fix(sandbox): add python -> python3 symlink in base image

[BenediktSchackenberg]

Summary

Partially fixes #1452.

The sandbox base image installs python3 but has no python binary. Scripts using the bare python command (shebangs, subprocess calls, AI-generated code) fail with python: command not found. This is the specific trigger described in #1452 that causes tool call failures, which in turn can lead to agent hallucination.

Change

Adds ln -s /usr/bin/python3 /usr/local/bin/python in the base image apt-get layer so python resolves to python3 without any user action.

Scope

This PR addresses the sandbox-side trigger. The broader agent hallucination behaviour on tool failure is an OpenClaw agent loop issue outside the scope of NemoClaw.

Signed-off-by: Benedikt Schackenberg 6381261+BenediktSchackenberg@users.noreply.github.com

Summary by CodeRabbit

• Chores
  • Enhanced sandbox environment to ensure scripts using the standard python command execute correctly.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 243d53e4-61ac-4bc0-b1f0-183bd3366411

📥 Commits

Reviewing files that changed from the base of the PR and between f4a01cf and b2a6613.

📒 Files selected for processing (1)

• Dockerfile.base

---

📝 Walkthrough

Walkthrough

The Dockerfile.base is modified to create a /usr/local/bin/python symlink pointing to /usr/bin/python3 during the apt install layer. This ensures tools and scripts that invoke the bare python command will successfully resolve to the available Python 3 executable within the sandbox container.

Changes

Cohort / File(s)	Summary
Docker Base Image Dockerfile.base	Added symlink creation (ln -s /usr/bin/python3 /usr/local/bin/python) to the apt install RUN command, enabling backward compatibility for scripts expecting python command availability.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A symlink so small, yet mighty and true,
Python now answers to names both old and new!
No more "command not found" in the sandbox's call,
This rabbit rejoices—the fix solves it all! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(sandbox): add python -> python3 symlink in base image' directly and clearly describes the main change: adding a symlink to resolve the python command issue in the sandbox.
Linked Issues check	✅ Passed	The PR directly addresses the specific mitigation requested in issue #1452 by adding the python → python3 symlink to prevent the 'python not found' error that triggers tool failures.
Out of Scope Changes check	✅ Passed	The changes are limited to a single Dockerfile modification adding a symlink, which is directly scoped to the linked issue #1452's specific mitigation request with no extraneous changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the NemoClaw sandbox base image to ensure python is available on PATH by adding a symlink to python3, preventing failures for scripts and tool calls that invoke python (as described in #1452).

Changes:

• Add a python -> python3 symlink during the base image apt layer build step.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

ln -s will fail the image build if /usr/local/bin/python already exists (e.g., if the upstream base image or a future layer introduces it). Consider making this idempotent (e.g., conditional creation or forcing/replacing the link) so rebuilds remain robust while still ensuring python resolves to python3.

Suggested change

	&& ln -s /usr/bin/python3 /usr/local/bin/python
	&& ln -sf /usr/bin/python3 /usr/local/bin/python