refactor(sandbox): unify Claude and Codex into single multi-stage Dockerfile #151

Open: visahak wants to merge 4 commits into AgentToolkit:main from visahak:refactor/sandbox-unified-dockerfile

@visahak (Collaborator) commented Apr 6, 2026

Summary

  • Replace separate sandbox/Dockerfile and sandbox/codex/Dockerfile with a single multi-stage Dockerfile (--target claude / --target codex)
  • Rename sandbox-* justfile targets to claude-* for agent clarity; add codex-run and codex-test targets
  • Make sandbox-build and sandbox-clean accept an optional target param (claude, codex, or all)
  • Add sandbox/codex/entrypoint.sh and bootstrap_codex_config.py (Codex-specific container setup)
  • Merge sandbox/codex/README.md into a unified sandbox/README.md covering both agents
  • Add OPENAI_API_KEY placeholder to sandbox/sample.env
  • Update docs/integrations/evolve-lite.md target references
  • Add docs/integrations/evolve-lite-codex.md — full Codex + Evolve Lite integration walkthrough

Summary by CodeRabbit

  • New Features

    • Added Codex sandbox integration with its own image, entrypoint, and CLI tasks; renamed Claude sandbox tasks for clarity.
  • Documentation

    • Added a comprehensive Codex Evolve Lite integration guide with installation, storage format, workflows, and walkthroughs.
    • Updated sandbox docs and Claude examples; refined the Learn skill guidance for extracting actionable entities.
  • Chores

    • Converted sandbox to multi-stage builds and split build/clean targets.
    • Added config bootstrap/entrypoint for Codex and OpenAI API key sample entry; updated secrets baseline.

@coderabbitai (bot) commented Apr 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 33f8aaf0-88e2-43ff-8dd8-bd7ab9cf93c7

📥 Commits

Reviewing files that changed from the base of the PR and between 932090f and 1bee322.

📒 Files selected for processing (1)
  • .secrets.baseline

📝 Walkthrough

Walkthrough

Adds a Codex “Evolve Lite” integration and docs; converts the sandbox into multi-stage Docker builds with separate Claude and Codex stages; renames just targets and adds Codex-specific tasks; introduces Codex bootstrap scripts and entrypoint; updates the learn skill to prioritize error-driven entity extraction.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Codex Integration Docs: docs/integrations/evolve-lite-codex.md | New Codex Evolve Lite integration guide: installation, operational flows (learn/recall), storage format (.evolve/entities), hooks, examples, and tradeoffs. |
| Claude Docs Update: docs/integrations/claude/evolve-lite.md | Updated examples to use new claude build selector and claude-prompt task names. |
| Build Tasks & Justfile: justfile | Split image into claude_image and codex_image; sandbox-build/sandbox-clean now accept target; renamed sandbox-* Claude targets to claude-*; added codex-* targets and conditional build/clean logic. |
| Sandbox Dockerfile: sandbox/Dockerfile | Converted to multi-stage build: base, claude, and codex stages; added tools, separate Codex stage with Node/Codex install and ENTRYPOINT for Codex container. |
| Codex Container Bootstrap: sandbox/codex/bootstrap_codex_config.py, sandbox/codex/entrypoint.sh | New Python script ensures config.toml contains cli_auth_credentials_store="file" and features.codex_hooks=true; entrypoint sets CODEX_HOME, runs bootstrap, then execs CMD. |
| Sandbox Env & Docs: sandbox/sample.env, sandbox/README.md | Added OPENAI_API_KEY to sample env; generalized README to cover both Claude and Codex sandboxes, usage of just tasks, mounting, auth, and plugin install steps. |
| Evolve Lite Skill (learn): platform-integrations/codex/plugins/evolve-lite/skills/learn/SKILL.md | Restructured skill to prioritize extracting actionable, error-driven entities; explicit 5-step workflow, error-signal categories, output rules, and new examples. |
| Misc: .secrets.baseline | Updated baseline scan entry for sandbox/sample.env (non-secret annotation). |

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant Codex
  participant Hook as UserPromptSubmit Hook
  participant FS as .evolve/entities (filesystem)
  User->>Codex: Send prompt (session)
  Codex->>Hook: UserPromptSubmit triggers (on submit)
  Hook->>FS: read relevant entities by trigger/type
  Hook-->>Codex: inject recalled entities into prompt context
  Codex->>FS: (learn flow) extract entities -> write Markdown with YAML frontmatter
  FS-->>Codex: persisted entities available for future recall

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • vinodmut
  • illeatmyhat
  • gaodan-fang

Poem

🐰 Two sandboxes awaken, neat and bright,
Claude to the left, Codex to the right,
Evolve Lite nibbles errors into lore,
Saving hints on disk so we fail no more,
Bootstraps hum, containers leap — hooray! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately summarizes the main architectural change: consolidating Claude and Codex sandboxes into a single multi-stage Dockerfile. |


@visahak visahak requested a review from vinodmut April 6, 2026 15:35

@vinodmut (Contributor) left a comment

Rename this file to evolve-lite-claude.md?

@coderabbitai (bot) left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@justfile`:
- Around line 20-27: The sandbox-build recipe can hide a failed docker build
because the script doesn't stop on error; update the sandbox-build target to
fail fast by enabling shell errexit (e.g., run "set -e" / "set -o errexit") at
the top of the recipe or append explicit failure checks to each docker build
command (e.g., check the exit status or add "|| exit 1") so that a failing build
for the claude image aborts the rest and returns a non-zero status; modify the
sandbox-build target and the docker build invocations (referenced as
sandbox-build target, the docker build --target claude and docker build --target
codex commands, and the "{{target}}" conditional logic) accordingly.

In `@sandbox/codex/bootstrap_codex_config.py`:
- Around line 21-31: The current ensure_top_level_setting function only skips
insertion if a key prefix exists, leaving wrong values in place; update
ensure_top_level_setting to detect an existing key (using prefix = f"{key} ="),
parse or strip the existing value and if it differs from the desired value
replace that line in-place (e.g., lines[i] = f'{key} = "{value}"\n') instead of
returning False, otherwise return False only when the value already matches;
apply the same approach to the analogous helper referenced at lines 53-69 so
both will update incorrect existing settings (use the function name
ensure_top_level_setting to find the current logic and mirror the replacement
behavior).

In `@sandbox/codex/entrypoint.sh`:
- Around line 4-8: The fallback order in entrypoint.sh makes /codex-home
unreachable because codex_home="${CODEX_HOME:-${HOME:-/codex-home}}" prefers
HOME from the image; change the fallback logic so CODEX_HOME defaults to
/codex-home when CODEX_HOME is unset (e.g., set codex_home using CODEX_HOME
first, then default to /codex-home if neither CODEX_HOME nor HOME are set),
ensure subsequent exports export HOME and CODEX_HOME consistently, and update
references to the codex_home variable in this script to use the new assignment
(symbols: codex_home, CODEX_HOME, HOME, entrypoint.sh).

In `@sandbox/README.md`:
- Line 80: Update the README sentence that currently says "just codex-run starts
in /workspace" to explicitly state the demo thread starts in
"/workspace/demo/workspace" so the documented demo paths match the actual
session location; also update the related paragraph(s) around lines referenced
(the block mentioning demo data under demo/workspace and the duplicate section
at 104-109) and make the same correction in
docs/integrations/evolve-lite-codex.md so both files consistently reference
"/workspace/demo/workspace" as the Codex demo home.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 49679a0d-e393-4684-9850-59906c6ff518

📥 Commits

Reviewing files that changed from the base of the PR and between ec5e11b and 8f472ae.

📒 Files selected for processing (8)
  • docs/integrations/evolve-lite-codex.md
  • docs/integrations/evolve-lite.md
  • justfile
  • sandbox/Dockerfile
  • sandbox/README.md
  • sandbox/codex/bootstrap_codex_config.py
  • sandbox/codex/entrypoint.sh
  • sandbox/sample.env
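
The behaviour the review comment on `sandbox/codex/bootstrap_codex_config.py` asks for (replace an existing wrong value in place instead of skipping because the key is present), as an added example that is not the PR's code. The `ensure_setting` signature, its `table` parameter, `bootstrap` and the sample config are assumptions.

```python
import re

def _toml(value):
    """Render a bool or str as a TOML literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def ensure_setting(lines, key, value, table=None):
    """Force `key = value` at top level (table=None) or inside [table].

    Line-based sketch: no multi-line values, no dotted keys. Mutates `lines`
    and returns True only when something was written.
    """
    wanted = f"{key} = {_toml(value)}\n"
    start = 0
    if table is not None:
        header = f"[{table}]"
        start = next((i + 1 for i, l in enumerate(lines) if l.strip() == header), None)
        if start is None:                      # table missing: append it
            lines += [f"[{table}]\n", wanted]
            return True
    # The section ends at the next table header (or end of file).
    end = next((i for i in range(start, len(lines))
                if lines[i].lstrip().startswith("[")), len(lines))
    key_re = re.compile(rf"\s*{re.escape(key)}\s*=")
    for i in range(start, end):
        if key_re.match(lines[i]):
            if lines[i] == wanted:
                return False                   # already correct
            lines[i] = wanted                  # wrong value: replace in place
            return True
    lines.insert(start, wanted)                # key absent: add it
    return True

def bootstrap(text):
    """Return (new_text, changed) with both required settings enforced."""
    lines = [l if l.endswith("\n") else l + "\n" for l in text.splitlines(keepends=True)]
    ensure_setting(lines, "cli_auth_credentials_store", "file")
    ensure_setting(lines, "codex_hooks", True, table="features")
    new = "".join(lines)
    return new, new != text

# Constructed sample: both keys present but set to the wrong values.
SAMPLE = 'cli_auth_credentials_store = "keyring"\n\n[features]\ncodex_hooks = false\n'

if __name__ == "__main__":
    print(bootstrap(SAMPLE)[0])
```

Scoping the search to the section before the first table header keeps a same-named key inside an unrelated table from being mistaken for the top-level setting.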

visahak and others added 2 commits April 6, 2026 13:56
…kerfile

- Replace separate sandbox/Dockerfile and sandbox/codex/Dockerfile with a
  single multi-stage Dockerfile (--target claude / --target codex)
- Rename sandbox-* justfile targets to claude-* for agent clarity
- Add sandbox-build/sandbox-clean with optional target param (claude/codex/all)
- Add codex-run and codex-test justfile targets
- Add sandbox/codex/entrypoint.sh and bootstrap_codex_config.py
- Merge sandbox/codex/README.md into unified sandbox/README.md
- Update docs/integrations/evolve-lite.md target references
- Add docs/integrations/evolve-lite-codex.md for Codex integration walkthrough
- Add OPENAI_API_KEY placeholder to sandbox/sample.env

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@visahak visahak force-pushed the refactor/sandbox-unified-dockerfile branch from 8f472ae to 932090f April 6, 2026 18:14

@coderabbitai (bot) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
justfile (1)

20-28: ⚠️ Potential issue | 🟠 Major

Validate target to prevent silent no-op build/clean runs.

Line 23 and Line 42 only gate known values, but unknown values currently exit 0 after doing nothing. This can hide typos in CI/local workflows.

💡 Proposed fix
 sandbox-build target="all":
     #!/usr/bin/env sh
     set -e
+    case "{{target}}" in
+        all|claude|codex) ;;
+        *) echo "target must be one of: all, claude, codex" >&2; exit 1 ;;
+    esac
     if [ "{{target}}" = "all" ] || [ "{{target}}" = "claude" ]; then
         docker build --target claude -t {{claude_image}} {{sandbox_dir}}
     fi
     if [ "{{target}}" = "all" ] || [ "{{target}}" = "codex" ]; then
         docker build --target codex -t {{codex_image}} {{sandbox_dir}}
     fi
 
 sandbox-clean target="all":
     #!/usr/bin/env sh
+    case "{{target}}" in
+        all|claude|codex) ;;
+        *) echo "target must be one of: all, claude, codex" >&2; exit 1 ;;
+    esac
     if [ "{{target}}" = "all" ] || [ "{{target}}" = "claude" ]; then
         docker rmi {{claude_image}} || true
     fi
     if [ "{{target}}" = "all" ] || [ "{{target}}" = "codex" ]; then
         docker rmi {{codex_image}} || true
     fi

Also applies to: 40-47

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@justfile` around lines 20 - 28, The sandbox-build recipe currently treats
unknown {{target}} values as a silent no-op; update the shell stub inside
sandbox-build (the recipe that defines sandbox-build target="all") to validate
{{target}} against the allowed set (e.g., "all", "claude", "codex") before the
conditional docker build steps and if the value is not one of those, print a
clear error to stderr and exit with a non-zero status (use set -e already
present) so CI/local runs fail fast; apply the same validation pattern to the
analogous recipe/block that handles the clean/other target (the second
conditional block around the "codex" build in the file) so both build and clean
paths reject unknown targets.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@platform-integrations/codex/plugins/evolve-lite/skills/learn/SKILL.md`:
- Around line 92-93: Update the broken helper script paths in the Codex skill
command snippets so they point to
platform-integrations/codex/plugins/evolve-lite/... instead of
plugins/evolve-lite/.... Specifically, locate the shell examples that invoke
save_entities.py (the echo | python3
".../plugins/evolve-lite/skills/learn/scripts/save_entities.py" lines) in
SKILL.md and replace the leading path with
platform-integrations/codex/plugins/evolve-lite to ensure the echo ... | python3
command resolves correctly; apply the same fix to all occurrences of the save
commands shown in the file.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 92e6ce68-7b5e-4abf-b3aa-6129a7044c23

📥 Commits

Reviewing files that changed from the base of the PR and between 8f472ae and 932090f.

📒 Files selected for processing (9)
  • docs/integrations/claude/evolve-lite.md
  • docs/integrations/evolve-lite-codex.md
  • justfile
  • platform-integrations/codex/plugins/evolve-lite/skills/learn/SKILL.md
  • sandbox/Dockerfile
  • sandbox/README.md
  • sandbox/codex/bootstrap_codex_config.py
  • sandbox/codex/entrypoint.sh
  • sandbox/sample.env
✅ Files skipped from review due to trivial changes (4)
  • docs/integrations/claude/evolve-lite.md
  • sandbox/sample.env
  • sandbox/codex/entrypoint.sh
  • docs/integrations/evolve-lite-codex.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • sandbox/README.md
  • sandbox/codex/bootstrap_codex_config.py
  • sandbox/Dockerfile

@visahak visahak requested a review from vinodmut April 6, 2026 19:56