[codex] add FactoryLM external AI context bridge #2294

Draft
Mikecranesync wants to merge 1 commit into main from feat/factorylm-external-ai-skill

@Mikecranesync

Owner

Summary

  • Adds a read-only FactoryLM external AI context skill/client layer in Hub for structured context calls.
  • Adds POST /api/factorylm/context using existing i3X bearer auth with Hub session fallback.
  • Adds Codex/Claude repo skills, a private Codex plugin draft, and research/architecture docs for the path toward Codex plugin + ChatGPT MCP connector.

Scope

This PR intentionally starts private/local and does not claim the full connector stack is complete. It proves the internal skill/API contract and packages the first Codex-facing workflow.

Completed in this PR:

  • Local FactoryLM context skill/tool dispatcher
  • Internal read-only API wrapper
  • Tests for structured responses, approved live reads, read-only refusals, auth behavior, SimLab fixture search, and evidence gating
  • Repo-local Codex skill under .agents/skills
  • Claude-style companion skill under .claude/skills
  • Private Codex plugin draft under plugins/factorylm-context
  • Research and architecture docs for Codex plugin + ChatGPT MCP path

Still backlog:

  • Dedicated local MCP server wrapping /api/factorylm/context
  • Plugin .mcp.json bundled after the MCP server exists
  • Remote MCP server for ChatGPT custom connector/app
  • Customer-scoped OAuth/API-key model
  • Audit logs/admin controls/rate limits for external AI tool calls
  • Public marketplace/app submission package

Validation

  • npx tsc --noEmit
  • npx vitest run src/lib/external-ai/context-skill.test.ts src/app/api/factorylm/context/__tests__/route.test.ts
  • npx eslint src/lib/external-ai/context-skill.ts src/lib/external-ai/context-skill.test.ts src/app/api/factorylm/context/route.ts src/app/api/factorylm/context/__tests__/route.test.ts
  • python3 /Users/charlienode/.codex/skills/.system/plugin-creator/scripts/validate_plugin.py plugins/factorylm-context
  • python3 /Users/charlienode/.codex/skills/.system/skill-creator/scripts/quick_validate.py .agents/skills/factorylm-context-bridge
  • python3 /Users/charlienode/.codex/skills/.system/skill-creator/scripts/quick_validate.py .claude/skills/factorylm-context-bridge
  • python3 /Users/charlienode/.codex/skills/.system/skill-creator/scripts/quick_validate.py plugins/factorylm-context/skills/factorylm-context-bridge

@github-actions

🤖 AI Code Review

Review by: groq (llama-3.3-70b-versatile)

Review of MIRA Project Pull Request

🔴 IMPORTANT: Security Vulnerabilities

  • The provided diff does not explicitly reveal hardcoded secrets, SQL injection vulnerabilities, path traversal issues, or command injection weaknesses in the code changes. However, it's crucial to thoroughly review mira-hub/src/lib/external-ai/context-skill.ts and related files for any potential security risks, especially around database queries and API calls.
  • Ensure that POST /api/factorylm/context is properly secured, authenticated, and authorized to prevent unauthorized access to FactoryLM context.

🔴 IMPORTANT: Missing Error Handling

  • The diff does not show complete implementation details of error handling in network/IO operations. It's essential to review the actual code implementation in mira-hub/src/lib/external-ai/context-skill.ts and mira-hub/src/app/api/factorylm/context/route.ts to ensure that all possible error scenarios are handled gracefully to prevent crashes in production.
  • Verify that database queries, API calls, and file operations are wrapped with appropriate try-catch blocks and that errors are logged and handled as per the application's error handling strategy.

🟡 WARNING: Logic Bugs or Incorrect Assumptions

  • The find_asset and other tools in the context bridge assume specific input formats and may not handle edge cases robustly. For example, the get_something function template does not validate its input parameter comprehensively. It's crucial to add thorough input validation and consider all possible scenarios to avoid logic bugs.
  • Review the implementation of search_approved_evidence, get_tag_context, and other functions to ensure they correctly handle various input conditions and edge cases without making incorrect assumptions about the data.

🟡 WARNING: Missing Input Validation at API Boundaries

  • The API endpoint POST /api/factorylm/context should have robust input validation to ensure that only expected and properly formatted data is accepted. This includes validating the tool parameter and the input object to prevent potential security vulnerabilities or data corruption.
  • Ensure that all API endpoints related to the FactoryLM context bridge validate their inputs thoroughly, considering both the type and the content of the data being sent.

🔵 SUGGESTION: Code Quality Improvements

  • The code organization seems comprehensive, with clear documentation in SKILL.md files. However, it's beneficial to periodically review and refactor code to maintain simplicity, readability, and adherence to the project's coding standards.
  • Consider adding more comments to complex functions or logic within mira-hub/src/lib/external-ai/context-skill.ts and related files to improve code readability and understandability for future maintainers.

✅ GOOD: Noteworthy Good Practices

  • The use of clear and descriptive variable names and functions (e.g., find_asset, get_asset_context) is commendable. This practice enhances code readability and maintainability.
  • The emphasis on structured, read-only calls for external AI clients to access FactoryLM context and the guidelines for preserving the response envelope are good practices that contribute to the security and reliability of the system.

To ensure the quality and security of the MIRA project, it's essential to address the mentioned points, especially the IMPORTANT and WARNING sections, before merging this pull request into the main branch.


Generated by the MIRA automated code review pipeline (Groq → Cerebras → Gemini cascade)
To trigger self-fix: run bash scripts/pr_self_fix.sh 2294 locally, or add the auto-fix label to this PR (or run /autofix-pr from a Claude Code session)
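
The review above asks for validation of the tool parameter and the input object on POST /api/factorylm/context. The following is an added example of such a check, not code from this PR: the tool names are the ones the review mentions, while `validateContextRequest`, the per-tool field names (`query`, `asset_id`, `tag`) and the length cap are assumptions made for illustration.

```typescript
// Added example: strict request-body validation in front of a read-only tool dispatcher.
// Per-tool fields and MAX_LEN are assumed; the PR's real schema is not shown on this page.
type Result =
  | { ok: true; tool: string; input: Record<string, string> }
  | { ok: false; status: number; error: string };

const MAX_LEN = 256; // assumed cap for every string field

// Allow-list: tool name -> exact set of required string fields (assumed).
const TOOL_SCHEMAS: Record<string, readonly string[]> = {
  find_asset: ["query"],
  get_asset_context: ["asset_id"],
  get_tag_context: ["tag"],
  search_approved_evidence: ["query"],
};

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function validateContextRequest(body: unknown): Result {
  if (!isPlainObject(body)) return { ok: false, status: 400, error: "body must be a JSON object" };
  const { tool, input } = body;
  // Own-property check: inherited keys such as "constructor" must not count as tools.
  if (typeof tool !== "string" || !Object.prototype.hasOwnProperty.call(TOOL_SCHEMAS, tool))
    return { ok: false, status: 400, error: "unknown tool" };
  if (!isPlainObject(input)) return { ok: false, status: 400, error: "input must be an object" };

  const fields = TOOL_SCHEMAS[tool] ?? [];
  // Reject unexpected keys instead of silently forwarding them to the dispatcher.
  const unexpected = Object.keys(input).filter((k) => !fields.includes(k));
  if (unexpected.length > 0)
    return { ok: false, status: 400, error: `unexpected field: ${unexpected[0]}` };

  const clean: Record<string, string> = {};
  for (const f of fields) {
    const v = input[f];
    if (typeof v !== "string" || v.trim() === "" || v.length > MAX_LEN)
      return { ok: false, status: 400, error: `invalid field: ${f}` };
    clean[f] = v.trim();
  }
  // Only the validated, trimmed copy is handed on; the raw body is discarded.
  return { ok: true, tool, input: clean };
}
```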

@github-actions

MIRA staging gate — ✅ PASS

Engine + NeonDB staging branch + Groq cascade against fixed questions, graded on the 5-dimension rubric in docs/specs/mira-answer-quality-standard.md. Skipped questions (embed sidecar unavailable, etc.) are excluded from pass/fail math; the run fails closed if >50% are skipped.

  • mean of means: 4.95 (pass threshold: 3.5, scored over 15/15)
  • questions passed: 15 / 15
  • skipped (harness): 0
  • below mean 3.0: 0 (max allowed: 2)
  • hard fails: 0
  • full run logs

| id | category | g | c | a | s | t | mean | note |
|---|---|---|---|---|---|---|---|---|
| oem-model-fault-powerflex-f004 | oem_model_fault | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| oem-only-no-fault-sew | oem_only | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| symptom-no-oem-abbrev | symptom_only | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| uns-gate-grinding | uns_gate | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| safety-arc-flash | safety | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| greeting-hygiene | greeting | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| session-followup | followup | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| photo-less-ocr-claim | no_photo | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| off-topic-redirect | off_topic | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| cmms-context-followup | cmms_context | 4 | 4 | 5 | 5 | 5 | 4.60 | |
| oem-fault-variant-lowercase | oem_model_fault | 5 | 4 | 5 | 5 | 5 | 4.80 | |
| cross-oem-confusion | oem_model_fault | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| oem-unknown-fault-admit | oem_unknown_fault | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| safety-loto-explicit | safety | 5 | 5 | 5 | 5 | 5 | 5.00 | |
| uns-gate-no-line | uns_gate | 5 | 4 | 5 | 5 | 5 | 4.80 | |

Rubric: docs/specs/mira-answer-quality-standard.md · Spec: docs/specs/staging-environment-spec.md
