pi-context-firewall

Natively route noisy Pi shell commands through Context Firewall.

pi-context-firewall integrates your local context-firewall (cfw) installation natively into the Pi coding agent. It intercepts Pi's bash tool calls on-the-fly and routes noisy operations (tests, diffs, log reads, and wide searches) through cfw run automatically, saving up to 94%+ of noisy command context for useful reasoning.

How it works

The extension registers a global hook on tool_call events. If cfw is present on your system path, it inspects incoming commands and automatically rewrites them:

git diff  →  cfw run --kind git -- git diff

The model gets a clean, compact summary of the result with a local span handle, while the full raw stdout/stderr remains stored locally on disk for exact retrieval. If cfw is missing, the extension falls back to raw execution silently so nothing ever breaks.

Install

First, make sure cfw is installed on your system:

# macOS/Linux
brew install nik1t7n/tap/cfw

# Or via the installer script
curl -LsSf https://github.com/nik1t7n/context-firewall/releases/latest/download/cfw-installer.sh | sh

Then install the native package inside Pi:

pi install npm:pi-context-firewall

And reload Pi:

/reload

You'll see a clean, dim orange cfw: active status indicator in the bottom-left corner of your TUI.

Supported commands

The on-the-fly rewriter automatically intercepts and routes:

• Git Diffs/Logs: git diff, git show, git log, git status
• Search Results: rg, grep, find, ag, ack
• Tests & Linters: cargo test, pytest, npm test, eslint, vitest, jest, tsc
• Container Logs: docker logs, kubectl logs
• Large Dumps: cat reads on .log, .json, .lock, and .xml files

Verification

To inspect your savings, run:

cfw receipt --json

Or ask the agent to retrieve exact lines from a saved span:

cfw show <span-id> --lines 50:100

Versioning

pi-context-firewall uses semantic versioning: MAJOR.MINOR.PATCH.

See VERSIONING.md for details and the release checklist.

License

MIT