feat: context-firewall plugin

[lollipopkit]

Fixes #30

Summary by CodeRabbit

• New Features

  • Introduced Context Firewall plugin to preprocess large inputs via sub-agents, producing auditable, evidence-linked compressed results.
  • Added /cf-spec, /cf-run, and /cf-verify commands to create task specs, run map-reduce preprocessing, and perform deterministic verification.

• Documentation

  • Added comprehensive docs: architecture, agent behaviors, command workflows, schemas, examples, hooks guidance, settings templates, and a test plan.

• Chores

  • Updated .gitignore to exclude local Context Firewall configuration files.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds a new "context-firewall" plugin with manifest, documentation, commands, agent specs, schemas, examples, hooks, scripts, and gitignore entries to preprocess large inputs via sub-agents producing strict, auditable JSON results and verification artifacts.

Changes

Cohort / File(s)	Summary
Plugin Manifest plugins/context-firewall/.claude-plugin/plugin.json	New plugin manifest (name, version, description, author, keywords, repository, license, commands entry).
Top-level Docs README.md, README.zh-CN.md	Added plugin mention and brief description of context-firewall feature.
Plugin README plugins/context-firewall/README.md, plugins/context-firewall/README.zh-CN.md	Comprehensive plugin documentation: architecture, commands, agents, hooks, settings, schemas, examples, and testing guidance.
Agent Specs plugins/context-firewall/agents/cf-fileworker.md, plugins/context-firewall/agents/cf-aggregator.md, plugins/context-firewall/agents/cf-critic.md	New agent definitions describing responsibilities, strict JSON output contracts, evidence locators, deduplication, conflict detection, and critic review behavior.
Command Specs plugins/context-firewall/commands/cf-spec.md, plugins/context-firewall/commands/cf-run.md, plugins/context-firewall/commands/cf-verify.md	New command specifications: TaskSpec generator, map-reduce orchestration (cf-run), and deterministic verification sampling (cf-verify) with strict JSON inputs/outputs and persistence rules.
Schemas plugins/context-firewall/schemas/task-spec.v1.schema.json, plugins/context-firewall/schemas/sub-result.v1.schema.json, plugins/context-firewall/schemas/verify-report.v1.schema.json, plugins/context-firewall/schemas/settings.v1.schema.json	Four JSON Schemas enforcing TaskSpec.v1, SubResult.v1 (claims, evidence locators), VerifyReport.v1, and settings.v1 with ranges, patterns, and required fields.
Examples plugins/context-firewall/examples/logs-timeout-task.json, plugins/context-firewall/examples/repo-entrypoints-task.json	Example TaskSpec.v1 files demonstrating log analysis and repo-entrypoint workflows.
Hooks & Settings plugins/context-firewall/hooks/hooks.json, plugins/context-firewall/scripts/settings-frontmatter.md	Advisory hooks for PreToolUse/PostToolUse/UserPromptSubmit with matchers and prompts; YAML frontmatter template for local settings and defaults.
Skill, Tests & Todos plugins/context-firewall/skills/context-firewall/SKILL.md, plugins/context-firewall/scripts/test-plan.md, plugins/context-firewall/todos.md	Skill workflow doc, quick test plan, and todos for future enhancements.
Commands Docs plugins/context-firewall/commands/*.md	Docs describing command flows, validation, error modes, persistence, and strict JSON-only outputs.
Project Config .gitignore	Added ignore rules for local Claude Code config and plugin state (.claude/*.local.md, .claude/*.local.json, .claude/context-firewall/).

Sequence Diagram(s)

