| name | cortex-code |
| description | Routes Snowflake-related operations to Cortex Code CLI for specialized Snowflake expertise. Use when user asks about Snowflake databases, data warehouses, SQL queries on Snowflake, Cortex AI features, Snowpark, dynamic tables, data governance in Snowflake, Snowflake security, or mentions "Cortex" explicitly. Do NOT use for general programming, local file operations, non-Snowflake databases, web development, or infrastructure tasks unrelated to Snowflake. |
| license | Proprietary. See LICENSE for complete terms |
| metadata | {"author":"Snowflake Integration Team","compatibility":"Requires Cortex Code CLI installed and configured"} |
Cortex Code Integration Skill
This skill enables Claude Code to leverage Cortex Code's specialized Snowflake expertise by intelligently routing Snowflake-related operations to Cortex Code CLI in headless mode.
Architecture Overview
Routing Principle: ONLY Snowflake operations → Cortex Code. Everything else → Claude Code.
Key Components:
- Dynamic skill discovery at session initialization
- LLM-based semantic routing (not keyword matching)
- Security wrapper with approval modes (prompt/auto/envelope_only)
- Stateless Cortex execution with context enrichment
- Hybrid memory management
- Audit logging for compliance
Security
The skill includes a security wrapper around Cortex execution with three approval modes:
Approval Modes
-
prompt (default): High security
- User shown approval prompt with predicted tools and confidence
- User must approve before execution
- No audit logging required
- Best for: Interactive sessions, untrusted prompts, production
-
auto: Medium security
- All operations auto-approved
- Mandatory audit logging
- Envelopes still enforced
- Best for: Automated workflows, trusted environments
-
envelope_only: Medium security
- No tool prediction (faster)
- Auto-approved with audit logging
- Relies on envelope blocklist only
- Best for: Trusted environments, low latency needs
Configuration: Set in ~/.claude/skills/cortex-code/config.yaml or organization policy.
Built-in Protections
- Prompt Sanitization: Automatic PII removal and injection detection
- Credential Blocking: Prevents routing when credential paths detected
- Secure Caching: SHA256-validated cache in
~/.cache/cortex-skill/
- Audit Logging: Structured JSONL logs (mandatory for auto/envelope_only)
- Organization Policy: Enterprise override via
~/.snowflake/cortex/claude-skill-policy.yaml
Session Initialization
When this skill is first loaded in a Claude Code session:
Step 1: Discover Cortex Capabilities
python scripts/discover_cortex.py
This script:
- Runs
cortex skill list to enumerate all available Cortex skills
- Reads each skill's SKILL.md frontmatter and trigger patterns
- Caches capabilities with
CacheManager in the configured cache directory
- Returns structured data about what Cortex can handle
Expected output: JSON mapping of skill names to their trigger patterns and capabilities.
Step 2: Load Routing Context
The discovered capabilities are loaded into memory to inform routing decisions throughout the session.
Workflow: Handling User Requests
Step 1: Analyze Request with LLM-Based Routing
Before taking any action, analyze the user's request:
python scripts/route_request.py --prompt "USER_PROMPT_HERE"
This script:
- Loads Cortex capabilities from cache
- Uses LLM reasoning to classify the request
- Returns routing decision with confidence score
Routing Logic:
Step 2: Execute Based on Routing Decision
If routed to Claude Code:
Handle the request directly using Claude Code's built-in capabilities. No Cortex involvement.
If routed to Cortex Code:
Proceed to Step 3.
Step 3: Choose Security Envelope and Handle Approval
Before executing Cortex, the security wrapper handles approval based on configured mode.
Step 3a: Check Approval Mode
Read configuration to determine approval behavior:
- auto mode (trusted opt-in): Auto-approve with audit logging, skip to Step 4
- envelope_only mode: Auto-approve, no tool prediction, skip to Step 4
- prompt mode: Requires user approval, proceed to Step 3b
Note: The shipped Claude Code config defaults to approval_mode: "prompt". Only skip Step 3b when the user or organization policy explicitly opts into auto or envelope_only.
Step 3b: Handle Approval (prompt mode only)
Only use this step if approval_mode is "prompt". Otherwise skip to Step 4.
If using prompt mode:
python scripts/security_wrapper.py \
--prompt "ENRICHED_PROMPT" \
--envelope '{"mode":"RW"}'
This will:
- Predict required tools using LLM
- Display approval prompt to user:
Cortex Code needs to execute the following tools:
• snowflake_sql_execute
• Read
• Write
Envelope: RW
Confidence: 85%
Approve execution? [yes/no]
- If approved, proceed to Step 3c
- If denied, abort execution
Important: The --envelope parameter must be JSON format for security_wrapper.py.
