From 852c8979563c1c47126deb58b74bc46a4c61539d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Feb 2026 00:53:50 +0100
Subject: [PATCH] refactor(sandbox): add sandbox-common dockerfile

---
 Dockerfile.sandbox-common       | 45 +++++++++++++++++++++++++++++++++
 scripts/sandbox-common-setup.sh | 39 +++++-----------------------
 2 files changed, 51 insertions(+), 33 deletions(-)
 create mode 100644 Dockerfile.sandbox-common

diff --git a/Dockerfile.sandbox-common b/Dockerfile.sandbox-common
new file mode 100644
index 00000000000..71f80070adf
--- /dev/null
+++ b/Dockerfile.sandbox-common
@@ -0,0 +1,45 @@
+ARG BASE_IMAGE=openclaw-sandbox:bookworm-slim
+FROM ${BASE_IMAGE}
+
+USER root
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ARG PACKAGES="curl wget jq coreutils grep nodejs npm python3 git ca-certificates golang-go rustc cargo unzip pkg-config libasound2-dev build-essential file"
+ARG INSTALL_PNPM=1
+ARG INSTALL_BUN=1
+ARG BUN_INSTALL_DIR=/opt/bun
+ARG INSTALL_BREW=1
+ARG BREW_INSTALL_DIR=/home/linuxbrew/.linuxbrew
+ARG FINAL_USER=sandbox
+
+ENV BUN_INSTALL=${BUN_INSTALL_DIR}
+ENV HOMEBREW_PREFIX=${BREW_INSTALL_DIR}
+ENV HOMEBREW_CELLAR=${BREW_INSTALL_DIR}/Cellar
+ENV HOMEBREW_REPOSITORY=${BREW_INSTALL_DIR}/Homebrew
+ENV PATH=${BUN_INSTALL_DIR}/bin:${BREW_INSTALL_DIR}/bin:${BREW_INSTALL_DIR}/sbin:${PATH}
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ${PACKAGES} \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN if [ "${INSTALL_PNPM}" = "1" ]; then npm install -g pnpm; fi
+
+RUN if [ "${INSTALL_BUN}" = "1" ]; then \
+  curl -fsSL https://bun.sh/install | bash; \
+  ln -sf "${BUN_INSTALL_DIR}/bin/bun" /usr/local/bin/bun; \
+fi
+
+RUN if [ "${INSTALL_BREW}" = "1" ]; then \
+  if ! id -u linuxbrew >/dev/null 2>&1; then useradd -m -s /bin/bash linuxbrew; fi; \
+  mkdir -p "${BREW_INSTALL_DIR}"; \
+  chown -R linuxbrew:linuxbrew "$(dirname "${BREW_INSTALL_DIR}")"; \
+  su - linuxbrew -c "NONINTERACTIVE=1 CI=1 /bin/bash -c '$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)'"; \
+  if [ ! -e "${BREW_INSTALL_DIR}/Library" ]; then ln -s "${BREW_INSTALL_DIR}/Homebrew/Library" "${BREW_INSTALL_DIR}/Library"; fi; \
+  if [ ! -x "${BREW_INSTALL_DIR}/bin/brew" ]; then echo \"brew install failed\"; exit 1; fi; \
+  ln -sf "${BREW_INSTALL_DIR}/bin/brew" /usr/local/bin/brew; \
+fi
+
+# Default is sandbox, but allow BASE_IMAGE overrides to select another final user.
+USER ${FINAL_USER}
+
diff --git a/scripts/sandbox-common-setup.sh b/scripts/sandbox-common-setup.sh
index eac7ea84afc..95c90c8cb97 100755
--- a/scripts/sandbox-common-setup.sh
+++ b/scripts/sandbox-common-setup.sh
@@ -9,6 +9,7 @@ INSTALL_BUN="${INSTALL_BUN:-1}"
 BUN_INSTALL_DIR="${BUN_INSTALL_DIR:-/opt/bun}"
 INSTALL_BREW="${INSTALL_BREW:-1}"
 BREW_INSTALL_DIR="${BREW_INSTALL_DIR:-/home/linuxbrew/.linuxbrew}"
+FINAL_USER="${FINAL_USER:-sandbox}"
 