mermaid
sequenceDiagram
participant User
participant CLI as "cf-run (or client)"
participant FileWorker as "cf-fileworker (many)"
participant Aggregator as "cf-aggregator"
participant Critic as "cf-critic"
participant Storage as "persist (.claude/context-firewall)"
Note over CLI,FileWorker: Map phase (parallel)
User->>CLI: invoke /cf-run with TaskSpec
CLI->>FileWorker: spawn per-input sub-agents (map shards)
FileWorker-->>CLI: emit strict SubResult snippet JSON (evidence locators)
CLI->>Aggregator: submit TaskSpec + fileworker results (reduce)
Aggregator-->>CLI: consolidated SubResult.v1 JSON
CLI->>Critic: (optional) request independent review
Critic-->>CLI: critic JSON report (discrepancies)
CLI->>Storage: persist TaskSpec / SubResult / VerifyReport (optional)
CLI-->>User: stdout final SubResult.v1 (strict JSON)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	❓ Inconclusive	Issue #30 references a 'large-io reader plugin' but the PR implements a 'context-firewall plugin'. The change appears to address the general objective of handling large inputs through sub-agents, but the issue title/description mismatch creates ambiguity about whether all requirements from #30 are met.	Verify that the context-firewall implementation fully satisfies the requirements outlined in issue #30 by reviewing the detailed issue description and acceptance criteria.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: context-firewall plugin' clearly and specifically summarizes the main change—addition of a new context-firewall plugin with all its components.
Out of Scope Changes check	✅ Passed	All changes are directly related to the context-firewall plugin implementation: documentation (.gitignore, README updates), agent definitions, command specifications, JSON schemas, configuration files, examples, and supporting scripts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch lollipopkit/issue30

---

🧹 Recent nitpick comments

plugins/context-firewall/schemas/sub-result.v1.schema.json (1)

84-94: Consider documenting that end >= start is expected.

The schema validates that start and end are both ≥1 for line ranges, but JSON Schema cannot natively enforce end >= start. This same gap exists in ByteRange. Consider adding a description field noting this expectation, or rely on downstream validation.

plugins/context-firewall/commands/cf-run.md (1)

116-122: Consider consolidating repetitive prohibitions for readability.

The three consecutive "Do not" bullet points are flagged by static analysis. You could consolidate them for variety:

✏️ Optional wording consolidation

 ## Output rules (MANDATORY)
 
 - Output **strict JSON only**, conforming to `SubResult.v1`.
-- Do not include markdown fences.
-- Do not include narrative text before or after the JSON.
-- Do not paste large raw inputs into the output.
+- Omit markdown fences and any narrative text before or after the JSON.
+- Never paste large raw inputs into the output.
 - Ensure every claim has at least one evidence locator.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd069f6 and 3e5e443.

📒 Files selected for processing (3)

• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/commands/cf-run.md
• plugins/context-firewall/schemas/sub-result.v1.schema.json

✅ Files skipped from review due to trivial changes (1)

• plugins/context-firewall/agents/cf-critic.md

🧰 Additional context used

📓 Path-based instructions (1)

**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Markdown linting must ensure compliance with .markdownlint.json configuration which disables MD013 and MD041 rules

Files:

• plugins/context-firewall/commands/cf-run.md

🧠 Learnings (1)

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */agents/*.md : Define behavior primarily via system prompts in Markdown files using YAML frontmatter to specify tool permissions

Applied to files:

• plugins/context-firewall/commands/cf-run.md

🪛 LanguageTool

plugins/context-firewall/commands/cf-run.md

[style] ~121-~121: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...rative text before or after the JSON. - Do not paste large raw inputs into the out...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🔇 Additional comments (11)

plugins/context-firewall/schemas/sub-result.v1.schema.json (5)

1-23: Well-structured root schema with clear constraints.

The root object definition is clean with appropriate additionalProperties: false and clear required fields. The followups field being optional aligns with the expected behavior where follow-ups are only needed in certain scenarios.

---

57-71: Good evidence validation with flexible quote or hash requirement.

The anyOf constraint elegantly ensures every evidence item has either a verbatim quote or a quote_hash for verification, supporting both inline and hash-based evidence contracts.

---

73-82: Good discriminated union for locator types.

The oneOf with distinct type constants provides clear discrimination between locator variants, making validation and code generation straightforward.

---

195-219: Coverage definition is well-designed with intentional flexibility.

The counts field being unconstrained is documented with a description, and the known_gaps array provides a clear mechanism for reporting coverage limitations.

---

40-55: Claim structure enforces evidence-backed assertions.

The minItems: 1 constraint on the evidence array ensures every claim is substantiated, and the confidence range of 0-1 is well-bounded.

plugins/context-firewall/commands/cf-run.md (6)

1-6: LGTM!

Frontmatter correctly specifies the command metadata with appropriate tool permissions for the workflow. Based on learnings, this follows the expected pattern for agent behavior definition.

---

27-33: Previous feedback incorporated correctly.

The spec parsing now properly handles trimming leading whitespace before checking for {, and uses the correct followups field name from the schema.

---

35-53: Comprehensive validation with proper error handling.