Step 3c: Determine Security Envelope
Determine the appropriate security envelope based on the operation:
- RO (Read-Only): For queries and read operations - blocks Edit, Write, destructive Bash
- RW (Read-Write): For data modifications - allows most operations, blocks destructive Bash
- RESEARCH: For exploratory work - read access plus web tools
- DEPLOY: For deployment operations - blocks destructive Bash commands
- NONE: Custom blocklist via --disallowed-tools
Step 4: Enrich Context for Cortex
Build an enriched prompt that includes:
Claude Conversation Context:
- Last 2-3 relevant exchanges from current Claude session
- Any Snowflake-specific details already discussed
Recent Cortex Session Context:
python scripts/read_cortex_sessions.py --limit 3
This reads the most recent Cortex session files from ~/.local/share/cortex/sessions/ to understand what Cortex recently worked on.
Enriched Prompt Format:
# Context from Claude Code Session
[Recent relevant conversation history]
# Recent Cortex Work
[Summary from recent Cortex sessions]
# User Request
[Original user prompt]
Step 5: Execute Cortex Code Headlessly
python scripts/execute_cortex.py \
--prompt "ENRICHED_PROMPT" \
--connection "connection_name" \
--envelope "RW" \
--disallowed-tools "tool1" "tool2"
This script:
- Invokes
cortex -p "prompt" --output-format stream-json
- Uses print mode for prompt delivery and stream JSON output for non-TTY parsing
- Applies envelope-based security via
--disallowed-tools blocklist for safety
- Parses NDJSON event stream in real-time
- Detects tool use events and execution results
Key Insight: The wrapper intentionally does not combine -p with --input-format stream-json. Cortex reserves --input-format for JSON stdin input; with closed stdin, that combination can emit only an init event and exit before processing the prompt.
Security Envelopes:
- RO (Read-Only): Blocks Edit, Write, destructive Bash commands
- RW (Read-Write): Blocks destructive operations like rm -rf, sudo
- RESEARCH: Read access plus web tools, blocks write operations
- DEPLOY: Deployment operations, blocks destructive Bash commands
- NONE: Custom blocklist via --disallowed-tools parameter
Event Stream Handling:
type: assistant → Cortex's responses, display to usertype: tool_use → Cortex is calling a tooltype: result → Final outcome
Step 6: Handle Permission Requests
With the security wrapper:
- prompt mode: User approves BEFORE execution (no mid-execution prompts)
- auto/envelope_only modes: Non-blocked tools are auto-approved in stream JSON mode
The security wrapper handles permission management through:
- Upfront approval (prompt mode): User approves predicted tools before execution
- Audit logging (auto/envelope_only): All operations logged to
~/.claude/skills/cortex-code/audit.log
- Envelope enforcement: Tool blocklist still enforced via
--disallowed-tools
Step 7: Return Results to User
Format Cortex's output for Claude Code context:
- Show SQL query results in readable format
- Display any generated artifacts
- Report success/failure status
- Provide relevant excerpts from Cortex's analysis
Examples
Example 1: Snowflake Query
User says: "Show me the top 10 customers by revenue in Snowflake"
Routing: → Cortex Code (Snowflake SQL query)
Security Envelope: RW (allows SQL execution)
Cortex Action:
- Uses snowflake_sql_execute to run:
SELECT customer_name, SUM(revenue) as total FROM sales GROUP BY customer_name ORDER BY total DESC LIMIT 10
- Returns formatted results
Result: Table displayed to user with top 10 customers.
Example 2: Local File Operation
User says: "Read the config.json file in this directory"
Routing: → Claude Code (local file operation)
Claude Action: Uses Read tool directly, no Cortex involvement.
Result: File contents displayed.
Example 3: Data Quality Check
User says: "Check data quality for the SALES_DATA table"
Routing: → Cortex Code (Snowflake data quality - matches Cortex's data-quality skill)
Security Envelope: RW (allows SQL execution for analysis)
Cortex Action:
- Runs data quality checks using its data-quality skill
- Analyzes schema, null rates, duplicates, etc.
- Generates quality report
Result: Comprehensive data quality report with recommendations.
