chore: use uv for Python management, consolidate Dockerfile layers, and clean up policies

- Remove deadsnakes PPA, apt Python packages, and pip bootstrap; let uv
  manage the full Python 3.13 toolchain
- Merge Node.js install + npm upgrade into a single RUN layer
- Merge all npm global installs (vuln fixes + CLI tools) into one call
- Add uv cache clean after python install and venv creation
- Copy base policy.yaml into the image instead of just creating the dir
- Remove duplicate UV_PYTHON_INSTALL_DIR ENV and redundant mkdir
- Update syntax directive from dockerfile:1.4 to dockerfile:1
- Revert nemoclaw/openclaw policies to main and replace repo-specific
  rules (johntmyers/alpha-claw, bravo-claw) with generic placeholders

Author: drew

sandboxes/base/Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1
 
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
@@ -20,9 +20,9 @@ ENV DEBIAN_FRONTEND=noninteractive \
 WORKDIR /sandbox
 
 # Core system dependencies
-# python3.13 + pip: agent scripting and SDK usage (deadsnakes PPA for Noble)
 # iproute2: network namespace management (ip netns, veth pairs)
 # dnsutils: dig, nslookup
+# Python is managed entirely by uv (see devtools stage).
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
@@ -33,17 +33,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         netcat-openbsd \
         openssh-sftp-server \
         procps \
-        software-properties-common \
         traceroute \
-    && add-apt-repository -y ppa:deadsnakes/ppa \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends \
-        python3.13 \
-        python3.13-venv \
-        python3.13-dev \
-    && curl -sS https://bootstrap.pypa.io/get-pip.py | python3.13 \
-    && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 1 \
-    && update-alternatives --install /usr/bin/python python /usr/bin/python3.13 1 \
     && rm -rf /var/lib/apt/lists/*
 
 # Create supervisor and sandbox users/groups
@@ -57,25 +47,32 @@ FROM system AS devtools
 # Pin to a specific patch version for reproducible builds.
 # CVE-2026-21637, CVE-2025-59466, CVE-2025-59465, CVE-2025-55131 affect
 # Node.js <= 22.22.1. Update to 22.23.0+ when a patched release ships.
+#
+# npm is upgraded to v11 in the same layer to avoid caching the old npm.
+# npm 11 ships tar@^7.5.9, fixing tar@6.2.1 vulns bundled in npm 10
+# (GHSA-r6q2-hw4h-h46w, GHSA-8qq5-rm4j-mr97, GHSA-83g3-92jg-28cx,
+# GHSA-34x7-hfp2-rc4v, GHSA-qffp-2rhf-9h96).
 RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
     apt-get install -y --no-install-recommends \
         build-essential \
         git \
         nodejs=22.22.1-1nodesource1 \
         vim-tiny \
         nano \
-    && rm -rf /var/lib/apt/lists/*
-
-# Upgrade npm to v11 which ships tar@^7.5.9 (fixes tar@6.2.1 vulns bundled in
-# npm 10: GHSA-r6q2-hw4h-h46w, GHSA-8qq5-rm4j-mr97, GHSA-83g3-92jg-28cx,
-# GHSA-34x7-hfp2-rc4v, GHSA-qffp-2rhf-9h96).
-RUN npm install -g npm@11.11.0
-
-# Fix transitive tar and @hono/node-server vulnerabilities
-# (GHSA-qffp-2rhf-9h96, GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97,
-# GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx,
-# GHSA-wc8c-qw6v-h7f6).
-RUN npm install -g tar@7.5.11 @hono/node-server@1.19.11
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g npm@11.11.0
+
+# Global npm packages — pinned for reproducibility.
+# tar + @hono/node-server: transitive vuln fixes
+#   (GHSA-qffp-2rhf-9h96, GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97,
+#    GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx,
+#    GHSA-wc8c-qw6v-h7f6).
+# opencode-ai + @openai/codex: agent CLIs.
+RUN npm install -g \
+        tar@7.5.11 \
+        @hono/node-server@1.19.11 \
+        opencode-ai@1.2.18 \
+        @openai/codex@0.111.0
 
