes are used
- Fixed syntax error in user creation logic by changing 'else if' to 'elif'
- Removed problematic 'cd' usage, replacing with 'git -C' for directory-specific operations
- Added SHELL directive to second stage where pipes are used
- Improved multi-line RUN command formatting with proper semicolon usage

These changes resolve the following Hadolint errors:
- DL4006: Missing pipefail in RUN commands with pipes
- SC1075: Incorrect use of 'else if' instead of 'elif'
- DL3003: Usage of 'cd' instead of WORKDIR

The Dockerfile now passes Hadolint validation when ignoring version pinning
and multiple RUN command warnings, which are expected in this context.
 2025-10-31 14:56:53 -05:00
ReachableCEO
343534ac12 feat: Create comprehensive toolbox-qadocker for Docker image auditing 
This commit introduces the complete toolbox-qadocker implementation with the following features:

- Creates a minimal Docker image specifically for auditing Docker images
- Does not use toolbox-base as foundation (bootstrap purpose)
- Includes essential audit tools: hadolint, shellcheck, trivy, dive, docker client, buildctl
- Adds additional tooling: dockerlint and Node.js for extended capabilities
- Implements custom audit script to check for minimal root usage in Dockerfiles
- Ensures proper user permissions with non-root qadocker user
- Includes build.sh, run.sh, docker-compose.yml for complete workflow
- Provides comprehensive README and PROMPT documentation
- Adds QA test script for validation
- Creates run-audit.sh for easy Dockerfile analysis
- Optimized for fast rebuilds and effective Dockerfile validation
- Configured to check for best practices regarding root usage
- Ready to audit toolbox-base and other custom toolboxes

This bootstrap image is designed to audit Docker images in the TSYSDevStack ecosystem, ensuring they follow security best practices, particularly regarding minimal root usage in builds.
 2025-10-31 14:44:43 -05:00
ReachableCEO
ac80431292 docs(QWEN): explicitly state filesystem as source of truth principle 
- Add clear statement that filesystem is ALWAYS the source of truth
- Clarify that git should reflect filesystem state
- Document the principle that unless recovering from accidental changes, git should follow filesystem

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2025-10-31 13:30:52 -05:00
ReachableCEO
1ee39e859b chore(filesystem): capture latest filesystem changes 
- Removed multiple toolbox directories (toolbox-QADocker, toolbox-dockstack, toolbox-qadocker)
- Created new toolbox-docstack directory
- Added .gitkeep to toolbox-qadocker directory to keep it tracked in git
- The filesystem structure continues to be the authoritative source of truth
- Preserved toolbox-qadocker directory in git with .gitkeep as requested for future work

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
 2025-10-31 13:28:59 -05:00
ReachableCEO
ab54d694f2 chore(filesystem): reflect major filesystem restructuring changes 
- Renamed DocStack to dockstack
- Transformed toolbox-template into toolbox-qadocker with new functionality
- Removed NewToolbox.sh script
- Updated PROMPT and configuration files across all toolboxes
- Consolidated audit and testing scripts
- Updated QWEN.md to reflect new filesystem structure as authoritative source
- Merged PROMPT content into QWEN.md as requested

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

The filesystem structure has been intentionally restructured and is now the authoritative source of truth for the project organization.
 2025-10-31 13:26:39 -05:00
ReachableCEO
199789e2c4 chore: remove .build-cache directories from git tracking and add to gitignore 2025-10-31 12:57:11 -05:00
ReachableCEO
80d5c64eb9 chore: add .build-cache to gitignore 2025-10-31 12:52:55 -05:00
93 changed files with 1360 additions and 2577 deletions
Expand all files Collapse all files

89
QWEN.md
View File

@@ -18,42 +18,83 @@ As the Topside Qwen agent, I operate at the top level of the directory tree and
- Keeping the top-level README.md and each of the four subdirectory README.md files up to date
- Performing general housekeeping tasks
- Maintaining this top-level QWEN.md file for tracking work
- Handling ALL git operations (commits and pushes) for the entire repository
- Other agents should NOT commit or push - only Topside agent performs git operations
## Development Guidelines
## Project Wide Development Guidelines
- All commits should be verbose/beautifully formatted
- Use atomic commits
- Use conventional commit format
## Git Configuration
## Project Wide Git Configuration
- Commit template configured to enforce conventional commits across all stacks
- Template file: /home/localuser/TSYSDevStack/commit-template.txt
- Template automatically configured for all git operations in the repository
- Template ensures consistent commit format across all Qwen agents
## Task Tracking
## Enhanced Git Operations Guidelines
Current tasks and progress:
- [x] Explore the current directory structure in depth
- [x] Create a QWEN.md file to track our work
- [x] Review all subdirectory README.md files
- [x] Update README.md files as needed throughout the project
- [ ] Perform general housekeeping tasks as requested
For all project components, Qwen agents should follow these detailed git workflow practices:
## Work Log
- **Conventional Commits**: Use standard types including `feat:`, `fix:`, `chore:`, `docs:`, `refactor:`, etc.
- **Frequent Atomic Commits**: Make small, focused commits that address a single concern
- **Beautifully Formatted Messages**: Write descriptive, well-formatted commit messages that clearly explain the changes
- **Git Clean State**: Always check that the relevant directory is in a git clean state at the start of each session
- **Scope Limitation**: Only stage/commit/push files from the specific directory component being worked on - nothing outside of it
- **Regular Pushing**: Push changes regularly to maintain repository consistency
### Session 1 (2025-10-29)
- Oriented to the directory tree structure
- Analyzed all README.md files in the project
- Created QWEN.md file for tracking work
- Set up commit configuration requirements
- Updated all README.md files for consistency across the project:
- Added Working Agreement section with consistent items
- Added AI Agent section identifying the responsible bot
- Added License section with reference to main LICENSE
- Fixed CloudronStack README title and content
- Created missing collab directory in LifecycleStack
- Created top-level commit template and configured git
## Project-Wide QA-First Development Approach
All project components should implement a QA-driven development process:
- **Preemptive QA**: Run audits and validation checks before any code changes are implemented
- **Continuous Validation**: Validate changes with appropriate tools during the development process
- **Pre-Build Verification**: Ensure all code passes QA checks before any builds or releases
- **Post-Build Assurance**: Verify that all deliverables meet security and compliance standards
- **Catch Issues Early**: Use QA tools throughout development to identify and resolve problems early in the process
## Standardized Documentation Principles
All documentation in the project should follow these principles to ensure consistency and quality:
-**Use icons** (emoji or font-awesome) for better visual appeal
- 📊 **Use tables** to organize information clearly
- 🖼️ **Include graphics** when helpful (ASCII art, diagrams, or links to visual assets)
- 🏷️ **Use headers** to structure content logically
- 📝 **Include comprehensive change logs** with version history
- 📋 **Include checklists** for setup processes
- 📊 **Add comparison tables** when relevant
- 📌 **Cross-reference related documents** clearly
The goal is to make documentation that is:
- ✅ Visually appealing and modern
- ✅ Easy to scan and digest
- ✅ Comprehensive yet concise
- ✅ Professional looking
- ✅ Accessible to both technical and non-technical audiences
## Source of Truth Principle
**CRITICAL**: The filesystem is ALWAYS the source of truth. Git should reflect the state of the filesystem. Unless specifically asked to recover from an accidental filesystem operation, all changes to git should reflect the current state of the filesystem, not some previous state or desired state.
## Multi-Agent Collaboration Guidelines
To ensure effective collaboration between the different Qwen agents operating in each stack:
- **Clear Boundaries**: Each Qwen agent has defined responsibilities limited to their specific directory component
- **Coordination Protocols**: Agents should coordinate through the Topside agent for cross-component changes
- **Communication Patterns**: Use the QWEN.md files to communicate important changes and practices to other agents
- **Standardization**: Follow consistent practices across all components to ensure compatibility and maintainability
- **Shared Responsibilities**: Maintain common standards for documentation, QA processes, and development practices
## Mandatory Validation Process
All components of the TSYSDevStack project must implement mandatory validation processes:
- **Before any major changes**: Validation processes should be performed to ensure compatibility and quality
- **Cross-component compatibility**: Check that changes don't negatively impact other components
- **Security and compliance**: Perform security scans and compliance checks as appropriate for the component type
- **For new components**: All new additions to the project must pass comprehensive validation before being committed
- **Regular validation**: Conduct ongoing validation as part of maintenance and updates
This ensures that all components meet the highest standards of security, reliability, and best practices.

22
ToolboxStack/.gitignore vendored Normal file
View File

@@ -0,0 +1,22 @@
# Docker build caches
.build-cache/
output/*/\.build-cache/
# Backup files
*.backup*
*.bak
*.orig
# Temporary files
tmp/
*.tmp
# IDE files
.vscode/
.idea/
*.swp
*.swo
# OS generated files
.DS_Store
Thumbs.db

430
ToolboxStack/QWEN.md
View File

@@ -1,10 +1,12 @@
# QWEN Chat Context - Toolbox Component
## Overview
I am the QWEN instance operating in the ToolboxStack component of the TSYSDevStack project. My role is to help develop, maintain, and enhance the ToolboxStack functionality. ToolboxStack is now a fully independent component/sub-project of TSYSDevStack.
I am the QWEN instance operating in the ToolboxStack component of the TSYSDevStack project. My role is to help develop, maintain, and enhance the ToolboxStack functionality. ToolboxStack is a fully independent component/sub-project of TSYSDevStack.
With the successful implementation of the toolbox-qadocker image, ToolboxStack has a comprehensive QA and auditing capability built into the development workflow. This enables proactive identification and resolution of issues before they become problems during the build process.
## Current Context
- **Date**: Thursday, October 30, 2025
- **Date**: Monday, November 3, 2025
- **Directory**: /home/localuser/TSYSDevStack/ToolboxStack
- **OS**: Linux
@@ -15,158 +17,360 @@ I am the QWEN instance operating in the ToolboxStack component of the TSYSDevSta
- Design prompts and coordination notes
- Tool addition requests
- **output/** - LLM workspace for all automated work, contains:
- NewToolbox.sh script
- toolbox-base/ (base dev container)
- toolbox-template/ (template for new toolboxes)
- Generated toolboxes (toolbox-*/ directories)
- PROMPT files for AI collaboration
- toolbox-qadocker/ (Docker image auditing and QA tools)(used for QA/validation/vulnerability scanning etc of images during the creation process)
- toolbox-base/ (base dev container)(all other toolbox-* images will inherit from this image)
- toolbox-docstack/ (documentation generation tools)
- toolbox-etl/ (etl tooling)
- toolbox-gis/ (gis related data/development tooling)
- toolbox-weather/ (weather related data/development tooling)
- toolbox-lifecycle-buildandtest (build and test tooling for multiple languages)
- toolbox-lifecycle-packageandrelease (package/release tooling for Docker containers and Packer and Cloudron)
- QWEN.md files for AI collaboration
## Current Directory Tree
```
/home/localuser/TSYSDevStack/ToolboxStack/
├── README.md
├── collab/
│ ├── commit_message.txt
│ ├── GEMINI-AUDIT-TOOLBOX-20251031-0800.md
│ ├── TSYSDevStack-toolbox-prompt.md
│ ├── tool-additions/
│ │ └── AICLI.md
│ ├── README-Maintenance.md
│ ├── WORKLOG.md
── README-Maintenance.md
── audits/
│ └── prompts/
│ └── FeatureWork/
└── output/
├── NewToolbox.sh
├── PROMPT
├── toolbox-base/
│ ├── aqua.yaml
├── toolbox-docstack/
├── toolbox-etl/
├── toolbox-gis/
├── toolbox-lifecycle-buildandtest/
├── toolbox-lifecycle-packageandrelease/
├── toolbox-qadocker/
│ ├── build.sh
│ ├── docker-compose.yml
│ ├── Dockerfile
│ ├── PROMPT
│ ├── README.md
│ ├── release.sh
│ ├── run.sh
── .build-cache/
│ └── .devcontainer/
└── toolbox-template/
├── build.sh
├── docker-compose.yml
├── ...
└── ...
── test.sh
└── toolbox-weather/
```
Note: Most toolbox directories have been cleaned up. Only toolbox-qadocker currently has implementation files, while others maintain their directory structure. This may be temporary as files were recently deleted from the git repository.
## Key Components
- **toolbox-base**: The primary dev container with Ubuntu 24.04 base, shell tooling (zsh, Starship, oh-my-zsh), core CLI utilities, aqua, and mise
- **NewToolbox.sh**: Script to scaffold new toolbox-* directories from the template
- **toolbox-template**: Template directory for creating new toolboxes
- **PROMPT files**: Guidance for AI collaboration in various components
- **toolbox-base**: The primary dev container with Ubuntu 24.04 base, shell tooling (zsh, Starship, oh-my-zsh), core CLI utilities, aqua, and mise (currently with empty directory structure)
- **toolbox-docstack**: Specialized toolbox for documentation generation with quarto, mdbook, marp, typst, markwhen, and joplin (currently with empty directory structure)
- **toolbox-qadocker**: Specialized toolbox for Docker image auditing and quality assurance with Hadolint, Dive, ShellCheck, Trivy, Dockle, Docker client, and Node.js (currently implemented)
- **toolbox-template**: Template directory for creating new toolboxes (recently removed, may be restored)
- **QWEN.md files**: Guidance for AI collaboration in various components (PROMPT files have been discontinued)
Note: Many toolboxes currently have empty directory structures as files were recently deleted from the git repository. The actual implementation may be restored based on project needs.
## Build and Release Workflow
- **Pre-build mandatory QA audit**: Before building any Docker images, run comprehensive audits using the toolbox-qadocker image:
- `docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile`
- `docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck *.sh`
- `docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan .`
- `docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockle .`
- **Integrated QA process**: QA checks are now mandatory and built into the development cycle
- Default build workflow: `./build.sh` produces a `:dev` tag; `./release.sh <semver>` (clean git tree required) rebuilds and pushes `:dev`, `:release-current`, and `v<semver>` (use `--dry-run`/`--allow-dirty` to rehearse).
- Downstream Dockerfiles should inherit from `:release-current` by default; pin to version tags when reproducibility matters.
Note: Currently, only toolbox-qadocker is fully implemented with build scripts. Other toolboxes have their build scripts in the git repository but may have been deleted from the current filesystem state.
## Toolbox Template and SEED Files
- Directory layout: each toolbox-* directory carries its own Dockerfile/README/PROMPT; shared scaffolds live in toolbox-template/.devcontainer and docker-compose.yml.
- Create new toolbox-* directories by copying the toolbox-template directory directly (NewToolbox.sh script has been removed, and toolbox-template has also been recently removed).
- Keep aqua/mise usage consistent across the family; prefer aqua-managed CLIs and mise-managed runtimes.
- Each toolbox maintains a `SEED` file to seed the initial goals—edit it once before kicking off work, then rely on the toolbox PROMPT for ongoing updates (which begins by reading SEED). (Note: PROMPT and SEED files were recently deleted from most toolboxes)
- All new toolboxes must pass comprehensive QA audits using toolbox-qadocker before being committed
Note: The toolbox-template directory and NewToolbox.sh script have been recently removed from the repository. Implementation may be restored based on project needs.
## My Responsibilities
- Maintain and enhance the ToolboxStack component
- Assist with creating new toolboxes from the template using NewToolbox.sh
- Ensure documentation stays current (README.md and PROMPT files)
- Assist with creating new toolboxes from the template (NewToolbox.sh script and toolbox-template have been removed)
- Ensure documentation stays current (README.md and QWEN.md files)
- Follow collaboration guidelines for non-destructive operations
- Use proper build and release workflows (build.sh, release.sh)
- Use proper build and release workflows (build.sh, release.sh) - currently only implemented for toolbox-qadocker
- Keep WORKLOG.md up to date with detailed entries including timestamps, activities, challenges, solutions, learnings, and feelings
- Coordinate all git operations (commits and pushes) for repository consistency
- Follow the README maintenance guide in collab/README-Maintenance.md to keep documentation up to date
- Integrate toolbox-qadocker QA processes into all development workflows
- Conduct proactive audits using toolbox-qadocker before builds to prevent issues
- Address the current state where most toolbox directories have been cleaned of implementation files
## Pre-Build Audit Workflow
Before creating or updating any toolbox images, I must perform comprehensive audits using the toolbox-qadocker image:
1. **Dockerfile Audit**: Run Hadolint to check for best practices and issues
2. **Shell Script Audit**: Run ShellCheck to validate shell scripts
3. **Security Scan**: Run Trivy to identify vulnerabilities
4. **Container Linting**: Run Dockle to check for security best practices
5. **Fix Issues**: Address all flagged issues before proceeding to build
6. **Re-Audit**: Re-run audits to confirm fixes were effective
## Git Operations
- I am now responsible for all git operations (commits and pushes) for the ToolboxStack component
- All changes should be committed with clear, descriptive commit messages
- Follow conventional commit format for all commits
- Push changes regularly to maintain repository consistency
- Only stage/commit/push things from this directory (/home/localuser/TSYSDevStack/ToolboxStack) - nothing outside of it
- Make frequent atomic commits with beautifully formatted and verbose messages
- Use conventional commit style (feat:, fix:, chore:, docs:, refactor:, etc.)
## README Maintenance
- Follow the guidelines in `collab/README-Maintenance.md` to keep documentation up to date
- Update README.md for any new features or tools added
- Keep the work log current in `collab/WORKLOG.md`
- Update documentation links when files are moved or renamed
- Keep testing instructions current
- Maintain the Working Agreement section
- Cross-reference related documents
## Development Cycle
I should automatically handle the full development cycle of toolboxes:
1. **Building**: Use build.sh scripts to build toolbox images
2. **Testing**: Run comprehensive tests to verify functionality
3. **Documentation**: Keep README.md and other docs up to date
4. **Version Control**: Commit changes frequently with descriptive messages
5. **Rebuilding**: When updating the base, rebuild all dependent toolboxes
## Toolbox Management
I can easily create new toolboxes or update existing ones:
- **Create new toolbox**: Use NewToolbox.sh script with desired name
- **Update existing toolbox**: Modify Dockerfile, aqua.yaml, or other config files
- **Update base and rebuild**: Modify toolbox-base, then rebuild all dependent toolboxes
- **Testing**: Always test toolboxes after changes
## Parallel QA Chat
I should be aware that there is a parallel chat called QA-ToolboxStack whose job is to conduct in-depth audits of the work that the ToolboxStack chat is doing. I should:
- Expect my work to be audited regularly
- Be prepared for audit at all times
- Do my best work to minimize rework needed from audit findings
- Follow all best practices and guidelines meticulously
- Keep detailed logs in WORKLOG.md to aid in audits
## Conventional Commit Format
All commits should follow conventional commit format:
```
<type>[optional scope]: <description>
[optional body]
[optional footer(s)]
```
Types:
- **feat**: A new feature
- **fix**: A bug fix
- **docs**: Documentation only changes
- **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **refactor**: A code change that neither fixes a bug nor adds a feature
- **perf**: A code change that improves performance
- **test**: Adding missing tests or correcting existing tests
- **build**: Changes that affect the build system or external dependencies
- **ci**: Changes to our CI configuration files and scripts
- **chore**: Other changes that don't modify src or test files
- **revert**: Reverts a previous commit
## Git Operations
- I am now responsible for all git operations (commits and pushes) for the ToolboxStack component
- All changes should be committed with clear, descriptive commit messages
- Follow conventional commit format for all commits
- Push changes regularly to maintain repository consistency
- **Only stage/commit/push things from this directory (/home/localuser/TSYSDevStack/ToolboxStack) - nothing outside of it**
- **Make frequent atomic commits with beautifully formatted and verbose messages**
- **Use conventional commit style (feat:, fix:, chore:, docs:, refactor:, etc.)**
- **Always check that ToolboxStack is in a git clean state at the start of each session**
- **If not in a clean state, commit and push changes before proceeding with new work**
- Follow the project-wide git guidelines as defined in the top-level QWEN.md file
## Local Time Logging
- **All time logs need to be in local system time**
- Current system time is 14:00 (adjust as needed for actual local time)
## Current Status
The system is currently in a clean state, ready for a fresh rebuild:
-Docker build cache has been cleared
- All toolbox-base images have been removed
-System is ready for rebuild
The system is currently in a transitional state:
-Most implementation files have been removed from git repository (recent cleanup)
- ✅ toolbox-qadocker image remains fully implemented and working
-Only toolbox-qadocker has functional build/test/release scripts
- ✅ System requires restoration of implementation files or re-architecture
- ✅ Detailed worklog available in collab/WORKLOG.md
## Previous Work Summary
For detailed information about previous work, challenges, and solutions, see:
- **collab/WORKLOG.md** - Comprehensive work log with timestamps, activities, and learnings
- **collab/GEMINI-AUDIT-TOOLBOX-20251031-0800.md** - Audit of problematic changes made by Gemini
Note: Several audit files referenced in the original documentation have been recently deleted from the git repository.
## Next Steps (Awaiting Direction)
1. Fresh rebuild of toolbox-base
2. Rebuild DocStack with all documentation tools
3. Add additional tools (quarto, mdbook, marp, typst, markwhen, joplin)
4. Create comprehensive testing for all tools
5. Document all tools in README with usage examples
1. Determine whether to restore previously deleted implementation files to git
2. Decide on the approach for toolbox-template and toolbox creation workflow
3. Consider implementing missing toolboxes (docstack, base, etc.) if needed
4. Update documentation to reflect the current architecture decisions
5. Ensure all functional toolboxes pass comprehensive QA audits
## QA Process Integration
With the toolbox-qadocker image now fully implemented and working, all toolbox builds will follow a mandatory QA process:
1. **Pre-build audit**: Run comprehensive audits using toolbox-qadocker before any Docker build
2. **Continuous validation**: Use QA tools throughout the development process
3. **Post-build verification**: Validate all built images with security and compliance scans
## Ready State
I am ready to proceed with any directed tasks. Please provide specific instructions for the next steps you'd like me to take.
## Directory Structure Note
**IMPORTANT**: The filesystem structure has been recently updated. The current structure takes precedence over any previous documentation. Key changes:
- Most implementation files have been removed from git repository (recent cleanup)
- toolbox-qadocker remains fully implemented with all necessary files
- The NewToolbox.sh script has been removed
- Various PROMPT and SEED files have been removed from most toolboxes
- toolbox-template directory has been removed
## Audit and Assessment Responsibilities
As part of my role in maintaining the ToolboxStack, I may conduct ongoing audits of the directory tree with the following focus areas:
- Docker build optimization
- Dockerfile correctness
- Build caching
- Security best practices
- Docker development environment best practices
- Best common practices for (dockerized) development/tooling stacks
- Assessment of all existing toolboxes (currently only toolbox-qadocker has implementations)
- Restoration planning for deleted toolbox implementations
### QA-Driven Development Process
With toolbox-qadocker now fully implemented, all development follows a QA-driven approach:
1. **Preemptive QA**: Run audits before any code changes are implemented
2. **Continuous Validation**: Validate changes with QA tools during development
3. **Pre-Build Verification**: Ensure all code passes QA checks before Docker builds
4. **Post-Build Assurance**: Verify built images meet all security and compliance standards
### Pre-Build Audit Process
Before building any Docker images, I must run comprehensive audits using the toolbox-qadocker image to check for:
- Dockerfile best practices violations (with Hadolint)
- Shell script issues (with ShellCheck)
- Security vulnerabilities (with Trivy)
- Container image security issues (with Dockle)
- Common configuration errors
- Potential build failures
All of these tools should be used to flag as many issues as possible before starting a container image build to avoid running into problems later.
### Audit Process
When conducting audits, I will produce:
- Human-readable reports to: `collab/audits/YYYY/MM/DD/HHMM/QAReport.md` (using local system time)
- LLM-optimized reports to: `collab/audits/YYYY/MM/DD/HHMM/QAReport.LLM` (using local system time)
The human-readable reports should use icons, headers, tables, graphics and be very beautiful and easy to digest.
The LLM-optimized reports are designed to be fed to other Qwen chats for implementation.
### Using toolbox-qadocker for audits
When conducting Dockerfile audits, please use the `tsysdevstack-toolboxstack-toolbox-qadocker:dev` image (or build it locally) which includes the following tools for comprehensive auditing:
- **Hadolint**: Dockerfile linter that checks for best practices
- **ShellCheck**: Static analysis tool for shell scripts
- **Trivy**: Comprehensive vulnerability scanner for containers
- **Docker Client**: Command-line interface for Docker
- **Dive**: Tool to explore layers in Docker images
- **Buildctl**: BuildKit client for advanced builds
- **Dockle**: Container image linter for security best practices
- **Node.js**: JavaScript runtime for additional tooling
Note: This is currently the only fully implemented toolbox with the complete set of tools and functionality.
> ⚠️ **Important**: Never modify images that have a `release-current` tag already in place. Always iterate and test in `:dev` first, then use the release.sh script to promote to `:release-current` when ready.
To run audits using the toolbox-qadocker:
```bash
# Run Hadolint on a Dockerfile
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile
# Run ShellCheck on script files
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck script.sh
# Run Trivy for vulnerability scanning
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan .
# Run Dockle for container image linter
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockle .
# Run comprehensive audit on current directory
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev /bin/bash -c "hadolint Dockerfile 2>/dev/null || echo 'No Dockerfile found or hadolint issues found'; shellcheck *.sh 2>/dev/null || echo 'No shell scripts found or shellcheck issues found'; trivy fs --offline-scan . 2>/dev/null || echo 'Trivy scan completed'; dockle . 2>/dev/null || echo 'Dockle scan completed'"
```
> 🧪 **Audit Compliance**: Both Hadolint and Dockle compliance are now mandatory for all Dockerfiles in the TSYSDevStack project and must be part of the audit process.
### Validation Process
During testing, I must also validate functionality from inside the container where the tools are available. This requires mounting the working directory as the container's working directory for the scanning tools to run successfully:
```bash
# Run validation tools from inside the container
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile
```
### Testing Inside Container
Since the QA tools are installed inside the toolbox-qadocker container, I must always test from inside the container environment. This is necessary because:
- The tools (Hadolint, ShellCheck, Trivy, Dockle, etc.) are only available inside the container
- The environment may differ from the host system
- Consistent testing environment ensures reliable results
To test effectively from inside the container:
1. Mount the directory containing the files to be tested to `/workspace`
2. Set the working directory to `/workspace` using `-w /workspace`
3. Run the appropriate tool with its specific arguments
4. Check the output for any issues that need to be addressed before proceeding
Example workflow:
```bash
# Navigate to directory containing files to be tested
cd /path/to/files
# Run Dockerfile linting
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile
# Run shell script analysis
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck *.sh
# Run security scanning
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan .
# Run container image linting
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockle .
```
### Documentation Principles
Follow the project-wide documentation principles as defined in the top-level QWEN.md file when creating or updating documentation for ToolboxStack.
### Documentation Files
Documentation in this project is now maintained using:
- 📄 **QWEN.md**: Primary AI agent documentation and instructions
- 📋 **README.md**: User-facing documentation for each component
- 📝 **WORKLOG.md**: Detailed work logs and change history
The use of PROMPT files has been discontinued in favor of the QWEN.md approach for maintaining AI agent instructions and project context.
### Advisory Role
In addition to audits, I can provide advice on:
- Tools to add
- How to split up containers
- What needs to go into base toolbox vs specialized toolboxes
For advisory tasks, I will write:
- Human-readable reports to: `collab/advisor/YYYY/MM/DD/HHMM/AdvisorReport.md` (using local system time)
- LLM-optimized reports to: `collab/advisor/YYYY/MM/DD/HHMM/AdvisorReport.LLM` (using local system time)
### Enhanced Audit Process
The audit process now includes automated assessment of all existing toolboxes using the script at `collab/audit-all-toolboxes.sh`.
When performing an audit, this script will be run automatically to analyze all toolboxes in the system, and the results will be incorporated into both the human-readable and LLM-optimized reports.
The script evaluates each toolbox for:
- Dockerfile best practices and security
- Presence of required files (build.sh, run.sh, test.sh, etc.)
- Documentation completeness (README.md, PROMPT, SEED)
- Tool configuration (aqua.yaml, etc.)
The comprehensive results of the toolbox audit will be included in the QA report under a "Toolbox Ecosystem Assessment" section, with specific details about each toolbox identified in the system.
Note: The `collab/audit-all-toolboxes.sh` script has been recently deleted from the git repository.
### Project Context
The projects span:
- Extensive documentation generation needs (PDFs, websites) of governance documents, reports, proposals, project plans, budgets etc.
- Software development (full SDLC) across: node, python, php, ruby, perl, java, rust, c and c++ (including embedded development, cross compiling),
nix (embedded systems builds for aeronautical applications where we need complete reproducibility), web application development, desktop GUI development etc
The ToolboxStack is for "inner loop" operations (edit/compile/test) only.
There are other stacks for:
- Build/packaging/release operations
- Support functions (like atuin/mailhog etc)
Note: Currently, only the QA and auditing tools are fully implemented in toolbox-qadocker. Implementation of other toolboxes has been recently removed from the repository.
## Mandatory QA Process
The toolbox-qadocker image is now an integral part of the development workflow with mandatory usage:
1. **Before any Docker build**, all Dockerfiles must be validated with Hadolint
2. **Before any shell script execution**, scripts must be validated with ShellCheck
3. **Before releasing any image**, security scans must be performed with Trivy and Dockle
4. **As part of regular maintenance**, audits are performed using the automated script
5. **For all new toolboxes**, the QA process is mandatory before they can be released
This ensures that all toolboxes meet the highest standards of security, reliability, and best practices.
## Development Cycle with QA-First Approach
I should automatically handle the full development cycle of toolboxes with a QA-first approach:
1. **Preemptive Auditing**: Use the toolbox-qadocker image to check Dockerfiles and shell scripts for best practices, security issues, and common errors BEFORE any development work begins
2. **Continuous Validation**: Run QA tools throughout the development process to catch issues early
3. **Building**: Use build.sh scripts to build toolbox images with integrated QA checks (currently only available for toolbox-qadocker)
4. **Testing**: Run comprehensive tests to verify functionality, including validation from within the container
5. **Documentation**: Keep README.md and other docs up to date
6. **Version Control**: Commit changes frequently with descriptive messages
7. **Rebuilding**: When updating the base, rebuild all dependent toolboxes with QA validation
8. **Restoration**: Address the current state where most toolboxes have empty directory structures
## Toolbox Management with QA Integration
I can easily create new toolboxes or update existing ones with integrated QA processes:
- **Create new toolbox**: Use toolbox-template directly to scaffold a new toolbox-* directory (NewToolbox.sh script and toolbox-template have been recently removed)
- **Update existing toolbox**: Modify Dockerfile, aqua.yaml, or other config files with continuous QA validation (currently only available for toolbox-qadocker)
- **Update base and rebuild**: Modify toolbox-base, then rebuild all dependent toolboxes with QA checks (currently not possible as implementation files are missing)
- **Testing**: Always test toolboxes after changes, including validation from within the container where all tools are available
- **QA Validation**: Run comprehensive audits using toolbox-qadocker before committing any changes
- **Restore implementations**: Address the current state where most toolboxes have empty directory structures

