perf: reduce sandbox image build time and size during onboarding #855

Open
kjw3 wants to merge 3 commits into main from fix/optimize-sandbox-image-builds

kjw3 commented Mar 25, 2026

Summary

Reduce NemoClaw sandbox image build cost during onboarding without changing functionality or weakening the current security model.

This PR keeps the existing monolithic image approach, but trims unnecessary build/runtime overhead and adds a repeatable benchmark for comparing image build performance against origin/main.

What Changed

  • stage a minimal sandbox build context instead of copying whole source trees
  • exclude nemoclaw-blueprint/.venv from the staged context
  • stage only the blueprint files the Docker build actually consumes
  • switch plugin installs from npm install to lockfile-backed npm ci
  • remove unused runtime packages from the sandbox image:
    • python3-pip
    • python3-venv
    • iproute2
    • build-time PyYAML
  • prune clearly non-runtime OpenClaw package content after install:
    • docs
    • READMEs
    • changelogs
    • source maps
  • add benchmark tooling for origin/main vs current branch sandbox image builds

Security / Behavior

This PR is intentionally scoped to image build optimization and does not change the core security model.

Preserved:

  • immutable openclaw.json / config-hash protection
  • gateway vs sandbox user separation
  • no credential values in CLI argv
  • no sandbox secret env injection during sandbox create
  • Dockerfile arg-to-env injection guard for the Python config generation step

Security validation still passes, including the gateway isolation end-to-end test.

Validation

Repo checks:

  • npx vitest run test/sandbox-build-context.test.js test/onboard.test.js test/security-c2-dockerfile-injection.test.js test/credential-exposure.test.js test/runner.test.js
  • git diff --check
  • bash -n test/e2e-test.sh test/e2e-gateway-isolation.sh

Container/security checks:

  • bash test/e2e-gateway-isolation.sh
  • result: 10 passed, 0 failed

Benchmark:

  • node scripts/benchmark-sandbox-image-build.js

Latest result:

  • main (93a475a): 74.2s, 1493.0 MiB
  • candidate: 40.8s, 1165.7 MiB

Delta:

  • build time: 33.4s faster
  • image size: 327.3 MiB smaller

Follow-up

The next larger step is tracked separately in #854:

  • reusable nemoclaw-base image
  • thin per-onboard top image
  • optional uninstall purge for cached/base images
  • possible GHCR publishing flow

Summary by CodeRabbit

  • Chores

    • Lockfile-based installs in build/runtime, reduced runtime packages, trimmed unnecessary files, added env vars to silence installers, and extra cleanup of cached package data during final image hardening.
    • Sandbox build context assembly streamlined to include only essential artifacts, improving image build efficiency and size.
  • New Tools

    • Added a benchmarking tool to compare legacy vs optimized sandbox image builds.
  • Tests

    • Added tests validating staged build-context contents and measured size/build-time reductions; updated validation to use the JS YAML parser.

coderabbitai bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between dde9e19 and 2f45a12.

📒 Files selected for processing (1)
  • scripts/benchmark-sandbox-image-build.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/benchmark-sandbox-image-build.js

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Check name: Docstring Coverage
    Status: ⚠️ Warning
    Explanation: Docstring coverage is 6.67% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Check name: Description Check
    Status: ✅ Passed
    Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Check name: Title check
    Status: ✅ Passed
    Explanation: The title 'perf: reduce sandbox image build time and size during onboarding' directly and accurately summarizes the main objective of the PR: performance optimization of sandbox image builds by reducing both build time and final image size.
