docs(path-b): execution plan + vibn-dev image scaffold

- AI_PATH_B_EXECUTION_PLAN.md: add 3 safety nets (auto-push, kill
  switch, hard tool removal), tighten 4 risks (network policy week 1,
  HMR spike day 1, lean image + lazy mise, random preview suffix).
- AI_CAPABILITIES_ROADMAP.md: pointer note already in place.
- vibn-dev/Dockerfile + supervisord.conf + mise.default.toml + README:
  scaffold for the per-project dev container image. Ubuntu 24.04 +
  git + ripgrep + python3 + mise. Toolchains lazy-install on first
  `mise install`. Container runs as uid 1000 vibn (sudo available).

Frontend wiring lives in vibn-frontend (separate commit).

Made-with: Cursor

vibn-dev/Dockerfile

@@ -0,0 +1,67 @@
+# vibn-dev — per-project AI development container.
+#
+# Goal: a small, fast-pulling base image (~500 MB target) that gives the AI
+# (and the user, eventually) a real shell with git, ripgrep, and the
+# scaffolding to lazy-install language toolchains via mise on first use.
+#
+# Heavy toolchains (Node / Python / Go / Rust) are NOT baked in — they
+# install on demand via `mise install` the first time the AI runs
+# `npm`, `python`, `go`, etc. This keeps the base image lean and lets us
+# bump toolchain versions without rebuilding the image.
+#
+# Spec is in AI_PATH_B_EXECUTION_PLAN.md §3.
+
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    TZ=UTC
+
+# Core OS packages: shell, git, network, build essentials, ripgrep
+# (powers fs.grep), tini (PID 1 reaper), supervisord (process supervisor
+# for sshd + dev servers), curl/ca-certs (downloads), unzip (mise
+# tarballs), sudo (toolchain installers expect it).
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        bash coreutils ca-certificates curl wget git openssh-client \
+        ripgrep jq nano vim less procps lsof net-tools dnsutils \
+        build-essential pkg-config \
+        sudo tini supervisor unzip xz-utils \
+        python3-minimal \
+    && rm -rf /var/lib/apt/lists/*
+
+# vibn user — the AI runs as this, NOT root.
+RUN useradd --create-home --shell /bin/bash --uid 1000 vibn \
+    && mkdir -p /workspace /home/vibn/.cache /home/vibn/.local /var/log/vibn-dev \
+    && chown -R vibn:vibn /workspace /home/vibn /var/log/vibn-dev \
+    && echo 'vibn ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/vibn
+
+# mise — polyglot version manager. Installs Node/Python/Go/Rust on demand.
+# Pinned to a specific version for reproducibility; bump in this Dockerfile.
+ENV MISE_VERSION=v2024.12.14
+RUN curl -fsSL "https://mise.run" | MISE_VERSION=${MISE_VERSION} sh \
+    && mv /root/.local/bin/mise /usr/local/bin/mise \
+    && chmod +x /usr/local/bin/mise
+
+# Hook mise into vibn's shell so `node`, `python` etc. resolve once
+# installed via `mise install`.
+RUN echo 'eval "$(/usr/local/bin/mise activate bash)"' >> /home/vibn/.bashrc \
+    && echo 'export PATH="$HOME/.local/bin:$PATH"' >> /home/vibn/.bashrc
+
+# Default mise toolchain config — lazily materialised. The AI can
+# override per-project by writing /workspace/.mise.toml.
+COPY --chown=vibn:vibn mise.default.toml /home/vibn/.config/mise/config.toml
+
+# supervisord runs sshd-less; we don't need ssh in the container because
+# all exec happens via `docker exec` from the Coolify host. Supervisord
+# is reserved for dev_server.* (Vite/Next/etc) once that ships.
+COPY supervisord.conf /etc/supervisor/conf.d/vibn-dev.conf
+
+WORKDIR /workspace
+USER vibn
+
+# Keep-alive process. The container's job is to exist; commands run via
+# `docker exec`. tail -f /dev/null is the canonical "stay running, do
+# nothing" pattern — cheaper than supervisord for the no-dev-server case.
+ENTRYPOINT ["/usr/bin/tini", "--"]
+CMD ["tail", "-f", "/dev/null"]

vibn-dev/README.md

@@ -0,0 +1,34 @@
+# vibn-dev
+
+Per-project AI development container. One of these runs in Coolify per
+Vibn project; the AI agent (Gemini) drives it via `shell.exec` and
+`fs.*` MCP tools.
+
+See `/AI_PATH_B_EXECUTION_PLAN.md` for the architecture.
+
+## Build & publish
+
+```bash
+docker build -t registry.vibnai.com/vibn-dev:latest .
+docker push registry.vibnai.com/vibn-dev:latest
+```
+
+The image is pre-pulled on every Coolify host on deploy so first-use
+spin-up stays under 5 seconds.
+
+## Smoke test locally
+
+```bash
+docker build -t vibn-dev .
+docker run --rm -it -v "$PWD/scratch:/workspace" vibn-dev bash
+# inside: mise install   # pulls Node lts + Python 3.12 (~90s, one-time)
+# inside: rg --version    # ripgrep ships in the base image
+# inside: git --version
+```
+
+## What's NOT in the image (by design)
+
+- Node/Python/Go/Rust toolchains — lazy-installed via mise
+- Coolify control-plane creds — never. The container has no route to
+  internal Vibn services (Docker network policy enforced at host level)
+- SSH server — exec happens via `docker exec` from the Coolify host

vibn-dev/mise.default.toml

@@ -0,0 +1,6 @@
+# Default toolchain hints for vibn-dev. Nothing is installed until the
+# AI (or the user) runs `mise install`. Override per-project by writing
+# /workspace/.mise.toml — mise auto-loads the closest config.
+[tools]
+node = "lts"
+python = "3.12"

vibn-dev/supervisord.conf

@@ -0,0 +1,9 @@
+; supervisord config for vibn-dev. Currently a no-op — the container
+; runs `tail -f /dev/null` as PID 1 (via tini) and dev servers are
+; launched ad-hoc through `docker exec` + nohup once dev_server.start
+; ships in week 2. Reserved here so the conf path exists.
+[supervisord]
+nodaemon=true
+user=vibn
+logfile=/var/log/vibn-dev/supervisord.log
+pidfile=/tmp/supervisord.pid