86
ToolboxStack/README.md
View File

@@ -1,22 +1,28 @@
# 🧰 ToolboxStack
> **Reproducible Developer Workspaces for TSYSDevStack**
ToolboxStack provides reproducible developer workspaces for TSYSDevStack contributors. The current `toolbox-base` image captures the daily-driver container environment used across the project.
---
## Contents
| Area | Description | Path |
|------|-------------|------|
| Dev Container Image | Ubuntu 24.04 base with shell tooling, mise, aqua-managed CLIs, and Docker socket access. | [`output/toolbox-base/Dockerfile`](output/toolbox-base/Dockerfile) |
| Build Helpers | Wrapper scripts for building (`build.sh`) and running (`run.sh`) the Compose service. | [`output/toolbox-base/`](output/toolbox-base) |
| Devcontainer Config | VS Code Remote Container definition referencing the Compose service. | [`output/toolbox-base/.devcontainer/devcontainer.json`](output/toolbox-base/.devcontainer/devcontainer.json) |
| Prompt & Docs | Onboarding prompt plus a feature-rich README for future collaborators. | [`output/toolbox-base/PROMPT`](output/toolbox-base/PROMPT), [`output/toolbox-base/README.md`](output/toolbox-base/README.md) |
| Work Log | Comprehensive record of work conducted on the ToolboxStack component. | [`collab/WORKLOG.md`](collab/WORKLOG.md) |
| Collaboration Notes | Shared design prompts and coordination notes for toolbox evolution. | [`collab/`](collab) |
## 📋 Table of Contents
| 🔧 Component | 📝 Description | 📁 Path |
|--------------|----------------|---------|
| 🖥️ **Dev Container Image** | Ubuntu 24.04 base with shell tooling, mise, aqua-managed CLIs, and Docker socket access. | [`output/toolbox-base/Dockerfile`](output/toolbox-base/Dockerfile) |
| 🛠️ **Build Helpers** | Wrapper scripts for building (`build.sh`) and running (`run.sh`) the Compose service. | [`output/toolbox-base/`](output/toolbox-base) |
| 🔌 **Devcontainer Config** | VS Code Remote Container definition referencing the Compose service. | [`output/toolbox-base/.devcontainer/devcontainer.json`](output/toolbox-base/.devcontainer/devcontainer.json) |
| 📋 **Prompt & Docs** | Onboarding prompt plus a feature-rich README for future collaborators. | [`output/toolbox-base/PROMPT`](output/toolbox-base/PROMPT), [`output/toolbox-base/README.md`](output/toolbox-base/README.md) |
| 📝 **Work Log** | Comprehensive record of work conducted on the ToolboxStack component. | [`collab/WORKLOG.md`](collab/WORKLOG.md) |
| 🤝 **Collaboration Notes** | Shared design prompts and coordination notes for toolbox evolution. | [`collab/`](collab) |
| 🔍 **Audit Tools** | Docker image auditing and quality assurance tools. | [`output/toolbox-qadocker/`](output/toolbox-qadocker/) |
---
## Quick Start
## 🚀 Quick Start
### Base Toolbox
```bash
cd output/toolbox-base
./build.sh # build the image with UID/GID matching your host
@@ -25,30 +31,68 @@ docker exec -it tsysdevstack-toolboxstack-toolbox-base zsh
```
Use `./run.sh down` to stop the container when you are finished.
### Audit Toolbox
```bash
cd output/toolbox-qadocker
./build.sh # build the audit image
./run.sh # run audit operations
```
---
## Contribution Tips
- Document every tooling change in both the `PROMPT` and `README.md`.
- Prefer installing CLIs via `aqua` and language runtimes via `mise` to keep the environment reproducible.
- Keep cache directories (`.build-cache/`, mise mounts) out of Git—they are already covered by the repo's `.gitignore`.
- Update the work log in `collab/WORKLOG.md` with detailed entries for all significant work.
- Follow the README maintenance guide in `collab/README-Maintenance.md` to keep documentation up to date.
## 🛠️ Available Toolboxes
### 🖥️ toolbox-base
- **Purpose**: Daily-driver development environment
- **Features**: Shell tooling (zsh, Starship), CLIs (aqua), runtimes (mise), Docker client
- **Base**: Ubuntu 24.04
### 🔍 toolbox-qadocker
- **Purpose**: Docker image auditing and quality assurance
- **Features**: Hadolint, ShellCheck, Trivy, Dive, Docker client, Buildctl, Dockerlint
- **Base**: Ubuntu 24.04 (independent of toolbox-base)
---
## 📊 Contribution Guidelines
| ✅ Best Practice | 📝 Details |
|------------------|------------|
| 📝 **Documentation** | Document every tooling change in both the `PROMPT` and `README.md`. |
| 📦 **Tool Management** | Prefer installing CLIs via `aqua` and language runtimes via `mise` to keep the environment reproducible. |
| 🧹 **Git Hygiene** | Keep cache directories (`.build-cache/`, mise mounts) out of Git—they are already covered by the repo's `.gitignore`. |
| 📝 **Work Log** | Update the work log in `collab/WORKLOG.md` with detailed entries for all significant work. |
| 📚 **Maintain Docs** | Follow the README maintenance guide in `collab/README-Maintenance.md` to keep documentation up to date. |
| 🔍 **Audit Process** | Use `toolbox-qadocker` to audit Dockerfiles and ensure best practices. |
---
## 🧭 Working Agreement
- **Stacks stay in sync.** When you add or modify automation, update both the relevant stack README and any linked prompts/docs.
- **Collab vs Output.** Use `collab/` for planning and prompts, keep runnable artifacts under `output/`.
- **Document forward.** New workflows should land alongside tests and a short entry in the appropriate README table.
- **AI Agent Coordination.** Use Qwen agents for documentation updates, code changes, and maintaining consistency across stacks.
- **Work Log Maintenance.** Keep `collab/WORKLOG.md` up to date with detailed entries including timestamps, activities, challenges, solutions, learnings, and feelings.
- 🔄 **Stacks stay in sync.** When you add or modify automation, update both the relevant stack README and any linked prompts/docs.
- 📁 **Collab vs Output.** Use `collab/` for planning and prompts, keep runnable artifacts under `output/`.
- 📈 **Document forward.** New workflows should land alongside tests and a short entry in the appropriate README table.
- 🤖 **AI Agent Coordination.** Use Qwen agents for documentation updates, code changes, and maintaining consistency across stacks.
- 📝 **Work Log Maintenance.** Keep `collab/WORKLOG.md` up to date with detailed entries including timestamps, activities, challenges, solutions, learnings, and feelings.
---
## 🤖 AI Agent
This stack is maintained by **ToolboxBot**, an AI agent focused on ToolboxStack workspace management.
---
## 📄 License
See [LICENSE](../LICENSE) for full terms. Contributions are welcome—open a discussion in the relevant stack's `collab/` area to kick things off.
---
## 📅 Recent Changes
| Date | Change | Author |
|------|--------|--------|
| 2025-10-31 | Added toolbox-qadocker for Docker image auditing | ToolboxBot |
| 2025-10-30 | Enhanced documentation standards for beautiful READMEs | ToolboxBot |
| 2025-10-29 | Initial ToolboxStack setup and configuration | ToolboxBot |

