@minhpnq1807/contextos 0.5.44 → 0.5.45

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.5.45
+
+- **Project-aware MCP skill suggestions:** Skill ranking now reads `package.json` keywords and dependencies such as `@modelcontextprotocol/sdk`. MCP projects can recommend `mcp-builder`, `mcp-management`, `mcp-tool-developer`, and `agent-memory-mcp` for context retrieval, scorer, hook, and prompt-injection debugging tasks even when the prompt does not explicitly say `mcp`.
+- **Domain-safe skill ranking:** Added common-language stopwords and bounded domain gates so generic prompt overlap no longer revives unrelated MCP, offensive-security, or platform-commerce skills. Purchase prompts prioritize payment, billing, frontend API integration, and backend skills without assuming Stripe, PayPal, WooCommerce, or another provider unless named.
+- **Purchase-flow file retrieval:** File embedding and graph retrieval queries now expand purchase, wallet, checkout, content-access, library, and notification prompts with focused retrieval hints while keeping repository walking out of the prompt hot path.
+- **Seven-item prompt summaries:** Increased suggested file and skill limits from three to seven in prompt hooks and `ctx debug`. Suggested files now render as a compact comma-separated inline summary while duplicate basenames remain disambiguated with relative paths.
+- **Target-workspace prompt scoring:** Prompt hooks can score an explicitly named sibling workspace such as `../philo-mind`, allowing repo-specific manifest and skill recommendations when debugging another project from the current shell.
+- **Monorepo manifest awareness:** Project skill hints and run/connect file suggestions now read bounded root and workspace `package.json` metadata, including workspace arrays, `{ packages: [...] }`, and one-level globs.
+- **Fallback file retrieval budget:** Raised direct hook fallback file-vector timeout to 1000ms so indexed file suggestions remain available when the private MCP bridge is unavailable.
+
 ## 0.5.44
 
 - **Robust MCP TOML handling:** Added `smol-toml` parsing for Codex MCP config while preserving comments, ordering, multiline arrays, and nested tool approval sections during telemetry proxy rewrites.

package/bin/ctx.js

@@ -590,12 +590,13 @@ async function debug(task) {
     cwd,
     prompt: task,
     dataDir: contextOSDataDir(),
-    maxFiles: 3,
+    maxFiles: 7,
+    maxSkills: 7,
     embeddingTimeoutMs: Number(process.env.CONTEXTOS_EMBEDDING_DEBUG_TIMEOUT_MS || 5000)
   });
   const rules = scored.scoredRules;
-  const relevantFiles = scored.suggestedFiles.slice(0, 3);
-  const suggestedSkills = (scored.suggestedSkills || []).slice(0, 3);
+  const relevantFiles = scored.suggestedFiles.slice(0, 7);
+  const suggestedSkills = (scored.suggestedSkills || []).slice(0, 7);
   const suggestedWorkflows = (scored.suggestedWorkflows || []).slice(0, 2);
   const scheduled = scheduleContext({ rules, relevantFiles, suggestedSkills, suggestedWorkflows });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@minhpnq1807/contextos",
-  "version": "0.5.44",
+  "version": "0.5.45",
   "description": "Task-aware AGENTS.md context injection and compliance reporting for Codex, Claude Code, and Antigravity.",
   "type": "module",
   "bin": {

package/plugins/ctx/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "ctx",
-  "version": "0.5.44",
+  "version": "0.5.45",
   "description": "Inject task-relevant AGENTS.md rules into Codex through plugin hooks.",
   "author": {
     "name": "ContextOS"

package/plugins/ctx/lib/analyzer.js

@@ -1,3 +1,4 @@
+import fs from "node:fs";
 import path from "node:path";
 import { findGraphRelevantFiles, mergeRelevantFiles } from "./graph-retriever.js";
 import { expandImportGraph } from "./import-graph.js";
@@ -282,9 +283,12 @@ export async function findRelevantFiles({
 } = {}) {
   if (!String(task || "").trim()) return [];
 
+  const retrievalTask = expandFileRetrievalTask(task);
+  const explicitFiles = findExplicitPromptFiles({ cwd, task, limit: Math.max(limit * 2, 6) });
+  const manifestFiles = findProjectManifestFiles({ cwd, task, limit: Math.max(limit * 2, 6) });
   const embeddingFiles = await embeddingFileFinder({
     cwd,
-    task,
+    task: retrievalTask,
     dataDir,
     timeoutMs: fileEmbeddingTimeoutMs,
     embeddingOptions: fileEmbeddingOptions,
@@ -292,16 +296,16 @@ export async function findRelevantFiles({
   });
   const importGraphFiles = expandImportGraph({
     cwd,
-    seedFiles: embeddingFiles.slice(0, limit),
+    seedFiles: [...explicitFiles, ...manifestFiles, ...embeddingFiles].slice(0, limit),
     dataDir,
     limit: Math.max(limit * 2, 6)
   });
-  const seedFiles = mergeLocalFileCandidates([...embeddingFiles, ...importGraphFiles])
+  const seedFiles = mergeLocalFileCandidates([...explicitFiles, ...manifestFiles, ...embeddingFiles, ...importGraphFiles])
     .slice(0, Math.max(limit * 3, 9));
 
   const graphFiles = findGraphRelevantFiles({
     cwd,
-    task,
+    task: retrievalTask,
     rules,
     seedFiles,
     limit: Math.max(limit * 2, 6)
@@ -310,6 +314,186 @@ export async function findRelevantFiles({
   return mergeRelevantFiles({ graphFiles, heuristicFiles: seedFiles, limit });
 }
 
