feat(sandbox): bake Homebrew core into the sandbox base image (#3913)

[latenighthackathon]

Summary

Closes #3913. Bakes Homebrew core into the sandbox base image so the brew policy preset actually works end-to-end. Without this, applying the preset and running brew install <formula> inside the sandbox fails with Insufficient permissions to install Homebrew to "/home/linuxbrew/.linuxbrew" because the sandbox lacks filesystem write to /home/linuxbrew/ AND runs as an unprivileged user with no sudo.

Problem

Two filesystem constraints block runtime Homebrew installation today:

1. nemoclaw-blueprint/policies/openclaw-sandbox.yaml lists only [/tmp, /dev/null, /sandbox/.openclaw, /sandbox/.nemoclaw] plus the workdir under filesystem_policy.read_write. Landlock denies writes to /home/linuxbrew/.
2. Dockerfile.base runs the sandbox as useradd -r -g sandbox -d /sandbox -s /bin/bash sandbox (no sudo). Homebrew's install script's first step is sudo to create + chown /home/linuxbrew/.linuxbrew, which the sandbox cannot grant.

Result: the brew preset's binary whitelist for /home/linuxbrew/.linuxbrew/bin/* is dead code. Two QA reports already documented the symptom: #1767 (filed 2026-04-10) and #3757 (filed 2026-05-18). #3846 was an interim docs-only attempt that we closed in favor of this PR; documenting a bootstrap that cannot actually succeed in the default sandbox would have set wrong expectations.

Approach

Follow the #3682 precedent (WeChat plugin baked into the base image in v0.0.46): provision the tool at image-build time, when the build runs as root and can create + chown the prefix.

• Dockerfile.base: after the existing WeChat plugin install block, add a step that creates /home/linuxbrew/.linuxbrew/bin, chowns to sandbox:sandbox, clones Homebrew core as the sandbox user via gosu at the pinned ARG HOMEBREW_VERSION=5.1.12 tag, symlinks the brew entry point, and asserts brew --version succeeds. The ARG keeps the base-image layer reproducible across rebuilds and can be bumped by editing the default or passing --build-arg.
• nemoclaw-blueprint/policies/openclaw-sandbox.yaml: add /home/linuxbrew to filesystem_policy.read_write so runtime brew install <formula> can extract bottles and manage Cellar/opt symlinks.
• test/policies.test.ts: behavior-style assertion that the baseline read_write list includes the Homebrew prefix. Trips CI if a future change drops the entry.

Cost

Approximately 80 to 150 MB on the base image (Homebrew core only; formulae download on demand). Acceptable relative to the existing ~2.4 GB sandbox image and consistent with the trade-off the project already accepted for the WeChat plugin baking.

Follow-up docs PR planned

Once this merges and the base image rebuilds, a small docs PR will land covering the new flow on the matching MDX pages: apply the brew preset, run brew install <formula>. The previous attempt at documenting a runtime bootstrap (closed #3846) becomes obsolete and the new docs will reflect that brew is included by default.

Out of scope

• agents/hermes/Dockerfile.base — Hermes does not currently get the WeChat plugin baking either; same scoping rationale. Can extend in a follow-up if maintainers want Homebrew under Hermes.
• System PATH — users can run brew via the full path /home/linuxbrew/.linuxbrew/bin/brew or via eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)". A separate PR could add the prefix to /etc/bash.bashrc if a cleaner default UX is wanted.
• Option B (drop the brew preset entirely) — discussed in #3913; rejected because removing a Balanced-tier preset is a user-visible regression.

Test plan

• prek run --files clean on all changed files
• New test/policies.test.ts assertion passes (Homebrew prefix test)
• Behavior-style test (parses YAML and checks the structured read_write array); satisfies the source-shape budget
• Verified the pinned HOMEBREW_VERSION=5.1.12 tag exists upstream (gh api repos/Homebrew/brew/releases + direct https://github.com/Homebrew/brew/releases/tag/5.1.12 returns 200)
• CI to verify: sandbox base image rebuilds successfully with the new step
• CI to verify: brew --version runs inside a freshly-created sandbox (covered by the build-time gosu sandbox /home/linuxbrew/.linuxbrew/bin/brew --version assertion in Dockerfile.base)
• Manual smoke after base-image publish: nemoclaw onboard -> <name> policy-add brew --yes -> <name> connect -> brew install hello -> succeeds

Signed-off-by: latenighthackathon latenighthackathon@users.noreply.github.com

Summary by CodeRabbit

• New Features

  • Homebrew package manager is now pre-installed and available in the sandbox environment, enabling users to install and manage software packages using standard Homebrew commands.