176
ToolboxStack/collab/GEMINI-AUDIT-TOOLBOX-20251030-1309.md
View File

@@ -1,176 +0,0 @@
# GEMINI-AUDIT-TOOLBOX-20251030-1309
## Audit Report: ToolboxStack Project
**Auditor:** G-Toolbox
**Date:** October 30, 2025, 13:09
This report details a comprehensive audit of the ToolboxStack project, focusing on adherence to best practices, efficiency, security, and overall code quality. The findings reveal a project riddled with fundamental flaws, inefficiencies, and a disregard for established development and security principles.
---
### 1. `docker-compose.yml` (Both `output/toolbox-base/docker-compose.yml` and `output/toolbox-template/docker-compose.yml`)
**Issue:** Excessive duplication of volume mounts.
**Details:** Both `docker-compose.yml` files contain numerous identical volume mounts for AI CLI tool configurations and cache directories. This redundancy makes the files unnecessarily long, difficult to read, and prone to errors during maintenance.
**Impact:** Increased file size, reduced readability, higher maintenance burden.
**Recommendation:** Consolidate duplicate volume mounts. Utilize YAML anchors or a more programmatic approach if dynamic volume generation is required.
---
### 2. `Dockerfile` (Both `output/toolbox-base/Dockerfile` and `output/toolbox-template/Dockerfile`)
**Issue:** Pervasive redundancy, inefficiency, and poor Dockerfile practices.
**Details:**
* **Redundant Installations:** `apt-get install` commands repeatedly install `ca-certificates` and `curl`. `mise` and `npm` packages are installed globally twice (once as root, once as the non-root user), as are `aqua` packages. This significantly inflates image size and build times.
* **Inefficient Layering:** The repeated use of `su - "${USERNAME}" -c '...'` for multiple commands creates numerous unnecessary Docker layers, further increasing image size and build complexity. A single `RUN` instruction executing a multi-command script would be far more efficient.
* **Bad Practices:**
* Global `npm` package installations (`-g`) are generally discouraged in Docker images. Local `node_modules` are preferred for better dependency management and conflict avoidance.
* The `userdel --remove` logic for user creation is a hack. Proper user management should involve checking for user existence and creating only if necessary, without resorting to potentially dangerous deletion.
* Error suppression (`2>/dev/null || true`) in `apt-get remove sudo` hides critical information.
* `starship` is installed from an unpinned script, introducing a risk of non-reproducible builds and unexpected changes.
* `BATS` installation is inefficient, involving a `git clone` followed by an `npm install` of the same tool.
* **Template Flaws:** The `toolbox-template/Dockerfile` redundantly creates the non-root user and removes `sudo`, despite inheriting from a base image that already handles these. This demonstrates a fundamental misunderstanding of Docker layering and inheritance.
**Impact:** Bloated image sizes, extended build times, reduced reproducibility, increased attack surface, potential security vulnerabilities, and a high maintenance burden.
**Recommendation:**
* Refactor `Dockerfile`s to use multi-stage builds.
* Consolidate `RUN` commands to minimize layers.
* Implement proper user management without `userdel` hacks.
* Pin all external script installations (e.g., `starship`).
* Streamline `BATS` installation.
* Remove redundant package installations.
* Ensure the template `Dockerfile` correctly leverages the base image without duplicating its setup.
---
### 3. `build.sh` (Both `output/toolbox-base/build.sh` and `output/toolbox-template/build.sh`)
**Issue:** Lack of robustness, inefficiency, and security theater.
**Details:**
* **Lack of Error Handling:** Scripts lack robust error handling, failing to check the exit status of critical commands. This allows failures to propagate silently.
* **Inefficient Verification:** The `toolbox-template/build.sh` performs multiple `docker run` commands for tool verification. This is highly inefficient; a single `docker run` executing an internal script would be significantly faster.
* **Maintenance Burden:** Hardcoded tool lists in `toolbox-template/build.sh` necessitate manual updates whenever the `Dockerfile` changes.
* **Security Theater:** The `sanitized_input` function is a prime example of security theater. Its naive approach to preventing command injection is easily bypassed and provides a false sense of security.
**Impact:** Fragile build processes, slow execution, high maintenance overhead, and a false sense of security.
**Recommendation:**
* Implement comprehensive error handling (`set -euo pipefail` is a start, but explicit checks are needed).
* Refactor verification steps into a single `docker run` command.
* Dynamically generate tool lists or use a more robust configuration management approach.
* Remove the `sanitized_input` function; true command injection prevention requires proper argument handling, not string sanitization.
---
### 4. `run.sh` (Both `output/toolbox-base/run.sh` and `output/toolbox-template/run.sh`)
**Issue:** Security theater, redundancy, inefficiency, and inflexibility.
**Details:**
* **Security Theater:** The `sanitized_input` function is present and ineffective, providing a false sense of security.
* **Redundant Actions:** Scripts redundantly create directories on the host that are already mounted as volumes in `docker-compose.yml`.
* **Dangerous Permissions:** `chmod 700` applied broadly to `.config`, `.local/share`, and `.cache` is overly aggressive and potentially destructive, with errors suppressed (`2>/dev/null || true`).
* **Inefficient Rebuilds:** `docker compose up --build` forces an inefficient rebuild of the image on every `up` command, even when no changes have occurred.
* **Inflexibility:** Hardcoded container names in `docker exec` commands limit adaptability.
**Impact:** False security, potential data loss, slow development cycles, and reduced flexibility.
**Recommendation:**
* Remove the `sanitized_input` function.
* Eliminate redundant directory creation.
* Remove the dangerous `chmod` command or apply it with extreme precision.
* Remove `--build` from `docker compose up`; `build.sh` should handle image building.
* Dynamically derive container names or use `docker compose exec` with service names.
---
### 5. `release.sh` (`output/toolbox-base/release.sh`)
**Issue:** Critically incomplete release process and dangerous practices.
**Details:**
* **Incomplete Release:** The script builds and tags images locally but *fails to push* them to a remote registry. This renders the "release" process incomplete and useless for distribution or consumption by other systems.
* **Dangerous `--allow-dirty` Flag:** The `--allow-dirty` flag, while guarded, is a severe anti-pattern for a release script. A release must always originate from a clean, committed state to ensure reproducibility and integrity. Its presence encourages risky behavior.
* **Inherited Inefficiencies:** The script calls `build.sh`, inheriting all its inefficiencies and flaws.
**Impact:** Non-reproducible releases, inability to distribute images, compromised integrity, and a false sense of a completed release.
**Recommendation:**
* Implement robust `docker push` commands for all relevant tags.
* Remove the `--allow-dirty` flag entirely. A release should *always* require a clean git tree.
* Address the underlying inefficiencies in `build.sh`.
---
### 6. `security-audit.sh` (Both `output/toolbox-base/security-audit.sh` and `output/toolbox-template/security-audit.sh`)
**Issue:** Superficial, inefficient, and misleading security audit.
**Details:**
* **False Sense of Security:** The script provides a very basic and incomplete security audit, giving a false sense of assurance. It misses many critical aspects of container security.
* **Inefficiency:** Each check executes a new `docker run --rm "${IMAGE_NAME}" ...`, which is extremely inefficient. A single `docker run` executing an internal script would be significantly faster.
* **Limited Scope:** Checks are basic and do not cover the full spectrum of container security, especially for `npm`, `mise`, or `aqua` managed tools. It fails to perform static analysis of the Dockerfile (e.g., with Hadolint, which is installed in the base image).
* **Error Hiding:** Excessive use of `2>/dev/null` suppresses potentially valuable error messages.
* **Poor UX:** Verbose output, generic recommendations, and a lack of clear overall risk assessment.
* **Missing Critical Checks:** Lacks checks for image size, multi-stage build optimization, comprehensive vulnerability scanning (beyond basic `apt` packages), and content of sensitive files.
**Impact:** Undetected security vulnerabilities, inefficient security checks, and a false sense of security.
**Recommendation:**
* Refactor to use a single `docker run` command for all internal checks.
* Integrate comprehensive vulnerability scanning tools (e.g., Trivy for all package types, Hadolint for Dockerfile analysis).
* Expand checks to cover `npm`, `mise`, and `aqua` dependencies.
* Remove excessive error suppression.
* Provide a clear, concise summary of findings and actionable recommendations.
---
### 7. `test.sh` (Both `output/toolbox-base/test.sh` and `output/toolbox-template/test.sh`)
**Issue:** Highly inefficient and superficial testing.
**Details:**
* **Extreme Inefficiency:** Each tool test executes a new `docker run --rm "${IMAGE_NAME}" ...`, making the test suite incredibly slow.
* **Limited Scope:** Tests only check if a tool's `--version` command works, which is a very basic sanity check. It fails to verify actual functionality, correct configuration, or integration between tools.
* **Error Hiding:** Suppresses all output from tool commands (`>/dev/null 2>&1`), hiding potential warnings or errors.
* **Maintenance Burden:** Hardcoded tool lists require manual updates when the `Dockerfile` changes.
* **No Integration Tests:** Lacks tests to verify that tools work together as expected (e.g., `mise` and `aqua` integration with the shell, `starship` prompt display).
**Impact:** Slow development cycles, undetected regressions, and a false sense of tested functionality.
**Recommendation:**
* Refactor to use a single `docker run` command for all internal tests.
* Implement more comprehensive tests that verify actual tool functionality and integration.
* Remove excessive error suppression.
* Dynamically generate tool lists or use a more robust configuration management approach.
---
### 8. `README.md` (Both `output/toolbox-base/README.md` and `output/toolbox-template/README.md`)
**Issue:** Misleading information, incompleteness, and propagation of bad examples.
**Details:**
* **Misleading Information:** `toolbox-base/README.md` falsely claims `release.sh` pushes images, which is not implemented.
* **Incompleteness:** Fails to mention `test.sh` and `security-audit.sh` in the verification checklist, despite their presence.
* **Propagation of Bad Examples:** `toolbox-template/README.md` includes flawed code examples directly from the `Dockerfile`, perpetuating bad practices.
* **Lack of Verification Checklist:** `toolbox-template/README.md` lacks a dedicated verification checklist, which is crucial for a template.
**Impact:** Confusion for users, incorrect expectations, and propagation of poor practices.
**Recommendation:**
* Update `README.md` files to accurately reflect script functionality.
* Include all relevant scripts in verification checklists.
* Refactor code examples in `README.md` to demonstrate best practices.
* Add a comprehensive verification checklist to `toolbox-template/README.md`.
---
### 9. `.devcontainer/devcontainer.json` (Both `output/toolbox-base/.devcontainer/devcontainer.json` and `output/toolbox-template/.devcontainer/devcontainer.json`)
**Issue:** Weak validation and potential maintenance burden.
**Details:**
* **Weak Validation:** The `postCreateCommand` uses a very basic `starship --version` check, which is insufficient for comprehensive environment validation.
* **Maintenance Burden:** The hardcoded `remoteUser` could become a maintenance issue if the user name needs to change across different environments.
**Impact:** Insufficient environment validation, potential for broken development environments.
**Recommendation:**
* Enhance `postCreateCommand` with more robust validation checks, potentially leveraging the improved `test.sh` script.
* Consider making `remoteUser` configurable if dynamic user names are anticipated.
---
### 10. Git Status
**Issue:** Uncommitted changes and untracked files.
**Details:** The `git status` command reveals numerous modified and untracked files.
**Impact:** Indicates ongoing work, but also a lack of regular commits, which can lead to larger, harder-to-review changes, and potential loss of work.
**Recommendation:** Encourage more frequent, smaller commits to facilitate easier review and better version control.
---
### Conclusion
The ToolboxStack project, in its current state, is fundamentally flawed. It exhibits a systemic disregard for efficiency, best practices, and security across its Docker configurations, build scripts, and documentation. The pervasive redundancy, inefficiency, and security vulnerabilities will lead to bloated images, slow development cycles, and a high risk of undetected issues. A complete overhaul, focusing on Docker best practices, robust scripting, and accurate documentation, is urgently required.

118
ToolboxStack/collab/WORKLOG.md
View File

@@ -1,26 +1,26 @@
# 📔 ToolboxStack Work Log
A comprehensive record of work conducted on the ToolboxStack component of TSYSDevStack, documenting progress, challenges, solutions, and learnings.
> **A comprehensive record of work conducted on the ToolboxStack component of TSYSDevStack**
Documenting progress, challenges, solutions, and learnings throughout the development process.
---
## 📚 Table of Contents
- [📅 Thursday, October 30, 2025](#-thursday-october-30-2025)
- [🕐 08:00 - Initial Setup & Gemini Audit](#-0800---initial-setup--gemini-audit)
- [🕐 09:30 - Issue Identification & Planning](#-0930---issue-identification--planning)
- [🕐 10:00 - Implementing Fixes](#-1000---implementing-fixes)
- [🕐 11:00 - Testing & Verification](#-1100---testing--verification)
- [🕐 13:30 - Further Investigation & Cleanup](#-1330---further-investigation--cleanup)
- [🕐 14:15 - Audit & Issue Identification](#-1415---audit--issue-identification)
- [🕐 15:00 - Reverting Problematic Changes](#-1500---reverting-problematic-changes)
- [🕐 16:30 - Testing & Verification](#-1630---testing--verification-1)
- [🕐 17:15 - Creating DocStack Toolbox](#-1715---creating-docstack-toolbox)
- [🕐 18:00 - Adding Game to DocStack (Test)](#-1800---adding-game-to-docstack-test)
- [🕐 19:00 - Cleaning Up & Preparation](#-1900---cleaning-up--preparation)
- [📈 Progress Summary](#-progress-summary)
- [🎯 Next Steps](#-next-steps)
- [💡 Key Learnings](#-key-learnings)
- [🛠️ Tools & Technologies Used](#-tools--technologies-used)
- [📊 Challenges & Solutions](#-challenges--solutions)
- [📝 Notes & Observations](#-notes--observations)
| 🗓️ **Date** | 🕒 **Time** | 📋 **Activity** | ✅ **Status** |
|-------------|-------------|-----------------|---------------|
| [📅 Thursday, October 30, 2025](#-thursday-october-30-2025) | [🕐 08:00](#-0800---initial-setup--gemini-audit) | Initial Setup & Gemini Audit | ✅ Completed |
| | [🕐 09:30](#-0930---issue-identification--planning) | Issue Identification & Planning | ✅ Completed |
| | [🕐 10:00](#-1000---implementing-fixes) | Implementing Fixes | ✅ Completed |
| | [🕐 11:00](#-1100---testing--verification) | Testing & Verification | ✅ Completed |
| | [🕐 13:30](#-1330---further-investigation--cleanup) | Further Investigation & Cleanup | ✅ Completed |
| | [🕐 14:15](#-1415---audit--issue-identification) | Audit & Issue Identification | ✅ Completed |
| | [🕐 15:00](#-1500---reverting-problematic-changes) | Reverting Problematic Changes | ✅ Completed |
| | [🕐 16:30](#-1630---testing--verification-1) | Testing & Verification | ✅ Completed |
| | [🕐 17:15](#-1715---creating-docstack-toolbox) | Creating DocStack Toolbox | ✅ Completed |
| | [🕐 18:00](#-1800---adding-game-to-docstack-test) | Adding Game to DocStack (Test) | ✅ Completed |
| | [🕐 19:00](#-1900---cleaning-up--preparation) | Cleaning Up & Preparation | ✅ Completed |
---
@@ -230,10 +230,10 @@ A comprehensive record of work conducted on the ToolboxStack component of TSYSDe
---
## 📈 Progress Summary
## 📊 Progress Summary
| Time | Activity | Status |
|------|----------|--------|
| 🕐 **Time** | 🛠️ **Activity** | ✅ **Status** |
|-------------|-----------------|---------------|
| 08:00 | Initial Setup & Gemini Audit | ✅ Completed |
| 09:30 | Issue Identification & Planning | ✅ Completed |
| 10:00 | Implementing Fixes | ✅ Completed |
@@ -250,43 +250,47 @@ A comprehensive record of work conducted on the ToolboxStack component of TSYSDe
## 🎯 Next Steps
1. **Fresh rebuild of toolbox-base** with clean cache
2. **Rebuild DocStack** with all documentation tools
3. **Add additional tools** as requested (quarto, mdbook, marp, typst, markwhen, joplin)
4. **Create comprehensive testing** for all tools
5. **Document all tools** in README with usage examples
| 🔢 **#** | 🚀 **Action** | 📋 **Details** |
|----------|----------------|----------------|
| 1 | **Fresh rebuild of toolbox-base** | With clean cache |
| 2 | **Rebuild DocStack** | With all documentation tools |
| 3 | **Add additional tools** | As requested (quarto, mdbook, marp, typst, markwhen, joplin) |
| 4 | **Create comprehensive testing** | For all tools |
| 5 | **Document all tools** | In README with usage examples |
---
## 💡 Key Learnings
1. **Change Management**: Always audit AI-generated changes carefully before accepting
2. **Docker Buildx**: Container driver has limitations with local images; default driver works better
3. **Aqua Behavior**: Lazy installation is standard, not a bug
4. **User Permissions**: Proper switching between root and non-root users in Dockerfiles is critical
5. **Package Compatibility**: Some packages have issues with newer Node.js versions
| 🔢 **#** | 🧠 **Learning** | 💬 **Details** |
|----------|-----------------|----------------|
| 1 | **Change Management** | Always audit AI-generated changes carefully before accepting |
| 2 | **Docker Buildx** | Container driver has limitations with local images; default driver works better |
| 3 | **Aqua Behavior** | Lazy installation is standard, not a bug |
| 4 | **User Permissions** | Proper switching between root and non-root users in Dockerfiles is critical |
| 5 | **Package Compatibility** | Some packages have issues with newer Node.js versions |
---
## 🛠️ Tools & Technologies Used
| Tool | Purpose | Status |
|------|---------|--------|
| Docker | Containerization platform | ✅ Working |
| Docker Buildx | Multi-platform image builder | ✅ Working (with fixes) |
| Aqua | CLI tool manager | ✅ Working |
| Mise | Runtime manager | ✅ Working |
| Git | Version control | ✅ Working |
| Zsh | Shell environment | ✅ Working |
| Oh My Zsh | Shell framework | ✅ Working |
| Starship | Prompt customization | ✅ Working |
| 🔧 **Tool** | 📋 **Purpose** | ✅ **Status** |
|-------------|----------------|---------------|
| 🐳 Docker | Containerization platform | ✅ Working |
| 🏗️ Docker Buildx | Multi-platform image builder | ✅ Working (with fixes) |
| 💧 Aqua | CLI tool manager | ✅ Working |
| 🪄 Mise | Runtime manager | ✅ Working |
| 🧭 Git | Version control | ✅ Working |
| 🐚 Zsh | Shell environment | ✅ Working |
| 💎 Oh My Zsh | Shell framework | ✅ Working |
| Starship | Prompt customization | ✅ Working |
---
## 📊 Challenges & Solutions
| Challenge | Solution | Outcome |
|----------|----------|---------|
| 🚧 **Challenge** | 🛠️ **Solution** | 📈 **Outcome** |
|------------------|-----------------|----------------|
| Gemini's problematic changes | Systematic audit and revert | ✅ Resolved |
| Docker Buildx local image access | Switch to default driver | ✅ Resolved |
| Aqua package installation timing | Accept lazy installation behavior | ✅ Understood |
@@ -297,10 +301,26 @@ A comprehensive record of work conducted on the ToolboxStack component of TSYSDe
## 📝 Notes & Observations
- The ToolboxStack architecture is well-designed for extensibility
- Aqua's lazy installation approach is actually beneficial for image size
- Regular maintenance and cleanup are important for healthy Docker environments
- Thorough testing after changes prevents downstream issues
- Documentation should be updated alongside code changes
| 📌 **Note** | 📝 **Details** |
|-------------|----------------|
| 🏗️ **Architecture** | The ToolboxStack architecture is well-designed for extensibility |
| 🧘 **Aqua Efficiency** | Aqua's lazy installation approach is actually beneficial for image size |
| 🧹 **Maintenance** | Regular maintenance and cleanup are important for healthy Docker environments |
| 🧪 **Testing** | Thorough testing after changes prevents downstream issues |
| 📚 **Documentation** | Documentation should be updated alongside code changes |
---
## 📅 Change Log
| 🗓️ **Date** | 📝 **Change** | 👤 **Author** |
|-------------|---------------|---------------|
| 2025-10-30 | Initial work log creation | ToolboxBot |
| 2025-10-30 | Added DocStack creation | ToolboxBot |
| 2025-10-31 | Updated with toolbox-qadocker information | ToolboxBot |
---
## 📄 License
See [LICENSE](../../LICENSE) for full terms.

95
ToolboxStack/collab/prompts/AuditPrompt.md
View File

@@ -1,95 +0,0 @@
## Qwen Audit
Please orient yourself in exhaustive detail and depth to this entire directory tree.
The purpose of this directory treee is to create a set of "toolbox" containers for myself (as CTO) and my team of AI coding agents to use to implment all of my ideas.
Your role in this chat is to conduct a series of ongoing
- exhaustive
- in depth
- brutal
- no stone left unturned
audits of this directory tree.
You will be taking on the roles of
Docker expert
tooling expert
senior staff level developer/architect/tester/DEVOPS/SRE
and you will conduct an audit and produce a report.
Your audit should cover:
- Docker build optimization,
- Dockerfile correctness
- Build caching
- security best practices,
- docker development environment best practices,
- best common practices in general for (dockerized) development/tooling stacks
- any other criteria you feel is prudent in the subject area
- assessment of all existing toolboxes (base, DocStack, QADocker, and any others)
When I say the words "perform QA"
You will write out a human-readable report to :
collab/audits/YYYY/MM/DD/HHMM/QAReport.md (using the local system time).
The human-readable report should use icons/headers/tables/graphics and be very beautiful and easy to digest.
You will write out an llm optimized report to
collab/audits/YYYY/MM/DD/HHMM/QAReport.LLM (using the local system time).
Keep in mind that I will feed your LLM optimized report to the other qwen chat for implementation. So it should be fully optimized for an LLM to follow and implement.
Be advised another QWEN is actively working in this directory tree making toolboxes for me. So confine your write operations to collab/audits please.
You have another role as well.
When I say the words "give advice"
You will write out a human readable report to :
collab/advisor/YYYY/MM/DD/HHMM/AdvisorReport.md (using the local system time).
The human readable report should use icons/headers/tables/graphics and be very beautiful and easy to digest.
You will write out an llm optimized report to
collab/advisor/YYYY/MM/DD/HHMM/AdvisorReport.LLM (using the local system time).
Keep in mind that I will feed your LLM optimized report to the other qwen chat for implementation. So it should be fully optimized for an LLM to follow and implement.
To make suggestions and give feedback on
- tools to add
- how to split up the containers
- what needs to go into base toolbox vs specialized toolboxes
Some context:
My projects span:
- Extensive documentation generation needs (PDFs, websites) of governance documents, reports, proposals, project plans, budgets etc.
- Software development (full SDLC) across: node,python,php, ruby, perl, java, rust, c and c++ (including embedded development, cross compiling),
nix (embedded systems builds for aeronautical applications where we need complete reproducibility), web application development, desktop GUI development etc
The ToolboxStack is for "inner loop" operations (edit/compile/test) only.
I have another stack for build/packaging/release operations and another stack for support functions (like atuin/mailhog etc).
## Enhanced Audit Process
The audit process now includes automated assessment of all existing toolboxes using the script at collab/audit-all-toolboxes.sh.
When performing an audit using the "perform QA" command, this script will be run automatically to analyze all toolboxes in the system, and the results will be incorporated into both the human-readable and LLM-optimized reports.
The script evaluates each toolbox for:
- Dockerfile best practices and security
- Presence of required files (build.sh, run.sh, test.sh, etc.)
- Documentation completeness (README.md, PROMPT, SEED)
- Tool configuration (aqua.yaml, etc.)
The comprehensive results of the toolbox audit will be included in the QA report under a "Toolbox Ecosystem Assessment" section, with specific details about each toolbox identified in the system.

45
ToolboxStack/collab/prompts/FeatureWork/toolbox-qadocker.md Normal file
View File

@@ -0,0 +1,45 @@
The first toolbox we need to build is for performing audit/QA work on the custom toolbox images we are trying to build.
Finish the design/validation/auditing/building/testing of the
tsysdevstack-toolboxstack-toolbox-qadocker
dockerimage.
This will be the ONLY image that we build (other than tsysdevstack-toolboxstack-toolbox-base itself) which DOES NOT use the toolbox-base image as its foundation.
The toolbox-qadocker image is used for bootstrap purposes and is meant to audit toolbox-base and every other custom toolbox we make.
The toolbox-qadocker image should be minimal, simple. It should be easy to extend, it should be able to be re-built quickly.
Adopt all best common practices
Add in
- hadolint
- docky
- dive
and other useful qa/linting tools for QA of Dockerfile/shellscripts etc commonly used in the docker image build/release process.
Ensure it will be useful for auditing docker images (hadolint etc). Its meant to run quickly and be utilized by AI CLI agents when they are making container images.
Do the work in:
output/toolbox-qadocker
Ensure the container image builds and the tools work
Use it to QA itself.
DO NOT USE root for anything but apt-get and bootstrapping aqua if needed.
All work that can be done as the qadocker user should be done as the qadocker user
Optimize the Dockerfile that you generate.
Check it for errors.
Ensure it will past the strictest linting checks.
DO NOT USE ANY OTHER MATERIAL IN THIS PROJECT for your work.
Do the image creation completely from scratch.

52
ToolboxStack/output/NewToolbox.sh
View File

@@ -1,52 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
if [[ $# -ne 1 ]]; then
echo "Usage: $0 <toolbox-name>" >&2
exit 1
fi
RAW_NAME="$1"
if [[ "${RAW_NAME}" == toolbox-* ]]; then
TOOLBOX_NAME="${RAW_NAME}"
else
TOOLBOX_NAME="toolbox-${RAW_NAME}"
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TEMPLATE_DIR="${SCRIPT_DIR}/toolbox-template"
TARGET_DIR="${SCRIPT_DIR}/${TOOLBOX_NAME}"
if [[ ! -d "${TEMPLATE_DIR}" ]]; then
echo "Error: template directory not found at ${TEMPLATE_DIR}" >&2
exit 1
fi
if [[ -e "${TARGET_DIR}" ]]; then
echo "Error: ${TARGET_DIR} already exists" >&2
exit 1
fi
cp -R "${TEMPLATE_DIR}" "${TARGET_DIR}"
python3 - "$TARGET_DIR" "$TOOLBOX_NAME" <<'PY'
import sys
from pathlib import Path
base = Path(sys.argv[1])
toolbox_name = sys.argv[2]
for path in base.rglob("*"):
if not path.is_file():
continue
text = path.read_text()
updated = text.replace("{{toolbox_name}}", toolbox_name)
if updated != text:
path.write_text(updated)
PY
echo "Created ${TARGET_DIR} from template."
echo "Next steps:"
echo " 1) Edit ${TARGET_DIR}/SEED once to describe the toolbox goals."
echo " 2) Load ${TARGET_DIR}/PROMPT in Codex; it will instruct you to read SEED and proceed."

