chore(cloud-agent): fix local docker sandbox build

[tatoalo]

Problem

The local-overlay cloud-agent sandbox image fails to build under pnpm v11, treating an unapproved dependency build script as fatal, which breaks SANDBOX_PROVIDER=docker image builds

[greptile-apps]

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
products/tasks/backend/sandbox/images/Dockerfile.sandbox-local:24
**Broad build-script allowlist in local sandbox**

`--config.dangerouslyAllowAllBuilds=true` permits every installed package to run its `preinstall`/`install`/`postinstall` scripts unconditionally. For this local-only development image the risk is low, but pnpm v9+ offers a more targeted alternative: list the specific packages that need build scripts in `package.json` under `pnpm.onlyBuiltDependencies` (or a `.npmrc` `onlyBuiltDependencies[]` array). That would satisfy pnpm v11's stricter check without opening the door to all packages. Worth considering if the offending package is already known.

_{Reviews (1): Last reviewed commit: "chore(cloud-agent): fix local docker san..." | Re-trigger Greptile}

[mendral-app]

Supply Chain Security Review

✅ Approve — 1 finding in 1 file

Single Dockerfile change adds --config.dangerouslyAllowAllBuilds=true to a pnpm install of locally-packed workspace tarballs in a local sandbox image. Since the installed packages are internal monorepo artifacts (not arbitrary registry packages), the blast radius is minimal.

_{Tag @mendral-app with feedback or questions. View session}

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-06-01 12:53 UTC	Run
prod-us	✅ Deployed	2026-06-01 13:24 UTC	Run
prod-eu	✅ Deployed	2026-06-01 13:11 UTC	Run