 # GitHub CLI
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
@@ -90,12 +87,14 @@ RUN curl -fsSL https://claude.ai/install.sh | bash \
     && cp /root/.local/bin/claude /usr/local/bin/claude \
     && chmod 755 /usr/local/bin/claude
 
-# Install OpenCode CLI and Codex CLI (OpenAI) with pinned versions for
-# reproducible builds.
-RUN npm install -g opencode-ai@1.2.18 @openai/codex@0.111.0
-
-# uv (Python package manager) — pinned for reproducibility
+# uv (Python package/project manager) — pinned for reproducibility.
+# uv manages the Python toolchain; no system Python packages are needed.
 COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /usr/local/bin/uv
+ENV UV_PYTHON_INSTALL_DIR="/sandbox/.uv/python"
+RUN uv python install 3.13 && \
+    ln -s $(uv python find 3.13) /usr/local/bin/python3 && \
+    ln -s $(uv python find 3.13) /usr/local/bin/python && \
+    uv cache clean
 
 # Final base image
 FROM devtools AS final
@@ -105,11 +104,10 @@ FROM devtools AS final
 # VIRTUAL_ENV and UV_PYTHON_INSTALL_DIR are also exported in .bashrc
 # so that login shell sessions (interactive and exec) see them.
 ENV PATH="/sandbox/.venv/bin:/usr/local/bin:/usr/bin:/bin" \
-    VIRTUAL_ENV="/sandbox/.venv" \
-    UV_PYTHON_INSTALL_DIR="/sandbox/.uv/python"
+    VIRTUAL_ENV="/sandbox/.venv"
 
-# Ensure policy directory exists
-RUN mkdir -p /etc/navigator
+# Default sandbox network / filesystem policy
+COPY policy.yaml /etc/navigator/policy.yaml
 
 # Copy custom skills into the image.
 # To add a skill, create a subdirectory under sandboxes/base/skills/
@@ -118,11 +116,12 @@ RUN mkdir -p /etc/navigator
 COPY skills/ /sandbox/.agents/skills/
 
 # Set up sandbox user home directory
-RUN mkdir -p /sandbox/.agents/skills /sandbox/.claude/skills && \
-    # Create a writable venv that inherits all system packages.
-    # Sandbox users can `pip install` or `uv pip install` into
+RUN mkdir -p /sandbox/.claude/skills && \
+    # Create a writable venv using uv-managed Python 3.13.
+    # Sandbox users can `uv pip install` (or `pip install`) into
     # this venv without touching the base image layer.
-    uv venv --python /usr/bin/python3.13 --seed --system-site-packages /sandbox/.venv && \
+    uv venv --python 3.13 --seed /sandbox/.venv && \
+    uv cache clean && \
     chown -R sandbox:sandbox /sandbox/.venv && \
     # Minimal shell init files so interactive and non-interactive shells
     # get a sane PATH and prompt.  Without these, bash sources nothing