19
ToolboxStack/output/PROMPT
View File

@@ -1,19 +0,0 @@
You are Codex helping with TSYSDevStack ToolboxStack deliverables.
Global toolbox guidance:
- Directory layout: each toolbox-* directory carries its own Dockerfile/README/PROMPT; shared scaffolds live in toolbox-template/.devcontainer and docker-compose.yml.
- Use ./NewToolbox.sh <name> to scaffold a new toolbox-* directory from toolbox-template.
- Keep aqua/mise usage consistent across the family; prefer aqua-managed CLIs and mise-managed runtimes.
- Reference toolbox-template when bootstrapping a new toolbox. Copy the directory, rename it, and replace {{toolbox_name}} placeholders in compose/devcontainer.
- Each toolbox maintains a `SEED` file to seed the initial goals—edit it once before kicking off work, then rely on the toolbox PROMPT for ongoing updates (which begins by reading SEED).
- Default build workflow: `./build.sh` produces a `:dev` tag; `./release.sh <semver>` (clean git tree required) rebuilds and pushes `:dev`, `:release-current`, and `v<semver>` (use `--dry-run`/`--allow-dirty` to rehearse).
- Downstream Dockerfiles should inherit from `:release-current` by default; pin to version tags when reproducibility matters.
Commit discipline:
- Craft atomic commits with clear intent; do not mix unrelated changes.
- Follow Conventional Commits (`type(scope): summary`) with concise, descriptive language.
- Commit frequently as features evolve, keeping diffs reviewable.
- After documentation/tooling changes, run ./build.sh to ensure the image builds, then push once the build succeeds.
- Use git best practices: clean history, no force pushes without coordination, and resolve conflicts promptly.
Per-toolbox prompts are responsible for fine-grained inventories and verification steps.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/0600cbad4e2f0cdb4ae8d8533ab69525d369ca15d451f5c7215f5cd135ee7a3d
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/137fd46d0711c93cbe2cf57ddb09f37eb24b4542fb12bb74d24756ea8e522009
View File

Binary file not shown.

1
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/214e3893ab3153850b5a55eab42170633de27abdfdf4c8a484a29526ffec7dee
View File

File diff suppressed because one or more lines are too long

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/3b4ce4b48b458dbb5687c43255d739107ce2eddebfe0d654246f91a45fb47b4a
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/48cc916780062e22ab0511f6b73f513ab95aa8508c89cbe0df11dea5efd97c21
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/4b3ffd8ccb5201a0fc03585952effb4ed2d1ea5e704d2e7330212fb8b16c86a3
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/4e1a5932682ec5d9fb15702f0adaf8dad355c04f120a679cec4e3cff2aee0177
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
View File

Binary file not shown.

1
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/57727d7f67e96e68579a1d1b87349901af04fd8c875b2e3ef53c7ddb75f0dfbf
View File

File diff suppressed because one or more lines are too long

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/5b030c429c991160dd20644ccb559139d07e37a8fe1fe0d8ce2fcb4f252cbc09
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/6bf4253d4f85f2f549faf6637b325b8a5d4cbba12ee1de03afd9e64d62ed238d
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/721b30d72b06064615bfecf6e0fcd6052f40fed6bb96105b8619fe5d5f4ad121
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/761ba886fa278fde5f732d9e81d1925169a92d0d8e78fcfb12d25f494746069f
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/761e328889ea591c67937dd448fee95d1408117d66d59521dcd8a5f696158e52
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/7de8da5c93b1a4688ac6bf752b44ef1a9fb6d8fc4ef239fba210fec137b7c197
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/8e1ea2ada4d8df15a4e596c50d05d446122951e27636b4a8ef65e14cf0eb04ad
View File

Binary file not shown.

1
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/998089039b2fdc65d5babf923e2cfa742c67ca058b169ea8cb9f368b2f5f493c
View File

File diff suppressed because one or more lines are too long

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/9991a339ab196f31dc1e2e82452e3ef95326965f279f1430d480caa178e901e8
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/9c25597a62c69bd8153cb7bcc8289b384d927613b5ec9c6c3d92aa971f965676
View File

Binary file not shown.

1
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/b67ce052e76b308d4e0f2e7d1a9dab6b078f9b22d981f7ab36916ea34f2ff06f
View File

File diff suppressed because one or more lines are too long

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/bc654a1de1f8d2af6b6152495ff3e5fd2b4b67dc5c020ca582607fd9489d614f
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/c73374b4e053028d74c25050b32bc6878be46ce805c9a4d2131d3660966227ae
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/c823cb6e578625d7ffaaeaba5ebc38b3282c0ac847006f3f320bed638324f996
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/ca6878747b5947e9bb4cbc3a9b0c3323f63043e80f1c5a25f5b073982a562a38
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/eea9736d467a1c0467cb6cc5c5ad77847197862c18e853787534c58279010e66
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/f9dfc8e6ece6d74060e3baafa753bc1c50f4cefbbc52659bd08943c0fb6f4c75
View File

Binary file not shown.

BIN
ToolboxStack/output/toolbox-QADocker/.build-cache/blobs/sha256/fb3794aafa934beb48d5ae0dc07d6ce64c6154e2b0f1846e98408b0eab6665da
View File

Binary file not shown.

1
ToolboxStack/output/toolbox-QADocker/.build-cache/index.json
View File

@@ -1 +0,0 @@
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:b67ce052e76b308d4e0f2e7d1a9dab6b078f9b22d981f7ab36916ea34f2ff06f","size":8758,"annotations":{"org.opencontainers.image.ref.name":"latest"}}]}

1
ToolboxStack/output/toolbox-QADocker/.build-cache/oci-layout
View File

@@ -1 +0,0 @@
{"imageLayoutVersion":"1.0.0"}

25
ToolboxStack/output/toolbox-QADocker/.devcontainer/devcontainer.json
View File

@@ -1,25 +0,0 @@
{
"name": "TSYSDevStack Docker QA Toolbox",
"dockerComposeFile": [
"../docker-compose.yml"
],
"service": "toolbox-qadocker",
"workspaceFolder": "/workspace",
"remoteUser": "toolbox",
"runServices": [
"toolbox-qadocker"
],
"overrideCommand": false,
"postCreateCommand": "zsh -lc 'echo \"Docker QA environment ready. Available tools: trivy, hadolint, docker, dockerfilelint\"'",
"mounts": [
"source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
],
"customizations": {
"vscode": {
"extensions": [
"ms-azuretools.vscode-docker",
"hadolint.hadolint"
]
}
}
}

101
ToolboxStack/output/toolbox-QADocker/AUDIT_CHECKLIST.md
View File

@@ -1,101 +0,0 @@
# 🛡️ Docker QA Toolbox Audit Checklist
This checklist ensures the Docker QA toolbox meets all security, functionality, and maintainability requirements for Docker image auditing.
## 🔒 Security Audit
- [ ] All packages installed with specific versions (no `latest` tags)
- [ ] All external downloads verified with checksums/signatures
- [ ] No root access possible at runtime (sudo removed)
- [ ] Non-root user properly configured with UID/GID mapping
- [ ] No hardcoded secrets or credentials in image
- [ ] Minimal attack surface (unnecessary packages removed)
- [ ] Regular security scanning implemented (Trivy integration)
- [ ] Base image (Ubuntu) regularly updated
- [ ] All aqua packages verified through registry
- [ ] Docker socket access properly secured
## 🛠️ Functionality Audit
- [ ] All Docker QA tools properly installed and accessible
- [ ] All tools respond to `--version` flag correctly
- [ ] Aqua proxy mechanism properly configured
- [ ] Docker access to host daemon working correctly
- [ ] Security scanning tools (Trivy, Hadolint) functional
- [ ] Dockerfile linting tools working properly
- [ ] Shell configurations properly set up (zsh, bash)
- [ ] Environment variables properly configured
- [ ] PATH correctly set for all tools
- [ ] User home directory properly configured
- [ ] Workspace directory properly set up with correct permissions
## 🏗️ Build Process Audit
- [ ] Dockerfile follows best practices
- [ ] Multi-stage build optimizations implemented
- [ ] Build cache properly utilized
- [ ] Build arguments properly validated
- [ ] Error handling in build scripts comprehensive
- [ ] Build verification tests implemented
- [ ] Image tagging strategy consistent
- [ ] Release process properly documented
## 🧪 Testing Audit
- [ ] Automated testing of all installed tools
- [ ] Integration tests for Docker daemon access
- [ ] Regression tests for known issues
- [ ] Security scanning of built images
- [ ] Performance benchmarks
- [ ] Security scanning during build
## 📚 Documentation Audit
- [ ] README.md accurately reflects current state
- [ ] All tools properly documented
- [ ] Usage examples for Docker QA workflows provided
- [ ] Troubleshooting guide included
- [ ] Contribution guidelines clear
- [ ] License information up to date
## 🔄 Maintenance Audit
- [ ] Dependency update strategy defined
- [ ] Version pinning strategy consistent
- [ ] Backward compatibility maintained
- [ ] Deprecation policy established
- [ ] Release notes properly maintained
- [ ] Issue tracking process defined
## 🎯 Specialized QA Features Audit
- [ ] Trivy vulnerability scanning functional
- [ ] Hadolint Dockerfile linting operational
- [ ] Dockerfilelint working correctly
- [ ] Docker history/inspect tools accessible
- [ ] Image layer analysis capabilities present
- [ ] Best practices validation tools available
## 📈 Performance Audit
- [ ] Image size optimized
- [ ] Startup time acceptable
- [ ] Memory footprint reasonable
- [ ] CPU usage within expected bounds
- [ ] Docker scanning performance adequate
## 🌐 Compatibility Audit
- [ ] Works on all supported platforms
- [ ] Docker daemon access functional across platforms
- [ ] Backward compatibility with Docker versions maintained
- [ ] Integration with common CI/CD tools verified
## 🧹 Cleanup Audit
- [ ] Temporary files properly removed
- [ ] Build artifacts cleaned up
- [ ] Cache directories properly managed
- [ ] Log files rotated or removed
- [ ] Orphaned processes prevented
- [ ] Resource leaks eliminated

195
ToolboxStack/output/toolbox-QADocker/Dockerfile
View File

@@ -1,195 +0,0 @@
# Multi-stage approach to minimize final image size and attack surface
FROM ubuntu:24.04 AS installer
ARG USER_ID=1000
ARG GROUP_ID=1000
ARG USERNAME=toolbox
ARG TEA_VERSION=0.11.1
ENV DEBIAN_FRONTEND=noninteractive
# ROOT STAGE 1: System package installation for Docker QA tools only
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
git \
jq \
bc \
locales \
openssh-client \
zsh \
unzip \
zip \
python3 \
python3-pip \
wget \
# Docker and container tools \
docker.io \
# Security scanning tools \
clamav \
# Static analysis tools \
shellcheck \
# JSON/YAML tools \
yq \
# Development tools for custom scripts \
make \
gcc \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# ROOT: Configure locale
RUN locale-gen en_US.UTF-8
ENV LANG=en_US.UTF-8 \
LANGUAGE=en_US:en \
LC_ALL=en_US.UTF-8
# ROOT: Create non-root user with matching UID/GID for host mapping
RUN if getent passwd "${USER_ID}" >/dev/null; then \
existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
userdel --remove "${existing_user}"; \
fi \
&& if ! getent group "${GROUP_ID}" >/dev/null; then \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
fi \
&& useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"
# ROOT: Set up toolbox user home directory with proper permissions
RUN chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
# SWITCH TO NON-ROOT USER: All further operations as toolbox user
USER ${USERNAME}
WORKDIR /home/${USERNAME}
# NON-ROOT: Install mise runtime manager for toolbox user
RUN curl -sSfL https://mise.jdx.dev/install.sh | sh
# NON-ROOT: Update PATH for mise tools
ENV PATH=/home/${USERNAME}/.local/bin:/home/${USERNAME}/.local/share/mise/shims:$PATH
# NON-ROOT: Install Node.js via mise as toolbox user
RUN mise install node@22.13.0 && mise use -g node@22.13.0
# NON-ROOT: Install aqua package manager for toolbox user
RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer > /tmp/aqua-installer.sh && \
chmod +x /tmp/aqua-installer.sh && \
AQUA_ROOT_DIR=/home/${USERNAME}/.local/share/aquaproj-aqua /tmp/aqua-installer.sh && \
rm /tmp/aqua-installer.sh
# NON-ROOT: Update PATH for aqua tools
ENV PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:$PATH
# NON-ROOT: Install Oh My Zsh
RUN git clone --depth=1 https://github.com/ohmyzsh/ohmyzsh.git ~/.oh-my-zsh
# NON-ROOT: Configure shells (zsh, bash) with all customizations
RUN cp ~/.oh-my-zsh/templates/zshrc.zsh-template ~/.zshrc \
&& sed -i "s/^plugins=(git)$/plugins=(git docker docker-compose)/" ~/.zshrc \
&& printf "\nexport PATH=\"\$HOME/.local/share/aquaproj-aqua/bin:\$HOME/.local/share/mise/shims:\$HOME/.local/bin:\$PATH\"\n" >> ~/.zshrc \
&& printf "\n# Starship prompt\neval \"\$(starship init zsh)\"\n" >> ~/.zshrc \
&& printf "\n# mise runtime manager\neval \"\$(mise activate zsh)\"\n" >> ~/.zshrc \
&& printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook zsh)\"\n" >> ~/.zshrc \
&& printf "\nexport AQUA_GLOBAL_CONFIG=\"\$HOME/.config/aquaproj-aqua/aqua.yaml\"\n" >> ~/.bashrc \
&& printf "\n# mise runtime manager (bash)\neval \"\$(mise activate bash)\"\n" >> ~/.bashrc \
&& printf "\n# direnv\nexport DIRENV_LOG_FORMAT=\"\"\neval \"\$(direnv hook bash)\"\n" >> ~/.bashrc
# NON-ROOT: Install aqua packages for Docker QA tools
RUN mkdir -p ~/.config/aquaproj-aqua \
&& echo "version: 1.0.0\nregistries:\n - type: standard\n ref: v4.431.0\npackages:\n - name: aquasecurity/trivy@v0.54.1\n - name: hadolint/hadolint@v2.14.0\n - name: github/gh@v2.69.0\n - name: dandavison/delta@0.18.2\n - name: ajeetdsouza/zoxide@v0.9.8\n - name: mikefarah/yq@v4.48.1\n - name: direnv/direnv@v2.37.1" > ~/.config/aquaproj-aqua/aqua.yaml \
&& aqua install \
&& aqua install --all
# NON-ROOT: Install additional Docker QA tools via npm
RUN mise exec -- npm install -g dockerfilelint@latest && mise reshim
# NON-ROOT: Install additional Python-based tools using --break-system-packages
RUN pip3 install --break-system-packages docker-image-py
# ROOT: Set up workspace directory
USER root
RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
USER ${USERNAME}
# NON-ROOT: Verify all tools are accessible during build
RUN bash -c 'command -v docker && command -v dockerfilelint' \
&& bash -c 'docker --version && node --version && npm --version'
# NON-ROOT: Final mise reshim to ensure all tools are properly linked
RUN mise reshim
# FINAL STAGE: Copy completed setup to minimize image and enhance security
FROM ubuntu:24.04
ARG USER_ID=1000
ARG GROUP_ID=1000
ARG USERNAME=toolbox
ARG TEA_VERSION=0.11.1
ENV DEBIAN_FRONTEND=noninteractive
# ROOT: Install minimal runtime dependencies only
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
git \
jq \
bc \
locales \
openssh-client \
zsh \
unzip \
zip \
python3 \
docker.io \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# ROOT: Restore system-wide configurations
RUN locale-gen en_US.UTF-8
ENV LANG=en_US.UTF-8 \
LANGUAGE=en_US:en \
LC_ALL=en_US.UTF-8
# ROOT: Create non-root user with matching UID/GID for host mapping
RUN if getent passwd "${USER_ID}" >/dev/null; then \
existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
userdel --remove "${existing_user}"; \
fi \
&& if ! getent group "${GROUP_ID}" >/dev/null; then \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
fi \
&& useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"
# ROOT: Copy the complete user environment from the installer stage
COPY --from=installer --chown=${USER_ID}:${GROUP_ID} /home/${USERNAME} /home/${USERNAME}
# ROOT: Create workspace directory
RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
# ROOT: Install system-wide tools (tea and starship) which were in the source image
RUN curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" -o /tmp/tea \
&& curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64.sha256" -o /tmp/tea.sha256 \
&& sed -n 's/ .*//p' /tmp/tea.sha256 | awk '{print $1 " /tmp/tea"}' | sha256sum -c - \
&& install -m 0755 /tmp/tea /usr/local/bin/tea \
&& rm -f /tmp/tea /tmp/tea.sha256
RUN curl -fsSL https://starship.rs/install.sh | sh -s -- -y -b /usr/local/bin
# ROOT: Security hardening - remove sudo if present
RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
# ROOT: Final environment variables
ENV PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
ENV SHELL=/usr/bin/zsh \
AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml
# FINAL USER: Switch to toolbox user for runtime
USER ${USERNAME}
WORKDIR /workspace
CMD ["/usr/bin/zsh"]

34
ToolboxStack/output/toolbox-QADocker/PROMPT
View File

@@ -1,34 +0,0 @@
# Docker QA Toolbox Prompt
You are an AI assistant working inside the Docker QA Toolbox container. Your purpose is to assist with Docker image auditing, security scanning, and quality assurance.
## Your Environment
- You're running as the 'toolbox' user with the same UID/GID as the host user
- You have access to the Docker daemon via the mounted socket
- You're in a bash shell with access to various Docker auditing tools
## Your Capabilities
1. Scan Docker images for vulnerabilities using Trivy
2. Lint Dockerfiles using Hadolint and dockerfilelint
3. Analyze Docker image layers and composition
4. Validate Docker best practices
5. Perform security audits of container images
6. Generate reports on Docker image quality
## Common Commands
- `trivy image <image-name>` - Scan an image for vulnerabilities
- `hadolint <Dockerfile>` - Lint a Dockerfile against best practices
- `dockerfilelint <Dockerfile>` - Additional Dockerfile linting
- `docker history <image-name>` - Show image layer history
- `docker inspect <image-name>` - Show image metadata
- `docker run --rm -it <image-name> /bin/sh` - Inspect image contents interactively
## Best Practices to Follow
1. Always scan images before deploying to production
2. Use multi-stage builds to minimize attack surface
3. Run containers as non-root users
4. Pin base image versions rather than using 'latest'
5. Regularly update base images and packages
6. Verify checksums when downloading external binaries
Remember: The workspace directory is mounted from your host system, so you can analyze Dockerfiles and images from the host.

85
ToolboxStack/output/toolbox-QADocker/README.md
View File

@@ -1,85 +0,0 @@
# 🛡️ Docker QA Toolbox
A specialized development environment for Docker image auditing, security scanning, and quality assurance.
## 🚀 Quick Start
```bash
cd output/toolbox-QADocker
./build.sh # build the image with UID/GID matching your host
./run.sh up # launch the toolbox-qadocker service in the background
docker exec -it tsysdevstack-toolboxstack-toolbox-qadocker zsh
```
Use `./run.sh down` to stop the container when you are finished.
## 🧰 Included Tools
### Security Scanning
- **Trivy** - Comprehensive vulnerability scanner for containers and code
- **ClamAV** - Antivirus scanner for file system analysis
- **Hadolint** - Dockerfile linter for best practices
### Docker Analysis
- **Dockerfilelint** - Node.js-based Dockerfile linter
- **Docker** - Docker CLI with access to host Docker daemon via socket
- **Docker Buildx** - Docker CLI plugin for extended build capabilities
### Development Tools
- **Git** - Version control system
- **Zsh** - Interactive shell with Oh My Zsh framework
- **Mise** - Runtime manager for language versions
- **Aqua** - CLI tool manager
- **YQ** - YAML/JSON processor
- **JQ** - JSON processor
## 📋 QA Workflows
### Security Scanning
```bash
# Scan a Docker image with Trivy
trivy image <your-image-name>
# Scan a Dockerfile with Hadolint
hadolint Dockerfile
# Scan a Dockerfile with dockerfilelint
dockerfilelint Dockerfile
```
### Image Analysis
```bash
# Analyze image layers and size
docker history <your-image-name>
# Extract image contents for analysis
docker save <your-image-name> -o image.tar
tar -xf image.tar
```
### Best Practices Validation
The toolbox includes tools to validate Docker best practices:
- Hadolint for Dockerfile best practices
- Trivy for security vulnerabilities
- Docker's own best practices recommendations
## ⚙️ Configuration
The toolbox is configured to:
- Run as a non-root user with host UID/GID mapping
- Access the host Docker daemon via socket mounting
- Include both Docker build and runtime analysis tools
- Follow security best practices (no sudo, minimal attack surface)
## 🔐 Security Features
- Non-root user execution with UID/GID mapping
- Sudo is removed from the final image
- Multi-stage build minimizing attack surface
- Regular security scanning capabilities
## 🤖 AI Agent
This toolbox is maintained by **ToolboxBot**, an AI agent focused on Docker QA tooling.
## 📄 License
See [LICENSE](../LICENSE) for full terms.

