fix(sandbox): chown /sandbox/.openclaw to sandbox user at end of build

[brycelelbach]

Summary

nemoclaw-sandbox:local is being built such that /sandbox/.openclaw/ ends up root-owned and openclaw.json lands at mode 0444. At runtime, the openclaw process runs as uid 998 (sandbox) and cannot:

• create new files under /sandbox/.openclaw/ (directory is root-owned, drwxr-xr-x)
• rewrite its own openclaw.json (-r--r--r-- root:root)
• read openclaw.json.bak (-rw------- root:root)
• write logs to /sandbox/.openclaw/logs/ (drwx------ root:root)
• read the .config-hash sentinel (-r--r--r-- root:root)

The symptom end-users hit: the OpenClaw dashboard's config edits silently fail, and the agent can't write rotating logs.

Root cause

Two things go wrong during the build:

1. `openshell sandbox create --from Dockerfile` doesn't always honor `USER` directives. The RUN steps after `USER sandbox` (line 43) execute as root in some build environments, so `mkdir -p /sandbox/.openclaw/agents/...`, the python `openclaw.json` write, and `openclaw doctor --fix` all run as root — leaving root-owned state under `.openclaw/`.
2. `openclaw doctor --fix` writes `openclaw.json` with mode `0444` (read-only for everyone), which blocks the runtime from rewriting its own config even when ownership is correct.

Interestingly, `/sandbox/.openclaw-data/` and `/sandbox/.nemoclaw/` both end up correctly `sandbox:sandbox` owned, because the openshell base layer seeds the former and the earlier `chown -R sandbox:sandbox /sandbox` (line 16) covers the latter before the USER-switched steps happen. Only `.openclaw/` is regenerated by `openclaw doctor --fix` and then not re-chowned.

Fix

Add an explicit final `USER root` → `chown -R sandbox:sandbox /sandbox/.openclaw /sandbox/.nemoclaw && chmod -R u+w /sandbox/.openclaw` → `USER sandbox` block at the end of the Dockerfile. This makes the final ownership unambiguous regardless of which intermediate RUN steps ran as root vs sandbox, and restores owner-write on the config files that `openclaw doctor` clamped to `0444`.

The alternative would be to restructure the Dockerfile to do all work as root with explicit `su sandbox -c` for the openclaw-bootstrap steps, but the defensive chown at the end is the smaller diff and works regardless of what intermediate build systems do.

Reproduction (before fix)

On a `bryce-claw` brev instance running this image via openshell:

```
$ kubectl exec -n openshell agent -- ls -la /sandbox/.openclaw/openclaw.json
-r--r--r-- 1 root root 1601 Apr 7 18:19 /sandbox/.openclaw/openclaw.json

$ kubectl exec -n openshell agent -- su sandbox -s /bin/bash -c
'printf "" >> /sandbox/.openclaw/openclaw.json'
bash: /sandbox/.openclaw/openclaw.json: Permission denied
```

Verification

Applied the equivalent of this patch (`chown -R sandbox:sandbox /sandbox/.openclaw && chmod -R u+w /sandbox/.openclaw`) inside the live agent pod. After the change:

```
$ su sandbox -s /bin/bash -c 'touch /sandbox/.openclaw/.writetest && rm /sandbox/.openclaw/.writetest'
$ su sandbox -s /bin/bash -c 'printf "" >> /sandbox/.openclaw/openclaw.json'
$ su sandbox -s /bin/bash -c 'touch /sandbox/.openclaw/logs/test.log && rm /sandbox/.openclaw/logs/test.log'

all succeed

```

Test plan

• `openshell sandbox create --from ./Dockerfile --name nemoclaw` on a clean gateway
• `openshell sandbox connect nemoclaw` and verify `ls -la /sandbox/.openclaw/` shows `sandbox:sandbox` on all entries
• Verify `openclaw.json` is mode `0644` (or at least u+w) and writable by the sandbox user
• Verify the control UI can persist a config edit (no silent write-back failure)
• Verify `/sandbox/.openclaw/logs/` is writable