@yawlabs/ctxlint 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +106 -58
  2. package/action.yml +1 -1
  3. package/dist/index.js +2225 -1931
  4. package/package.json +7 -8
package/README.md CHANGED
@@ -6,7 +6,7 @@
6
6
  [![CI](https://github.com/YawLabs/ctxlint/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/ctxlint/actions/workflows/ci.yml)
7
7
  [![Release](https://github.com/YawLabs/ctxlint/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/ctxlint/actions/workflows/release.yml)
8
8
 
9
- **Lint your AI agent context files and MCP server configs against your actual codebase.** Context linting + MCP config linting. 21+ context formats, 8 MCP clients, auto-fix. Works as a CLI, CI step, pre-commit hook, or MCP server.
9
+ **Lint your AI agent context files, MCP server configs, and session data against your actual codebase.** Context linting + MCP config linting + session auditing. 21+ context formats, 8 MCP clients, cross-project consistency, auto-fix. Works as a CLI, CI step, pre-commit hook, or MCP server.
10
10
 
11
11
  Your `CLAUDE.md` is lying to your agent. Your `.mcp.json` has a hardcoded API key. ctxlint catches both.
12
12
 
@@ -66,38 +66,44 @@ Useful if you want `ctxlint` available in every project without per-project setu
66
66
 
67
67
  ## What It Checks
68
68
 
69
- | Check | What it finds |
70
- |-------|--------------|
71
- | **Broken paths** | File references in context that don't exist in your project |
72
- | **Wrong commands** | Build/test commands that don't match your package.json scripts or Makefile targets |
73
- | **Stale context** | Context files not updated after recent code changes |
74
- | **Token waste** | How much context window your files consume per session |
75
- | **Redundancy** | Content the agent can already infer (e.g. "We use React" when react is in package.json) |
76
- | **Contradictions** | Conflicting directives across context files (e.g. "use Jest" in one, "use Vitest" in another) |
77
- | **Frontmatter** | Invalid or missing YAML frontmatter in Cursor .mdc, Copilot instructions, and Windsurf rules |
78
- | **CI coverage** | Release/deploy workflows in `.github/workflows/` not documented in any context file |
79
- | **CI secrets** | Secrets used in CI workflows (`${{ secrets.X }}`) not mentioned in context files |
69
+ | Check | What it finds |
70
+ | --------------------- | --------------------------------------------------------------------------------------------- |
71
+ | **Broken paths** | File references in context that don't exist in your project |
72
+ | **Wrong commands** | Build/test commands that don't match your package.json scripts or Makefile targets |
73
+ | **Stale context** | Context files not updated after recent code changes |
74
+ | **Token waste** | How much context window your files consume per session |
75
+ | **Redundancy** | Content the agent can already infer (e.g. "We use React" when react is in package.json) |
76
+ | **Contradictions** | Conflicting directives across context files (e.g. "use Jest" in one, "use Vitest" in another) |
77
+ | **Frontmatter** | Invalid or missing YAML frontmatter in Cursor .mdc, Copilot instructions, and Windsurf rules |
78
+ | **CI coverage** | Release/deploy workflows in `.github/workflows/` not documented in any context file |
79
+ | **CI secrets** | Secrets used in CI workflows (`${{ secrets.X }}`) not mentioned in context files |
80
+ | **Missing secrets** | GitHub secrets set on sibling repos but missing from current project |
81
+ | **Diverged configs** | Canonical config files (CI, tsconfig, etc.) drifting across sibling projects |
82
+ | **Missing workflows** | GitHub Actions workflows present in 2+ siblings but absent here |
83
+ | **Stale memory** | Claude Code memory entries referencing paths that no longer exist |
84
+ | **Duplicate memory** | Near-duplicate memories across projects (>60% content overlap) |
85
+ | **Loop detection** | Agent stuck in loops — repeated commands or cyclic patterns in session history |
80
86
 