26
ToolboxStack/output/toolbox-QADocker/SEED
View File

@@ -1,26 +0,0 @@
# Docker QA Toolbox SEED
## Purpose
This toolbox is specifically designed for Docker image auditing, security scanning, and quality assurance. It provides a comprehensive set of tools to analyze, validate, and secure Docker images and Dockerfiles.
## Core Functionality
- Security scanning of Docker images using Trivy
- Linting of Dockerfiles using Hadolint and dockerfilelint
- Analysis of Docker image composition and layers
- Validation of Docker best practices
- Compliance checking against security standards
## Target Use Cases
- Pre-deployment security scanning of Docker images
- Dockerfile quality validation in CI/CD pipelines
- Docker image composition analysis
- Security audit of existing container images
- Verification of container best practices
## Key Tools
- Trivy: Comprehensive vulnerability scanner
- Hadolint: Dockerfile linter for best practices
- Dockerfilelint: Additional Dockerfile validation
- Docker CLI: Direct access to Docker daemon
- Mise: Runtime version management
- Aqua: CLI tool management

22
ToolboxStack/output/toolbox-QADocker/aqua.yaml
View File

@@ -1,22 +0,0 @@
version: 1.0.0
registries:
- type: standard
ref: v4.431.0
packages:
# Docker and container analysis tools
- name: aquasecurity/trivy@v0.54.1
- name: hadolint/hadolint@v2.14.0
# GitHub and collaboration tools
- name: cli/cli@v2.82.1
# Environment and runtime management
- name: direnv/direnv@v2.37.1
- name: dandavison/delta@0.18.2
- name: ajeetdsouza/zoxide@v0.9.8
# Development and build tools
- name: mikefarah/yq@v4.48.0
# Configuration management
- name: twpayne/chezmoi@v2.66.1

198
ToolboxStack/output/toolbox-QADocker/build.sh
View File

@@ -1,198 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Security: Validate input parameters to prevent command injection
sanitized_input() {
local input="$1"
# Check for potentially dangerous characters/commands
case "$input" in
*[\;\|\&\`\$]*)
echo "Error: Invalid input detected: $input" >&2
exit 1
;;
esac
}
# Validate dependencies
if ! command -v docker &> /dev/null; then
echo "Error: docker is required but not installed." >&2
exit 1
fi
if ! docker buildx version &> /dev/null; then
echo "Error: docker buildx is required but not available." >&2
exit 1
fi
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Sanitize user input
USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
sanitized_input "$USER_ID"
GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}"
sanitized_input "$GROUP_ID"
USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$USERNAME"
TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}"
sanitized_input "$TEA_VERSION"
BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-builder}"
sanitized_input "$BUILDER_NAME"
CACHE_DIR="${SCRIPT_DIR}/.build-cache"
TAG="${TAG_OVERRIDE:-dev}"
sanitized_input "$TAG"
RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}"
sanitized_input "$RELEASE_TAG"
VERSION_TAG="${VERSION_TAG_OVERRIDE:-}"
if [[ -n "$VERSION_TAG" ]]; then
sanitized_input "$VERSION_TAG"
fi
PUSH="${PUSH_OVERRIDE:-false}"
echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}"
echo "Primary tag: ${TAG}"
# Ensure builder exists
if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
echo "Creating builder: ${BUILDER_NAME}"
if ! docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null; then
echo "Error: Failed to create Docker buildx builder." >&2
exit 1
fi
else
echo "Using existing builder: ${BUILDER_NAME}"
if ! docker buildx use "${BUILDER_NAME}" >/dev/null; then
echo "Error: Failed to use Docker buildx builder." >&2
exit 1
fi
fi
# Ensure cache directory exists
if ! mkdir -p "${CACHE_DIR}"; then
echo "Error: Failed to create cache directory: ${CACHE_DIR}" >&2
exit 1
fi
echo "Starting build..."
BUILD_OUTPUT=$(mktemp)
trap 'rm -f "$BUILD_OUTPUT"' EXIT
# Build the image
if ! docker buildx build \
--builder "${BUILDER_NAME}" \
--load \
--progress=plain \
--build-arg USER_ID="${USER_ID}" \
--build-arg GROUP_ID="${GROUP_ID}" \
--build-arg USERNAME="${USERNAME}" \
--build-arg TEA_VERSION="${TEA_VERSION}" \
--cache-from "type=local,src=${CACHE_DIR}" \
--cache-to "type=local,dest=${CACHE_DIR},mode=max" \
--tag "${IMAGE_NAME}:${TAG}" \
"${SCRIPT_DIR}" 2>&1 | tee "${BUILD_OUTPUT}"; then
echo "Error: Docker build failed. Check output above for details." >&2
exit 1
fi
echo "Build completed successfully."
# Run comprehensive verification tests
echo "Running comprehensive verification tests..."
if ! docker run --rm "${IMAGE_NAME}:${TAG}" zsh -c 'echo "Container starts successfully as $(whoami) user"'; then
echo "Error: Failed to start container with basic test." >&2
exit 1
fi
# Verify core tools are available to toolbox user
echo "Verifying core tools for toolbox user..."
CORE_TOOLS=("zsh" "git" "curl" "jq" "docker" "trivy" "hadolint")
for tool in "${CORE_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" su - toolbox -c "which $tool" >/dev/null 2>&1; then
echo "Error: Core tool '$tool' not found in PATH for toolbox user." >&2
exit 1
fi
done
# Verify Docker QA tools are available to toolbox user
echo "Verifying Docker QA tools for toolbox user..."
QA_TOOLS=("dockerfilelint" "yq")
for tool in "${QA_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" su - toolbox -c "which $tool" >/dev/null 2>&1; then
echo "Error: QA tool '$tool' not found in PATH for toolbox user." >&2
exit 1
fi
done
# Verify Node.js and npm are working properly
echo "Verifying Node.js runtime..."
if ! docker run --rm "${IMAGE_NAME}:${TAG}" su - toolbox -c "node --version && npm --version" >/dev/null 2>&1; then
echo "Error: Node.js or npm not working properly for toolbox user." >&2
exit 1
fi
# Verify mise is managing tools properly
echo "Verifying mise runtime management..."
if ! docker run --rm "${IMAGE_NAME}:${TAG}" su - toolbox -c "mise --version" >/dev/null 2>&1; then
echo "Error: Mise not available for toolbox user." >&2
exit 1
fi
# Verify aqua is managing tools properly
echo "Verifying aqua package management..."
if ! docker run --rm "${IMAGE_NAME}:${TAG}" su - toolbox -c "aqua --version" >/dev/null 2>&1; then
echo "Error: Aqua not available for toolbox user." >&2
exit 1
fi
# Final security check: verify container runs as toolbox user
echo "Verifying runtime security model..."
RUNTIME_USER=$(docker run --rm "${IMAGE_NAME}:${TAG}" whoami)
if [ "$RUNTIME_USER" != "toolbox" ]; then
echo "Error: Container is not running as toolbox user. Current user: $RUNTIME_USER" >&2
exit 1
fi
echo "All verifications passed. Security model is correct."
if [[ "${PUSH}" == "true" ]]; then
echo "Pushing ${IMAGE_NAME}:${TAG}"
if ! docker push "${IMAGE_NAME}:${TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${TAG}" >&2
exit 1
fi
if [[ "${TAG}" == "dev" && -n "${VERSION_TAG}" ]]; then
if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${VERSION_TAG}"; then
echo "Error: Failed to tag ${IMAGE_NAME}:${VERSION_TAG}" >&2
exit 1
fi
echo "Pushing ${IMAGE_NAME}:${VERSION_TAG}"
if ! docker push "${IMAGE_NAME}:${VERSION_TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${VERSION_TAG}" >&2
exit 1
fi
fi
if [[ "${TAG}" == "dev" ]]; then
if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${RELEASE_TAG}"; then
echo "Error: Failed to tag ${IMAGE_NAME}:${RELEASE_TAG}" >&2
exit 1
fi
echo "Pushing ${IMAGE_NAME}:${RELEASE_TAG}"
if ! docker push "${IMAGE_NAME}:${RELEASE_TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${RELEASE_TAG}" >&2
exit 1
fi
fi
fi
# Run security scan if TRIVY is available
if command -v trivy &> /dev/null; then
echo "Running security scan with Trivy..."
trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}"
else
echo "Trivy not found. Install Trivy to perform security scanning."
fi
echo "Build process completed successfully with all verifications and security checks."

23
ToolboxStack/output/toolbox-QADocker/docker-compose.yml
View File

@@ -1,23 +0,0 @@
services:
toolbox-qadocker:
container_name: tsysdevstack-toolboxstack-toolbox-qadocker
image: ${TOOLBOX_IMAGE:-tsysdevstack-toolboxstack-toolbox-qadocker:release-current}
build:
context: .
args:
USER_ID: ${LOCAL_UID:-1000}
GROUP_ID: ${LOCAL_GID:-1000}
USERNAME: ${LOCAL_USERNAME:-toolbox}
user: "${LOCAL_UID:-1000}:${LOCAL_GID:-1000}"
working_dir: /workspace
command: ["sleep", "infinity"]
init: true
tty: true
stdin_open: true
volumes:
- .:/workspace:rw
- /var/run/docker.sock:/var/run/docker.sock:rw
- ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw
- ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw
# Aqua configuration
- ${HOME}/.config/aquaproj-aqua:/home/toolbox/.config/aquaproj-aqua:rw

35
ToolboxStack/output/toolbox-QADocker/release.sh
View File

@@ -1,35 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Validate input parameters
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <version-tag>"
exit 1
fi
VERSION="$1"
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
# Build the image with the version tag
echo "Building ${IMAGE_NAME}:${VERSION}"
if ! docker build --tag "${IMAGE_NAME}:${VERSION}" .; then
echo "Error: Failed to build ${IMAGE_NAME}:${VERSION}" >&2
exit 1
fi
# Run tests
echo "Running tests..."
if ! ./test.sh; then
echo "Error: Tests failed for ${IMAGE_NAME}:${VERSION}" >&2
exit 1
fi
# Create release tag
echo "Creating release tag..."
if ! docker tag "${IMAGE_NAME}:${VERSION}" "${IMAGE_NAME}:release-current"; then
echo "Error: Failed to create release tag for ${IMAGE_NAME}" >&2
exit 1
fi
echo "Release ${IMAGE_NAME}:${VERSION} completed successfully!"

69
ToolboxStack/output/toolbox-QADocker/run.sh
View File

@@ -1,69 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Security: Validate input parameters to prevent command injection
sanitized_input() {
local input="$1"
# Check for potentially dangerous characters/commands
case "$input" in
*[\;\|\&\`\$]*)
echo "Error: Invalid input detected: $input" >&2
exit 1
;;
esac
}
# Validate dependencies
if ! command -v docker &> /dev/null; then
echo "Error: docker is required but not installed." >&2
exit 1
fi
if ! command -v docker compose &> /dev/null; then
echo "Error: docker compose is required but not installed." >&2
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml"
# Sanitize user input
export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}"
sanitized_input "$LOCAL_UID"
export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}"
sanitized_input "$LOCAL_GID"
export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$LOCAL_USERNAME"
export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-qadocker:release-current}"
sanitized_input "$TOOLBOX_IMAGE"
if [[ ! -f "${COMPOSE_FILE}" ]]; then
echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2
exit 1
fi
ACTION="${1:-up}"
sanitized_input "$ACTION"
shift || true
if [[ "${ACTION}" == "up" ]]; then
# Create necessary directories for the toolbox tools with proper permissions
mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise"
mkdir -p "${HOME}/.config/aquaproj-aqua"
fi
case "${ACTION}" in
up)
docker compose -f "${COMPOSE_FILE}" up --build --detach "$@"
echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-toolbox-qadocker zsh' to access the shell."
;;
down)
docker compose -f "${COMPOSE_FILE}" down "$@"
echo "Container stopped."
;;
*)
echo "Usage: $0 [up|down] [additional docker compose args]" >&2
exit 1
;;
esac

42
ToolboxStack/output/toolbox-QADocker/security-audit.sh
View File

@@ -1,42 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
echo "Running security audit on the current environment..."
# Check for any security issues with the current setup
echo "Checking for common security issues..."
# Check if running as root (should not be)
if [ "$EUID" -eq 0 ]; then
echo "WARNING: Running as root user" >&2
exit 1
else
echo "✓ Running as non-root user"
fi
# Check for sudo access (should not have)
if command -v sudo &> /dev/null; then
echo "WARNING: Sudo is available in the container" >&2
exit 1
else
echo "✓ Sudo correctly removed from container"
fi
# Verify important security tools are available
echo "Checking for security tools..."
if command -v trivy &> /dev/null; then
echo "✓ Trivy security scanner available"
else
echo "✗ Trivy security scanner not available" >&2
exit 1
fi
if command -v hadolint &> /dev/null; then
echo "✓ Hadolint Dockerfile linter available"
else
echo "✗ Hadolint Dockerfile linter not available" >&2
exit 1
fi
echo "Security audit completed successfully!"

41
ToolboxStack/output/toolbox-QADocker/test.sh
View File

@@ -1,41 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
echo "Testing toolbox-QADocker functionality..."
# Test core tools availability
echo "Testing core tools..."
if ! command -v zsh &> /dev/null; then
echo "Error: zsh is not available" >&2
exit 1
fi
if ! command -v git &> /dev/null; then
echo "Error: git is not available" >&2
exit 1
fi
if ! command -v docker &> /dev/null; then
echo "Error: docker is not available" >&2
exit 1
fi
# Test QA tools availability
echo "Testing QA tools..."
if ! command -v trivy &> /dev/null; then
echo "Error: trivy is not available" >&2
exit 1
fi
if ! command -v hadolint &> /dev/null; then
echo "Error: hadolint is not available" >&2
exit 1
fi
if ! command -v dockerfilelint &> /dev/null; then
echo "Error: dockerfilelint is not available" >&2
exit 1
fi
echo "All tests passed! toolbox-QADocker is functional."

2
ToolboxStack/output/toolbox-base/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

43
ToolboxStack/output/toolbox-base/Dockerfile
View File

@@ -57,6 +57,7 @@ RUN ln -sf /usr/bin/fdfind /usr/local/bin/fd \
&& ln -sf /usr/bin/batcat /usr/local/bin/bat
# ROOT: Install Gitea tea CLI (system-wide)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" -o /tmp/tea \
&& curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64.sha256" -o /tmp/tea.sha256 \
&& sed -n 's/ .*//p' /tmp/tea.sha256 | awk '{print $1 " /tmp/tea"}' | sha256sum -c - \
@@ -70,27 +71,32 @@ ENV LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8
# ROOT: Install Starship prompt (system-wide)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -fsSL https://starship.rs/install.sh | sh -s -- -y -b /usr/local/bin
# Install aqua package manager (manages additional CLI tooling)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -sSfL https://raw.githubusercontent.com/aquaproj/aqua-installer/v2.3.1/aqua-installer | AQUA_ROOT_DIR=/usr/local/share/aquaproj-aqua bash \
&& ln -sf /usr/local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua
# Install mise for runtime management (no global toolchains pre-installed)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -sSfL https://mise.jdx.dev/install.sh | env MISE_INSTALL_PATH=/usr/local/bin/mise MISE_INSTALL_HELP=0 sh
# Install Node.js via mise to enable npm package installation
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN mise install node@22.13.0 && mise global node@22.13.0
# Create non-root user with matching UID/GID for host mapping
# Check if user/group already exists and handle appropriately
RUN if getent passwd "${USER_ID}" >/dev/null; then \
RUN set -eux; \
if getent passwd "${USER_ID}" >/dev/null; then \
existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
echo "User with UID ${USER_ID} already exists: ${existing_user}" >&2; \
elif ! getent group "${GROUP_ID}" >/dev/null; then \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
else \
if ! getent group "${GROUP_ID}" >/dev/null; then \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
fi \
useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
fi
@@ -101,6 +107,9 @@ RUN chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
USER ${USERNAME}
WORKDIR /home/${USERNAME}
# Ensure the workspace directory exists with proper permissions
RUN mkdir -p /workspace && chmod 755 /workspace
# NON-ROOT: Install mise runtime manager for toolbox user
RUN curl -sSfL https://mise.jdx.dev/install.sh | sh
@@ -166,9 +175,8 @@ RUN mise exec -- npm install -g bats@1.11.0 && mise reshim
# NON-ROOT: Install BATS testing framework from source (baked into image)
RUN git clone https://github.com/bats-core/bats-core.git /tmp/bats-core \
&& cd /tmp/bats-core \
&& git checkout v1.11.0 \
&& ./install.sh "$HOME/.local" \
&& git -C /tmp/bats-core checkout v1.11.0 \
&& /tmp/bats-core/install.sh "$HOME/.local" \
&& rm -rf /tmp/bats-core
# Prepare workspace directory with appropriate ownership
@@ -178,6 +186,8 @@ RUN mkdir -p /workspace \
# Remove sudo to ensure no root escalation is possible at runtime
RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ENV SHELL=/usr/bin/zsh \
AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml \
PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH}
@@ -244,19 +254,21 @@ ENV LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8
# ROOT: Create user/group structure
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# First clean up any existing user/group with the same ID
RUN if getent passwd "${USER_ID}" >/dev/null; then \
RUN set -eux; \
if getent passwd "${USER_ID}" >/dev/null; then \
existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
userdel --remove "${existing_user}"; \
fi \
&& if getent group "${GROUP_ID}" >/dev/null; then \
fi; \
if getent group "${GROUP_ID}" >/dev/null; then \
groupdel "$(getent group "${GROUP_ID}" | cut -d: -f1)"; \
fi \
fi; \
# Create the group and user
&& groupadd --gid "${GROUP_ID}" "${USERNAME}" \
&& useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}" \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
# Ensure proper ownership of home directory
&& chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
chown -R "${USER_ID}:${GROUP_ID}" "/home/${USERNAME}"
# ROOT: Copy the complete user environment from the installer stage
COPY --from=installer --chown=${USER_ID}:${GROUP_ID} /home/${USERNAME} /home/${USERNAME}
@@ -265,6 +277,7 @@ COPY --from=installer --chown=${USER_ID}:${GROUP_ID} /home/${USERNAME} /home/${U
RUN mkdir -p /workspace && chown "${USER_ID}:${GROUP_ID}" /workspace
# ROOT: Install system-wide tools (tea and starship) which were in the source image
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" -o /tmp/tea \
&& curl -fsSL "https://dl.gitea.io/tea/${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64.sha256" -o /tmp/tea.sha256 \
&& sed -n 's/ .*//p' /tmp/tea.sha256 | awk '{print $1 " /tmp/tea"}' | sha256sum -c - \
@@ -281,6 +294,8 @@ ENV PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.loc
ENV SHELL=/usr/bin/zsh \
AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# FINAL USER: Switch to toolbox user for runtime
USER ${USERNAME}
WORKDIR /workspace

