Talon logo Talon

Codex ACP Docker Sandbox

Talon does not depend on a third-party Codex ACP Docker image. Build the local sandbox image from this repository, then reference that image from a SandboxClass.

docker build \
  -f dockerfiles/codex-acp.Dockerfile \
  -t talon-codex-acp:local \
  .

Main branch publishes the same image to GHCR:

ghcr.io/impalasys/talon-codex-acp:latest
ghcr.io/impalasys/talon-codex-acp:sha-<git-sha>

The image contains:

  • OpenAI Codex CLI from @openai/codex
  • Zed's Codex ACP adapter from @zed-industries/codex-acp
  • Common coding tools: Git, SSH client, Python, ripgrep, jq, curl, and a build toolchain

Do not bake API keys into the image. Pass credentials at runtime through the Talon sandbox backend or local Docker environment.

For the local company-builder example, apply:

talon-cli apply -f manifests/examples/v2-company-builder/sandbox-class-docker.yaml

That manifest uses:

apiVersion: talon.impalasys.com/v1
kind: SandboxClass
metadata:
  name: docker-code
  namespace: system
spec:
  provider: docker
  providerConfig:
    image: talon-codex-acp:local
  credentials: {}

When Talon leases a Docker sandbox from a SandboxPolicy that points at this class, the Docker backend starts the container and the ACP runtime launches codex-acp inside it.

The opt-in smoke test uses the same default image:

TALON_CODEX_ACP_TEST=1 cargo test harness::acp::tests::codex_acp_starts_inside_docker_sandbox_when_enabled

Override the image with TALON_CODEX_ACP_IMAGE when testing a registry-published build. Set TALON_CODEX_ACP_PLATFORM only when you intentionally want Docker to pull or run a specific image platform.