* feat: use Nix profiles in sandbox Docker image
Replace manual tool installs (rustup, nodesource, curl installers) in
sandbox-image/Dockerfile.sandbox with a single `nix profile install .#sandbox`.
All tools (Rust, Node, Bun, Deno, Go, gh, sqlx-cli, cargo-watch, Chromium,
Playwright, etc.) are now managed declaratively via flake.nix.
- Add `packages.sandbox` and `packages.sandbox-full` buildEnv outputs to flake.nix
- Add `sandbox-env` helper script for browser tooling env vars
- Update playwrightWrapper to export PLAYWRIGHT_BROWSERS_PATH
- Rewrite Dockerfile.sandbox: Nix replaces ~50 lines of manual installs
- Update entrypoint.sh to source Nix profile PATH
- Delete deprecated root Dockerfile.sandbox
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: sandbox image runs as non-root user with wmdev
- Rewrite entrypoint.sh to start PostgreSQL as current user (no
  chown/su needed), fixing "Operation not permitted" when wmdev
  runs containers with --user
- Add chmod -R 777 /root and passwd entry for UID 1000 so non-root
  containers can access bashrc, nix-profile, and tool configs
- Remove apt postgresql server (Nix profile provides it)
- Fix bash history expansion errors from literal `!` in system prompt
- Fix asciinema path reference (available on PATH, not hardcoded)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: wrap pkg-config in sandbox profiles to bake in Nix search path
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add openssh-client and sudo to sandbox image for full root access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: use useradd instead of manual passwd entry for sandbox agent user
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>