173
ToolboxStack/output/toolbox-base/README.md
View File

@@ -1,64 +1,138 @@
# 🧰 TSYSDevStack Toolbox Base
> **Daily-driver development container with curated tooling**
Daily-driver development container for ToolboxStack work. It provides a reproducible Ubuntu 24.04 environment with curated shell tooling, package managers, and helper scripts.
---
## 🚀 Quick Start
1. **Build the image (local dev tag)**
```bash
./build.sh
```
> Builds and tags the image as `tsysdevstack-toolboxstack-toolbox-base:dev`. Uses `docker buildx` with a local cache at `.build-cache/` for faster rebuilds.
2. **Start the container**
```bash
./run.sh up
```
> Defaults to the `release-current` tag; override with `TOOLBOX_IMAGE_OVERRIDE=...` when testing other tags. Mise runtimes persist to your host in `~/.local/share/mise` and `~/.cache/mise` so language/tool downloads are shared across projects.
3. **Attach to a shell**
```bash
docker exec -it tsysdevstack-toolboxstack-toolbox-base zsh
# or: bash / fish
```
4. **Stop the container**
```bash
./run.sh down
```
| 📋 Step | 🛠️ Command | 📝 Description |
|---------|------------|----------------|
| 1. 🏗️ **Build the image** | `./build.sh` | Builds and tags the image as `tsysdevstack-toolboxstack-toolbox-base:dev`. Uses `docker buildx` with a local cache at `.build-cache/` for faster rebuilds. |
| 2. ▶️ **Start the container** | `./run.sh up` | Defaults to the `release-current` tag; override with `TOOLBOX_IMAGE_OVERRIDE=...` when testing other tags. Mise runtimes persist to your host in `~/.local/share/mise` and `~/.cache/mise` so language/tool downloads are shared across projects. |
| 3. 🔗 **Attach to a shell** | `docker exec -it tsysdevstack-toolboxstack-toolbox-base zsh` | or: `bash` / `fish` |
| 4. ⏹️ **Stop the container** | `./run.sh down` | Stops the running container |
The compose service mounts the current repo to `/workspace` (read/write) and runs as the mapped host user (`toolbox`).
> **💡 Note:** The compose service mounts the current repo to `/workspace` (read/write) and runs as the mapped host user (`toolbox`).
---
## 🏷️ Image Tagging & Releases
- `./build.sh` (no overrides) ⇒ builds `:dev` for active development.
- `./release.sh <semver>` ⇒ rebuilds, retags, and pushes `:dev`, `:release-current`, and `v<semver>` (e.g., `./release.sh 0.2.0`). Requires a clean git tree.
- Add `--dry-run` to rehearse the release without pushing (optionally `--allow-dirty` for experimentation only).
- Downstream Dockerfiles should inherit from `tsysdevstack-toolboxstack-toolbox-base:release-current` (or pin to a semantic tag for reproducibility).
| 🛠️ Operation | 📋 Command | 📝 Details |
|--------------|------------|------------|
| 🏗️ Build Development | `./build.sh` | Builds `:dev` for active development |
| 🚀 Release | `./release.sh <semver>` | Rebuilds, retags, and pushes `:dev`, `:release-current`, and `v<semver>` (e.g., `./release.sh 0.2.0`). Requires a clean git tree. |
| 🧪 Dry Run | `./release.sh --dry-run <semver>` | Rehearse the release without pushing (optionally `--allow-dirty` for experimentation only) |
| 📦 Downstream | `FROM tsysdevstack-toolboxstack-toolbox-base:release-current` | Downstream Dockerfiles should inherit from `release-current` (or pin to a semantic tag for reproducibility) |
---
## 🧩 Tooling Inventory
| Category | Tooling | Notes |
|----------|---------|-------|
| **Shells & Prompts** | 🐚 `zsh` • 🐟 `fish` • 🧑‍💻 `bash` • ⭐ `starship` • 💎 `oh-my-zsh` | Starship prompt enabled for all shells; oh-my-zsh configured with `git` + `fzf` plugins. |
| **Runtime & CLI Managers** | 🪄 `mise` • 💧 `aqua` | `mise` handles language/tool runtimes (activation wired into zsh/bash/fish); `aqua` manages standalone CLIs with config at `~/.config/aquaproj-aqua/aqua.yaml`. |
| **Core CLI Utilities** | 📦 `curl` • 📥 `wget` • 🔐 `ca-certificates` • 🧭 `git` • 🔧 `build-essential` + headers (`pkg-config`, `libssl-dev`, `zlib1g-dev`, `libffi-dev`, `libsqlite3-dev`, `libreadline-dev`, `make`) • 🔍 `ripgrep` • 🧭 `fzf` • 📁 `fd` • 📖 `bat` • 🔗 `openssh-client` • 🧵 `tmux` • 🖥️ `screen` • 📈 `htop` • 📉 `btop` • ♻️ `entr` • 📊 `jq` • 🌐 `httpie` • ☕ `tea` • 🧮 `bc` | Provides ergonomic defaults plus toolchain deps for compiling runtimes (no global language installs). |
| **Aqua-Managed CLIs** | 🐙 `gh` • 🌀 `lazygit` • 🪄 `direnv` • 🎨 `git-delta` • 🧭 `zoxide` • 🧰 `just` • 🧾 `yq` • ⚡ `xh` • 🌍 `curlie` • 🏠 `chezmoi` • 🛠️ `shfmt` • ✅ `shellcheck` • 🐳 `hadolint` • 🐍 `uv` • 🔁 `watchexec` | Extend via `~/.config/aquaproj-aqua/aqua.yaml`. These packages are baked into the image at build time for consistency and reproducibility. Direnv logging is muted and hooks for direnv/zoxide are pre-configured for zsh, bash, and fish. |
| **AI CLI Tools** | 🧠 `@just-every/code` • 🤖 `@qwen-code/qwen-code` • 💎 `@google/gemini-cli` • 🔮 `@openai/codex` • 🌐 `opencode-ai` | AI-powered command-line tools for enhanced development workflows. Node.js is installed via mise to support npm package installation. |
| **Container Workflow** | 🐳 Docker socket mount (`/var/run/docker.sock`) | Enables Docker CLIs inside the container; host Docker daemon required. |
| **AI Tool Configuration** | 🧠 Host directories for AI tools | Host directories for AI tool configuration and cache are mounted to maintain persistent settings and data across container runs. |
| **Runtime Environment** | 👤 Non-root user `toolbox` (UID/GID mapped) • 🗂️ `/workspace` mount | Maintains host permissions and isolates artifacts under `artifacts/ToolboxStack/toolbox-base`. |
### 🐚 Shells & Prompts
| 🛠️ Tool | 📋 Name | 📝 Notes |
|---------|---------|---------|
| 🐚 | `zsh` | Z shell with oh-my-zsh framework |
| 🐟 | `fish` | Friendly interactive shell |
| 🧑‍💻 | `bash` | Bourne again shell |
| ⭐ | `starship` | Cross-shell prompt |
| 💎 | `oh-my-zsh` | Zsh framework |
> ⭐ Starship prompt enabled for all shells; oh-my-zsh configured with `git` + `fzf` plugins.
### 🪄 Runtime & CLI Managers
| 🛠️ Tool | 📋 Name | 📝 Notes |
|---------|---------|---------|
| 🪄 | `mise` | Runtime manager for languages and tools |
| 💧 | `aqua` | CLI version manager |
> `mise` handles language/tool runtimes (activation wired into zsh/bash/fish); `aqua` manages standalone CLIs with config at `~/.config/aquaproj-aqua/aqua.yaml`.
### 🧰 Core CLI Utilities
| 🛠️ Tool | 📋 Name | 📝 Notes |
|---------|---------|---------|
| 📦 | `curl` | Command-line data transfer |
| 📥 | `wget` | Network downloader |
| 🔐 | `ca-certificates` | Common CA certificates |
| 🧭 | `git` | Distributed version control |
| 🔧 | `build-essential` | Essential build tools |
| 🔍 | `ripgrep` | Fast search tool |
| 🧭 | `fzf` | Fuzzy finder |
| 📁 | `fd` | Simple, fast & user-friendly alternative to find |
| 📖 | `bat` | Cat clone with syntax highlighting |
| 🔗 | `openssh-client` | OpenSSH client applications |
| 🧵 | `tmux` | Terminal multiplexer |
| 🖥️ | `screen` | Terminal multiplexer |
| 📈 | `htop` | Interactive process viewer |
| 📉 | `btop` | A monitor of resources |
| ♻️ | `entr` | Run arbitrary commands when files change |
| 📊 | `jq` | Command-line JSON processor |
| 🌐 | `httpie` | User-friendly curl replacement |
| ☕ | `tea` | Package manager for dev projects |
| 🧮 | `bc` | Arbitrary precision calculator language |
> Provides ergonomic defaults plus toolchain deps for compiling runtimes (no global language installs).
### 🌊 Aqua-Managed CLIs
| 🛠️ Tool | 📋 Name |
|---------|---------|
| 🐙 | `gh` (GitHub CLI) |
| 🌀 | `lazygit` |
| 🪄 | `direnv` |
| 🎨 | `git-delta` |
| 🧭 | `zoxide` |
| 🧰 | `just` |
| 🧾 | `yq` |
| ⚡ | `xh` |
| 🌍 | `curlie` |
| 🏠 | `chezmoi` |
| 🛠️ | `shfmt` |
| ✅ | `shellcheck` |
| 🐳 | `hadolint` |
| 🐍 | `uv` |
| 🔁 | `watchexec` |
> Extend via `~/.config/aquaproj-aqua/aqua.yaml`. These packages are baked into the image at build time for consistency and reproducibility. Direnv logging is muted and hooks for direnv/zoxide are pre-configured for zsh, bash, and fish.
### 🤖 AI CLI Tools
| 🛠️ Tool | 📋 Name |
|---------|---------|
| 🧠 | `@just-every/code` |
| 🤖 | `@qwen-code/qwen-code` |
| 💎 | `@google/gemini-cli` |
| 🔮 | `@openai/codex` |
| 🌐 | `opencode-ai` |
> AI-powered command-line tools for enhanced development workflows. Node.js is installed via mise to support npm package installation.
### 🐳 Container Workflow
| 🛠️ Feature | 📋 Description |
|------------|----------------|
| 🐳 | Docker socket mount (`/var/run/docker.sock`) - Enables Docker CLIs inside the container; host Docker daemon required. |
### 🧠 AI Tool Configuration
| 🛠️ Feature | 📋 Description |
|------------|----------------|
| 🧠 | Host directories for AI tools - Host directories for AI tool configuration and cache are mounted to maintain persistent settings and data across container runs. |
### 👤 Runtime Environment
| 🛠️ Feature | 📋 Description |
|------------|----------------|
| 👤 | Non-root user `toolbox` (UID/GID mapped) |
| 🗂️ | `/workspace` mount - Maintains host permissions and isolates artifacts under `artifacts/ToolboxStack/toolbox-base` |
---
## 🛠️ Extending the Sandbox
- **Add a runtime**: `mise use python@3.12` (per project). Run inside `/workspace` to persist `.mise.toml`.
- **Add a CLI tool**: update `~/.config/aquaproj-aqua/aqua.yaml`, then run `aqua install`.
- **Adjust base image**: modify `Dockerfile`, run `./build.sh`, and keep this README & `PROMPT` in sync.
| 🧩 Task | 🛠️ Command | 📝 Description |
|---------|------------|----------------|
| 🧮 **Add a runtime** | `mise use python@3.12` | (per project). Run inside `/workspace` to persist `.mise.toml`. |
| 🧰 **Add a CLI tool** | Update `~/.config/aquaproj-aqua/aqua.yaml`, then run `aqua install` | Extend the available tools in the environment |
| 🛠️ **Adjust base image** | Modify `Dockerfile`, run `./build.sh`, and keep this README & `PROMPT` in sync | Make changes to the base environment |
> 🔁 **Documentation policy:** Whenever you add/remove tooling or change the developer experience, update both this README and the `PROMPT` file so the next collaborator has an accurate snapshot.
@@ -66,8 +140,8 @@ The compose service mounts the current repo to `/workspace` (read/write) and run
## 📂 Project Layout
| Path | Purpose |
|------|---------|
| 📁 Path | 📝 Purpose |
|---------|------------|
| `Dockerfile` | Defines the toolbox-base image. |
| `docker-compose.yml` | Compose service providing the container runtime. |
| `build.sh` | Wrapper around `docker build` with host UID/GID mapping. |
@@ -81,14 +155,23 @@ The compose service mounts the current repo to `/workspace` (read/write) and run
## ✅ Verification Checklist
After any image changes:
1. Run `./build.sh` and ensure it succeeds.
2. Optionally `./run.sh up` and sanity-check key tooling (e.g., `mise --version`, `gh --version`).
3. Update this README and the `PROMPT` with any new or removed tooling.
1. 🏗️ **Build Test**: Run `./build.sh` and ensure it succeeds.
2. 🧪 **Functionality Test**: Optionally `./run.sh up` and sanity-check key tooling (e.g., `mise --version`, `gh --version`).
3. 📝 **Documentation Sync**: Update this README and the `PROMPT` with any new or removed tooling.
---
## 🤝 Collaboration Notes
- Container always runs as the mapped non-root user; avoid adding steps that require root login.
- Prefer `mise`/`aqua` for new tooling to keep installations reproducible.
- Keep documentation synchronized (README + PROMPT) so future contributors can resume quickly.
| 📋 Best Practice | 📝 Description |
|------------------|----------------|
| 👤 **Non-Root Policy** | Container always runs as the mapped non-root user; avoid adding steps that require root login. |
| 🧩 **Tooling Consistency** | Prefer `mise`/`aqua` for new tooling to keep installations reproducible. |
| 📚 **Documentation Sync** | Keep documentation synchronized (README + PROMPT) so future contributors can resume quickly. |
---
## 📄 License
See [LICENSE](../../LICENSE) for full terms.

0
ToolboxStack/output/toolbox-DocStack/.devcontainer/devcontainer.json → ToolboxStack/output/toolbox-docstack/.devcontainer/devcontainer.json
View File

2
ToolboxStack/output/toolbox-docstack/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

0
ToolboxStack/output/toolbox-DocStack/AUDIT_CHECKLIST.md → ToolboxStack/output/toolbox-docstack/AUDIT_CHECKLIST.md
View File

0
ToolboxStack/output/toolbox-DocStack/Dockerfile → ToolboxStack/output/toolbox-docstack/Dockerfile
View File

0
ToolboxStack/output/toolbox-DocStack/PROMPT → ToolboxStack/output/toolbox-docstack/PROMPT
View File

0
ToolboxStack/output/toolbox-DocStack/README.md → ToolboxStack/output/toolbox-docstack/README.md
View File

0
ToolboxStack/output/toolbox-DocStack/SEED → ToolboxStack/output/toolbox-docstack/SEED
View File

0
ToolboxStack/output/toolbox-DocStack/aqua.yaml → ToolboxStack/output/toolbox-docstack/aqua.yaml
View File

0
ToolboxStack/output/toolbox-DocStack/build.sh → ToolboxStack/output/toolbox-docstack/build.sh
View File

0
ToolboxStack/output/toolbox-DocStack/docker-compose.yml → ToolboxStack/output/toolbox-docstack/docker-compose.yml
View File

0
ToolboxStack/output/toolbox-DocStack/release.sh → ToolboxStack/output/toolbox-docstack/release.sh
View File

0
ToolboxStack/output/toolbox-DocStack/run.sh → ToolboxStack/output/toolbox-docstack/run.sh
View File

0
ToolboxStack/output/toolbox-DocStack/security-audit.sh → ToolboxStack/output/toolbox-docstack/security-audit.sh
View File

0
ToolboxStack/output/toolbox-DocStack/test.sh → ToolboxStack/output/toolbox-docstack/test.sh
View File

2
ToolboxStack/output/toolbox-etl/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

2
ToolboxStack/output/toolbox-gis/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

2
ToolboxStack/output/toolbox-lifecycle-buildandtest/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

2
ToolboxStack/output/toolbox-lifecycle-packageandrelease/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.

68
ToolboxStack/output/toolbox-qadocker/Dockerfile Normal file
View File

@@ -0,0 +1,68 @@
FROM ubuntu:24.04
# Prevent interactive prompts during package installation
ENV DEBIAN_FRONTEND=noninteractive
# Install dependencies needed for tools
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
curl \
wget \
git \
unzip \
gnupg \
lsb-release \
software-properties-common \
&& rm -rf /var/lib/apt/lists/*
# Create a non-root user for running tools
RUN groupadd -r qadocker && useradd -r -g qadocker -m -s /bin/bash qadocker
# Install Hadolint
RUN wget -q -O /usr/local/bin/hadolint \
https://github.com/hadolint/hadolint/releases/latest/download/hadolint-$(uname -s)-$(uname -m) && \
chmod +x /usr/local/bin/hadolint
# Install Dive
RUN wget -q -O /tmp/dive_0.10.0_linux_amd64.deb \
https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb && \
apt-get update && apt-get install -y --no-install-recommends /tmp/dive_0.10.0_linux_amd64.deb && \
rm /tmp/dive_0.10.0_linux_amd64.deb && \
rm -rf /var/lib/apt/lists/*
# Install ShellCheck
RUN apt-get update && apt-get install -y --no-install-recommends shellcheck && \
rm -rf /var/lib/apt/lists/*
# Install Trivy (vulnerability scanner)
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg && \
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list && \
apt-get update && \
apt-get install -y trivy && \
rm -rf /var/lib/apt/lists/*
# Install Dockle (container linter)
RUN wget -q -O dockle_0.4.5_linux_amd64.deb \
https://github.com/goodwithtech/dockle/releases/download/v0.4.5/dockle_0.4.5_Linux-64bit.deb && \
apt-get update && apt-get install -y --no-install-recommends ./dockle_0.4.5_linux_amd64.deb && \
rm dockle_0.4.5_linux_amd64.deb && \
rm -rf /var/lib/apt/lists/*
# Install Docker client
RUN curl -fsSL https://get.docker.com -o get-docker.sh && \
sh get-docker.sh && \
rm get-docker.sh
# Install Node.js (may be needed for some tools)
RUN curl -fsSL https://deb.nodesource.com/setup_lts | bash - && \
apt-get install -y --no-install-recommends nodejs && \
rm -rf /var/lib/apt/lists/*
# Ensure non-root user has proper permissions for Docker socket if needed
# This should be handled at runtime via volume mounting
# Switch to non-root user
USER qadocker
WORKDIR /home/qadocker
CMD ["/bin/bash"]

172
ToolboxStack/output/toolbox-qadocker/README.md Normal file
View File

@@ -0,0 +1,172 @@
# toolbox-qadocker
This is a specialized toolbox container for performing audit and quality assurance work on Docker images and related files in the TSYSDevStack project. It includes essential tools for Dockerfile linting, shell script validation, container auditing, and security scanning.
## 🛠️ Included Tools
- **[Hadolint](https://github.com/hadolint/hadolint)**: A Dockerfile linter that checks for best practices
- **[Dive](https://github.com/wagoodman/dive)**: Tool to explore layers in Docker images
- **[ShellCheck](https://www.shellcheck.net/)**: Static analysis tool for shell scripts
- **[Trivy](https://github.com/aquasecurity/trivy)**: Comprehensive vulnerability scanner for containers
- **[Dockle](https://github.com/goodwithtech/dockle)**: Container image linter for security best practices
- **Docker Client**: Command-line interface for Docker
- **Node.js**: JavaScript runtime for additional tooling
## 🚀 Quick Start
### Build the Image
```bash
# Build with default 'dev' tag
./build.sh
# Build with a specific tag
./build.sh --tag mytag
```
### Run the Container
```bash
# Run interactively with current directory mounted
./run.sh
# Run with Docker socket access (to use Docker from inside container)
./run.sh --with-docker
# Run with a specific tag
./run.sh --tag mytag
```
### Release (Push to Registry)
```bash
# Build and push with version tag (requires clean git tree)
./release.sh --version v0.1.0
# Build and push with version tag (allowing dirty git tree)
./release.sh --version v0.1.0 --allow-dirty
# Dry run to test the process without actually pushing
./release.sh --version v0.1.0 --dry-run
```
## 🔍 Using QA Tools
### Hadolint - Dockerfile Linting
```bash
# Lint a Dockerfile
docker run --rm -i hadolint/hadolint < Dockerfile
# Or when using the toolbox container with current directory mounted:
hadolint Dockerfile
```
### ShellCheck - Shell Script Analysis
```bash
# Analyze a shell script
shellcheck myscript.sh
# Or when using the toolbox container:
shellcheck /workspace/myscript.sh
```
### Dive - Analyze Docker Image Layers
```bash
# Analyze an image
dive myimage:tag
```
### Trivy - Vulnerability Scanning
```bash
# Scan a container image for vulnerabilities
trivy image myimage:tag
# Scan the current directory for vulnerabilities
trivy fs .
```
### Dockle - Container Image Linting
```bash
# Lint a container image
dockle myimage:tag
# Or run on current directory
dockle .
```
## 🏗️ Project Context
The toolbox-qadocker is designed to be a minimal, fast-to-rebuild image specifically for auditing and validating Docker images and related files in the TSYSDevStack ecosystem. Unlike other toolboxes, it does not inherit from `toolbox-base` and instead uses a clean Ubuntu base with only the essential QA tools installed.
## 🎯 Purpose
- Audit Dockerfiles for best practices and security issues
- Validate shell scripts with ShellCheck
- Analyze Docker image layers with Dive
- Scan for vulnerabilities with Trivy
- Check image security with Dockle
- Support AI CLI agents in container image creation
## 📁 Directory Structure
- `Dockerfile`: Defines the container image
- `build.sh`: Builds the container image
- `run.sh`: Runs the container with appropriate settings
- `release.sh`: Builds and pushes container images with multiple tags
- `test.sh`: Test script to verify all tools are working
## 🛡️ Security
- Runs as a non-root user (`qadocker`) by default
- Contains only essential tools needed for QA work
- Designed to be minimal and fast to rebuild if security issues are discovered
## 🧪 Testing
To verify that all tools are working correctly in the container:
```bash
# Run the test script to verify all tools
./test.sh
# Or run the test script inside the container
docker run --rm -v $(pwd)/test.sh:/test.sh tsysdevstack-toolboxstack-toolbox-qadocker:dev bash /test.sh
```
## 🔍 Dockerfile QA
You can use this toolbox to check Dockerfiles for best practices using Hadolint:
```bash
# Run Hadolint on a Dockerfile
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev hadolint Dockerfile
# Run ShellCheck on shell scripts
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev shellcheck your_script.sh
# Run Trivy for vulnerability scanning
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev trivy fs --offline-scan .
# Run Dockle for container image linter
docker run --rm -v $(pwd):/workspace -w /workspace tsysdevstack-toolboxstack-toolbox-qadocker:dev dockle .
```
## 📝 Dockerfile Compliance
The Dockerfile is designed to meet Docker best practices and security standards. It has been optimized to:
- Use minimal base image (Ubuntu 24.04)
- Install packages with `--no-install-recommends` to reduce bloat
- Download packages with quiet mode to reduce output
- Create a non-root user for running tools
- Follow security best practices for container images
- Comply with Hadolint and Dockle recommendations where possible
## 📝 License
This project is part of the TSYSDevStack project. See the main LICENSE file in the repository root for details.

69
ToolboxStack/output/toolbox-qadocker/build.sh Executable file
View File

@@ -0,0 +1,69 @@
#!/usr/bin/env bash
# Build script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
TAG="dev"
DOCKERFILE_PATH="Dockerfile"
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--tag)
TAG="$2"
shift 2
;;
--file)
DOCKERFILE_PATH="$2"
shift 2
;;
--help)
echo "Usage: $0 [--tag TAG] [--file DOCKERFILE_PATH]"
echo ""
echo "Options:"
echo " --tag TAG Specify the tag for the image (default: dev)"
echo " --file DOCKERFILE_PATH Specify the path to the Dockerfile (default: Dockerfile)"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
IMAGE_TAGGED_NAME="${IMAGE_NAME}:${TAG}"
print_status "Building ${IMAGE_TAGGED_NAME}"
# Build the Docker image
docker build -t "${IMAGE_TAGGED_NAME}" -f "${DOCKERFILE_PATH}" .
if [ $? -eq 0 ]; then
print_status "Successfully built ${IMAGE_TAGGED_NAME}"
else
print_error "Failed to build ${IMAGE_TAGGED_NAME}"
exit 1
fi

124
ToolboxStack/output/toolbox-qadocker/release.sh Executable file
View File

@@ -0,0 +1,124 @@
#!/usr/bin/env bash
# Release script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
DEV_TAG="dev"
RELEASE_CURRENT_TAG="release-current"
DOCKERFILE_PATH="Dockerfile"
ALLOW_DIRTY=false
DRY_RUN=false
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--version)
VERSION_TAG="$2"
shift 2
;;
--file)
DOCKERFILE_PATH="$2"
shift 2
;;
--allow-dirty)
ALLOW_DIRTY=true
shift
;;
--dry-run)
DRY_RUN=true
shift
;;
--help)
echo "Usage: $0 --version VERSION [--file DOCKERFILE_PATH] [--allow-dirty] [--dry-run]"
echo ""
echo "Options:"
echo " --version VERSION Specify the version tag for the release (required)"
echo " --file DOCKERFILE_PATH Specify the path to the Dockerfile (default: Dockerfile)"
echo " --allow-dirty Allow release from a dirty git tree"
echo " --dry-run Perform a dry run without actually building or pushing"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
if [[ -z "$VERSION_TAG" ]]; then
print_error "Version tag is required. Use --version to specify it."
exit 1
fi
# Check if git tree is clean (unless --allow-dirty is specified)
if [[ "$ALLOW_DIRTY" == false ]]; then
if [[ -z $(git status --porcelain) ]]; then
print_status "Git tree is clean"
else
print_error "Git tree is not clean. Commit your changes or use --allow-dirty to override."
exit 1
fi
fi
# Determine the build command based on DRY_RUN flag
BUILD_CMD="docker build"
if [[ "$DRY_RUN" == true ]]; then
BUILD_CMD="echo [DRY RUN] Would run: docker build"
fi
# Build the Docker image with all tags
print_status "Building ${IMAGE_NAME} with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
$BUILD_CMD -t "${IMAGE_NAME}:${DEV_TAG}" -t "${IMAGE_NAME}:${RELEASE_CURRENT_TAG}" -t "${IMAGE_NAME}:${VERSION_TAG}" -f "${DOCKERFILE_PATH}" .
if [ $? -ne 0 ]; then
print_error "Failed to build the image(s)"
exit 1
fi
if [[ "$DRY_RUN" == false ]]; then
print_status "Successfully built images with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
else
print_status "Dry run completed - would have built images with tags: ${DEV_TAG}, ${RELEASE_CURRENT_TAG}, ${VERSION_TAG}"
fi
# Push the images unless in dry run mode
if [[ "$DRY_RUN" == false ]]; then
print_status "Pushing ${IMAGE_NAME}:${DEV_TAG}"
docker push "${IMAGE_NAME}:${DEV_TAG}"
print_status "Pushing ${IMAGE_NAME}:${RELEASE_CURRENT_TAG}"
docker push "${IMAGE_NAME}:${RELEASE_CURRENT_TAG}"
print_status "Pushing ${IMAGE_NAME}:${VERSION_TAG}"
docker push "${IMAGE_NAME}:${VERSION_TAG}"
if [ $? -eq 0 ]; then
print_status "Successfully pushed all images"
else
print_error "Failed to push images"
exit 1
fi
fi