Important Notes
Security Wrapper
The skill uses a security wrapper that provides:
- Approval modes: prompt (default), auto, envelope_only
- Prompt sanitization: Automatic PII removal and injection detection
- Credential blocking: Prevents routing when credential paths detected
- Audit logging: Mandatory for auto/envelope_only modes
- Tool prediction: LLM predicts required tools for approval prompt
Configuration: ~/.claude/skills/cortex-code/config.yaml or organization policy
Headless Execution with Auto-Approval
When using auto or envelope_only modes:
- All tool calls are automatically approved without interactive prompts
- Works for built-in tools (Read, Write, Edit, Bash, Grep, Glob) and non-builtin tools (snowflake_sql_execute, data_diff, MCP tools)
- Uses print mode for prompt delivery and stream JSON mode for non-TTY output parsing
- Security is controlled via
--disallowed-tools blocklist instead of interactive approval; use these modes only in trusted contexts
Stateless Execution
Each Cortex invocation is stateless. Context must be explicitly provided via enriched prompts.
Memory Boundaries
- Claude Code maintains: Full conversation history, user preferences, project context
- Cortex Code receives: Only task-specific context for current operation
- Cortex sessions are read: For historical context enrichment only
Security Envelope Strategy
Choose envelopes based on operation risk:
- Start with RO or RW: Most operations fit here
- Use RESEARCH: When web access is needed for exploratory work
- Use DEPLOY: Only for deployment-style operations that require broader non-destructive tool access
- Use NONE with custom blocklist: When fine-grained control is needed
Performance Considerations
- Cortex skill discovery runs once per Claude Code session (cached)
- Each Cortex execution adds ~2-5 seconds latency
- Use routing wisely to minimize unnecessary Cortex calls
Troubleshooting
Error: "Cortex CLI not found"
Cause: Cortex Code is not installed or not in PATH
Solution:
which cortex
Error: Approval prompt not appearing (or appearing unexpectedly)
Cause: Approval mode misconfiguration or organization policy override
Solution:
cat ~/.claude/skills/cortex-code/config.yaml | grep approval_mode
cat ~/.snowflake/cortex/claude-skill-policy.yaml 2>/dev/null
Error: "Prompt contains credential file path"
Cause: Prompt mentions paths matching credential allowlist (e.g., ~/.ssh/, .env)
Solution:
- Remove credential references from prompt
- Or customize allowlist in config.yaml if false positive
Error: PII removed from prompts
Symptom: Emails, phone numbers replaced with placeholders
Cause: Automatic sanitization enabled by default
Solution: Disable if needed (not recommended):
security:
sanitize_conversation_history: false
Error: "Permission denied" despite auto mode
Cause: Tool is in the --disallowed-tools blocklist for current envelope
Solution:
- Check which envelope is being used (RO/RW/RESEARCH/DEPLOY)
- If operation is safe, switch to a less restrictive envelope
- Avoid
NONE in auto/envelope_only modes; use a named envelope plus explicit custom blocklist if needed
Error: Audit log not created
Symptom: No audit.log despite auto/envelope_only mode
Solution:
mkdir -p ~/.claude/skills/cortex-code
chmod 700 ~/.claude/skills/cortex-code
cat ~/.claude/skills/cortex-code/config.yaml | grep audit_log_path
Error: Tools still requiring approval
Cause: Approval mode, envelope blocklist, or stream JSON invocation is misconfigured
Solution: Ensure the wrapper invokes cortex -p "..." --output-format stream-json without --input-format, and that the configured envelope does not block the intended tool.
Issue: Routing sends Snowflake query to Claude Code
Cause: Routing logic didn't detect Snowflake keywords
Solution:
- Check if user mentioned "Snowflake" explicitly
- Review routing script logic in
scripts/route_request.py
- Add more trigger patterns to routing context
Issue: Cortex returns "Connection refused"
Cause: Snowflake connection not configured in Cortex
Solution:
cortex connections list
Issue: Context enrichment too large
Cause: Including too much conversation history
Solution: Limit to last 2-3 relevant exchanges, summarize older context.
Advanced: Custom Routing Rules
To customize routing beyond default logic, edit scripts/route_request.py:
FORCE_CORTEX_PATTERNS = [
"snowflake",
"cortex",
"warehouse",
"snowpark"
]
FORCE_CLAUDE_PATTERNS = [
"local file",
"git commit",
"python script"
]
References
See references/ directory for:
cortex-cli-reference.md - Full Cortex CLI documentationrouting-examples.md - More routing decision examplessession-file-format.md - Cortex session file structuretroubleshooting-guide.md - Extended troubleshooting
