fix(sandbox): switch to root user for package installation in sandbox-common-setup

[arosstale]

Summary

Fixes #16420

The base image (Dockerfile.sandbox) sets USER sandbox as the final layer. When scripts/sandbox-common-setup.sh builds FROM this base image, all subsequent RUN commands (including apt-get update, npm install -g, curl | bash) execute as the unprivileged sandbox user, causing Permission denied errors.

Changes

• Add USER root immediately after FROM in the generated Dockerfile so package installation steps run with the required privileges
• Restore USER sandbox at the end of the build to preserve the non-root runtime default from the base image

Root Cause

# Dockerfile.sandbox (base image)
RUN useradd --create-home --shell /bin/bash sandbox
USER sandbox    # <-- sets default user
WORKDIR /home/sandbox

# sandbox-common-setup.sh (before fix)
FROM ${BASE_IMAGE}          # inherits USER sandbox
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update ...       # fails: Permission denied

Testing

Verified that the generated Dockerfile correctly elevates to root for installation and drops back to sandbox for runtime.

Greptile Overview

Greptile Summary

Fixes permission errors in the sandbox common image build by adding USER root / USER sandbox directives around the package installation steps in the generated Dockerfile.

• The base image (Dockerfile.sandbox) sets USER sandbox as the final layer, so the derived build in sandbox-common-setup.sh inherited the unprivileged user for all RUN commands (apt-get, npm install -g, curl | bash)
• Adds USER root immediately after FROM so installation commands run with required privileges
• Restores USER sandbox at the end to preserve the non-root runtime default

Confidence Score: 5/5

• This PR is safe to merge — it's a minimal, well-scoped Dockerfile fix with no behavioral changes at runtime.
• The change adds two standard Dockerfile directives (USER root/USER sandbox) to fix a clear permission bug. The fix is minimal, correctly placed, and follows Docker best practices. The runtime user is properly restored to the unprivileged sandbox user.
• No files require special attention.

_{Last reviewed commit: 8a01107}

[Copilot]

Pull request overview

This PR fixes permission errors that occur when building Docker images using sandbox-common-setup.sh by ensuring package installation commands run with appropriate privileges.

Changes:

• Add USER root after the FROM directive to elevate privileges for package installations
• Restore USER sandbox at the end of the Dockerfile to maintain non-root runtime defaults

[steipete]

Landed via rebase onto main.

• Gate (local, before merge): pnpm check && pnpm build && pnpm test
• Merge commit: 3189430

Thanks @arosstale!