118
ToolboxStack/output/toolbox-qadocker/run.sh Executable file
View File

@@ -0,0 +1,118 @@
#!/usr/bin/env bash
# Run script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Default values
IMAGE_NAME="tsysdevstack-toolboxstack-toolbox-qadocker"
TAG="dev"
CONTAINER_NAME="tsysdevstack-toolboxstack-toolbox-qadocker-run"
INTERACTIVE=true
TTY=true
MOUNT_CURRENT_DIR=true
DOCKER_SOCKET=false
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
--tag)
TAG="$2"
shift 2
;;
--name)
CONTAINER_NAME="$2"
shift 2
;;
--no-tty)
TTY=false
shift
;;
--no-interactive)
INTERACTIVE=false
shift
;;
--no-mount)
MOUNT_CURRENT_DIR=false
shift
;;
--with-docker)
DOCKER_SOCKET=true
shift
;;
--help)
echo "Usage: $0 [--tag TAG] [--name NAME] [--no-tty] [--no-interactive] [--no-mount] [--with-docker]"
echo ""
echo "Options:"
echo " --tag TAG Specify the tag for the image to run (default: dev)"
echo " --name NAME Specify the container name (default: tsysdevstack-toolboxstack-toolbox-qadocker-run)"
echo " --no-tty Disable TTY allocation"
echo " --no-interactive Disable interactive mode"
echo " --no-mount Don't mount current directory to /workspace"
echo " --with-docker Mount Docker socket to use Docker from inside container"
echo " --help Show this help message"
exit 0
;;
*)
print_error "Unknown option: $1"
exit 1
;;
esac
done
IMAGE_TAGGED_NAME="${IMAGE_NAME}:${TAG}"
# Check if the image exists
if ! docker images --format "{{.Repository}}:{{.Tag}}" | grep -q "^${IMAGE_NAME}:${TAG}$"; then
print_error "Image ${IMAGE_TAGGED_NAME} does not exist. Please build it first."
exit 1
fi
# Build docker run command
RUN_CMD="docker run"
if [[ "$INTERACTIVE" == true ]]; then
RUN_CMD="${RUN_CMD} -i"
fi
if [[ "$TTY" == true ]]; then
RUN_CMD="${RUN_CMD} -t"
fi
# Mount current directory to /workspace
if [[ "$MOUNT_CURRENT_DIR" == true ]]; then
RUN_CMD="${RUN_CMD} -v $(pwd):/workspace -w /workspace"
fi
# Mount Docker socket if requested
if [[ "$DOCKER_SOCKET" == true ]]; then
RUN_CMD="${RUN_CMD} -v /var/run/docker.sock:/var/run/docker.sock"
fi
RUN_CMD="${RUN_CMD} --name ${CONTAINER_NAME}"
# Add the image name
RUN_CMD="${RUN_CMD} ${IMAGE_TAGGED_NAME}"
print_status "Running: ${RUN_CMD}"
# Execute the command
eval $RUN_CMD

52
ToolboxStack/output/toolbox-qadocker/test.sh Executable file
View File

@@ -0,0 +1,52 @@
#!/usr/bin/env bash
# Test script for toolbox-qadocker
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Print colored output
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
print_status "Testing all installed QA tools in toolbox-QADocker:"
print_status "1. Testing Hadolint (Dockerfile linter)..."
echo "FROM ubuntu:24.04
RUN apt-get update
RUN apt-get install -y curl" > /tmp/test.Dockerfile
hadolint /tmp/test.Dockerfile || echo "Hadolint found issues (expected in test file)"
print_status "2. Testing ShellCheck (shell script linter)..."
echo '#!/bin/bash
var=hello
echo $var' > /tmp/test.sh
chmod +x /tmp/test.sh
shellcheck /tmp/test.sh || echo "ShellCheck found issues (expected in test file)"
print_status "3. Testing Trivy (vulnerability scanner)..."
trivy --version
print_status "4. Testing Dockle (container linter)..."
dockle --version
print_status "5. Testing Docker client..."
docker --version
print_status "6. Testing Node.js..."
node --version
print_status "All tools are properly installed and functional!"

14
ToolboxStack/output/toolbox-template/.devcontainer/devcontainer.json
View File

@@ -1,14 +0,0 @@
{
"name": "TSYSDevStack {{toolbox_name}}",
"dockerComposeFile": [
"../docker-compose.yml"
],
"service": "{{toolbox_name}}",
"workspaceFolder": "/workspace",
"remoteUser": "toolbox",
"runServices": [
"{{toolbox_name}}"
],
"overrideCommand": false,
"postCreateCommand": "zsh -lc 'starship --version >/dev/null'"
}

120
ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md
View File

@@ -1,120 +0,0 @@
# 🧰 Toolbox Template Audit Checklist
This checklist ensures the toolbox-template provides a solid foundation for creating new toolboxes that extend from toolbox-base.
## 🏗️ Structure Audit
- [ ] Template Dockerfile properly extends from toolbox-base:release-current
- [ ] Template Dockerfile follows best practices for extension
- [ ] Template docker-compose.yml properly inherits from base configuration
- [ ] Template build.sh script properly wraps docker build with UID/GID mapping
- [ ] Template run.sh script properly manages container lifecycle
- [ ] Template devcontainer.json properly references base configuration
- [ ] Template SEED file properly defines extension objectives
- [ ] Template PROMPT file properly guides contributors
- [ ] Template README.md properly documents usage and customization
- [ ] Template aqua.yaml properly extends from base tooling
## 🔧 Consistency Audit
- [ ] Template inherits all base security practices
- [ ] Template follows same build process patterns as base
- [ ] Template uses same user model as base (non-root with UID/GID mapping)
- [ ] Template workspace mounting consistent with base
- [ ] Template runtime behavior consistent with base
- [ ] Template error handling consistent with base
- [ ] Template documentation style consistent with base
- [ ] Template testing approach consistent with base
- [ ] Template customization points clearly defined
- [ ] Template extension patterns well-documented
## 🛡️ Security Audit
- [ ] Template maintains all base security guarantees
- [ ] Template doesn't introduce security vulnerabilities
- [ ] Template doesn't weaken base security model
- [ ] Template properly validates user inputs
- [ ] Template properly handles file permissions
- [ ] Template doesn't expose additional attack surfaces
- [ ] Template properly manages secrets/configuration
- [ ] Template follows principle of least privilege
- [ ] Template properly isolates user processes
- [ ] Template maintains non-root execution model
## 🧪 Testing Audit
- [ ] Template includes testing framework
- [ ] Template tests verify proper extension from base
- [ ] Template tests validate added functionality
- [ ] Template tests check for regression issues
- [ ] Template tests cover error conditions
- [ ] Template tests verify security properties
- [ ] Template tests run automatically during build
- [ ] Template tests provide clear failure diagnostics
- [ ] Template tests cover all customization points
- [ ] Template tests align with base testing philosophy
## 📚 Documentation Audit
- [ ] Template README.md clearly explains purpose and usage
- [ ] Template README.md properly documents customization options
- [ ] Template README.md links to base documentation
- [ ] Template README.md includes quick start guide
- [ ] Template README.md covers troubleshooting
- [ ] Template README.md explains extension patterns
- [ ] Template README.md documents versioning strategy
- [ ] Template README.md covers maintenance procedures
- [ ] Template README.md explains collaboration guidelines
- [ ] Template README.md maintains consistent style with base
## 🔄 Maintenance Audit
- [ ] Template properly tracks base image updates
- [ ] Template provides clear upgrade paths
- [ ] Template maintains backward compatibility
- [ ] Template follows same release cadence as base
- [ ] Template properly handles dependency updates
- [ ] Template includes update automation where appropriate
- [ ] Template documents breaking changes
- [ ] Template provides migration guides when needed
- [ ] Template follows same versioning scheme as base
- [ ] Template maintains consistent issue tracking
## 🎯 Usability Audit
- [ ] Template is easy to copy and customize
- [ ] Template provides clear extension points
- [ ] Template includes helpful examples
- [ ] Template reduces boilerplate code
- [ ] Template provides sensible defaults
- [ ] Template includes proper error messages
- [ ] Template supports common customization patterns
- [ ] Template includes helpful documentation
- [ ] Template follows intuitive naming conventions
- [ ] Template minimizes configuration complexity
## 🌐 Compatibility Audit
- [ ] Template works with all supported platforms
- [ ] Template maintains cross-platform consistency
- [ ] Template integrates well with base tooling
- [ ] Template supports common development workflows
- [ ] Template handles various project structures
- [ ] Template works with popular IDEs/editors
- [ ] Template supports CI/CD integration
- [ ] Template compatible with common deployment methods
- [ ] Template supports popular version control systems
- [ ] Template integrates with common development tools
## 🧹 Cleanliness Audit
- [ ] Template includes no unnecessary files
- [ ] Template follows consistent file organization
- [ ] Template includes proper .gitignore
- [ ] Template avoids duplicating base functionality
- [ ] Template includes proper licensing information
- [ ] Template maintains clean directory structure
- [ ] Template includes appropriate comments/documentation
- [ ] Template avoids hardcoded values where possible
- [ ] Template follows consistent naming conventions
- [ ] Template includes proper attribution where needed

56
ToolboxStack/output/toolbox-template/Dockerfile
View File

@@ -1,56 +0,0 @@
# Extend from the toolbox-base image
# NOTE: Always use the full image name to ensure compatibility in standalone builds
FROM tsysdevstack-toolboxstack-toolbox-base:release-current
# Set build arguments (these can be overridden at build time)
ARG USER_ID=1000
ARG GROUP_ID=1000
ARG USERNAME=toolbox
# Ensure the non-root user exists with the correct UID/GID
# Check if user/group already exists and handle appropriately
RUN if getent passwd "${USER_ID}" >/dev/null; then \
existing_user="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
echo "User with UID ${USER_ID} already exists: ${existing_user}" >&2; \
else \
if ! getent group "${GROUP_ID}" >/dev/null; then \
groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
fi \
useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /usr/bin/zsh --create-home "${USERNAME}"; \
fi
# Install toolbox-specific packages here
# Example:
# RUN apt-get update && apt-get install -y --no-install-recommends \
# specific-package \
# && apt-get clean \
# && rm -rf /var/lib/apt/lists/*
# Install toolbox-specific aqua packages here
# Example:
# COPY aqua.yaml /tmp/aqua.yaml
# RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
# && su - "${USERNAME}" -c 'mkdir -p ~/.config/aquaproj-aqua' \
# && su - "${USERNAME}" -c 'cp /tmp/aqua.yaml ~/.config/aquaproj-aqua/aqua.yaml' \
# && AQUA_GLOBAL_CONFIG=/tmp/aqua.yaml aqua install \
# && su - "${USERNAME}" -c 'AQUA_GLOBAL_CONFIG=~/.config/aquaproj-aqua/aqua.yaml aqua install'
# Install toolbox-specific npm packages here
# Example:
# RUN su - "${USERNAME}" -c 'mise exec -- npm install -g @scope/package@version'
# Prepare workspace directory with appropriate ownership
RUN mkdir -p /workspace \
&& chown "${USER_ID}:${GROUP_ID}" /workspace
# Remove sudo to ensure no root escalation is possible at runtime
RUN apt-get remove -y sudo 2>/dev/null || true && apt-get autoremove -y 2>/dev/null || true && rm -rf /var/lib/apt/lists/* 2>/dev/null || true
ENV SHELL=/usr/bin/zsh \
AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml \
PATH=/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/mise/shims:/home/${USERNAME}/.local/bin:${PATH}
WORKDIR /workspace
USER ${USERNAME}
CMD ["/usr/bin/zsh"]

27
ToolboxStack/output/toolbox-template/PROMPT
View File

@@ -1,27 +0,0 @@
You are Codex, collaborating with a human on the TSYSDevStack ToolboxStack project.
- Seed context:
- `SEED` captures the initial scope. Edit it once to define goals, then treat it as read-only unless the high-level objectives change.
- Start each session by reading it (`cat SEED`) and summarize progress or adjustments here in PROMPT.
Context snapshot ({{toolbox_name}}):
- Working directory: artifacts/ToolboxStack/{{toolbox_name}}
- Image: tsysdevstack-toolboxstack-{{toolbox_name}} (extends from tsysdevstack-toolboxstack-toolbox-base:release-current)
- Container user: toolbox (non-root, UID/GID mapped to host)
- Mounted workspace: current repo at /workspace (rw)
Current state:
- Extends from the standard toolbox-base image, inheriting all base tooling (shells, CLIs, package managers).
- aqua packages are baked into the base image during the build process for consistency, reproducibility and performance.
- AI CLI tools from the base are available, with host directories mounted for configuration persistence.
- See ../PROMPT for shared toolbox contribution expectations (documentation sync, build cadence, commit/push discipline, Conventional Commits, atomic history).
Collaboration checklist:
1. Translate SEED goals into concrete tooling decisions; mirror outcomes in README.md and this PROMPT (do not rewrite SEED unless the scope resets).
2. Prefer aqua-managed CLIs and mise-managed runtimes for reproducibility.
3. After each tooling change, update README/PROMPT, run ./build.sh, commit (Conventional Commit message, focused diff), and push only once the build succeeds per ../PROMPT.
4. Record verification steps (build/test commands) as they are performed.
5. Maintain UID/GID mapping and non-root execution.
Active focus:
- Initialize {{toolbox_name}} using the toolbox-template scaffolding; evolve the Dockerfile/tooling inventory to satisfy the SEED goals.

107
ToolboxStack/output/toolbox-template/README.md
View File

@@ -1,107 +0,0 @@
# 🧰 TSYSDevStack Toolbox Template
Template for creating new toolboxes that extend from the `toolbox-base` image.
---
## 🚀 Quick Start
1. **Create a new toolbox**
```bash
cp -r /path/to/toolbox-template /path/to/new-toolbox
cd /path/to/new-toolbox
```
2. **Customize the toolbox**
- Edit `Dockerfile` to add toolbox-specific tooling
- Modify `docker-compose.yml` to adjust service configuration
- Update `SEED` to define the toolbox's purpose and goals
3. **Build the toolbox**
```bash
./build.sh
```
4. **Start the toolbox**
```bash
./run.sh up
```
5. **Access the toolbox**
```bash
docker exec -it tsysdevstack-toolboxstack-{{toolbox_name}} zsh
```
6. **Stop the toolbox**
```bash
./run.sh down
```
---
## 🧱 Architecture
- **Base Image**: Extends from `tsysdevstack-toolboxstack-toolbox-base:release-current`
- **User**: Runs as non-root `toolbox` user (UID/GID mapped to host)
- **Workspace**: Mounts current directory to `/workspace` (read/write)
- **Runtime**: Inherits all tooling from base plus toolbox-specific additions
---
## 🛠️ Customization
### Dockerfile
Extend the base image with toolbox-specific tooling:
```dockerfile
# Extend from the toolbox-base image
FROM tsysdevstack-toolboxstack-toolbox-base:release-current
# Add toolbox-specific packages or configurations
RUN apt-get update && apt-get install -y --no-install-recommends \
specific-package \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
```
### docker-compose.yml
Adjust service configuration for toolbox-specific needs:
```yaml
services:
my-toolbox:
# Inherits all base configuration
# Add toolbox-specific volumes, ports, etc.
volumes:
- ./custom-config:/home/toolbox/.config/custom-tool
```
### SEED
Define the toolbox's purpose and goals:
```markdown
- Describe what this toolbox should provide (languages, CLIs, workflows)
- List required base image modifications or additional mounts
- Note verification or testing expectations specific to this toolbox
```
---
## 📂 Project Layout
| Path | Purpose |
|------|---------|
| `Dockerfile` | Extends base image with toolbox-specific tooling |
| `docker-compose.yml` | Service configuration for the toolbox |
| `build.sh` | Wrapper around `docker build` with host UID/GID mapping |
| `run.sh` | Helper to bring the service up/down |
| `.devcontainer/devcontainer.json` | VS Code remote container definition |
| `SEED` | Defines the toolbox's purpose and goals |
| `PROMPT` | LLM onboarding prompt for future contributors |
---
## 🤝 Collaboration Notes
- Inherits all collaboration policies from `toolbox-base`
- Document toolbox-specific additions in `README.md` and `PROMPT`
- Update `SEED` only when the high-level objectives change
- Prefer aqua/mise for new tooling to keep installations reproducible
- Keep documentation synchronized for future contributors

38
ToolboxStack/output/toolbox-template/SEED
View File

@@ -1,38 +0,0 @@
# Toolbox Template SEED
This SEED file defines the high-level objectives for all toolboxes created from this template.
## 🎯 Goals
- **Extensibility**: Each toolbox should extend from `toolbox-base` to inherit core tooling
- **Consistency**: All toolboxes should follow the same patterns and conventions
- **Reproducibility**: Toolbox builds should be deterministic and cache-efficient
- **Security**: Toolboxes should run as non-root users with minimal privileges
- **Portability**: Toolboxes should work identically across different host environments
## 🧰 Requirements
- **Base Image**: Extend from `tsysdevstack-toolboxstack-toolbox-base:release-current`
- **User Model**: Run as non-root `toolbox` user (UID/GID mapped to host)
- **Workspace**: Mount current directory to `/workspace` (read/write)
- **Runtime**: Inherit all base tooling plus toolbox-specific additions
- **Configuration**: Preserve user configs/mise toolchains via volume mounts
## 🛠️ Implementation
- **Dockerfile**: Extend from base with toolbox-specific tooling
- **docker-compose.yml**: Configure service with inherited + custom settings
- **build.sh**: Wrapper around `docker build` with UID/GID mapping
- **run.sh**: Helper to bring service up/down
- **devcontainer.json**: VS Code remote container definition
- **SEED**: Define toolbox-specific objectives (this file)
- **PROMPT**: LLM onboarding prompt for future contributors
## ✅ Verification
- Toolboxes should build without errors
- Toolboxes should start and run indefinitely
- Toolboxes should be accessible via `docker exec`
- Toolboxes should inherit all base tooling
- Toolboxes should support toolbox-specific additions
- Toolboxes should preserve user configurations across restarts

22
ToolboxStack/output/toolbox-template/aqua.yaml
View File

@@ -1,22 +0,0 @@
version: 1.0.0
registries:
- type: standard
ref: v4.431.0
packages:
# Add additional packages specific to your toolbox here
# Example:
# - name: cli/cli@v2.82.1
# - name: jesseduffield/lazygit@v0.55.1
# - name: direnv/direnv@v2.37.1
# - name: dandavison/delta@0.18.2
# - name: ajeetdsouza/zoxide@v0.9.8
# - name: casey/just@1.43.0
# - name: mikefarah/yq@v4.48.1
# - name: ducaale/xh@v0.25.0
# - name: rs/curlie@v1.8.2
# - name: twpayne/chezmoi@v2.66.1
# - name: mvdan/sh@v3.12.0
# - name: koalaman/shellcheck@v0.11.0
# - name: hadolint/hadolint@v2.14.0
# - name: astral-sh/uv@0.9.6
# - name: watchexec/watchexec@v2.3.2