 if ! docker image inspect "${BASE_IMAGE}" >/dev/null 2>&1; then
   echo "Base image missing: ${BASE_IMAGE}"
@@ -20,44 +21,16 @@ echo "Building ${TARGET_IMAGE} with: ${PACKAGES}"
 
 docker build \
   -t "${TARGET_IMAGE}" \
+  -f Dockerfile.sandbox-common \
+  --build-arg BASE_IMAGE="${BASE_IMAGE}" \
+  --build-arg PACKAGES="${PACKAGES}" \
   --build-arg INSTALL_PNPM="${INSTALL_PNPM}" \
   --build-arg INSTALL_BUN="${INSTALL_BUN}" \
   --build-arg BUN_INSTALL_DIR="${BUN_INSTALL_DIR}" \
   --build-arg INSTALL_BREW="${INSTALL_BREW}" \
   --build-arg BREW_INSTALL_DIR="${BREW_INSTALL_DIR}" \
-  - <<EOF
-FROM ${BASE_IMAGE}
-USER root
-ENV DEBIAN_FRONTEND=noninteractive
-ARG INSTALL_PNPM=1
-ARG INSTALL_BUN=1
-ARG BUN_INSTALL_DIR=/opt/bun
-ARG INSTALL_BREW=1
-ARG BREW_INSTALL_DIR=/home/linuxbrew/.linuxbrew
-ENV BUN_INSTALL=\${BUN_INSTALL_DIR}
-ENV HOMEBREW_PREFIX="\${BREW_INSTALL_DIR}"
-ENV HOMEBREW_CELLAR="\${BREW_INSTALL_DIR}/Cellar"
-ENV HOMEBREW_REPOSITORY="\${BREW_INSTALL_DIR}/Homebrew"
-ENV PATH="\${BUN_INSTALL_DIR}/bin:\${BREW_INSTALL_DIR}/bin:\${BREW_INSTALL_DIR}/sbin:\${PATH}"
-RUN apt-get update \\
-  && apt-get install -y --no-install-recommends ${PACKAGES} \\
-  && rm -rf /var/lib/apt/lists/*
-RUN if [ "\${INSTALL_PNPM}" = "1" ]; then npm install -g pnpm; fi
-RUN if [ "\${INSTALL_BUN}" = "1" ]; then \\
-  curl -fsSL https://bun.sh/install | bash; \\
-  ln -sf "\${BUN_INSTALL_DIR}/bin/bun" /usr/local/bin/bun; \\
-fi
-RUN if [ "\${INSTALL_BREW}" = "1" ]; then \\
-  if ! id -u linuxbrew >/dev/null 2>&1; then useradd -m -s /bin/bash linuxbrew; fi; \\
-  mkdir -p "\${BREW_INSTALL_DIR}"; \\
-  chown -R linuxbrew:linuxbrew "\$(dirname "\${BREW_INSTALL_DIR}")"; \\
-  su - linuxbrew -c "NONINTERACTIVE=1 CI=1 /bin/bash -c '\$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)'"; \\
-  if [ ! -e "\${BREW_INSTALL_DIR}/Library" ]; then ln -s "\${BREW_INSTALL_DIR}/Homebrew/Library" "\${BREW_INSTALL_DIR}/Library"; fi; \\
-  if [ ! -x "\${BREW_INSTALL_DIR}/bin/brew" ]; then echo "brew install failed"; exit 1; fi; \\
-  ln -sf "\${BREW_INSTALL_DIR}/bin/brew" /usr/local/bin/brew; \\
-fi
-USER sandbox
-EOF
+  --build-arg FINAL_USER="${FINAL_USER}" \
+  .
 
 cat <<NOTE
 Built ${TARGET_IMAGE}.