The validation checks cover essential TaskSpec.v1 fields, and the error output correctly produces a schema-valid SubResult.v1 with appropriate fallbacks.

---

78-93: Clear parallel execution strategy for the Map phase.

The sharding approach and explicit concurrency rule for launching FileWorkers in parallel are well-documented.

---

94-101: LGTM!

The Reduce phase clearly defines the aggregation workflow with proper data handoff to the cf-aggregator sub-agent.

---

64-77: LGTM!

Persistence handling is well-structured with proper conditional logic for persist.enabled and directory creation.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@plugins/context-firewall/agents/cf-fileworker.md`:
- Around line 1-27: The YAML frontmatter in cf-fileworker.md is invalid because
the Examples: block is inside the frontmatter; fix by moving the Examples
section (everything from "Examples:" through the end of examples) below the
closing '---' so only valid YAML keys remain in the frontmatter (retain "name:
cf-fileworker", "model: inherit", "color: cyan"), or alternatively convert the
examples into a YAML block scalar under a single frontmatter key; ensure the
file begins and ends the frontmatter with '---' and that no plain-text example
blocks remain inside it.

In `@plugins/context-firewall/commands/cf-run.md`:
- Around line 27-29: Update the wording in the error-handling description for
extracting `--spec` from `$ARGUMENTS` to match the schema: replace ambiguous
"followup(s)" phrasing with the exact field name "followups" and consolidate
duplicate sentences so the block describing the SubResult.v1 error output reads:
emit a schema-valid SubResult.v1 with status: "tool_error" and a single
"followups" array containing the required usage message. Apply the same
replacement/consolidation to the other identical block that mentions producing
SubResult.v1 with status: "tool_error" (the later occurrence in the file) so
both `--spec` parsing failure descriptions use the exact "followups" field name
and non-redundant wording.

🧹 Nitpick comments (5)

plugins/context-firewall/agents/cf-critic.md (1)

1-18: Add explicit allowed-tools in frontmatter. Tool access is currently implicit; declare the intended permissions to keep behavior stable and auditable.

🔧 Suggested frontmatter addition (adjust list to intended access)

 ---
 name: cf-critic
 description: Use this agent when a high-risk TaskSpec/SubResult needs an independent second pass to reduce hallucinations, validate coverage, or resolve cross-file causal claims.
+allowed-tools: ["Read", "Bash", "Task", "AskUserQuestion", "WebFetch", "WebSearch"]
 
 Examples:

Based on learnings, please keep tool permissions explicit in agent frontmatter.

plugins/context-firewall/agents/cf-aggregator.md (1)

5-14: Frontmatter key formatting inconsistency.

The Examples: on line 5 appears as a standalone label rather than a proper YAML key-value pair. If this is intended as metadata, consider using examples: as a key with the example content as its value. Otherwise, if examples are meant to be part of the description field or the body, move them outside the frontmatter block.

plugins/context-firewall/commands/cf-verify.md (1)

146-150: Clarify status when all sampled claims are "partial".

The status rules define three states but the interaction with "partial" claims is ambiguous:

• ok requires failed == 0 and all checked claims passed
• partial covers "unverifiable locators only"

If all N sampled claims result in "partial (unverifiable)", the count shows checked=N, passed=0, failed=0. By line 148, this doesn't qualify as ok (not all passed). By line 150, this would be partial. Consider explicitly stating this case in the rules for clarity.

plugins/context-firewall/schemas/sub-result.v1.schema.json (2)

1-5: Consider adding $schema declaration.

The schema is missing a $schema property to declare which JSON Schema draft it conforms to. This helps validators and tooling apply the correct semantics.

Suggested addition

 {
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "context-firewall/SubResult.v1",
   "type": "object",

---

200-207: Consider constraining counts object structure.

The counts property accepts any object shape ("type": "object" with no properties or additionalProperties constraints). If specific count fields are expected (e.g., lines_read, files_processed), defining them would improve validation and documentation. If the shape is intentionally freeform, consider adding a brief comment or description field.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6cd895 and dd5d19e.

