fix(docker): self-dropping netclaw CLI launcher so root exec works (0.23.0-beta.3)

[Aaronontheweb]

Summary

Makes the non-root container model usable for the operator CLI, and locks it in with a standalone-docker regression test. Bumps to 0.23.0-beta.3.

Problem

The daemon runs as the unprivileged netclaw user (good — it executes model-chosen shell commands). But docker exec/kubectl exec default to the image's USER root, and netclaw init — the documented first-run setup — is invoked exactly that way.

A root-context netclaw invocation breaks the agent two ways:

1. Bundle extraction (EACCES). The CLI is a .NET single-file binary; it self-extracts into $HOME/.net/netclaw/<hash>/, which the runtime locks to the invoking user at mode 700. Extracted by root, the non-root daemon can no longer extract its own CLI:

   Failure processing application bundle.
   Failed to create directory [/home/netclaw/.net/netclaw/<hash>] ... Error code: 13
   

   (EACCES, exit 160).
2. Root-owned config. netclaw init writes identity/config/secrets under NETCLAW_HOME as root; the non-root daemon can't read them.

Seen in production: operators inspecting/setting model assignments via kubectl exec left the agents unable to run their own CLI.

Fix

/usr/local/bin/netclaw becomes a self-dropping launcher (docker/netclaw-cli-launcher.sh): if invoked as root it re-execs as netclaw via gosu; if already netclaw it execs directly (so it composes with runAsUser: 1654 / docker exec -u netclaw). netclawd stays a plain symlink — it's only ever launched by the already-dropped entrypoint, so it never hits the root path.

Rationale and alternatives (why not USER netclaw, runAsUser, DOTNET_BUNDLE_EXTRACT_BASE_DIR, or docs-only) are in ADR-004.

Regression test

scripts/docker/test-nonroot-cli.sh (wired into validate_docker_image.yml) reproduces the original break with standalone docker and asserts:

• root docker exec -- netclaw --version exits 0, prints a version (no EACCES signature), and emits the launcher's drop breadcrumb;
• nothing under /home/netclaw/.net or /home/netclaw/.netclaw is owned by uid 0 after root-context CLI runs (the guard — without the launcher the extraction dir is root:root and this fails);
• the non-root path (docker exec -u netclaw) execs directly with no second drop;
• the daemon stays healthy throughout.

Changes

• docker/netclaw-cli-launcher.sh (new) + docker/Dockerfile (CLI → launcher; netclawd symlink unchanged)
• scripts/docker/test-nonroot-cli.sh (new) + validate_docker_image.yml (run it; path trigger; cleanup)
• docs/adr/ADR-004-non-root-cli-self-drop.md (new)
• Directory.Build.props + RELEASE_NOTES.md → 0.23.0-beta.3

Release

Tag 0.23.0-beta.3 after merge to fire publish_release_binaries.yml.