chore: upgrade sandbox dependencies and fix vulnerabilities

sandboxes/base/Dockerfile

@@ -20,7 +20,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
 WORKDIR /sandbox
 
 # Core system dependencies
-# python3 + pip: agent scripting and SDK usage
+# python3.13 + pip: agent scripting and SDK usage (deadsnakes PPA for Noble)
 # iproute2: network namespace management (ip netns, veth pairs)
 # dnsutils: dig, nslookup
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -31,10 +31,18 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         iputils-ping \
         net-tools \
         netcat-openbsd \
-        python3 \
-        python3-pip \
-        python3-venv \
+        openssh-sftp-server \
+        procps \
+        software-properties-common \
         traceroute \
+    && add-apt-repository -y ppa:deadsnakes/ppa \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        python3.13 \
+        python3.13-venv \
+    && curl -sS https://bootstrap.pypa.io/get-pip.py | python3.13 \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 1 \
+    && update-alternatives --install /usr/bin/python python /usr/bin/python3.13 1 \
     && rm -rf /var/lib/apt/lists/*
 
 # Create supervisor and sandbox users/groups
@@ -54,6 +62,11 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
         nano \
     && rm -rf /var/lib/apt/lists/*
 
+# Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
+# GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+# GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
+RUN npm install -g tar@7.5.11
+
 # GitHub CLI
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
         -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \

sandboxes/nemoclaw/Dockerfile

@@ -27,6 +27,9 @@ COPY policy-proxy.js /usr/local/lib/policy-proxy.js
 COPY proto/ /usr/local/lib/nemoclaw-proto/
 RUN npm install -g @grpc/grpc-js @grpc/proto-loader js-yaml
 
+# Fix @hono/node-server authorization bypass (GHSA-wc8c-qw6v-h7f6)
+RUN npm install -g @hono/node-server@1.19.11
+
 # Allow the sandbox user to read the default policy (the startup script
 # copies it to a writable location; this chown covers non-Landlock envs)
 RUN chown -R sandbox:sandbox /etc/navigator
@@ -56,4 +59,13 @@ RUN set -e; \
     npm uninstall -g esbuild; \
     rm -rf /opt/nemoclaw-devx/node_modules
 
+# Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
+# GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+# GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
+# The base image pins tar@7.5.11 globally, but openclaw ships older nested
+# copies; force-upgrade them. (npm's own bundled tar is not updatable via
+# --prefix without pulling missing internal deps like @npmcli/docs.)
+RUN npm install -g tar@7.5.11 && \
+    npm --prefix "$(npm root -g)/openclaw" update tar
+
 ENTRYPOINT ["/bin/bash"]

sandboxes/openclaw/Dockerfile

@@ -14,8 +14,9 @@ FROM ${BASE_IMAGE}
 
 USER root
 
-# Install OpenClaw CLI
-RUN npm install -g openclaw
+# Install OpenClaw CLI (pinned to fix GHSA-rchv-x836-w7xp, GHSA-6mgf-v5j7-45cr,
+# GHSA-5wcw-8jjv-m286)
+RUN npm install -g openclaw@2026.3.11
 
 # Copy sandbox policy
 COPY policy.yaml /etc/navigator/policy.yaml