+export function findProjectManifestFiles({ cwd = process.cwd(), task = "", limit = 6 } = {}) {
+  const tokens = new Set(tokenize(task));
+  if (!isManifestRelevantTask(tokens)) return [];
+  const manifests = workspacePackageManifests(cwd, tokens);
+  return manifests.slice(0, limit).map((filePath, index) => ({
+    path: filePath,
+    score: manifestScore(filePath, tokens, index),
+    source: "manifest",
+    reasons: ["project-manifest"]
+  }));
+}
+
+function manifestScore(manifest, taskTokens, index) {
+  if (manifest === "package.json") return 50;
+  const parts = manifest.split(/[\\/]+/).filter(Boolean);
+  const workspaceName = parts.at(-2);
+  return (taskTokens.has(workspaceName) ? 35 : 20) - index * 0.01;
+}
+
+function isManifestRelevantTask(tokens) {
+  const runIntent = ["run", "start", "connect", "qr", "install", "build", "script", "scripts"].some((token) => tokens.has(token));
+  const projectIntent = ["webapp", "frontend", "expo", "native", "app", "package", "workspace"].some((token) => tokens.has(token));
+  return runIntent && projectIntent;
+}
+
+function workspacePackageManifests(cwd, taskTokens = new Set()) {
+  const rootManifest = path.join(cwd, "package.json");
+  const manifests = [];
+  if (fs.existsSync(rootManifest)) manifests.push("package.json");
+  const rootPackage = readJson(rootManifest);
+  for (const pattern of workspacePatterns(rootPackage?.workspaces)) {
+    for (const manifest of expandWorkspacePattern({ cwd, pattern })) {
+      manifests.push(path.relative(cwd, manifest));
+    }
+  }
+  return [...new Set(manifests)].sort((a, b) => manifestPriority(b, taskTokens) - manifestPriority(a, taskTokens) || a.localeCompare(b));
+}
+
+function manifestPriority(manifest, taskTokens) {
+  if (manifest === "package.json") return 100;
+  const parts = manifest.split(/[\\/]+/).filter(Boolean);
+  const workspaceName = parts.at(-2);
+  return taskTokens.has(workspaceName) ? 80 : 0;
+}
+
+function workspacePatterns(workspaces) {
+  if (Array.isArray(workspaces)) return workspaces.filter((item) => typeof item === "string");
+  if (Array.isArray(workspaces?.packages)) return workspaces.packages.filter((item) => typeof item === "string");
+  return [];
+}
+
+function expandWorkspacePattern({ cwd, pattern }) {
+  const normalized = String(pattern || "").replace(/\\/g, "/").replace(/\/+$/g, "");
+  if (!normalized || normalized.startsWith("..") || path.isAbsolute(normalized)) return [];
+  if (!normalized.includes("*")) {
+    const manifest = path.join(cwd, normalized, "package.json");
+    return fs.existsSync(manifest) ? [manifest] : [];
+  }
+  const parts = normalized.split("/");
+  const starIndex = parts.indexOf("*");
+  if (starIndex < 0 || parts.includes("**")) return [];
+  const baseDir = path.join(cwd, ...parts.slice(0, starIndex));
+  const suffix = parts.slice(starIndex + 1);
+  let entries = [];
+  try {
+    entries = fs.readdirSync(baseDir, { withFileTypes: true });
+  } catch {
+    return [];
+  }
+  return entries
+    .filter((entry) => entry.isDirectory() && !entry.name.startsWith("."))
+    .map((entry) => path.join(baseDir, entry.name, ...suffix, "package.json"))
+    .filter((manifest) => fs.existsSync(manifest));
+}
+
+function readJson(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function expandFileRetrievalTask(task) {
+  const tokens = new Set(tokenize(task));
+  const additions = new Set();
+  if (hasAny(tokens, ["purchase", "purchased", "buy", "buyer", "seller", "payment", "pay", "checkout"])) {
+    addAll(additions, [
+      "purchase", "payment", "checkout", "billing", "wallet", "balance", "top up",
+      "transaction", "order", "invoice"
+    ]);
+  }
+  if (hasAny(tokens, ["wallet", "balance", "topup", "top", "funded"])) {
+    addAll(additions, ["wallet", "balance", "top up", "billing"]);
+  }
+  if (hasAny(tokens, ["library", "access", "permissions", "permission", "resources", "tutorials", "collections"])) {
+    addAll(additions, [
+      "content access", "content-access-service", "access permissions", "library",
+      "resource", "resources", "tutorial", "tutorials", "collections"
+    ]);
+  }
+  if (hasAny(tokens, ["notification", "notifications", "notify", "buyer", "seller"])) {
+    addAll(additions, ["notification", "notifications", "notify", "buyer", "seller"]);
+  }
+  if (!additions.size) return task;
+  return `${task}\n\nContextOS retrieval hints: ${[...additions].join(", ")}`;
+}
+
+function hasAny(tokens, values) {
+  return values.some((value) => tokens.has(value));
+}
+
+function addAll(target, values) {
+  for (const value of values) target.add(value);
+}
+
+export function findExplicitPromptFiles({ cwd = process.cwd(), task = "", limit = 6 } = {}) {
+  const candidates = new Set();
+  const normalizedTask = String(task || "").replace(/\/\s+/g, "/");
+  const matches = normalizedTask.match(/[A-Za-z0-9_.()[\]@~:-]+(?:\/[A-Za-z0-9_.()[\]@~:-]+)+/g) || [];
+  for (const match of matches) {
+    const cleaned = match.replace(/[),.;:]+$/g, "");
+    for (const filePath of resolvePromptPathCandidates({ cwd, promptPath: cleaned })) {
+      candidates.add(filePath);
+      if (candidates.size >= limit) break;
+    }
+    if (candidates.size >= limit) break;
+  }
+  return [...candidates].map((filePath, index) => ({
+    path: filePath,
+    score: 12 - index * 0.01,
+    source: "prompt-path",
+    reasons: ["prompt-path"]
+  }));
+}
+
+function resolvePromptPathCandidates({ cwd, promptPath }) {
+  if (!promptPath || promptPath.includes("://")) return [];
+  const relative = promptPath.replace(/^\.?\//, "");
+  if (relative.startsWith("..")) return [];
+  const absolute = path.resolve(cwd, relative);
+  if (!isInsidePath(absolute, cwd)) return [];
+  const resolved = [];
+  if (isSourceFile(absolute)) resolved.push(path.relative(cwd, absolute));
+  if (isDirectory(absolute)) {
+    for (const fileName of ["page.tsx", "page.ts", "page.jsx", "page.js", "layout.tsx", "index.tsx", "index.ts"]) {
+      const candidate = path.join(absolute, fileName);
+      if (isSourceFile(candidate)) resolved.push(path.relative(cwd, candidate));
+    }
+  }
+  if (!path.extname(relative)) {
+    for (const extension of [".tsx", ".ts", ".jsx", ".js", ".md", ".json"]) {
+      const candidate = `${absolute}${extension}`;
+      if (isSourceFile(candidate)) resolved.push(path.relative(cwd, candidate));
+    }
+  }
+  return resolved;
+}
+
+function isInsidePath(filePath, parentPath) {
+  const relative = path.relative(path.resolve(parentPath), path.resolve(filePath));
+  return relative && !relative.startsWith("..") && !path.isAbsolute(relative);
+}
+
+function isDirectory(filePath) {
+  try {
+    return fs.statSync(filePath).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+function isSourceFile(filePath) {
+  try {
+    return fs.statSync(filePath).isFile();
+  } catch {
+    return false;
+  }
+}
+
 function mergeLocalFileCandidates(files) {
   const byPath = new Map();
   for (const file of files) {