• Tests

  • Added validation tests for Homebrew policy configuration and binary permissions.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c7dff67b-fffd-4cc6-90a8-eedcdee90e6d

📥 Commits

Reviewing files that changed from the base of the PR and between 91b7020 and 20b8ab2.

📒 Files selected for processing (3)

• Dockerfile.base
• nemoclaw-blueprint/policies/presets/brew.yaml
• test/policies.test.ts

✅ Files skipped from review due to trivial changes (1)

• nemoclaw-blueprint/policies/presets/brew.yaml

---

📝 Walkthrough

Walkthrough

Bakes Homebrew into the sandbox base image (cloned as the sandbox user and symlinked), adds /home/linuxbrew to the sandbox filesystem read-write allowlist, adds /usr/local/bin/brew to the brew preset binaries, and adds tests asserting these policy and preset entries.

Changes

Homebrew sandbox support

Layer / File(s)	Summary
Homebrew installation in base image Dockerfile.base	Adds HOMEBREW_VERSION build-arg and a RUN step to create /home/linuxbrew/.linuxbrew, clone Homebrew/brew as sandbox, symlink brew into the bin prefix, and verify with brew --version.
Sandbox policy and brew preset update nemoclaw-blueprint/policies/openclaw-sandbox.yaml, nemoclaw-blueprint/policies/presets/brew.yaml	Adds /home/linuxbrew to filesystem_policy.read_write with documentation and includes /usr/local/bin/brew in the brew preset binaries allowlist.
Policy and preset tests test/policies.test.ts	Adds two assertions: one verifying /home/linuxbrew appears in openclaw-sandbox.yaml read_write, and one asserting the brew preset binaries list matches the expected ordered allowlist (including /usr/local/bin/brew).

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I dug a prefix, snug and bright,
Where bottles sleep through sandbox night,
I cloned the brew with careful paw,
Symlinked paths and checked the law,
Hop, install — the sandbox sips delight!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: baking Homebrew core into the sandbox base image, which is the central objective of this pull request.
Linked Issues check	✅ Passed	All code changes directly address the primary objectives from #3913: bake Homebrew at build time, add write access to /home/linuxbrew, verify binary whitelist, and test the baseline policy.
Out of Scope Changes check	✅ Passed	All changes are scoped to the stated objectives: Dockerfile.base bakes Homebrew, openclaw-sandbox.yaml grants write access, brew.yaml updates binaries, and tests validate the configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.base`:
- Around line 233-240: The RUN step currently clones Homebrew with a moving ref
(--branch=stable); replace this with a pinned ref workflow: add an ARG (e.g.
HOMEBREW_REF) and in the same RUN use gosu sandbox git clone --depth=1
https://github.com/Homebrew/brew.git /home/linuxbrew/.linuxbrew/Homebrew (no
--branch), then run gosu sandbox git -C /home/linuxbrew/.linuxbrew/Homebrew
fetch --depth=1 origin ${HOMEBREW_REF} && gosu sandbox git -C
/home/linuxbrew/.linuxbrew/Homebrew checkout --detach ${HOMEBREW_REF} so the
layer is reproducible and tied to the immutable ref; ensure HOMEBREW_REF ARG is
declared and documented.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b74bd06a-5deb-461b-b8d9-05a0fcfe7f1c

📥 Commits

Reviewing files that changed from the base of the PR and between fa6dd4a and d44a26e.

📒 Files selected for processing (3)

• Dockerfile.base
• nemoclaw-blueprint/policies/openclaw-sandbox.yaml
• test/policies.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.base`:
- Around line 247-255: The Dockerfile sets ARG HOMEBREW_VERSION=5.1.12 but that
tag doesn't exist, causing the git clone in the RUN block (gosu sandbox git
clone --depth=1 --branch="${HOMEBREW_VERSION}"
https://github.com/Homebrew/brew.git /home/linuxbrew/.linuxbrew/Homebrew) to
fail; update the ARG HOMEBREW_VERSION to a valid tag such as 5.1.11 so the
branch="${HOMEBREW_VERSION}" clone succeeds and subsequent steps (ln -s
.../Homebrew/bin/brew and gosu sandbox /home/linuxbrew/.linuxbrew/bin/brew
--version) run correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 960321a5-14a7-48c8-8bae-61fff3822f98

📥 Commits

Reviewing files that changed from the base of the PR and between d44a26e and 91b7020.

📒 Files selected for processing (3)

• Dockerfile.base
• nemoclaw-blueprint/policies/openclaw-sandbox.yaml
• test/policies.test.ts