📒 Files selected for processing (24)

• .gitignore
• README.md
• README.zh-CN.md
• plugins/context-firewall/.claude-plugin/plugin.json
• plugins/context-firewall/README.md
• plugins/context-firewall/README.zh-CN.md
• plugins/context-firewall/agents/cf-aggregator.md
• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/agents/cf-fileworker.md
• plugins/context-firewall/commands/cf-run.md
• plugins/context-firewall/commands/cf-spec.md
• plugins/context-firewall/commands/cf-verify.md
• plugins/context-firewall/examples/logs-timeout-task.json
• plugins/context-firewall/examples/repo-entrypoints-task.json
• plugins/context-firewall/hooks/hooks.json
• plugins/context-firewall/schemas/settings.v1.schema.json
• plugins/context-firewall/schemas/sub-result.v1.schema.json
• plugins/context-firewall/schemas/task-spec.v1.schema.json
• plugins/context-firewall/schemas/verify-report.v1.schema.json
• plugins/context-firewall/scripts/.gitkeep
• plugins/context-firewall/scripts/settings-frontmatter.md
• plugins/context-firewall/scripts/test-plan.md
• plugins/context-firewall/skills/context-firewall/SKILL.md
• plugins/context-firewall/todos.md

🧰 Additional context used

📓 Path-based instructions (1)

**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Markdown linting must ensure compliance with .markdownlint.json configuration which disables MD013 and MD041 rules

Files:

• plugins/context-firewall/scripts/settings-frontmatter.md
• plugins/context-firewall/README.md
• README.md
• plugins/context-firewall/scripts/test-plan.md
• plugins/context-firewall/commands/cf-spec.md
• README.zh-CN.md
• plugins/context-firewall/agents/cf-fileworker.md
• plugins/context-firewall/todos.md
• plugins/context-firewall/agents/cf-aggregator.md
• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/commands/cf-run.md
• plugins/context-firewall/skills/context-firewall/SKILL.md
• plugins/context-firewall/README.zh-CN.md
• plugins/context-firewall/commands/cf-verify.md

🧠 Learnings (4)

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */agents/*.md : Define behavior primarily via system prompts in Markdown files using YAML frontmatter to specify tool permissions

Applied to files:

• plugins/context-firewall/scripts/settings-frontmatter.md
• plugins/context-firewall/agents/cf-critic.md

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Plugins should read per-project configuration from the target project's `.claude/<plugin-name>.local.md` file for local settings

Applied to files:

• plugins/context-firewall/scripts/settings-frontmatter.md
• .gitignore

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */agents/*.md : Ensure plugins have an `agents/` directory containing AI agent definitions as Markdown files with YAML frontmatter

Applied to files:

• plugins/context-firewall/agents/cf-fileworker.md
• plugins/context-firewall/agents/cf-critic.md

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */hooks.json : Ensure plugins have a `hooks/` directory with lifecycle hooks defined in `hooks.json`

Applied to files:

• plugins/context-firewall/hooks/hooks.json

🪛 LanguageTool

plugins/context-firewall/commands/cf-run.md

[grammar] ~28-~28: Ensure spelling is correct
Context: ....v1** with status: "tool_error" and a followup describing the required usage. - If th...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[style] ~121-~121: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...rative text before or after the JSON. - Do not paste large raw inputs into the out...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🔇 Additional comments (24)

.gitignore (3)

3-7: Good addition for plugin local configuration.

The ignore patterns align well with the plugin architecture mentioned in the learnings, ensuring local configuration and state files are not committed.

---

5-6: Current patterns are correct; plugins use flat .claude/ structure for local config files.

The patterns .claude/*.local.md and .claude/*.local.json are sufficient. All plugins follow the documented format of .claude/<plugin-name>.local.md (e.g., .claude/context-firewall.local.md, .claude/devloop.local.md). Subdirectories under .claude/ (such as .claude/context-firewall/) are used for persistence data (task-specs, results), not for local configuration files. No expansion to recursive patterns is needed.

Likely an incorrect or invalid review comment.

---

7-7: The .claude/context-firewall/ directory is correctly ignored.

This directory is the runtime output location for the context-firewall plugin (as defined in plugins/context-firewall/schemas/settings.v1.schema.json). User configuration is stored separately in .claude/context-firewall.local.md and is not affected by this gitignore pattern, allowing per-project settings to be version-controlled as intended.

plugins/context-firewall/.claude-plugin/plugin.json (1)

1-19: Manifest looks consistent and complete.
Clear metadata and a dedicated commands entrypoint; no issues spotted.

README.md (1)

9-12: Doc update is clear and aligned with the plugin list.
The new bullet is concise and fits the existing format.