81
87
  ## Supported Context Files
82
88
 
83
- | File | Tool |
84
- |------|------|
85
- | `CLAUDE.md`, `CLAUDE.local.md`, `.claude/rules/*.md` | Claude Code |
86
- | `AGENTS.md`, `AGENT.md`, `AGENTS.override.md` | AAIF / Multi-agent standard |
87
- | `.cursorrules`, `.cursor/rules/*.md`, `.cursor/rules/*.mdc`, `.cursor/rules/*/RULE.md` | Cursor |
88
- | `.github/copilot-instructions.md`, `.github/instructions/*.md`, `.github/git-commit-instructions.md` | GitHub Copilot |
89
- | `.windsurfrules`, `.windsurf/rules/*.md` | Windsurf |
90
- | `GEMINI.md` | Gemini CLI |
91
- | `.clinerules` | Cline |
92
- | `.aiderules` | Aider |
93
- | `.aide/rules/*.md` | Aide / Codestory |
94
- | `.amazonq/rules/*.md` | Amazon Q Developer |
95
- | `.goose/instructions.md`, `.goosehints` | Goose by Block |
96
- | `.junie/guidelines.md`, `.junie/AGENTS.md` | JetBrains Junie |
97
- | `.aiassistant/rules/*.md` | JetBrains AI Assistant |
98
- | `.continuerules`, `.continue/rules/*.md` | Continue |
99
- | `.rules` | Zed |
100
- | `replit.md` | Replit |
89
+ | File | Tool |
90
+ | ---------------------------------------------------------------------------------------------------- | --------------------------- |
91
+ | `CLAUDE.md`, `CLAUDE.local.md`, `.claude/rules/*.md` | Claude Code |
92
+ | `AGENTS.md`, `AGENT.md`, `AGENTS.override.md` | AAIF / Multi-agent standard |
93
+ | `.cursorrules`, `.cursor/rules/*.md`, `.cursor/rules/*.mdc`, `.cursor/rules/*/RULE.md` | Cursor |
94
+ | `.github/copilot-instructions.md`, `.github/instructions/*.md`, `.github/git-commit-instructions.md` | GitHub Copilot |
95
+ | `.windsurfrules`, `.windsurf/rules/*.md` | Windsurf |
96
+ | `GEMINI.md` | Gemini CLI |
97
+ | `.clinerules` | Cline |
98
+ | `.aiderules` | Aider |
99
+ | `.aide/rules/*.md` | Aide / Codestory |
100
+ | `.amazonq/rules/*.md` | Amazon Q Developer |
101
+ | `.goose/instructions.md`, `.goosehints` | Goose by Block |
102
+ | `.junie/guidelines.md`, `.junie/AGENTS.md` | JetBrains Junie |
103
+ | `.aiassistant/rules/*.md` | JetBrains AI Assistant |
104
+ | `.continuerules`, `.continue/rules/*.md` | Continue |
105
+ | `.rules` | Zed |
106
+ | `replit.md` | Replit |
101
107
 
102
108
  ## MCP Server Config Linting
103
109
 
@@ -116,28 +122,28 @@ npx @yawlabs/ctxlint --mcp-global
116
122
 
117
123
  ### What MCP config files are scanned
118
124
 
119
- | File | Client |
120
- |------|--------|
121
- | `.mcp.json` | Claude Code (universal project config) |
122
- | `.cursor/mcp.json` | Cursor |
123
- | `.vscode/mcp.json` | VS Code / GitHub Copilot |
124
- | `.amazonq/mcp.json` | Amazon Q Developer |
125
- | `.continue/mcpServers/*.json` | Continue |
125
+ | File | Client |
126
+ | ----------------------------- | -------------------------------------- |
127
+ | `.mcp.json` | Claude Code (universal project config) |
128
+ | `.cursor/mcp.json` | Cursor |
129
+ | `.vscode/mcp.json` | VS Code / GitHub Copilot |
130
+ | `.amazonq/mcp.json` | Amazon Q Developer |
131
+ | `.continue/mcpServers/*.json` | Continue |
126
132
 
127
133
  With `--mcp-global`, also scans Claude Desktop, Cursor, Windsurf, and Amazon Q global configs.
128
134
 
129
135
  ### What MCP config checks catch
130
136
 
131
- | Check | What it finds |
132
- |-------|--------------|
133
- | **Schema** | Invalid JSON, wrong root key (`servers` vs `mcpServers`), missing required fields |
134
- | **Security** | Hardcoded API keys and Bearer tokens in git-tracked config files |
135
- | **Commands** | Missing `cmd /c` wrapper for npx on Windows, broken file paths in args |
136
- | **Deprecated** | SSE transport usage (deprecated March 2025, use Streamable HTTP) |
137
- | **Env vars** | Wrong env var syntax for the client (`${VAR}` vs `${env:VAR}` vs `${{ secrets.VAR }}`) |
138
- | **URLs** | Malformed URLs, localhost in project configs, missing path component |
139
- | **Consistency** | Same server configured differently across client configs |
140
- | **Redundancy** | Disabled servers, identical configs at multiple scopes |
137
+ | Check | What it finds |
138
+ | --------------- | -------------------------------------------------------------------------------------- |
139
+ | **Schema** | Invalid JSON, wrong root key (`servers` vs `mcpServers`), missing required fields |
140
+ | **Security** | Hardcoded API keys and Bearer tokens in git-tracked config files |
141
+ | **Commands** | Missing `cmd /c` wrapper for npx on Windows, broken file paths in args |
142
+ | **Deprecated** | SSE transport usage (deprecated March 2025, use Streamable HTTP) |
143
+ | **Env vars** | Wrong env var syntax for the client (`${VAR}` vs `${env:VAR}` vs `${{ secrets.VAR }}`) |
144
+ | **URLs** | Malformed URLs, localhost in project configs, missing path component |
145
+ | **Consistency** | Same server configured differently across client configs |
146
+ | **Redundancy** | Disabled servers, identical configs at multiple scopes |
141
147
 