package/plugins/ctx/lib/prompt-hook.js

@@ -5,8 +5,13 @@ import { callCtxScoreContext } from "./ctx-mcp-client.js";
 import { resolveHookCwd } from "./hook-io.js";
 import { loadOutputConfig } from "./output-config.js";
 import { scoreContext as scoreContextDirect } from "./score-context.js";
+import fs from "node:fs";
 import path from "node:path";
 
+const PROMPT_FILE_LIMIT = 7;
+const PROMPT_SKILL_LIMIT = 7;
+const PROMPT_WORKFLOW_LIMIT = 2;
+
 export async function handlePromptPayload(
   payload,
   {
@@ -24,7 +29,8 @@ export async function handlePromptPayload(
   } = {}
 ) {
   const prompt = payload.prompt || payload.message || payload.user_prompt || "";
-  const cwd = resolveHookCwd(payload);
+  const hookCwd = resolveHookCwd(payload);
+  const cwd = resolvePromptTargetCwd({ cwd: hookCwd, prompt });
   const openFiles = payload.openFiles || payload.open_files || payload.files || [];
   const dataDir = dataPath ? path.dirname(dataPath) : undefined;
 
@@ -34,7 +40,9 @@ export async function handlePromptPayload(
       cwd,
       prompt,
       openFiles,
-      maxFiles: 3
+      maxFiles: PROMPT_FILE_LIMIT,
+      maxSkills: PROMPT_SKILL_LIMIT,
+      maxWorkflows: PROMPT_WORKFLOW_LIMIT
     }, {
       dataDir: mcpDataDir || dataDir,
       timeoutMs: Number(process.env.CONTEXTOS_MCP_BRIDGE_TIMEOUT_MS || 2000)
@@ -45,10 +53,12 @@ export async function handlePromptPayload(
         cwd,
         prompt,
         openFiles,
-        maxFiles: 3,
+        maxFiles: PROMPT_FILE_LIMIT,
+        maxSkills: PROMPT_SKILL_LIMIT,
+        maxWorkflows: PROMPT_WORKFLOW_LIMIT,
         dataDir: mcpDataDir || dataDir,
         embeddingTimeoutMs: Number(process.env.CONTEXTOS_HOOK_EMBEDDING_TIMEOUT_MS || 500),
-        fileEmbeddingTimeoutMs: Number(process.env.CONTEXTOS_HOOK_FILE_EMBEDDING_TIMEOUT_MS || 500)
+        fileEmbeddingTimeoutMs: Number(process.env.CONTEXTOS_HOOK_FILE_EMBEDDING_TIMEOUT_MS || 1000)
       }), directFallbackTimeoutMs, "direct fallback scoring");
       scored.telemetry = {
         ...(scored.telemetry || {}),
@@ -66,9 +76,9 @@ export async function handlePromptPayload(
 
