docs: update documentation for pnpm migration

Convert npm run/install/ci -> pnpm equivalents, npx -> pnpm exec,
package-lock.json -> pnpm-lock.yaml across CLAUDE.md, groups/global/,
docs/SPEC.md, docs/DEBUG_CHECKLIST.md, docs/BRANCH-FORK-MAINTENANCE.md,
and docs/docker-sandboxes.md. Kept .npmrc and npm config references
where they document real files.

docs/docker-sandboxes.md

@@ -87,8 +87,8 @@ mv nanoclaw "$WORKSPACE/nanoclaw"
 cd "$WORKSPACE/nanoclaw"
 
 # Install dependencies
-npm install
-npm install https-proxy-agent
+pnpm install
+pnpm install https-proxy-agent
 ```
 
 ## Step 4: Apply Proxy and Sandbox Patches
@@ -97,7 +97,7 @@ NanoClaw needs several patches to work inside a Docker Sandbox. These handle pro
 
 ### 4a. Dockerfile — proxy args for container image build
 
-`npm install` inside `docker build` fails with `SELF_SIGNED_CERT_IN_CHAIN` because the sandbox's MITM proxy presents its own certificate. Add proxy build args to `container/Dockerfile`:
+`pnpm install` inside `docker build` fails with `SELF_SIGNED_CERT_IN_CHAIN` because the sandbox's MITM proxy presents its own certificate. Add proxy build args to `container/Dockerfile`:
 
 Add these lines after the `FROM` line:
 
@@ -111,7 +111,7 @@ ARG npm_config_strict_ssl=true
 RUN npm config set strict-ssl ${npm_config_strict_ssl}
 ```
 
-And after the `RUN npm install` line:
+And after the `RUN pnpm install` line:
 
 ```dockerfile
 RUN npm config set strict-ssl true
@@ -185,7 +185,7 @@ Patch `setup/container.ts` to pass the same proxy `--build-arg` flags as `build.
 ## Step 5: Build
 
 ```bash
-npm run build
+pnpm run build
 bash container/build.sh
 ```
 
@@ -195,10 +195,10 @@ bash container/build.sh
 
 ```bash
 # Apply the Telegram skill
-npx tsx scripts/apply-skill.ts .claude/skills/add-telegram
+pnpm exec tsx scripts/apply-skill.ts .claude/skills/add-telegram
 
 # Rebuild after applying the skill
-npm run build
+pnpm run build
 
 # Configure .env
 cat > .env << EOF
@@ -209,7 +209,7 @@ EOF
 mkdir -p data/env && cp .env data/env/env
 
 # Register your chat
-npx tsx setup/index.ts --step register \
+pnpm exec tsx setup/index.ts --step register \
   --jid "tg:<your-chat-id>" \
   --name "My Chat" \
   --trigger "@nanoclaw" \
@@ -235,10 +235,10 @@ Make sure you configured proxy bypass in [Step 1](#step-1-create-the-sandbox) fi
 
 ```bash
 # Apply the WhatsApp skill
-npx tsx scripts/apply-skill.ts .claude/skills/add-whatsapp
+pnpm exec tsx scripts/apply-skill.ts .claude/skills/add-whatsapp
 
 # Rebuild
-npm run build
+pnpm run build
 
 # Configure .env
 cat > .env << EOF
@@ -250,13 +250,13 @@ mkdir -p data/env && cp .env data/env/env
 # Authenticate (choose one):
 
 # QR code — scan with WhatsApp camera:
-npx tsx src/whatsapp-auth.ts
+pnpm exec tsx src/whatsapp-auth.ts
 
 # OR pairing code — enter code in WhatsApp > Linked Devices > Link with phone number:
-npx tsx src/whatsapp-auth.ts --pairing-code --phone <phone-number-no-plus>
+pnpm exec tsx src/whatsapp-auth.ts --pairing-code --phone <phone-number-no-plus>
 
 # Register your chat (JID = your phone number + @s.whatsapp.net)
-npx tsx setup/index.ts --step register \
+pnpm exec tsx setup/index.ts --step register \
   --jid "<phone>@s.whatsapp.net" \
   --name "My Chat" \
   --trigger "@nanoclaw" \
@@ -276,7 +276,7 @@ Apply both skills, patch both for proxy support, combine the `.env` variables, a
 ## Step 7: Run
 
 ```bash
-npm start
+pnpm start
 ```
 
 You don't need to set `ANTHROPIC_API_KEY` manually. The sandbox proxy intercepts requests and replaces `proxy-managed` with your real key automatically.
@@ -306,7 +306,7 @@ The workspace is mounted via virtiofs. Git's pack file handling can corrupt over
 
 ## Troubleshooting
 
-### npm install fails with SELF_SIGNED_CERT_IN_CHAIN
+### pnpm install fails with SELF_SIGNED_CERT_IN_CHAIN
 ```bash
 npm config set strict-ssl false
 ```
@@ -355,5 +355,5 @@ Run the auth command interactively inside the sandbox (not piped through `docker
 ```bash
 docker sandbox run shell-nanoclaw-workspace
 # Then inside:
-npx tsx src/whatsapp-auth.ts
+pnpm exec tsx src/whatsapp-auth.ts
 ```