142
148
  ### Example MCP config output
143
149
 
@@ -168,10 +174,47 @@ The full specification for MCP config linting rules, the cross-client config lan
168
174
  - **[`MCP_CONFIG_LINT_SPEC.md`](./MCP_CONFIG_LINT_SPEC.md)** — 23 lint rules across 8 categories, the complete client/format reference, and implementation guidance. Tool-agnostic — any linter can implement it.
169
175
  - **[`mcp-config-lint-rules.json`](./mcp-config-lint-rules.json)** — Machine-readable rule catalog for programmatic consumption by AI agents, CI systems, and other tools.
170
176
 
177
+ ## Session Linting
178
+
179
+ ctxlint can audit AI agent session data — history files and memory entries — for cross-project consistency. Session checks compare your current project against sibling repos to catch drift and missing setup.
180
+
181
+ ```bash
182
+ # Lint context files + session data
183
+ npx @yawlabs/ctxlint --session
184
+
185
+ # Lint only session data
186
+ npx @yawlabs/ctxlint --session-only
187
+ ```
188
+
189
+ Session checks are **opt-in** because they access files outside the project directory (agent history in your home directory, sibling repos in the parent directory).
190
+
191
+ ### What session files are scanned
192
+
193
+ | Agent | History | Memory |
194
+ | ----------- | ------------------------- | ---------------------------------- |
195
+ | Claude Code | `~/.claude/history.jsonl` | `~/.claude/projects/*/memory/*.md` |
196
+ | Codex CLI | `~/.codex/history.jsonl` | — |
197
+
198
+ ### What session checks catch
199
+
200
+ | Check | What it finds |
201
+ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
202
+ | **Missing secrets** | `gh secret set` ran on 2+ sibling repos but not this one |
203
+ | **Diverged configs** | Shared config files (CI workflows, tsconfig, .prettierrc, etc.) with 20-90% line overlap — enough to be related, different enough to be drifting |
204
+ | **Missing workflows** | GitHub Actions workflows in 2+ siblings but absent from this project |
205
+ | **Stale memory** | Memory entries referencing file paths that no longer exist |
206
+ | **Duplicate memory** | Near-duplicate memory entries across projects (>60% overlap) |
207
+ | **Loop detection** | Agent stuck in a loop — 3+ consecutive identical commands, or cyclic A,B,A,B patterns |
208
+
209
+ ### Session Linting Specification
210
+
211
+ - **[`AGENT_SESSION_LINT_SPEC.md`](./AGENT_SESSION_LINT_SPEC.md)** — 7 lint rules, the agent session data landscape across 8 agents, sibling detection strategy, and implementation guidance.
212
+ - **[`agent-session-lint-rules.json`](./agent-session-lint-rules.json)** — Machine-readable rule catalog.
213
+
171
214
  ## Example Output
172
215
 
173
216
  ```
174
- ctxlint v0.7.0
217
+ ctxlint v0.9.0
175
218
 
176
219
  Scanning /Users/you/my-app...
177
220
 
@@ -214,6 +257,8 @@ Options:
214
257
  --mcp Enable MCP config linting alongside context file checks
215
258
  --mcp-only Run only MCP config checks, skip context file checks
216
259
  --mcp-global Also scan user/global MCP config files (implies --mcp)
260
+ --session Enable session audit checks (cross-project consistency)
261
+ --session-only Run only session checks, skip context and MCP checks
217
262
  --mcp-server Start the MCP server (for IDE/agent integration)
218
263
  --watch Re-lint on context file changes
219
264
  -V, --version Output the version number
@@ -223,9 +268,9 @@ Commands:
223
268
  init Set up a git pre-commit hook
224
269
  ```
225
270
 
226
- **Available checks:** `paths`, `commands`, `staleness`, `tokens`, `redundancy`, `contradictions`, `frontmatter`, `ci-coverage`, `ci-secrets`, `mcp-schema`, `mcp-security`, `mcp-commands`, `mcp-deprecated`, `mcp-env`, `mcp-urls`, `mcp-consistency`, `mcp-redundancy`
271
+ **Available checks:** `paths`, `commands`, `staleness`, `tokens`, `redundancy`, `contradictions`, `frontmatter`, `ci-coverage`, `ci-secrets`, `mcp-schema`, `mcp-security`, `mcp-commands`, `mcp-deprecated`, `mcp-env`, `mcp-urls`, `mcp-consistency`, `mcp-redundancy`, `session-missing-secret`, `session-diverged-file`, `session-missing-workflow`, `session-stale-memory`, `session-duplicate-memory`, `session-loop-detection`
227
272
 
