feat(foundry): add foundry base sandbox image with sudo, chromium, and dev tooling

Add a custom Docker image (foundry-base.Dockerfile) that builds sandbox-agent
from source and layers sudo, git, neovim, gh, node, bun, chromium, and
agent-browser. Includes publish script for timestamped + latest tags to
rivetdev/sandbox-agent on Docker Hub.

Update local sandbox provider default to use foundry-base-latest and wire
HF_LOCAL_SANDBOX_IMAGE env var through compose.dev.yaml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

foundry/compose.dev.yaml

@@ -44,6 +44,7 @@ services:
       STRIPE_WEBHOOK_SECRET: "${STRIPE_WEBHOOK_SECRET:-}"
       STRIPE_PRICE_TEAM: "${STRIPE_PRICE_TEAM:-}"
       FOUNDRY_SANDBOX_PROVIDER: "${FOUNDRY_SANDBOX_PROVIDER:-local}"
+      HF_LOCAL_SANDBOX_IMAGE: "${HF_LOCAL_SANDBOX_IMAGE:-rivetdev/sandbox-agent:foundry-base-latest}"
       E2B_API_KEY: "${E2B_API_KEY:-}"
       E2B_TEMPLATE: "${E2B_TEMPLATE:-}"
       HF_E2B_TEMPLATE: "${HF_E2B_TEMPLATE:-${E2B_TEMPLATE:-}}"
@@ -56,8 +57,6 @@ services:
       - "7741:7741"
     volumes:
       - "..:/app"
-      # The linked RivetKit checkout resolves from Foundry packages to /task/rivet-checkout in-container.
-      - "../../../task/rivet-checkout:/task/rivet-checkout:ro"
       # Reuse the host Codex auth profile for local sandbox-agent Codex sessions in dev.
       - "${HOME}/.codex:/root/.codex"
       - "/var/run/docker.sock:/var/run/docker.sock"
@@ -86,7 +85,6 @@ services:
       - "..:/app"
       # Ensure logs in .foundry/ persist on the host even if we change source mounts later.
       - "./.foundry:/app/foundry/.foundry"
-      - "../../../task/rivet-checkout:/task/rivet-checkout:ro"
       # Use Linux-native repo dependencies inside the container instead of host node_modules.
       - "foundry_node_modules:/app/node_modules"
       - "foundry_client_node_modules:/app/foundry/packages/client/node_modules"