Fix output explosion OOM: add tool-prevention, timeout, and output caps

[rodboev]

Summary

Fixes two critical issues with the codex-peer-review plugin:

1. OOM crash — codex exec runs in full-auto mode and autonomously reads files, searches code, and streams JSON. For multi-file reviews, this produced 64MB+ of output that crashed the peer-reviewer agent.
2. Hook overhead — The current hooks.json fires on SessionStart, every UserPromptSubmit, every Stop, and three PreToolUse matchers, causing 5+ subprocess invocations per turn and measurably slowing sessions.

This PR backports defensive patterns proven in the gemini-peer-review fork (by stephenbrandon), adapted for Codex CLI semantics, and reduces hooks to a minimal keyword-gated set.

Root Cause — OOM

When codex exec receives a prompt that references file paths, it autonomously:

1. Reads every referenced file via tool calls
2. Searches for related code across the repo
3. Streams each tool invocation as JSON (with --json flag)
4. The agent captures all output via tee

For a real-world test (8 shell scripts + a 430-line GUIDE.md), this produced a 64MB output file that OOM'd the peer-reviewer agent.

Root Cause — Hook Overhead

Each hook spawns a bash subprocess, reads stdin/env, runs grep, and outputs text injected into context. With 6 hooks firing across SessionStart + UserPromptSubmit + Stop + 3x PreToolUse, busy sessions trigger dozens of hook invocations per conversation turn.

Changes

Commit 1: Output Protection

All codex exec invocations:

• Tool-prevention suffix: Every prompt ends with "IMPORTANT: Do not use any tools, do not read files, do not search code. Analyze ONLY the content provided in this prompt. Output text only."
• Timeout: All codex exec calls wrapped with timeout 120 (prevents infinite tool loops)
• Output cap: All output piped through head -c 500000 (caps at 500KB)

Content Inclusion Pattern:

• Never reference file paths — include file contents directly in prompts
• Temp file approach (mktemp) for large multi-file prompts
• Per-file chunking guidance for large reviews

Agent Definition (agents/codex-peer-reviewer.md):

• Removed permissionMode: bypassPermissions (overly permissive)
• Added new tool permissions: mktemp, rm, timeout, head, git diff/show/log

Documentation:

• New "Letting Codex Use Tools (Output Explosion)" section in common-mistakes.md
• New "Rule 5: Output Protection (MANDATORY)" in discussion-protocol.md
• New "CRITICAL: Output Protection" and "CRITICAL: Include Content in Prompts" sections in SKILL.md

Hook Scripts:

• user-prompt-check.sh, task-peer-review-check.sh, write-peer-review-check.sh: Try env vars first, fall back to stdin JSON parsing

Commit 2: Hook Reduction

Reduced from 6 hooks to 2 — keeping only the ones that earn their overhead:

Hook	Before	After	Rationale
UserPromptSubmit (keyword-gated)	✅	✅	Only outputs when prompt matches plan/design/review keywords. Silent otherwise.
PreToolUse(ExitPlanMode)	✅	✅	Fires only when about to present a plan. Very targeted.
SessionStart	✅	❌	Unconditional reminder every session — adds noise
Stop	✅	❌	Fires on every response completion — very noisy
PreToolUse(Task)	✅	❌	Fires on every subagent dispatch — too broad
PreToolUse(Write)	✅	❌	Fires on every file write — too broad

Testing

• Tested /codex-peer-review command locally
• Verified subagent dispatches correctly
• Updated relevant documentation
• Verified output stays under 500KB with the protections applied
• Confirmed hook scripts work with both env var and stdin approaches
• Verified reduced hooks don't fire on non-matching prompts

Checklist

• Prompts remain language-agnostic
• No breaking changes to existing behavior (or documented if intentional)
• README updated if needed (N/A — changes are internal to plugin files)