Runcastle

Claude Implement, Codex Review

MIT · 0 downloads

by castellan-demo

v1.0.0

A mixed-provider pipeline: a Claude Code agent implements a task, then a Codex reviewer critiques and fixes it on the same warm branch, looping until it approves.

Disclosures — declared side-effect surface

Everything below runs on your machine or inside the sandbox when you use this workflow. Publishing is blocked when these declarations do not match the actual code.

Host hooks

Commands executed on YOUR host machine by Sandcastle lifecycle hooks.

None declared.

Sandbox hooks

Commands executed inside the sandbox container.

  • npm install

Network access

None. Both agents operate only on the local repository inside the sandbox.

Shell expansion

No shell-expansion blocks in prompt files.

Files

Diff vs the stock Sandcastle 0.12.0 template Dockerfile: lines marked + were added by the author, lines marked - were removed from stock.

+# Sandbox image for the Claude Implement, Codex Review workflow.
+# Installs both agent CLIs — Claude Code and Codex — on the stock Sandcastle base.
FROM node:22-bookworm
# System dependencies.
RUN apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
jq \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
-# Claude Code CLI (the agent runtime).
-RUN npm install -g @anthropic-ai/claude-code
+# Agent CLIs: Claude Code (implementer) and Codex (reviewer).
+RUN npm install -g @anthropic-ai/claude-code @openai/codex
# Non-root agent user. `sandcastle docker build-image` aligns AGENT_UID/GID to
# the host user via --build-arg to avoid permission errors on bind mounts.
ARG AGENT_UID=1000
ARG AGENT_GID=1000
RUN groupadd --gid ${AGENT_GID} agent \
&& useradd --uid ${AGENT_UID} --gid ${AGENT_GID} --create-home --shell /bin/bash agent
USER agent
WORKDIR /workspace
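
Review bot: the added `RUN npm install -g @anthropic-ai/claude-code @openai/codex` line installs both agent CLIs without a version, so every image build takes whatever the registry serves as latest at that moment, and two builds of the same Dockerfile can contain different agent code. Pin each package to an exact version (`package@<version>`) and note in the comment above the line which versions the workflow was tested with. The unchanged `FROM node:22-bookworm` context line has the same property and could be pinned by digest.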

Full Dockerfile:

# Sandbox image for the Claude Implement, Codex Review workflow.
# Installs both agent CLIs — Claude Code and Codex — on the stock Sandcastle base.
FROM node:22-bookworm

# System dependencies.
RUN apt-get update && apt-get install -y --no-install-recommends \
      git \
      curl \
      jq \
      ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Agent CLIs: Claude Code (implementer) and Codex (reviewer).
RUN npm install -g @anthropic-ai/claude-code @openai/codex

# Non-root agent user. `sandcastle docker build-image` aligns AGENT_UID/GID to
# the host user via --build-arg to avoid permission errors on bind mounts.
ARG AGENT_UID=1000
ARG AGENT_GID=1000
RUN groupadd --gid ${AGENT_GID} agent \
 && useradd --uid ${AGENT_UID} --gid ${AGENT_GID} --create-home --shell /bin/bash agent

USER agent
WORKDIR /workspace

README

Claude Implement, Codex Review

A two-agent, mixed-provider pipeline that shows how to combine Anthropic and OpenAI models in a single Sandcastle workflow. A Claude Code (Sonnet) agent implements the task described in implement-prompt.md, then a Codex (gpt-5.4) reviewer critiques the change and fixes any problems on the same warm branch inside the same container, looping until it emits <promise>APPROVED</promise>.

Why createSandbox()

Both agents run inside one long-lived sandbox created with createSandbox(). The container and its installed dependencies persist between the implement and review steps, so the reviewer sees exactly the state the implementer left behind without paying container start-up costs twice. The await using binding tears the sandbox down automatically when the script exits.

Environment variables

This workflow needs credentials for both providers:

  • The Codex reviewer requires OPENAI_API_KEY (always).
  • The Claude Code implementer requires one of CLAUDE_CODE_OAUTH_TOKEN (from claude setup-token) or ANTHROPIC_API_KEY. Both are listed as optional in the manifest because either one satisfies the implementer — set exactly one.
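
A preflight check for the credential rule above, as an added example that is not part of this workflow's own code: it parses the text of .sandcastle/.env and reports a missing OPENAI_API_KEY or anything other than exactly one implementer credential. The helper names parseDotenv and checkCredentials and the sample values are assumptions made for illustration.

```typescript
// Added example: preflight check for .sandcastle/.env (not the workflow's code).
// parseDotenv and checkCredentials are hypothetical helper names.

// Parse KEY=VALUE lines. Skips blank lines and # comments, accepts an optional
// leading "export", and strips one pair of surrounding quotes from the value.
function parseDotenv(text: string): Map<string, string> {
  const vars = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m === null) continue;
    const [, key = "", rest = ""] = m;
    let value = rest.trim();
    const quoted = /^(["'])(.*)\1$/.exec(value);
    if (quoted !== null) value = quoted[2] ?? value;
    vars.set(key, value);
  }
  return vars;
}

// Returns a list of problems; an empty list means the README's rules are met.
// A variable that is present but empty counts as not set.
function checkCredentials(vars: Map<string, string>): string[] {
  const isSet = (name: string): boolean => (vars.get(name) ?? "") !== "";
  const problems: string[] = [];
  if (!isSet("OPENAI_API_KEY")) {
    problems.push("OPENAI_API_KEY is required by the Codex reviewer");
  }
  const claude = ["CLAUDE_CODE_OAUTH_TOKEN", "ANTHROPIC_API_KEY"].filter(isSet);
  if (claude.length === 0) {
    problems.push("set CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY for the implementer");
  } else if (claude.length > 1) {
    problems.push("set exactly one implementer credential, found: " + claude.join(", "));
  }
  return problems;
}

// Constructed sample input; the values are placeholders, not real credentials.
const sampleEnv = [
  "# .sandcastle/.env",
  "OPENAI_API_KEY=placeholder-openai",
  'CLAUDE_CODE_OAUTH_TOKEN="placeholder-oauth"',
  "export ANTHROPIC_API_KEY=placeholder-anthropic",
].join("\n");

for (const p of checkCredentials(parseDotenv(sampleEnv))) console.log("problem: " + p);
```

The check reads only variable names and whether they are non-empty, and it never prints a credential value.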

Requirements

Fill in .sandcastle/.env, build the image with npx @ai-hero/sandcastle docker build-image, then run npx tsx .sandcastle/main.ts. No network access beyond the model APIs is required — the agents only touch the local repository.