   if (scored.error) throw new Error(scored.error);
   const scoredRules = scored.scoredRules || [];
-  const relevantFiles = (scored.suggestedFiles || []).slice(0, 3);
-  const suggestedSkills = (scored.suggestedSkills || []).slice(0, 3);
-  const suggestedWorkflows = (scored.suggestedWorkflows || []).slice(0, 2);
+  const relevantFiles = (scored.suggestedFiles || []).slice(0, PROMPT_FILE_LIMIT);
+  const suggestedSkills = (scored.suggestedSkills || []).slice(0, PROMPT_SKILL_LIMIT);
+  const suggestedWorkflows = (scored.suggestedWorkflows || []).slice(0, PROMPT_WORKFLOW_LIMIT);
   const effectiveOutputConfig = outputConfig || loadOutputConfig();
   const scheduled = scheduleContext({ rules: scoredRules, relevantFiles, suggestedSkills, suggestedWorkflows, outputConfig: effectiveOutputConfig });
   const contextEmptyReason = emptyContextReason({ scheduled, outputConfig: effectiveOutputConfig, injectContext });
@@ -127,6 +137,58 @@ export async function handlePromptPayload(
   return output;
 }
 
+export function resolvePromptTargetCwd({ cwd = process.cwd(), prompt = "" } = {}) {
+  const current = path.resolve(cwd);
+  const candidates = targetPathCandidates(prompt);
+  for (const candidate of candidates) {
+    const resolved = path.resolve(current, candidate);
+    if (!isAllowedTargetCwd({ current, resolved })) continue;
+    if (isWorkspaceRoot(resolved)) return resolved;
+  }
+  return current;
+}
+
+function targetPathCandidates(prompt) {
+  const text = String(prompt || "");
+  const patterns = [
+    /\b(?:tr[eê]n|in|inside|under|repo|workspace|cwd)\s+([.~A-Za-z0-9_/@.-]+(?:\/[A-Za-z0-9_@().-]+)*)/gi,
+    /\b(?:debug|test|check|run)\s+(?:on|tr[eê]n)\s+([.~A-Za-z0-9_/@.-]+(?:\/[A-Za-z0-9_@().-]+)*)/gi
+  ];
+  const results = [];
+  for (const pattern of patterns) {
+    let match;
+    while ((match = pattern.exec(text))) {
+      const value = cleanPromptPath(match[1]);
+      if (value) results.push(value);
+    }
+  }
+  return results;
+}
+
+function cleanPromptPath(value) {
+  const cleaned = String(value || "").trim().replace(/[),.;:]+$/g, "");
+  if (!cleaned || cleaned.includes("://")) return null;
+  return cleaned;
+}
+
+function isAllowedTargetCwd({ current, resolved }) {
+  const parent = path.dirname(current);
+  const relative = path.relative(parent, resolved);
+  return relative && !relative.startsWith("..") && !path.isAbsolute(relative);
+}
+
+function isWorkspaceRoot(directory) {
+  try {
+    const stat = fs.statSync(directory);
+    if (!stat.isDirectory()) return false;
+  } catch {
+    return false;
+  }
+  return fs.existsSync(path.join(directory, "package.json"))
+    || fs.existsSync(path.join(directory, "AGENTS.md"))
+    || fs.existsSync(path.join(directory, ".git"));
+}
+
 function emptyContextReason({ scheduled, outputConfig, injectContext }) {
   if (!injectContext) return "injection-disabled";
   if (scheduled.additionalContext) return null;

package/plugins/ctx/lib/scheduler.js

@@ -22,7 +22,7 @@ export function scheduleContext({
     sections.push(section("Critical ContextOS rules", high.slice(0, 5).map(formatRule)));
   }
   if (outputConfig.sections.files && relevantFiles.length) {
-    sections.push(section("Suggested files to check", relevantFiles.map(formatFile)));
+    sections.push(commaSection("Suggested files to check", formatFiles(relevantFiles)));
   }
   if (outputConfig.sections.skills && suggestedSkills.length) {
     sections.push(inlineSection("Skills to activate for this task", suggestedSkills.map(formatSkill)));
@@ -72,13 +72,28 @@ function inlineSection(title, values) {
   return `## ${title}: ${uniqueValues.join(", ")}`;
 }
 
