fix: allow model invocation for adversarial-review command#156
Open
parthpm wants to merge 2 commits intoopenai:mainfrom
Open
fix: allow model invocation for adversarial-review command#156parthpm wants to merge 2 commits intoopenai:mainfrom
parthpm wants to merge 2 commits intoopenai:mainfrom
Conversation
The `disable-model-invocation: true` flag prevents other skills from invoking `/codex:adversarial-review` via the Skill tool. This blocks useful workflow composition — for example, a `/plan-review` skill that explores the codebase, drafts a plan, and then calls `/codex:adversarial-review --wait` to pressure-test it before presenting to the user. The command already constrains its own tool access via `allowed-tools` and its prompt enforces review-only behavior, so the model-invocation gate adds no safety value — it only prevents programmatic orchestration.
|
🦀 Assigned! I'll submit a PR to remove |
D2758695161
added a commit
to D2758695161/codex-plugin-cc
that referenced
this pull request
Apr 5, 2026
Author
|
@dkundel-openai Can we have a look please? Thanks! |
kangminlee-maker
added a commit
to kangminlee-maker/onto
that referenced
this pull request
Apr 8, 2026
…ons learned)
The 2026-04-08~09 fix for the broken `${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs`
reference is now documented in known-issues.md as Issue 4. The entry covers:
- Symptoms: /onto:review and /onto:onboard always halted in Codex mode
with MODULE_NOT_FOUND, regardless of actual Codex install state.
- Root cause: ${CLAUDE_PLUGIN_ROOT} expands to the *calling* plugin's
root, not the codex plugin's root. Onto's templates copied codex's own
internal pattern without realizing the variable's per-caller semantics.
- Verification of scope: full grep across cowork/ (48 repos) found this
pattern in only 3 source files, all in onto / onto-prototype. Other
repos using ${CLAUDE_PLUGIN_ROOT} (ouroboros, oh-my-claudecode) all
reference their OWN plugin's scripts/, which is the correct usage.
- Resolution: A+D combination fix
A — Skill tool invokes /codex:setup slash command (works today)
D — $CODEX_COMPANION_PATH env var (forward-compatible, unset today)
- Decision NOT to file upstream issue with codex plugin owners:
1. Slash command pattern is the established norm; another third-party
plugin (parthpm/adversarial-dev-plugin) uses it successfully.
2. Codex plugin team is already strengthening this path via
openai/codex-plugin-cc#156 (removing disable-model-invocation
on /codex:adversarial-review for Skill tool delegation).
3. The bug was bad copy-paste, not a missing feature. Filing would
likely be closed as "use the slash command".
- Lesson for future plugin work: never use \${CLAUDE_PLUGIN_ROOT} for
cross-plugin references. Use the other plugin's slash command via
Skill tool instead. Documented as a 4-point rule in the entry's
"Lesson for future plugin work" section.
This is a documentation-only commit. No code changes — the actual fixes
are in dc7f111 (cross-plugin path fix) and 615f90d (chatgpt OAuth
fail-fast).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes
disable-model-invocation: truefrom theadversarial-reviewcommand frontmatter.Motivation
The
disable-model-invocationflag prevents skills from invoking/codex:adversarial-reviewvia the Skill tool. When a skill tries to call it, Claude Code returns:This blocks workflow composition — any skill or agent that wants to include an adversarial review as one step in a multi-step workflow cannot do so programmatically (example: adversarial-dev-plugin). Users who build custom skills (e.g., a review-then-implement pipeline, a plan-and-validate loop, or a CI-like pre-merge check) hit this wall when they try to chain
/codex:adversarial-reviewinto their flow.The flag was likely added because the command delegates to an external process (the companion script) rather than using Claude's model directly. But preventing programmatic invocation is a separate concern from preventing model invocation — the Skill tool just needs to run the command's prompt, which then runs the companion script via its
allowed-tools.Why this is safe
The command already has two independent safety layers:
allowed-toolsrestricts the tool set toRead, Glob, Grep, Bash(node:*), Bash(git:*), AskUserQuestion— no edit or write access.The
disable-model-invocationgate adds no additional safety beyond these — it only prevents orchestration by other skills.Test plan
/codex:adversarial-review --wait "test"still works when invoked directly from the prompt/codex:adversarial-reviewvia the Skill tool now succeeds instead of erroring