228
- Passing any `mcp-*` check name implies `--mcp`.
273
+ Passing any `mcp-*` check name implies `--mcp`. Passing any `session-*` check name implies `--session`.
229
274
 
230
275
  ## Watch Mode
231
276
 
@@ -297,7 +342,7 @@ Add to your `.pre-commit-config.yaml`:
297
342
  ```yaml
298
343
  repos:
299
344
  - repo: https://github.com/yawlabs/ctxlint
300
- rev: v0.7.0
345
+ rev: v0.9.0
301
346
  hooks:
302
347
  - id: ctxlint
303
348
  ```
@@ -327,7 +372,7 @@ CLI flags override config file settings. Use `--config <path>` to load a config
327
372
 
328
373
  ## Use as MCP Server
329
374
 
330
- ctxlint ships with an MCP server that exposes five tools (`ctxlint_audit`, `ctxlint_mcp_audit`, `ctxlint_validate_path`, `ctxlint_token_report`, `ctxlint_fix`). All read-only tools declare annotations so MCP clients can skip confirmation dialogs.
375
+ ctxlint ships with an MCP server that exposes six tools (`ctxlint_audit`, `ctxlint_mcp_audit`, `ctxlint_session_audit`, `ctxlint_validate_path`, `ctxlint_token_report`, `ctxlint_fix`). All read-only tools declare annotations so MCP clients can skip confirmation dialogs.
331
376
 
332
377
  ### With Claude Code
333
378
 
@@ -407,16 +452,19 @@ Returns structured JSON with all file results, issues, and summary — useful fo
407
452
 
408
453
  ## Specifications
409
454
 
410
- ctxlint is the reference implementation of two open specifications for linting AI agent interfaces. These specs are tool-agnostic — any linter, IDE extension, or CI system can implement them.
455
+ ctxlint is the reference implementation of three open specifications for linting AI agent interfaces. These specs are tool-agnostic — any linter, IDE extension, or CI system can implement them.
456
+
457
+ | Spec | What it covers |
458
+ | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
459
+ | **[AI Context File Linting Spec](./CONTEXT_LINT_SPEC.md)** | 19 rules for validating context files (CLAUDE.md, .cursorrules, AGENTS.md, etc.) across 17 clients. Covers file formats, frontmatter schemas, path/command validation, staleness, token budgets, redundancy, and contradictions. |
460
+ | **[MCP Config Linting Spec](./MCP_CONFIG_LINT_SPEC.md)** | 23 rules for validating MCP server configs (.mcp.json, .cursor/mcp.json, .vscode/mcp.json, etc.) across 8 clients. Covers schema validation, hardcoded secrets, env var syntax, deprecated transports, and cross-file consistency. |
461
+ | **[Agent Session Linting Spec](./AGENT_SESSION_LINT_SPEC.md)** | 7 rules for auditing agent session data (history, memory) across 8 agents. Covers cross-project secret consistency, config drift, stale memory, and loop detection. |
411
462
 
412
- | Spec | What it covers |
413
- |------|---------------|
414
- | **[AI Context File Linting Spec](./CONTEXT_LINT_SPEC.md)** | 19 rules for validating context files (CLAUDE.md, .cursorrules, AGENTS.md, etc.) across 17 clients. Covers file formats, frontmatter schemas, path/command validation, staleness, token budgets, redundancy, and contradictions. |
415
- | **[MCP Config Linting Spec](./MCP_CONFIG_LINT_SPEC.md)** | 23 rules for validating MCP server configs (.mcp.json, .cursor/mcp.json, .vscode/mcp.json, etc.) across 8 clients. Covers schema validation, hardcoded secrets, env var syntax, deprecated transports, and cross-file consistency. |
463
+ All specs include machine-readable rule catalogs for programmatic consumption:
416
464
 
417
- Both specs include machine-readable rule catalogs for programmatic consumption:
418
465
  - [`context-lint-rules.json`](./context-lint-rules.json) — context file rules and 16 supported format definitions
419
466
  - [`mcp-config-lint-rules.json`](./mcp-config-lint-rules.json) — MCP config rules and 8 client definitions
467
+ - [`agent-session-lint-rules.json`](./agent-session-lint-rules.json) — session lint rules and 8 agent data source definitions
420
468
 
421
469
  ## Also By Yaw Labs
422
470
 
package/action.yml CHANGED
@@ -18,7 +18,7 @@ runs:
18
18
  using: 'composite'
19
19
  steps:
20
20
  - name: Set up Node.js
21
- uses: actions/setup-node@v4
21
+ uses: actions/setup-node@v6
22
22
  with:
23
23
  node-version: '20'
24
24