+function commaSection(title, values) {
+  const uniqueValues = [...new Set(values)];
+  if (!uniqueValues.length) return "";
+  return `## ${title}, ${uniqueValues.join(", ")}`;
+}
 
 function formatRule(rule) {
   return `- ${rule.content}`;
 }
 
-function formatFile(file) {
-  return `- ${path.basename(file.path)}`;
+function formatFiles(files) {
+  const counts = new Map();
+  for (const file of files) {
+    const name = path.basename(file.path);
+    counts.set(name, (counts.get(name) || 0) + 1);
+  }
+  return files.map((file) => formatFile(file, counts));
+}
+
+function formatFile(file, basenameCounts) {
+  const name = path.basename(file.path);
+  return basenameCounts.get(name) > 1 ? file.path : name;
 }
 
 function formatSkill(skill) {

package/plugins/ctx/lib/skill-discoverer.js

@@ -14,10 +14,15 @@ const GENERIC_SKILL_TOKENS = new Set([
   "active", "agent", "agents", "code", "config", "configuration", "create", "development",
   "environment", "file", "files", "graph", "install", "integration", "local", "node", "package",
   "project", "refresh", "rebuild", "setup", "skill", "skills", "sync", "tool", "tools", "using",
-  "build", "production", "https", "http", "com", "www"
+  "build", "can", "not", "production", "show", "something", "https", "http", "com", "www",
+  "a", "an", "and", "are", "as", "at", "be", "before", "after", "both", "by", "from", "for",
+  "if", "in", "into", "is", "must", "of", "on", "or", "the", "then", "this", "to", "user",
+  "users", "when", "where", "whether", "with"
 ]);
 const SPECIALIZED_SKILL_TOKENS = new Set([
-  "android", "cicd", "eas", "expo", "ios", "postgres", "postgresql", "react-native"
+  "android", "authorization", "cicd", "eas", "expo", "frontend", "ios", "next", "nextjs",
+  "mcp", "modelcontextprotocol", "postgres", "postgresql", "react", "react-native", "tailwind",
+  "typescript", "ui"
 ]);
 
 const scanCache = new Map();
@@ -29,9 +34,9 @@ export function skillSearchRoots({ cwd = process.cwd(), home = os.homedir() } =
     path.join(cwd, ".gemini", "skills"),
     path.join(cwd, ".gemini", "antigravity", "skills"),
     path.join(cwd, ".gemini", "antigravity-cli", "skills"),
-    path.join(home, ".config", "skillshare", "skills"),
     path.join(home, ".codex", "skills"),
     path.join(home, ".claude", "skills"),
+    path.join(home, ".config", "skillshare", "skills"),
     path.join(home, ".gemini", "skills"),
     path.join(home, ".gemini", "antigravity", "skills"),
     path.join(home, ".gemini", "antigravity-cli", "skills")
@@ -197,10 +202,18 @@ function finalizeSkillScores(skills, limit, { minimumKeywordScore = 0.35 } = {})
       keywordScore: rule.keywordScore,
       score: Math.min(1, Number(rule.score || 0)),
       embeddingScore: rule.embeddingScore,
+      relevancePriority: Number(rule.relevancePriority || 0),
+      rankScore: Math.min(1, Number(rule.score || 0)) + Number(rule.relevancePriority || 0) / 100,
       reasons: rule.reasons || []
     }))
-    .filter((skill) => Number(skill.keywordScore || 0) >= minimumKeywordScore || Number(skill.embeddingScore || 0) >= 0.62)
-    .sort((a, b) => b.score - a.score || scopePriority(b.scope) - scopePriority(a.scope) || a.name.localeCompare(b.name));
+    .filter((skill) => Number(skill.keywordScore || 0) >= minimumKeywordScore
+      || Number(skill.embeddingScore || 0) >= 0.62
+      || Number(skill.relevancePriority || 0) >= 50)
+    .sort((a, b) => b.rankScore - a.rankScore
+      || b.relevancePriority - a.relevancePriority
+      || b.score - a.score
+      || scopePriority(b.scope) - scopePriority(a.scope)
+      || a.name.localeCompare(b.name));
   const seen = new Set();
   return ranked
     .filter((skill) => {
@@ -259,10 +272,11 @@ function scoreSkillsByKeyword({ prompt, skills, projectHints = [] }) {
     const nameHit = normalizedPrompt.includes(normalizedName);
     const nameTokenHit = nameTokens.length > 1 && nameTokens.every((token) => promptTokens.has(token));
     const scopeBonus = enriched.scope === "project" ? 0.08 : 0;
-    const intentBonus = skillIntentBonus(normalizedPrompt, enriched);
-    const domainEligible = isSkillDomainEligible(normalizedPrompt, enriched);
+    const intentBonus = skillIntentBonus(normalizedPrompt, enriched, projectTokens);
+    const relevancePriority = skillRelevancePriority(normalizedPrompt, enriched, projectTokens);
+    const domainEligible = isSkillDomainEligible(normalizedPrompt, enriched, projectTokens);
     const matchScore = matches.reduce((sum, token) => sum + (SPECIALIZED_SKILL_TOKENS.has(token) ? 0.2 : 0.08), 0);
-    const projectBonus = matches.length && intentBonus ? Math.min(0.16, projectMatches.length * 0.04) : 0;
+    const projectBonus = intentBonus ? Math.min(0.16, projectMatches.length * 0.04) : 0;
     const score = Math.min(1, (matches.length ? 0.25 + matchScore : 0) + projectBonus + intentBonus + (nameHit ? 0.2 : 0) + (nameTokenHit ? 0.18 : 0) + scopeBonus);
     return {
       id: `skill-${index + 1}`,
@@ -273,6 +287,7 @@ function scoreSkillsByKeyword({ prompt, skills, projectHints = [] }) {
       content,
       score,
       keywordScore: score,
+      relevancePriority,
       domainEligible,
       reasons: [
         ...(matches.length ? [`keyword:${matches.slice(0, 4).join(",")}`] : []),
@@ -292,31 +307,191 @@ function filterSkillMatches(matches, { normalizedPrompt, enriched }) {
   return matches.filter((token) => token !== "android" && token !== "ios");
 }
 
