simplify ./images

[banksean]

Sand uses too many images. One image per agent doesn't scale well to additional agent types, and limits sand's ability to run multiple agents on the same container instance.

Some ideas for simplifying the number and complexity of container images that sand currently relies on:

• bind-mount the linux-arm64 sand binary

  • don't build innie in images/base/Dockerfile
  • cross-compile the container-side innie sand executable for linux-arm64 and publish it simultaneously with the brew tap bits for the macOS-side sand binary
  • bind-mount the innie into the container at some well-known fixed path location
  • add that path to the user's $PATH at container creation time

• rely on/expand use of cross-container package caching for agent installers

  • don't build separate images, one for each agent, with the agent binaries pre-installed
  • install agents at container creation time (or perhaps at exec time, if we want to support multiple agents on the same container instance)
  • cross-container package caching can amortize the again installer download cost over multiple sandbox instances.
  • TODO: verify that there are cache-friendly installation methods for claude, codex, gemini, opencode etc.
    • npm, apk should already work with mise caching, though that would now basically promote mise to a hard requirement for sand (instead of an opportunistic speedup for projects that already use mise).
    • may need to re-visit general purpose cross-container http caching, since that could potentially handle all of these installers and many more use cases.