README.zh-CN.md (1)

9-12: Chinese README update mirrors the English entry well.
Looks consistent and clear.

plugins/context-firewall/scripts/test-plan.md (1)

1-18: Test checklist is clear and actionable.
Good coverage of core commands and persistence checks.

plugins/context-firewall/scripts/settings-frontmatter.md (1)

1-30: Settings template is well-structured and self-describing.
No issues spotted.

plugins/context-firewall/README.md (1)

1-59: Comprehensive README with clear structure.
Covers commands, agents, settings, schemas, and examples succinctly.

plugins/context-firewall/schemas/verify-report.v1.schema.json (1)

1-28: Looks solid and strict.
The schema is tight (additionalProperties: false) and the required fields match the intended VerifyReport payload.

plugins/context-firewall/examples/logs-timeout-task.json (1)

1-31: Clear, realistic TaskSpec example.
The structure and constraints read well for a large-log workflow.

plugins/context-firewall/commands/cf-spec.md (1)

1-48: Doc is clear and operational.
The steps and output rules are concise and easy to follow.

plugins/context-firewall/examples/repo-entrypoints-task.json (1)

1-28: Good example for repo entrypoint discovery.
The inputs/questions/must_cover are aligned with the stated objective.

plugins/context-firewall/todos.md (1)

1-12: Nice lightweight roadmap list.
No issues spotted in the checklist formatting.

plugins/context-firewall/skills/context-firewall/SKILL.md (1)

1-130: Well-structured skill workflow spec. Clear evidence contract, verification steps, and operational defaults; reads consistent with the rest of the plugin docs.

plugins/context-firewall/schemas/settings.v1.schema.json (1)

1-42: Schema looks solid. Clear bounds and defaults for warnings, sampling, constraints, and persistence.

plugins/context-firewall/README.zh-CN.md (1)

1-59: 内容清晰、结构完整。 与其他文档一致，覆盖了命令、代理、设置与示例。

plugins/context-firewall/schemas/task-spec.v1.schema.json (1)

1-174: Schema is comprehensive and strict. Input variants, constraints, and optional policy blocks are well-specified.

plugins/context-firewall/agents/cf-aggregator.md (1)

21-57: LGTM!

The agent documentation is well-structured with clear input/output specifications, deduplication logic, clustering behavior, and conflict detection rules. The evidence signature formats align correctly with the SubResult.v1 schema definitions.

plugins/context-firewall/commands/cf-verify.md (2)

86-92: Verify Read tool offset/limit semantics.

The formula offset = start and limit = end-start+1 assumes the Read tool uses 1-indexed line numbers where offset is the starting line. Ensure this matches the actual Read tool behavior in your environment—some tools use 0-indexed offsets or byte-based positioning.

---

1-180: LGTM!

The command specification is comprehensive, covering argument parsing, claim sampling, locator-specific verification logic, and report generation. The deterministic sampling approach and persistence options are well-documented.

plugins/context-firewall/schemas/sub-result.v1.schema.json (2)

68-77: LGTM!

The Locator discriminated union using oneOf is well-designed, covering all documented locator types (line_range, symbol_range, tool_call, byte_range, json_path, stack_signature). Each variant correctly uses const for the type discriminator.

---

116-155: LGTM!

The RerunHint variants are well-structured with appropriate constraints—web_fetch requires url/prompt, web_search requires query with optional domain filters, and unknown is intentionally extensible with additionalProperties: true for forward compatibility.

plugins/context-firewall/hooks/hooks.json (1)

1-53: LGTM!

The hooks configuration correctly implements advisory lifecycle hooks for PreToolUse, PostToolUse, and UserPromptSubmit. The prompts are well-crafted with clear rules, actionable guidance, and references to local configuration options. The consistent 30-second timeout and advisory-only pattern align with the plugin's non-blocking design philosophy. Based on learnings, this satisfies the requirement for plugins to have a hooks/ directory with lifecycle hooks defined in hooks.json.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd5d19e8ab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Declare tools for cf-fileworker

The FileWorker agent frontmatter does not declare any tools, yet the instructions require it to use Grep/Glob/Read to scan large inputs. In Claude Code, agents without an explicit tools list cannot access those tools, so /cf-run will spawn FileWorkers that are unable to read or search inputs and will return empty/failed SubResults. Add the necessary tools (at least Read/Grep/Glob) to the frontmatter to make the workflow functional.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Grant tools to cf-critic for independent verification