-function isSkillDomainEligible(normalizedPrompt, enriched) {
-  if (!/\beas\b/.test(normalizedPrompt)) return true;
+function isSkillDomainEligible(normalizedPrompt, enriched, projectTokens = new Set()) {
   const skillText = normalize(`${enriched.name} ${enriched.description}`);
+  if (isMcpSkill(skillText) && !isMcpRelevantTask(normalizedPrompt, projectTokens)) return false;
+  if (isOffensiveSecuritySkill(skillText) && !isSecurityTask(normalizedPrompt)) return false;
+  if (isPlatformCommerceSkill(skillText) && !isPlatformCommerceTask(normalizedPrompt, skillText)) return false;
+  if (!/\beas\b/.test(normalizedPrompt)) return true;
   if (!/\b(android|ios)\b/.test(skillText)) return true;
   return /\b(eas|expo|cicd)\b/.test(skillText);
 }
 
-function skillIntentBonus(normalizedPrompt, enriched) {
+function skillIntentBonus(normalizedPrompt, enriched, projectTokens = new Set()) {
   const skillText = normalize(`${enriched.name} ${enriched.description}`);
+  if (isMcpRelevantTask(normalizedPrompt, projectTokens)
+    && /\b(mcp|model context protocol|modelcontextprotocol|agent memory|tool developer|tool builder)\b/.test(skillText)) {
+    return 0.48;
+  }
+  if (isCommerceTask(normalizedPrompt)
+    && /\b(payment|payments|checkout|billing|bill|invoice|wallet|balance|stripe|paypal|commerce|monetization)\b/.test(skillText)) {
+    return 0.46;
+  }
+  if (isContentAccessTask(normalizedPrompt)
+    && /\b(api|endpoint|backend|service|services|auth|authorization|permission|permissions|access|rbac|frontend api)\b/.test(skillText)) {
+    return 0.34;
+  }
+  if (isNotificationTask(normalizedPrompt)
+    && /\b(notification|notifications|notify|message|sms|email|event|webhook)\b/.test(skillText)) {
+    return 0.3;
+  }
+  if (isFrontendCheckoutTask(normalizedPrompt)
+    && /\b(frontend|react|next|nextjs|ui|component|modal|api integration)\b/.test(skillText)) {
+    return 0.32;
+  }
+  if (isExpoRuntimeTask(normalizedPrompt, projectTokens)
+    && /\b(expo|eas|nativewind|react native|tailwind)\b/.test(skillText)) {
+    return 0.46;
+  }
+  if (isNextAppRouterTask(normalizedPrompt)
+    && /\b(next|nextjs)\b/.test(skillText)
+    && /\b(app router|router|routing|server components)\b/.test(skillText)) {
+    return 0.5;
+  }
   if (/\beas\b/.test(normalizedPrompt)
     && /\b(eas|expo)\b/.test(skillText)
     && /\b(cicd|workflow|workflows|build|deploy|deployment|pipeline|pipelines)\b/.test(skillText)) {
     return 0.28;
   }
+  if (/\b(webapp|frontend|ui|dashboard|button|page|component|app|router)\b/.test(normalizedPrompt)
+    && /\b(frontend|react|next|nextjs|ui|component|tailwind|app router)\b/.test(skillText)) {
+    return 0.36;
+  }
+  if (/\b(role|admin|creator|permission|permissions|authorization|access)\b/.test(normalizedPrompt)
+    && /\b(auth|authentication|authorization|permission|permissions|access|rbac)\b/.test(skillText)) {
+    return 0.32;
+  }
   return 0;
 }
 
