docs(path-b): execution plan + vibn-dev image scaffold

- AI_PATH_B_EXECUTION_PLAN.md: add 3 safety nets (auto-push, kill
  switch, hard tool removal), tighten 4 risks (network policy week 1,
  HMR spike day 1, lean image + lazy mise, random preview suffix).
- AI_CAPABILITIES_ROADMAP.md: pointer note already in place.
- vibn-dev/Dockerfile + supervisord.conf + mise.default.toml + README:
  scaffold for the per-project dev container image. Ubuntu 24.04 +
  git + ripgrep + python3 + mise. Toolchains lazy-install on first
  `mise install`. Container runs as uid 1000 vibn (sudo available).

Frontend wiring lives in vibn-frontend (separate commit).

Made-with: Cursor

vibn-dev/README.md

@@ -0,0 +1,34 @@
+# vibn-dev
+
+Per-project AI development container. One of these runs in Coolify per
+Vibn project; the AI agent (Gemini) drives it via `shell.exec` and
+`fs.*` MCP tools.
+
+See `/AI_PATH_B_EXECUTION_PLAN.md` for the architecture.
+
+## Build & publish
+
+```bash
+docker build -t registry.vibnai.com/vibn-dev:latest .
+docker push registry.vibnai.com/vibn-dev:latest
+```
+
+The image is pre-pulled on every Coolify host on deploy so first-use
+spin-up stays under 5 seconds.
+
+## Smoke test locally
+
+```bash
+docker build -t vibn-dev .
+docker run --rm -it -v "$PWD/scratch:/workspace" vibn-dev bash
+# inside: mise install   # pulls Node lts + Python 3.12 (~90s, one-time)
+# inside: rg --version    # ripgrep ships in the base image
+# inside: git --version
+```
+
+## What's NOT in the image (by design)
+
+- Node/Python/Go/Rust toolchains — lazy-installed via mise
+- Coolify control-plane creds — never. The container has no route to
+  internal Vibn services (Docker network policy enforced at host level)
+- SSH server — exec happens via `docker exec` from the Coolify host