fix(sandbox): Use pip to install uv in Docker build

[bheemreddy-samsara]

Summary

• Fix sandbox Docker build failing due to SSL certificate issues when using curl to download uv installer
• Use pip to install uv instead, avoiding SSL verification problems in Docker build environments

What changed

• Install uv via pip install uv instead of curl-based installer script (docker/Dockerfile.sandbox)
• Removed manual mv commands to relocate binaries - pip installs uv and uvx directly to /usr/local/bin/
• Add explicit ca-certificates package and run update-ca-certificates for other curl/wget operations

Why

The curl-based uv installer fails in some Docker build environments due to SSL certificate verification issues:

curl: (60) SSL certificate problem: unable to get local issuer certificate

This commonly occurs with Docker Desktop on macOS when corporate proxies or VPNs intercept SSL traffic. Even with ca-certificates installed and updated, the curl installer can fail. Using pip to install uv sidesteps this issue entirely while achieving the same result.

The original approach downloaded uv to /root/.local/bin/ and required manual mv commands to relocate binaries. With pip, both uv and uvx are installed directly to /usr/local/bin/ as entry points, so no relocation is needed.

Test plan

• docker build --no-cache -f docker/Dockerfile.sandbox -t ash-sandbox . succeeds
• uv run ash sandbox build succeeds
• uvx is available at /usr/local/bin/uvx
• Sandbox image builds and ash-sb CLI works correctly