+function skillRelevancePriority(normalizedPrompt, enriched, projectTokens = new Set()) {
+  const skillText = normalize(`${enriched.name} ${enriched.description}`);
+  const skillName = normalize(enriched.name);
+  let priority = 0;
+  if (isMcpRelevantTask(normalizedPrompt, projectTokens)) {
+    if (skillName === "mcp builder") priority += 760;
+    if (skillName === "mcp management") priority += 740;
+    if (skillName === "mcp tool developer") priority += 720;
+    if (skillName === "agent memory mcp") priority += 700;
+    if (skillName === "agent tool builder" || skillName === "context agent") priority += 260;
+    if (/\b(mcp|model context protocol|modelcontextprotocol)\b/.test(skillText)) priority += 160;
+  }
+  if (isCommerceTask(normalizedPrompt)) {
+    if (/\b(payment integration|stripe integration|paypal integration)\b/.test(skillText)) priority += 520;
+    if (/\bbilling automation\b/.test(skillText)) priority += 430;
+    if (/\b(payment|payments|checkout|billing|wallet|balance|stripe|paypal|commerce|monetization)\b/.test(skillText)) priority += 160;
+    if (!/\bstripe\b/.test(normalizedPrompt) && /\bstripe\b/.test(skillText)) priority -= 520;
+    if (!/\bpaypal\b/.test(normalizedPrompt) && /\bpaypal\b/.test(skillText)) priority -= 520;
+    if (!/\bsquare\b/.test(normalizedPrompt) && /\bsquare\b/.test(skillText)) priority -= 440;
+    if (/\b(mcp|metasploit|penetration|exploit|bug bounty)\b/.test(skillText)) priority -= 500;
+  }
+  if (isContentAccessTask(normalizedPrompt)) {
+    if (/\b(api endpoint builder|backend development|backend architect|frontend api integration patterns)\b/.test(skillText)) priority += 260;
+    if (/\b(auth implementation patterns|authorization|permission|permissions|access|rbac)\b/.test(skillText)) priority += 120;
+  }
+  if (isNotificationTask(normalizedPrompt)) {
+    if (/\bsendblue notify\b/.test(skillText)) priority += 140;
+    if (/\b(notification|notifications|notify|message|sms|email|event|webhook)\b/.test(skillText)) priority += 90;
+  }
+  if (isFrontendCheckoutTask(normalizedPrompt)) {
+    if (/\bfrontend api integration patterns\b/.test(skillText)) priority += 220;
+    if (/\breact nextjs development|nextjs best practices|nextjs app router patterns|frontend developer\b/.test(skillText)) priority += 90;
+  }
+  if (isExpoRuntimeTask(normalizedPrompt, projectTokens)) {
+    if (/\bexpo deployment\b/.test(skillText)) priority += 900;
+    if (/\bbuilding native ui\b/.test(skillText)) priority += 760;
+    if (/\bexpo tailwind setup\b/.test(skillText)) priority += 620;
+    if (/\bexpo\b/.test(skillText) && /\b(qr|expo go|run|running|start|connect|eas|deployment|build)\b/.test(skillText)) priority += 220;
+    if (/\bnativewind|tailwind\b/.test(skillText) && projectTokens.has("nativewind")) priority += 120;
+    if (/\b(next|nextjs|frontend designer|dark themed|glassmorphism|framer motion)\b/.test(skillText)) priority -= 160;
+  }
+  if (isNextAppRouterTask(normalizedPrompt)) {
+    if (/\bnextjs app router patterns\b/.test(skillText)) priority += 600;
+    if (/\bnextjs best practices\b/.test(skillText)) priority += 560;
+    if (/\breact nextjs development\b/.test(skillText)) priority += 420;
+    if (/\b(next|nextjs)\b/.test(skillText) && /\b(app router|router|routing|server components)\b/.test(skillText)) priority += 100;
+    if (/\b(next|nextjs)\b/.test(skillText) && /\breact\b/.test(skillText)) priority += 70;
+    if (/\b(glassmorphism|dark themed|dark theme|framer motion)\b/.test(skillText)) priority -= 40;
+  }
+  if (/\b(role|admin|creator|permission|permissions|authorization|access)\b/.test(normalizedPrompt)
+    && /\b(auth|authentication|authorization|permission|permissions|access|rbac)\b/.test(skillText)) {
+    priority += 55;
+  }
+  return priority;
+}
+
+function isNextAppRouterTask(normalizedPrompt) {
+  return /\bwebapp\b.*\bsrc\b.*\bapp\b/.test(normalizedPrompt)
+    || /\b(next|nextjs)\b.*\b(app router|router|routing)\b/.test(normalizedPrompt)
+    || /\bapp router\b/.test(normalizedPrompt);
+}
+
+function isExpoRuntimeTask(normalizedPrompt, projectTokens = new Set()) {
+  const expoProject = projectTokens.has("expo") || projectTokens.has("nativewind") || projectTokens.has("eas");
+  if (!expoProject) return false;
+  return /\b(qr|connect|run|start|expo go|device|metro|tunnel|lan)\b/.test(normalizedPrompt);
+}
+
+function isCommerceTask(normalizedPrompt) {
+  return /\b(purchase|purchased|buy|buyer|seller|payment|pay|checkout|wallet|balance|top up|topup|funded|billing|invoice)\b/.test(normalizedPrompt);
+}
+
+function isContentAccessTask(normalizedPrompt) {
+  return /\b(content access service|content access|access permissions|grant access|permissions|library|resources|tutorials|collections)\b/.test(normalizedPrompt);
+}
+
+function isNotificationTask(normalizedPrompt) {
+  return /\b(notification|notifications|notify|buyer|seller)\b/.test(normalizedPrompt);
+}
+
+function isFrontendCheckoutTask(normalizedPrompt) {
+  return /\b(modal|display|show|checkout|library|frontend|webapp|page|button)\b/.test(normalizedPrompt);
+}
+
+function isMcpTask(normalizedPrompt) {
+  return /\b(mcp|model context protocol|tool server|tools server|server tool|bridge|proxy)\b/.test(normalizedPrompt);
+}
+
+function isMcpRelevantTask(normalizedPrompt, projectTokens = new Set()) {
+  return isMcpTask(normalizedPrompt)
+    || (isMcpProject(projectTokens) && isContextRetrievalTask(normalizedPrompt));
+}
+
+function isMcpProject(projectTokens = new Set()) {
+  return projectTokens.has("mcp") || projectTokens.has("modelcontextprotocol");
+}
+
+function isContextRetrievalTask(normalizedPrompt) {
+  return /\b(suggest|suggested|suggestion|skills|files|context|retrieval|retrieve|scorer|scoring|match|matching|prompt|hook|inject|injection)\b/.test(normalizedPrompt);
+}
+
+function isSecurityTask(normalizedPrompt) {
+  return /\b(security|pentest|penetration|exploit|vulnerability|metasploit|bug bounty|owasp|xss|csrf|attack|audit)\b/.test(normalizedPrompt);
+}
+
+function isMcpSkill(skillText) {
+  return /\bmcp\b|\bmodel context protocol\b/.test(skillText);
+}
+
+function isOffensiveSecuritySkill(skillText) {
+  return /\b(metasploit|penetration testing|bug bounty|exploit|exploitation|privilege escalation|ethical hacking|web fuzzing|security assessment)\b/.test(skillText);
+}
+
+function isPlatformCommerceSkill(skillText) {
+  return /\b(wordpress|woocommerce|shopify|odoo)\b/.test(skillText);
+}
+
+function isPlatformCommerceTask(normalizedPrompt, skillText) {
+  if (/\bwordpress\b/.test(skillText)) return /\bwordpress\b/.test(normalizedPrompt);
+  if (/\bwoocommerce\b/.test(skillText)) return /\bwoocommerce\b/.test(normalizedPrompt);
+  if (/\bshopify\b/.test(skillText)) return /\bshopify\b/.test(normalizedPrompt);
+  if (/\bodoo\b/.test(skillText)) return /\bodoo\b/.test(normalizedPrompt);
+  return true;
+}
+
 export function projectSkillHints({ cwd = process.cwd() } = {}) {
   const hints = new Set();
-  const packagePaths = [path.join(cwd, "package.json")];
-  const rootPackage = readJson(path.join(cwd, "package.json"));
-  for (const workspace of rootPackage?.workspaces || []) {
-    if (typeof workspace !== "string" || workspace.includes("*")) continue;
-    packagePaths.push(path.join(cwd, workspace, "package.json"));
-  }
+  const packagePaths = workspacePackagePaths(cwd);
 