The Critic agent is expected to independently re-check evidence and detect contradictions, but its frontmatter omits a tools list entirely. Without Read/Grep/Glob access, the Critic cannot inspect source inputs, so any requested critic pass would be unable to verify claims. Add at least Read/Grep/Glob (and any other needed tools) to the frontmatter so the critic can perform its stated role.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@plugins/context-firewall/agents/cf-critic.md`:
- Around line 31-44: The example JSON in cf-critic.md uses pipe-delimited
literals like "ok|partial|tool_error" which can be copied verbatim and break
JSON; update the example to use a concrete value (e.g., set "status": "ok") and
add an explicit rule line(s) that enumerate allowed values for the "status"
field (allowed: "ok", "partial", "tool_error") and for the
"discrepancies[].type" field (allowed: "missing_coverage", "weak_evidence",
"conflict") so readers see both a valid sample and the permitted alternatives;
target the JSON example and the rule text around the "status" and
"discrepancies.type" fields in cf-critic.md.

In `@plugins/context-firewall/commands/cf-run.md`:
- Around line 30-33: The spec detection currently treats `--spec` as inline JSON
only if it literally starts with '{', which fails when there is leading
whitespace; update the detection logic (the code that inspects the `--spec` flag
value in the cf-run command) to trim leading whitespace before checking for '{'
(e.g. use a trimmed/trimStart string for the starts-with test) while preserving
the original `spec` value when you need to treat it as a file path and pass it
to Read; ensure the branch that calls Read still resolves non-absolute paths
relative to the project root after trimming/inspecting.

🧹 Nitpick comments (1)

plugins/context-firewall/schemas/sub-result.v1.schema.json (1)

57-67: Require some evidentiary payload in Evidence.
As written, Evidence can omit both quote and quote_hash, yielding an evidence entry with no verifiable content. Consider enforcing at least one.

♻️ Proposed schema tightening

     "Evidence": {
       "type": "object",
       "additionalProperties": false,
       "required": ["source", "locator"],
       "properties": {
         "source": { "type": "string", "minLength": 1 },
         "locator": { "$ref": "#/$defs/Locator" },
         "quote": { "type": "string" },
         "quote_hash": { "type": "string", "pattern": "^sha256:" }
-      }
+      },
+      "anyOf": [
+        { "required": ["quote"] },
+        { "required": ["quote_hash"] }
+      ]
     },

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dd5d19e and bd069f6.

📒 Files selected for processing (8)

• plugins/context-firewall/agents/cf-aggregator.md
• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/agents/cf-fileworker.md
• plugins/context-firewall/commands/cf-run.md
• plugins/context-firewall/commands/cf-spec.md
• plugins/context-firewall/commands/cf-verify.md
• plugins/context-firewall/schemas/sub-result.v1.schema.json
• plugins/context-firewall/scripts/test-plan.md

🚧 Files skipped from review as they are similar to previous changes (4)

• plugins/context-firewall/commands/cf-verify.md
• plugins/context-firewall/agents/cf-aggregator.md
• plugins/context-firewall/agents/cf-fileworker.md
• plugins/context-firewall/scripts/test-plan.md

🧰 Additional context used

📓 Path-based instructions (1)

**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Markdown linting must ensure compliance with .markdownlint.json configuration which disables MD013 and MD041 rules

Files:

• plugins/context-firewall/commands/cf-spec.md
• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/commands/cf-run.md

🧠 Learnings (2)

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */agents/*.md : Define behavior primarily via system prompts in Markdown files using YAML frontmatter to specify tool permissions

Applied to files:

• plugins/context-firewall/agents/cf-critic.md
• plugins/context-firewall/commands/cf-run.md

📚 Learning: 2026-01-17T04:29:56.872Z

Learnt from: CR
Repo: lollipopkit/cc-plugins PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-17T04:29:56.872Z
Learning: Applies to */agents/*.md : Ensure plugins have an `agents/` directory containing AI agent definitions as Markdown files with YAML frontmatter

Applied to files:

• plugins/context-firewall/agents/cf-critic.md

🪛 LanguageTool

plugins/context-firewall/commands/cf-run.md

[style] ~121-~121: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...rative text before or after the JSON. - Do not paste large raw inputs into the out...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🔇 Additional comments (1)

plugins/context-firewall/commands/cf-spec.md (1)

39-54: Clear, enforceable JSON-only contract.
The steps and output rules are concise and align with the schema-driven workflow.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}