sandboxes/base/policy.yaml

@@ -0,0 +1,161 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+version: 1
+
+# --- Sandbox setup configuration (queried once at startup) ---
+
+filesystem_policy:
+  include_workdir: true
+  read_only:
+    - /usr
+    - /lib
+    - /proc
+    - /dev/urandom
+    - /app
+    - /etc
+    - /var/log
+  read_write:
+    - /sandbox
+    - /tmp
+    - /dev/null
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+# --- Network policies (queried per-CONNECT request) ---
+#
+# Each named policy maps a set of allowed (binary, endpoint) pairs.
+# Binary identity is resolved via /proc/net/tcp inode lookup + /proc/{pid}/exe.
+# Ancestors (/proc/{pid}/status PPid walk) and cmdline paths are also matched.
+# SHA256 integrity is enforced in Rust via trust-on-first-use, not here.
+
+network_policies:
+  claude_code:
+    name: claude-code
+    endpoints:
+      - { host: api.anthropic.com, port: 443, protocol: rest, enforcement: enforce, access: full, tls: terminate }
+      - { host: statsig.anthropic.com, port: 443 }
+      - { host: sentry.io, port: 443 }
+      - { host: raw.githubusercontent.com, port: 443 }
+      - { host: platform.claude.com, port: 443 }
+    binaries:
+      - { path: /usr/local/bin/claude }
+      - { path: /usr/bin/node }
+
+  github_ssh_over_https:
+    name: github-ssh-over-https
+    endpoints:
+      - host: github.com
+        port: 443
+        protocol: rest
+        tls: terminate
+        enforcement: enforce
+        rules:
+          # Git Smart HTTP read-only: allow clone, fetch, pull
+          # Discovery (query string is included in path matching)
+          - allow:
+              method: GET
+              path: "/**/info/refs*"
+          # Data transfer for reads (all repos)
+          - allow:
+              method: POST
+              path: "/**/git-upload-pack"
+          # Data transfer for writes
+          # - allow:
+          #    method: POST
+          #    path: "/**/git-receive-pack"
+    binaries:
+      - { path: /usr/bin/git }
+
+  nvidia_inference:
+    name: nvidia-inference
+    endpoints:
+      - { host: integrate.api.nvidia.com, port: 443 }
+    binaries:
+      - { path: /usr/bin/curl }
+      - { path: /bin/bash }
+      - { path: /usr/local/bin/opencode }
+
+  # --- GitHub REST API (read-only) ---
+  github_rest_api:
+    name: github-rest-api
+    endpoints:
+      - host: api.github.com
+        port: 443
+        protocol: rest
+        tls: terminate
+        enforcement: enforce
+        access: read-only
+    binaries:
+      - { path: /usr/local/bin/claude }
+      - { path: /usr/bin/gh }
+
+  pypi:
+    name: pypi
+    endpoints:
+      - { host: pypi.org, port: 443 }
+      - { host: files.pythonhosted.org, port: 443 }
+      # uv python install downloads from python-build-standalone on GitHub
+      - { host: github.com, port: 443 }
+      - { host: objects.githubusercontent.com, port: 443 }
+      # uv resolves python-build-standalone release metadata via the GitHub API
+      - { host: api.github.com, port: 443 }
+      - { host: downloads.python.org, port: 443 }
+    binaries:
+      - { path: /sandbox/.venv/bin/python }
+      - { path: /sandbox/.venv/bin/python3 }
+      - { path: /sandbox/.venv/bin/pip }
+      - { path: /app/.venv/bin/python }
+      - { path: /app/.venv/bin/python3 }
+      - { path: /app/.venv/bin/pip }
+      - { path: /usr/local/bin/uv }
+      # Managed Python installations from uv python install
+      - { path: "/sandbox/.uv/python/**" }
+
+  vscode:
+    name: vscode
+    endpoints:
+      - { host: update.code.visualstudio.com, port: 443 }
+      # NOTE: OPA host matching uses exact equality, not glob — list hosts explicitly.
+      - { host: az764295.vo.msecnd.net, port: 443 }
+      - { host: vscode.download.prss.microsoft.com, port: 443 }
+      - { host: marketplace.visualstudio.com, port: 443 }
+      - { host: gallerycdn.vsassets.io, port: 443 }
+    binaries:
+      - { path: /usr/bin/curl }
+      - { path: /usr/bin/wget }
+      - { path: "/sandbox/.vscode-server/**" }
+      - { path: "/sandbox/.vscode-remote-containers/**" }
+
+  cursor:
+    name: cursor
+    endpoints:
+      - { host: cursor.blob.core.windows.net, port: 443 }
+      # NOTE: OPA host matching uses exact equality, not glob — list hosts explicitly.
+      - { host: api2.cursor.sh, port: 443 }
+      - { host: repo.cursor.sh, port: 443 }
+      - { host: download.cursor.sh, port: 443 }
+      - { host: cursor.download.prss.microsoft.com, port: 443 }
+    binaries:
+      - { path: /usr/bin/curl }
+      - { path: /usr/bin/wget }
+      - { path: "/sandbox/.cursor-server/**" }
+
+  opencode:
+    name: opencode
+    endpoints:
+    - host: registry.npmjs.org
+      port: 443
+    - host: opencode.ai
+      port: 443
+    - host: integrate.api.nvidia.com
+      port: 443
+    binaries:
+    - path: /usr/lib/node_modules/opencode-ai/bin/.opencode
+    - path: /usr/bin/node
+    - path: /usr/local/bin/opencode