   for (const packagePath of packagePaths) {
     const packageDir = path.dirname(packagePath);
@@ -324,6 +499,8 @@ export function projectSkillHints({ cwd = process.cwd() } = {}) {
     addHintText(hints, JSON.stringify({
       name: packageJson?.name,
       description: packageJson?.description,
+      keywords: packageJson?.keywords || [],
+      scripts: packageJson?.scripts || {},
       dependencies: Object.keys(packageJson?.dependencies || {}),
       devDependencies: Object.keys(packageJson?.devDependencies || {})
     }));
@@ -334,6 +511,48 @@ export function projectSkillHints({ cwd = process.cwd() } = {}) {
   return [...hints];
 }
 
+function workspacePackagePaths(cwd) {
+  const rootPackagePath = path.join(cwd, "package.json");
+  const rootPackage = readJson(rootPackagePath);
+  const paths = new Set([rootPackagePath]);
+  for (const workspace of workspacePatterns(rootPackage?.workspaces)) {
+    for (const packagePath of expandWorkspacePattern({ cwd, pattern: workspace })) {
+      paths.add(packagePath);
+    }
+  }
+  return [...paths];
+}
+
+function workspacePatterns(workspaces) {
+  if (Array.isArray(workspaces)) return workspaces.filter((item) => typeof item === "string");
+  if (Array.isArray(workspaces?.packages)) return workspaces.packages.filter((item) => typeof item === "string");
+  return [];
+}
+
+function expandWorkspacePattern({ cwd, pattern }) {
+  const normalized = String(pattern || "").replace(/\\/g, "/").replace(/\/+$/g, "");
+  if (!normalized || normalized.startsWith("..") || path.isAbsolute(normalized)) return [];
+  if (!normalized.includes("*")) {
+    const packagePath = path.join(cwd, normalized, "package.json");
+    return fs.existsSync(packagePath) ? [packagePath] : [];
+  }
+  const parts = normalized.split("/");
+  const starIndex = parts.indexOf("*");
+  if (starIndex < 0 || parts.includes("**")) return [];
+  const baseDir = path.join(cwd, ...parts.slice(0, starIndex));
+  const suffix = parts.slice(starIndex + 1);
+  let entries = [];
+  try {
+    entries = fs.readdirSync(baseDir, { withFileTypes: true });
+  } catch {
+    return [];
+  }
+  return entries
+    .filter((entry) => entry.isDirectory() && !entry.name.startsWith("."))
+    .map((entry) => path.join(baseDir, entry.name, ...suffix, "package.json"))
+    .filter((packagePath) => fs.existsSync(packagePath));
+}
+
 function readJson(filePath) {
   try {
     return JSON.parse(fs.readFileSync(filePath, "utf8"));
@@ -366,5 +585,8 @@ function normalize(value) {
 }
 
 function normalizePrompt(value) {
-  return normalize(String(value || "").replace(/https?:\/\/\S+/gi, " "));
+  return normalize(String(value || "")
+    .replace(/https?:\/\/\S+/gi, " ")
+    .replace(/giao\s+di[eệ]n/gi, "frontend ui")
+    .replace(/phan\s+quyen/gi, "authorization role"));
 }