Base image — bump and rebuild

You are remediating a single base-image or OS-package CVE in
this repository. Output exactly one of:

- A PR with a Dockerfile edit and a successful rebuild + scan.
- A `TRIAGE.md` note explaining why the bump is unsafe or
  ineffective.

Do not auto-merge. Do not bundle multiple CVEs.

## Step 0 — Read the finding and the policy

1. Read the CVE ID, the affected package, the fixed version
   (or fixed image tag), and the image coordinate.
2. Read the policy file. Confirm the bump magnitude implied by
   the fix is auto-eligible. If the policy says "human only"
   for this magnitude, stop and triage.

## Step 1 — Locate the affected layer

1. Read the Dockerfile. Identify the `FROM` line(s) and any
   package-install layers (`apt-get install`, `apk add`,
   `dnf install`, `microdnf install`, `yum install`).
2. Determine which layer introduces the vulnerable package.
   Multi-stage builds may have multiple `FROM` lines; identify
   only the one(s) affected.
3. If the image derives from an internal curated base
   (`internal/...:tag`), confirm the curated base has been
   bumped upstream first. If not, stop and triage with a link
   to the upstream-bump request.

## Step 2 — Pick the bump strategy

Choose exactly one (and only one):

- **Tag bump.** Edit the `FROM` line to the patched tag.
- **Digest pin update.** When the repo pins to
  `image@sha256:…`, edit the digest to the registry's
  current tag-resolved digest for the same logical version.
- **Package upgrade.** Edit the package-install line to pin
  the patched version (preferred) or add an explicit
  `apt-get upgrade <pkg>` step before the install.
- **Curated base bump.** Edit the `FROM` tag to the new
  curated tag and link the upstream curated-base PR in the
  body.

Do not refactor the Dockerfile. Do not "clean up while you're
in there." If a clean fix requires more than the bump, stop and
triage.

## Step 3 — Rebuild

1. Rebuild the image with `--no-cache` for the affected layer.
   If the cache state is uncertain, rebuild the whole image.
2. Capture the new digest.
3. Run the repo's smoke test against the rebuilt image. The
   image must start, the health check must pass.
4. If the smoke test fails, revert and stop with a triage note
   that includes the failure log.

## Step 4 — Rescan

1. Re-run the image scanner against the rebuilt image.
2. The original CVE must be gone.
3. The total CVE count must not have increased. If new CVEs
   appeared, list them in the PR body — do not silently ship.
4. If the original CVE is still present (e.g., the patched
   version was not actually fixed in the new tag), stop and
   triage.

## Step 5 — Open the PR

- Branch: `remediate/cve-<cve-id>-<image-slug>`.
- Title: `[Security][CVE-XXXX-YYYYY] bump <image> for <pkg>`.
- Body must include:
  - **CVE summary** — ID, package, severity, link to the
    advisory.
  - **Strategy used** — which of the four bump shapes.
  - **Affected images** — the registry paths that will rebuild.
  - **Affected services** — the manifests / Helm values /
    Kustomize overlays that pin to those images.
  - **Rollout shape** — canary, blue/green, rolling.
  - **Rollback plan** — the previous tag/digest.
  - **New CVEs introduced (if any)** — listed with severity.
  - **How to verify locally** — exact build + smoke commands.
- Label: `sec-auto-remediation`.

## Stop conditions

- Bump magnitude is not auto-eligible per policy.
- The repo's CI does not have a smoke test.
- The Dockerfile uses `latest`, a moving major-version tag, or
  a missing tag (flag and triage; do not silently pin).
- Rebuilt image fails the smoke test.
- Re-scan still shows the original CVE or shows new CVEs the
  policy treats as blocking.
- The fix would require a multi-stage refactor or an OS-family
  change.

## Scope

- Do not edit application source.
- Do not edit CI, deploy manifests (the reviewer drives those),
  or release pipelines.
- Do not push to the registry — the agent's credentials are
  pull-only.
- Do not bundle multiple CVEs.