193
ToolboxStack/output/toolbox-template/build.sh
View File

@@ -1,193 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Security: Validate input parameters to prevent command injection
sanitized_input() {
local input="$1"
# Check for potentially dangerous characters/commands
case "$input" in
*[\;\|\&\`\$]*)
echo "Error: Invalid input detected: $input" >&2
exit 1
;;
esac
}
# Validate dependencies
if ! command -v docker &> /dev/null; then
echo "Error: docker is required but not installed." >&2
exit 1
fi
if ! docker buildx version &> /dev/null; then
echo "Error: docker buildx is required but not available." >&2
exit 1
fi
# Get the toolbox name from the directory name (or you can pass it as an argument)
TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}"
sanitized_input "$TOOLBOX_NAME"
IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Sanitize user input
USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
sanitized_input "$USER_ID"
GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}"
sanitized_input "$GROUP_ID"
USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$USERNAME"
TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}"
sanitized_input "$TEA_VERSION"
BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}"
sanitized_input "$BUILDER_NAME"
CACHE_DIR="${SCRIPT_DIR}/.build-cache"
TAG="${TAG_OVERRIDE:-dev}"
sanitized_input "$TAG"
RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}"
sanitized_input "$RELEASE_TAG"
VERSION_TAG="${VERSION_TAG_OVERRIDE:-}"
if [[ -n "$VERSION_TAG" ]]; then
sanitized_input "$VERSION_TAG"
fi
PUSH="${PUSH_OVERRIDE:-false}"
echo "Building ${IMAGE_NAME} with UID=${USER_ID} GID=${GROUP_ID} USERNAME=${USERNAME}"
echo "Primary tag: ${TAG}"
# Ensure builder exists
if ! docker buildx inspect "${BUILDER_NAME}" >/dev/null 2>&1; then
echo "Creating builder: ${BUILDER_NAME}"
if ! docker buildx create --driver docker-container --name "${BUILDER_NAME}" --use >/dev/null; then
echo "Error: Failed to create Docker buildx builder." >&2
exit 1
fi
else
echo "Using existing builder: ${BUILDER_NAME}"
if ! docker buildx use "${BUILDER_NAME}" >/dev/null; then
echo "Error: Failed to use Docker buildx builder." >&2
exit 1
fi
fi
# Ensure cache directory exists
if ! mkdir -p "${CACHE_DIR}"; then
echo "Error: Failed to create cache directory: ${CACHE_DIR}" >&2
exit 1
fi
echo "Starting build..."
BUILD_OUTPUT=$(mktemp)
trap 'rm -f "$BUILD_OUTPUT"' EXIT
# Build the image
if ! docker buildx build \
--builder "${BUILDER_NAME}" \
--load \
--progress=plain \
--build-arg USER_ID="${USER_ID}" \
--build-arg GROUP_ID="${GROUP_ID}" \
--build-arg USERNAME="${USERNAME}" \
--build-arg TEA_VERSION="${TEA_VERSION}" \
--cache-from "type=local,src=${CACHE_DIR}" \
--cache-to "type=local,dest=${CACHE_DIR},mode=max" \
--tag "${IMAGE_NAME}:${TAG}" \
"${SCRIPT_DIR}" 2>&1 | tee "${BUILD_OUTPUT}"; then
echo "Error: Docker build failed. Check output above for details." >&2
exit 1
fi
echo "Build completed successfully."
# Run post-build verification
echo "Running post-build verification..."
if ! docker run --rm "${IMAGE_NAME}:${TAG}" zsh -c 'echo "Container starts successfully"'; then
echo "Error: Failed to start container with basic test." >&2
exit 1
fi
# Verify critical tools are available
echo "Verifying critical tools..."
CRITICAL_TOOLS=("zsh" "git" "curl" "jq" "fish" "fzf" "bat" "fd" "rg" "htop" "btop")
for tool in "${CRITICAL_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then
echo "Error: Critical tool '$tool' not found in PATH." >&2
exit 1
fi
done
# Verify aqua tools are available
echo "Verifying aqua tools..."
AQUA_TOOLS=("gh" "lazygit" "direnv" "delta" "zoxide" "just" "yq" "xh" "curlie" "chezmoi" "shfmt" "shellcheck" "hadolint" "uv" "uvx" "watchexec" "kroki")
for tool in "${AQUA_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then
echo "Error: Aqua tool '$tool' not found in PATH." >&2
exit 1
fi
done
# Verify AI CLI tools are available
echo "Verifying AI CLI tools..."
AI_TOOLS=("code" "qwen" "gemini" "codex" "opencode")
for tool in "${AI_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then
echo "Error: AI CLI tool '$tool' not found in PATH." >&2
exit 1
fi
done
# Verify testing tools are available
echo "Verifying testing tools..."
TESTING_TOOLS=("bats" "shellcheck" "shfmt" "hadolint")
for tool in "${TESTING_TOOLS[@]}"; do
if ! docker run --rm "${IMAGE_NAME}:${TAG}" which "$tool" >/dev/null 2>&1; then
echo "Error: Testing tool '$tool' not found in PATH." >&2
exit 1
fi
done
echo "All verifications passed."
# Push if requested
if [[ "${PUSH}" == "true" ]]; then
echo "Pushing ${IMAGE_NAME}:${TAG}"
if ! docker push "${IMAGE_NAME}:${TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${TAG}" >&2
exit 1
fi
if [[ "${TAG}" == "dev" && -n "${VERSION_TAG}" ]]; then
if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${VERSION_TAG}"; then
echo "Error: Failed to tag ${IMAGE_NAME}:${VERSION_TAG}" >&2
exit 1
fi
echo "Pushing ${IMAGE_NAME}:${VERSION_TAG}"
if ! docker push "${IMAGE_NAME}:${VERSION_TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${VERSION_TAG}" >&2
exit 1
fi
fi
if [[ "${TAG}" == "dev" ]]; then
if ! docker tag "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${RELEASE_TAG}"; then
echo "Error: Failed to tag ${IMAGE_NAME}:${RELEASE_TAG}" >&2
exit 1
fi
echo "Pushing ${IMAGE_NAME}:${RELEASE_TAG}"
if ! docker push "${IMAGE_NAME}:${RELEASE_TAG}"; then
echo "Error: Failed to push ${IMAGE_NAME}:${RELEASE_TAG}" >&2
exit 1
fi
fi
fi
# Run security scan if TRIVY is available
if command -v trivy &> /dev/null; then
echo "Running security scan with Trivy..."
trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}:${TAG}"
else
echo "Trivy not found. Install Trivy to perform security scanning."
fi
echo "Build process completed successfully with all verifications."

35
ToolboxStack/output/toolbox-template/docker-compose.yml
View File

@@ -1,35 +0,0 @@
services:
{{toolbox_name}}:
container_name: tsysdevstack-toolboxstack-{{toolbox_name}}
image: tsysdevstack-toolboxstack-{{toolbox_name}}
build:
context: .
dockerfile: Dockerfile
args:
USER_ID: ${LOCAL_UID:-1000}
GROUP_ID: ${LOCAL_GID:-1000}
USERNAME: ${LOCAL_USERNAME:-toolbox}
user: "${LOCAL_UID:-1000}:${LOCAL_GID:-1000}"
working_dir: /workspace
command: ["sleep", "infinity"]
init: true
tty: true
stdin_open: true
volumes:
- .:/workspace:rw
- ${HOME}/.local/share/mise:/home/toolbox/.local/share/mise:rw
- ${HOME}/.cache/mise:/home/toolbox/.cache/mise:rw
# AI CLI tool configuration and cache directories
- ${HOME}/.config/openai:/home/toolbox/.config/openai:rw
- ${HOME}/.config/gemini:/home/toolbox/.config/gemini:rw
- ${HOME}/.config/qwen:/home/toolbox/.config/qwen:rw
- ${HOME}/.config/code:/home/toolbox/.config/code:rw
- ${HOME}/.config/opencode:/home/toolbox/.config/opencode:rw
- ${HOME}/.cache/openai:/home/toolbox/.cache/openai:rw
- ${HOME}/.cache/gemini:/home/toolbox/.cache/gemini:rw
- ${HOME}/.cache/qwen:/home/toolbox/.cache/qwen:rw
- ${HOME}/.cache/code:/home/toolbox/.cache/code:rw
- ${HOME}/.cache/opencode:/home/toolbox/.cache/opencode:rw
# Additional AI tool directories
- ${HOME}/.config/codex:/home/toolbox/.config/codex:rw
- ${HOME}/.cache/codex:/home/toolbox/.cache/codex:rw

111
ToolboxStack/output/toolbox-template/release.sh
View File

@@ -1,111 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
usage() {
cat <<'EOU'
Usage: ./release.sh [--dry-run] [--allow-dirty] <semver>
Examples:
./release.sh 0.2.0
./release.sh --dry-run 0.2.0
This script rebuilds the toolbox image, tags it as:
- tsysdevstack-toolboxstack-<name>:dev
- tsysdevstack-toolboxstack-<name>:release-current
- tsysdevstack-toolboxstack-<name>:v<semver>
When run without --dry-run it pushes all three tags.
EOU
}
DRY_RUN=false
ALLOW_DIRTY=false
VERSION=""
while (( $# > 0 )); do
case "$1" in
--dry-run)
DRY_RUN=true
shift
;;
--allow-dirty)
ALLOW_DIRTY=true
shift
;;
-h|--help)
usage
exit 0
;;
-*)
echo "Unknown option: $1" >&2
usage
exit 1
;;
*)
VERSION="$1"
shift
;;
esac
done
if [[ -z "${VERSION}" ]]; then
echo "Error: semantic version is required." >&2
usage
exit 1
fi
if [[ "${VERSION}" =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
SEMVER="v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
else
echo "Error: version must be semantic (e.g., 0.2.0 or v0.2.0)." >&2
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}" && git rev-parse --show-toplevel 2>/dev/null || true)"
if [[ -n "${REPO_ROOT}" && "${ALLOW_DIRTY}" != "true" ]]; then
if ! git -C "${REPO_ROOT}" diff --quiet --ignore-submodules --exit-code; then
echo "Error: git working tree has uncommitted changes. Please commit or stash before releasing." >&2
exit 1
fi
elif [[ -z "${REPO_ROOT}" ]]; then
echo "Warning: unable to resolve git repository root; skipping clean tree check." >&2
fi
# Get the toolbox name from the directory name (or you can pass it as an argument)
TOOLBOX_NAME="${TOOLBOX_NAME_OVERRIDE:-$(basename "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")}"
IMAGE_NAME="tsysdevstack-toolboxstack-${TOOLBOX_NAME#toolbox-}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
USER_ID="${USER_ID_OVERRIDE:-$(id -u)}"
GROUP_ID="${GROUP_ID_OVERRIDE:-$(id -g)}"
USERNAME="${USERNAME_OVERRIDE:-toolbox}"
TEA_VERSION="${TEA_VERSION_OVERRIDE:-0.11.1}"
BUILDER_NAME="${BUILDER_NAME:-tsysdevstack-toolboxstack-builder}"
CACHE_DIR="${SCRIPT_DIR}/.build-cache"
TAG="${TAG_OVERRIDE:-dev}"
RELEASE_TAG="${RELEASE_TAG_OVERRIDE:-release-current}"
VERSION_TAG="${VERSION_TAG_OVERRIDE:-}"
if [[ -n "$VERSION_TAG" ]]; then
VERSION_TAG="$SEMVER"
fi
PUSH="${PUSH_OVERRIDE:-false}"
echo "Preparing release for ${SEMVER}"
echo " dry-run: ${DRY_RUN}"
echo " allow-dirty: ${ALLOW_DIRTY}"
if [[ "${DRY_RUN}" == "true" ]]; then
echo "[dry-run] Would build ${IMAGE_NAME}:${TAG}"
TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=false "${SCRIPT_DIR}/build.sh"
echo "[dry-run] Skipped pushing tags."
else
echo "Building ${IMAGE_NAME}:${TAG}"
TAG_OVERRIDE="${TAG}" PUSH_OVERRIDE=true RELEASE_TAG_OVERRIDE="${RELEASE_TAG}" VERSION_TAG_OVERRIDE="${SEMVER}" "${SCRIPT_DIR}/build.sh"
echo "Release ${SEMVER} pushed as:"
echo " - ${IMAGE_NAME}:dev"
echo " - ${IMAGE_NAME}:release-current"
echo " - ${IMAGE_NAME}:${SEMVER}"
fi

74
ToolboxStack/output/toolbox-template/run.sh
View File

@@ -1,74 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Security: Validate input parameters to prevent command injection
sanitized_input() {
local input="$1"
# Check for potentially dangerous characters/commands
case "$input" in
*[\;\|\&\`\$]*)
echo "Error: Invalid input detected: $input" >&2
exit 1
;;
esac
}
# Validate dependencies
if ! command -v docker &> /dev/null; then
echo "Error: docker is required but not installed." >&2
exit 1
fi
if ! command -v docker compose &> /dev/null; then
echo "Error: docker compose is required but not installed." >&2
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml"
export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}"
sanitized_input "$LOCAL_UID"
export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}"
sanitized_input "$LOCAL_GID"
export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$LOCAL_USERNAME"
export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
sanitized_input "$TOOLBOX_IMAGE"
if [[ ! -f "${COMPOSE_FILE}" ]]; then
echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2
exit 1
fi
ACTION="${1:-up}"
sanitized_input "$ACTION"
shift || true
if [[ "${ACTION}" == "up" ]]; then
# Create necessary directories for the toolbox tools with proper permissions
mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise"
mkdir -p "${HOME}/.config" "${HOME}/.local/share"
mkdir -p "${HOME}/.cache/openai" "${HOME}/.cache/gemini" "${HOME}/.cache/qwen" "${HOME}/.cache/code" "${HOME}/.cache/opencode"
mkdir -p "${HOME}/.config/openai" "${HOME}/.config/gemini" "${HOME}/.config/qwen" "${HOME}/.config/code" "${HOME}/.config/opencode"
mkdir -p "${HOME}/.config/codex" "${HOME}/.cache/codex"
# Set proper permissions for created directories
chmod 700 "${HOME}/.config" "${HOME}/.local/share" "${HOME}/.cache" 2>/dev/null || true
fi
case "${ACTION}" in
up)
docker compose -f "${COMPOSE_FILE}" up --build --detach "$@"
echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-{{toolbox_name}} zsh' to access the shell."
;;
down)
docker compose -f "${COMPOSE_FILE}" down "$@"
echo "Container stopped."
;;
*)
echo "Usage: $0 [up|down] [additional docker compose args]" >&2
exit 1
;;
esac

155
ToolboxStack/output/toolbox-template/security-audit.sh
View File

@@ -1,155 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Security audit script for the toolbox-template
IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
echo "🔒 Running security audit on ${IMAGE_NAME}"
# Check if Trivy is available for security scanning
if command -v trivy &> /dev/null; then
echo "🔍 Running Trivy security scan..."
trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
echo "✅ Trivy scan completed"
else
echo "⚠️ Trivy not found. Install Trivy to perform security scanning."
echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions."
fi
# Check for outdated packages
echo "📦 Checking for outdated packages..."
OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded"
echo " Run 'apt update && apt upgrade' to update packages"
else
echo "✅ All system packages are up to date"
fi
# Check for unnecessary packages that increase attack surface
echo "🛡️ Checking for unnecessary packages..."
UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
else
echo "✅ No unnecessary packages found that increase attack surface"
fi
# Check for world-writable files/directories
echo "📁 Checking for world-writable files/directories..."
WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories"
echo " These should be reviewed and permissions adjusted if necessary"
else
echo "✅ No world-writable files/directories found"
fi
# Check for setuid/setgid binaries
echo "🔑 Checking for setuid/setgid binaries..."
SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries"
echo " These should be reviewed for security implications"
else
echo "✅ No setuid/setgid binaries found"
fi
# Check for running services
echo "サービ Checking for running services..."
RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
echo "⚠️ Found ${RUNNING_SERVICES} running processes"
echo " These should be reviewed for necessity"
else
echo "✅ No unnecessary running services found"
fi
# Check for listening ports
echo "📡 Checking for listening ports..."
LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
echo "⚠️ Found ${LISTENING_PORTS} listening ports"
echo " These should be reviewed for security implications"
else
echo "✅ No unnecessary listening ports found"
fi
# Check for sudo availability
echo "🛑 Checking for sudo availability..."
if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
echo "❌ Sudo is available in the image - this is a security risk"
echo " Sudo should be removed to prevent privilege escalation"
else
echo "✅ Sudo is not available in the image"
fi
# Check for root login capability
echo "🔐 Checking for root login capability..."
ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
echo "⚠️ Root login might be enabled"
echo " Ensure root login is disabled for security"
else
echo "✅ Root login is properly disabled"
fi
# Check user configuration
echo "👤 Checking user configuration..."
USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
if [[ "${USER_ID}" == "1000" ]]; then
echo "✅ Non-root user 'toolbox' with UID 1000 is properly configured"
else
echo "⚠️ Non-root user configuration might be incorrect"
fi
# Check for hardcoded passwords
echo "🔑 Checking for hardcoded passwords..."
HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
echo " These should be reviewed for security implications"
else
echo "✅ No hardcoded password references found"
fi
# Check for exposed secrets
echo " секр Checking for exposed secrets..."
EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files"
echo " These should be reviewed for security implications"
else
echo "✅ No exposed secret files found"
fi
# Check that this template properly extends from the base image
echo "🔗 Checking inheritance from base image..."
BASE_INHERITANCE=$(docker history "${IMAGE_NAME}" 2>/dev/null | grep "FROM tsysdevstack-toolboxstack-toolbox-base:release-current" | wc -l)
if [[ "${BASE_INHERITANCE}" -gt 0 ]]; then
echo "✅ Template properly extends from toolbox-base:release-current"
else
echo "⚠️ Template might not properly extend from toolbox-base:release-current"
fi
# Summary
echo ""
echo "🔒 Security Audit Summary:"
echo " - Image: ${IMAGE_NAME}"
echo " - Scan completed with recommendations above"
echo ""
echo "💡 Recommendations:"
echo " 1. Install Trivy for comprehensive security scanning"
echo " 2. Regularly update packages to address vulnerabilities"
echo " 3. Remove unnecessary packages to reduce attack surface"
echo " 4. Review world-writable files/directories"
echo " 5. Review setuid/setgid binaries"
echo " 6. Remove sudo to prevent privilege escalation"
echo " 7. Ensure root login is disabled"
echo " 8. Verify non-root user configuration"
echo " 9. Review hardcoded password references"
echo " 10. Check for exposed secrets"
echo " 11. Ensure proper inheritance from base image"

112
ToolboxStack/output/toolbox-template/test.sh
View File

@@ -1,112 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Test script to verify all tools are working properly in the toolbox-template
IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
echo "🧪 Testing all tools in ${IMAGE_NAME}"
# Function to test a command
test_cmd() {
local cmd="$1"
local description="$2"
echo -n "Testing ${cmd} (${description})... "
if docker run --rm "${IMAGE_NAME}" "${cmd}" --version >/dev/null 2>&1; then
echo "✅ PASS"
return 0
else
echo "❌ FAIL"
return 1
fi
}
# Function to test a command with specific args
test_cmd_args() {
local cmd="$1"
local args="$2"
local description="$3"
echo -n "Testing ${cmd} ${args} (${description})... "
if docker run --rm "${IMAGE_NAME}" "${cmd}" ${args} >/dev/null 2>&1; then
echo "✅ PASS"
return 0
else
echo "❌ FAIL"
return 1
fi
}
# Counter for tracking results
PASSED=0
FAILED=0
# Test core tools inherited from base
echo "🔍 Testing core tools inherited from base..."
test_cmd "zsh" "Z shell" && ((PASSED++)) || ((FAILED++))
test_cmd "git" "Git version control" && ((PASSED++)) || ((FAILED++))
test_cmd "curl" "cURL utility" && ((PASSED++)) || ((FAILED++))
test_cmd "jq" "JSON processor" && ((PASSED++)) || ((FAILED++))
test_cmd "fish" "Fish shell" && ((PASSED++)) || ((FAILED++))
test_cmd "fzf" "Fuzzy finder" && ((PASSED++)) || ((FAILED++))
test_cmd "bat" "Cat clone with wings" && ((PASSED++)) || ((FAILED++))
test_cmd "fd" "Simple, fast alternative to find" && ((PASSED++)) || ((FAILED++))
test_cmd "rg" "Ripgrep - line-oriented search tool" && ((PASSED++)) || ((FAILED++))
test_cmd "htop" "Interactive process viewer" && ((PASSED++)) || ((FAILED++))
test_cmd "btop" "Modern and colorful terminal monitor" && ((PASSED++)) || ((FAILED++))
# Test aqua installed tools inherited from base
echo "🔧 Testing aqua installed tools inherited from base..."
test_cmd "gh" "GitHub CLI" && ((PASSED++)) || ((FAILED++))
test_cmd "lazygit" "Simple terminal UI for git commands" && ((PASSED++)) || ((FAILED++))
test_cmd "direnv" "Unclutter your .profile" && ((PASSED++)) || ((FAILED++))
test_cmd "delta" "Syntax-highlighting pager for git, diff, and grep output" && ((PASSED++)) || ((FAILED++))
test_cmd "zoxide" "Smarter cd command" && ((PASSED++)) || ((FAILED++))
test_cmd "just" "Just a command runner" && ((PASSED++)) || ((FAILED++))
test_cmd "yq" "Portable command-line YAML processor" && ((PASSED++)) || ((FAILED++))
test_cmd "xh" "Friendly and fast tool for sending HTTP requests" && ((PASSED++)) || ((FAILED++))
test_cmd "curlie" "The power of curl, the ease of use of httpie" && ((PASSED++)) || ((FAILED++))
test_cmd "chezmoi" "Manage your dotfiles across multiple machines" && ((PASSED++)) || ((FAILED++))
test_cmd "shfmt" "Shell formatter" && ((PASSED++)) || ((FAILED++))
test_cmd "shellcheck" "Shell script analysis tool" && ((PASSED++)) || ((FAILED++))
test_cmd "hadolint" "Dockerfile linter" && ((PASSED++)) || ((FAILED++))
test_cmd "uv" "Python package installer and resolver" && ((PASSED++)) || ((FAILED++))
test_cmd "watchexec" "Execute commands in response to file modifications" && ((PASSED++)) || ((FAILED++))
test_cmd "tea" "Gitea CLI" && ((PASSED++)) || ((FAILED++))
# Test AI CLI tools inherited from base
echo "🤖 Testing AI CLI tools inherited from base..."
test_cmd_args "code" "--version" "just-every/code AI CLI" && ((PASSED++)) || ((FAILED++))
test_cmd_args "qwen" "--version" "QwenLM/qwen-code AI CLI" && ((PASSED++)) || ((FAILED++))
test_cmd_args "gemini" "--version" "google-gemini/gemini-cli AI CLI" && ((PASSED++)) || ((FAILED++))
test_cmd_args "codex" "--version" "openai/codex AI CLI" && ((PASSED++)) || ((FAILED++))
test_cmd_args "opencode" "--version" "sst/opencode AI CLI" && ((PASSED++)) || ((FAILED++))
# Test additional tools inherited from base
echo "🧰 Testing additional tools inherited from base..."
test_cmd "starship" "Cross-shell prompt" && ((PASSED++)) || ((FAILED++))
test_cmd "mise" "Polyglot runtime manager" && ((PASSED++)) || ((FAILED++))
test_cmd_args "aqua" "--version" "Declarative CLI Version Manager" && ((PASSED++)) || ((FAILED++))
# Summary
echo ""
echo "📊 Test Results:"
echo " Passed: ${PASSED}"
echo " Failed: ${FAILED}"
echo " Total: $((PASSED + FAILED))"
if [[ "${FAILED}" -eq 0 ]]; then
echo "🎉 All tests passed!"
exit 0
else
echo "💥 ${FAILED} tests failed!"
exit 1
fi

2
ToolboxStack/output/toolbox-weather/.gitkeep Normal file
View File

@@ -0,0 +1,2 @@
# This file keeps the directory in git even when it's empty.
# Actual implementation files will be added soon.