Add devcontainer base image with feature deps preinstalled

debian:trixie-slim base with the union of apt packages every feature in
src/ installs on demand, plus common dev utilities. Pre-installing them
short-circuits each feature's dpkg-s/command-v guard, so feature install
becomes a single binary fetch — and removes the dpkg-lock contention the
web-shell run.sh retry loop existed to paper over.

Published to ghcr.io/<owner>/devcontainer-base via a multi-arch buildx
workflow on master pushes and v* tags.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

.github/workflows/publish-devcontainer-base.yml

@@ -0,0 +1,56 @@
+name: Publish Devcontainer Base Image
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - "Dockerfile.devcontainer-base"
+      - ".github/workflows/publish-devcontainer-base.yml"
+    tags: ["v*"]
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Lowercase image name
+        id: img
+        run: echo "name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/devcontainer-base" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract tags
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.img.outputs.name }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=sha,format=short
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./Dockerfile.devcontainer-base
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile.devcontainer-base

@@ -0,0 +1,38 @@
+ARG BASE_IMAGE=debian:trixie-slim
+FROM ${BASE_IMAGE}
+
+SHELL ["/bin/bash", "-c"]
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends --no-install-suggests \
+        build-essential \
+        ca-certificates \
+        curl \
+        dtach \
+        file \
+        git \
+        gnupg \
+        htop \
+        iputils-ping \
+        jq \
+        less \
+        locales \
+        lsb-release \
+        lsof \
+        openssh-client \
+        procps \
+        python3 \
+        rsync \
+        software-properties-common \
+        strace \
+        sudo \
+        tar \
+        tree \
+        unzip \
+        vim \
+        wget && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen && locale-gen
+ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8